#!/bin/sh
#
# Configure safe networking practices
#
# chkconfig: - 06 90
# description: Setup firewalling and network security
#              This assumes your Internet is on a PPP connection
#              and the local (trusted) LAN is eth0.
#
# To install this on a Red Hat 6.x system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
#
#   chmod 755 /etc/rc.d/init.d/securenet
#   /sbin/chkconfig --add securenet
#   /sbin/chkconfig --level 2345 securenet on
#
# Henrik Størner, henrik@hswn.dk
#
# Modified 2000-03-20: Changed rules for ftp-data and DNS responses
#   so they work for masqueraded connections.
#

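PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Note: the script never looks at $1, so "securenet stop" re-applies the
# rules exactly like "securenet start" - there is no code path that flushes
# the chains and leaves the host open.


#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
   echo "1" >/proc/sys/net/ipv4/tcp_syncookies
else
   echo "Warning: SYN-cookie protection disabled in this kernel."
fi

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP echo-request altogether (see also below for ICMP filtering)
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Set local port range for listeners (ftp ...)
# The range used here is what will be used for the connections
# initiated from the firewall host. If you do masquerading, then
# masqueraded connections will use the range 61000-65096.
# Thus, in the ipchains rules below we will combine these two
# ranges into one: 56000:65096
echo "56000 60999" >/proc/sys/net/ipv4/ip_local_port_range

# Per-interface settings. The glob also covers the "all" and "default"
# entries, so interfaces that only appear later (ppp0 comes up after this
# script has run) inherit these values.
for f in /proc/sys/net/ipv4/conf/*; do
   # Drop all source-routed packets
   echo "0" >"$f/accept_source_route"

   # Reverse-path (ingress) filtering - an anti-spoofing measure: a packet
   # whose source address would not be routed back out through the
   # interface it arrived on is dropped.  (The earlier version called this
   # "egress" filtering and wrote "2": on 2.2 kernels any non-zero value
   # simply switches the check on, but on 2.6.31 and later "2" selects the
   # weaker "loose" mode.  "1" is the documented strict setting and is
   # correct here, since routing is symmetric: one LAN, one PPP uplink.)
   echo "1" >"$f/rp_filter"

   # Also ignore ICMP redirects in the kernel, not only in the input chain
   # below (defence in depth; guarded because not every kernel has it).
   if [ -f "$f/accept_redirects" ]; then
      echo "0" >"$f/accept_redirects"
   fi
done


######################
# Setup IP firewalling
######################

# Refuse to go on without the ipchains binary.  The kernel settings above
# are still applied, but silently continuing here would leave the host
# with no chain policies at all and a misleading "firewall is up" feeling.
if [ ! -x /sbin/ipchains ]; then
   echo "securenet: /sbin/ipchains not found - firewall rules NOT installed" >&2
   exit 1
fi

# ipchains is stateless: every rule below matches only on addresses,
# ports and the TCP SYN flag, and cannot tell a genuine reply from a
# packet crafted to look like one.  The "reply" rules (non-SYN TCP,
# ftp-data, DNS, NTP) are therefore reachable by any remote host whose
# administrator can pick the source port.  That is the price of running
# network clients on the firewall itself with this kernel generation.

# Default policies.
# We deny all input and forwarding, then allow specific things further down.
# We allow all outgoing traffic - this could be tightened, but is only
# necessary for very secure installations.
# The policy is set *before* the flush so the chains never fail open,
# not even for the instant between the two commands.
ipchains -P input DENY;    ipchains -F input
ipchains -P forward DENY;  ipchains -F forward
ipchains -P output ACCEPT; ipchains -F output


# Allow anything on trusted interfaces
# ------------------------------------

# Allow anything on the loopback i/f: We trust ourselves.
ipchains -A input -p all -j ACCEPT -i lo

# Allow anything on the local LAN: We trust the local guys.
ipchains -A input -p all -j ACCEPT -i eth0


# Handle incoming TCP traffic
# ---------------------------

# Allow all traffic that does not try to setup a connection (no SYN).
# This is what lets replies to our own outgoing connections back in.
# Caveat: it also lets in bare ACK/FIN/RST packets, so ACK- and FIN-style
# port scans are not stopped here (they do not open connections, though).
ipchains -A input -p tcp -j ACCEPT \! -y

# Explicitly reject (RST) connections to my ident/auth server.
# Some mail servers try to talk to this when you send them mail,
# and get really slow if you shut this off.
ipchains -A input -p tcp -j REJECT -s 0/0 -d 0/0 auth -y

# If you want people from the outside to be able to access your web
# server, you must enable this. But most people don't run web servers
# on their home machines.
#ipchains -A input -p tcp -j ACCEPT -s 0/0 -d 0/0 www -y

# Allow ftp-data connections to listener ports (downloads and dir listings).
# Would be better if kernel could setup temporary rules when we start
# an ftp download ("port" command), but this will have to do for now.
# If you don't like this, consider enforcing use of passive-mode ftp only.
# Caveat: anything listening on 56000-65096 is reachable from the whole
# Internet by a client that binds source port 20 (any root user can).
ipchains -A input -p tcp -j ACCEPT -s 0/0 ftp-data -d 0/0 56000:65096 -y


# Handle incoming UDP traffic
# ---------------------------

# Allow dns replies to our locally originating requests
# BIND 8 uses the high ports for sending requests; this is good.
# Caveat: same as ftp-data above - any UDP datagram with source port 53
# reaches 56000-65096, whether or not we ever asked that host anything.
ipchains -A input -p udp -j ACCEPT -s 0/0 domain -d 0/0 56000:65096

# Allow ntp communication (uses ntp port for request and reply)
ipchains -A input -p udp -j ACCEPT -s 0/0 ntp -d 0/0 ntp

# Allow Real Audio/Video in best quality (uses udp).
# NB: This is for listening to RealAudio on the firewall only!
# Don't do this if you're paranoid - newer (G2) Real Audio will
# automatically switch to TCP if udp does not work.
#
# By default, you must allow incoming udp to ports 6970:7170,
# but that is WAY too big an area for me. Changing this does
# require some configuration of the Real Player client software.
#
# Unlike the web-server rule this one is active by default; comment it
# out if you do not use RealAudio - it opens two UDP ports to the world.
ipchains -A input -p udp -j ACCEPT -d 0/0 32768:32769


# Handle incoming ICMP
# --------------------

# Allow all, except remote timestamp-, echo- and address-mask requests,
# and ICMP redirects and router-advertisements.
# (Denying echo-requests means we cannot be ping'ed).
# Everything else - notably "fragmentation needed", which path-MTU
# discovery depends on - is still accepted by the last rule.
ipchains -A input -p icmp -s 0/0 timestamp-request    -j DENY --log
ipchains -A input -p icmp -s 0/0 address-mask-request -j DENY --log
ipchains -A input -p icmp -s 0/0 redirect             -j DENY --log
ipchains -A input -p icmp -s 0/0 router-advertisement -j DENY --log
ipchains -A input -p icmp -s 0/0 echo-request         -j DENY --log
ipchains -A input -p icmp -j ACCEPT


# Log what drops through to here. If we catch anything, it
# will be interesting.  (Packets logged here are then denied by the
# chain policy.)  ipchains has no rate limit on --log, so a flood of
# unsolicited packets becomes a flood of kernel log lines - keep an eye
# on /var/log/messages and syslog's disk space.
ipchains -A input --log



# Now, play some tricks with outgoing packets on the modem link
# Use the TOS field to prioritize different protocols
# -------------------------------------------------------------
# (-i on the output chain is the *outgoing* interface, i.e. the PPP link.)

# http, telnet and ssh get "minimum delay"
ipchains -A output -p tcp -d 0/0 80    -i ppp+ -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 23    -i ppp+ -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 22    -i ppp+ -t 0x01 0x10

# ftp-data, nntp and pop-3 get "low cost"
ipchains -A output -p tcp -d 0/0 20    -i ppp+ -t 0x01 0x02
ipchains -A output -p tcp -d 0/0 119   -i ppp+ -t 0x01 0x02
ipchains -A output -p tcp -d 0/0 110   -i ppp+ -t 0x01 0x02



######################
# Setup Masquerading #
######################

### NB: This is disabled by default. If you want to use     ###
###     masquerading, just remove the "###" comment-markers ###
###     from the lines below.                               ###

# Load the masquerading protocol-modules
# This loads all of the modules in /lib/modules/2.2.x/ipv4/
###for f in /lib/modules/$(uname -r)/ipv4/*masq*.o; do
###   /sbin/modprobe "$(basename "$f" | sed -e's/\.o$//')"
###done

# Enable a hack in the kernel for dial-on-demand Internet connectivity
# without having a static IP address.
# Without setting this, the first packet that goes out on a dial-on-demand
# connection has the wrong sender IP address, meaning that you will have
# to retransmit at least once.
# (This has nothing to do with security - but it is useful for a home
# network using masquerading).
###echo "1" >/proc/sys/net/ipv4/ip_dynaddr

# Defrag all packets. Needed for masquerading
###echo "1" >/proc/sys/net/ipv4/ip_always_defrag

# Enable forwarding (needed for masquerading)
#
# NB: On Red Hat systems, this is controlled in /etc/sysctl.conf !
#     You need to set net.ipv4.ip_forward=1 in this file, or the
#     command below will have no effect.
#
###echo "1" >/proc/sys/net/ipv4/ip_forward

# Masquerade anything that needs forwarding on the
# external interface (ppp0, usually), except all the Windows
# Netbios chit-chat on ports 137 thru 139.
# Note: "-i" on the forward chain refers to the OUTGOING interface.
#
# The "-s" rules only catch packets *sourced* from 137-139 (the UDP name
# service and browser broadcasts).  A LAN client opening an SMB session
# to an Internet host uses a high source port and destination port 139,
# so the "-d" rules are needed as well to keep that traffic off the link.
###ipchains -A forward -i ppp+ -p tcp -s 0/0 137:139 -j DENY
###ipchains -A forward -i ppp+ -p udp -s 0/0 137:139 -j DENY
###ipchains -A forward -i ppp+ -p tcp -d 0/0 137:139 -j DENY
###ipchains -A forward -i ppp+ -p udp -d 0/0 137:139 -j DENY
###ipchains -A forward -i ppp+ -j MASQ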


