
I'm confuzzed (SOLVED?)



OK, the samba startup is fixed - something crazy was going on with the link
in the rc3.d directory. When I deleted & recreated the link, things began
working fine (maybe I misspelled something). *shrug* "FM"...

Another odd thing that I finally figured out is why things I put inside
rc.local were not running...  The darned thing had permissions of 644, for
some crazy reason...  chmod'd the thing to +x, & everything is working fine.

I never have figured out what the deal was with the rc.firewall scripts that
wouldn't run...  I suppose it might have been some unprintable characters in
there, or something.  Anyway, I have made up a new rc.firewall (which seems
to work, by the way)...  It is appended to this message...  Please feel free
to reuse it, or whatever.  In particular, I would like you all to pick on it
& tell me where I screwed up, what I left out, etc.

Thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
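#!/bin/sh
#
############################################################################
#
# rc.firewall
#     Heavily plagiarized from Hal Burgiss (hburgiss bellsouth net)
#
# Tom Burke - 5 May 00 (tomii erols com)
#
# Purpose:  flush and rebuild the ipchains ruleset for a small masquerading
#     gateway: one internal ethernet segment (eth0) and one dial-up link
#     (ppp0) to the outside world.  Must run as root, after the interfaces
#     are up.  Progress is printed on stdout, errors on stderr.
#
# Usage:    rc.firewall     (no arguments, no environment variables read)
#
# Before use: set EXTERNAL_IP (and EXTERNAL_MASK) below, or uncomment the
#     dynamic-IP lines.  The script refuses to run while the placeholder
#     address is still in place.
#
# Rule order matters: ipchains walks each chain top to bottom and takes the
#     first match, so the unconditional ACCEPTs for the internal network are
#     appended before the port blocks, and the port blocks therefore only
#     bite on traffic from elsewhere.
#
# Several lines of the mailed copy had been wrapped by the mail client
#     (a bare "DENY" or "137:139 -j DENY" on a line of its own); those are
#     rejoined here so the script actually parses.
#
############################################################################
#
# variables
#
# internal interface
INTERNAL_IF=eth0
INTERNAL_IP=192.168.68.1
INTERNAL_MASK=255.255.255.0
INTERNAL_NET=$INTERNAL_IP/$INTERNAL_MASK
#
#
# external interface
EXTERNAL_IF=ppp0
#
#   These lines for dynamic IP.  (The mask line used to read $LOCALIF,
#   which is defined nowhere in this script; it has to be $EXTERNAL_IF.)
# EXTERNAL_IP=$(ifconfig "$EXTERNAL_IF" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
# EXTERNAL_MASK=$(ifconfig "$EXTERNAL_IF" | grep Mask | cut -d : -f 4)
#
EXTERNAL_IP=OUR.EXT.IP.ADDR
EXTERNAL_MASK=255.255.255.0
#
# Refuse to build a ruleset around the unedited placeholder.  ipchains would
#     choke on it anyway, but only after the old rules had been flushed,
#     which leaves the box with no firewall at all.
case "$EXTERNAL_IP" in
  ""|OUR.EXT.IP.ADDR)
    echo "rc.firewall: EXTERNAL_IP is still the placeholder - edit it first" >&2
    exit 1
    ;;
esac
#
# NOTE(review): with a /24 mask EXTERNAL_NET names the ISP's whole subnet,
#     not just this host.  For the "input" rules below that is harmless
#     (the destination is always this host), but see the forward rule in
#     the masquerading section.
EXTERNAL_NET=$EXTERNAL_IP/$EXTERNAL_MASK
echo -n "External net -> "
echo "$EXTERNAL_NET"
#
#
# Loopback Interface
LOOPBACK=lo
#
#
# All addresses
ALLADDR=0/0
#
#
# location of ipchains
IPCHAINS=/sbin/ipchains
#
#
#
############################################################################
##
# We assume that all interfaces are up...
#     Maybe this should be run in the PPP startup script?
#
# First, we flush all rules
echo -n "Flushing all rules"
#
# Delete any (empty) user-defined chains
"$IPCHAINS" -X
echo -n "."
#
# Flush Incoming rules (packets from the outside network)
"$IPCHAINS" -F input
echo -n "."
#
# Flush Outgoing rules (packets from the internal network)
"$IPCHAINS" -F output
echo -n "."
#
# Flush forwarding rules (masquerading stuff, etc)
"$IPCHAINS" -F forward
echo -n "."
echo "Done!"
#
############################################################################
#
#
# Handle the loopback device - we should accept anything coming from
#     or going to this device, otherwise we'll break the system.
#
echo -n "Loopback.."
"$IPCHAINS" -A input -i "$LOOPBACK" -s "$ALLADDR" -d "$ALLADDR" -j ACCEPT
"$IPCHAINS" -A output -i "$LOOPBACK" -s "$ALLADDR" -d "$ALLADDR" -j ACCEPT
echo -n ".."
echo "Done!"
#
############################################################################
#
# Different system tweaks
echo -n "/proc tweaks.."
#
# IP Spoofing protection (reverse-path filter on every interface)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
     for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
          echo 1 > "$i"
     done
fi
echo -n "."
#
# Ignore all ICMP echo requests addressed to this box.
#     This only affects pings aimed at the gateway itself: echo requests
#     from the internal boxes to the outside are forwarded (masqueraded),
#     not answered here, so their replies still come back.  Pinging the
#     gateway from the inside will stop working, though.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo -n "."
#
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
     echo 0 > "$i"
done
echo -n "."
#
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
     echo 0 > "$i"
done
echo -n "."
#
# Start IP Fragment Protection (reassemble before the chains see packets)
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo -n "."
#
# Start ICMP Broadcast Echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n "."
#
# Start Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -n "."
#
# Start SYN cookies protection (only present if the kernel was built with it)
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
echo -n "."
echo "Done!"
#
###########################################################################
#
# Block nonroutable IPs from entering our box
#
#     Block 192.168.0.0/16 on outer interface, only (our own internal
#     net lives in that range, so it must stay allowed on eth0).
#
#     NOTE(review): the other three rules match on destination rather than
#     interface, so they only catch packets aimed at EXTERNAL_NET; a spoofed
#     packet addressed to INTERNAL_IP arriving on ppp0 would pass them and
#     is left to rp_filter above.  Matching on -i $EXTERNAL_IF instead of
#     -d would close that gap.
#
###########################################################################
#
echo -n "Blocking non-routable addresses.."
"$IPCHAINS" -A input -s 10.0.0.0/8 -d "$EXTERNAL_NET" -j DENY
echo -n "."
"$IPCHAINS" -A input -s 127.0.0.0/8 -d "$EXTERNAL_NET" -j DENY
echo -n "."
"$IPCHAINS" -A input -s 172.16.0.0/12 -d "$EXTERNAL_NET" -j DENY
echo -n "."
"$IPCHAINS" -A input -i "$EXTERNAL_IF" -s 192.168.0.0/16 -d "$EXTERNAL_NET" -j DENY
echo -n "."
echo "Done!"
#
###########################################################################
#
# Trusted networks and services
#      Put in rules to unconditionally allow connections from
#      hosts/nets that might otherwise be blocked.
#
#      Any services that we want global, unfiltered access to
#      go here
#
#      Currently, global unfiltered access is only
#           allowed to our internal network.
#
#      External network (the internet) can have full access to
#           http, ftp, smtp, ssh, and nothing else
#
#      NOTE(review): "nothing else" is not what the ruleset enforces.  No
#      default policy is ever set for the input chain (only "forward", in
#      the masquerading section), and ipchains' built-in default is ACCEPT.
#      So everything that is not explicitly DENYed further down is admitted,
#      and the four ACCEPT rules below change nothing.  To make them
#      meaningful, finish with `$IPCHAINS -P input DENY` - but only after
#      adding ACCEPTs for the replies the box needs (masqueraded return
#      traffic, DNS answers, ICMP errors), or the gateway goes deaf.
#
echo -n "Trusted Networks.."
#
# Add the internal net's unconditional access, here.
echo -n "Internal Network..."
"$IPCHAINS" -A input -i "$INTERNAL_IF" -s "$INTERNAL_NET" -d "$ALLADDR" -j ACCEPT
#
#
# Stuff we want the outside world to be able to use...
echo -n "Global Services..."
#
# http (80)
"$IPCHAINS" -A input -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 80 -j ACCEPT
echo -n "."
#
# ftp (21 control, 20 data)
"$IPCHAINS" -A input -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 20 -j ACCEPT
"$IPCHAINS" -A input -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 21 -j ACCEPT
echo -n "."
#
# smtp (25)
"$IPCHAINS" -A input -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 25 -j ACCEPT
#
# ssh (22)
"$IPCHAINS" -A input -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 22 -j ACCEPT
echo -n "."
echo "Done!"
#
# DNS
#     May need to enable this so MASQ'd network can do DNS lookups
#     to ISP's DNS machine
#"$IPCHAINS" -A input -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 53 -j ACCEPT
#"$IPCHAINS" -A input -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 53 -j ACCEPT
#
###########################################################################
#
# Banned Networks
#
# Put troublemakers here - Rules to specifically block connections
#     from hosts/nets that are known to cause problems.  Packets are logged.
#
###########################################################################
#
# echo -n "Banned Networks.."
#
# Generic blocker/logger
# "$IPCHAINS" -A input -l -s [banned host/net] -d "$EXTERNAL_NET" [ports] -j DENY
# echo -n "."
#
# This one blocks ICMP attacks
# "$IPCHAINS" -A input -l -b -i "$EXTERNAL_IF" -p icmp -s [host/net] -d "$EXTERNAL_NET" -j DENY
# echo -n "."
# echo "Done!"
#
############################################################################
#
# Specific blocks/logging on external interface
#
# blocks off ports with known vulnerabilities
#
# Reminder: the internal net was already ACCEPTed above, so none of these
#     DENYs apply to traffic coming in on eth0 from 192.168.68.0/24.
#
############################################################################
#
echo -n "Port Blocks and traps.."
#
# NetBEUI/Samba/NetBios - only on external interface
#     Do not log - too much traffic
"$IPCHAINS" -A input -i "$EXTERNAL_IF" -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 137:139 -j DENY
"$IPCHAINS" -A input -i "$EXTERNAL_IF" -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 137:139 -j DENY
echo -n "."
#
# Microsoft SQL - all interfaces
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 1433 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 1433 -j DENY
echo -n "."
#
# Postgres SQL
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 5432 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 5432 -j DENY
echo -n "."
#
# NFS (port 2049 only; mail is port 25 and is ACCEPTed above, so no,
#     this does not block mail)
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 2049 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 2049 -j DENY
echo -n "."
#
# Back Orifice
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 31337 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 31337 -j DENY
echo -n "."
#
# NetBus
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 12345:12346 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 12345:12346 -j DENY
echo -n "."
#
# Trin00
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 1524 -j DENY
"$IPCHAINS" -A input -l -p tcp -s "$ALLADDR" -d "$EXTERNAL_NET" 27655 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 27444 -j DENY
"$IPCHAINS" -A input -l -p udp -s "$ALLADDR" -d "$EXTERNAL_NET" 31335 -j DENY
echo -n "."
#
# Multicast
#     NOTE(review): the multicast block is 224.0.0.0/4 (224-239.x.x.x);
#     /8 only covers 224.x.x.x.  Left as written; widen if you mean all of it.
"$IPCHAINS" -A input -s 224.0.0.0/8 -d "$ALLADDR" -j DENY
"$IPCHAINS" -A input -s "$ALLADDR" -d 224.0.0.0/8 -j DENY
echo -n "."
echo "Done!"
#
##########################################################################
#
# All I/O rules are done(?) - set up masquerade
#
##########################################################################
#
echo -n "Masquerading.."
#
# Install any helpers we might need - Our CU_SeeMe seems to
#     work without the cuseeme module.  Failures are deliberately
#     ignored: a missing helper module just means that protocol won't
#     masquerade, it is not fatal to the firewall.
/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1
#/sbin/modprobe ip_masq_mfw > /dev/null 2>&1
#/sbin/modprobe ip_masq_autofw > /dev/null 2>&1
#/sbin/modprobe ip_masq_portfw > /dev/null 2>&1
#/sbin/modprobe ip_masq_cuseeme > /dev/null 2>&1
echo -n "."
#
# Masq timeouts - tcp 4hrs (14400s), tcp after fin pkt 60s, udp 10min
"$IPCHAINS" -M -S 14400 60 600
echo -n "."
#
# Tell kernel to allow forwarding (required for masquerading)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "."
#
# Tell kernel to allow dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "."
#
# Don't masq internal traffic
"$IPCHAINS" -A forward -s "$INTERNAL_NET" -d "$INTERNAL_NET" -j ACCEPT
echo -n "."
#
# Don't masq external interface direct
#     NOTE(review): because EXTERNAL_NET is the ISP's /24, this accepts
#     forwarding for any source on that subnet, to any destination -
#     including the internal net, now that ip_forward is on.  If the
#     intent is only "don't masq our own address", use $EXTERNAL_IP here.
"$IPCHAINS" -A forward -s "$EXTERNAL_NET" -d "$ALLADDR" -j ACCEPT
echo -n "."
#
# Masq all internal IPs going outside
"$IPCHAINS" -A forward -s "$INTERNAL_NET" -d "$ALLADDR" -j MASQ
echo -n "."
#
# Set default policy on the forward chain to deny (the only chain that
#     gets a default policy in this script)
"$IPCHAINS" -P forward DENY
echo -n "."
#
## Allow all connections from the network to the outside
#     NOTE(review): unlike the "Internal Network" rule above, this input
#     rule is not tied to -i $INTERNAL_IF; a packet on ppp0 claiming a
#     192.168.68.x source is only stopped by the 192.168.0.0/16 DENY and
#     rp_filter earlier on.  Adding -i "$INTERNAL_IF" makes it explicit.
"$IPCHAINS" -A input -s "$INTERNAL_NET" -d "$ALLADDR" -j ACCEPT
"$IPCHAINS" -A output -s "$INTERNAL_NET" -d "$ALLADDR" -j ACCEPT
echo -n "."
echo "Done!"
#
#########################################################################
#
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "Tweak TOS bits for minimum delay.."
#
# Set telnet, www, smtp, pop3 and FTP for minimum delay
"$IPCHAINS" -A output -p tcp -d 0/0 80 -t 0x01 0x10
"$IPCHAINS" -A output -p tcp -d 0/0 22 -t 0x01 0x10
"$IPCHAINS" -A output -p tcp -d 0/0 23 -t 0x01 0x10
"$IPCHAINS" -A output -p tcp -d 0/0 21 -t 0x01 0x10
"$IPCHAINS" -A output -p tcp -d 0/0 110 -t 0x01 0x10
"$IPCHAINS" -A output -p tcp -d 0/0 25 -t 0x01 0x10
echo -n "."
#
# Set ftp-data for maximum throughput
"$IPCHAINS" -A output -p tcp -d 0/0 20 -t 0x01 0x08
echo -n "."
echo "Done!"
#
# Allow outgoing ICMP
echo -n "Allow outgoing ICMP.."
"$IPCHAINS" -A output -p icmp -s "$INTERNAL_NET" -d "$ALLADDR" -j ACCEPT
echo -n "."
echo "Done!"
#
############################################################################
#
# Start PortSentry (one instance per protocol)
/usr/local/bin/psionic/portsentry/portsentry -atcp
/usr/local/bin/psionic/portsentry/portsentry -audp
#
############################################################################
# End of rc.firewall!
############################################################################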


