Re: [pmfirewall] ipmasq problem... why doesn't it work for me


From: katpete (katpete@optonline.net)
Date: Thu Nov 23 2000 - 10:11:13 PST


Alex Boag-Munroe wrote:

> Hold on a minute...
>
> No distribution of Linux is designed to be one thing or another, it's all
> Linux! If Red Hat isn't supposed to be a server, then how come CNN use it as
> such?
>
> Katpete: Send us your pmfirewall configs.

OK, here they are:

#!/bin/sh
# pmfirewall.conf - used by pmfirewall package
IPCHAINS=/sbin/ipchains
ATBOOT=1
CONFIG_DIR=/usr/local/pmfirewall
OUTERIF=eth0
REMOTENET=0/0
OUTERIP=`ifconfig $OUTERIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
OUTERMASK=`ifconfig $OUTERIF | grep Mas | cut -d : -f 4`
OUTERNET=$OUTERIP/$OUTERMASK
INTERNALIF=eth1
INTERNALIP=`ifconfig $INTERNALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
INTERNALMASK=`ifconfig $INTERNALIF | grep Mas | cut -d : -f 4`
INTERNALNET=$INTERNALIP/$INTERNALMASK

#!/bin/sh
# pmfirewall.rules.1 used by pmfirewall package
#
#### Start Firewall ####

## Allow loopback interface
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

# Allow packets with ack bit set, they are from an established connection.
$IPCHAINS -A input ! -y -p tcp -s $REMOTENET -d $OUTERNET -j ACCEPT

# Block incoming IP Spoofing

# Turn on Source Address Verification

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
 then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
   echo 1 > $f
  done
fi

#Turn on SYN COOKIES PROTECTION (Thanks Holger!)
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
 then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Now read pmfirewall.rules.local

#!/bin/sh
# pmfirewall.rules.local
# ver.PM1 (do not remove this line)

                   ### BEGIN SYSTEM DEFAULTS ###

# Block Nonroutable IP's from entering on the External Interface
$IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF

# - Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.
#

# Back Orifice (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l

# NetBus (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l

# Trin00 (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 27665 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 27444 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31335 -j DENY -l

# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $REMOTENET -j DENY
$IPCHAINS -A input -s $REMOTENET -d 224.0.0.0/8 -j DENY

                       ### END SYSTEM DEFAULTS ###

                            #### EXAMPLES ###

### ALLOWED NETWORKS
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.
#$IPCHAINS -A input -s [trusted host/net] -d $OUTERNET <ports> -j ACCEPT

### BLOCKED NETWORKS
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause problems. These packets are logged.
#$IPCHAINS -A input -s [banned host/net] -d $OUTERNET <ports> -j DENY -l

### BLOCK ICMP ATTACKS
#
#$IPCHAINS -A input -b -i $OUTERIF -p icmp -s [host/net] -d $OUTERNET -j DENY -l

                         #### END OF EXAMPLES ###

     ### AUTOMATICALLY GENERATED BY THE INSTALL SCRIPT ###

#UNRESTRICTED ACCESS
$IPCHAINS -A input -s 192.168.1.1/24 -d $REMOTENET -j ACCEPT
#DHCP CLIENT ALLOW
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 67:68 -i $OUTERIF -j ACCEPT
#FTP
$IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 21 -j ACCEPT
#SSH
$IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 22 -j ACCEPT
#TELNET
$IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 23 -j ACCEPT
#HTTPD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
#IDENTD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 113 -j REJECT
#NETBIOS
$IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s 192.168.1.1/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
#SSL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 443 -j ACCEPT
#RIP
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 520 -i $OUTERIF -j REJECT
#NFS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
#XSERVER
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
#DHCP SERVER
$IPCHAINS -A input -p udp -s $REMOTENET 67 -i $INTERNALIF -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET 68 -i $INTERNALIF -j ACCEPT

#!/bin/sh
#pmfirewall.rules.masq - used by pmfirewall package
#

## Masquerading

## Modules to help certain services

/sbin/depmod -a >/dev/null 2>&1
/sbin/modprobe ip_masq_ftp >/dev/null 2>&1
/sbin/modprobe ip_masq_raudio >/dev/null 2>&1
/sbin/modprobe ip_masq_irc >/dev/null 2>&1
/sbin/modprobe ip_masq_icq >/dev/null 2>&1
/sbin/modprobe ip_masq_quake >/dev/null 2>&1
/sbin/modprobe ip_masq_user >/dev/null 2>&1
/sbin/modprobe ip_masq_vdolive >/dev/null 2>&1

## Masquerading firewall timeouts: tcp conns 4hrs (14400s), tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600

## Set up kernel to enable IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

## Set up kernel to handle dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

## Don't Masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## Don't Masquerade external interface direct
$IPCHAINS -A forward -s $OUTERNET -d $REMOTENET -j ACCEPT

## Masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

## Set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY

## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT

>
>
> Also, make sure you have IPMasquerading enabled in your kernel (For info on
> recompiling the kernel, see the Kernel Howto on www.linuxdoc.org ).
>

I thought that redhat 6.2 has ipmasq'ing in the kernel. Is there any way to
tell if there is something wrong with my kernel, or do I just have to recompile
it?

>
> Then ensure that IPChains is installed. To do this:
>
> As root type rpm -qa | grep -i ipchain
>

The response is:
ipchains-1.3.9-5

>
> And hit return.
>
> HTH
>
> Alex
>
>

Thanks,

Pete

****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
*
* Need answers fast? Check the list archive located at:
* http://www.pointman.org/PMFirewall/list-archive/
*
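The question left open in the message above is how to tell whether the kernel, or the posted configuration, is the reason masquerading does not work. The script below is an added example for this archive page; it is not part of pmfirewall and was not posted by either participant. It reproduces the `ifconfig | grep | cut` pipeline that pmfirewall.conf uses to build INTERNALNET, so you can see what the MASQ rule actually receives, checks the two kernel prerequisites the masq rules depend on (masquerading compiled in, ip_forward set), and parses the forward chain listing for the MASQ rule. Function names and the sample ifconfig / `ipchains -L forward -n` output are constructed for illustration; the one assumption about the kernel is that 2.2-series kernels expose /proc/net/ip_masquerade only when IP masquerading is compiled in.

```shell
#!/bin/sh
# Diagnostic helper for the pmfirewall setup posted above. Added example, not
# part of pmfirewall or of the original message. Function names and the sample
# ifconfig / ipchains output are constructed for illustration.

# pmfirewall.conf derives INTERNALNET with `ifconfig | grep | cut`. Reproduce
# that pipeline on a string so the result can be inspected before the MASQ
# rule ever runs. Prints "ip/mask".
net_from_ifconfig() {
    _ip=$(printf '%s\n' "$1" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
    _mask=$(printf '%s\n' "$1" | grep Mas | cut -d : -f 4)
    printf '%s/%s\n' "$_ip" "$_mask"
}

# A usable value is exactly one line of dotted-quad/dotted-quad. An interface
# that is down yields "/", and newer net-tools that print an "inet6 addr:"
# line yield two lines; either makes `ipchains -A forward -s $INTERNALNET`
# fail, so the MASQ rule is silently missing from the chain.
net_is_valid() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}/[0-9]+(\.[0-9]+){3}$'
}

# Kernel-side prerequisites, read under prefix $1 (empty for the live /proc).
# Prints one line per problem and returns non-zero if any was found.
check_kernel() {
    _rc=0
    # Assumption: 2.2 kernels create this file only when masquerading is
    # compiled in, which answers "is something wrong with my kernel?"
    if [ ! -e "$1/proc/net/ip_masquerade" ]; then
        echo "missing /proc/net/ip_masquerade: no IP masquerading in this kernel"
        _rc=1
    fi
    if [ "$(cat "$1/proc/sys/net/ipv4/ip_forward" 2>/dev/null)" != 1 ]; then
        echo "ip_forward is not 1: packets from the internal interface are never forwarded"
        _rc=1
    fi
    return $_rc
}

# Parse the text of `ipchains -L forward -n`: the chain policy, and the
# source of every MASQ rule whose destination is the whole Internet.
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain forward (policy \([A-Z]*\)).*/\1/p'
}
masq_sources() {
    printf '%s\n' "$1" | awk '$1 == "MASQ" && $5 == "0.0.0.0/0" { print $4 }'
}

# Constructed samples in the net-tools ifconfig and ipchains -L -n layouts of
# the 2.2 kernel era; adjust the parsing if your output differs.
IFCONFIG_ETH1_UP=$(cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
)
IFCONFIG_ETH1_DOWN=$(cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          BROADCAST MULTICAST  MTU:1500  Metric:1
EOF
)
IPCHAINS_FORWARD=$(cat <<'EOF'
Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.1.0/24       192.168.1.0/24        n/a
MASQ       all  ------  192.168.1.0/24       0.0.0.0/0             n/a
EOF
)

# Walk-through on the samples, then a live look at this machine's /proc.
for sample in "$IFCONFIG_ETH1_UP" "$IFCONFIG_ETH1_DOWN"; do
    net=$(net_from_ifconfig "$sample")
    if net_is_valid "$net"; then
        echo "INTERNALNET=$net  (usable)"
    else
        echo "INTERNALNET='$net'  (interface down or ambiguous: MASQ rule would not load)"
    fi
done
echo "forward policy: $(forward_policy "$IPCHAINS_FORWARD")"
echo "MASQ sources:   $(masq_sources "$IPCHAINS_FORWARD")"
check_kernel "" || echo "(run on the firewall itself for a meaningful live check)"
```

Run it on the firewall after the pmfirewall scripts have been loaded, and compare the MASQ source it reports against `ifconfig eth1`. If eth1 is not up when the scripts run at boot (ATBOOT=1 in the posted pmfirewall.conf), INTERNALNET comes out as "/", the `-A forward ... -j MASQ` line fails, and the forward chain is left with only its DENY policy, which looks exactly like "masquerading is broken" even though the kernel is fine.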



This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:38:02 PDT