
Ipchains Scripting

by Neil Schneider last modified 2005-05-02 02:15

A 1999 presentation by Neil Schneider with example scripts for creating a firewall with ipchains.

Creation Date:
21 Sep 1999
Last Modified:
21 Sep 1999
Maintained by:
Neil Schneider

This is an example script for setting up packet filtering on a Linux system using the (then new) ipchains. You need to understand the implications of these rules before implementing them, especially the default-deny policy.

This script, /etc/rc.d/rc.ipchains, is meant to be called from /etc/rc.d/rc.local on a gateway machine. Add a line to rc.local that calls it:

/etc/rc.d/rc.ipchains

It must be executable. The first line in the file should be:

#!/bin/bash

This script is highly restrictive and will allow only specific services to be used on or through the system.

DO NOT USE THIS SCRIPT UNLESS YOU UNDERSTAND WHAT YOU ARE DOING!

You may find yourself unable to access services with this script in place.

  #!/bin/bash
  # /etc/rc.d/rc.ipchains

  # First define some useful names for configuration.
  # If you do not have a definition for a variable, comment out or remove every
  # line containing a reference to that variable, otherwise the script will fail.
  # For example, there is no definition for the variable EXTERNAL_DNS1.
  # As written, this script will fail. Empty (null) values in the variable
  # definitions are unacceptable, so beware.
  INTERNAL_IP="192.168.1.1"
  INTERNAL_IF="eth1"
  INTERNAL_NET="192.168.1.0/24"
  EXTERNAL_IP="192.168.0.11"
  EXTERNAL_IF="eth0"
  EXTERNAL_NET="192.168.0.0/24"
  EXTERNAL_DNS1=""
  EXTERNAL_DNS2=""
  EXTERNAL_DNS3=""
  EXTERNAL_NEWS=""
  EXTERNAL_MAIL=""
  ADMIN_1_IP="192.168.0.1/24"
  ADMIN_2_IP=""
  BROADCAST_0="0.0.0.0"
  BROADCAST_1="255.255.255.255"
  MULTICAST="240.0.0.0/3"
  LOOPBACK="127.0.0.1"
  LOOPBACK_IF="lo"          # -i takes an interface name, not an address
  ANYWHERE="0.0.0.0/0"
  UNPRIVPORTS="1024:65535"

  # Reset to known state
  /sbin/ipchains -F

  # Set default policy
  /sbin/ipchains -P input DENY      # deny all input except loopback
  /sbin/ipchains -P output ACCEPT   # accept all output not specifically denied
  /sbin/ipchains -P forward DENY    # don't allow any forwarding

  # Unlimited access for internal network #
  /sbin/ipchains -A input -i $INTERNAL_IF -s $INTERNAL_NET -d $INTERNAL_IP -j ACCEPT

  # Allow interprocess communications #
  # (the original used -i $LOOPBACK here; ipchains -i matches an interface
  # name, so "lo" is needed for these rules to match anything)
  /sbin/ipchains -A input -i $LOOPBACK_IF -s $LOOPBACK -j ACCEPT
  /sbin/ipchains -A output -i $LOOPBACK_IF -d $LOOPBACK -j ACCEPT

  # Spoofing denial #
  # Refuse packets claiming to be from the internal network, arriving on the external interface.
  /sbin/ipchains -A input -i $EXTERNAL_IF -s $INTERNAL_NET -l -j DENY
  /sbin/ipchains -A output -i $EXTERNAL_IF -d $EXTERNAL_IP -l -j REJECT

  # Refuse packets claiming to be to or from the loopback interface
  /sbin/ipchains -A input -i $EXTERNAL_IF -s $LOOPBACK -l -j DENY
  /sbin/ipchains -A output -i $EXTERNAL_IF -d $LOOPBACK -l -j DENY
  /sbin/ipchains -A output -i $EXTERNAL_IF -s $LOOPBACK -l -j REJECT
  /sbin/ipchains -A output -i $EXTERNAL_IF -d $LOOPBACK -l -j REJECT

  # Refuse broadcast address SOURCE packets
  /sbin/ipchains -A input -i $EXTERNAL_IF -s $BROADCAST_1 -l -j DENY
  /sbin/ipchains -A input -i $EXTERNAL_IF -d $BROADCAST_0 -l -j DENY

  # Refuse multicast/anycast/broadcast addresses
  /sbin/ipchains -A input -i $EXTERNAL_IF -s $MULTICAST -j DENY

  # ICMP packets #
  # (for -p icmp the "port" after the source address is the ICMP type)
  # Accept echo replies (ping)
  /sbin/ipchains -A input -i $EXTERNAL_IF -p icmp -s $ANYWHERE 0 -d $EXTERNAL_IP -j ACCEPT
  # Accept destination unreachable
  /sbin/ipchains -A input -i $EXTERNAL_IF -p icmp -s $ANYWHERE 3 -d $EXTERNAL_IP -j ACCEPT
  # Accept source quench
  /sbin/ipchains -A input -i $EXTERNAL_IF -p icmp -s $ANYWHERE 4 -d $EXTERNAL_IP -j ACCEPT
  # Accept time exceeded
  /sbin/ipchains -A input -i $EXTERNAL_IF -p icmp -s $ANYWHERE 11 -d $EXTERNAL_IP -j ACCEPT
  # Accept parameter problem
  /sbin/ipchains -A input -i $EXTERNAL_IF -p icmp -s $ANYWHERE 12 -d $EXTERNAL_IP -j ACCEPT
  # Return destination unreachable
  /sbin/ipchains -A output -i $EXTERNAL_IF -p icmp -s $EXTERNAL_IP 3 -d $ANYWHERE -j ACCEPT
  # Return source quench
  /sbin/ipchains -A output -i $EXTERNAL_IF -p icmp -s $EXTERNAL_IP 4 -d $ANYWHERE -j ACCEPT
  # Send out echo request (ping & traceroute)
  /sbin/ipchains -A output -i $EXTERNAL_IF -p icmp -s $EXTERNAL_IP 8 -d $ANYWHERE -j ACCEPT
  # Send parameter problem
  /sbin/ipchains -A output -i $EXTERNAL_IF -p icmp -s $EXTERNAL_IP 12 -d $ANYWHERE -j ACCEPT

  # Don't respond to traceroute, usually -S 32769:65535 -D 33434:33523
  /sbin/ipchains -A input -i $EXTERNAL_IF -p udp -s $ANYWHERE 32769:65535 -d $EXTERNAL_IP 33434:33523 -l -j DENY

  # Incoming telnet from an administrator #
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ADMIN_1_IP -d $EXTERNAL_IP 23 -j ACCEPT

  # Allow outgoing telnet connection (replies from the remote server) #
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE 23 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

  # SSH sessions from an administrator #
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ADMIN_1_IP -d $EXTERNAL_IP 22 -j ACCEPT

  # Allow other proxy caches to connect to us #
  /sbin/ipchains -A input -i $EXTERNAL_IF -p udp -s $ANYWHERE -d $EXTERNAL_IP 3130 -j ACCEPT
  /sbin/ipchains -A input -i $EXTERNAL_IF -p udp -s $ANYWHERE -d $EXTERNAL_IP 3129 -j ACCEPT

  # FTP (20 & 21) #
  # ("! -y" matches only packets that are NOT the initial SYN, i.e. replies)
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp ! -y -s $ANYWHERE 21 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE 20 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

  # Mail #
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp ! -y -s $ANYWHERE 25 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP 25 -j ACCEPT

  # DNS (53) #
  # Answer to outgoing UDP query, outside server to local client
  /sbin/ipchains -A input -i $EXTERNAL_IF -p udp -s $ANYWHERE 53 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
  # Answer to outgoing TCP query, outside server to local client
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE 53 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
  # Query or response between two servers via UDP
  /sbin/ipchains -A input -i $EXTERNAL_IF -p udp -s $ANYWHERE 53 -d $EXTERNAL_IP 53 -j ACCEPT
  # Query from external server to internal server via TCP,
  # also zone transfer request from external secondary server via TCP
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP 53 -j ACCEPT
  # Answer from external server to internal server via TCP
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE 53 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

  # Gopher (70) #
  # gopher services must be here for squid to work
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE $UNPRIVPORTS -d $EXTERNAL_IP 70 -j ACCEPT
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $ANYWHERE 70 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

  # Usenet news #
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $EXTERNAL_NEWS $UNPRIVPORTS -d $EXTERNAL_IP 119 -j ACCEPT
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp -s $EXTERNAL_NEWS 119 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT

  # HTTP #
  # Server to client
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp ! -y -s $ANYWHERE 80 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
  # Server to client HTTPS (443)
  # (the original read $UPRIVPORTS, a misspelling that expands to nothing and
  # would have accepted non-SYN packets from port 443 to ANY local port)
  /sbin/ipchains -A input -i $EXTERNAL_IF -p tcp ! -y -s $ANYWHERE 443 -d $EXTERNAL_IP $UNPRIVPORTS -j ACCEPT
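The warning at the top of the script (an empty or misspelled variable either makes the script fail or silently makes a rule broader than intended) can be enforced before any rule is loaded. The prologue below is an added example, not part of Neil Schneider's script; it assumes the variable names used above, and the check_config, ipc and preflight functions are its own invention.

```shell
#!/bin/bash
# Added preflight prologue for /etc/rc.d/rc.ipchains (example, not part of the
# original script). It catches the two configuration mistakes the script's own
# comments warn about before any rule reaches the kernel:
#   1. a variable that is set but empty, which silently drops a port or address
#      from the rule it appears in and makes that rule broader than intended;
#   2. a misspelled variable name (e.g. $UPRIVPORTS), which expands to nothing.
# set -u makes the shell abort on case 2; check_config handles case 1.
set -u

# Variables the original rules actually reference. EXTERNAL_DNS1-3,
# EXTERNAL_MAIL and ADMIN_2_IP are declared there but never used, so an empty
# value for them is harmless and they are not listed.
REQUIRED_VARS="INTERNAL_IP INTERNAL_IF INTERNAL_NET EXTERNAL_IP EXTERNAL_IF
ADMIN_1_IP EXTERNAL_NEWS BROADCAST_0 BROADCAST_1 MULTICAST LOOPBACK ANYWHERE
UNPRIVPORTS"

# check_config: return 0 if every required variable is non-empty; otherwise
# name each empty one on stderr and return 1 so the caller loads nothing.
check_config() {
    missing=0
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "rc.ipchains: $name is empty; refusing to load rules" >&2
            missing=1
        fi
    done
    return $missing
}

# ipc: wrapper to use in place of /sbin/ipchains. It logs every rule it applies
# to stderr (so a failed boot leaves a record of how far the script got) and
# fails on the first rule the kernel rejects. Setting IPCHAINS=echo dry-runs
# the script on a host that has no ipchains at all.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
ipc() {
    echo "rc.ipchains: applying: $*" >&2
    "$IPCHAINS" "$@" || { echo "rc.ipchains: rule failed: $*" >&2; return 1; }
}

# preflight: the guard that would sit between the variable block and the
# original's "/sbin/ipchains -F", loading the reset and default policies only
# once the configuration has been validated.
preflight() {
    check_config || return 1
    ipc -F && ipc -P input DENY && ipc -P output ACCEPT && ipc -P forward DENY
}
```

Replace each /sbin/ipchains in the rule section with ipc and call preflight in place of the reset and policy lines; with the values shipped in the script, check_config refuses to load because EXTERNAL_NEWS is empty.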

Here are some useful references to learn more about ipchains rules.

Web Sites

This site is maintained by the author of the ipchains kernel code, and contains many good examples.

Books

Though not specific to ipchains, these have information that you will find useful for designing your own rules.

Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates, Inc. ISBN 1-56592-124-0.

Practical Unix & Internet Security, by Simson Garfinkel and Gene Spafford. O'Reilly & Associates, Inc. ISBN 1-56592-148-8.

Firewalls and Internet Security: Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin. Addison-Wesley Publishing Company. ISBN 0-201-63357-4.

Internet Security Professional Reference, by Derek Atkins, Paul Buis, Chris Hare, Robert Kelley, Carey Nachenberg, Anthony B. Nelson, Paul Phillips, Tim Ritchey, Tom Sheldon and Joel Snyder. New Riders Publishing. ISBN 1-56205-760-X.
