Where do I put this?


MkIII_Supra
03-22-2001, 10:22 AM
In the new Red Hat running the 2.4.2 kernel, where does this go? Is it in /etc/sysconfig/firewall or in /etc/sysconfig/ipchains? Also, will this firewall work with the 2.4 kernel and its ipchains set-up?
Thanks!


# /etc/rc.d/rc.firewall
# Invoked from /etc/sysconfig/network-scripts/pump-done, or
# from /etc/dhcpc/dhcpcd-eth0.exe, or
# from /etc/sysconfig/network-scripts/ifdhcpc-done.
#
# Purpose: a single-host ipchains packet filter for a DHCP-configured
# machine. Every chain gets a deny/reject default policy; only the client
# protocols listed further down are explicitly accepted.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention

# Placeholder only: the dhcp lease file sourced below is expected to
# redefine IPADDR. If it does not (and this line is not edited), the literal
# string "my.ip.address" is what ipchains receives as the -s/-d host.
IPADDR="my.ip.address" # your IP address

ANYWHERE="any/0" # match any IP address


SEGMENT MISSING INTENTIONALLY


# Address ranges and port ranges referenced by the rules below.
# The CLASS_* names are the historical (classful) labels for the RFC 1918
# private ranges, multicast, and the reserved top of the address space.
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
# Note: 240.0.0.0/5 covers 240-247 only; 248.0.0.0/5 is denied by a separate
# rule in the reserved-address section.
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
# Port ranges use the ipchains "low:high" syntax.
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range

# ----------------------------------------------------------------------------

# nameservers are originally from /etc/dhcpc/resolv.conf.
# The example ifdhcpc-done script updates these automatically and
# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.

# The IP address, $IPADDR, is defined by dhcpc

# Load the DHCP lease variables (IPADDR, DHCPSIADDR, NAMESERVER_n) from
# whichever client wrote them. Each file is executed as shell code by this
# root-run script, so it must be root-owned and not writable by anyone else.
# NOTE(review): the example ifdhcpc-done script at the bottom appends
# NAMESERVER_n lines to the hostinfo file from DHCP-supplied data -- confirm
# what it writes is validated, since anything in that file runs here as root.
if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
. /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
. /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
elif [ -f /etc/dhcpc/pump.info ]; then
. /etc/dhcpc/pump.info
else
# No lease information: fail closed. Everything but loopback is denied
# and the script stops with status 1.
# NOTE(review): the flush runs before the DENY policies are set, leaving
# whatever policy was previously in force (with no rules) for an instant;
# setting -P first and flushing second avoids that window.
echo "rc.firewall: dhcp is not configured."
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
exit 1
fi

# If using the example ifdhcpc-done script, the above NAMESERVER
# definitions will be overridden correctly here.

# DHCPSIADDR is expected from the sourced lease file. If it is unset,
# DHCP_SERVER is empty and the "-s $DHCP_SERVER 67" rules further down are
# built without their address argument -- confirm the client sets it.
DHCP_SERVER=$DHCPSIADDR

# ----------------------------------------------------------------------------

# Ports of services that must never be reachable from, or contacted on, the
# Internet (denied explicitly in the "UNPRIVILEGED PORTS" sections) plus the
# ranges used by SSH and traceroute.
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063" # (TCP) X windows

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
# NOTE(review): SSH_LOCAL_PORTS starts at 1022, not at 513 as the text above
# suggests -- intentional if local clients are configured for unprivileged
# ports only; confirm.
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

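# Reset the filter to a closed default before the rules are (re)built.
#
# The policies are set BEFORE the flush. Flushing first would leave each
# chain with no rules and whatever policy was previously in force (ACCEPT on
# a freshly booted kernel) for the instant between "-F" and the "-P" calls:
# a brief fail-open. With the policies set first the chains are never more
# permissive than DENY/REJECT while this script rebuilds them; the end state
# is the same as flushing first.

# Set the default policy of the filter to deny.
# input: DENY (silent drop). output: REJECT, so local programs that hit a
# blocked destination get an immediate error instead of a timeout.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# Remove all existing rules belonging to this filter
ipchains -F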

# ----------------------------------------------------------------------------

# ----------------------------------------------------------------------------
# Kernel (/proc/sys) network hardening.
#
# set_ipv4_sysctl VALUE FILE...  writes VALUE into each FILE. Callers pass the
# per-interface /proc/sys/net/ipv4/conf/*/... globs, so every interface that
# exists when this runs (including "all" and "default") gets the setting.
set_ipv4_sysctl() {
  sysctl_value=$1
  shift
  for sysctl_file in "$@"; do
    echo "$sysctl_value" > "$sysctl_file"
  done
}

# TCP SYN cookie protection.
set_ipv4_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies

# Always reassemble fragments before the rules see the packet.
set_ipv4_sysctl 1 /proc/sys/net/ipv4/ip_always_defrag

# Ignore ICMP echo requests sent to a broadcast address.
set_ipv4_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore malformed ICMP error responses.
set_ipv4_sysctl 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# IP spoofing protection: source address verification (reverse-path filter)
# on every interface.
set_ipv4_sysctl 1 /proc/sys/net/ipv4/conf/*/rp_filter

# Do not accept ICMP redirects.
set_ipv4_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_redirects

# Do not accept source-routed packets.
set_ipv4_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_source_route

# Log spoofed, source-routed and redirect packets (martians).
set_ipv4_sysctl 1 /proc/sys/net/ipv4/conf/*/log_martians


# ----------------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface.
# Without these two rules the default policies would apply to loopback too.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Network Ghouls

# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.

# Refuse any connection from problem sites
# The file is sourced, i.e. executed as shell code by this root-run script,
# not parsed as a list of addresses: keep it root-owned and not writable by
# any other user or group, and treat edits to it as edits to this script.
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
# NOTE(review): unlike most rules in this script, the anti-spoof rules in
# this section carry no "-i $EXTERNAL_INTERFACE", so they apply on every
# interface. Fine for a single-homed host; if a LAN interface is added, the
# private-network denies below will also drop legitimate LAN traffic.
ipchains -A input -s $IPADDR -j DENY -l

# Refuse incoming packets claiming to be from a Class A, B or C private network
ipchains -A input -s $CLASS_A -j DENY -l
ipchains -A input -s $CLASS_B -j DENY -l
ipchains -A input -s $CLASS_C -j DENY -l

# Refuse broadcast address SOURCE packets
# First rule: source is the limited-broadcast address 255.255.255.255.
# Second rule: destination is 0.0.0.0 (a destination check, despite the
# heading).
ipchains -A input -s $BROADCAST_DEST -j DENY -l
ipchains -A input -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s $CLASS_D_MULTICAST -j DENY -l

# Refuse Class E reserved IP addresses
ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l

# Refuse addresses defined as reserved by the IANA.
# Note: this list includes the loopback addresses.
#
# NOTE(review): this is a bogon list as of the script's writing (2001). IANA
# has since assigned almost all of these blocks; only the 240.0.0.0/4
# reserved space, 169.254.0.0/16 (link-local) and 192.0.2.0/24 (TEST-NET)
# remain special-use. Deployed as written, these rules would drop traffic
# from large parts of today's Internet. A hard-coded bogon list needs a
# maintenance process; verify every range against current allocations
# before use, or drop this section and rely on the rp_filter setting above.

# 0.*.*.* - Can't be blocked for DHCP users.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-127.*.*.*
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 217-223.*.*.*
# 248.*.*.* - Unallocated

ipchains -A input -s 1.0.0.0/8 -j DENY -l
ipchains -A input -s 2.0.0.0/8 -j DENY -l
ipchains -A input -s 5.0.0.0/8 -j DENY -l
ipchains -A input -s 7.0.0.0/8 -j DENY -l
ipchains -A input -s 23.0.0.0/8 -j DENY -l
ipchains -A input -s 27.0.0.0/8 -j DENY -l
ipchains -A input -s 31.0.0.0/8 -j DENY -l
ipchains -A input -s 37.0.0.0/8 -j DENY -l
ipchains -A input -s 39.0.0.0/8 -j DENY -l
ipchains -A input -s 41.0.0.0/8 -j DENY -l
ipchains -A input -s 42.0.0.0/8 -j DENY -l
ipchains -A input -s 58.0.0.0/7 -j DENY -l
ipchains -A input -s 60.0.0.0/8 -j DENY -l
ipchains -A input -s 65.0.0.0/8 -j DENY -l
ipchains -A input -s 66.0.0.0/7 -j DENY -l
ipchains -A input -s 68.0.0.0/6 -j DENY -l
ipchains -A input -s 72.0.0.0/5 -j DENY -l
ipchains -A input -s 80.0.0.0/4 -j DENY -l
ipchains -A input -s 96.0.0.0/3 -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24 -j DENY -l
ipchains -A input -s 217.0.0.0/8 -j DENY -l
ipchains -A input -s 218.0.0.0/7 -j DENY -l
ipchains -A input -s 220.0.0.0/6 -j DENY -l
ipchains -A input -s 248.0.0.0/5 -j DENY -l

# ----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

# Explicit denies for unprivileged-port services that must not be reachable
# from the Internet. "-y" matches only segments with SYN set and ACK clear,
# i.e. connection attempts. These come BEFORE the broad "unprivileged to
# unprivileged" ACCEPT in the IRC section, which would otherwise let such
# connection attempts through -- keep this ordering.

# NFS: establishing a TCP connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j REJECT

# openwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $OPENWINDOWS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $OPENWINDOWS_PORT -j REJECT


# Xwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j REJECT

# SOCKS: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j REJECT

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

# NFS over UDP must not be reachable; the TCP counterpart is in the section
# above. Logged (-l).
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DENY -l

# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# Inbound traceroute probes in the classic UDP port ranges are denied and
# logged; probes using other ports or protocols fall through to the
# catch-all denies at the end of the script.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DENY -l


# DNS client (53)
# ---------------
# Queries to the two nameservers learned from DHCP (NAMESERVER_1/_2, set by
# the sourced lease file) over UDP and TCP; replies are accepted only from
# those servers' port 53. A third nameserver would need its own four rules.
# The TCP reply rules use "! -y" so they never accept a connection attempt
# from the server side. NAMESERVER_1/_2 are undefined unless the lease file
# sets them.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# HTTP client (80)
# ----------------
# Web browsing from this host. Outbound: our unprivileged port -> any:80.
# Inbound: ipchains has no connection tracking, so the reply rule trusts the
# remote SOURCE port -- any non-SYN segment from port 80 to one of our
# unprivileged ports is accepted, whether or not we asked for it. "! -y"
# keeps it from accepting new connections.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 80 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# HTTPS client (443)
# ------------------
# Same shape as HTTP.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 443 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# POP client (110)
# ----------------
# POP_SERVER and SMTP_SERVER are not defined anywhere in this listing (the
# omitted segment near the top presumably held them). These rules are
# restricted to those hosts, which is tighter than the port-only rules
# above. Both protocols here are cleartext.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $POP_SERVER 110 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $POP_SERVER 110 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# SMTP client (25)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $SMTP_SERVER 25 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $SMTP_SERVER 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# SSH client (22)
# ---------------
# Outbound SSH from SSH_LOCAL_PORTS to any host's port 22; replies from
# port 22 are accepted without SYN, into the same local range.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 22 \
-d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT

# ------------------------------------------------------------------

# TELNET client (23)
# ------------------
# NOTE(review): telnet carries credentials in cleartext; keep this pair only
# if a remote host really requires it, otherwise remove it.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 23 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)
# -----------------

# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
# Remote mail/IRC servers commonly probe 113 before accepting our
# connection; REJECT answers at once so they do not stall on a timeout.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 113 -j REJECT


# AUTH client (113)
# -----------------
# Lets this host query identd on remote machines.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 113 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 113 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# FINGER client (79)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 79 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 79 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# FTP client (21)
# ---------------

# outgoing request
# Control connection: our unprivileged port -> server:21, replies without SYN.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 21 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


# PORT mode data channel
# Active (PORT) mode: the SERVER opens the data connection to us, from its
# port 20 to the unprivileged port we announced, so this rule must accept an
# incoming SYN and cannot use "! -y".
# NOTE(review): that makes it a standing acceptance of new inbound TCP
# connections from any host that uses source port 20, to every unprivileged
# local port. The explicit -y denies for NFS/X/SOCKS/openwindows earlier are
# what keeps those services out of this hole; any other service listening
# above port 1023 is reachable through it. Passive (PASV) FTP does not need
# this rule.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
--destination-port 20 -j ACCEPT

# ------------------------------------------------------------------

# IRC client (6667)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 6667 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# Presumably for DCC (direct client-to-client transfers), where the peer
# connects to an unprivileged port on this host, so the inbound rule must
# accept SYNs.
# NOTE(review): as written it accepts ANY new inbound TCP connection from an
# unprivileged remote port to any unprivileged local port -- the widest rule
# in the script. Every service listening above 1023 becomes reachable except
# those explicitly denied with -y earlier (NFS, X, SOCKS, openwindows). If
# DCC is not needed, remove this pair; if it is, confine the destination to
# the client's configured DCC port range.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# RealAudio / QuickTime client
# ----------------------------
# RTSP control channel (554): outbound from our unprivileged ports, replies
# accepted without SYN.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 554 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 554 -j ACCEPT

# TCP is a more secure method: 7070:7071

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 7070:7071 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 7070:7071 -j ACCEPT

# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
# The inbound UDP rule accepts datagrams to local 6970:6999 from ANY host
# with an unprivileged source port; UDP has no SYN to filter on.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR 6970:6999 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 6970:6999 \
--destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------


# DHCP client (67, 68)
# --------------------

# allow dhcp server (67) to connect to dhcp client (68)
# Note: the DHCP server is the only external source of broadcast
# messages we should see, ever.
# Unicast exchange with the known server (DHCP_SERVER from the lease file).

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $IPADDR 68 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 68 \
-d $DHCP_SERVER 67 -j ACCEPT

# Broadcast replies from the known server, and our requests before we have
# an address (source 0.0.0.0).
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $BROADCAST_DEST 68 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $DHCP_SERVER 67 -j ACCEPT

# Getting renumbered
# Broadcast-to-broadcast is the discovery phase, which by nature cannot be
# tied to a server address; a rogue DHCP server on the segment is reachable
# through this rule, as with any DHCP client.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 67 \
-d $BROADCAST_DEST 68 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $BROADCAST_DEST 67 -j ACCEPT

# As a result of the above, we're supposed to change our IP address with
# this message, which is addressed to our new address before the dhcp
# client has received the update.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
--destination-port 68 -j ACCEPT

# Port-67 traffic to our address from anything other than DHCP_SERVER is
# denied and logged -- a useful rogue-DHCP-server indicator in the kernel
# log.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 67 \
-d $IPADDR 68 -j DENY -l

# ------------------------------------------------------------------

# OUTGOING TRACEROUTE
# -------------------
# Note the "-l": every outgoing probe is logged, which is noisy for a
# routine tool.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l

# ----------------------------------------------------------------------------
# ICMP
#
# Inbound: only the five types a client needs (echo-reply for our own pings;
# destination-unreachable, source-quench, time-exceeded and
# parameter-problem for error reporting and outgoing traceroute) are
# accepted, and only when addressed to IPADDR. Inbound echo-request is NOT
# accepted, so the host does not answer pings from the Internet; such
# packets fall through to the input DENY policy unlogged (the explicit ICMP
# denies at the end cover only types 5 and 13-255).
# Outbound: no time-exceeded and no echo-reply, so the host answers neither
# traceroute nor ping from outside. Note that outgoing destination-
# unreachable (3) IS accepted although the text below says to deny it;
# only 11 is withheld.
# In the output rules the ICMP type occupies the position ipchains uses for
# a port ("-s $IPADDR destination-unreachable").

# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT


ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR destination-unreachable -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR source-quench -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR echo-request -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR parameter-problem -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
# Catch-alls for anything on the external interface not matched above. The
# policies would deny all of this anyway; these rules exist so the drops
# show up in the kernel log (-l).
# NOTE(review): ipchains logging is not rate limited, so a scan or flood
# against the external interface produces one kernel log line per packet --
# size syslog storage and rotation accordingly, or narrow these rules.

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DENY -l


# Redirects (5) and every type from 13 up are denied with logging; other
# unmatched ICMP (e.g. inbound echo-request) hits the policy silently.
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13:255 -j DENY -l

# Locally generated packets that no rule allowed are refused and logged --
# handy for spotting misconfigured or unexpected outbound traffic.
ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l

# ----------------------------------------------------------------------------

echo "done"

exit 0

# ----------------------------------------------------------------------------
# NOTE for DHCP users:
#
# The following is an example "/etc/sysconfig/network-scripts/ifdhcpc-done".
# DHCP clients through at least version "dhcpcd-0.70-2" used the "-c"
# mechanism to specify a program to execute whenever dhcpcd successfully
# received an IP address.
#
# As presented, the example "ifdhcpc-done" updates your host IP address in
# /etc/hosts and updates the NAMESERVER definitions in the hostinfo file.
#
#-------------------------------- CUT HERE ---------------------------
#!/bin/sh -x
# Example ifdhcpc-done: run by dhcpcd once a lease has been obtained (see
# the NOTE above). "-x" traces every command to stderr, which for a boot-time
# hook typically lands on the console or in a log; remove it once debugged.
# IFNAME is presumably supplied in the environment by dhcpcd -- confirm.

# Get the pid of the process which is waiting for this to complete.
# If the wait file doesn't exist, either the parent timed out, or
# the dhcp server is issuing a new IP address.

SLEEPPIDFILE=/var/run/dhcp-wait-${IFNAME}.pid

# NOTE(review): the PID is read from the file unvalidated and handed to
# kill as root. /var/run should be root-only, but it is cheap to check that
# the content is a plain number before the kill.
if [ -f $SLEEPPIDFILE ]; then
SLEEPPID=`cat $SLEEPPIDFILE`
rm -f $SLEEPPIDFILE
kill $SLEEPPID
else
echo "DHCP is configured, but ifup may have timed out." > /dev/console
fi

#---------------------------------------------------------------------
# RedHat Versions thru 5.2 use /etc/dhcpc/hostinfo-eth0
# Future releases (RedHat development releases) use /etc/dhcpc/dhcpcd-eth0.info
# NOTE(review): the interface is hard-coded as eth0 here although the pid
# file above is built from ${IFNAME}; use the same variable in both places.
# When neither file exists this exits before rc.firewall is run (below), so
# whatever rule set was previously loaded -- possibly none -- stays in
# force, and the console message is the same one used for the missing pid
# file, so it does not say which condition occurred.

if [ -f /etc/dhcpc/hostinfo-eth0 ]; then
hostinfo="/etc/dhcpc/hostinfo-eth0"
elif [ -f /etc/dhcpc/dhcpcd-eth0.info ]; then
hostinfo="/etc/dhcpc/dhcpcd-eth0.info"
else
echo "DHCP is configured, but ifup may have timed out." > /dev/console
exit 1
fi

# get the hostinfo
# Executed as shell code, as root: the file must be root-owned and not
# writable by any other user.
. $hostinfo

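# Update domainname
# The domain comes from dhcpcd's resolv.conf, i.e. from the DHCP server, so
# it is untrusted network input. It is interpolated into a sed replacement
# and written into /etc/hosts below, so only hostname characters are
# accepted; anything else is reported and the update is skipped rather than
# letting a stray "/" or "&" break (or rewrite) the sed expression.
domain=$(fgrep domain /etc/dhcpc/resolv.conf | sed -e "s/domain //")
case $domain in
""|*[!A-Za-z0-9._-]*)
echo "ifdhcpc-done: ignoring unusable DHCP domain '$domain'" > /dev/console
domain=""
;;
esac
# Without an argument domainname would only print the current value, so
# it is called only when there is something to set.
if [ -n "$domain" ]; then
domainname "$domain"
fi

# Update /etc/hosts
# Some services will break without this, unless you use localhost (eg. pop)
# "YOU" is the placeholder host name the user is expected to edit in.
# The rewritten copy is built in /etc (root-only, same filesystem) with
# mktemp instead of the fixed path /var/tmp/hosts: writing a predictable
# name in a world-writable directory as root lets any local user pre-plant
# a symlink there and redirect the write. If no temp file can be made, the
# hosts update is skipped but the script continues so the firewall is still
# started.

tmp_hosts=$(mktemp /etc/hosts.XXXXXX) || tmp_hosts=""
if [ -n "$tmp_hosts" ]; then
sed -e "s/^.*YOU/$IPADDR YOU.$domain YOU/" /etc/hosts > "$tmp_hosts" && cp "$tmp_hosts" /etc/hosts
rm -f "$tmp_hosts"
else
echo "ifdhcpc-done: mktemp failed, /etc/hosts not updated" > /dev/console
fi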

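#---------------------------------------------------------------------
# Update $hostinfo with the current nameservers from /etc/resolv.conf.
# Thanks to Roger Goun for the idea of appending these to $hostinfo and
# getting rid of the temporary file.
#
# $hostinfo is later executed as shell code by rc.firewall (it is "."-ed at
# the top of that script), so anything appended here runs as root on the
# next firewall start. dhcpcd normally writes plain dotted-quad addresses to
# resolv.conf, but the values originate from the DHCP server, so only digits
# and dots are accepted; anything else is reported and skipped, and the
# numbering continues with the next valid entry.
# (The loop body runs in a pipeline subshell, so $cnt is unchanged after the
# loop -- same as before.)

cnt=1
fgrep nameserver /etc/dhcpc/resolv.conf | sed -e "s/nameserver //" |
while read -r naddr
do
case $naddr in
""|*[!0-9.]*)
echo "ifdhcpc-done: ignoring non-IPv4 nameserver entry '$naddr'" > /dev/console
continue
;;
esac
echo NAMESERVER_$cnt="$naddr" >> $hostinfo
cnt=$((cnt+1))
done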

#---------------------------------------------------------------------

# Make the DHCP-supplied resolver configuration the system's.
cp /etc/dhcpc/resolv.conf /etc

# (Re)load the packet filter with the new lease values.
# NOTE(review): rc.firewall exits 1 when it finds no lease file and then
# leaves only loopback open, but the success message below is printed
# regardless; test the exit status ("if sh /etc/rc.d/rc.firewall; then ...")
# so the console reports the failure instead.
sh /etc/rc.d/rc.firewall
echo "Firewalling enabled." > /dev/console

johnwebb
03-22-2001, 01:12 PM
My understanding is that the 2.4.x kernel uses iptables instead of ipchains, although I seem to remember reading something about an ipchains compatibility mode, but I'm not really sure about that part. You might try http://netfilter.kernelnotes.org

MkIII_Supra
03-23-2001, 01:56 AM
Ok, now I have an iptables script that I acquired, but I am a clueless **** on how to edit it. Could ya help a brother out? All I need is ICQ, sending and receiving e-mail, and internet plus Real Player.

I am trying to find a thorough tutorial, but so far most are pretty much written for the uber geek.


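#!/bin/bash
# NOTE(review): the first line had lost its leading "#" and was no longer a
# shebang. bash is named explicitly because the TCP_ALLOW loop uses "=="
# inside "[ ]", which a non-bash /bin/sh rejects (the header below also
# says this is a BASH script).
# ----------------------------------------------------------------------|
# Here it is...MonMotha's Firewall 2.2.1! |
# Once again, my crude ASCII art best viewed with pico. |
# ----------------------------------------------------------------------|
# 2.2 RELEASE NOTES: This is the "stable" version of the 2.1 series. |
# It works great for me, hope you like it! |
# ----------------------------------------------------------------------|
# COMMENTS from MonMotha, Steff, and LaptopZZ: |
# |
# Please...PLEASE give me feedback on your experiences with this script |
# I would really like to know what everyone wants, what works, and |
# about the inevitable bugs present in anything. |
# |
# Direct all feedback to: bvmopen@usa.net |
# --MonMotha |
# |
# If you encounter problems with this script, please feel free to EMail |
# me a report on what happened. Please include the file .config for |
# your kernel (the kernel configuration), relavent info from syslog |
# (check /var/log/messages) and relavent info from dmesg. With your |
# help, I can make my next firewall even better! |
# |
# I can be reached at: bvmopen@usa.net |
# --MonMotha |
# ----------------------------------------------------------------------|
# SYSTEM REQUIREMENTS: You must have either compiled the appropriate |
# iptables support into your 2.4 kernel or have loaded all the |
# applicable modules BEFORE you run this script. This script assumes |
# that you have everything compiled into your kernel. |
# |
# I'll get you a list of required kernel options as I play with the |
# 2.4 kernel series more. |
# |
# You need iptables. Get it at "http://netfilter.samba.org". |
# |
# This script was written (and partially tested) with iptables 1.2 |
# and kernel 2.4.0 in mind. This has been tested on 2.4.0. |
# |
# Also, this is a BASH shell script...any 2.x version of GNU BASH |
# should work with this script. |
# ----------------------------------------------------------------------|
# CHANGELOG (Since 2.2.0 only): |
# version 2.2.1: Added a check before enabling IP SynCookies |
# version 2.2.1-pre1: Updates for iptables 1.2 |
# version 2.2.0: Exactly the same as 2.1.16 with updated comments |
# ----------------------------------------------------------------------|
# USE AT YOUR OWN RISK! THIS IS WITHOUT ANY WARRANTY STATED OR IMPLIED! |
# That means NONE whatsoever, not even fitfullness for purpose! |
# ----------------------------------------------------------------------|
# You NEED to set this! |
# Configuration follows: |
# |
# Notes about configuration: |
# Some things take more than one option,separate with spaces. |
# You probably don't want all the ports I have under here open, portscan|
# yourself to find what you want open. |
# For SSH you need port 22 in TCP_ALLOW, and set the appropriate SSH |
# system(s) to "TRUE". |
# If you want to used host-based identd allowing, do NOT put 113 in |
# TCP_ALLOW and DO set AUTH_ALLOW, if you want to NOT use |
# host-based identd allowing, leave AUTH_ALLOW empty and put |
# 113 in TCP_ALLOW below. Putting 113 in TCP_ALLOW will cause a |
# global allow to be put in place (anyone can connect to it). |
# DNS only needs to be set to do ZONE TRANSFERS! |

IPTABLES="/usr/local/sbin/iptables" #set to your iptables location, must be set
DNS="" #set to your DNS server(s) that you get zones from
# NOTE(review): every port listed here is opened to the whole Internet (with
# a 2/s SYN limit); list only services this host actually runs. The sample
# opens FTP, SSH, SMTP, HTTP, POP3, HTTPS, 3333 and IRC (6667).
TCP_ALLOW="21 22 25 80 110 443 3333 6667" #TCP ports to ALLOW
UDP_ALLOW="6112 6119 4000" #UDP ports to ALLOW (53 not needed, covered by DNS above)
INET_IFACE="ppp0" #the interface your internet's on (one only), must be set
LAN_IFACE="eth0" #the interface(s) your LAN's on (currently unused)
USE_SSH1="TRUE" #set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="FALSE" #set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" #the internal network(s), must be set
# NOTE(review): a hard-coded allow-list of remote hosts permitted to query
# identd (presumably the author's own IRC/mail servers in 2001); replace it
# with your own and review it like any other allow-list.
AUTH_ALLOW="207.69.200.132 216.32.132.250 206.132.27.156 209.81.232.66 207.45.69.69 216.80.83.185 212.158.123.66" #IPs allowed to use the AUTH service (leave blank and put 113 in TCP_ALLOW for all)
DENY_ALL="" #internet hosts to explicitly deny from accessing your system at all
# The variable is named DROP but holds REJECT: REJECT answers each refused
# packet with an ICMP error (faster failures for peers, but reveals that a
# filter is present), DROP discards silently. Both are valid iptables
# targets; choose deliberately.
DROP="REJECT" #what to do with packets we don't want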

# You shouldn't need to modify anything below here |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# enable_knob LABEL FILE MISSING_MSG: print "Checking LABEL...", write 1 into
# FILE when it exists (then print "enabled."), otherwise print MISSING_MSG.
# Output is byte-identical to the inline version this replaces.
enable_knob() {
  echo -n "Checking $1..."
  if [ ! -e "$2" ] ; then
    echo "$3"
  else
    echo 1 > "$2"
    echo "enabled."
  fi
}

# Turn on IP forwarding -- this box routes for the INTERNAL_LAN subnets.
# NOTE(review): forwarding is switched on before the FORWARD policy is set
# to DROP further down; until that point the kernel's default FORWARD policy
# (ACCEPT unless previously changed) applies.
enable_knob "IP Forwarding" /proc/sys/net/ipv4/ip_forward \
  "support not found! This will probably cause problems!"

# Enable TCP Syncookies
enable_knob "IP SynCookies" /proc/sys/net/ipv4/tcp_syncookies \
  "support not found, but that's OK."

# Flush everything
# If you need compatibility, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
#
# You'll notice I give status now :)
#
# NOTE(review): the INPUT policy stays ACCEPT throughout (set below), and
# this flush removes the jump into INETIN, which is not re-added until the
# "Setting up INET chains" step. For the rest of this script's run the host
# therefore accepts everything on the Internet interface. Brief, but a
# re-run while under attack is exactly when it matters; building the new
# rules in fresh chains and swapping the jump last, or setting a temporary
# DROP policy before flushing, closes the window.

echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case the script hasn't been run yet
# (-F/-X fail with an error when INETIN/INETOUT do not exist yet; -X also
# requires that nothing references the chain, which the INPUT/OUTPUT flush
# above guarantees). The redirect also hides a missing or broken
# ${IPTABLES} binary, but the unredirected -N right after surfaces that.
echo -n "Creating chains: "
${IPTABLES} -t filter -F INETIN > /dev/null 2>&1
${IPTABLES} -t filter -X INETIN > /dev/null 2>&1
${IPTABLES} -t filter -N INETIN
echo -n "INETIN "
${IPTABLES} -t filter -F INETOUT > /dev/null 2>&1
${IPTABLES} -t filter -X INETOUT > /dev/null 2>&1
${IPTABLES} -t filter -N INETOUT
echo -n "INETOUT "
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
# NOTE(review): only traffic entering on ${INET_IFACE} is sent to INETIN;
# anything arriving on ${LAN_IFACE} or lo is accepted by these policies
# with no rule at all. That is the intended trust model for a LAN gateway,
# but it means a compromised LAN host has unrestricted access to this box.
# FORWARD defaults to DROP so only the INTERNAL_LAN rules below are routed.
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD :DROP "
echo

# Security
# Forwarding is allowed for any packet whose source OR destination lies in
# an INTERNAL_LAN subnet, on any pair of interfaces.
# NOTE(review): there is no -i/-o qualifier, so a packet arriving on
# ${INET_IFACE} with a forged INTERNAL_LAN source also matches the -s rule,
# and this script does not set rp_filter. Adding "-i ${LAN_IFACE}" to the -s
# rule and "-o ${LAN_IFACE}" to the -d rule (LAN_IFACE is defined but
# unused) ties the rules to the real topology.
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
echo -n "${subnet}:ACCEPT "
done
echo

# Set up basic NAT
# I assume masquerading here, which is technically for dynamic IPs, but
# it should still work with a static. If you want to be proper, change
# it accordingly.
# MASQUERADE rewrites the source of LAN traffic leaving via ${INET_IFACE}
# to that interface's current address, which suits a dial-up/dynamic link.
echo -n "Setting up NAT: "
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
echo -n "${subnet}:MASQUERADE "
done
echo

# Set up INET chains
# Hand all traffic on the Internet interface to the custom chains. From here
# on, the rules appended to INETIN/INETOUT are live, in append order.
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

# Flood security
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood protection moved to a port-based basis because of the side
# effect that it allowed all SYN packets through regardless if they
# compiled with the limits. SYN flood protection is still in here, see
# the TCP_ALLOW loop for the new method

echo -n "Flood Protection: "
# Ping Floods (ICMP echo-request)
# Echo requests above 1/s are not matched here and fall through to the
# INETIN policy rule at the end (REJECT/DROP).
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -i ${INET_IFACE} -j ACCEPT
echo -n "ICMP-PING "
echo

# Allow the rest of the ICMP in
# NOTE(review): this accepts every other ICMP type, including redirect (5),
# from any host. A client/gateway only needs echo-reply,
# destination-unreachable, time-exceeded and parameter-problem (plus the
# rate-limited echo-request above); consider listing those instead of
# "! echo-request".
echo -n "Allowing ICMP in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
echo "done"

#Explicit denies
# NOTE(review): DENY_ALL hosts are still reached by the two ICMP accepts
# above, because those rules precede this loop in INETIN. Move this loop to
# the top of the INETIN rules so a denied host is denied for every protocol.
echo -n "Denying hosts: "
for host in ${DENY_ALL} ; do
${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
echo -n "${host}:${DROP}"
done
echo

#Start allowing stuff
# For every TCP_ALLOW port: accept non-SYN segments unconditionally (the
# ESTABLISHED rule near the end would catch these as well) and accept new
# connections (SYN) at no more than 2 per second.
# NOTE(review): "-m limit" keeps one counter per rule, not per source: a
# single host sending SYNs faster than 2/s makes every other client's
# connection attempts to that port fail too. Consider per-source limiting
# or relying on the syncookies enabled above instead.
# The '"0$port" == "021"' test is a roundabout way of matching port 21
# exactly; "==" inside "[ ]" is a bashism.
# Active FTP: the extra rule accepts non-SYN segments from remote port 20 to
# our high ports, but the initial SYN of an inbound PORT-mode data
# connection is excluded by "! --syn", so that connection only succeeds if
# the FTP conntrack helper marks it RELATED for the state rule below --
# confirm ip_conntrack_ftp is loaded.
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
if [ "0$port" == "021" ]; then #Active FTP (thanks steff)
${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
fi
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} ! --syn -j ACCEPT
${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} --syn -m limit --limit 2/s -j ACCEPT
echo -n "${port} "
done
echo

# UDP_ALLOW ports are opened to any source, with no rate limit.
echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j ACCEPT
echo -n "${port} "
done
echo

# NOTE(review): the configuration comment says DNS is for zone transfers,
# but zone transfers (AXFR) run over TCP and this rule matches UDP only.
# What it actually does is accept any UDP datagram from ${server} whose
# source port is 53, to any local port. Replies to this host's own queries
# are already covered by the ESTABLISHED rule below; if this host serves
# zones, add a TCP port-53 rule limited to the secondaries' addresses.
echo -n "DNS Servers: "
for server in ${DNS} ; do
${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j ACCEPT
echo -n "${server} "
done
echo

#SSH Rulesets
# Accept non-SYN segments from remote port 22 into the local port range each
# SSH client implementation uses for its outgoing connections (SSH1 picks a
# privileged port 513-1023; OpenSSH an unprivileged one). With the
# ESTABLISHED,RELATED rule near the end of INETIN these are redundant.
# NOTE(review): $USE_SSH1 and $USE_OPENSSH are unquoted in the tests; an
# empty value makes "[" report a syntax error, and "[ ! $USE_SSH1 = TRUE ]"
# then evaluates false so the banner is skipped. Quote them.
if [ $USE_SSH1 = TRUE ]; then #SSH1
echo -n "Accounting for SSH..."
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT
echo -n "SSH1 "
fi
if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH
if [ ! $USE_SSH1 = TRUE ] ; then #We need to echo "Accounting for SSH..."
echo -n "Accounting for SSH..."
fi
${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT
echo -n "OpenSSH "
fi
echo

#AUTH(identd) host-based allows
# Only the listed hosts may open connections to identd (113); everyone else
# falls through to the INETIN policy rule (REJECT in the sample config),
# which is what remote mail/IRC servers want -- a fast refusal rather than
# a timeout.
if [ "$AUTH_ALLOW" != "" ] ; then
echo -n "AUTH accepts: "
for host in ${AUTH_ALLOW} ; do
${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j ACCEPT
echo -n "${host} "
done
echo
fi

# NOTE(review): this is the rule that does most of the work, yet it is
# appended after all the per-port rules, so every packet of every
# established flow is tested against them first. Placing it at the top of
# INETIN is faster and makes the "! --syn" rules above unnecessary.
echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"

echo -n "Setting up INET Policies: "
# Drop if we cant find a valid inbound rule.
# (${DROP} is REJECT in the sample config, so refused packets are answered
# with an ICMP error rather than silently discarded.)
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
# No egress filtering: anything this host or the masqueraded LAN sends out
# is allowed.
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

echo "Done loading the firewall!"


PS: I got the script from the following Mon-motha (http://t245.dyndns.org/~monmotha/firewall/index.php)

Algemon
03-23-2001, 10:48 AM
Take a look at these 2 topics:
http://www.linuxnewbie.org/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=21&t=001584 http://www.linuxnewbie.org/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=21&t=001582

Cheers

MkIII_Supra
03-23-2001, 01:00 PM
Thank you!