Olaf Kirch - Linux Network Administrator Guide, Second Edition

OURDEV="eth0"

# The outside address and the network device that supports it.

ANYADDR="0/0"

ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports

# note: space separated

TCPIN="smtp www"

TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports

# note: space separated

UDPIN="domain"

UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types

# ref: /usr/include/netinet/ip_icmp.h for type numbers

# note: space separated

ICMPIN="0 3 11"

ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams

# that are blocked by the firewall.

# LOGGING=1

# END USER CONFIGURABLE SECTION

##########################################################################

# Flush the Input table rules

$IPCHAINS -F input

# We want to deny incoming access by default.

$IPCHAINS -P input deny

# SPOOFING

# We should not accept any datagrams with a source address matching ours

# from the outside, so we deny them.

$IPCHAINS -A input -s $OURNET -i $ANYDEV -j deny

# SMURF

# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.

$IPCHAINS -A input -p icmp -w $ANYDEV -d $OURBCAST -j deny

# We should accept fragments, in ipchains we must do this explicitly.

$IPCHAINS -A input -f -j accept

# TCP

# We will accept all TCP datagrams belonging to an existing connection

# (i.e. having the ACK bit set) for the TCP ports we're allowing through.

# This should catch more than 95 % of all valid TCP packets.

$IPCHAINS -A input -p tcp -d $OURNET $TCPIN ! -y -b -j accept

# TCP - INCOMING CONNECTIONS

# We will accept connection requests from the outside only on the

# allowed TCP ports.

$IPCHAINS -A input -p tcp -i $ANYDEV -d $OURNET $TCPIN -y -j accept

# TCP - OUTGOING CONNECTIONS

# We accept all outgoing TCP connection requests on allowed TCP ports.

$IPCHAINS -A input -p tcp -i $OURDEV -d $ANYADDR $TCPOUT -y -j accept

# UDP - INCOMING

# We will allow UDP datagrams in on the allowed ports.

$IPCHAINS -A input -p udp -i $ANYDEV -d $OURNET $UDPIN -j accept

# UDP - OUTGOING

# We will allow UDP datagrams out on the allowed ports.

$IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $UDPOUT -j accept

# ICMP - INCOMING

# We will allow ICMP datagrams in of the allowed types.

$IPCHAINS -A input -p icmp -w $ANYDEV -d $OURNET $UDPIN -j accept

# ICMP - OUTGOING

# We will allow ICMP datagrams out of the allowed types.

$IPCHAINS -A input -p icmp -i $OURDEV -d $ANYADDR $UDPOUT -j accept

# DEFAULT and LOGGING

# All remaining datagrams fall through to the default

# rule and are dropped. They will be logged if you've

# configured the LOGGING variable above.

#

if [ "$LOGGING" ]

then

# Log barred TCP

$IPCHAINS -A input -p tcp -l -j reject

# Log barred UDP

$IPCHAINS -A input -p udp -l -j reject

# Log barred ICMP

$IPCHAINS -A input -p icmp -l -j reject

fi

#

# end.

In our iptables example, we've switched to using the FORWARD ruleset because of the difference in meaning of the INPUT ruleset in the netfilter implementation. This has implications for us; it means that none of the rules protect the firewall host itself. To accurately mimic our ipchains example, we would replicate each of our rules in the INPUT chain. For clarity, we've dropped all incoming datagrams received from our outside interface instead.

#!/bin/bash

##########################################################################

# IPTABLES VERSION

# This sample configuration is for a single host firewall configuration

# with no services supported by the firewall machine itself.

##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipchains utility.

IPTABLES=iptables

# The path to the ipchains executable.

PATH="/sbin"

# Our internal network address space and its supporting network device.

OURNET="172.29.16.0/24"

OURBCAST="172.29.16.255"

OURDEV="eth0"

# The outside address and the network device that supports it.

ANYADDR="0/0"

ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports

# note: comma separated

TCPIN="smtp,www"

TCPOUT="smtp,www,ftp,ftp-data,irc"

# The UDP services we wish to allow to pass - "" empty means all ports

# note: comma separated

UDPIN="domain"

UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types

# ref: /usr/include/netinet/ip_icmp.h for type numbers

# note: comma separated

ICMPIN="0,3,11"

ICMPOUT="8,3,11"

# Logging; uncomment the following line to enable logging of datagrams

# that are blocked by the firewall.

# LOGGING=1

# END USER CONFIGURABLE SECTION

###########################################################################

# Flush the Input table rules

$IPTABLES -F FORWARD

# We want to deny incoming access by default.

$IPTABLES -P FORWARD deny

# Drop all datagrams destined for this host received from outside.

$IPTABLES -A INPUT -i $ANYDEV -j DROP

# SPOOFING

# We should not accept any datagrams with a source address matching ours

# from the outside, so we deny them.

$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP

# SMURF

# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.

$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET -j DENY

# We should accept fragments, in iptables we must do this explicitly.

$IPTABLES -A FORWARD -f -j ACCEPT

# TCP

# We will accept all TCP datagrams belonging to an existing connection

# (i.e. having the ACK bit set) for the TCP ports we're allowing through.