66 files changed, 15542 insertions, 1 deletions
diff --git a/configs/firewall-masq b/configs/firewall-masq
new file mode 100755
index 0000000..14b9971
--- a/dev/null
+++ b/configs/firewall-masq
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# firewall-masq This script sets up firewall rules for a machine
+# acting as a masquerading gateway
+#
+# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
+# be distributed under the terms of the GNU General Public License, version
+# 2 or any later version.
+# LIC: GPL
+
+# Interface to Internet
+EXTIF=ppp+
+
+# NAT-Tables are different, so we can use ACCEPT everywhere (?)
+iptables -t nat -P PREROUTING ACCEPT
+iptables -t nat -P OUTPUT ACCEPT
+iptables -t nat -P POSTROUTING ACCEPT
+
+# Flush the NAT-Table
+iptables -t nat -F
+
+iptables -t filter -P INPUT DROP
+iptables -t filter -F
+
+# Allow incoming SSH
+#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
+
+# Log & Deny the rest of the privileged ports
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
+iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
+
+# Log & Deny NFS
+iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP
+
+# Log & Deny X11
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP
+
+# Log & Deny XFS
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP
+
+# Deny TCP connection attempts
+iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
+iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP
+
+# Deny ICMP echo-requests
+iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
+
+# Do masquerading
+iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+
+# Enable forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# no IP spoofing
+if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
+ for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
+ echo 1 > $i
+ done
+fi
+
+# Disable Source Routed Packets
+for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+ echo 0 > $i
+done |
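Review bot: The INPUT chain is given policy DROP (`iptables -t filter -P INPUT DROP`) but no ACCEPT rule is ever appended, so every inbound packet not caught by the `-i $EXTIF` LOG/DROP rules — loopback, LAN-side traffic, and the replies to the gateway's own outbound connections — also falls through to the DROP policy; this hunk is the whole 71-line file, so nothing later rescues it. The FORWARD chain is never touched either, so once `echo 1 > /proc/sys/net/ipv4/ip_forward` runs, Internet-to-LAN forwarding is governed by whatever policy the kernel already has (ACCEPT by default), which is the opposite of what a masquerading gateway wants. Set an explicit DROP policy on FORWARD, accept loopback, non-external and ESTABLISHED,RELATED traffic on INPUT before the deny rules, and allow only LAN-originated plus established flows to be forwarded, as sketched below. The `-m state` match presumably needs the connection-tracking module on the target kernel; worth confirming for the kernels this script is meant to run on.
```sh
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -F

# Trusted traffic first: loopback, the non-Internet side, and replies
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT ! -i $EXTIF -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only LAN-originated flows and their replies may cross the gateway
iptables -t filter -A FORWARD ! -i $EXTIF -o $EXTIF -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ... unchanged: LOG/DROP rules on $EXTIF, MASQUERADE, sysctl hardening ...
```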