#!/bin/sh
#
# Configure safe networking practices for Linux 2.4
#
# chkconfig: - 06 90
# description: Setup firewalling and network security
#
# To install this on a Red Hat system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
#
#   chmod 755 /etc/rc.d/init.d/securenet
#   /sbin/chkconfig --add securenet
#   /sbin/chkconfig --level 2345 securenet on
#
# The "iptables" command is available from http://netfilter.kernelnotes.org/
# An rpm-package is available from Red Hat's contrib-section
#
# Henrik Størner, henrik@storner.dk
#

# Fixed, minimal search path: the script is started from init (see the
# chkconfig header) and must not pick up iptables - or anything else - from
# a caller-supplied PATH.
PATH=/bin:/sbin:/usr/bin:/usr/sbin


####################
# Configuration 
#
# Need to know which ethX is external,
# and which is internal
####################
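# Interface facing the local network. Not referenced by the active rules
# below; kept so the commented-out examples and future rules have a name
# for it.
NET_INTERN="eth0"
# Interface facing the outside world - the only interface that NEW
# connections are refused from.
NET_EXTERN="ppp0"

# Delete the next two lines once NET_INTERN and NET_EXTERN have been edited.
# Until then the script refuses to run, so a freshly installed copy never
# activates a firewall built around the wrong interfaces. The message is a
# diagnostic and therefore goes to stderr.
echo "Du skal rette NET_INTERN og NET_EXTERN for at scriptet virker" >&2
exit 1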


#########################################
# First setup some of the kernel features
#########################################

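#######################################
# Write one value into a /proc/sys knob.
# Arguments: $1 - full path of the knob
#            $2 - value to write
# Outputs:   a diagnostic on stderr when the write fails
# Returns:   0 on success, 1 on failure. Callers deliberately keep going:
#            a missing knob should show up in the boot log, not abort the
#            firewall setup half-way.
#######################################
set_sysctl() {
  if echo "$2" >"$1"; then
    return 0
  fi
  echo "securenet: cannot write $2 to $1" >&2
  return 1
}

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
set_sysctl /proc/sys/net/ipv4/ip_forward 0

# Enable syn-cookies (syn-flooding attacks)
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# Shut off source-routing and enable IP spoof detection
# It seems that this must be done for all network interfaces, so walk
# every entry under conf/ (the per-interface ones as well as "all" and
# "default").
# Further hardening candidates, not applied here: accept_redirects=0,
# log_martians=1.
for f in /proc/sys/net/ipv4/conf/*; do
  # An unmatched glob leaves the literal pattern in $f; skip it.
  [ -d "$f" ] || continue

  # Drop all source-routed packets
  set_sysctl "$f/accept_source_route" 0

  # Enable source-address verification (anti spoofing).
  set_sysctl "$f/rp_filter" 1
done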


######################
# Setup IP firewalling
######################

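# Default policies. DROP is set before the flush so that INPUT/FORWARD are
# never open, not even briefly, while the rules are rebuilt.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Create a common chain for the INPUT and FORWARD handling.
# "-N" only fails when the chain already exists (script re-run); that error
# is intentionally silenced, and the "-F" that follows empties the chain.
iptables -N block 2>/dev/null
iptables -F block

# Allow traffic on established connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections if not from the outside.
# NB: "-i ! IF" is the iptables spelling of the Linux 2.4 era this script
#     targets; newer iptables expects the negation in front: "! -i IF".
iptables -A block -m state --state NEW -i ! "$NET_EXTERN" -j ACCEPT

# Allow new connections to our public http service
# For home users there are normally none
#
# How to do this depends on whether the service is running on the
# firewall host itself, or on another system "behind" the firewall
# (on the internal LAN, or a separate network segment - so called DMZ).
#
# The following command is needed in both cases:
# iptables -A block -m state --protocol tcp --state NEW -i $NET_EXTERN --destination-port http -j ACCEPT
# If the service is running on another host (here: 192.168.11.22), you must
# do "port forwarding" like this (no need for ipmasqadm anymore):
# iptables -t nat -A PREROUTING --protocol tcp -i $NET_EXTERN --destination-port http -j DNAT --to 192.168.11.22

# Log and block anything else.
# LOG is a non-terminating target: without the explicit DROP below, the
# packet would fall back to the chain policy (also DROP), so the result is
# the same - but the chain is now self-contained. The limit match keeps a
# flood of unwanted packets from filling syslog, and the prefix makes the
# entries easy to find.
iptables -A block -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "securenet: "
iptables -A block -j DROP

# Activate the new chain
iptables -A INPUT -j block
iptables -A FORWARD -j block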


####################
# Setup Masquerading
####################


# Setup NAT for outgoing connections from the local network

### NB: This is disabled by default. If you want to use     ###
###     masquerading, just remove the "###" comment-markers ###
###     from the lines below.                               ###

###iptables -t nat -F POSTROUTING
###iptables -t nat -A POSTROUTING -o $NET_EXTERN -j MASQUERADE

#
# NB: On Red Hat systems, forwarding is controlled in /etc/sysctl.conf !
#     You need to set net.ipv4.ip_forward=1 in this file, or the
#     command below will have no effect.
#
###echo "1" >/proc/sys/net/ipv4/ip_forward


