#! /bin/sh
#
# firewall       Activate/Deactivate the network firewall.
#
# chkconfig: 345 45 55
# description: this script manages the firewall between the local network \
#              and the outer world.

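# Source function library.
. /etc/rc.d/init.d/functions

# Every path, interface and network the rules refer to lives here, so it is
# obvious at a glance which side is trusted and which faces the outer world.
LOCKFILE=/var/lock/subsys/firewall
IP_FORWARD=/proc/sys/net/ipv4/ip_forward
FWCHAINS=/proc/net/ip_fwchains
EXT_IF=ppp+                  # interface pattern towards the outer world
LAN=10.0.0.0/24              # local network that is masqueraded
PRIVATE=10.0.0.0/8           # private range forwarded without masquerading
PUBLIC_NET=129.199.1.160/28  # public addresses whose services go to pleiades
PLEIADES=10.0.0.1            # internal host receiving the redirected services

# Number of rule-installing commands that failed. Forwarding is re-enabled at
# the end of start only when this is still 0, so a partially installed rule
# set never leaves the router forwarding with holes in it.
failed=0

# Run a rule-installing command and remember whether it failed.
# Arguments: the command line to run.
rule() {
	"$@" || failed=$((failed + 1))
}

# Flush the three chains and the port-forwarding table (shared by start/stop).
flush_all() {
	rule ipchains -F forward
	rule ipchains -F input
	rule ipchains -F output
	rule ipmasqadm mfw -F
}

# Log and reject packets arriving on the external interface.
# Arguments: $1 - protocol (tcp|udp), $2 - destination port
deny_in() {
	rule ipchains -A input -p "$1" -i "$EXT_IF" -d 0.0.0.0/0 "$2" -j REJECT -l
}

# Mark packets for one service on the public addresses and redirect them to
# pleiades on the same port.
# Arguments: $1 - protocol, $2 - port, $3... - extra ipchains match options
#            (the tcp entries pass -y so only connection requests are matched)
pass_to_pleiades() {
	proto=$1
	port=$2
	shift 2
	rule ipchains -A input -p "$proto" -i "$EXT_IF" "$@" -d "$PUBLIC_NET" "$port" -m "$port" -l
	rule ipmasqadm mfw -A -m "$port" -r "$PLEIADES" "$port"
}

# Install the complete rule set. Only called when ipchains is available.
# Note that no policy is set for the input and output chains, so they keep
# whatever policy is already in effect and everything not listed here is let
# through: this is a deny-list firewall, and the forward chain is the only
# place where the default is REJECT.
install_rules() {
	# Clean things up
	flush_all
	# Define forwarding policy: nothing crosses the router unless listed below.
	rule ipchains -P forward REJECT
	rule ipchains -A forward -s "$LAN" -d \! "$PRIVATE" -j MASQ
	rule ipchains -A forward -s "$PRIVATE" -d "$PRIVATE" -j ACCEPT
	# Reject and log attempts at IP spoofing. This must cover the whole range
	# the forward ACCEPT rule above trusts ($PRIVATE), otherwise a packet with a
	# forged 10.x source could arrive on the external interface and be forwarded.
	rule ipchains -A input -s "$PRIVATE" -i "$EXT_IF" -j REJECT -l
	# Hosts that are denied any access
	rule ipchains -A input -s 199.247.0.0/16 -j REJECT -l
	rule ipchains -A input -s 195.98.0.0/16 -j REJECT -l
	rule ipchains -A output -d 199.95.0.0/16 -j REJECT -b
	# Services that are denied external access. The first group is closed for
	# both protocols (this also closes udp 109 and tcp 110, which the old
	# duplicated lines had left open while every other port here was paired).
	for port in 109 110 1109 106 995; do
		deny_in tcp "$port"
		deny_in udp "$port"
	done
	for port in 512 515 1313; do
		deny_in tcp "$port"
	done
	for port in 514 520 521; do
		deny_in udp "$port"
	done
	# There are rumors about the following being scanned
	for port in 1800 1945; do
		deny_in tcp "$port"
		deny_in udp "$port"
	done
	# Services that are passed to pleiades
	for port in 21 22 23 79 80 113 2003 2401; do
		pass_to_pleiades tcp "$port" -y
	done
	for port in 517 518; do
		pass_to_pleiades udp "$port"
	done
}

# Bring the firewall up. Returns 1 (and leaves forwarding disabled) if any
# rule could not be installed.
fw_start() {
	printf 'Installing firewall: '
	# Forwarding is switched off before the chains are flushed, so there is no
	# window in which packets cross an empty or half-built rule set.
	echo 0 >"$IP_FORWARD"
	if [ -f "$FWCHAINS" ]; then
		install_rules
	fi
	modprobe ip_masq_ftp
	if [ "$failed" -ne 0 ]; then
		echo "failed ($failed rule(s) not installed, forwarding left disabled)"
		return 1
	fi
	echo 1 >"$IP_FORWARD"
	echo done
	touch "$LOCKFILE"
}

# Take the firewall down: forwarding off first, then drop all rules.
fw_stop() {
	printf 'Closing down firewall: '
	echo 0 >"$IP_FORWARD"
	if [ -f "$FWCHAINS" ]; then
		flush_all
	fi
	echo done
	rm -f "$LOCKFILE"
}

# Print the forwarding flag and, when available, the installed rules.
fw_status() {
	printf 'IP forwarding is: '
	cat "$IP_FORWARD"
	echo "IP chains configuration:"
	if [ -f "$FWCHAINS" ]; then
		ipchains -L -n
		ipmasqadm mfw -L -n
	fi
}

# See how we were called.
rc=0
case "$1" in
  start)
	fw_start || rc=$?
	;;
  stop)
	fw_stop || rc=$?
	;;
  status)
	fw_status || rc=$?
	;;
  restart)
	# start flushes the old rules itself, so a separate stop is not needed.
	fw_start || rc=$?
	;;
  *)
	echo "Usage: firewall {start|stop|status|restart}" >&2
	exit 1
	;;
esac

exit "$rc"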
