Saturday, 24 May 2008

rc.firewall script

A simple Slackware rc script to start, stop and restart an iptables firewall on a host that routes a small LAN (eth0) out over a PPP link (ppp0). It sets no default policies, so everything not listed below stays open:

The script:
  • blocks some standard workstation services (NetBIOS/SMB, CUPS, X11) on the Internet-facing ppp0 link
  • allows NAT (SNAT to the ppp0 address) for the 192.168.0.0/24 LAN
  • allows syslog connections for a particular host
  • is meant to drop invalid and possibly bad packets (conntrack INVALID state, new TCP connections not starting with SYN); make sure the PORTSCAN chain actually ends in a DROP, otherwise packets sent to it fall straight back into INPUT and are accepted

#!/bin/sh
#
# /etc/rc.d/rc.firewall
#
# Start/stop/restart the IPtables Firewall.
#
# To make IPtables Firewall start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.firewall
#

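fire_start() {
# Build the rule set.  No default policies are set, so INPUT, FORWARD and
# OUTPUT keep their ACCEPT policy: this is a blacklist firewall and anything
# not explicitly dropped below is reachable from ppp0.
if [ -x /usr/sbin/iptables ]; then
# Start from a clean table so a repeated "start" cannot append a second copy
# of every rule.
fire_stop
echo "Starting IPtables: "

# Workstation services that must never be offered on the Internet-facing
# ppp0 link: NetBIOS session (139), SMB (445), CUPS (631), X11 (6000).
# "-s 0.0.0.0/0" is the default source match and is not repeated here.
iptables -A INPUT -i ppp0 -p tcp --dport 139 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 445 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 631 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 6000 -j DROP

# Remote syslog (udp/514): accept from exactly one host, drop everyone else.
# "source-address" is a placeholder for the IP of the host allowed to log
# here.  If it is left unresolvable the ACCEPT rule fails to load and only
# the DROP remains, i.e. syslog is closed rather than open.
iptables -A INPUT -s source-address -p udp --dport 514 -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j DROP

# Anti-spoofing.  Packets arriving on ppp0 that claim to come from our own
# ppp0 address ("ppp0-ip.address" is a placeholder), and packets on eth0
# claiming to come from 192.168.0.1 (presumably this host's own LAN
# address -- confirm), are handed to the SPOOF chain.
iptables -N SPOOF
iptables -A INPUT -i ppp0 -s ppp0-ip.address -j SPOOF
iptables -A INPUT -i eth0 -s 192.168.0.1 -j SPOOF
# Log at most one spoofed packet per second, then drop silently.  Do not
# REJECT here: an ICMP error would be sent to the forged source address,
# and spoofed traffic must never be answered.
iptables -A SPOOF -m limit --limit 1/second -j LOG --log-prefix "SPOOF: "
iptables -A SPOOF -j DROP

# Suspicious TCP: a NEW connection whose first packet is not a SYN (stealth
# scans) and packets the connection tracker cannot classify.  The
# "--state NEW" qualifier is essential -- without it "! --syn" matches every
# non-SYN packet of every established connection and would kill all TCP on
# eth0.  The PORTSCAN chain must hold a terminating rule: an empty user chain
# simply returns to INPUT and the packet continues and is accepted.
# NOTE(review): only eth0 is inspected, as in the published script; the same
# checks are normally wanted on ppp0 as well -- confirm.
iptables -N PORTSCAN
iptables -A PORTSCAN -m limit --limit 1/second -j LOG --log-prefix "PORTSCAN: "
iptables -A PORTSCAN -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j PORTSCAN
iptables -A INPUT -i eth0 -m state --state INVALID -j PORTSCAN
# -n: list numerically so reverse DNS lookups cannot stall the boot.
iptables -L INPUT -n

echo "Enabling NAT: "
# Rewrite the LAN's source address to our ppp0 address on the way out.
# "source-address" here is a placeholder for the ppp0 IP; SNAT assumes it is
# static -- on a dynamic link use "-j MASQUERADE" instead.
# 192.168.0.1/24 and 192.168.0.0/24 denote the same network to iptables.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source source-address
iptables -t nat -L POSTROUTING -n
# FORWARD's policy is still ACCEPT, so these two rules only document intent;
# they do not restrict forwarding to the LAN.
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -L FORWARD -n
# Turn routing on only once the NAT rule is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IPtables - NAT Configuration finished ..."
fi
}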

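fire_stop() {
# Remove every rule and chain fire_start adds.  fire_start never changes the
# chain policies, so none are restored here (they stay ACCEPT).
# "iptables -F" with no chain flushes every chain of the filter table,
# including the user chains, which is what lets -X delete them below.
iptables -F
# On the first start the user chains do not exist yet and -X complains;
# that is expected, so its stderr is silenced.
iptables -X SPOOF 2>/dev/null
iptables -X PORTSCAN 2>/dev/null
echo "Clearing Firewall:"
# -n: numeric listing, no reverse DNS lookups while the link may be down.
iptables -L INPUT -n
iptables -t nat -F
echo "Clearing Forwarding"
iptables -t nat -L POSTROUTING -n
iptables -L FORWARD -n
# Stop routing between the LAN and ppp0 while no NAT rule is installed.
echo 0 > /proc/sys/net/ipv4/ip_forward
}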

fire_restart() {
# Tear the rules down, pause briefly, then rebuild them from scratch.
fire_stop; sleep 2; fire_start
}

# Dispatch on the rc action.  No or an unknown argument starts the firewall,
# matching the behaviour of older Slackware rc scripts.
case "$1" in
  start)   fire_start ;;
  stop)    fire_stop ;;
  restart) fire_restart ;;
  *)       fire_start ;;
esac

To be updated soon, hopefully.
