Here is my /etc/rc.d/rc.firewall with its configuration given; I don't know if it may be useful for debugging:
#!/bin/sh
## /etc/rc.d/rc.firewall
## Set up the firewall system before any network services are up.
## VASM's vfirewall modifies this script !!!
##
## This script will find and start firewall in the following order
## - user specified FIREWALL_SCRIPT variable
## - GuardDog (/etc/rc.firewall and /etc/rc.guidedog)
## - gShield (/etc/firewall/gShield.rc)
## - Firewall-Jay (/etc/firewall-jay/fw-jay)
## - the default VL firewall
##
## The default VL firewall is suitable for a workstation that allows:
## - all outputs from this machine
## - some inputs to this machine (domain, ssh, http)
## - optional ipmasquerading
##
## To enable ipmasquerading, specify the GREEN_NET.
## This machine should work as a gateway with the following configuration
##
## {RED}-----[gateway]------{GREEN}
##
## RED = The Internet
## GREEN = Your Intranet
##
## This firewall uses network address based rules.
## Therefore it is independent of the interface, and easier to debug.
## Sufficient for home use, serving some casual clients.
## Not for a serious office !!!
## You cannot sue me for whatever reason regarding this script :P.
##
## GNU GPL (c) Eko M. Budi, 2004
## (c) Vector Linux, 2004
## If you have another script, tell it here
## For example, /etc/rc.firewall
## When set and executable, firewall_start runs "$FIREWALL_SCRIPT start"
## and nothing below is used. VASM's vfirewall rewrites these settings,
## so keep each one on its own line.
FIREWALL_SCRIPT=""
## This is the default VL firewall settings
## The Network you want to protect, as ADDRESS/NETMASK.
## If specified, forwarding will be allowed.
## If the network is internal (10/8, 172.16/12 or 192.168/16),
## masquerading will be turned on for it.
## Empty means no forwarding/masquerading (FORWARD policy DROP).
GREEN_NET=""
#GREEN_NET="192.168.0.0/255.255.255.0"
#GREEN_NET="172.16.0.0/255.255.0.0"
#GREEN_NET="10.0.0.0/255.0.0.0"
## The open ports of THIS host.
## see /etc/services for ports definition
## list the ports, space separated. ALL means all ports.
## Each port gets both a udp and a tcp rule. When PORT_IN and ICMP_IN
## are both ALL no rules are added at all: the INPUT policy is ACCEPT,
## i.e. the shipped default leaves every port of this host open.
PORT_IN="ALL"
#PORT_IN="domain ssh http https ftp ftp-data"
## ICMP types accepted by this host, space separated (numeric types).
ICMP_IN="ALL"
#ICMP_IN="0 3 8 11"
## The traffic that can come out from this machine.
## You may protect it if you are curious there is trojan in your machine.
## list the ports, space separated. ALL allows everything.
PORT_OUT="ALL"
#PORT_OUT="domain http https pop3 pop3s imap ssh ftp ftp-data irc"
## The traffic that can pass from GREEN to the RED network (internet).
## list the ports, space separated. ALL allows everything.
## When PORT_FORWARD and ICMP_FORWARD are both ALL the FORWARD policy is
## simply ACCEPT, with no source restriction to GREEN_NET.
PORT_FORWARD="ALL"
#PORT_FORWARD="domain http https pop3 pop3s imap ssh ftp ftp-data irc"
ICMP_FORWARD="ALL"
#ICMP_FORWARD="3 8 11"
########################################################################
# Do the business ...
. /etc/rc.d/functions
## Optional local overrides for the settings above. The file is sourced
## as shell code, so it has to be root-owned and not writable by others.
if [ -r /etc/sysconfig/config/firewall.conf ]; then
  . /etc/sysconfig/config/firewall.conf
fi
########################################################################
# here we go now
IPT="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
## load modules: netfilter core, filter and nat tables, connection
## tracking, and the ftp/irc helpers needed behind masquerading.
## NOTE(review): these are the 2.4-era module names and modprobe
## failures are ignored; newer kernels ship the conntrack/nat helpers
## under nf_* names -- confirm against the running kernel.
for MOD in ip_tables iptable_filter iptable_nat ip_nat_ftp ip_nat_irc \
  ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
  $MODPROBE "$MOD"
done
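#######################################
# Check if a net is an internal (private, RFC 1918) network.
# Arguments: $1 - network as ADDRESS/NETMASK or a bare ADDRESS
# Returns:   0 if ADDRESS is in 10/8, 172.16/12 or 192.168/16, 1 otherwise
#######################################
is_internal()
{
  # Strip the netmask with parameter expansion: no echo|cut fork and no
  # word-splitting of an unquoted $1. The three prefixes are tested
  # textually, which is equivalent to masking a well-formed dotted quad
  # with 255.0.0.0, 255.240.0.0 and 255.255.0.0 respectively.
  case "${1%%/*}" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*)
      return 0
      ;;
    *)
      return 1
      ;;
  esac
}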
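#######################################
# STANDARD RULES: kernel-level hardening through /proc/sys. Installs no
# iptables rules (the rate-limit rules below are commented out).
# Outputs:  writes rp_filter and accept_redirects for every interface
# Returns:  0
#######################################
firewall_basic()
{
  # Enable IP spoofing protection, turn on Source Address Verification
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    # an unmatched glob leaves the literal pattern behind; skip it
    if [ -e "$f" ]; then
      echo 1 > "$f"
    fi
  done
  # Disable ICMP Redirect Acceptance
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    if [ -e "$f" ]; then
      echo 0 > "$f"
    fi
  done
  # Enabling ping of death protection
  # $IPT -A INPUT -p icmp --icmp-type echo-request -m limit ! --limit 1/s -j DROP
  # Enabling Syn flood protection
  #$IPT -A INPUT -p tcp --syn -m limit ! --limit 1/s -j DROP
  # Enabling Furtive port scanner protection
  #$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit ! --limit 1/s -j DROP
  return 0
}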
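#######################################
# Empty every chain of the filter, nat and mangle tables and delete the
# user-defined chains in all three. Chain policies are left untouched.
# The original only removed user chains from the filter table, so chains
# created in nat/mangle by another firewall script survived a flush.
# Globals:  IPT
# Returns:  status of the last iptables call
#######################################
firewall_flush()
{
  $IPT -F
  $IPT -F -t nat
  $IPT -F -t mangle
  ## -X only succeeds once no rule references the chain, hence after -F
  $IPT -X
  $IPT -X -t nat
  $IPT -X -t mangle
}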
#######################################
# Open everything up: ACCEPT policies on the built-in chains and empty
# tables. IP forwarding is the one thing that stays disabled.
# Globals:  IPT
# Outputs:  writes /proc/sys/net/ipv4/ip_forward
#######################################
firewall_clear()
{
  ## Disable IP forwarding
  echo "0" > /proc/sys/net/ipv4/ip_forward
  ## Accept all by default on every built-in chain
  for CHAIN in INPUT FORWARD OUTPUT; do
    $IPT -P "$CHAIN" ACCEPT
  done
  firewall_flush
}
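#######################################
# Rules for allowing traffic from the GREEN to the RED network.
# Globals:  GREEN_NET, PORT_FORWARD, ICMP_FORWARD (read), IPT
# Outputs:  writes /proc/sys/net/ipv4/ip_forward
# Returns:  0
#######################################
firewall_forward()
{
  ## if no green net, turn off forwarding
  if [ -z "$GREEN_NET" ]; then
    echo "0" > /proc/sys/net/ipv4/ip_forward
    $IPT -P FORWARD DROP
    return 0
  fi
  ## Turn ON masquerade automatically
  ## People said that we should use SNAT for static IP
  ## But masquerade will do no harm
  if is_internal "$GREEN_NET"; then
    ## NOTE(review): "-d ! NET" is the intrapositioned negation; newer
    ## iptables releases deprecate it in favour of "! -d NET" -- confirm
    ## which form the installed iptables accepts.
    $IPT -t nat -A POSTROUTING -s "$GREEN_NET" -d ! "$GREEN_NET" -j MASQUERADE
  fi
  ## if everything is ALL, just turn ON the FORWARD
  ## NOTE(review): an ACCEPT policy with no rules forwards in every
  ## direction, not only from GREEN_NET; review whether RED->GREEN
  ## forwarding is intended with this setting.
  if [ "$PORT_FORWARD" = "ALL" ] && [ "$ICMP_FORWARD" = "ALL" ]; then
    $IPT -P FORWARD ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    return 0
  fi
  ## ok, complicated settings are needed
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ## non-first fragments carry no port header to match; accepted as-is
  $IPT -A FORWARD -f -j ACCEPT
  ## PORT_FORWARD is word-split on purpose: one udp+tcp rule pair per port
  if [ "$PORT_FORWARD" != "ALL" ]; then
    for PORT in $PORT_FORWARD; do
      $IPT -A FORWARD -s "$GREEN_NET" -p udp --dport "$PORT" -j ACCEPT
      $IPT -A FORWARD -s "$GREEN_NET" -p tcp --dport "$PORT" -j ACCEPT
    done
  else
    $IPT -A FORWARD -s "$GREEN_NET" -p tcp -j ACCEPT
    $IPT -A FORWARD -s "$GREEN_NET" -p udp -j ACCEPT
  fi
  if [ "$ICMP_FORWARD" != "ALL" ]; then
    for TYPE in $ICMP_FORWARD; do
      $IPT -A FORWARD -s "$GREEN_NET" -p icmp --icmp-type "$TYPE" -j ACCEPT
    done
  else
    $IPT -A FORWARD -s "$GREEN_NET" -p icmp -j ACCEPT
  fi
  ## policy last, then enable forwarding in the kernel
  $IPT -P FORWARD DROP
  echo "1" > /proc/sys/net/ipv4/ip_forward
  return 0
}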
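#######################################
# Rules for accepting input to this gateway.
# Globals:  PORT_IN, ICMP_IN (read), IPT
# Returns:  0
#######################################
firewall_input()
{
  ## if ALL, open the default. Saves rules and is faster !
  if [ "$PORT_IN" = "ALL" ] && [ "$ICMP_IN" = "ALL" ]; then
    $IPT -P INPUT ACCEPT
    return 0
  fi
  ## Set a secure input
  ## Loopback is matched by destination address only, not by "-i lo";
  ## NOTE(review): this relies on the kernel discarding 127/8 packets
  ## that arrive on other interfaces -- confirm that is acceptable.
  $IPT -A INPUT -d 127.0.0.0/8 -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ## non-first fragments carry no port header to match; accepted as-is
  $IPT -A INPUT -f -j ACCEPT
  ## Allow some ports
  ## PORT_IN is word-split on purpose: one udp+tcp rule pair per port
  if [ "$PORT_IN" != "ALL" ]; then
    for PORT in $PORT_IN; do
      $IPT -A INPUT -p udp --dport "$PORT" -j ACCEPT
      $IPT -A INPUT -p tcp --dport "$PORT" -j ACCEPT
    done
  else
    $IPT -A INPUT -p udp -j ACCEPT
    $IPT -A INPUT -p tcp -j ACCEPT
  fi
  ## Allow ICMPs
  if [ "$ICMP_IN" != "ALL" ]; then
    for TYPE in $ICMP_IN; do
      $IPT -A INPUT -p icmp --icmp-type "$TYPE" -j ACCEPT
    done
  else
    $IPT -A INPUT -p icmp -j ACCEPT
  fi
  ## Drop everything else. The policy is set last, so the chain keeps
  ## its previous policy while the rules above are being installed.
  $IPT -P INPUT DROP
  return 0
}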
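#######################################
# Rules for allowing OUTPUT traffic from this machine.
# Globals:  PORT_OUT (read), IPT
# Returns:  0
#######################################
firewall_output()
{
  ## if ALL, open the default. Saves rules and is faster !
  if [ "$PORT_OUT" = "ALL" ]; then
    $IPT -P OUTPUT ACCEPT
    return 0
  fi
  ## Hmmm ... the admin does not believe his own computer
  ## But let's allow the internal output
  $IPT -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
  ## Replies of connections accepted on INPUT go out to the peer's
  ## ephemeral port, which none of the --dport rules below can match;
  ## without this rule a restricted PORT_OUT left every service that
  ## PORT_IN opens unable to answer. Same rule as INPUT/FORWARD use.
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ## allow all ICMPs from this host (is it secure enough ?)
  $IPT -A OUTPUT -p icmp -j ACCEPT
  ## allow some ports
  ## PORT_OUT is word-split on purpose: one udp+tcp rule pair per port
  for PORT in $PORT_OUT; do
    $IPT -A OUTPUT -p udp --dport "$PORT" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport "$PORT" -j ACCEPT
  done
  ## Drop everything else by default
  $IPT -P OUTPUT DROP
  return 0
}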
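###################################################################
## Main routines
#######################################
# Pick a firewall and start it; the first match wins, in this order:
# FIREWALL_SCRIPT, the "service firewall" service, GuardDog (+GuideDog),
# gShield, Firewall-Jay, then the built-in default.
# Globals:  FIREWALL_SCRIPT (read); service_firewall and rc_firewall
#           (read) are not set in this file -- presumably they come from
#           /etc/rc.d/functions, verify there.
# Returns:  exit status of the firewall that was started, 0 for the
#           built-in default
#######################################
firewall_start() {
  ## launch the specified one
  if [ -n "$FIREWALL_SCRIPT" ] && [ -x "$FIREWALL_SCRIPT" ]; then
    echo "Starting firewall $FIREWALL_SCRIPT ..."
    "$FIREWALL_SCRIPT" start
    return $?
  fi
  ## if it exists, start the new default firewall service
  ## (quoting matters: an unquoted empty operand turns "[ -x $v ]" into
  ## "[ -x ]", which is TRUE)
  if [ -n "$service_firewall" ] && [ -x "$service_firewall" ]; then
    ## NOTE(review): making rc_firewall executable here is a side effect
    ## of "start"; if the x bit is how the rc file is disabled, confirm
    ## this is wanted.
    if [ -n "$rc_firewall" ] && [ ! -x "$rc_firewall" ]; then
      chmod +x "$rc_firewall"
    fi
    echo "Starting firewall service ..."
    service firewall start
    return $?
  fi
  ## if it exists, start guarddog/guidedog firewall instead
  ## don't start guidedog if there is no guarddog
  if [ -x /etc/rc.firewall ]; then
    if [ -x /etc/rc.guidedog ]; then
      echo "Starting guarddog and guidedog ..."
      /etc/rc.firewall start && /etc/rc.guidedog start
    else
      echo "Starting guarddog ..."
      /etc/rc.firewall start
    fi
    return $?
  fi
  ## This is GShield
  if [ -x /etc/firewall/gShield.rc ]; then
    echo "Starting gshield firewall ..."
    /etc/firewall/gShield.rc --start
    return $?
  fi
  ## This is firewall-jay
  if [ -x /etc/firewall-jay/fw-jay ] && [ -f /etc/firewall-jay/firewall.config ]; then
    echo "Starting firewall-jay ..."
    /etc/firewall-jay/fw-jay start
    return $?
  fi
  ## the last contender ...default VASM firewall
  ## Chains are flushed but policies are not reset first, so whatever
  ## policy was in place stays until the three rule builders set theirs.
  echo "Starting default firewall ..."
  firewall_basic
  firewall_flush
  firewall_input
  firewall_output
  firewall_forward
  return 0
}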
#######################################
# Stop = open everything up again (see firewall_clear).
# Returns:  always 0, whatever firewall_clear returned
#######################################
firewall_stop() {
  firewall_clear
  return 0
}
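## Entry point: dispatch on the rc action.
## Fix: "[ -x $service_firewall ]" with service_firewall unset or empty
## collapsed to "[ -x ]", which is TRUE in test(1), so stop/restart/
## reload took the "service" branch and never touched the built-in
## firewall. With the operand quoted an empty value is simply false.
case "$1" in
  start)
    firewall_start
    ;;
  stop)
    echo "Stopping firewall ..."
    ## if it exists, the new default firewall service is left running
    if [ -x "$service_firewall" ]; then
      # service firewall stop
      echo "No, we are not going to stop firewall"
    else
      firewall_stop
    fi
    ;;
  restart)
    echo "Restarting firewall ..."
    ## if it exists, the new default firewall service is left as is
    if [ -x "$service_firewall" ]; then
      # service firewall restart
      echo "No, we are not going to stop firewall"
    else
      ## Restarting should not stop the firewall
      ## Since stopping opens the ports for a moment
      firewall_start
    fi
    ;;
  reload)
    echo "Reloading firewall ..."
    ## if it exists, the new default firewall service is left as is
    if [ -x "$service_firewall" ]; then
      # service firewall restart
      echo "No, we are not going to stop firewall"
    else
      firewall_start
    fi
    ;;
  status)
    $IPT -nL
    echo
    $IPT -t nat -nL
    ;;
  *)
    ## usage goes to stderr; no exit here, the script may be sourced
    echo "Usage $0 {start|stop|restart|reload|status}" >&2
    ;;
esac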