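# Filename: firewall.ini
#
# Version 0.9-pre9 (Beta)
# ----------------------------------------------------------------------------
# Maintained by Tom Siebeling mailto:T.Siebeling@student.tue.nl
# Get the latest version from: http://home.wxs.nl/~siebe398/firewall.html
# Mirrored by Walther Ligtvoet: http://www.aesir.nl/downloads.html
# Last time edited: 12 October 2002
#
# Based on: the firewall script by Henk de Jong V0.5 (http://www.nu2.nu),
# the changes by Willem (http://www.xs4all.nl/~aroa/uitleg_firewall.htm)
# and the FloppyT 0.9 config.ini by EMJ (www.lintegrate.nl)
# ----------------------------------------------------------------------------
#
# !!!!! FOR NORMAL OPERATION. YOU DON'T HAVE TO CHANGE THIS FILE. !!!!!
#
# You can modify the operation of the firewall by setting the options in the
# config.ini file.
# Make sure you use the latest version of BOTH the firewall.ini & config.ini
#
# Check the security of your firewall on:
# - Quick: https://grc.com/x/ne.dll?bh0bkyd2
# - Thorough (Slow): http://scan.sygatetech.com/
# - Free Server/Firewall Test: http://www.securitymetrics.com/portscan.adp
# - IP utilities: http://home.planet.nl/~houwe135/wbnt1/index.htm
#
# ----------------------------------------------------------------------------
#
# Structure of this file:
#  1. kernel (/proc/sys) hardening and IP forwarding,
#  2. flush of all ipchains rules and a DENY default policy on the input,
#     output and forward chains,
#  3. ACCEPT/DENY rules, appended in file order, for loopback, modem, LAN,
#     masquerading, anti-spoofing, common/trojan ports, ICMP and one section
#     per service that can be switched on in config.ini.
# Every variable used here ($verbose, $detail, $path_ipchains, $path_ipmasqadm,
# the interface/address settings and the y/n feature switches) comes from
# /etc/default/config; none of them is defined in this file.
# ipchains evaluates a chain top-down and stops at the first match, so rules
# appended with -A earlier in this file take precedence over later ones (the
# DHCP section relies on that); only the IP block list is inserted with -I at
# the head of the chains.

. /etc/default/config

# Set NET_IP to the value FloppyT returns after the connection has come up.
#
NET_IP=$1
echo

#######################################
# Print a message only when verbose=y is set in config.ini.
# Arguments: the echo arguments (an optional -n followed by the text)
#######################################
log_verbose() {
  if [ "$verbose" = "y" ]; then
    echo "$@"
  fi
}

#######################################
# Progress output inside the long blocking loops: the item itself when
# detail=y, a single dot otherwise, nothing at all when verbose is not y.
# Arguments: $1 - the item text, already padded by the caller
#######################################
log_progress() {
  if [ "$verbose" = "y" ]; then
    if [ "$detail" = "y" ]; then
      echo -n "$1"
    else
      echo -n "."
    fi
  fi
}

#######################################
# Deny and log a destination port in both directions on the modem side
# interface.
# Arguments: $1 - protocol (tcp or udp), $2 - port or port range (a:b)
#######################################
deny_port_logged() {
  "$path_ipchains" -A input -p "$1" -i "$MODEMSIDE_DEV" --dport "$2" -j DENY -l
  "$path_ipchains" -A output -p "$1" -i "$MODEMSIDE_DEV" --dport "$2" -j DENY -l
}

#######################################
# Accept a TCP service on FloppyT's external address: anything in, and
# everything but SYN-only packets (! -y) back out, so no new connection
# can be initiated from that port.
# Arguments: $1 - port
#######################################
accept_tcp_service() {
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport "$1" -j ACCEPT
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport "$1" -d any/0 ! -y -j ACCEPT
}

#######################################
# Forward a TCP port of the external address to a host on the LAN with
# ipmasqadm portfw, and accept (logged) the matching packets on
# $OUTSIDE_DEV - presumably the re-injected packets of the forwarded
# connection; confirm against the ipmasqadm documentation.
# Arguments: $1 - port, $2 - LAN address of the server
#######################################
forward_tcp_service() {
  "$path_ipchains" -A input -p tcp -i "$OUTSIDE_DEV" -s "$NET_IP" "$1" -d "$2" --dport "$1" -l -j ACCEPT
  "$path_ipmasqadm" portfw -a -P tcp -L "$NET_IP" "$1" -R "$2" "$1"
}

# Set options and enable forwarding in the kernel.
#
# Every /proc/sys knob is only touched when the running kernel exposes it,
# so the script also works on kernels that lack one of the options.

# Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  log_verbose "(1) Enable on Source Address Verification"
  for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$interface"
  done
fi

# Disable ICMP redirect accept
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
  log_verbose "(2) Disable ICMP redirect accept"
  for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$interface"
  done
fi

# Disable ICMP send_redirect
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  log_verbose "(3) Disable ICMP redirect send"
  for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$interface"
  done
fi

# Disable source routed packets
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  log_verbose "(4) Disable source routed packets"
  for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$interface"
  done
fi

# Log spoofed packets, source routed packets, redirect packets
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
  log_verbose "(5) Enable logging of spoofed-, source routed- and redirect- packets"
  for interface in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$interface"
  done
fi

# Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  log_verbose "(6) Enable TCP SYN cookie protection"
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# ICMP Broadcasting echo protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  log_verbose "(7) Enable ICMP broadcast echo protection"
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
  log_verbose "(8) Enable ICMP bogus error message protection"
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# Enable automatic IP defragmenting
if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
  log_verbose "(9) Enable automatic IP defragmenting"
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag
fi

# Turn on dynamic TCP/IP address hacking. Turn off with echo 0 >
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  log_verbose "(10) Enable dynamic TCP/IP address hacking"
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (with echo 1 >). This option is disabled by default
# due to possible internal machine UDP port scanning vulnerabilities.
if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then
  log_verbose "(11) Disable the LooseUDP patch which some Internet-based games require"
  echo 0 > /proc/sys/net/ipv4/ip_masq_udp_dloose
fi

log_verbose "(12) Kernel options set, enabling forwarding in the kernel"
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush and clear the rules and set the default policies
#
log_verbose "(13) Flushing and clearing rules"
"$path_ipchains" -F
"$path_ipchains" -X
"$path_ipchains" -Z

# Deny by default: everything that is not explicitly accepted below is dropped.
log_verbose "(14) Setting default policies"
"$path_ipchains" -P input DENY
"$path_ipchains" -P output DENY
"$path_ipchains" -P forward DENY

# MASQ timeouts
#
# >> 2 hrs timeout for TCP session timeouts
# 60 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 600 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
# firewall timeout in ICQ itself)
log_verbose "(15) Setting MASQ timeouts"
"$path_ipchains" -M -S 20000 60 600

# Minimum delay for SSH.
#
# -t andmask xormask: sets the Minimize-Delay TOS bit (0x10) on outgoing
# packets to port 22.
log_verbose "(16) Setting minimum delay for SSH"
"$path_ipchains" -A output -p tcp -d 0.0.0.0/0 22 -t 0x01 0x10

# Loopback settings
#
log_verbose "(17) Enabling loopback settings"
"$path_ipchains" -A input -i lo -j ACCEPT
"$path_ipchains" -A output -i lo -j ACCEPT
# Loopback addresses never legitimately arrive from the modem side: log them.
"$path_ipchains" -A input -i "$MODEMSIDE_DEV" -d 127.0.0.0/8 -j DENY -l

# Modem traffic
#
log_verbose "(18) Initializing modemrules"
# Refuse spoofing: our own external address can never be a valid source
"$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$NET_IP" -j DENY -l
# Only traffic between modem and server is welcome
"$path_ipchains" -A input -i "$OUTSIDE_DEV" -s "$MODEM_IP" -d "$OUTSIDE_IP" -j ACCEPT
"$path_ipchains" -A output -i "$OUTSIDE_DEV" -s "$OUTSIDE_IP" -d "$MODEM_IP" -j ACCEPT
# View your modem settings with your browser via http://10.0.0.138 from every
# computer on your LAN
"$path_ipchains" -A forward -i "$OUTSIDE_DEV" -s "$LOCAL_NET" -d "$MODEM_IP" -j MASQ

# Local traffic
#
log_verbose "(19) Enabling local traffic"
# Disallow Fragmented Packets
"$path_ipchains" -A output -f -i "$INSIDE_DEV" -j DENY
# Refuse spoofing: LAN addresses from the modem side, our own address anywhere
"$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$LOCAL_NET" -j DENY -l
"$path_ipchains" -A input -s "$NET_IP" -j DENY -l
# Everything else is fine
"$path_ipchains" -A input -i "$INSIDE_DEV" -s "$LOCAL_NET" -j ACCEPT
"$path_ipchains" -A output -i "$INSIDE_DEV" -d "$LOCAL_NET" -j ACCEPT

# Masquerade
#
log_verbose "(20) Setting masquerading"
# Higher ports needed to accept incoming/outgoing calls
# Any traffic from masqueraded machines/server accepted
# Reject any traffic not started by masqueraded machine/server
# (incoming TCP on the unprivileged ports is only accepted when it is not a
# SYN-only packet, i.e. it belongs to a connection opened from the inside)
"$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" "$unpriv_ports" ! -y -j ACCEPT
"$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" "$unpriv_ports" -d any/0 -j ACCEPT
# Check if UDP connections are needed
"$path_ipchains" -A input -p udp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" "$unpriv_ports" -j ACCEPT
"$path_ipchains" -A output -p udp -i "$MODEMSIDE_DEV" -s "$NET_IP" "$unpriv_ports" -d any/0 -j ACCEPT
# All local traffic is masqueraded externally
"$path_ipchains" -A forward -i "$MODEMSIDE_DEV" -s "$LOCAL_NET" -j MASQ

# DHCP server-client communication
#
# Open port 67 & 68 (UDP) on the inside for the DHCP server on FloppyT
# These rules must be before the spoofing and blocking sections, otherwise
# the DHCP server will not work!
if [ "$dhcp" = "y" ]; then
  echo "(21) Opening ports 67 & 68 (UDP) on the inside for the DHCP server on FloppyT"
  "$path_ipchains" -A input -p udp -i "$INSIDE_DEV" -s "$LOCAL_NET" --sport 68 -d "$INSIDE_BROADCAST" --dport 67 -j ACCEPT
  "$path_ipchains" -A output -p udp -i "$INSIDE_DEV" -s "$INSIDE_IP" -d "$INSIDE_BROADCAST" -j ACCEPT
  "$path_ipchains" -A input -p udp -i "$INSIDE_DEV" --dport 67 --sport 68 -j ACCEPT
  "$path_ipchains" -A output -p udp -i "$INSIDE_DEV" --sport 67 --dport 68 -j ACCEPT
fi

# Syslog communication with client
#
# Open port 514 (UDP) on the inside for remote Syslog client
if [ "$remote_syslog" = "y" ]; then
  echo "(22) Opening ports 514 (UDP) on the inside for SYSLOG client"
  "$path_ipchains" -A input -p udp -i "$INSIDE_DEV" --dport 514 --sport 514 -j ACCEPT
  "$path_ipchains" -A output -p udp -i "$INSIDE_DEV" --sport 514 --dport 514 -j ACCEPT
fi

# This is all generic protection against spoofing
#
if [ "$spoofing_protection" = "y" ]; then
  log_verbose -n "(23) Setting up generic protection against spoofing: "
  # Block Packets with Stuffed Routing
  "$path_ipchains" -A input -s 0.0.0.0 -j DENY -l
  "$path_ipchains" -A output -s 0.0.0.0 -j DENY -l
  "$path_ipchains" -A input -s 255.255.255.255 -j DENY -l
  "$path_ipchains" -A output -s 255.255.255.255 -j DENY -l
  # Block Fragmented Packets
  "$path_ipchains" -A input -f -j DENY -l
  # Block all reserved private IP addresses ($class_a .. $class_e come from
  # config.ini)
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$class_a" -j DENY -l
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$class_b" -j DENY -l
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$class_c" -j DENY -l
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$class_d" -j DENY -l
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -s "$class_e" -j DENY -l
  # Block all ip addresses reserved by IANA (for the time being) this
  # changes regularly, see http://www.iana.org/assignments/ipv4-address-space
  # IANA-Multicast (224-239/8) is also blocked. Updated 23 September 2002
  # NOTE(review): this is a snapshot of the registry from 2002; most of these
  # /8 blocks have been allocated since, so the list must be refreshed
  # against the current IANA registry before use or it will silently deny
  # legitimate hosts.
  RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8
    5.0.0.0/8
    7.0.0.0/8
    23.0.0.0/8
    27.0.0.0/8
    31.0.0.0/8
    36.0.0.0/8 37.0.0.0/8
    39.0.0.0/8
    41.0.0.0/8 42.0.0.0/8
    58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
    70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8
    82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
    88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8
    95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8
    102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8
    108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8
    114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8
    120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8
    126.0.0.0/8 127.0.0.0/8
    197.0.0.0/8
    222.0.0.0/8 223.0.0.0/8
    224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8
    230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8
    236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8
    240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8
    246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8
    252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
  # $RESERVED_NET is deliberately unquoted: word-splitting gives one network
  # per iteration.
  for NET in $RESERVED_NET; do
    log_progress "$NET "
    "$path_ipchains" -A input -s "$NET" -j DENY -l
  done
  log_verbose ""
fi

# Blocking some common ports
#
# Especially necessary to set this feature when opening ALL unpriv_ports
# for instance due to ICQ filetransfer.
# Avoid ports subject to protocol & system administration problems.
if [ "$refuse_common_ports" = "y" ]; then
  log_verbose -n "(24) Blocking connections to common ports: "
  # See http://linux-firewall-tools.com/linux/ports.html
  # Updated 26 September 2002
  # Common ports that are also used by servers, are blocked
  # at the various server specific part of the firewall.
  common_ports_refused="0:5 7 11 13 15 19 37 67:69 79 87 109
    111 137:139 144 161:162 177 512:515 517:518 520 540 635
    1080 1114 2049 5631:5632 6000:6063 6665:6669 33434:33523"
  for common_ports in $common_ports_refused; do
    log_progress "$common_ports "
    deny_port_logged tcp "$common_ports"
    deny_port_logged udp "$common_ports"
  done
  log_verbose ""
fi

# Blocking some Trojan-ports
#
# Especially necessary to set this feature when opening ALL unpriv_ports
# for instance due to ICQ filetransfer.
# Trojan-ports: disable incoming connections to common trojan ports
if [ "$block_trojans" = "y" ]; then
  log_verbose -n "(25) Blocking connections to known Trojan ports: "
  # Block Subseven (1.7/1.9) 1243 / 6711:6713
  # Block Backdoor-G and Subseven (2.X) 1999 / 6776 / 27374
  # Block Stacheldraht 16660 / 60001 / 65000
  # Block Trinity v3 33270
  # Block Trin00 1524 / 27444 / 27665 / 31335
  # Block Cheeseworm 10008
  # Extra Trojan list from http://scan.sygate.com:443/cgi-bin/probe/trojans.cgi
  # Updated 26 September 2002
  # Trojans that are also used by servers, are blocked
  # at the various server specific part of the firewall.
  # (10067 was listed twice in the original list; it is blocked once here.)
  trojan_ports="31 41 59 99 121 421 456 531 555 666 911 999 1001 1010:1012 1015 1024 1042
    1045 1090 1170 1234 1243 1245 1269 1349 1492 1509 1524 1600 1807 1981 1984 1999:2000 2140
    2155 2283 2565 2583 2600 2801 2989 3024 3128:3129 3150 3459 3700 3791 3801 4092 4321 4567
    4590 5000:5001 5011 5031 5321 5400:5402 5550 5512 5555:5557 5569 5742 6400 6669:6670 6711:6713
    6771 6776 6912 6939 6969:6970 7000 7300:7301 7306:7308 7789 9400 9872:9876 9878 9989
    10008 10067 10101 10167 10520 10607 11000 11223 12076 12223 12345 12346 12361 12362
    12631 13000 16660 16969 17300 20000 20001 20034 20203 21544 22222 23456 23476:23477 26274
    27374 27444 27665 29891 30029 30100:30303 30999 31335:31339 31666 31785 31787:31792 33270
    33333 33911 34324 40412 40421:40423 40426 47262 50505 50766 53001 54320:54321 60000:60001
    61466 65000"
  for trojans in $trojan_ports; do
    log_progress " $trojans"
    deny_port_logged tcp "$trojans"
    deny_port_logged udp "$trojans"
  done
  log_verbose ""
fi

# ICMP settings
#
# Only accept pings from www.watchmyserver.com (195.179.115.45)
# icmp traffic
#  0 = echo-reply needed by ping
#  3 = destination-unreachable needed by any TCP/UDP traffic
#  5 = redirect needed by routing if not running routing daemon
#  8 = echo-request needed by ping
# 11 = time-exceeded needed by traceroute
if [ "$accept_pings" = "y" ]; then
  log_verbose "(26) Accept pings (Accept ICMP types 0,3,8,11 / Reject type 5)"
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 0 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 3 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 8 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 11 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 3 -s "$NET_IP" -d any/0 -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 8 -s "$NET_IP" -d any/0 -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 0 -s "$NET_IP" -d any/0 -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 11 -s "$NET_IP" -d any/0 -j ACCEPT
  # Deny redirect icmp-packet even when accepting pings, as there is no reason
  # why this should be opened
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 5 -s any/0 -d "$NET_IP" -j DENY -l
else
  # Echo-request is only answered for the monitoring host; replies and
  # time-exceeded are only sent to that host as well.
  log_verbose "(26) Reject pings (Accept ICMP types 0,3,11 / type 8 only from 195.179.115.45 / Reject type 5)"
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 0 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 3 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 8 -s 195.179.115.45 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 11 -s any/0 -d "$NET_IP" -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 3 -s "$NET_IP" -d any/0 -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 8 -s "$NET_IP" -d any/0 -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 0 -s "$NET_IP" -d 195.179.115.45 -j ACCEPT
  "$path_ipchains" -A output -i "$MODEMSIDE_DEV" -p icmp --icmp-type 11 -s "$NET_IP" -d 195.179.115.45 -j ACCEPT
  # Deny redirect icmp-packet
  "$path_ipchains" -A input -i "$MODEMSIDE_DEV" -p icmp --icmp-type 5 -s any/0 -d "$NET_IP" -j DENY -l
fi

# Block IP-numbers from certain file
#
# The list is read from the floppy; -I inserts at the head of the chains, so
# these entries take precedence over every rule appended above. They are not
# logged (no -l).
if [ "$ip_block" = "y" ]; then
  # Only read the list and unmount when the mount actually succeeded.
  if mount -t vfat /dev/fd0 /mnt; then
    log_verbose "(27) Block and do not log IP-addresses from $path_ip_block_file: "
    blockipnumbers=$(cat "/mnt/$path_ip_block_file")
    for blockips in $blockipnumbers; do
      echo -n "$blockips "
      "$path_ipchains" -I input -s "$blockips" -j DENY
      "$path_ipchains" -I output -d "$blockips" -j DENY
      "$path_ipchains" -I forward -d "$blockips" -j DENY
    done
    log_verbose "Ready..."
    umount /dev/fd0
  else
    echo "(27) Could not mount /dev/fd0, IP block list $path_ip_block_file not loaded" >&2
  fi
fi

# ICQ filetransfer
#
# Unfortunately ICQ uses the whole unpriv_port range for client to client
# connections (filetransfer). Enabling this feature will open ALL unpriv_ports.
# Hackers are then able to establish a connection to these ports.
if [ "$icq_filetransfer_all" = "y" ]; then
  echo "(28) Enabling ICQ filetransfer"
  echo " !!! Caution, this opens *ALL* unpriv_ports. When using this option, !!!"
  echo " !!! make sure you have set refuse_common_ports=y and block_trojans=y !!!"
  echo " !!! in config.ini to reduce the risk of opening all unpriv_ports.   !!!"
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -d "$NET_IP" --dport "$unpriv_ports" -y -j ACCEPT
fi

# Restricted ICQ filetransfer based on IP-address
if [ "$icq_filetransfer_friends" = "y" ]; then
  log_verbose -n "(29) Enable restricted ICQ filetransfer on: "
  for icq_ip in $icq_friends; do
    echo -n "$icq_ip "
    "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s "$icq_ip" --sport "$unpriv_ports" -d "$NET_IP" --dport "$unpriv_ports" -j ACCEPT
  done
  log_verbose ""
fi

# FTP-server
#
# See http://slacksite.com/other/ftp.html for more info.
# Open port 21 (ftp) for FTP-server
if [ "$ftp_active" = "y" ] || [ "$ftp_passive" = "y" ]; then
  # Open port 21 (ftp) for FTP-server if $ftp_active="y" OR $ftp_passive="y"
  echo "(30) Opening port 21 (TCP) for FTP-server on $FTP_IP"
  accept_tcp_service 21
  forward_tcp_service 21 "$FTP_IP"
else
  # Block trojans on TCP port 21, if FTP server is not used
  log_verbose "(30) Blocking attacks on TCP/UDP port 21, as FTP server is not used"
  deny_port_logged tcp 21
fi
# Block trojans on UDP port 21. This can be blocked anyway, as FTP doesn't use it
deny_port_logged udp 21

if [ "$ftp_active" = "y" ]; then
  # Open port 20 (ftp-data) for active FTP-server
  echo "(31) Opening port 20 (TCP) for active FTP-server on $FTP_IP"
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport 20 ! -y -j ACCEPT
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 20 -d any/0 -j ACCEPT
fi

if [ "$ftp_passive" = "y" ]; then
  # Sustain establishing data channel for FTP in passive mode
  echo "(32) Opening all unpriv_ports for passive FTP server on $FTP_IP"
  echo " !!! Caution, this opens *ALL* unpriv_ports. When using this option, !!!"
  echo " !!! make sure you have set refuse_common_ports=y and block_trojans=y !!!"
  echo " !!! in config.ini to reduce the risk of opening all unpriv_ports.   !!!"
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport "$unpriv_ports" -j ACCEPT
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport "$unpriv_ports" -d any/0 ! -y -j ACCEPT
fi

# FTP - Active FTP for client
#
# Sustain FTP - please note that port 20 (ftp-data) for ACTIVE FTP sessions should NOT use
# SYN-filtering. Because of this, we must specifically allow it in. It's better not to use
# active FTP, but set your FTP-client in passive mode
if [ "$ftp_client" = "y" ]; then
  echo "(33) Opening port 20 (TCP) for active FTP-clients"
  echo " !!! It's better not to use a FTP client in active mode. Set your !!!"
  echo " !!! client to passive mode and change the ftp_client to n        !!!"
  # Anything with source port ftp-data may open a connection to the
  # unprivileged ports; the rule is logged (-l) so such connections show up.
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 --sport ftp-data -d "$NET_IP" --dport "$unpriv_ports" -j ACCEPT -l
fi

if [ "$ftp_active" = "n" ] && [ "$ftp_client" = "n" ]; then
  # Block attack on TCP/UDP port 20, only if the active FTP-server AND
  # the active FTP-client are not used.
  log_verbose "(34) Blocking attacks on TCP/UDP port 20, as active FTP is not used"
  deny_port_logged tcp 20
  deny_port_logged udp 20
fi

# SSH server and client traffic (port 22)
#
# Any traffic to/from ssh daemon permitted
if [ "$ssh" = "y" ]; then
  accept_tcp_service 22
  if [ "$ssh_pfw" = "y" ]; then
    echo "(35) Opening port 22 (TCP) for SSH server on $SSH_IP"
    forward_tcp_service 22 "$SSH_IP"
  else
    echo "(35) Opening port 22 (TCP) for SSH server on FloppyT"
  fi
else
  log_verbose "(35) Blocking attacks on TCP/UDP port 22, as SSH Server is not used"
  deny_port_logged tcp 22
  deny_port_logged udp 22
fi

# Telnet server
#
# Open port 23 (telnet) for Telnet
if [ "$telnet" = "y" ]; then
  echo "(36) Opening port 23 (TCP) for Telnet server on $TELNET_IP"
  accept_tcp_service 23
  forward_tcp_service 23 "$TELNET_IP"
else
  log_verbose "(36) Blocking attacks on TCP/UDP port 23, as Telnet Server is not used"
  deny_port_logged tcp 23
  deny_port_logged udp 23
fi

# SMTP-server
#
# Open port 25 (smtp) for SMTP-server
if [ "$smtp" = "y" ]; then
  echo "(37) Opening port 25 (TCP) for SMTP server on $SMTP_IP"
  accept_tcp_service 25
  forward_tcp_service 25 "$SMTP_IP"
else
  log_verbose "(37) Blocking attacks on TCP/UDP port 25, as SMTP server is not used"
  deny_port_logged tcp 25
  deny_port_logged udp 25
fi

# DNS-server
#
# Open port 53 (domain) for DNS-server
if [ "$dns" = "y" ]; then
  echo "(38) Opening port 53 (TCP and UDP) for DNS server on $DNS_IP"
  accept_tcp_service 53
  forward_tcp_service 53 "$DNS_IP"
  # UDP has no SYN flag, so the UDP variant is written out here.
  "$path_ipchains" -A input -p udp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport 53 -j ACCEPT
  "$path_ipchains" -A output -p udp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 53 -d any/0 -j ACCEPT
  "$path_ipchains" -A input -p udp -i "$OUTSIDE_DEV" -s "$NET_IP" 53 -d "$DNS_IP" --dport 53 -l -j ACCEPT
  "$path_ipmasqadm" portfw -a -P udp -L "$NET_IP" 53 -R "$DNS_IP" 53
else
  log_verbose "(38) Blocking attacks on TCP/UDP port 53, as DNS server is not used"
  deny_port_logged tcp 53
  deny_port_logged udp 53
fi

# Webserver
#
# Open port 80 (http) for webserver
if [ "$http" = "y" ]; then
  echo "(39) Opening port 80 (TCP) for HTTP server on $WEB_IP"
  accept_tcp_service 80
  forward_tcp_service 80 "$WEB_IP"
else
  log_verbose "(39) Blocking attacks on TCP/UDP port 80, as http server is not used"
  deny_port_logged tcp 80
  deny_port_logged udp 80
fi

# Open port 443 (https) for webserver
#
# (The original forwarding rule matched source port 433 instead of 443, so
# the forwarded HTTPS packets never matched; both ports are 443 now.)
if [ "$https" = "y" ]; then
  echo "(40) Opening port 443 (TCP) for HTTPS server on $HTTPS_IP"
  accept_tcp_service 443
  forward_tcp_service 443 "$HTTPS_IP"
else
  log_verbose "(40) Blocking attacks on TCP/UDP port 443, as https server is not used"
  deny_port_logged tcp 443
  deny_port_logged udp 443
fi

# NEWS-server
#
# Open port 119 (NNTP) for newsserver
if [ "$nntp" = "y" ]; then
  echo "(41) Opening port 119 (TCP) for NNTP server on $NNTP_IP"
  accept_tcp_service 119
  forward_tcp_service 119 "$NNTP_IP"
else
  log_verbose "(41) Blocking attacks on TCP/UDP port 119, as NNTP server is not used"
  deny_port_logged tcp 119
  deny_port_logged udp 119
fi

# POP3-server
#
# Open port 110 (pop3) for POP3-server
if [ "$pop3" = "y" ]; then
  echo "(42) Opening port 110 (TCP) for POP3 server on $POP_IP"
  accept_tcp_service 110
  forward_tcp_service 110 "$POP_IP"
else
  log_verbose "(42) Blocking attacks on TCP/UDP port 110, as POP3 server is not used"
  deny_port_logged tcp 110
  deny_port_logged udp 110
fi

# Open port 995 (pop3s) for POP3-server over SSL
#
if [ "$pop3s" = "y" ]; then
  echo "(43) Opening port 995 (TCP) for POP3S server on $POP3S_IP"
  accept_tcp_service 995
  forward_tcp_service 995 "$POP3S_IP"
else
  log_verbose "(43) Blocking attacks on TCP/UDP port 995, as POP3S server is not used"
  deny_port_logged tcp 995
  deny_port_logged udp 995
fi

# Auth-server (ident)
#
# Open port 113 (auth/ident) for ident-server
if [ "$auth" = "y" ]; then
  echo "(44) Opening port 113 (TCP) for AUTH server on $AUTH_IP"
  accept_tcp_service 113
  forward_tcp_service 113 "$AUTH_IP"
else
  # TCP ident requests get a REJECT (an answer is sent, so remote mail/IRC
  # servers do not wait for a timeout); UDP is dropped and logged.
  log_verbose "(44) Reject instead of drop TCP Auth requests, drop UDP Auth requests"
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport 113 -j REJECT
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 113 -d any/0 ! -y -j REJECT
  deny_port_logged udp 113
fi

# NTP: Allow external computers to connect to FloppyT for NTP (time) updates
#
# Open port 123 (ntp) for NTP
# $ntp_address may hold several addresses; it is deliberately left unquoted.
if [ "$ntp_tcp" = "y" ]; then
  for ntp_ip in $ntp_address; do
    echo "(45) Enable NTP protocol in TCP mode on $ntp_ip (no port forwarding)"
    "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s "$ntp_ip" --sport 123 -d "$NET_IP" --dport 123 -j ACCEPT
    "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 123 -d "$ntp_ip" --dport 123 -j ACCEPT
  done
else
  log_verbose "(45) Blocking attacks on TCP port 123, as NTP server (TCP) is not used"
  deny_port_logged tcp 123
fi

if [ "$ntp_udp" = "y" ]; then
  for ntp_ip in $ntp_address; do
    echo "(46) Enable NTP protocol in UDP mode on $ntp_ip (no port forwarding)"
    "$path_ipchains" -A input -p udp -i "$MODEMSIDE_DEV" -s "$ntp_ip" --sport 123 -d "$NET_IP" --dport 123 -j ACCEPT
    "$path_ipchains" -A output -p udp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 123 -d "$ntp_ip" --dport 123 -j ACCEPT
  done
else
  log_verbose "(46) Blocking attacks on UDP port 123, as NTP server (UDP) is not used"
  deny_port_logged udp 123
fi

# IMAP-server
#
# Open port 143 (imap) for IMAP-server
if [ "$imap" = "y" ]; then
  echo "(47) Opening port 143 (TCP) for IMAP server on $IMAP_IP"
  accept_tcp_service 143
  forward_tcp_service 143 "$IMAP_IP"
else
  log_verbose "(47) Blocking attacks on TCP/UDP port 143, as IMAP server is not used"
  deny_port_logged tcp 143
  deny_port_logged udp 143
fi

# Open port 993 (imaps) for IMAP-server over SSL
#
if [ "$imaps" = "y" ]; then
  echo "(48) Opening port 993 (TCP) for IMAPS server on $IMAPS_IP"
  accept_tcp_service 993
  forward_tcp_service 993 "$IMAPS_IP"
else
  log_verbose "(48) Blocking attacks on TCP/UDP port 993, as IMAPS server is not used"
  deny_port_logged tcp 993
  deny_port_logged udp 993
fi

# Webmin-server
#
# Open port 10000 (webmin) for Webmin-server
if [ "$webmin" = "y" ]; then
  echo "(49) Opening port 10000 (TCP) for WEBMIN server on $WEBMIN_IP"
  accept_tcp_service 10000
  forward_tcp_service 10000 "$WEBMIN_IP"
else
  # Unlike the other services, these DENY rules carry no -l and are not
  # logged (kept as in the original).
  log_verbose "(49) Blocking attacks on TCP/UDP port 10000, as Webmin server is not used"
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport 10000 -j DENY
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 10000 -d any/0 ! -y -j DENY
  "$path_ipchains" -A input -p udp -i "$MODEMSIDE_DEV" -s any/0 -d "$NET_IP" --dport 10000 -j DENY
  "$path_ipchains" -A output -p udp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 10000 -d any/0 -j DENY
fi

# Open port 5108 (WEBMAIL) for MAIL-server
#
if [ "$webmail" = "y" ]; then
  echo "(50) Opening port 5108 (TCP) for WEBMAIL server on $WEBMAIL_IP"
  # Only SYN packets (-y) are accepted inbound here, the reverse of the
  # other services; kept as in the original.
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -d "$NET_IP" --dport 5108 -y -j ACCEPT
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 5108 ! -y -j ACCEPT
  forward_tcp_service 5108 "$WEBMAIL_IP"
else
  log_verbose "(50) Blocking attacks on TCP/UDP port 5108, as WEBMAIL server is not used"
  deny_port_logged tcp 5108
  deny_port_logged udp 5108
fi

# Open port 7119 (WEBNEWS) for NEWS-server
#
if [ "$webnews" = "y" ]; then
  echo "(51) Opening port 7119 (TCP) for WEBNEWS server on $WEBNEWS_IP"
  "$path_ipchains" -A input -p tcp -i "$MODEMSIDE_DEV" -d "$NET_IP" --dport 7119 -y -j ACCEPT
  # NOTE(review): this rule is continued on the following line of the file.
  "$path_ipchains" -A output -p tcp -i "$MODEMSIDE_DEV" -s "$NET_IP" --sport 7119 !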
-y -j ACCEPT $path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $NET_IP 7119 -d $WEBNEWS_IP --dport 7119 -l -j ACCEPT $path_ipmasqadm portfw -a -P tcp -L $NET_IP 7119 -R $WEBNEWS_IP 7119 else if [ $verbose = "y" ]; then echo "(51) Blocking attacks on TCP/UDP port 7119, as WEBNEWS server is not used"; fi; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV --dport 7119 -j DENY -l $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV --dport 7119 -j DENY -l $path_ipchains -A input -p udp -i $MODEMSIDE_DEV --dport 7119 -j DENY -l $path_ipchains -A output -p udp -i $MODEMSIDE_DEV --dport 7119 -j DENY -l fi; # Open port 8080 (PROXY) for PROXY-server # if [ $proxy = "y" ]; then echo "(52) Opening port 8080 (TCP) for WEBMAIL server on $PROXY_IP"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 8080 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 8080 ! -y -j ACCEPT $path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $NET_IP 8080 -d $PROXY_IP --dport 8080 -l -j ACCEPT $path_ipmasqadm portfw -a -P tcp -L $NET_IP 8080 -R $PROXY_IP 8080 else if [ $verbose = "y" ]; then echo "(52) Blocking attacks on TCP/UDP port 8080, as PROXY server is not used"; fi; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV --dport 8080 -j DENY -l $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV --dport 8080 -j DENY -l $path_ipchains -A input -p udp -i $MODEMSIDE_DEV --dport 8080 -j DENY -l $path_ipchains -A output -p udp -i $MODEMSIDE_DEV --dport 8080 -j DENY -l fi; # VNC-server # # It is more secure to establish a VNC-connection with Linux server via a SSH-tunnel # Establish an unencrypted VNC-connection with Linux server # Default display :1 if [ $vnc_with_server = "y" ]; then echo "(53) Opening port 5900 (TCP) for VNC server on $VNC_IP"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 5900 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 5900 ! 
-y -j ACCEPT $path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $NET_IP 5900 -d $VNC_IP --dport 5900 -l -j ACCEPT $path_ipmasqadm portfw -a -P tcp -L $NET_IP 5900 -R $VNC_IP 5900 else if [ $verbose = "y" ]; then echo "(53) Blocking attacks on TCP port 5900, as VNC server is not used"; fi $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 5900 -y -j DENY $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 5900 ! -y -j DENY fi; # VNC-webserver # # It is more secure to establish a VNC-webconnection with Linux server via a SSH-tunnel # Establish an unencrypted VNC-webconnection with Linux server # Default display :1 if [ $vnc_with_webserver = "y" ]; then echo "(54) Opening port 5800 (TCP) for VNC Web server on $VNCWEB_IP"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 5800 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 5800 ! -y -j ACCEPT $path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $NET_IP 5800 -d $VNCWEB_IP --dport 5800 -l -j ACCEPT $path_ipmasqadm portfw -a -P tcp -L $NET_IP 5800 -R $VNCWEB_IP 5800 else if [ $verbose = "y" ]; then echo "(54) Blocking attacks on TCP port 5800, as VNC Web server is not used"; fi; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 5800 -y -j DENY $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 5800 ! 
-y -j DENY fi; # VPN_IPsec # # Open UDP port 500 & Protocol 50,51 for IPsec/UDP or open port 10000 for IPsec/TCP if [ $VPN_IPsec = "y" ]; then for VPN_IPsec_address in $VPN_IPsec_ip; do for VPN_IPsec_protocol in $VPN_IPsec_mode; do if [ $VPN_IPsec_protocol = "UDP" ]; then # For UDP connections (UDP port 500 & Protocol 50,51) echo "(55) Opening port 500 & Protocol 50/51 (UDP) to $VPN_IPsec_address"; $path_ipchains -A input -p udp -i $MODEMSIDE_DEV -s $VPN_IPsec_address --sport 500 -d $NET_IP --dport 500 -j ACCEPT $path_ipchains -A output -p udp -i $MODEMSIDE_DEV -s $NET_IP --sport 500 -d $VPN_IPsec_address --dport 500 -j ACCEPT $path_ipchains -A input -p 50 -i $MODEMSIDE_DEV -s $VPN_IPsec_address -d $NET_IP -j ACCEPT $path_ipchains -A output -p 50 -i $MODEMSIDE_DEV -s $NET_IP -d $VPN_IPsec_address -j ACCEPT $path_ipchains -A input -p 51 -i $MODEMSIDE_DEV -s $VPN_IPsec_address -d $NET_IP -j ACCEPT $path_ipchains -A output -p 51 -i $MODEMSIDE_DEV -s $NET_IP -d $VPN_IPsec_address -j ACCEPT else if [ $VPN_IPsec_protocol = "TCP" ]; then # For TCP connections (TCP port 10000) echo "(55) Opening port $VPN_IPsec_TCP_port (TCP) to $VPN_IPsec_address"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $VPN_IPsec_address --sport $VPN_IPsec_TCP_port -d $NET_IP --dport $VPN_IPsec_TCP_port -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport $VPN_IPsec_TCP_port -d $VPN_IPsec_address --dport $VPN_IPsec_TCP_port -j ACCEPT else echo "(55) Error: Rules not set. 
Choose UDP and/or TCP protocol for VPN IPsec in config.ini file !"; fi; fi; done; done; fi; # Windows XP Messenger # # See: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/natfw/natfw.doc # # SIP signaling: 5060 # Audio and Video: UDP 5004:65535 # Application Sharing and Whiteboard: TCP 1503 + Plus mapping to client IP # File Transfer: TCP 6891:6900 # Remote Assistance: TCP 3389 # if [ $messenger = "y" ]; then echo "(56) Opening port 5060 (TCP) for XP Messenger Client"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 5060 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 5060 ! -y -j ACCEPT if [ $messenger_av = "y" ]; then echo "(56) Opening ports 5004:65535 (UDP) for Audio/Video in XP Messenger Client"; $path_ipchains -A input -p udp -i $MODEMSIDE_DEV -d $NET_IP --dport 5004:65535 -j ACCEPT $path_ipchains -A output -p udp -i $MODEMSIDE_DEV -s $NET_IP --sport 5004:65535 -j ACCEPT fi; if [ $messenger_as_wb = "y" ]; then echo "(56) Opening port 1503 (TCP) for AS & WB in XP Messenger Client on $MESSENGER_IP"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 1503 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 1503 ! -y -j ACCEPT $path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $NET_IP 1503 -d $MESSENGER_IP --dport 1503 -l -j ACCEPT $path_ipmasqadm portfw -a -P tcp -L $NET_IP 1503 -R $MESSENGER_IP 1503 fi; if [ $messenger_ft = "y" ]; then echo "(56) Opening ports 6891:6900 (TCP) for File Transefer in XP Messenger Client"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 6891:6900 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 6891:6900 ! 
-y -j ACCEPT fi; if [ $messenger_ra = "y" ]; then echo "(56) Opening port 3389 (TCP) for Remote Assistance in XP Messenger Client"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 3389 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 3389 ! -y -j ACCEPT fi; fi; # MSN Messenger # if [ $msn = "y" ]; then echo "(57) Opening port 1863 (TCP) for MSN Client - Express Messages"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 1863 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 1863 ! -y -j ACCEPT if [ $msn_speech = "y" ]; then echo "(57) Opening port 6901 (TCP & UDP) for MSN Client - Speech"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 6901 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 6901 ! -y -j ACCEPT $path_ipchains -A input -p udp -i $MODEMSIDE_DEV -d $NET_IP --dport 6901 -j ACCEPT $path_ipchains -A output -p udp -i $MODEMSIDE_DEV -s $NET_IP --sport 6901 -j ACCEPT fi; if [ $msn_n2p = "y" ]; then echo "(57) Opening ports 7801:7825 (TCP) for MSN Client - Net2phone"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 7801:7825 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 7801:7825 ! 
-y -j ACCEPT echo "(57) Opening ports 6801 & 2001:2120 (UDP) for MSN Client - Net2phone"; $path_ipchains -A input -p udp -i $MODEMSIDE_DEV -d $NET_IP --dport 6801 -j ACCEPT $path_ipchains -A output -p udp -i $MODEMSIDE_DEV -s $NET_IP --sport 6801 -j ACCEPT $path_ipchains -A input -p udp -i $MODEMSIDE_DEV -d $NET_IP --dport 2001:2120 -j ACCEPT $path_ipchains -A output -p udp -i $MODEMSIDE_DEV -s $NET_IP --sport 2001:2120 -j ACCEPT fi; if [ $msn_ft = "y" ]; then echo "(57) Opening ports 6891:6900 (TCP) for MSN Client - File transfer"; $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -d $NET_IP --dport 6891:6900 -y -j ACCEPT $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV -s $NET_IP --sport 6891:6900 ! -y -j ACCEPT fi; else if [ $verbose = "y" ]; then echo "(57) Blocking attacks on ports $msn_ports as MSN Messenger is not used"; fi; msn_ports="2001:2005 2023 2115" for msn_port in $msn_ports; do $path_ipchains -A input -p tcp -i $MODEMSIDE_DEV --dport $msn_port -j DENY -l $path_ipchains -A output -p tcp -i $MODEMSIDE_DEV --dport $msn_port -j DENY -l $path_ipchains -A input -p udp -i $MODEMSIDE_DEV --dport $msn_port -j DENY -l $path_ipchains -A output -p udp -i $MODEMSIDE_DEV --dport $msn_port -j DENY -l done; fi; # Logging # # All other incoming, forwarding and outgoing is denied and logged. $path_ipchains -A input -i $MODEMSIDE_DEV -s any/0 -d any/0 -j DENY -l $path_ipchains -A output -i $MODEMSIDE_DEV -s any/0 -d any/0 -j DENY -l $path_ipchains -A forward -i $MODEMSIDE_DEV -s any/0 -d any/0 -j DENY -l echo; echo "Firewall is up!" if [ $synchronise_floppty = "y" ]; then echo; echo "Synchronysing time with NTP server"; rdate -s $synchronise_ntp date echo "Done"; fi;