Linux firewalls

Linux Firewalls

What is a firewall?

  • A firewall is a controlled gateway between one network and another (i.e. an intranet and the internet).
  • It is not a universal panacea for computer security. You must follow other good security practices.

Why Firewalls?

  • You cannot trust everyone. Some people take pleasure in hacking into machines. Not all are malicious but some are!
  • Your computer holds private/confidential data an you have a duty to protect it.
  • You want to limit access from within your private network to specific external information/services (i.e. not mpeg3’s)
  • You want to monitor/record traffic for audit/security purposes. Beware of privacy laws!

Types of Firewall

  • Gateway based – you have to log onto a gateway machine which has restricted (if any) internal access and connect to external sites from the gateway.
  • Service based – A variation on the gateway based approach is to restrict the services which are available on machines which are visible externally.
  • Proxy based – provide external services via proxies which are accessible from within the private network. Only the proxies will have access to the external network.
  • Packet based – packets filters can control which network packets are forwarded between networks and may make access decisions based on the contents of the packets.
  • Masquerading – where all packets from a private network are rewritten in such a way that they appear to come from a single firewall (gateway) machine.

Gateway based

A gateway system operates by having a gateway machine which does not forward packets at all. The user must log onto the gateway machine and from there access external sites.

In this setup the gateway machine typically has a very restricted set of services which are necessary for accessing external sites. You will often find that it does not export or import filesystems (via NFS) and that many system commands have been removed to limit the range of tools that a hacker can exploit. It is also typical that filesystems are mounted read-only to stop any trojan horse based attacks etc.

Accounts are strictly controlled on gateway machines and may require explicit authorisation to use them. In addition to this password ageing may be enabled ensuring that passwords are changed on a regular basis.

Limited Service based

Limiting services revolves around configuring system daemons to ensure that only the necessary daemons/services are available. In particular you may choose not to run services which give away information about users and system configuration. For example:

  • finger – the finger service can give information about who is logged into your system, when they last logged in and other bits of information which are useful to hackers.
  • ident – information about users.
  • tftpd – allows access to (certain) files without any form of authorisation.

These services/daemons are typically started at boot time or dynamically from inetd. The configuration/startup scripts are typically found in:

  • /etc/inetd.conf
  • /etc/rc.d

In general you should be very careful about giving external access to user daemons. Take special care over database daemons and similar user tools which may accept connections from anybody who cares to try.

tcpd

A simple but powerful method of protecting internet services is to use the tcpd wrapper program which is invoked in place of the normal service binary and first vets a connection to ensure that it is appropriate before invoking the normal binary with that connection. tcpd can only be used in place of daemons which have a one-to-one mapping between network connection and executable. In other words it is not possible to substitute a long running daemon (e.g. a database) with tcpd. The database must be configured correctly in this case.

hosts_access(5)

tcpd is primarily configured via the files /etc/hosts.allow and /etc/hosts.deny. These files contain a describe what action tcpd must take for specific services with connections coming from certains hosts/users.

An example which denies access to all hosts is

       /etc/hosts.deny:
          ALL: ALL

To allow authorised hosts to connect /etc/hosts.allow can be populated with entries similar to:

       /etc/hosts.allow:
          ALL: LOCAL @some_netgroup
          ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

The full configuration language is much more expressive than that described above and involve scripts which could be used to perform a reverse search on the connecting host to find out more information. A full description of this can be found in the hosts_access manual page which is found in section 5 of the manuals.

tcpdchk

The program tcpdchk can be used to check the configuration of tcpd to ensure that mistakes are not present which may provide security problems. It even checks if tcpd protection is appropriate for a particular daemon (note this is heuristic based – it is not magic!).

Proxy based

Proxies are very popular and are typically used to limit network usage by caching frequently accessed information and thus reducing bandwidth requirements.

In addition to this use it is possible to use proxies as controlled firewall breaches. By doing this you can monitor external traffic (for security purposes of course) and provide hackers with a limited scope for attacking your system.

Popular proxies include:

  • tis firewall toolkit (www.tis.com) – includes sendmail, ftp, telnet proxies (amongst others) and also provides a generic proxy which can be used for other daemons.
  • socks – provides restricted access for many common tcp (and udp?) based services
  • squid – web based cacheing

Packet based

A Packet based firewall involves selectively passing packets between different network interfaces based on the type of packet, source, destination and even the status of a connection.

Linux provides the IP chains facility (configured by the ipchains command) which allows a user to give the kernel about what should and should not be allowed between different interfaces.

A sample firewall configuration file is shown below. Note that this includes entries for IP masquerading.

Masquerading

An extension to packet based filtering is IP masquerading. Using this mechanism all external traffic has its IP headers rewritten in such a way that it appears that the packet has come from the gateway machine. For any external packets which are coming into the network the rewriting is reversed and the packet headers are rewritten to ensure that they go back to the appropriate internal machine. This hides all information about the internal network and makes it difficult for external sites to target specific machines within the network.

A common use for this technique is to allow an internal network which does not have proper addresses assigned to them to go via a single machine which does have an address assigned to it.

Sample IP chains configuration

#!/bin/sh
#
# Firewall rules.
# Invoked by rc.M after rc.inet?
#
# EJY 24/12/2000
#
# Flush all chains: start from a clean config.
/sbin/ipchains -F
/sbin/ipchains -X

# Create chain for input on ppp interface(s)
/sbin/ipchains -N ppp-in

# Default policy is deny on forward chain
/sbin/ipchains -P output ACCEPT 
/sbin/ipchains -P forward DENY 

# We trust anyone on the local ethernet,
# anything on ppp we don't
/sbin/ipchains -A input -i eth0 -j ACCEPT
/sbin/ipchains -A input -i ppp+ -j ppp-in

# Activate TOS mangling
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
/sbin/ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08

# Deny spoofed addresses 
/sbin/ipchains -A ppp-in -j DENY -s 192.168.0.0/16
/sbin/ipchains -A ppp-in -j DENY -s 172.16.0.0/12
/sbin/ipchains -A ppp-in -j DENY -s 10.0.0.0/8

# Ditch multicast silently
/sbin/ipchains -A ppp-in -j DENY -d 224.0.0.0/4

# Do masquerading
/sbin/ipchains -A forward -j MASQ -s 192.168.200.0/24 -d ! 192.168.200.0/24

# Allow auth connections, as they're almost always requd.
/sbin/ipchains -A ppp-in -p tcp --destination-port auth -j ACCEPT

# 
# Log the skript kiddiez, just for fun...
#
/sbin/ipchains -A ppp-in -j DENY -l -p udp --destination-port 53
/sbin/ipchains -A ppp-in -j DENY -l -p udp --destination-port ftp
/sbin/ipchains -A ppp-in -j DENY -l -p tcp --destination-port 53
/sbin/ipchains -A ppp-in -j DENY -l -p tcp --destination-port ftp

# Deny all priveleged ports (previous rules have precedence ...
/sbin/ipchains -A ppp-in -p tcp --destination-port 1:1023 -j DENY
/sbin/ipchains -A ppp-in -p udp --destination-port 1:1023 -j DENY

# Block certain high-number ports, with logging ...

# Block NFS-server
/sbin/ipchains -A ppp-in -j DENY -l -p tcp -i  ppp0 --destination-port 2049
/sbin/ipchains -A ppp-in -j DENY -l -p udp -i  ppp0 --destination-port 2049

# Block X-server
/sbin/ipchains -A ppp-in -j DENY -l -p tcp -i  ppp0 --destination-port 6000:6016
/sbin/ipchains -A ppp-in -j DENY -l -p udp -i  ppp0 --destination-port 6000:6016

# Block IJB and Squid
/sbin/ipchains -A ppp-in -j DENY -l -p tcp -i  ppp0 --destination-port 8000
/sbin/ipchains -A ppp-in -j DENY -l -p udp -i  ppp0 --destination-port 8000
/sbin/ipchains -A ppp-in -j DENY -l -p tcp -i  ppp0 --destination-port 8080
/sbin/ipchains -A ppp-in -j DENY -l -p udp -i  ppp0 --destination-port 8080
#
# Block various known trojans
#
# ipchains -A ppp-in -p tcp --destination-port asp -j DENY -l
# ipchains -A ppp-in -p udp --destination-port asp -j DENY -l
ipchains -A ppp-in -p tcp --destination-port 31337 -j DENY -l
ipchains -A ppp-in -p udp --destination-port 31337 -j DENY -l
ipchains -A ppp-in -p tcp --destination-port 1243 -j DENY -l
ipchains -A ppp-in -p udp --destination-port 1243 -j DENY -l

# Allow remaining high-numbered ports ...
/sbin/ipchains -A ppp-in -p tcp --destination-port 1024: -j ACCEPT
/sbin/ipchains -A ppp-in -p udp --destination-port 1024: -j ACCEPT

A more complex ipchains example

This configuration was produced automatically by Robert Ziegler’s wonderful Linux firewall design tool

#!/bin/sh

# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999, 2000  Robert L. Ziegler
#
#  Permission to use, copy, modify, and distribute this software and its
#  documentation for educational, research, private and non-profit purposes,
#  without fee, and without a written agreement is hereby granted. 
#  This software is provided as an example and basis for individual firewall
#  development.  This software is provided without warranty.
#
#  Any material furnished by Robert L. Ziegler is furnished on an 
#  "as is" basis.  He makes no warranties of any kind, either expressed 
#  or implied as to any matter including, but not limited to, warranty 
#  of fitness for a particular purpose, exclusivity or results obtained
#  from use of the material.
# ----------------------------------------------------------------------------

#  /etc/rc.d/rc.firewall
#  Invoked from /etc/ppp/ip-up, or
#  from /sbin/ifup-local, or
#  from /etc/sysconfig/network-scripts/ifup-post.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
#  Some definitions for easy maintenance.
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="ppp0"               # Internet connected interface
LOOPBACK_INTERFACE="lo"                 # or your local naming convention
LOCAL_INTERFACE_1="eth0"                # internal LAN interface

IPADDR=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-35)
LOCALNET_1="192.168.1.0/24"             # whatever private range you use

ANYWHERE="any/0"                        # match any IP address

DHCP_SERVER="any/0"
NAMESERVER_1="any/0"                    # everyone must have at least one

SMTP_SERVER="any/0"                     # Your ISP mail gateway. Your relay.
POP_SERVER="any/0"              # Your ISP pop mail server.
IMAP_SERVER="any/0"             # Your ISP imap mail server.

LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
CLASS_A="10.0.0.0/8"                    # class A private networks
CLASS_B="172.16.0.0/12"                 # class B private networks
CLASS_C="192.168.0.0/16"                # class C private networks
BROADCAST_SRC="0.0.0.0"                 # broadcast source address
BROADCAST_DEST="255.255.255.255"        # broadcast destination address
PRIVPORTS="0:1023"                      # well known, privileged port range
UNPRIVPORTS="1024:65535"                # unprivileged port range

# ----------------------------------------------------------------------------

NFS_PORT="2049"                         # (TCP/UDP) NFS
SOCKS_PORT="1080"                       # (TCP) Socks
OPENWINDOWS_PORT="2000"                 # (TCP) openwindows

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"               # (TCP) X windows

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Set the default policy of the filter to deny.
    ipchains -P input  DENY
    ipchains -P output REJECT
    ipchains -P forward REJECT

    # set masquerade timeout to 10 hours for tcp connections
    ipchains -M -S 36000 0 0


# ----------------------------------------------------------------------------

    # Enable IP Forwarding, if it isn't already
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Enable always defragging Protection
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

    # Enable broadcast echo  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done


    # These modules are necessary to masquerade their respective services.
    /sbin/modprobe ip_masq_ftp

# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.

    ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT 
    ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT 

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

    # All internal machines have access to the fireall machine.

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT 
    ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT 

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

    # All internal traffic is masqueraded externally.
    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse incoming packets pretending to be from the external address.
    ipchains -A input  -i $EXTERNAL_INTERFACE  -s $IPADDR -j DENY -l

# ----------------------------------------------------------------------------
# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    # NFS: establishing a TCP connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $NFS_PORT -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $NFS_PORT -j REJECT 

    # openwindows: establishing a connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $OPENWINDOWS_PORT -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $OPENWINDOWS_PORT -j REJECT 


    # Xwindows: establishing a connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $XWINDOW_PORTS -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $XWINDOW_PORTS -j REJECT 

    # SOCKS: establishing a connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $SOCKS_PORT -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $SOCKS_PORT -j REJECT 

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $NFS_PORT -j DENY -l

    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --source-port $TRACEROUTE_SRC_PORTS \
             --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -d $IPADDR -j ACCEPT 

    # ------------------------------------------------------------------

    # DNS server (53)
    # ---------------

    # DNS forward-only nameserver
    # ---------------------------

    # forward-only can use regular TCP protocol to forwarders

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR 53 \
             -d $NAMESERVER_1 53 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $NAMESERVER_1 53 \
             -d $IPADDR 53 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTP client (80)
    # ----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 80 -j ACCEPT 

    # ------------------------------------------------------------------

    # HTTPS client (443)
    # ------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 443 -j ACCEPT 

    # ------------------------------------------------------------------

    # POP client (110)
    # ----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 110 -j ACCEPT 

    # ------------------------------------------------------------------

    # IMAP client (143)
    # -----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $IMAP_SERVER 143 -j ACCEPT 

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $SMTP_SERVER 25 -j ACCEPT 

    # ------------------------------------------------------------------

    # TELNET client (23)
    # ------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 23 -j ACCEPT 

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port $UNPRIVPORTS \
             -d $IPADDR 113 -j REJECT 


    # AUTH client (113)
    # -----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 113 -j ACCEPT 

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 43 -j ACCEPT 

    # ------------------------------------------------------------------

    # FINGER client (79)
    # ------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 79 -j ACCEPT 

    # ------------------------------------------------------------------

    # FTP client (21)
    # ---------------

    # outgoing request
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 21 -j ACCEPT 


    # PORT mode data channel
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             --source-port 20 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 20 -j ACCEPT 


    # PASSIVE mode data channel creation
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port $UNPRIVPORTS -j ACCEPT 

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------


    # DHCP client (67, 68)
    # --------------------

    # allow dhcp server (67) to connect to dhcp client (68)
    # Note: the DHCP server is the only externel source of broadcast
    #       messages we should see, ever.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $DHCP_SERVER 67 \
             -d $IPADDR 68 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR 68 \
             -d $DHCP_SERVER 67 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $DHCP_SERVER 67 \
             -d $BROADCAST_DEST 68 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $BROADCAST_SRC 68 \
             -d $DHCP_SERVER 67 -j ACCEPT 

    # Getting renumbered
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $BROADCAST_SRC 67 \
             -d $BROADCAST_DEST 68 -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $BROADCAST_SRC 68 \
             -d $BROADCAST_DEST 67 -j ACCEPT 

    # As a result of the above, we're supposed to change our IP address with
    # this message, which is addressed to our new address before the dhcp
    # client has received the update.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $DHCP_SERVER 67 \
             --destination-port 68 -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --source-port 67 \
             -d $IPADDR 68 -j DENY -l

    # ------------------------------------------------------------------

    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $TRACEROUTE_SRC_PORTS \
             --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l

# ----------------------------------------------------------------------------
# ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).
    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    # 
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    # 
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type echo-reply \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type destination-unreachable \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type source-quench \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type echo-request \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type time-exceeded \
             -d $IPADDR -j ACCEPT 

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type parameter-problem \
             -d $IPADDR -j ACCEPT 


    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR echo-reply -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR fragmentation-needed -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR source-quench -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR echo-request -j ACCEPT 

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR parameter-problem -j ACCEPT 

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $PRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $UNPRIVPORTS -j DENY -l


    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type 5 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type 13:255 -j DENY -l

    ipchains -A output -i $EXTERNAL_INTERFACE  -j REJECT -l

# ----------------------------------------------------------------------------

echo "done"

exit 0



Richard Mortimer

Last modified: Thu Jan 11 23:40:46 GMT 2001

1 thought on “Linux firewalls

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.