diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2002-01-03 12:39:41 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2002-01-03 12:39:41 +0000 |
| commit | 44aa93e6aa788df838c95bf92b5f0dba81124621 (patch) | |
| tree | 3460134819f1792c43ae710316c113575ffc465d | |
| parent | 327bff9038e355ab92d32bf7b90add340ede1fc6 (diff) | |
ipmasq: Add firewall and ipac (IP-accounting) rules.
| -rw-r--r-- | ipmasq/rules/A80firewall.def | 62 | ||||
| -rw-r--r-- | ipmasq/rules/I80firewall.def | 158 | ||||
| -rw-r--r-- | ipmasq/rules/O80firewall.def | 159 | ||||
| -rw-r--r-- | ipmasq/rules/ZZZ|Lipac.rul | 12 |
4 files changed, 391 insertions, 0 deletions
diff --git a/ipmasq/rules/A80firewall.def b/ipmasq/rules/A80firewall.def new file mode 100644 index 0000000..80045db --- /dev/null +++ b/ipmasq/rules/A80firewall.def @@ -0,0 +1,62 @@ +# You should not edit this file. Instead, create a file with the same +# name as this one, but with a .rul extension instead of .def. The +# .rul file will override this one. +# +# However, any changes you make to this file will be preserved. + +# Packet filter firewall script for ipmasq (GPL) +# By Osamu Aoki <osamu@aokiconsulting.com> +# +# Firewall are set for external network connection ports listed in $EXTERNAL +# Little consideration taken for shared port, eth0:0, etc. (Deny=Drop) +# +############################################################################### +# +# CONFIGURE FIREWALL RULES +# +## QADDR: deny(in)/reject(out) foreign hosts by address of forein host +# w/o log +# List all all annoying sites +# Default = none +QADDR="" +# ATT@HOME nntp port scan daemon: 24.0.94.130 24.0.0.203 +# pop-up ad sites: +# ads.x10.com 64.85.92.20 +# ad.doubleclick.net 206.65.183.125 +# network status check: +# pnap.com 216.52.223.0/24 ICMP +#QADDR="24.0.94.130/32 24.0.0.203/32 64.85.92.20/32 206.65.183.125/32 216.52.223.0/24" + +## ATCPSVR: allow foreign host by port of this PC for TCP +# List open port server services (Both in and out) +# Default = All open. +ATCPSVR="1:1023" +# Very open (No netbios nor sunrpc) +#ATCPSVR="ftp ftp-data ssh telnet smtp nameserver whois domain finger www kerberos pop2 pop3 auth imap2 irc imap3 ldap https who talk uucp ldaps imaps pop3s" +# Normal +#ATCPSVR="ssh auth smtp telnet www pop3 https" +# My choice +#ATCPSVR="ssh auth smtp" + +## AUDPSVR: allow foreign host by port of this PC for UDP +# List open port server services (Both in and out) +# Default = All open. +ATCPSVR="1:1023" +# Normal = just accept dhcp server <-> dhcp client +#AUDPSVR="bootpc" + +## QTCPSVR: deny foreign host by port of this PC w/o log for TCP +# do not service these to outside but useful inside +QTCPSVR="137:139 80 111" + +## QUDPSVR: deny foreign host by port of this PC w/o log for UDP +# do not service these to outside but useful inside +QUDPSVR="137:139" + +## DTCPSVR: deny foreign host by port of this PC with log for TCP +# server port range (LOG) +DTCPSVR="1:1023" + +## DUDPSVR: deny foreign host by port of this PC with log for UDP +# server port range (LOG) +DUDPSVR="1:1023" diff --git a/ipmasq/rules/I80firewall.def b/ipmasq/rules/I80firewall.def new file mode 100644 index 0000000..ee1a507 --- /dev/null +++ b/ipmasq/rules/I80firewall.def @@ -0,0 +1,158 @@ +# You should not edit this file. Instead, create a file with the same +# name as this one, but with a .rul extension instead of .def. The +# .rul file will override this one. +# +# However, any changes you make to this file will be preserved. + +# Packet filter firewall script for ipmasq (GPL) +# By Osamu Aoki <osamu@aokiconsulting.com> +# +# Firewall are set for external network connection ports listed in $EXTERNAL +# Little consideration taken for shared port. +# +echo "# Firewall for incoming packets" +############################################################################### +# QUIET INPUT ADDRESS (Deny for forein packet) RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QADDR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -S $j + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -s $j + ;; + netfilter) + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -s $j + ;; + esac + done + done +fi +############################################################################### +# ALLOW INPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $ATCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp + ;; + ipchains) + $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp + ;; + netfilter) + $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + ;; + esac + done + done +fi + +# ALLOW INPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $AUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp + ;; + ipchains) + $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp + ;; + netfilter) + $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + ;; + esac + done + done +fi + +############################################################################### +# QUIET INPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QTCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp + ;; + netfilter) + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + ;; + esac + done + done +fi + +# QUIET INPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp + ;; + netfilter) + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + ;; + esac + done + done +fi + +############################################################################### +# DENY INPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $DTCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp -o + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp -l + ;; + netfilter) + $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + ;; + esac + done + done +fi + +# DENY INPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $DUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp -o + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp -l + ;; + netfilter) + $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + ;; + esac + done + done +fi +echo "#" diff --git a/ipmasq/rules/O80firewall.def b/ipmasq/rules/O80firewall.def new file mode 100644 index 0000000..d6fe9f8 --- /dev/null +++ b/ipmasq/rules/O80firewall.def @@ -0,0 +1,159 @@ +# You should not edit this file. Instead, create a file with the same +# name as this one, but with a .rul extension instead of .def. The +# .rul file will override this one. +# +# However, any changes you make to this file will be preserved. + +# Packet filter firewall script for ipmasq (GPL) +# By Osamu Aoki <osamu@aokiconsulting.com> +# +# Firewall are set for external network connection ports listed in $EXTERNAL +# Little consideration taken for shared port. +# +echo "# Firewall for outgoing packets" +############################################################################### +# QUIET ADDRESS (REJECT for internal request) RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QADDR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a reject -W ${i%%:*} -D $j + ;; + ipchains) + $IPCHAINS --no-warnings -A output -j REJECT -i ${i%%:*} -d $j + ;; + netfilter) + $IPTABLES -A OUTPUT -j REJECT -o ${i%%:*} -d $j + ;; + esac + done + done +fi + +############################################################################### +# ALLOW OUTPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $ATCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P tcp + ;; + ipchains) + $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p tcp + ;; + netfilter) + $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p tcp --source-port $j + ;; + esac + done + done +fi + +# ALLOW OUTPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $AUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P udp + ;; + ipchains) + $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p udp + ;; + netfilter) + $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p udp --source-port $j + ;; + esac + done + done +fi + +############################################################################### +# QUIET OUTPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QTCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp + ;; + ipchains) + $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp + ;; + netfilter) + $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j + ;; + esac + done + done +fi + +# QUIET OUTPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp + ;; + ipchains) + $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp + ;; + netfilter) + $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j + ;; + esac + done + done +fi + +############################################################################### +# DENY OUTPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $DTCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp -o + ;; + ipchains) + $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp -l + ;; + netfilter) + $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j + $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j + ;; + esac + done + done +fi + +# DENY OUTPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $DUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp -o + ;; + ipchains) + $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp -l + ;; + netfilter) + $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j + $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j + ;; + esac + done + done +fi +echo "#" diff --git a/ipmasq/rules/ZZZ|Lipac.rul b/ipmasq/rules/ZZZ|Lipac.rul new file mode 100644 index 0000000..544570f --- /dev/null +++ b/ipmasq/rules/ZZZ|Lipac.rul @@ -0,0 +1,12 @@ +# /etc/ipmasq/rules/ZZZ|L_ipac.rul +# +# Restarting IP-ACCOUNTING. +# Very last rule in the ipmasq chain. +# +# To speed-up the system start-up don't check at boot time. +[ ! $runlevel ] && for SCRIPT in /etc/init.d/ipac /etc/init.d/ipac-ng;do + test -s $SCRIPT && if [ "$SHOWRULES" = "yes" ] + then echo $SCRIPT force-reload;else $SCRIPT force-reload 2> /dev/null + fi +done + |