#!/bin/sh
#
# This file is automatically generated. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.5
#
# Generated Wed Sep 18 12:23:59 2002 CEST by kern
#
# Last updated by hand 31 Oct 2002 by Kern
#
#
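check() {
  # Abort the whole script unless "$1" is an executable file. The firewall
  # cannot be loaded without its tools, and continuing with a partial
  # ruleset would be worse than not starting at all.
  # Arguments: $1 - absolute path of the binary that must be present
  # Outputs:   diagnostic on stderr when the check fails
  # Returns:   only on success; exits the script with status 1 otherwise
  if test ! -x "$1"; then
    printf '%s not found or is not executable\n' "$1" >&2
    exit 1
  fi
}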
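log() {
  # Send a message to syslog via the logger binary configured in LOGGER.
  # The same path that is tested is the one executed: a root script should
  # not resolve its tools through PATH. A missing logger is a silent no-op
  # so that it never blocks activation of the firewall.
  # Globals:   LOGGER (read) - path to logger(1)
  # Arguments: $1 - message text
  # Returns:   exit status of the logger call, or 0 when it is skipped
  if test -x "$LOGGER"; then
    "$LOGGER" -p info "$1"
  fi
}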
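# Absolute paths only: this script runs as root and must not pick up its
# tools from PATH.
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
# iptables and ip are mandatory (check() exits on failure); the logger is
# optional and handled by log(). Note that ip is verified here but not
# invoked by any of the rules below.
check "$IPTABLES"
check "$IP"
cd /etc || exit 1
log "Activating firewall script generated Wed Sep 18 12:23:59 2002 CEST by kern"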
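# Remember the current forwarding state and switch forwarding off while the
# ruleset is rebuilt, so nothing is routed through a half-loaded firewall.
# The saved value is written back at the very end of the script.
FWD=$(cat /proc/sys/net/ipv4/ip_forward)
echo "0" > /proc/sys/net/ipv4/ip_forward
# TCP tuning: shorter FIN-WAIT timeout, longer keepalive probe interval.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Default-deny on every built-in chain *before* the old rules are flushed,
# so the flush that follows never leaves the host open.
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP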
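# Flush every chain and delete every user-defined chain in each table the
# kernel currently has loaded (one table name per line in ip_tables_names).
# An unqualified -F flushes all chains of the table, so there is no need to
# parse `iptables -L` output chain by chain; -X without a chain name then
# removes all now-empty user-defined chains of that table.
while read -r table; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names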
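#
# Rule 0(NAT)
#
# NAT for internal network: rewrite the source of LAN traffic leaving eth0
# to the firewall's public address.
"$IPTABLES" -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 200.200.200.200
#
# Accept everything conntrack already associates with an accepted
# connection. Because these are appended first, the rules further down
# only ever see packets that are not part of such a connection.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT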
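#
# Rule 0(eth0)
#
# Block invalid ICMP packets: ICMP that conntrack cannot associate with any
# flow is dropped on the outside interface, inbound, outbound and in both
# forwarding directions.
#
"$IPTABLES" -A INPUT -i eth0 -m state -p icmp --state INVALID -j DROP
"$IPTABLES" -A FORWARD -i eth0 -m state -p icmp --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -o eth0 -m state -p icmp --state INVALID -j DROP
"$IPTABLES" -A FORWARD -o eth0 -m state -p icmp --state INVALID -j DROP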
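#
# Rule 1(eth0)
#
# Block NEW without SYN: a TCP packet that would open a new conntrack
# entry must be a SYN; any other segment arriving on eth0 in state NEW
# is stray or crafted and is dropped.
#
"$IPTABLES" -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP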
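#
# Rule 2(eth0)
#
# Anti-spoofing rule: traffic arriving on the outside interface must not
# claim the firewall's own public address, the internal network, or
# loopback as its source. This list is narrow: other private ranges
# (e.g. 10.0.0.0/8, 172.16.0.0/12) are not filtered here, and only INPUT
# is covered, not FORWARD.
#
"$IPTABLES" -A INPUT -i eth0 -s 200.200.200.200 -j DROP
"$IPTABLES" -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
"$IPTABLES" -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP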
#
# Rule 3(eth0)
#
# Blocked sites (modified to include firewall.blocked): the optional file
# is sourced, i.e. executed as root inside this script, so it must be
# writable by root only and should contain nothing but the blocklist rules.
#
if test -f /etc/rc.d/firewall.blocked; then
  . /etc/rc.d/firewall.blocked
fi
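#
# Rule 4(eth0)
#
# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST: second and
# further IP fragments (-f) and TCP flag combinations that no legitimate
# stack sends. The "Xmas" line matches exactly ACK,RST,SYN,FIN set out of
# ALL flags; other odd combinations (all flags set, no flags set) are not
# covered here.
#
"$IPTABLES" -A INPUT -i eth0 -p ip -f -j DROP
"$IPTABLES" -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
"$IPTABLES" -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPTABLES" -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP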
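#
# Rule 5(eth0)
#
# Authorized external services: what any host on the outside may open
# towards the firewall itself.
# - ICMP time-exceeded (11/0, 11/1), echo reply (0/0) and destination
#   unreachable (3) are accepted in state NEW. Replies to our own traffic
#   are normally matched by the ESTABLISHED,RELATED rule already, so these
#   lines also admit unsolicited ones. Echo request (8/0) keeps the host
#   pingable.
# - TCP 53, 80, 22, 25 and UDP 53 are reachable from any source address;
#   SSH (22) in particular is not restricted to a management network here.
#
"$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type 3 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p tcp -m multiport --destination-port 53,80,22,25 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p udp --destination-port 53 -m state --state NEW -j ACCEPT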
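#
# Rule 0(lo)
#
# Allow all on loopback, restricted to the firewall's own addresses
# (the public address and 127.0.0.1) rather than the whole 127.0.0.0/8
# range, in both directions.
#
"$IPTABLES" -A INPUT -i lo -s 200.200.200.200 -j ACCEPT
"$IPTABLES" -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -d 200.200.200.200 -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT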
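#
# Rule 0(global)
#
# Allow all outgoing connections. The two INPUT lines carry no -i, but
# Rule 2(eth0) above has already dropped these source addresses on eth0,
# so in effect they admit new connections from the firewall's own address
# and from the internal network on the remaining interfaces only. OUTPUT
# is unrestricted, and FORWARD lets the internal network open connections
# to any destination (no -o or -d restriction).
#
"$IPTABLES" -A INPUT -s 200.200.200.200 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.0.0/24 -m state --state NEW -j ACCEPT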
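#
# Rule 1(global)
#
# Send TCP RST to auth to speed up sendmail: ident (113/tcp) gets an
# immediate reset instead of timing out against the DROP rules. OUTPUT
# resets connections to the firewall's own public address on 113; INPUT
# resets any incoming ident probe, whatever its interface or source.
#
"$IPTABLES" -A OUTPUT -p tcp -d 200.200.200.200 --destination-port 113 -j REJECT --reject-with tcp-reset
"$IPTABLES" -A INPUT -p tcp --destination-port 113 -j REJECT --reject-with tcp-reset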
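#
# Rule 2(global)
#
# Explicit catch-all DROP at the end of each chain. The chain policies are
# already DROP, so these mainly provide a visible last rule with its own
# packet counters. Nothing is logged before the drop: this script contains
# no LOG target, so rejected traffic leaves no trace.
#
"$IPTABLES" -A OUTPUT -j DROP
"$IPTABLES" -A INPUT -j DROP
"$IPTABLES" -A FORWARD -j DROP
#
# Restore the forwarding flag saved at the top of the script now that the
# complete ruleset is in place.
echo "$FWD" > /proc/sys/net/ipv4/ip_forward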