Mfillpot's Slackware Firewall Script

From TWUUG

The information below is a rc.firewall script developed by mfillpot.
This is currently a work in progress so some things do not work properly or are incomplete.

--mfillpot 17:56, 3 February 2011 (EST)


#!/bin/bash
# iptables firewall script by matthew fillpot
#  Partially derived from AlienBOB's firewall generator
#  http://connie.slackware.com/~alien/efg/index.php

# Local Settings
#

# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.

SYSCTL="/sbin/sysctl -w" 

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed

IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"
LOC_SUB="192.168.1.1/24"

# SET COLORS
RED=$'\e[31;01m'
BLUE=$'\e[34;01m'
GREEN=$'\e[32;01m'
NORMAL=$'\e[0m'

# Save and Restore arguments handled here
#if [ "$1" = "save" ]
#then
#	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
#	$IPTS > /etc/sysconfig/iptables
#	echo "done"
#	exit 0
#elif [ "$1" = "restore" ]
#then
#	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
#	$IPTR < /etc/sysconfig/iptables
#	echo "done"
#	exit 0
#fi

#######################################################

fw_start() {

# Display a message stating the firewall is starting
  echo "${BLUE}Firewall is being configured.....${NORMAL}"

# Flush the current rules
flush_rules

# load the appropriate kernel modules
load_modules

# load the necessary kernel bits
load_kernel_bits

# Make the user Chains
make_chains

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# check for bad packets
check_bad_packets
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# check the icmp packets
check_icmp

# Open ports for selected services
check_services

####    INPUT    ###############################################

# Add the rules for specific packet types
udp_out
udp_in
tcp_out
tcp_in

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
#$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "


####    OUTPUT   ###############################################
# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
#$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "



###############################################################################

# block all other incoming traffic
#  $IPT -A INPUT -j DROP

# Display a message stating the firewall has been started
  echo "${BLUE}Firewall Started.....${NORMAL}"

}

fw_stop() {

  # Flush all rules
flush_rules

  echo "${RED}Firewall Stopped.....${NORMAL}"

}

flush_rules() {
#echo "Start flush"

# Flush all rules
  $IPT -F
#$IPT -L
#  $IPT -X bad_packets
#  $IPT -X bad_tcp_packets
#  $IPT -X icmp_packets
#  $IPT -X udp_inbound
#  $IPT -X udp_outbound
#  $IPT -X tcp_inbound
#  $IPT -X tcp_outbound

#echo "Flush Complete"
}

#######################################################

load_modules() {
# Load Modules
#

# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK.  There is no need to run
# every time, however.

# /sbin/depmod -a

# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules.  Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default.  Uncomment if you have any problems or if
# you have disabled module autoload.  Note that some modules must
# be loaded by another kernel module.

# core netfilter module
/sbin/modprobe ip_tables

# the stateful connection tracking module
/sbin/modprobe ip_conntrack

# filter table module
# /sbin/modprobe iptable_filter

# mangle table module
# /sbin/modprobe iptable_mangle

# nat table module
# /sbin/modprobe iptable_nat

# LOG target module
# /sbin/modprobe ipt_LOG

# This is used to limit the number of packets per sec/min/hr
 /sbin/modprobe ipt_limit

# masquerade target module
# /sbin/modprobe ipt_MASQUERADE

# filter using owner as part of the match
# /sbin/modprobe ipt_owner

# REJECT target drops the packet and returns an ICMP response.
# The response is configurable.  By default, connection refused.
# /sbin/modprobe ipt_REJECT

# This target allows packets to be marked in the mangle table
# /sbin/modprobe ipt_mark

# This target affects the TCP MSS
# /sbin/modprobe ipt_tcpmss

# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport

# This match checks against the TCP flags
# /sbin/modprobe ipt_state

# This match catches packets with invalid flags
# /sbin/modprobe ipt_unclean

# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc

#####################################################################
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.

# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/ip_forward
#else
#    $SYSCTL net.ipv4.ip_forward="1"
#fi

# This enables dynamic address hacking.
# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
else
    $SYSCTL net.ipv4.ip_dynaddr="1"
fi

# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent?  It's recommended for single-homed
# systems and routers on stub networks.  Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ.  Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/ 
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
#    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi

# The following kernel settings were suggested by Alex Weeks. Thanks!

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address.  This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed
# packets.  It is usually on by default, but is generally
# considered a security risk.  This option turns it off.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option can disable ICMP redirects.  ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
#if [ "$SYSCTL" = "" ]
#then
#    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#else
#    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
#fi

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#else
#    $SYSCTL net.ipv4.conf.all.log_martians="1"
#fi

}

load_kernel_bits() {
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
}

make_chains() {
# User-Specified Chains

# Create a chain to filter INVALID packets
  $IPT -N bad_packets

# Create another chain to filter bad tcp packets
  $IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
  $IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
  $IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
  $IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
  $IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
  $IPT -N tcp_outbound
}

check_bad_packets() {
# bad_packets chain
#

# Drop INVALID packets immediately
#$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
#    --log-prefix "fp=bad_packets:1 a=DROP "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.


#$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#    --log-prefix "fp=bad_tcp_packets:1 a=DROP "
#$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
#    --log-prefix "fp=bad_tcp_packets:2 a=DROP "
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
#    --log-prefix "fp=bad_tcp_packets:3 a=DROP "
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
#    --log-prefix "fp=bad_tcp_packets:4 a=DROP "
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
#    --log-prefix "fp=bad_tcp_packets:5 a=DROP "
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
#    --log-prefix "fp=bad_tcp_packets:6 a=DROP "
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
#    --log-prefix "fp=bad_tcp_packets:7 a=DROP "
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

}

check_icmp() {
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
# 
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
# 
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "fp=icmp_packets:2 a=ACCEPT "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j DROP

############ MY RULES ############################
# Allow pings per minute to block ping DOS attacks
#  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT

# Allow all echo replies including destination unreachable and time exceeded
#  $IPT -A icmp_packets -p icmp --icmp-type echo-reply -j ACCEPT
#  $IPT -A icmp_packets -p icmp --icmp-type destination-unreachable -j ACCEPT
#  $IPT -A icmp_packets -p icmp --icmp-type time-exceeded -j ACCEPT

# Block all other icmp traffic
#  $IPT -A icmp_packets -p icmp -j DROP


}

udp_out() {
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

}

udp_in() {
# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.

# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections.  Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default.  To get here, the
# packets would have to be part of a new request received by the
# Internet interface.  You would have to manually add rules to
# accept these.  I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines.  These rules drop those packets
# quickly and without logging them.  This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPT -A udp_inbound -p UDP -s 0/0 --dport 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --dport 138 -j DROP

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule.  This is the minimum requirement to avoid
# long delays while connecting.  Also see the tcp_inbound rule.
$IPT -A udp_inbound -p UDP -s 0/0 --dport 113 -j REJECT

# A more sophisticated configuration could accept the ident requests.
# $IPT -A udp_inbound -p UDP -s 0/0 --dport 113 -j ACCEPT

# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet.  This explicitly
# allow the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --dport 68 \
     -j ACCEPT


# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j DROP

}

tcp_out() {
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT

# No match, so ACCEPT
  $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
}

tcp_in() {
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway.  Use with care.  It defaults to none.
# It's applied on INPUT from the external or Internet interface.

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule.  This is the minimum requirement to avoid
# long delays while connecting.  Also see the tcp_inbound rule.
  $IPT -A tcp_inbound -p TCP -s 0/0 --dport 113 -j REJECT

# Not matched, so return so it will be logged
  $IPT -A tcp_inbound -p TCP -j DROP
}

#######################################################

check_services() {

# choose services to allow

Srv=1

# For items with values listed $1 = WEB or LOCAL
#  Otherwise it assumes LOCAL of WEB based upon the type of service

#enable_cups LOCAL
enable_httpd LOCAL
#enable_httpd_encrypted WEB
#enable_ftp LOCAL  #FTP does not allow all packets to transfer yet, it needs to be refined
#enable_samba LOCAL
#enable_sshd LOCAL

#enable_mysql LOCAL

# $2 = non-PASV or PASV
#enable_ftpd LOCAL non-PASV # Not tested

# Local only services
#enable_dns

# Web facing services
#enable_icq
#enable_msn

}


enable_cups() {
SRV="cups printing"

case "$1" in
  "LOCAL")
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 631 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 631 -j ACCEPT
    echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 631 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 

}

enable_httpd() {

SRV="http web-server"

case "$1" in
  "LOCAL")
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 80 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 80 -j ACCEPT
    echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 80 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 

}

enable_httpd_encrypted() {

SRV="encrypted http web-server"

case "$1" in
  "LOCAL")
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 443 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 443 -j ACCEPT
    echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 443 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 

}

enable_ftp() {

SRV="ftp server"

case "$1" in
  "LOCAL")
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT
    #$IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 20 -j ACCEPT
    #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 21 -j ACCEPT
    #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 20 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 21 -j ACCEPT
    #$IPT -A tcp_inbound -p TCP -s 0/0 --dport 20 -j ACCEPT
    #$IPT -A tcp_inbound -p UDP -s 0/0 --dport 21 -j ACCEPT
    #$IPT -A tcp_inbound -p UDP -s 0/0 --dport 20 -j ACCEPT
    echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT
    #$IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 20 -j ACCEPT
    #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 21 -j ACCEPT
    #$IPT -A tcp_inbound -p UDP -s $LOC_SUB --dport 20 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 

}

enable_samba() {
SRV="samba"

case "$1" in
  "LOCAL")
    $IPT -A udp_inbound -p UDP -s $LOC_SUB --dport 137:138 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 139 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 445 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A udp_inbound -p UDP -s 0/0 --dport 137:138 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 139 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 445 -j ACCEPT
    echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A udp_inbound -p UDP -s $LOC_SUB --dport 137:138 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 139 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 445 -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 
}

enable_sshd() {
SRV="ssh"

case "$1" in
  "LOCAL")
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport ssh -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport ssh -j ACCEPT
    echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport ssh -j ACCEPT
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 
}

enable_mysql() {
SRV="mysql"

case "$1" in
  "WEB")
    SUB="0/0"
    TRM="all"
    ;;
  *)
    SUB=$LOC_SUB
    TRM="local"
    ;;
 esac 

    $IPT -A tcp_inbound -p TCP -s $SUB --dport 22 -j ACCEPT
    echo "${GREEN}Allowing $SRV for $TRM hosts.....${NORMAL}"
}
enable_ftpd() {
# Passive FTP
# 
# With passive FTP, the server provides a port to the client
# and allows the client to initiate the connection rather
# than initiating the connection with the client from the data port.
# Web browsers and clients operating behind a firewall generally
# use passive ftp transfers.  A general purpose FTP server
# will need to support them.
# 
# However, by default an FTP server will select a port from the entire
# range of high ports.  It is not particularly safe to open all
# high ports.  Fortunately, that range can be restricted.  This
# firewall presumes that the range has been restricted to a specific
# selected range.  That range must also be configured in the ftp server.
# 
# Instructions for specifying the port range for the wu-ftpd server
# can be found here:
# http://www.wu-ftpd.org/man/ftpaccess.html
# (See the passive ports option.)
# 
# Instructions for the ProFTPD server can be found here:
# http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html

# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp

# The ftp nat module is required for non-PASV ftp support
#/sbin/modprobe ip_nat_ftp


# FTP Server (Control)
#  $IPT -A tcp_inbound -p TCP -s 0/0 --dport 21 -j ACCEPT

# FTP Client (Data Port for non-PASV transfers)
#  $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

SRV="ftp"

case "$1" in
  "LOCAL")
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT
    case "$2" in
    "non-PASV")
      $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
      /sbin/modprobe ip_nat_ftp
      ;;  
    esac
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  "WEB")
    $IPT -A tcp_inbound -p TCP -s 0/0 --dport 21 -j ACCEPT
    case "$2" in
    "non-PASV")
      $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
      /sbin/modprobe ip_nat_ftp
      ;;  
    esac
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
  *)
    $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport 21 -j ACCEPT
    case "$2" in
    "non-PASV")
      $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
      /sbin/modprobe ip_nat_ftp
      ;;  
    esac
    echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
    ;;
 esac 
}


enable_dns() {
  $IPT -A udp_inbound -p UDP -s 0/0 --dport 53 -j ACCEPT
}


enable_icq() {
# ICQ File Transfers & Other Advanced Features
# 
# ICQ supports a number of options beyond simple instant messaging.
# For those to function, the instant messaging system must allow
# new connections initiated from remote systems. This option will
# open a specified port range on the firewalled system.  The ICQ client
# on the firewalled system must also be configured to use the specified
# port range.

  $IPT -A tcp_inbound -p TCP -s 0/0 --dport 5000:5100 -j ACCEPT
}

enable_msn() {
# MSN Messenger File Transfers
# 
# Messenger supports file transfers.  For transfers initiated by
# remote systems to function, the system must allow
# new connections initiated from remote systems a specific port range.
# This option defaults to the port range 6891 through 6900.
# Unless the MSN Messenger client can be configured to specify any
# port range, don't change the default.

  $IPT -A tcp_inbound -p TCP -s 0/0 --dport 6891:6900 -j ACCEPT
}

#######################################################

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart}"
    ;;
esac


# TO-DO
# flush all chains --flush
# Delete all chains -X
# zero all counters in all chains -S (chain)
# make module to simplify services
Personal tools