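#!/bin/sh
# firewall
# probe: true
#
# ipchains firewall init script for the cluster gateway (cluster.psa.es).
#
# Usage: firewall start|stop|restart|reload
#
#   start   - hardens a few /proc/sys/net/ipv4 settings, loads the ip_masq
#             helper modules, flushes the input/output/forward chains and
#             installs the ruleset bound to the public interface ($device).
#   stop    - flushes all chains and restores ACCEPT policies.
#
# Exit status: 0 on success, or when networking is disabled / ipchains is not
# installed (nothing to do); 1 on usage error or when the address of $device
# cannot be determined (the existing ruleset is then left untouched).

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
if [ ! -f /etc/sysconfig/network ]; then
  exit 0
fi
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

if [ ! -x /sbin/ipchains ]; then
  exit 0
fi

# Public (external) interface every input rule is bound to. Exported, as in
# the original, in case sourced/child scripts rely on it.
device=eth0
export device

#######################################
# Write a value to one /proc/sys knob, skipping knobs this kernel does not
# provide so a missing file does not abort the start sequence.
# Arguments: $1 - value, $2 - full /proc/sys path
#######################################
set_sysctl() {
  if [ -f "$2" ]; then
    echo "$1" > "$2"
  fi
}

#######################################
# Write the same value to a knob under every /proc/sys/net/ipv4/conf/*/.
# Arguments: $1 - value, $2 - knob name (e.g. rp_filter)
#######################################
set_sysctl_all() {
  for f in /proc/sys/net/ipv4/conf/*/"$2"; do
    set_sysctl "$1" "$f"
  done
}

#######################################
# Proteccion a nivel del nucleo: kernel-side hardening that complements the
# ipchains rules.
#######################################
harden_kernel() {
  # Activacion ip_masq: forwarding must be on for the MASQ rule to work.
  set_sysctl 1 /proc/sys/net/ipv4/ip_forward
  # Enable IP spoofing protection (reverse-path filtering)
  set_sysctl_all 1 rp_filter
  # Enable TCP SYN Cookie Protection
  set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
  # Enable always defragging Protection
  set_sysctl 1 /proc/sys/net/ipv4/ip_always_defrag
  # Enable broadcast echo Protection
  set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Enable bad error message Protection
  set_sysctl 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # Disable ICMP Redirect Acceptance
  set_sysctl_all 0 accept_redirects
  # Disable Source Routed Packets
  set_sysctl_all 0 accept_source_route
  # Log Spoofed Packets, Source Routed Packets, Redirect Packets
  set_sysctl_all 1 log_martians
}

#######################################
# Inclusion de modulos de enmasqueramiento en el kernel (masquerading
# helpers for protocols that carry addresses in their payload).
#######################################
load_masq_modules() {
  for m in ip_masq_ftp ip_masq_irc ip_masq_quake ip_masq_cuseeme \
           ip_masq_raudio ip_masq_vdolive; do
    /sbin/modprobe "$m"
  done
}

#######################################
# Determine the IPv4 address of $device from ifconfig output.
# Outputs: the dotted-quad address on stdout, empty if none was found
#######################################
interface_address() {
  ifconfig "$device" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

#######################################
# Deny (and log) everything arriving on $device from a given source network.
# Arguments: $1 - source network in CIDR form
#######################################
deny_src() {
  ipchains -A input -p all -j DENY -s "$1" -i "$device" -l
}

#######################################
# Deny (and log) a protocol/port arriving on $device for $ppp0ADDR.
# Arguments: $1 - protocol (tcp|udp), $2 - port or low:high range
#######################################
deny_port() {
  ipchains -A input -p "$1" -j DENY -s 0.0.0.0/0 -i "$device" -d "$ppp0ADDR" "$2" -l
}

#######################################
# Accept (and log) a protocol/port arriving on $device for $ppp0ADDR.
# Arguments: $1 - protocol (tcp|udp), $2 - port or low:high range
#######################################
accept_port() {
  ipchains -A input -p "$1" -j ACCEPT -s 0.0.0.0/0 -i "$device" -d "$ppp0ADDR" "$2" -l
}

#######################################
# Activacion de firewall: kernel hardening, modules, then the ruleset.
# Returns: 0 on success, 1 if the address of $device could not be read
#          (no rule is flushed or installed in that case).
#######################################
start() {
  echo "==============================================="
  echo "Activacion de las reglas del firewall para cluster.psa.es"
  echo "==============================================="

  # Proteccion a nivel del nucleo
  harden_kernel
  # Inclusion de modulos de enmasqueramiento en el kernel
  load_masq_modules

  # Variables de configuracion del firewall
  PATH=/sbin:$PATH
  export PATH
  addr=$(interface_address)
  if [ -z "$addr" ]; then
    # Bail out before touching the chains: installing rules with an empty
    # destination would leave a partial ruleset under an ACCEPT policy.
    echo "firewall: no se pudo obtener la ip de $device; reglas no cargadas" >&2
    return 1
  fi
  # The /24 suffix keeps the original semantics: "-d $ppp0ADDR" matches the
  # whole subnet of $device, not only the host address. Exported as before.
  ppp0ADDR="$addr/24"
  export ppp0ADDR
  echo "Utilizando la ip $ppp0ADDR de la interfaz $device"

  # Reglas del firewall
  # Limpiamos reglas anteriores
  ipchains -F

  # Default policies: input/output ACCEPT, forward DENY. Note that with an
  # ACCEPT input policy, anything not explicitly denied below (for instance
  # TCP/UDP ports above 1023 that are not listed) is reachable from outside;
  # a default-DENY input policy with explicit ACCEPTs would be stricter.
  ipchains -P input ACCEPT
  ipchains -P output ACCEPT
  ipchains -P forward DENY

  # Anti-spoofing: these sources must never arrive on the public interface.
  # Refuse packets claiming to be from the loopback network
  deny_src 127.0.0.0/8
  # Refuse packets claiming to be from a Class A private network
  deny_src 10.0.0.0/8
  # Refuse packets claiming to be from a Class B private network
  deny_src 172.16.0.0/12
  # Refuse packets claiming to be from a Class C private network
  deny_src 192.168.0.0/16
  # Refuse Class D multicast addresses
  deny_src 224.0.0.0/4
  # Refuse Class E reserved IP addresses
  deny_src 240.0.0.0/5
  # Refuse malformed broadcast packets
  deny_src 255.255.255.255
  ipchains -A input -p all -j DENY -d 0.0.0.0 -i "$device" -l

  # Refuse addresses defined as reserved by the IANA.
  # This list reflects the IANA allocations at the time the script was
  # written; many of these blocks have since been allocated and blocking them
  # today would drop legitimate traffic. Check it against the current IANA
  # IPv4 address space registry before reusing this script.
  for net in 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 \
             31.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 \
             58.0.0.0/7 60.0.0.0/8 65.0.0.0/8 66.0.0.0/7 68.0.0.0/6 \
             72.0.0.0/5 80.0.0.0/4 96.0.0.0/3 112.0.0.0/3 169.254.0.0/16 \
             192.0.0.0/24 217.0.0.0/8 218.0.0.0/7 220.0.0.0/6 248.0.0.0/5; do
    deny_src "$net"
  done

  # Rechazamos la conexion con nuestra ip interna
  ipchains -A input -p all -j DENY -d 192.168.1.0/25 -i "$device" -l

  # ICMP: all ICMP from outside to our subnet is dropped. This also drops
  # destination-unreachable / fragmentation-needed messages, which can break
  # path MTU discovery; consider allowing those types if that is observed.
  ipchains -A input -p icmp -j DENY -s 0.0.0.0/0 -i "$device" -d "$ppp0ADDR" -l

  # SSH abierto
  accept_port tcp 22
  # HTTP abierto
  accept_port tcp 80
  accept_port udp 80

  # Deny any other new inbound TCP connection (SYN) to our subnet. The two
  # ACCEPTs above are matched first, so 22/80 stay reachable; every later TCP
  # DENY is therefore only reached by non-SYN segments.
  ipchains -A input -p tcp -y -j DENY -s 0.0.0.0/0 -i "$device" -d "$ppp0ADDR" -l

  # Bloqueo 1:21
  deny_port tcp 1:21
  deny_port udp 1:21
  # Bloqueo 23:79
  deny_port tcp 23:79
  deny_port udp 23:79
  # Bloqueo 81:1023
  deny_port tcp 81:1023
  deny_port udp 81:1023

  # Acepta ssh (kept from the original ordering; the earlier ACCEPT already
  # matches tcp/22 on $device)
  ipchains -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
  accept_port udp 22
  # Acepta http (same remark as for ssh)
  ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
  accept_port udp 80

  # Bloqueo de otros puertos
  deny_port tcp 1109
  deny_port tcp 1243
  deny_port tcp 1524
  deny_port tcp 1600
  deny_port udp 2001
  deny_port tcp 2001
  deny_port tcp 2003
  deny_port udp 2049
  deny_port tcp 2049
  deny_port tcp 2105
  deny_port udp 3001
  deny_port tcp 3001
  deny_port udp 3128:3130
  deny_port tcp 3128:3130
  deny_port udp 3306
  deny_port tcp 3306
  deny_port tcp 4444
  deny_port udp 6000:6100
  deny_port tcp 6000:6100
  deny_port udp 6600:6800
  deny_port tcp 6600:6800
  deny_port tcp 7000
  # Back Orifice
  deny_port udp 31337
  deny_port tcp 31337
  # NetBus
  deny_port udp 12345:12346
  deny_port tcp 12345:12346

  # Reglas de redireccionamiento: masquerade the internal network outwards.
  ipchains -A forward -p all -j MASQ -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0
  return 0
}

#######################################
# Parada: flush every chain, remove user chains and reset policies to ACCEPT
# (the host is unfiltered after this).
#######################################
stop() {
  echo "Parando Servicios del Firewall: "
  # Borra todas las reglas por defecto
  ipchains -F
  # Borra todas las chain definidas por el usuario para el filtrado
  ipchains -X
  # Resetea la politica por defecto de filtrado
  ipchains -P input ACCEPT
  ipchains -P output ACCEPT
  ipchains -P forward ACCEPT
}

#######################################
# Dispatch on the init action. See how we were called.
# Arguments: $1 - start|stop|restart|reload
#######################################
main() {
  case "$1" in
    start)
      start
      ;;
    stop)
      stop
      ;;
    restart|reload)
      "$0" stop
      "$0" start
      ;;
    *)
      echo "Uso: firewall start|stop|restart|reload"
      exit 1
      ;;
  esac
}

main "$@"
exit $?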
Este fichero únicamente podrá ser manipulado por el superusuario y deberá estar localizado en el directorio /etc/rc.d/init.d/