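#!/bin/bash
#
# Default firewall for the CIS Computer labs (ipchains, Linux 2.2 era)
#
# Eric Thern eric@thern.org
# April 2002
#
# How it works
#
# 1) Put the hosts that need "portmap" access into /etc/hosts.allow on a
#    line such as:
#        portmap: 127.0.0.1 10.0.0.1 10.0.0.2
#    Entries must be numeric: a single address (10.0.0.1) or an address
#    with a mask (10.0.0.0/16 or 10.0.0.0/255.255.0.0).  tcp_wrappers
#    partial addresses ("10.0."), ALL/LOCAL and hostnames are NOT understood
#    by ipchains and are skipped with a warning (resolving names while the
#    firewall is being built would also let a spoofed DNS answer pick the
#    trusted hosts).  "EXCEPT" clauses are not supported; the rest of such a
#    line is ignored so an excepted host is never accidentally trusted.
#
# 2) Run this script as root.  Every host listed on a portmap line gets
#    unrestricted TCP and UDP access to this machine (and vice versa); from
#    any other host no new TCP connection and no UDP gets in except what the
#    explicit rules below permit.
#
# Resulting input-chain policy, in evaluation order:
#   - DHCP (udp 67/68) on the LAN interface          accepted
#   - UDP to local port 53 from anywhere             accepted (see NOTE)
#   - UDP from source port 53 to ports >1023         accepted (see NOTE)
#   - anything on loopback                           accepted
#   - any TCP/UDP to or from a portmap host          accepted
#   - any other new TCP connection (SYN)             rejected
#   - any other UDP                                  rejected
#   - everything else (ICMP, established TCP, ...)   chain policy ACCEPT
#
# NOTE: ipchains has no connection tracking, so replies to this machine's
# own DNS queries can only be recognised by their source port.  The
# "source port 53 -> ports >1023" rule therefore lets anyone on the network
# reach any UDP service listening above 1023 simply by sending from port
# 53, and the "to port 53" rule exposes any local DNS server to everyone.
# Make sure nothing sensitive listens on a high UDP port, or remove those
# rules and run a local caching resolver.
#
# BUG FIXED: the original script appended "-A input -j ACCEPT" as its
# "default rule".  An appended match-everything ACCEPT is hit before any
# later rule, so the REJECTs at the end were unreachable and the firewall
# accepted everything.  Defaults belong in the chain *policy* (-P), which
# only applies to packets that fall off the end of the chain.
#
IPCHAINS="/sbin/ipchains"
HOSTS_ALLOW="/etc/hosts.allow"
LAN_IF="eth0"          # interface the DHCP rule is bound to
ENABLE_IP_FORWARD=1    # set to 0 if this machine must not route packets
ANY="0.0.0.0/0.0.0.0"

die()  { printf 'firewall: %s\n' "$*" >&2; exit 1; }
warn() { printf 'firewall: warning: %s\n' "$*" >&2; }

# Run one ipchains command and abort on failure.  The chain policy is
# ACCEPT, so until the trailing REJECT rules are in place the box is open:
# a failure here must not go unnoticed -- check the exit status if this is
# run from a boot script.
fw() { "$IPCHAINS" "$@" || die "ipchains $* failed"; }

# Print, one per line, every entry in the host-list field of the portmap
# lines of the hosts.allow file given as $1.
#   - "#" comments are stripped first, so a commented-out "#portmap:" line
#     is ignored (the original "grep portmap" picked those up too).
#   - only lines whose daemon field (before the first ':') names portmap
#     are used; the optional third tcp_wrappers field is not read.
#   - on "EXCEPT" the word itself is printed and the rest of that line is
#     dropped, so excepted hosts are never emitted as trusted ones.
portmap_hosts() {
  awk -F: '
    {
      sub(/#.*/, "")
      if ($1 !~ /(^|[ \t,])portmap([ \t,]|$)/) next
      n = split($2, host, /[ \t]+/)
      for (k = 1; k <= n; k++) {
        if (host[k] == "") continue
        print host[k]
        if (host[k] == "EXCEPT") break
      }
    }' "$1"
}

[[ "$(id -u)" -eq 0 ]] || die "must be run as root"
[[ -x "$IPCHAINS" ]]   || die "$IPCHAINS not found or not executable"
[[ -r "$HOSTS_ALLOW" ]] || die "cannot read $HOSTS_ALLOW"

#
# flush the rules and set the chain policies (see BUG FIXED above)
#
fw -F
fw -P input ACCEPT
fw -P output ACCEPT
fw -P forward ACCEPT

if [[ "$ENABLE_IP_FORWARD" -eq 1 ]]; then
  # With the forward policy ACCEPT this makes the machine an unfiltered
  # router between its interfaces; set ENABLE_IP_FORWARD=0 if that is not
  # wanted.
  echo 1 > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"
fi

#
# rulesets
#
fw -A input -p udp -i "$LAN_IF" -s "$ANY" 67:68 -d "$ANY" 67:68 -j ACCEPT
fw -A input -p udp -s "$ANY" -d "$ANY" 53:53 -j ACCEPT
fw -A input -p udp -s "$ANY" 53:53 -d "$ANY" 1024:65535 -j ACCEPT
fw -A input -i lo -s "$ANY" -d "$ANY" -j ACCEPT

# Dotted-quad address, optionally followed by /prefix (0-32) or /netmask.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/([0-9]|[12][0-9]|3[0-2]|[0-9]{1,3}(\.[0-9]{1,3}){3}))?$'
allowed=0
while IFS= read -r host; do
  if [[ "$host" == "EXCEPT" ]]; then
    warn "EXCEPT clauses in $HOSTS_ALLOW are not supported; the rest of that line is ignored"
    continue
  fi
  if [[ ! "$host" =~ $ipv4_re ]]; then
    warn "skipping '$host': not a numeric address or address/mask"
    continue
  fi
  # Trusted host: all TCP and UDP in either direction.  The "-d host" pair
  # only matches packets this machine receives that are addressed to that
  # host -- presumably its own addresses (127.0.0.1) or traffic it forwards.
  fw -A input -p tcp -s "$host" -d "$ANY" 0:65535 -j ACCEPT
  fw -A input -p tcp -s "$ANY" -d "$host" 0:65535 -j ACCEPT
  fw -A input -p udp -s "$host" -d "$ANY" 0:65535 -j ACCEPT
  fw -A input -p udp -s "$ANY" -d "$host" 0:65535 -j ACCEPT
  allowed=$((allowed + 1))
done < <(portmap_hosts "$HOSTS_ALLOW")
(( allowed > 0 )) || warn "no usable portmap hosts in $HOSTS_ALLOW; only DHCP, DNS and loopback are open"

# Everyone else: reject new TCP connections (-y = SYN only, so replies to
# connections this machine opened still get in) and all remaining UDP.
# ICMP and non-SYN TCP fall through to the ACCEPT policy.
fw -A input -p tcp -s "$ANY" -d "$ANY" -j REJECT -y
fw -A input -p udp -s "$ANY" -d "$ANY" -j REJECT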