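#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local setup commands in here:
#
# Two-interface NAT firewall: eth0 faces the outside, eth1 faces the
# 10.0.0.0/24 LAN.  INPUT and FORWARD default to DROP; the LAN may open
# new connections outward, the outside may not open new connections
# inward, and LAN traffic leaving eth0 is SNATed to the external address.
#
#########################################
# Version 2.1 (18-Sept-03)
# - simplified some of NetBIOS/RPC stuff by one statement to block 135:139
#########################################
# Version 2 (20-Aug-03)
# - added udp ports 135, 137, 138, 445; tcp ports 443, 445, 593
#   (some were previously tcp rather than udp)
#########################################
# Review changes (undated):
# - rules are now appended (-A) in the order written instead of inserted
#   at the head (-I).  With -I every rule landed ABOVE the one before it,
#   so the FORWARD chain ended up with "-i eth1 --state NEW -j ACCEPT" at
#   the top and the NetBIOS/RPC and anti-spoofing DROPs at the bottom,
#   where no packet reached them; the eth0 anti-spoof LOG sat below its
#   own DROP and never fired.
# - existing rules are flushed before the new ones are added, so running
#   the script twice no longer stacks duplicate rules.
# - interface names, the LAN range and the SNAT address are variables.
# - any failing command aborts the script before IP forwarding is
#   re-enabled (fail closed instead of forwarding with half a rule set).
#########################################

set -eu

# Interface and address configuration.
readonly EXT_IF=eth0            # external (upstream) interface
readonly INT_IF=eth1            # internal LAN interface
readonly INT_NET=10.0.0.0/24    # addresses legitimately seen behind INT_IF
readonly EXT_IP=192.168.1.39    # address LAN traffic is SNATed to on EXT_IF

# turn IP forwarding off while we configure stuff..
# Nothing below turns it back on until the whole rule set is in place, so
# an error part-way leaves the box not forwarding at all rather than
# forwarding with missing rules.
echo 0 > /proc/sys/net/ipv4/ip_forward

#configure network address for internal NIC
# ifconfig eth1 10.0.0.2 netmask 255.255.255.0 up ;    ****commented out 20-aug-03****

# load netfilter modules from /lib/modules/2.4.x/kernel/net/ipv4/netfilter
#
# modprobe may fail for a feature that is compiled into the kernel rather
# than built as a module, so a modprobe failure is reported but not fatal;
# a feature that is genuinely missing makes the iptables commands further
# down fail, and set -e aborts the script there.
load_module() {
  modprobe -v "$1" || echo "warning: modprobe $1 failed (built into the kernel?)" >&2
}

load_module ip_tables          # iptables core
load_module iptable_nat        # do nat
load_module ip_nat_ftp         # support natted ftp
load_module iptable_filter     # allow filtering
load_module ipt_state          # allow -m state
load_module ipt_LOG            # allow LOG target
load_module ip_conntrack_ftp   # keep on supporting natted ftp...

echo modules loaded, setting up firewall rules.

# set policy to DROP for INPUT and FORWARD chains.
# Done before flushing so the chains are never left wide open while the
# rules below are (re)built.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# start from a clean slate: remove rules left over from an earlier run so
# re-running this script does not stack duplicates.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X

# INPUT chain deals with packets which are for this machine.
# Rules are APPENDED, so they are tried top to bottom exactly as written.

# allow traffic on the dummy loopback interface 127.0.0.1
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT

# drop invalid packets! Duh!
iptables -A INPUT -m state --state INVALID -j DROP

# accept all related and established packets for here
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept any packets from the internal lan for this machine
iptables -A INPUT -i "$INT_IF" -j ACCEPT

# begrudgingly accept packets for the auth port arriving on the
# external interface.  The intrapositioned "-s ! addr" is the form the
# 2.4-era iptables understood; newer releases still accept it (with a
# warning) and prefer "! -s addr".
iptables -A INPUT -i "$EXT_IF" -s '!' "$INT_NET" -p tcp --dport 113 -j ACCEPT

# because the INPUT policy is DROP, all other (INPUT) packets
# will be DROPPED!

# FORWARD chain is for packets that traverse this machine,
# don't originate or end up here, but go through..
# Order matters: the unconditional DROPs come first so that the state
# ACCEPTs further down cannot let those packets through.

# don't forward invalid packets..
iptables -A FORWARD -m state --state INVALID -j DROP

# don't allow packets from addresses arriving from the wrong address
# for that interface: LAN addresses must not show up on the external
# side, and only LAN addresses may show up on the internal side.
# LOG must come before DROP (the other way round never logs anything).
iptables -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j LOG --log-prefix "FW spoof ext: "
iptables -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
iptables -A FORWARD -i "$INT_IF" -s '!' "$INT_NET" -j LOG --log-prefix "FW spoof int: "
iptables -A FORWARD -i "$INT_IF" -s '!' "$INT_NET" -j DROP

# drop NetBIOS and RPC stuff from anywhere to anywhere
# (placed before the state rules; after them a connection opened from
# the LAN to one of these ports would already have been accepted)
#
# NOTE(review): tcp/443 is HTTPS, so this rule cuts the LAN off from
# every HTTPS site.  It is listed in the Version 2 changelog and was a
# dead rule under the old -I ordering; it is kept, but confirm that
# blocking it is really intended now that it takes effect.
iptables -A FORWARD -p tcp --dport 42 -j DROP
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 443 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p tcp --dport 593 -j DROP
iptables -A FORWARD -p tcp --dport 1024 -j DROP

# agree to forward stuff to do with current connections we know of
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# don't allow new connections through to internal from
# external interface
iptables -A FORWARD -i "$EXT_IF" -m state --state NEW -j DROP

# do allow new connection through to external that arrive on
# the internal interface
iptables -A FORWARD -i "$INT_IF" -m state --state NEW -j ACCEPT

# do Network Address Translation for anything we send out of
# the external interface..
iptables -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"

# turn IP forwarding back on
echo 1 > /proc/sys/net/ipv4/ip_forward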