Hi, I have some problems allowing outgoing UDP packets through a firewall.
The problem areas are marked in bold to make them easier to find.
(my friend wants to play Half-Life, but his firewall always blocks it with the following message:
Packet log: output REJECT eth1 PROTO=17
212.186.xx.xx:62445 194.183.128.54:27019 L=37 S=0x00 I=5296 F=0x0000 T=127
(#29)
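#!/bin/sh
#
# rc.firewall -- ipchains packet filter for a masquerading gateway.
#
# Default policy is deny; every permitted service is listed explicitly
# further down.  The definitions in this section are the only lines that
# should need editing for a different host or ISP.
#
echo "Starting firewalling... "
#
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth1"               # Internet connected interface
LOOPBACK_INTERFACE="lo"                 # or your local naming convention
LOCAL_INTERFACE_1="eth0"                # internal LAN interface
IPADDR="212.186.xx.xx"                  # your IP address
LOCALNET_1="10.10.10.0/24"              # whatever private range you use
# NOTE(review): a ':' inside an IPv4 address is not valid ipchains address
# syntax; this was probably meant to read XX.XX -- confirm before relying
# on the EXTERN_1 rules further down.
EXTERN_1="212.17.XX:XX"                 # extern 1 # Simon
ANYWHERE="any/0"                        # match any IP address
# NOTE(review): with any/0 here the DNS client rules accept traffic from
# source port 53 of *any* host to every unprivileged port on this machine.
# Naming your ISP's resolvers instead restores the intended restriction.
NAMESERVER_1="any/0"                    # everyone must have at least one
# NOTE(review): SMTP_SERVER is referenced by the SMTP client rules further
# down but is never assigned in this script.  Set it to your ISP's mail
# relay, e.g.:
# SMTP_SERVER="<ISP mail relay address>"

LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
CLASS_A="10.0.0.0/8"                    # class A private networks
CLASS_B="172.16.0.0/12"                 # class B private networks
CLASS_C="192.168.0.0/16"                # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"         # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"      # class E reserved addresses
BROADCAST_SRC="0.0.0.0"                 # broadcast source address
BROADCAST_DEST="255.255.255.255"        # broadcast destination address
PRIVPORTS="0:1023"                      # well known, privileged port range
UNPRIVPORTS="1024:65535"                # unprivileged port range
# ----------------------------------------------------------------------------
# NOTE(review): the rejected packet quoted in the log went to UDP port
# 27019, which is outside this range; confirm the port range the game
# server really uses before changing it.
HALFLIFE="17000:17050"                  # HALFLIFE port range
NFS_PORT="2049"                         # (TCP/UDP) NFS
SOCKS_PORT="1080"                       # (TCP) Socks
# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"               # (TCP) X windows
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"            # port range for local clients
SSH_REMOTE_PORTS="513:65535"            # port range for remote clients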
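# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Set the default policy of the filter to deny *before* flushing, so the
# chains never sit empty under an ACCEPT policy while the rest of this
# script is still loading rules.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# Remove all existing rules belonging to this filter
ipchains -F

# set masquerade timeout to 10 hours for tcp connections
# (the three values are tcp, tcp-fin and udp timeouts; 0 leaves that
# timeout unchanged)
ipchains -M -S 36000 0 0
# ----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > "$f"
done
# These modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp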
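# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT
# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input  -i "$LOCAL_INTERFACE_1" -s "$LOCALNET_1" -j ACCEPT
ipchains -A output -i "$LOCAL_INTERFACE_1" -d "$LOCALNET_1" -j ACCEPT
# All internal access extern ip adresses
# NOTE(review): these two rules trust EXTERN_1 completely -- every port and
# protocol, both directions, on the Internet-facing interface -- and a
# packet carrying that source address is accepted whoever sent it.
# Consider limiting this pair to the ports actually needed.
ipchains -A input  -i "$EXTERNAL_INTERFACE" -s "$EXTERN_1" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$EXTERN_1" -j ACCEPT
# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
# The forward policy is DENY, so this is the only path LAN traffic has
# to the outside; after MASQ it leaves eth1 with IPADDR as its source.
ipchains -A forward -i "$EXTERNAL_INTERFACE" -s "$LOCALNET_1" -j MASQ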
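# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
#   ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
# The file is sourced, i.e. every line in it runs as root, so it must be
# writable by root only.
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
  . /etc/rc.d/rc.firewall.blocked
fi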
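# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
#
# None of these rules names an interface, so they apply everywhere; they
# only behave as intended because the loopback and LOCALNET_1 ACCEPT
# rules above are matched first.  Keep that ordering.

# Refuse incoming packets pretending to be from the external address.
ipchains -A input -s "$IPADDR" -j DENY -l
# Refuse incoming packets claiming to be from a Class A, B or C private network
ipchains -A input -s "$CLASS_A" -j DENY
ipchains -A input -s "$CLASS_B" -j DENY
ipchains -A input -s "$CLASS_C" -j DENY
# Refuse broadcast address SOURCE packets
ipchains -A input -s "$BROADCAST_DEST" -j DENY -l
ipchains -A input -d "$BROADCAST_SRC" -j DENY -l
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s "$CLASS_D_MULTICAST" -j DENY
# Refuse Class E reserved IP addresses
ipchains -A input -s "$CLASS_E_RESERVED_NET" -j DENY -l
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included.
# Filtering them causes problems as reserved blocks are
# being allocated more often now.
# Note: this list includes the loopback, multicast, & reserved addresses.
#   0.*.*.*       - Can't be blocked for DHCP users.
#   127.*.*.*     - LoopBack
#   169.254.*.*   - Link Local Networks
#   192.0.2.*     - TEST-NET
#   224-255.*.*.* - Classes D & E, plus unallocated.
# (The note above says 0/8 cannot be blocked for DHCP users, yet the
# first rule below does block it; drop that rule if the external address
# is obtained via DHCP.)
ipchains -A input -s 0.0.0.0/8      -j DENY -l
ipchains -A input -s 127.0.0.0/8    -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24   -j DENY -l
ipchains -A input -s 224.0.0.0/3    -j DENY -l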
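# ----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful, though.
# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# Inbound connection attempts are logged and dropped (DENY -l); outbound
# attempts are REJECTed so the local client fails immediately.

# NFS: establishing a TCP connection
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --syn \
  --destination-port "$NFS_PORT" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp --syn \
  --destination-port "$NFS_PORT" -j REJECT
# Xwindows: establishing a connection
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --syn \
  --destination-port "$XWINDOW_PORTS" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp --syn \
  --destination-port "$XWINDOW_PORTS" -j REJECT
# SOCKS: establishing a connection
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --syn \
  --destination-port "$SOCKS_PORT" -j DENY -l
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp --syn \
  --destination-port "$SOCKS_PORT" -j REJECT
# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  --destination-port "$NFS_PORT" -j DENY -l
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  --source-port "$TRACEROUTE_SRC_PORTS" \
  --destination-port "$TRACEROUTE_DEST_PORTS" -j DENY -l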
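# ALLOWED CONNECTIONS
# MIXED TRAFFIC (TCP/UDP)
# ------------------------------------------------------------------
# DNS client (53)
# ---------------
# NOTE(review): NAMESERVER_1 is any/0, so the two input rules below admit
# any packet whose source port is 53 to every unprivileged port on this
# host (UDP outright, TCP whenever SYN is clear).  Naming your ISP's
# resolvers instead restores the intended restriction.
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$NAMESERVER_1" 53 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$NAMESERVER_1" 53 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$NAMESERVER_1" 53 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$NAMESERVER_1" 53 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# HALFLIFE client (17000:17050)
# ----------------
# The logged REJECT is on the *output* chain with PROTO=17 (UDP).  The
# earlier version of this section opened TCP in both directions but for
# UDP added only two *input* rules, so the client's UDP packets to the
# game server matched no ACCEPT on output and fell through to the
# logging REJECT at the end of the script.  The LAN client's traffic is
# masqueraded, so on the external interface it appears to carry IPADDR
# as source and the server's replies return to an unprivileged port on
# IPADDR; the UDP pair below mirrors the DNS client pair for that.
#
# Two rules from the earlier version are deliberately gone:
#   -p udp -d $IPADDR $UNPRIVPORTS -j ACCEPT   accepted UDP from *any* host
#       to *every* unprivileged port here, undoing the UDP restrictions above;
#   -p udp -d $ANYWHERE $HALFLIFE -j ACCEPT   on the input chain accepted
#       inbound UDP to those ports regardless of destination host.
#
# The logged packet's destination port (27019) is outside HALFLIFE
# (17000:17050); until the range in the definitions matches the server,
# that packet is still rejected.
# TCP TRAFFIC
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" "$HALFLIFE" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$ANYWHERE" "$HALFLIFE" \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# UDP TRAFFIC
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  -d "$ANYWHERE" "$HALFLIFE" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$ANYWHERE" "$HALFLIFE" \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------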
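# TCP TRAFFIC
# Each client section is a pair: an output rule that may carry SYN
# (connection setup) and an input rule restricted to "! --syn" (replies
# only).  Server sections are the mirror image.
# ------------------------------------------------------------------
# FTP client (21)
# ---------------
# outgoing request
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 21 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 21 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# PORT mode data channel
# This input rule has to allow SYN (the server opens the data
# connection), so it admits a new connection from any host that uses
# source port 20 to any unprivileged port here.  Prefer passive mode
# and remove this pair if you can.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  --source-port 20 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 20 -j ACCEPT
# PASSIVE mode data channel creation
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port "$UNPRIVPORTS" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port "$UNPRIVPORTS" \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  --source-port "$SSH_REMOTE_PORTS" \
  -d "$IPADDR" 22 -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$IPADDR" 22 \
  --destination-port "$SSH_REMOTE_PORTS" -j ACCEPT
# SSH client (22)
# ---------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$SSH_LOCAL_PORTS" \
  --destination-port 22 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 22 \
  -d "$IPADDR" "$SSH_LOCAL_PORTS" -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  --source-port "$UNPRIVPORTS" \
  -d "$IPADDR" 25 -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$IPADDR" 25 \
  --destination-port "$UNPRIVPORTS" -j ACCEPT
# SMTP client (25)
# ----------------
# SMTP_SERVER is not assigned anywhere in this script.  With it unset the
# rules would be built as "-d 25" / "-s 25", which is not what is meant;
# skip the pair and say so instead of installing a malformed rule.
if [ -n "$SMTP_SERVER" ]; then
  ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
    -s "$IPADDR" "$UNPRIVPORTS" \
    -d "$SMTP_SERVER" 25 -j ACCEPT
  ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
    -s "$SMTP_SERVER" 25 \
    -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
else
  echo "SMTP_SERVER not set: SMTP client rules skipped" >&2
fi
# ------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 43 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 43 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# HTTP client (80)
# ----------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 80 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 80 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  --source-port "$UNPRIVPORTS" \
  -d "$IPADDR" 80 -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$IPADDR" 80 \
  --destination-port "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
# Only one remote host may reach the POP server; keep its address in one
# place so the two rules cannot drift apart.
POP_CLIENT="212.17.77.232"
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$POP_CLIENT" "$UNPRIVPORTS" \
  -d "$IPADDR" 110 -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  -s "$IPADDR" 110 \
  -d "$POP_CLIENT" "$UNPRIVPORTS" -j ACCEPT
# POP client (110)
# ----------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 110 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 110 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp \
  --source-port "$UNPRIVPORTS" \
  -d "$IPADDR" 113 -j REJECT
# AUTH client (113)
# -----------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 113 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 113 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------
ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp \
  -s "$IPADDR" "$UNPRIVPORTS" \
  --destination-port 443 -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! --syn \
  --source-port 443 \
  -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT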
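# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
# "-l" on an ACCEPT rule logs every matching packet; remove it once the
# traceroute rule is known to work.
ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp \
  -s "$IPADDR" "$TRACEROUTE_SRC_PORTS" \
  --destination-port "$TRACEROUTE_DEST_PORTS" -j ACCEPT -l
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
#
#  0: echo-reply (pong)
#  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
#  4: source-quench
#  5: redirect
#  8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
#
# As written only *outgoing* ping works: echo-reply is accepted in and
# echo-request out, but no input rule admits an echo-request, so the
# firewall does not answer pings from outside (they fall to the input
# DENY policy).  The output rules give the ICMP type in the source-port
# position, the form ipchains accepts for "-s address type".
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type echo-reply \
  -d "$IPADDR" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type destination-unreachable \
  -d "$IPADDR" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type source-quench \
  -d "$IPADDR" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type time-exceeded \
  -d "$IPADDR" -j ACCEPT
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type parameter-problem \
  -d "$IPADDR" -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" fragmentation-needed -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" source-quench -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" echo-request -j ACCEPT
ipchains -A output -i "$EXTERNAL_INTERFACE" -p icmp \
  -s "$IPADDR" parameter-problem -j ACCEPT
# ----------------------------------------------------------------------------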
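# Enable logging for selected denied packets
# Everything reaching this point is denied by the chain policies anyway;
# these rules exist so the interesting cases are logged (-l).  Inbound
# ICMP types other than 5 and 13-255 fall through to the unlogged
# input policy.
ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -d "$IPADDR" "$PRIVPORTS" -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp \
  -d "$IPADDR" "$UNPRIVPORTS" -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type 5 -j DENY -l
ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp \
  --icmp-type 13:255 -j DENY -l
# Any outbound packet on the external interface not matched by an ACCEPT
# above is rejected and logged here; this is most likely the rule behind
# the "output REJECT eth1 PROTO=17" log line.
ipchains -A output -i "$EXTERNAL_INTERFACE" -j REJECT -l
# ----------------------------------------------------------------------------
echo "done"
exit 0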