Hi Stefan,

Nice script. How could I disable SuSEfirewall and use this script to set up a firewall?

Regards
Matt

-----Original Message-----
From: Stefan_Walther@gehag-dsk.de [mailto:Stefan_Walther@gehag-dsk.de]
Sent: 28 May 2001 20:10
To: Pupeno; suse-security@suse.com
Subject: [suse-security] Antwort: [suse-security] configuring firewalls with iptables

#!/bin/sh
echo "starting firewall"

# interfaces
EXT="ippp+"    # external interface (ISDN, token ring card or anything else pointing to the internet)
INT="eth+"     # internal interface (pointing to your LAN)
LO="lo"        # loopback interface

# IP addresses
INTIP="192.168.0.1"   # your local IP for your LAN (internal IP)
ANY="0.0.0.0/0"       # all other IPs (maybe you need it later)

# ports
PRIVP="0:1023"        # privileged ports
UNPRI="1024:65535"    # unprivileged ports

# SYN flooding
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# source address verification on (every interface's rp_filter file)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# IP forwarding on
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP      # drop all incoming packets
iptables -P OUTPUT DROP     # drop all outgoing packets
iptables -P FORWARD DROP    # drop all forwarded packets
iptables -F                 # flush all chains (must happen before -X, a chain with rules cannot be deleted)
iptables -X                 # delete all user-defined chains
iptables -t nat -F          # flush nat chains
iptables -t nat -X          # delete user-defined nat chains

# ignore noise coming from your Windows LAN
# NetBIOS (drop it before it gets written to your firewall logfile;
# name and datagram service use UDP 137/138, session service TCP 139)
iptables -A INPUT -i $EXT -p tcp --sport 137:139 -j DROP
iptables -A INPUT -i $EXT -p tcp --dport 137:139 -j DROP
iptables -A INPUT -i $EXT -p udp --sport 137:139 -j DROP
iptables -A INPUT -i $EXT -p udp --dport 137:139 -j DROP

# drop BOOTP/DHCP traffic, which runs over UDP (if you have thin clients or boxes booting from a server via bootrom)
iptables -A INPUT -p udp --sport 67:68 -j DROP
iptables -A INPUT -p udp --dport 67:68 -j DROP

# no limits for connections coming from your LAN (better: specify single rules, e.g. SSH, DNS, HTTP...)
iptables -A INPUT -i $INT -j ACCEPT
iptables -A OUTPUT -o $INT -j ACCEPT

# no limits for your loopback device
iptables -A INPUT -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT

# you do want to ping from your firewall
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

##########################################################################
# NAT (MASQUERADING)
# replace your local IP from the LAN with the official Internet IP you got from your ISP
##########################################################################
echo "NAT"
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
# new connections may only be opened from the LAN towards the internet;
# from the outside only packets belonging to an already established connection are forwarded
iptables -A FORWARD -i $INT -o $EXT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

##########################################################################
# DNS
# allows you to connect to a DNS server of your ISP or anyone else
##########################################################################
echo "DNS"
iptables -A OUTPUT -o $EXT -p udp --sport $UNPRI --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT -p udp --sport 53 --dport $UNPRI -j ACCEPT
iptables -A OUTPUT -o $EXT -p tcp --sport $UNPRI --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT -p tcp --sport 53 --dport $UNPRI -j ACCEPT

# LOG anything else, setting a prefix in front of every message in your firewall log
# you should add one of the following lines to your syslog.conf in /etc:
#   kern.* /dev/tty11         # tty11 is mostly unused, so you see a blank screen when switching to it (same for tty12)
# or/and
#   kern.* /var/log/firewall  # here you write every message coming from the kernel into the file firewall
iptables -A INPUT -j LOG --log-prefix "input "
iptables -A OUTPUT -j LOG --log-prefix "output "
iptables -A FORWARD -j LOG --log-prefix "forward "
echo "READY"

Regards,
Stefan Walther
stefan_walther@gehag-dsk.de
office: 030/89786448
mobile: 0172/3943961
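The script's last three rules log everything that falls through to the DROP policies with the prefixes "input ", "output " and "forward ". Once kern.* is written to /var/log/firewall, the useful next step is reading that file back: which chain dropped what, which ports on the external interface are being probed, and whether anyone tried to open a connection into the LAN (with the FORWARD rules above, a logged "forward" packet that arrived on the external interface can only be such an attempt). The following Python is an added example of that, not part of Stefan's mail or of SuSE's tooling; it assumes the classic iptables LOG line format (`kernel: <prefix> IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...`), and the log lines, addresses and hostnames it works on are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines as the script's "-j LOG --log-prefix"
# rules produce them (prefixes "input ", "output ", "forward "). The addresses,
# the hostname "fw" and the sshd line are made up for this example.
SAMPLE_LOG = """\
May 28 20:10:01 fw kernel: input IN=ippp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1 DF PROTO=TCP SPT=4321 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 20:10:02 fw kernel: input IN=ippp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=4322 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 20:10:03 fw kernel: input IN=ippp0 OUT= MAC= SRC=198.51.100.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=1900 DPT=1900 LEN=20
May 28 20:10:04 fw kernel: forward IN=ippp0 OUT=eth0 SRC=203.0.113.5 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=4 DF PROTO=TCP SPT=4323 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 20:10:05 fw kernel: output IN= OUT=ippp0 SRC=198.51.100.7 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 20:10:06 fw sshd[123]: Accepted password for matt from 192.168.0.10
"""

# The prefix is the first word after "kernel: "; only the three prefixes the
# script uses are accepted, so unrelated kernel messages are ignored.
LINE_RE = re.compile(r"kernel: (?P<chain>input|output|forward) (?P<rest>.*)$")


def parse_log_line(line):
    """Return {'chain', 'fields', 'flags'} for a firewall LOG line, or None
    for any other syslog line. KEY=VALUE tokens go into 'fields' (a repeated
    key such as the second LEN= of a UDP packet overwrites the first), bare
    tokens such as DF or SYN into 'flags'."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return {"chain": m.group("chain"), "fields": fields, "flags": flags}


def summarize(log_text, ext_prefix="ippp"):
    """Count logged (dropped) packets per chain, the destination ports hit on
    the external interface, and forwarded packets that came in on the
    external interface, which the FORWARD rules only log when someone tries
    to open a connection into the LAN from outside."""
    per_chain = Counter()
    ext_dports = Counter()
    inbound_forward = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        per_chain[rec["chain"]] += 1
        f = rec["fields"]
        if f.get("IN", "").startswith(ext_prefix):
            ext_dports[(f.get("PROTO"), f.get("DPT"))] += 1
            if rec["chain"] == "forward":
                inbound_forward.append((f.get("SRC"), f.get("DST"), f.get("DPT")))
    return {
        "per_chain": dict(per_chain),
        "ext_dports": ext_dports.most_common(),
        "inbound_forward": inbound_forward,
    }


def scanning_sources(log_text, min_ports=3):
    """Sources whose dropped packets targeted at least min_ports distinct
    destination ports: a simple port-scan heuristic over INPUT and FORWARD."""
    ports_by_src = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["chain"] == "output":
            continue
        f = rec["fields"]
        if "SRC" in f and "DPT" in f:
            ports_by_src.setdefault(f["SRC"], set()).add(f["DPT"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("dropped per chain:", report["per_chain"])
    print("ports hit on external interface:", report["ext_dports"])
    print("connection attempts into the LAN:", report["inbound_forward"])
    print("possible scanners:", scanning_sources(SAMPLE_LOG))
```

Run it against the real file with `summarize(open("/var/log/firewall").read())`; if your external interface is not ippp, pass its name prefix as `ext_prefix`. The "output" entries deserve a look too: with the DROP policy on OUTPUT, every one of them is a program on the firewall itself trying to talk to the internet on a port the script does not allow.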