exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

standalone.sh

standalone.sh
Posted Feb 29, 2000
Authored by eth0 | Site b0f.com

A sample ipchains firewall script, featuring many options you can uncomment.

tags | tool, firewall
systems | unix
SHA-256 | c73bf8b50e6482f94f2b58e1d0d9d22ff9f47189b62981413f8451f53b316756

standalone.sh

Change Mirror Download

#!/bin/sh
#xxxxxxxxxxxxxxxxxxxxxxxxxxxx
# buffer0verfl0w security...x
# // eth0 x
#xxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Simple ipchains frontend script to help you configure ipchains
# for standalone...
# usage: simply run...

# ---------------------------------------------------------------- Interfaces -
# Local Interface
# This is the interface that is your link to the world

LOCALIF="ppp0"

# ------------------------------------------------------- Variable definition -
#
# Set the location of ipchains.

IPCHAINS="/sbin/ipchains"

# You shouldn't need to change anything in the rest of this section

LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"

echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"


echo "[standalone] IP: $LOCALNET"


REMOTENET="0/0"

# -------------------------------------- Flush everything, start from scratch -

echo -n "[standalone] Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."

echo "Done!"

# -------------------------------------------------- Allow loopback interface -

echo -n "[standalone] Loopback.."

$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."

echo "Done!"

# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

echo -n "[standalone] TOS flags.."

$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
echo -n "..."

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
echo -n "."

echo "Done!"

# ---------------------------------------------------------- Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.

# echo -n "[standalone] Trusted Networks.."

# $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j ACCEPT
# echo -n "."

# echo "Done!"

# ----------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems. These packets are logged.

# echo -n "[standalone] Banned Networks.."

# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j DENY
# echo -n "."

# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY
# echo -n "."

# echo "Done!"

# ------------------------------------------------------ @home-specific rules -
# This @home stuff is pretty specific to me (terminus). I get massive port
# scans from my neighbors and from pokey admins at @home, so I just got harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
# If someone out there finds out the ip ranges of JUST tci@home, let me know
# so i don't end up blocking ALL cablemodems like it's doing now.

echo -n "[standalone] Cable Modem Nets.."

# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them

# $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65355 -j ACCEPT
# $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "...."

# so we can resolve the above hostnames, allow dns queries back to us
# $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n ".."

# linux ipchains building script page (I think)
# $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "."

# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE this line.

# Blast all other @home connections into infinity and log them.
$IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
echo -n "."

echo "Done!"

# ---------------------------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.

echo -n "[standalone] Port Blocks.."

# NetBEUI/Samba
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
echo -n "."

# Microsoft SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
echo -n "."

# Postgres SQL

$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
echo -n "."

# Network File System
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY
echo -n "."

# X Displays :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
echo -n "."

# X Font Server :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
echo -n "."

# Back Orifice (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
echo -n "."

# NetBus (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
echo -n "."

echo "Done!"

# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains

echo -n "[standalone] High Ports.."

$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
echo -n "."

echo "Done!"

# ------------------------------------------------------------ Basic Services -

echo -n "[standalone] Services.."

# ftp-data (20) and ftp (21)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
# echo -n ".."

# ssh (22)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
# echo -n "."

# telnet (23)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
# echo -n "."

# smtp (25)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
# echo -n "."

# DNS (53)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
echo -n ".."

# DHCP on LAN side (to make @Home DHCP work) (67/68)
# $IPCHAINS -A input -i $LOCALIF -p udp -s $REMOTENET -d 255.255.255.255/24 67 -j ACCEPT
# $IPCHAINS -A output -i $LOCALIF -p udp -s $REMOTENET -d 255.255.255.255/24 68 -j ACCEPT
# echo -n ".."

# http (80)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# echo -n "."

# POP-3 (110)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
# echo -n "."

# identd (113)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j REJECT
echo -n "."

# nntp (119)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
# echo -n "."

# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."

# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."

echo "Done!"

# ---------------------------------------------------------------------- ICMP -

echo -n "[standalone] ICMP Rules.."

# Use this to deny ICMP attacks from specific addresses
# $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DENY
# echo -n "."

# Allow incoming ICMP
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "...."

echo "Done!"

# -------------------------------------------------------- set default policy -

$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT

echo ""
echo "[standalone] Finished Establishing Firewall."
echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close