I just started with cooking today. I'm very impressed, but don't see a firewall in the over 2900 packages.
I am new to Linux in general, trying to learn. I was pleased with the ease of setting up the USB w/ saving,
and how cool is it that even the "webkit browser" plays shows from Hulu w/ Flash?
Any suggestions on a firewall are appreciated. TIA

any help with a firewall?
Posted 14 years ago
Hi,
Use iptables.
Do ./fw with my file, in su -, and iptables -nvL to see the rules.
It's for:
Your interface: eth0
Your IP: 192.168.1.2
Your DNS: 192.168.1.3
and: IPv6 off, and HTTP and DNS only.
Voilà, to start.
Posted 14 years ago
#!/bin/bash
# Ignore all ICMP echo requests (this host will not answer ping)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Ignore broadcast echo requests (smurf protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# TCP SYN cookies (left disabled as in the original; note the file is tcp_syncookies, not tcp_syncookie)
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Anti-spoofing: reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do echo 1 > "$f"; done
# Neither accept nor send ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Do not accept source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable TCP window scaling (kept from the original; this is not a security control and caps throughput on fast links)
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
# Shorter FIN-WAIT and keepalive timers (denial-of-service mitigation)
echo 20 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Tuning
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_dsack
echo 0 > /proc/sys/net/ipv4/tcp_sack
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush previous rules (distribution defaults and our own) in the filter, nat and mangle tables
for t in filter nat mangle; do
    iptables -t "$t" -F
    iptables -t "$t" -X
done
# IPv6 is NOT filtered by this script: either keep IPv6 disabled on the host or uncomment the ip6tables lines.
#for t in filter nat mangle; do ip6tables -t "$t" -F; ip6tables -t "$t" -X; done

# Default policy: deny every connection
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#ip6tables -P INPUT DROP
#ip6tables -P OUTPUT DROP
#ip6tables -P FORWARD DROP

# TOS marking (tuning, not security)
iptables -t mangle -A PREROUTING -p udp --sport 53 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput

# Drop anything that is not unicast (broadcast/multicast; DHCP needs broadcast, but this host has a static address)
iptables -A INPUT -m pkttype ! --pkt-type unicast -j DROP
# Drop packets carrying the unassigned TCP option kinds 64 and 128 (the original comment calls them "flags")
iptables -A INPUT -p tcp --tcp-option 64 -j DROP
iptables -A INPUT -p tcp --tcp-option 128 -j DROP
# Every new incoming TCP connection must start with a SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments
iptables -A INPUT -f -j DROP
iptables -A FORWARD -f -j DROP
iptables -A OUTPUT -f -j DROP
# Drop packets the connection tracker cannot classify
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Never forward loopback addresses
iptables -A FORWARD -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -d 127.0.0.0/8 -j DROP

# Block bogons as source or destination on eth0.
# The original list also dropped 5/8, 23/8, 37/8, 39/8, 100/8, 102/7, 104/7, 106/8, 179/8 and 185/8,
# which were unallocated when the post was written; all of them have since been assigned and are
# omitted here. 192.168.0.0/16 is deliberately not listed because this host's LAN lives there.
for net in 0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 \
           198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3 255.255.255.255/32; do
    iptables -A OUTPUT -o eth0 -s "$net" -j DROP
    iptables -A OUTPUT -o eth0 -d "$net" -j DROP
done

# Allow loopback traffic
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 ! -f -m state ! --state INVALID -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 ! -f -m state ! --state INVALID -j ACCEPT
# ... but never 127.0.0.0/8 on the real interface
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -o eth0 -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT -o eth0 -d 127.0.0.0/8 -j DROP

# Allow DNS (UDP/53), only to and from the configured resolver
iptables -A INPUT -i eth0 -p udp -s 192.168.1.3 -d 192.168.1.2 --sport 53 --dport 32768:61000 ! -f -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.2 -d 192.168.1.3 --sport 32768:61000 --dport 53 ! -f -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outgoing HTTP (TCP/80); HTTPS would need the same pair of rules with port 443
iptables -A INPUT -i eth0 -p tcp -d 192.168.1.2 --sport 80 --dport 32768:61000 ! -f -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.2 --sport 32768:61000 --dport 80 ! -f -m state --state NEW,ESTABLISHED -j ACCEPT
# Anti-spoofing: drop incoming packets that claim our own address
iptables -A INPUT -s 192.168.1.2 -j DROP

# Log (rate-limited, so a flood of dropped packets cannot fill the log) and drop everything else
iptables -A INPUT -m limit --limit 5/min -j LOG --log-ip-options
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-ip-options
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-ip-options
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
#ip6tables -A INPUT -m limit --limit 5/min -j LOG --log-ip-options
#ip6tables -A FORWARD -m limit --limit 5/min -j LOG --log-ip-options
#ip6tables -A OUTPUT -m limit --limit 5/min -j LOG --log-ip-options
#ip6tables -A INPUT -j DROP
#ip6tables -A FORWARD -j DROP
#ip6tables -A OUTPUT -j DROP

echo "done"
exit 0
Use leafpad, save to fw, chmod 700, and do chmod +x fw.
Posted 14 years ago
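The "Block Bogons" section of the script above hard-codes whole /8 blocks that were simply unallocated at the time, and such a list goes stale as the registries assign them. Added example (not from the original post): a small bash helper that derives the block list from the IANA special-purpose IPv4 ranges instead, checks a single address against it, and prints the matching OUTPUT rules in the style of the script. IFACE and LAN_NET are assumptions standing in for the poster's eth0 / 192.168.1.x setup; the LAN prefix is exempted, which is why 192.168.0.0/16 produces no rule, just as in the original.

```bash
#!/bin/bash
# Added example: build the bogon block from IANA special-purpose ranges
# instead of a snapshot of "currently unallocated" /8s.
# Assumptions (not from the original post): IFACE and LAN_NET.

IFACE="eth0"
LAN_NET="192.168.1.0/24"   # the host's own subnet; never blocked

# Special-purpose / never-globally-routed IPv4 ranges (RFC 6890 and successors).
SPECIAL_USE="
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
255.255.255.255/32
"

# ip2int A.B.C.D : dotted quad to a 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX : succeed if ADDR lies inside the prefix
in_cidr() {
    local net="${2%/*}" plen="${2#*/}" mask
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_bogon ADDR : succeed if ADDR should be dropped on the real interface.
# The LAN prefix is checked first so the host's own neighbours are never bogons.
is_bogon() {
    in_cidr "$1" "$LAN_NET" && return 1
    local net
    for net in $SPECIAL_USE; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# bogon_rules : print the OUTPUT rules, skipping any range that contains the LAN
bogon_rules() {
    local net lan_addr="${LAN_NET%/*}"
    for net in $SPECIAL_USE; do
        in_cidr "$lan_addr" "$net" && continue
        echo "iptables -A OUTPUT -o $IFACE -s $net -j DROP"
        echo "iptables -A OUTPUT -o $IFACE -d $net -j DROP"
    done
}

# usage: bash bogons.sh rules        (print the rules)
#        bash bogons.sh check ADDR   (exit 0 if ADDR is a bogon)
case "$1" in
    rules) bogon_rules ;;
    check) is_bogon "$2" ;;
esac
```

Running `bash bogons.sh rules | sh` as root installs the block; `bash bogons.sh check 5.1.2.3` now fails, because 5.0.0.0/8, which the original script dropped, has long since been allocated.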
First, this will require him to install the iptables package.
Secondly, why not just use /etc/init.d/firewall and its configuration file /etc/firewall.conf with iptables support set to "yes" and a proper set of rules?
Posted 14 years ago
Hi,
First: yes, I said that.
Secondly: a mistake, of course!
Put my rules in firewall.conf and do:
cp firewall.conf /etc/firewall.conf (as su -)
and /etc/init.d/firewall start
Voilà.
Posted 14 years ago
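Whichever way the rules are loaded, by ./fw or by /etc/init.d/firewall, the thing to verify afterwards is that the running ruleset still matches the intent of the posted script: DROP policies on all three chains, only DNS and HTTP allowed to open connections on eth0, logging that cannot be flooded, and the sysctl values the script writes. Added example (not part of the thread): a bash audit that reads `iptables -S` output and a sysctl tree and prints one finding per deviation. The two rulesets embedded below are constructed samples in iptables-save syntax, not captures from a real host; the IPv6 expectation reflects the poster's statement that IPv6 is off and assumes it is done via disable_ipv6.

```bash
#!/bin/bash
# Added example: audit a loaded ruleset against the intent of the posted script.
# Feed `iptables -S` to audit_rules; point audit_sysctl at / on a live host.

ALLOWED_NEW="udp/53 tcp/80"     # proto/port pairs that may open NEW connections on eth0

# One finding per line; prints nothing when the ruleset matches the intent.
audit_rules() {
    local line chain pol proto dport seen=""
    while IFS= read -r line; do
        case "$line" in
            "-P "*)
                set -- $line; chain=$2; pol=$3; seen="$seen $chain"
                [ "$pol" = DROP ] || echo "policy: $chain is $pol, expected DROP"
                ;;
            *"-j LOG"*)
                case "$line" in *"-m limit"*) ;;
                    *) echo "log: LOG rule without -m limit (log flooding): $line" ;;
                esac
                ;;
            *" eth0 "*"-j ACCEPT"*)
                case "$line" in *NEW*) ;; *) continue ;; esac   # replies only: fine
                proto=$(printf '%s\n' "$line" | sed -n 's/.* -p \([a-z]*\) .*/\1/p')
                dport=$(printf '%s\n' "$line" | sed -n 's/.* --dport \([0-9:]*\) .*/\1/p')
                case " $ALLOWED_NEW " in *" $proto/$dport "*) ;;
                    *) echo "accept: NEW $proto/$dport allowed on eth0: $line" ;;
                esac
                ;;
        esac
    done
    for chain in INPUT FORWARD OUTPUT; do
        case " $seen " in *" $chain "*) ;; *) echo "policy: no -P line for $chain" ;; esac
    done
}

# Expected kernel settings, as paths relative to a root directory.
SYSCTL_EXPECTED="
proc/sys/net/ipv4/ip_forward=0
proc/sys/net/ipv4/conf/all/rp_filter=1
proc/sys/net/ipv4/conf/all/accept_redirects=0
proc/sys/net/ipv4/conf/all/accept_source_route=0
proc/sys/net/ipv4/conf/all/log_martians=1
proc/sys/net/ipv6/conf/all/disable_ipv6=1
"

# audit_sysctl ROOT : one finding per value that differs from SYSCTL_EXPECTED
audit_sysctl() {
    local entry path want got
    for entry in $SYSCTL_EXPECTED; do
        path="$1/${entry%=*}"; want="${entry#*=}"
        got=$(cat "$path" 2>/dev/null) || got="(missing)"
        [ "$got" = "$want" ] || echo "sysctl: ${entry%=*} is $got, expected $want"
    done
}

# Constructed sample 1: the posted rules as `iptables -S` prints them (abridged).
SAMPLE_STRICT='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -m state ! --state INVALID -j ACCEPT
-A INPUT -i eth0 -p udp -s 192.168.1.3/32 -d 192.168.1.2/32 -m udp --sport 53 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -d 192.168.1.2/32 -m tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-ip-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-ip-options
-A OUTPUT -o eth0 -p udp -s 192.168.1.2/32 -d 192.168.1.3/32 -m udp --sport 32768:61000 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -s 192.168.1.2/32 -m tcp --sport 32768:61000 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-ip-options
-A OUTPUT -j DROP'

# Constructed sample 2: someone later opened SSH and relaxed the INPUT policy.
SAMPLE_LOOSE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-ip-options
-A INPUT -j DROP
-A OUTPUT -o eth0 -p tcp -s 192.168.1.2/32 -m tcp --sport 32768:61000 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP'

# usage: iptables -S | bash fwaudit.sh rules      bash fwaudit.sh sysctl /
case "$1" in
    rules)  audit_rules ;;
    sysctl) audit_sysctl "${2:-/}" ;;
esac
```

On the first sample the only findings are the three unlimited LOG rules, which is exactly what the posted script produces; on the second the audit reports the ACCEPT policy on INPUT and the new tcp/22 allow, the two changes a reviewer would want to see flagged.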