head	1.9;
access;
symbols;
locks; strict;
comment	@# @;


1.9
date	2001.09.11.01.42.38;	author sgifford;	state Exp;
branches;
next	1.8;

1.8
date	2001.09.10.09.05.44;	author sgifford;	state Exp;
branches;
next	1.7;

1.7
date	2001.09.10.06.51.10;	author sgifford;	state Exp;
branches;
next	1.6;

1.6
date	2001.09.10.04.54.51;	author sgifford;	state Exp;
branches;
next	1.5;

1.5
date	2001.09.10.03.50.48;	author sgifford;	state Exp;
branches;
next	1.4;

1.4
date	2001.09.10.03.32.43;	author root;	state Exp;
branches;
next	1.3;

1.3
date	2001.09.10.02.56.18;	author root;	state Exp;
branches;
next	1.2;

1.2
date	2001.09.10.02.02.48;	author root;	state Exp;
branches;
next	1.1;

1.1
date	2001.09.09.04.01.41;	author root;	state Exp;
branches;
next	;


desc
@@


1.9
log
@Add DEBUG and VERBOSE messages.
Exit with a proper status.
@
text
@#!/bin/sh

if [ -n "$DEBUG" ]; then
  echo "$0: Beginning $1"
fi

# Set this to your internal interface.  Everything else should be
# automatic.
intint="eth0"

MASQMODS="ip_masq_ftp ip_masq_raudio ip_masq_ftp"
PARANOID=1

if [ "$1" = "change" ]; then
  if [ "$IPADDR" = "$OLD_IPADDR" ]; then

    if [ -n "$VERBOSE" ]; then
      echo "$0: IP address unchanged; skipping"
    fi

    exit 0
  fi
fi

extint="${DEVICE}"
extip="${IPADDR}"
extmask="${NETMASK}"

for i in `/sbin/ifconfig "$intint" | grep '^ *inet'` 
do
  setting="`echo "$i" |sed -e 's/:.*$//' |tr '[A-Z]' '[a-z]'`"
  val="`echo "$i" |sed -e 's/^.*://'`"
  if [ -n "$setting" ]; then
    case "$setting" in
      addr)  intip="$val";;
      bcast) intbcast="$val" ;;  
      mask)  intmask="$val"; intnet="$intip/$intmask" ;;
    esac
  fi
done


case "$1" in
  up|change)

    if [ -z "${DEVICE}" -o -z "${IPADDR}" ]; then
      echo "$0: DEVICE or IPADDR not set!" 1>&2
      exit 2
    fi

    if [ -n "$VERBOSE" ]; then
      echo "$0: Configuring network for sharing."
      echo "$0:     internal: $intint $intnet"
      echo "$0:     external: $extint $extip"
    fi

    for mod in $MASQMODS
    do
      /sbin/modprobe "$mod"
    done
    
    # Timeouts: 24 hours TCP, 
    #           512 sec after-FIN (2*MSL-ish), 
    #           160 sec UDP.
    /sbin/ipchains -M -S 86400 512 3600

    /sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ

    # Log and reject anything else.
    /sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

    echo "1" >/proc/sys/net/ipv4/ip_forward  

    if [ "`uname -m`" = "alpha" ]; then
      HZ=1024
    else
      HZ=100
    fi

    ICMP_MAXRATE=`expr $HZ / 3`
    echo "1" >/proc/sys/net/ipv4/ip_dynaddr  
    echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "$ICMP_MAXRATE" >/proc/sys/net/ipv4/icmp_destunreach_rate
    echo "$ICMP_MAXRATE" >/proc/sys/net/ipv4/icmp_paramprob_rate
    echo "$ICMP_MAXRATE" >/proc/sys/net/ipv4/icmp_timeexceed_rate
    echo "$ICMP_MAXRATE" >/proc/sys/net/ipv4/icmp_echoreply_rate
    echo "0" >/proc/sys/net/ipv4/conf/$extint/accept_redirects
    echo "0" >/proc/sys/net/ipv4/conf/$intint/accept_redirects
    echo "0" >/proc/sys/net/ipv4/conf/$extint/send_redirects
    echo "0" >/proc/sys/net/ipv4/conf/$intint/send_redirects
    echo "0" >/proc/sys/net/ipv4/conf/$extint/accept_source_route
    echo "0" >/proc/sys/net/ipv4/conf/$intint/accept_source_route
      
;;
  
  down)

    echo "0" >/proc/sys/net/ipv4/ip_forward  

    for mod in $MASQMODS
    do
      /sbin/rmmod $mod
    done
    
  ;;
  
  *)
    echo "Usage: $0 up|down|change"
    exit 1
  ;;
esac  

if [ -n "$DEBUG" ]; then
  echo "$0: Ending $1"
fi

exit 0
@


1.8
log
@Move check for IPADDR and DEVICE into 'up' and 'check' only.
@
text
@d3 4
d16 5
a41 4
#echo "Configuring network for sharing."
#echo "    internal: $intint $intnet"
#echo "    external: $extint $extip"
#echo 
d51 6
d112 6
@


1.7
log
@Move all firewall code into a seperate "fireall" script, so that
  it can be run before this.
@
text
@a6 5
if [ -z "${DEVICE}" -o -z "${IPADDR}" ]; then
  echo "$0: DEVICE or IPADDR not set!" 1>&2
  exit 2
fi

d40 5
@


1.6
log
@Added some recommendations from the NSA router security guide.
Added some comments on confusing parts (That I'd forgotten what
  they did)
Added stuff to allow NTP.
@
text
@d45 1
d51 12
a69 1
    echo "1" >/proc/sys/net/ipv4/ip_forward  
a81 183



    # Timeouts: 24 hours TCP, 
    #           512 sec after-FIN (2*MSL-ish), 
    #           160 sec UDP.
    /sbin/ipchains -M -S 86400 512 3600

    if [ -n "$PARANOID" ]
    then
    
      # Reject by default.
      /sbin/ipchains -F input
      /sbin/ipchains -P input REJECT
    
      # Allow DHCP packets, even from martian addresses.
      /sbin/ipchains -A input -i $intint -s 0/0 67 -d 0/0 68 -p udp -j ACCEPT 
      /sbin/ipchains -A input -i $intint -s 0/0 68 -d 0/0 67 -p udp -j ACCEPT 

      # Block Martian packets
      /sbin/ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 127.0.0.0/8 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 224.0.0.0/8 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 10.0.0.0/8 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 192.168.0.0/16 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 169.254.0.0/16 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 172.16.0.0/12 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 255.255.255.255/32 -d 0.0.0.0/0 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s 0.0.0.0/32 -d 0.0.0.0/0 -l -j REJECT

      # Cisco land attack
      /sbin/ipchains -A input -i $extint -s $intip/32 -d $intip/32 -l -j REJECT
      /sbin/ipchains -A input -i $extint -s $extip/32 -d $extip/32 -l -j REJECT
      /sbin/ipchains -A input -i $intint -s $intip/32 -d $intip/32 -l -j REJECT
      /sbin/ipchains -A input -i $intint -s $extip/32 -d $extip/32 -l -j REJECT
 
      # Disallow some ICMP packets from coming in.
      # Redirect
      /sbin/ipchains -A input -i $extint -p icmp --dport 5 -l -j REJECT
      # Address mask request
      /sbin/ipchains -A input -i $extint -p icmp --dport 17 -l -j REJECT
      # Information request
      /sbin/ipchains -A input -i $extint -p icmp --dport 15 -l -j REJECT
      # Anything we've never heard of...
      /sbin/ipchains -A input -i $extint -p icmp --dport 18: -l -j REJECT

      # Specific blocked ports (Windows filesharing crap)
      /sbin/ipchains -A input -i $extint -p tcp --sport 137 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p tcp --sport 138 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p tcp --sport 139 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p tcp --sport 445 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --sport 137 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --sport 138 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --sport 139 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --sport 445 -l -j REJECT

      /sbin/ipchains -A input -i $extint -p tcp --dport 137 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p tcp --dport 138 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p tcp --dport 139 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p tcp --dport 445 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --dport 137 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --dport 138 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --dport 139 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --dport 445 -l -j REJECT

      # Local machines on local interface can go anywhere on the local network.
      # (but can't forge IP addresses)
      /sbin/ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
  
      # Allow NTP to work
      /sbin/ipchains -A input -i $extint -p udp -d $intnet 123 -j ACCEPT
      /sbin/ipchains -A input -i $extint -p tcp -d $intnet 123 -j ACCEPT

      # Block any other special ports.
      /sbin/ipchains -A input -i $extint -p tcp --dport 0:1000 -l -j REJECT
      /sbin/ipchains -A input -i $extint -p udp --dport 0:1000 -l -j REJECT
 
      # Remote interface can go to permanent address
      /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
  
      # Allow anything from the loopback interface.
      /sbin/ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
  
      # Log and drop everything else.
      /sbin/ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
  
      # Outgoing Rules
  
      # Default to off.
      /sbin/ipchains -F output
      /sbin/ipchains -P output REJECT
  
      /sbin/ipchains -A output -i $extint -p tcp --sport 137 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p tcp --sport 138 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p tcp --sport 139 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p tcp --sport 445 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p udp --sport 137 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p udp --sport 138 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p udp --sport 139 -l -j REJECT
      /sbin/ipchains -A output -i $extint -p udp --sport 445 -l -j REJECT


      # Allow local interface to local net
      /sbin/ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

      # Allow DHCP messages
      /sbin/ipchains -A output -i $intint -p udp --sport 67 --dport 68 -j ACCEPT
      /sbin/ipchains -A output -i $intint -p udp --sport 68 --dport 67 -j ACCEPT
  
      # Deny outgoing to local net on remote interface
      /sbin/ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
  
      # Deny outgoing from local net on remote interface.
      # (it should be NAT'd)
      /sbin/ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
  
      # Anything else is OK.
      /sbin/ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
  
      # Loopback inteface is OK.
      /sbin/ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
  
      # Anything else
      /sbin/ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
    fi # PARANOID

    # Forwarding


    # Start up masquerading
    /sbin/ipchains -F forward
    /sbin/ipchains -P forward DENY

    if [ -n "$PARANOID" ]; then

      /sbin/ipchains -A forward -i $intint -p tcp --dport 137 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p tcp --dport 138 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p tcp --dport 139 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p tcp --dport 445 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --dport 137 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --dport 138 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --dport 139 -l -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --dport 445 -l -j REJECT

      /sbin/ipchains -A forward -i $extint -p tcp --dport 137 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p tcp --dport 138 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p tcp --dport 139 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p tcp --dport 445 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --dport 137 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --dport 138 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --dport 139 -l -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --dport 445 -l -j REJECT

      # Broadcast packets can't be forwarded
      /sbin/ipchains -A forward -i $intint -s 0.0.0.0/32 -j REJECT
      /sbin/ipchains -A forward -i $intint -d 0.0.0.0/32 -j REJECT
      /sbin/ipchains -A forward -i $intint -s 255.255.255.255/32 -j REJECT
      /sbin/ipchains -A forward -i $intint -d 255.255.255.255/32 -j REJECT

      /sbin/ipchains -A forward -i $extint -s 0.0.0.0/32 -j REJECT
      /sbin/ipchains -A forward -i $extint -d 0.0.0.0/32 -j REJECT
      /sbin/ipchains -A forward -i $extint -s 255.255.255.255/32 -j REJECT
      /sbin/ipchains -A forward -i $extint -d 255.255.255.255/32 -j REJECT
      /sbin/ipchains -A forward -i $extint -s $intbcast/32 -j REJECT
      /sbin/ipchains -A forward -i $extint -d $intbcast/32 -j REJECT

      # DHCP packets can't be forwarded
      /sbin/ipchains -A forward -i $intint -p udp --sport 67 -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --sport 68 -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --dport 67 -j REJECT
      /sbin/ipchains -A forward -i $intint -p udp --dport 68 -j REJECT

      /sbin/ipchains -A forward -i $extint -p udp --sport 67 -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --sport 68 -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --dport 67 -j REJECT
      /sbin/ipchains -A forward -i $extint -p udp --dport 68 -j REJECT

    fi # PARANOID

    /sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ

    # Log and reject anything else.
    /sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
@


1.5
log
@Automate discovery of local interface information.
@
text
@d85 1
a85 1
      # Allow DHCP packets.
d89 1
a89 1
      # Martian Packets
d106 10
d136 1
d139 4
d183 1
@


1.4
log
@Set a bunch of ipv4 settings.
Fix some DHCP stuff.
@
text
@d3 4
a20 1

d23 1
a23 4
intint="eth0"
intip="10.0.0.1"
intnet="$intip/24"
intbcast="10.0.0.255"
d25 12
@


1.3
log
@Fix some DHCP stuff.
@
text
@d12 1
a12 1
  if [ "$IPADDR" -eq "$OLD_IPADDR" ]; then
d25 1
d38 7
d47 11
d73 4
a115 4
      # Allow DHCP packets.
      /sbin/ipchains -A input -i $intint -s 0/0 67 -d 0/0 68 -p udp -j ACCEPT 
      /sbin/ipchains -A input -i $intint -s 0/0 68 -d 0/0 67 -p udp -j ACCEPT 

@


1.2
log
@Rearrange SMB protocol so that we can still send out broadcasts
  to the local network.
@
text
@d23 1
d90 1
a90 1
      # Local machines on local interface can go anywhere else.
d94 2
a95 1
      /sbin/ipchains -A input -j ACCEPT -i $extint -s 0/0 67 -d 0/0 68 -p udp
d128 4
d176 24
d215 1
a215 1
      /sbin/rmmod ip_masq_ftp
@


1.1
log
@Initial revision
@
text
@a122 8
      /sbin/ipchains -A output -i $intint -p tcp --dport 137 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p tcp --dport 138 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p tcp --dport 139 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p tcp --dport 445 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p udp --dport 137 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p udp --dport 138 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p udp --dport 139 -l -j REJECT
      /sbin/ipchains -A output -i $intint -p udp --dport 445 -l -j REJECT
d149 23
@
