Find the answer to your Linux question:
Results 1 to 3 of 3
below is the firewall script that i use. I online check the Stealth Test at PC Flank. And i get this result. The result which is scared me, I want ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jul 2004
    Posts
    6

    need help to fix rc.firewall


    below is the firewall script that i use. I online check the Stealth Test at PC Flank. And i get this result. The result which is scared me, I want all tcp and UDP is stealthed. So i would like to ask help to help me fix what are still open or missing. Thank you

    Packet' type Status
    =================
    TCP "ping" stealthed
    TCP NULL unknown
    TCP FIN unknown
    TCP XMAS unknown
    UDP non-stealthed

    ============== begin ========================

    #!/bin/sh
    #
    # rc.firewall-2.4-stronger
    #
    FWVER=0.80s

    # An example of a stronger IPTABLES firewall with IP Masquerade
    # support for 2.4.x kernels.
    #
    # Log:
    #
    # 0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
    # default of the ip_conntrack_irc to NOT load by default, and
    # added additional kernel module comments
    # 0.79s - ruleset now uses modprobe instead of insmod
    # 0.78s - REJECT is not a legal policy yet; back to DROP
    # 0.77s - Changed the default block behavior to REJECT not DROP
    # 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
    # where to put optional PORTFW commands
    # 0.75s - Added clarification that PPPoE users need to use
    # "ppp0" instead of "eth0" for their external interface
    # 0.74s - Changed the EXTIP command to work on NON-English distros
    # 0.73s - Added comments in the output section that DHCPd is optional
    # and changed the default settings to disabled
    # 0.72s - Changed the filter from the INTNET to the INTIP to be
    # stateful; moved the command VARs to the top and made the
    # rest of the script to use them
    # 0.70s - Added a disabled examples for allowing internal DHCP
    # and external WWW access to the server
    # 0.63s - Added support for the IRC module
    # 0.62s - Initial version based upon the basic 2.4.x rc.firewall


    echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"


    # The location of various iptables and other shell programs
    #
    # If your Linux distribution came with a copy of iptables, most
    # likely it is located in /sbin. If you manually compiled
    # iptables, the default location is in /usr/local/sbin
    #
    # ** Please use the "whereis iptables" command to figure out
    # ** where your copy is and change the path below to reflect
    # ** your setup
    #
    #IPTABLES=/sbin/iptables
    IPTABLES=/usr/local/sbin/iptables
    #
    LSMOD=/sbin/lsmod
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe
    GREP=/bin/grep
    AWK=/bin/awk
    SED=/bin/sed
    IFCONFIG=/sbin/ifconfig


    #Setting the EXTERNAL and INTERNAL interfaces for the network
    #
    # Each IP Masquerade network needs to have at least one
    # external and one internal network. The external network
    # is where the natting will occur and the internal network
    # should preferably be addressed with a RFC1918 private address
    # scheme.
    #
    # For this example, "eth0" is external and "eth1" is internal"
    #
    # NOTE: If this doesnt EXACTLY fit your configuration, you must
    # change the EXTIF or INTIF variables above. For example:
    #
    # If you are a PPPoE or analog modem user:
    #
    # EXTIF="ppp0"
    #
    EXTIF="eth0"
    INTIF="eth1"
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"
    echo " ---"

    # Specify your Static IP address here or let the script take care of it
    # for you.
    #
    # If you prefer to use STATIC addresses in your firewalls, un-# out the
    # static example below and # out the dynamic line. If you don't care,
    # just leave this section alone.
    #
    # If you have a DYNAMIC IP address, the ruleset already takes care of
    # this for you. Please note that the different single and double quote
    # characters and the script MATTER.
    #
    #
    # DHCP users:
    # -----------
    # If you get your TCP/IP address via DHCP, **you will need ** to enable the
    # #ed out command below underneath the PPP section AND replace the word
    # "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
    # etc) on the lines for "ppp-ip" and "extip". You should also note that the
    # DHCP server can and will change IP addresses on you. To deal with this,
    # users should configure their DHCP client to re-run the rc.firewall ruleset
    # everytime the DHCP lease is renewed.
    #
    # NOTE #1: Some DHCP clients like the original "pump" (the newer
    # versions have been fixed) did NOT have the ability to run
    # scripts after a lease-renew. Because of this, you need to
    # replace it with something like "dhcpcd" or "dhclient".
    #
    # NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
    #
    # Older versions used syntax like:
    # dhcpcd -c /etc/rc.d/rc.firewall eth0
    #
    # Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
    #
    # NOTE #3: For Pump users, put the following line in /etc/pump.conf:
    #
    # script /etc/rc.d/rc.firewall
    #
    # PPP users:
    # ----------
    # If you aren't already aware, the /etc/ppp/ip-up script is always run when
    # a PPP connection comes up. Because of this, we can make the ruleset go and
    # get the new PPP IP address and update the strong firewall ruleset.
    #
    # If the /etc/ppp/ip-up file already exists, you should edit it and add a line
    # containing "/etc/rc.d/rc.firewall" near the end of the file.
    #
    # If you don't already have a /etc/ppp/ip-up sccript, you need to create the
    # following link to run the /etc/rc.d/rc.firewall script.
    #
    # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
    #
    # * You then want to enable the #ed out shell command below *
    #
    #
    # Determine the external IP automatically:
    # ----------------------------------------
    #
    # The following line will determine your external IP address. This
    # line is somewhat complex and confusing but it will also work for
    # all NON-English Linux distributions:
    #
    EXTIP="`$IFCONFIG $EXTIF | $AWK \
    /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


    # For users who wish to use STATIC IP addresses:
    #
    # # out the EXTIP line above and un-# out the EXTIP line below
    #
    #EXTIP="your.static.PPP.address"
    echo " External IP: $EXTIP"
    echo " ---"


    # Assign the internal TCP/IP network and IP address
    INTNET="192.168.1.0/24"
    INTIP="192.168.1.1/24"
    echo " Internal Network: $INTNET"
    echo " Internal IP: $INTIP"
    echo " ---"




    # Setting a few other local variables
    #
    UNIVERSE="0.0.0.0/0"

    #================================================= =====================
    #== No editing beyond this line is required for initial MASQ testing ==

    # Need to verify that all modules have all required dependencies
    #
    echo " - Verifying that all kernel modules are ok"
    $DEPMOD -a

    echo -en " Loading kernel modules: "

    # With the new IPTABLES code, the core MASQ functionality is now either
    # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
    # options as MODULES. If your kernel is compiled correctly, there is
    # NO need to load the kernel modules manually.
    #
    # NOTE: The following items are listed ONLY for informational reasons.
    # There is no reason to manual load these modules unless your
    # kernel is either mis-configured or you intentionally disabled
    # the kernel module autoloader.
    #

    # Upon the commands of starting up IP Masq on the server, the
    # following kernel modules will be automatically loaded:
    #
    # NOTE: Only load the IP MASQ modules you need. All current IP MASQ
    # modules are shown below but are commented out from loading.
    # ================================================== =============

    #Load the main body of the IPTABLES module - "ip_tables"
    # - Loaded automatically when the "iptables" command is invoked
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "ip_tables, "
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_tables
    fi


    #Load the IPTABLES filtering module - "iptable_filter"
    #
    # - Loaded automatically when filter policies are activated


    #Load the stateful connection tracking framework - "ip_conntrack"
    #
    # The conntrack module in itself does nothing without other specific
    # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
    # module
    #
    # - This module is loaded automatically when MASQ functionality is
    # enabled
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "ip_conntrack, "
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_conntrack
    fi


    #Load the FTP tracking mechanism for full FTP tracking
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -e "ip_conntrack_ftp, "
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_conntrack_ftp
    fi


    #Load the IRC tracking mechanism for full IRC tracking
    #
    # Disabled by default -- insert a "#" on the next few lines to activate
    #
    # echo -en " ip_conntrack_irc, "
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    # if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
    # $MODPROBE ip_conntrack_irc
    # fi


    #Load the general IPTABLES NAT code - "iptable_nat"
    # - Loaded automatically when MASQ functionality is turned on
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "iptable_nat, "
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
    $MODPROBE iptable_nat
    fi


    #Loads the FTP NAT functionality into the core IPTABLES code
    # Required to support non-PASV FTP.
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -e "ip_nat_ftp"
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
    $MODPROBE ip_nat_ftp
    fi


    #Loads the IRC NAT functionality (for DCC) into the core IPTABLES code
    #
    # DISABLED by default -- delete the "#" on the next few lines to activate
    #
    # echo -e "ip_nat_irc"
    #
    #Verify the module isn't loaded. If it is, skip it
    #
    # if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
    # $MODPROBE ip_nat_irc
    # fi


    echo " ---"

    # Just to be complete, here is a partial list of some of the other
    # IPTABLES kernel modules and their function. Please note that most
    # of these modules (the ipt ones) are automatically loaded by the
    # master kernel module for proper operation and don't need to be
    # manually loaded.
    # --------------------------------------------------------------------
    #
    # ip_nat_snmp_basic - this module allows for proper NATing of some
    # SNMP traffic
    #
    # iptable_mangle - this target allows for packets to be
    # manipulated for things like the TCPMSS
    # option, etc.
    #
    # --
    #
    # ipt_mark - this target marks a given packet for future action.
    # This automatically loads the ipt_MARK module
    #
    # ipt_tcpmss - this target allows to manipulate the TCP MSS
    # option for braindead remote firewalls.
    # This automatically loads the ipt_TCPMSS module
    #
    # ipt_limit - this target allows for packets to be limited to
    # to many hits per sec/min/hr
    #
    # ipt_multiport - this match allows for targets within a range
    # of port numbers vs. listing each port individually
    #
    # ipt_state - this match allows to catch packets with various
    # IP and TCP flags set/unset
    #
    # ipt_unclean - this match allows to catch packets that have invalid
    # IP/TCP flags set
    #
    # iptable_filter - this module allows for packets to be DROPped,
    # REJECTed, or LOGged. This module automatically
    # loads the following modules:
    #
    # ipt_LOG - this target allows for packets to be
    # logged
    #
    # ipt_REJECT - this target DROPs the packet and returns
    # a configurable ICMP packet back to the
    # sender.


    #CRITICAL: Enable IP forwarding since it is disabled by default since
    #
    # Redhat Users: you may try changing the options in
    # /etc/sysconfig/network from:
    #
    # FORWARD_IPV4=false
    # to
    # FORWARD_IPV4=true
    #
    echo " Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward


    # Dynamic IP users:
    #
    # If you get your IP address dynamically from SLIP, PPP, or DHCP,
    # enable the following option. This enables dynamic-address hacking
    # which makes the life with Diald and similar programs much easier.
    #
    echo " Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    echo " ---"

    ################################################## ###########################
    #
    # Enable Stronger IP forwarding and Masquerading
    #
    # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
    #
    # NOTE #2: The following is an example for an internal LAN address in the
    # 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet
    # mask connecting to the Internet on external interface "eth0".
    # This example will MASQ internal traffic out to the Internet
    # but not allow non-initiated traffic into your internal network.
    #
    #
    # ** Please change the above network numbers, subnet mask, and your
    # *** Internet connection interface name to match your setup
    #

    #Clearing any previous configuration
    #
    # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
    #
    # You CANNOT change this to REJECT as it isn't a vaild policy setting.
    # If you want REJECT, you must explictly REJECT at the end of a giving
    # INPUT, OUTPUT, or FORWARD chain
    #
    echo " Clearing any existing rules and setting default policy to DROP.."
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -F -t nat

    #Not needed and it will only load the unneeded kernel module
    #$IPTABLES -F -t mangle
    #
    # Flush the user chain.. if it exists
    if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
    fi
    #
    # Delete all User-specified chains
    $IPTABLES -X
    #
    # Reset all IPTABLES counters
    $IPTABLES -Z


    #Configuring specific CHAINS for later use in the ruleset
    #
    # NOTE: Some users prefer to have their firewall silently
    # "DROP" packets while others prefer to use "REJECT"
    # to send ICMP error messages back to the remote
    # machine. The default is "REJECT" but feel free to
    # change this below.
    #
    # NOTE: Without the --log-level set to "info", every single
    # firewall hit will goto ALL vtys. This is a very big
    # pain.
    #
    echo " Creating a DROP chain.."
    $IPTABLES -N drop-and-log-it
    $IPTABLES -A drop-and-log-it -j LOG --log-level info
    $IPTABLES -A drop-and-log-it -j REJECT

    echo -e "\n - Loading INPUT rulesets"


    ################################################## #####################
    # INPUT: Incoming traffic from various interfaces. All rulesets are
    # already flushed and set to a default policy of DROP.
    #

    # loopback interfaces are valid.
    #
    $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


    # local interface, local machines, going anywhere is valid
    #
    $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT


    # remote interface, claiming to be local machines, IP spoofing, get lost
    #
    $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it


    # external interface, from any source, for ICMP traffic is valid
    #
    # If you would like your machine to "ping" from the Internet,
    # enable this next line
    #
    #$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT


    # remote interface, any source, going to permanent PPP address is valid
    #
    #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


    # Allow any related traffic coming back to the MASQ server in
    #
    $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
    ESTABLISHED,RELATED -j ACCEPT


    # ----- Begin OPTIONAL INPUT Section -----
    #

    # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
    #
    #$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
    #$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

    # HTTPd - Enable the following lines if you run an EXTERNAL WWW server
    #
    # NOTE: This is NOT needed for simply enabling PORTFW. This is ONLY
    # for users that plan on running Apache on the MASQ server itself
    #
    #echo -e " - Allowing EXTERNAL access to the WWW server"
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    # -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

    #
    # ----- End OPTIONAL INPUT Section -----



    # Catch all rule, all other incoming is denied and logged.
    #
    $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


    echo -e " - Loading OUTPUT rulesets"

    ################################################## #####################
    # OUTPUT: Outgoing traffic from various interfaces. All rulesets are
    # already flushed and set to a default policy of DROP.
    #

    # loopback interface is valid.
    #
    $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


    # local interfaces, any source going to local net is valid
    #
    $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


    # local interface, any source going to local net is valid
    #
    $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT


    # outgoing to local net on remote interface, stuffed routing, deny
    #
    $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it


    # anything else outgoing on remote interface is valid
    #
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


    # ----- Begin OPTIONAL OUTPUT Section -----
    #

    # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
    # - Remove BOTH #s all the #s if you need this functionality.
    #
    #$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
    # -d 255.255.255.255 --dport 68 -j ACCEPT
    #$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
    # -d 255.255.255.255 --dport 68 -j ACCEPT

    #
    # ----- End OPTIONAL OUTPUT Section -----


    # Catch all rule, all other outgoing is denied and logged.
    #
    $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


    echo -e " - Loading FORWARD rulesets"

    ################################################## #####################
    # FORWARD: Enable Forwarding and thus IPMASQ
    #

    # ----- Begin OPTIONAL FORWARD Section -----
    #
    # ----- End OPTIONAL FORWARD Section -----


    echo " - FWD: Allow all connections OUT and only existing/related IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

    # Catch all rule, all other forwarding is denied and logged.
    #
    $IPTABLES -A FORWARD -j drop-and-log-it


    echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    #
    #More liberal form
    #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    #
    #Stricter form
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


    ################################################## #####################
    echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

    ===============End================================ =

  2. #2
    Just Joined!
    Join Date
    Jul 2004
    Posts
    6
    i trully need help on this

  3. #3
    Just Joined!
    Join Date
    Jul 2004
    Posts
    6
    please help helper

  4. $spacer_open
    $spacer_close

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •