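#!/bin/sh
#
# 3iptables-ppp_up-rules, v 0.2 2003/04/27 17:52:55
# Kiryanov Vasiliy, mailto://root@lycos.ru
#
# Many people use ppp to connect to the InterNet; this script sets BASIC
# firewall (iptables) rules to protect your machine from crackers.
# For good protection read the iptables(8) manual and tune this script!
#
# USAGE:
#   put 3iptables-ppp_up-rules   in /etc/ppp/ip-up.d
#   put 3iptables-ppp_down-rules in /etc/ppp/ip-down.d
# If you find some errors or something missing, write me: root@lycos.ru
#
# What these rules do, and what they do NOT do:
#   - drop packets arriving on the PPP link whose source address cannot
#     legitimately come from the Internet (our own address, loopback,
#     private class A/B/C ranges, multicast, reserved, broadcast);
#   - set the FORWARD policy to DROP so this box does not route for others.
#   They do NOT restrict inbound connections to services listening on this
#   host; add explicit INPUT rules for that (see the note near the end).
#
# Environment: pppd runs ip-up, which sets the PPP_* variables below and
# then uses run-parts to execute every script in /etc/ppp/ip-up.d, one of
# which is this one.  The script exits 0 when iptables is unusable (so
# run-parts keeps going) and non-zero when a rule could not be installed.
#--------------------------------------------------------------

# Report a problem on stderr (pppd/run-parts log it) and remember it for the
# final exit status, but keep going so the remaining rules are still set.
rv=0
warn() {
  printf '%s\n' "3iptables-ppp_up-rules: $*" >&2
  rv=1
}

# Append one DROP rule to INPUT for the PPP interface; the extra arguments
# are the match ("--source X" / "--destination X").
drop_in() {
  /sbin/iptables --append INPUT --in-interface "$PPP_IFACE" "$@" --jump DROP \
    || warn "failed: iptables -A INPUT -i $PPP_IFACE $* -j DROP"
}

# check that iptables exists and the kernel supports it; the listing itself
# is of no interest here, so keep it out of the ppp log
/sbin/iptables --list --numeric >/dev/null 2>&1 || exit 0

# ip-up sets these variables before running us, so we don't need to do it:
#   Var Name     Meaning                          Example
#   PPP_IFACE    Interface name                   ppp0
#   PPP_TTY      The tty                          ttyS1
#   PPP_SPEED    The link speed                   38400
#   PPP_LOCAL    Local IP number                  12.34.56.78
#   PPP_REMOTE   Peer IP number                   12.34.56.99
#   PPP_IPPARAM  Optional ``ipparam'' value       foo
#   PPP_TTYNAME  Tty name stripped of /dev/ (if present) for easier matching
#
# Refuse to run with them missing: an empty $PPP_IFACE would make iptables
# misparse the command line instead of installing the rule we meant.
: "${PPP_IFACE:?not set - run this from /etc/ppp/ip-up.d, not by hand}"
: "${PPP_LOCAL:?not set - run this from /etc/ppp/ip-up.d, not by hand}"

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
export PATH

# set variables for handy manipulation
#MY_ISP="217.21.59.0/24"           # set your ISP address range !!
#--------------------------------------------------------------
LOOPBACK_INTERFACE="lo"            # loopback interface (unused here; for your own rules)
LOOPBACK="127.0.0.0/8"             # loopback address range
CLASS_A="10.0.0.0/8"               # private class A addresses
CLASS_B="172.16.0.0/12"            # private class B addresses
CLASS_C="192.168.0.0/16"           # private class C addresses
CLASS_D="224.0.0.0/4"              # MULTICAST
CLASS_E="240.0.0.0/5"              # RESERVED (240.0.0.0/4 is the whole reserved block)
BROADCAST_SRC="0.0.0.0"            # broadcast source address
BROADCAST_DST="255.255.255.255"    # broadcast destination address
PRIVATE_PORTS="0:1023"             # your computer's privileged ports (see note at the end)
#--------------------------------------------------------------

# Save the existing ruleset; 3iptables-ppp_down-rules restores it when the
# PPP interface goes down.  The dump reveals your whole firewall policy, so
# create it readable by root only (umask 077).
# NOTE: the default path is in world-writable /tmp, where any local user can
# pre-create a file or symlink of that name before pppd (running as root)
# writes to it.  Removing a pre-existing entry narrows, but does not close,
# that window.  If other users have accounts on this machine, set SAVE_FILE
# to a file in a root-only directory (e.g. under /var/run) in BOTH scripts.
SAVE_FILE="${SAVE_FILE:-/tmp/3iptables-ppp_up-SAVE}"
umask 077
rm -f -- "$SAVE_FILE"
/sbin/iptables-save > "$SAVE_FILE" \
  || warn "cannot save the current rules to $SAVE_FILE; ip-down will have nothing to restore"

#INPUT RULESET
# block packets with your own source ip-address [you can't send packets to
# yourself over the link]
drop_in --source "$PPP_LOCAL"

# block packets with a LOOPBACK source address
drop_in --source "$LOOPBACK"

# block class A,B,C (private), D (multicast) and E (reserved) source ranges
# [they can't come from the InterNet]
for net in "$CLASS_A" "$CLASS_B" "$CLASS_C" "$CLASS_D" "$CLASS_E"; do
  drop_in --source "$net"
done

# block broadcast source and broadcast destination packets
drop_in --source "$BROADCAST_SRC"
drop_in --destination "$BROADCAST_DST"

#ISP block, WITHOUT Peer IP number [we work through it]
#/sbin/iptables --append INPUT --in-interface "$PPP_IFACE" --source "$PPP_REMOTE" --jump ACCEPT
#drop_in --source "$MY_ISP"

# NOTE: nothing above stops a remote host from connecting to a service that
# listens on this machine.  If you run none on purpose, a rule like the
# following refuses new TCP connections to the privileged ports:
#drop_in --protocol tcp --syn --destination-port "$PRIVATE_PORTS"

#OUTPUT RULESET
# I can send anything I want, are you ?

#FORWARD RULESET
# block packets sent to you for FORWARDING, do you need it?
/sbin/iptables --policy FORWARD DROP || warn "cannot set the FORWARD policy to DROP"

#
# try '$ ifconfig' to see if your ppp interface is all right
# try '# iptables --list' to see if all rules are right
exit "$rv"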