Listing 2. Annotated Script for Bridging Firewall Setup
#!/bin/sh
#####################################################################
# firewall.sh - set up ipchains rules for a bridging firewall
#
# Copyright (c) 2000 UK/Canada/Netherlands Joint Astronomy Centre
#
# Permission to use, copy, modify, distribute,
# and sell this software and its documentation
# for any purpose is hereby granted without fee,
# provided that the above copyright notice appear
# in all copies and that both that copyright notice
# and this permission notice appear in
# supporting documentation, and that the name
# Joint Astronomy Centre not
# be used in advertising or publicity pertaining
# to distribution of this
# software without specific, written prior
# permission.
#
# THIS SOFTWARE IS PROVIDED `AS-IS'. THE JOINT
# ASTRONOMY CENTRE DISCLAIMS
# ALL WARRANTIES WITH REGARD TO THIS
# SOFTWARE, INCLUDING WITHOUT
# LIMITATION ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE, OR NONINFRINGEMENT.
# IN NO EVENT SHALL THE JOINT
# ASTRONOMY CENTRE BE LIABLE FOR ANY DAMAGES
# WHATSOEVER, INCLUDING SPECIAL,
# INCIDENTAL OR CONSEQUENTIAL DAMAGES,
# INCLUDING LOSS OF USE, DATA, OR
# PROFITS, EVEN IF ADVISED OF THE
# POSSIBILITY THEREOF, AND REGARDLESS OF
# WHETHER IN AN ACTION IN CONTRACT,
# TORT OR NEGLIGENCE, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# (There. That should satisfy the lawyers.
# In Plain English, here's the
# software. Do whatever you want with it.
# If anything breaks, it's your
# fault and your problem. Don't come
# crying to us. We're not paying
# anyone for anything.)
#######################################################################
IPCHAINS="/sbin/ipchains"
#############################
# Definitions
#############################
# Everything marked EDIT is site-specific. The listing ships with
# placeholders, so it is not meant to be run unmodified. An empty
# unquoted value simply disappears from the ipchains command line
# (e.g. "-s $mynet" becomes "-s -d ..."), which leaves that rule
# malformed; ipchains should reject it rather than match everything,
# but check the error output on first run rather than assuming so.
#
# Interfaces
EXT_IF="eth2"   # EDIT - the interface that connects to the Internet
INT_IF="eth1"   # EDIT - the interface that connects to your protected network
#
# Addresses
firewallhost="N.N.N.N/32"   # EDIT - the firewall's own address
mynet=""                    # EDIT - your network/mask
Any="0.0.0.0/0"             # wildcard used as source or destination
localhost="127.0.0.1/32"
# NOTE(review): within this listing neither firewallhost nor localhost
# is referenced by any rule; they are kept for sites that add rules of
# their own.
##########################################
# Public (outside the firewall) servers
##########################################
WWW_SERVER=""      # EDIT - address of your public WWW server
FTP_SERVER=""      # EDIT - address of your public FTP server
SMTP_SERVER=""     # EDIT - address of your public mail server
INTERNAL_SMTP=""   # EDIT - address of your internal mail hub
SSH_SERVER=""      # EDIT - address of your public login (SSH) server
NNTP_SERVER=""     # EDIT - address of your upstream News server
INTERNAL_NTP=""    # EDIT - address of your internal NTP server
# NOTE(review): WWW_SERVER and FTP_SERVER are not used by any rule in
# this listing (only replies from arbitrary web/FTP servers are allowed
# back in); fill them in if you add rules for your own public servers.
#############################
# Set default policies
#############################
# The three built-in chains are deliberately left at ACCEPT: as the
# author notes below, bridged frames are filtered through the bridgein
# chain, not through input/forward/output. All filtering in this script
# therefore depends on the bridgein rules further down being installed.
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT
#############################
# Flush any old rules
#############################
# No chain name is given, so the intent is to empty every chain before
# the rules are re-added. Whether the user-defined chains (public,
# private) are included depends on the ipchains version - verify this
# before relying on a re-run to produce a clean ruleset.
$IPCHAINS -F
#############################
# Create 2 new chains
#############################
# On a second run these chains already exist and -N reports an error;
# the script has no "set -e", so it continues, and that is harmless as
# long as -F above has emptied them.
$IPCHAINS -N public
$IPCHAINS -N private
# Since this is a bridge, not a router,
# you really don't need any of these
# input rules
# forward rules
# output rules
#############################
# Bridge chain - pass packets to appropriate
# chain based on their input
# interface
#############################
# NOTE(review): bridgein is never created with -N here, so it is
# presumably a chain supplied by the kernel's bridge-firewall patch -
# confirm for your kernel. If it did not exist, every -A below would
# fail and nothing in this script would filter anything.
# bridgein rules
# Frames from the inside interface must carry a $mynet source, frames
# from the outside interface must be addressed to $mynet; anything else
# (e.g. a foreign source address appearing on $INT_IF) is not dispatched
# and falls through to the DENY rules at the end of this chain.
$IPCHAINS -A bridgein -s $mynet -d $Any -i $INT_IF -j private
$IPCHAINS -A bridgein -s $Any -d $mynet -i $EXT_IF -j public
# Deny anything not explicitly matched in one of the other chains
# Packets that reach the end of the private or public chain without a
# match return here and are dropped and logged (-l). The tcp-only rule
# is redundant with the catch-all below it - presumably kept so TCP
# denials get their own packet counter. Because these rules are appended
# before the public/private chains are filled in, traffic is denied
# rather than passed while the rest of the script is still loading.
$IPCHAINS -A bridgein -p tcp -s $Any -d $Any -j DENY -l
$IPCHAINS -A bridgein -s $Any -d $Any -j DENY -l
#############################
# "Public" rules - these control who/what gets to
# talk through the
# firewall from the Internet
# to your protected network
#
# These are examples - modify to suit your own
# security needs
#############################
# Everything in this chain arrived on $EXT_IF with a $mynet destination
# (see the bridgein dispatch rule). ipchains keeps no connection state,
# so "replies" are recognised only by port number and the absence of
# the SYN flag ("! -y"); an unsolicited non-SYN segment that fits one of
# the patterns below is accepted just the same. Keep that limitation in
# mind when loosening any rule here.
# public rules
# ICMP - allow echo-request from the "public"
# servers back in to the
# internal net. Do we need this? In any case,
# block all echo-request
# packets from anyone else. Don't bother to
# log ping attempts.
# Allow some of the other useful ICMP messages
# The "public" servers share the $mynet address range but sit outside
# the firewall, so a $mynet source seen on $EXT_IF cannot be told apart
# from a forged one; this applies to every "-s $mynet ... -i $EXT_IF"
# rule in this chain.
$IPCHAINS -A public -p icmp -s $mynet 8 -d $mynet -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p icmp -s $Any 8 -d $mynet -i $EXT_IF -j DENY
# ICMP - allow echo-reply from anyone, so we can ping out.
# NOTE(review): the comment says "from anyone" but the rule only accepts
# echo-reply with a $mynet source. Replies to pings sent to hosts outside
# $mynet (which the private chain lets out) will not match here and are
# dropped by the final DENY of this chain. Either the comment or the
# source address is wrong - decide which before relying on ping.
$IPCHAINS -A public -p icmp -s $mynet 0 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow destination-unreachable
$IPCHAINS -A public -p icmp -s $Any 3 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow source-quench
$IPCHAINS -A public -p icmp -s $Any 4 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow time-exceeded
$IPCHAINS -A public -p icmp -s $Any 11 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow parameter-problem
$IPCHAINS -A public -p icmp -s $Any 12 -d $mynet -i $EXT_IF -j ACCEPT
#######################################
# Services
#######################################
# SSH - Assumes you have a machine on the outside
# of the firewall to which
# users can login via SSH, then, once
# authenticated, connect to
# any of the protected hosts
# This is the only rule that admits a new (SYN) TCP connection from the
# outside, and only from $SSH_SERVER to port ssh on the inside.
$IPCHAINS -A public -p tcp -s $SSH_SERVER -d $mynet ssh -i $EXT_IF -j ACCEPT
# Allow replies from any SSH server anywhere
# back in - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any ssh -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# Telnet - allow replies from telnet servers
# back in - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any telnet -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# WWW - allow replies from standard HTTP/HTTPS
# servers - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any www -d $mynet -i $EXT_IF -j ACCEPT ! -y
$IPCHAINS -A public -p tcp -s $Any https -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# FTP - Allow replies from external FTP servers
# - only if SYN not set
# Note: active-mode FTP data connections are opened by the server with
# SYN set, so only passive-mode transfers fit these two rules.
$IPCHAINS -A public -p tcp -s $Any ftp -d $mynet -i $EXT_IF -j ACCEPT ! -y
$IPCHAINS -A public -p tcp -s $Any ftp-data -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# SMTP - only allow incoming Email from the
# "public" server to the internal hub
# First rule: new connections from the public mail server to the hub.
# Second rule: replies for connections the hub opened to that server.
$IPCHAINS -A public -p tcp -s $SMTP_SERVER -d $INTERNAL_SMTP smtp -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $SMTP_SERVER smtp -d $INTERNAL_SMTP -i $EXT_IF -j ACCEPT ! -y
#######################################
# WHOIS - allow replies from any WHOIS server
# From here on, reply rules are tightened to unprivileged destination
# ports (1024:65535), the range a client would normally have used.
$IPCHAINS -A public -p tcp -s $Any whois -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# Finger - allow replies from any finger server
$IPCHAINS -A public -p tcp -s $Any finger -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# Auth - allow IDENT replies
$IPCHAINS -A public -p tcp -s $Any auth -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# News - allow replies from the NNTP server
$IPCHAINS -A public -p tcp -s $NNTP_SERVER nntp -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# NTP - let your internal NTP server synchronize
# with a clock somewhere.
# For better security, specify the external
# NTP servers.
# UDP has no SYN flag, so this accepts any packet from port ntp to port
# ntp on $INTERNAL_NTP regardless of whether the server asked for it.
$IPCHAINS -A public -p udp -s $Any ntp -d $INTERNAL_NTP ntp -i $EXT_IF -j ACCEPT
#######################################
# DNS - allow DNS replies back in
# The UDP rule admits any datagram whose source port is 53 to any
# unprivileged port on any internal host; that is the price of stateless
# filtering. Restricting -s to your resolvers' addresses narrows it.
$IPCHAINS -A public -p udp -s $Any domain -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $Any domain -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# NFS - let internal hosts mount disks from
# the "public" servers.
# Do we need this?
# Both directions of NFS over TCP (port 2049 on either end), with SYN
# allowed, between hosts claiming a $mynet address.
$IPCHAINS -A public -p tcp -s $mynet 2049 -d $mynet -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $mynet -d $mynet 2049 -i $EXT_IF -j ACCEPT
#######################################
# RPC - let the "public" servers contact the
# portmapper on internal hosts.
# Do we need this?
$IPCHAINS -A public -p udp -s $mynet 0:1023 -d $mynet sunrpc -i $EXT_IF -j ACCEPT
#######################################
# UDP - Allow general UDP traffic between
# "public" and "protected" hosts.
# Do we need this?
# Together these two rules accept UDP from any source port to any port
# on the inside, provided the source address is in $mynet - which, as
# noted above, cannot be verified on $EXT_IF. They also make the RPC
# rule above redundant. Answer the author's question before deploying.
$IPCHAINS -A public -p udp -s $mynet 0:1023 -d $mynet -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p udp -s $mynet 1024:65535 -d $mynet -i $EXT_IF -j ACCEPT
#######################################
# Established connections from unprivileged ports
# NOTE(review): this is the broadest rule in the chain - any non-SYN TCP
# segment from any unprivileged source port to any port on any internal
# host. It largely subsumes the per-service "! -y" rules above for
# source ports >= 1024 and exposes every internal TCP port to non-SYN
# probes. Consider whether it is really needed.
$IPCHAINS -A public -p tcp -s $Any 1024:65535 -d $mynet -i $EXT_IF -j ACCEPT ! -y
# Deny (and log!) everything not explicitly allowed
# Terminal rule of this chain; nothing below it in "public" is reached.
$IPCHAINS -A public -s $Any -d $Any -i $EXT_IF -j DENY -l
######################################
# "Private" rules - these control which internal
# hosts can talk through the
# firewall, and to whom
#
# In most cases, these should be fairly liberal.
######################################
# Everything in this chain arrived on $INT_IF with a $mynet source (the
# bridgein dispatch rule enforces that), so the "-s $mynet -i $INT_IF"
# on each rule is belt-and-braces rather than the anti-spoofing check.
# Unlike the public chain there is no terminal DENY here: whatever does
# not match returns to bridgein and is dropped and logged by its
# catch-all rules.
# private rules
######################################
# ICMP - Allow echo replies back out to the
# "public" servers, as well as
# allowing some of the more useful
# messages back out to anyone.
# Echo-reply is only allowed towards $mynet (the public servers), which
# mirrors the echo-request rule in the public chain; outsiders pinging
# an internal host get no answer.
$IPCHAINS -A private -p icmp -s $mynet 0 -d $mynet -i $INT_IF -j ACCEPT
# ICMP - Allow echo-request
$IPCHAINS -A private -p icmp -s $mynet 8 -d $Any -i $INT_IF -j ACCEPT
# ICMP - Allow destination-unreachable
$IPCHAINS -A private -p icmp -s $mynet 3 -d $Any -i $INT_IF -j ACCEPT
# ICMP - allow source-quench
$IPCHAINS -A private -p icmp -s $mynet 4 -d $Any -i $INT_IF -j ACCEPT
# ICMP - allow time-exceeded
$IPCHAINS -A private -p icmp -s $mynet 11 -d $Any -i $INT_IF -j ACCEPT
# ICMP - Allow parameter-problem
$IPCHAINS -A private -p icmp -s $mynet 12 -d $Any -i $INT_IF -j ACCEPT
######################################
# Services
######################################
# SMTP - restrict SMTP to only between
# the "public" server and the internal
# mailhub. Log any unauthorized attempts
# Order matters: the logged DENY for port smtp must come before the
# "allow anything else" rules below, otherwise it would never match and
# any internal host could send mail directly to the Internet.
$IPCHAINS -A private -p tcp -s $INTERNAL_SMTP -d $SMTP_SERVER smtp -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $mynet -d $Any smtp -i $INT_IF -j DENY -l
#####################################
# Pretty much allow anything else.
# All outbound TCP and UDP from any source port. Protocols other than
# tcp/udp/icmp, and the ICMP types not listed above, are not matched by
# this chain and fall back to the bridgein DENY.
$IPCHAINS -A private -p tcp -s $mynet 0:1023 -d $Any -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $mynet 1024:65535 -d $Any -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p udp -s $mynet 0:1023 -d $Any -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p udp -s $mynet 1024:65535 -d $Any -i $INT_IF -j ACCEPT