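#!/bin/sh
#
#**ENDOSHIELD 1.2**
#Written by Endo (Dave Cheeseman) cheeseman@users.sourceforge.net
#EndoShield Site - http://www.sourceforge.net/projects/endoshield
#******************************************************************************
#Configuration Part of the script - If you are unsure of any of these points,
#leave them as the default setting, changing these options can seriously
#affect the security of your firewall.

#Do you want to run a ipchains firewall or iptables?
#If you are unsure about this, you need to find out what kernel you are running.
#See the readme file for more information.
TYPE="iptables"

# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections. Most cable modem users
# will probably want eth0 or possibly eth1. When in doubt look at the command
# 'ifconfig'.
INETDEV="eth0"

# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients
LAN="192.168.1.0/24"

# Change LANDEV to the network device connected to your LAN
LANDEV="eth1"

#######################################
# Print the first IPv4 address configured on a network device.
# Tries iproute2 first, then falls back to parsing ifconfig output.
# Arguments: $1 - device name (e.g. eth1)
# Outputs:   the dotted-quad address on stdout, or nothing if none was found
# Returns:   0 always; an empty result means "unknown"
#######################################
detect_local_ip() {
  local dev=$1 addr=""
  if command -v ip >/dev/null 2>&1; then
    # "ip -o" prints one record per line; field 4 is "addr/prefix".
    addr=$(ip -4 -o addr show dev "$dev" 2>/dev/null | awk '{ print $4; exit }')
    addr=${addr%%/*}
  fi
  if [ -z "$addr" ] && command -v ifconfig >/dev/null 2>&1; then
    # Matches both "inet addr:1.2.3.4" (old net-tools) and "inet 1.2.3.4";
    # the trailing space in the pattern keeps "inet6" lines out.
    addr=$(ifconfig "$dev" 2>/dev/null \
      | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
  fi
  printf '%s\n' "$addr"
}

# There should be no need to change this - it is only used for the summary
# printed below.
LOCALIP=$(detect_local_ip "$LANDEV")

#Do you want other machines on the internet to be able to PING your machine?
#(If unsure, leave as no)
PING="no"

#If you selected no as the previous option, do you want the machine to log
#the dropped pings?
LOGPINGS="no"

#If you trust all data coming from your local network, put yes.
TRUST="yes"

#If you want to share this machines internet connection, put yes
#(This will provide Masquerading services for you LAN)
#Otherwise, put no
SHARE="yes"

#Is this machine connected to a Samba Network?
#If yes, over a LAN?
SAMBALAN="no"
#Or over a WAN?
SAMBAWAN="no"
#Or over both?
SAMBA="no"

#If you are running any servers on your machine, you need to specify them below,
#you also need to specify whether these servers/ports should be open to just
#your local network, or the whole world. If you answer yes to PORTNAMEPUBLIC,
#then the specified port will be open to the whole internet, if this is left to
#the default, which is no, but you have specified that you are running a server
#on the port, the port will only be available to your local lan.

#Do you run a FTP server?
FTP="yes"
FTPPUBLIC="yes"

#Do you run a SSH server?
SSH="yes"
SSHPUBLIC="yes"

#Do you run a telnet server?
TELNET="no"
TELNETPUBLIC="no"

#Do you run a Web server?
WEB="no"
WEBPUBLIC="no"

#Do you run a mail server? (Only POP3, port 110, is opened by this switch.)
MAIL="no"
MAILPUBLIC="no"

#Do you run identd?
IDENT="no"
IDENTPUBLIC="no"

#If you want to add any trusted hosts, that is, machines on the internet or on
#your local network which you want to fully trust (Allow all data from these
#machines pass through the firewall), then list these machines below.
#Any host listed here is accepted by the firewall unconditionally, so it
#bypasses every port, ping and blocking rule. The addresses shipped as defaults
#are the author's - replace them with your own before use. Note that 1.1.1.1,
#used to mark an unused slot, is a real, routable Internet address.
TRUSTEDHOST1="131.211.28.48"
TRUSTEDHOST2="195.92.249.253"
TRUSTEDHOST3="194.159.164.195"
TRUSTEDHOST4="129.27.3.9"
TRUSTEDHOST5="1.1.1.1"

#If you want to block any hosts from accessing your machine, please list them
#below, these machines will not be able to access your machine at all, even
#your public access servers.
DENYHOST1="1.1.1.1"
DENYHOST2="1.1.1.1"
DENYHOST3="1.1.1.1"
DENYHOST4="1.1.1.1"
DENYHOST5="1.1.1.1"

#End of Configuration.
#******************************************************************************

printf '%s\n' "---------------------------------------------------------"
printf 'Local Network Device: %s\n' "$LANDEV"
printf 'Local IP: %s\n' "$LOCALIP"
printf 'Local Network Address: %s\n' "$LAN"
printf 'External Network Device: %s\n' "$INETDEV"
printf '%s\n' "---------------------------------------------------------"
printf '\n'

#Set default chain policy. This is done before anything else so that the
#host is closed (fail-safe) while the rules below are being rebuilt.
printf 'Setting default chain policies...'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
printf ' Done!\n'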
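#Abort before any rule is touched when the ipchains variant was requested;
#everything below is iptables only.
if [ "$TYPE" = "ipchains" ] || [ "$TYPE" = "IPCHAINS" ]; then
  echo "MAJOR APOLOGIES - The ipchains version didnt make it into the first version, but it is the highest priority on my TODO list"
  echo "Check http://www.endoshield.sourceforge.net for the next release"
  exit 1
fi

#######################################
# Test a yes/no configuration switch.
# Arguments: $1 - the switch value
# Returns:   0 when the value is "yes" in any letter case, 1 otherwise
#######################################
is_yes() {
  case "$1" in
    [yY][eE][sS]) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Open a TCP service port in the inet-in chain.
# Globals:   LANDEV (read)
# Arguments: $1 - switch: is the server running at all
#            $2 - switch: should the port also be reachable from the Internet
#            $3 - TCP port number
# Returns:   0; does nothing when $1 is not yes
#######################################
open_service() {
  local enabled=$1 public=$2 port=$3
  is_yes "$enabled" || return 0
  # inet-in is reached from INPUT, where no output interface exists, so the
  # LAN-only rule matches on the inbound device alone (a '-o' match here
  # could never succeed and left LAN-only services unreachable).
  iptables -A inet-in -p tcp -i "$LANDEV" --dport "$port" -j ACCEPT
  if is_yes "$public"; then
    iptables -A inet-in -p tcp --dport "$port" -j ACCEPT
  fi
}

#######################################
# Log, then drop, all TCP and UDP traffic to a port or port range.
# Arguments: $1 - port number or low:high range
#######################################
block_port() {
  local port=$1 proto
  for proto in tcp udp; do
    iptables -A inet-in -p "$proto" --dport "$port" -j LOG
    iptables -A inet-in -p "$proto" --dport "$port" -j DROP
  done
}

#Flush all chains
printf 'Flushing chains...'
iptables -F
iptables -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
printf ' Done!\n'

#Add custom chains
printf 'Adding custom chains...'
iptables -N inet-in
iptables -N inet-out
printf ' Done!\n'

#Set INPUT rules
printf 'Setting rules for INPUT chain...'
iptables -A INPUT -i lo -j ACCEPT
#Stateful rules go ahead of the per-interface chains: malformed packets from
#the Internet are dropped at once, and replies to connections this host opened
#are accepted without passing through the port, ping and logging rules below.
iptables -A INPUT -i "$INETDEV" -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
if is_yes "$TRUST"; then
  iptables -A INPUT -i "$LANDEV" -j ACCEPT
else
  iptables -A INPUT -i "$LANDEV" -j inet-in
fi
iptables -A INPUT -i "$INETDEV" -j inet-in
#Whatever falls out of inet-in is a new connection no rule opened a port for.
#The DROP policy already catches it; this rule keeps the intent explicit.
iptables -A INPUT -i "$INETDEV" -m state --state NEW -j DROP
printf ' Done!\n'

#Set FORWARD rules
printf 'Setting rules for FORWARD chain...'
if is_yes "$SHARE"; then
  modprobe iptable_nat
  iptables -A FORWARD -s "$LAN" -j ACCEPT
  #Only replies to connections opened from the LAN are forwarded back in; an
  #unconditional accept on '-d LAN' would pass anything routed at the LAN.
  iptables -A FORWARD -d "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
  #Activate masquerade
  printf 'Activating masquerade...'
  iptables -t nat -A POSTROUTING -o "$INETDEV" -j MASQUERADE
  printf ' Done!\n'
fi
printf ' Done!\n'

#Set OUTPUT rules
printf 'Setting rules for OUTPUT chain...'
iptables -A OUTPUT -j inet-out
printf ' Done!\n'

#Set inet-in rules. A chain is read top to bottom and the first match wins, so
#the deny list comes first (otherwise a denied host could still reach every
#public server port), then the fully trusted hosts, then the services. A host
#that appears in both lists is therefore denied.
printf 'Setting rules for internet device incoming chain:\n'

printf 'Denying all specified hosts.... '
for host in "$DENYHOST1" "$DENYHOST2" "$DENYHOST3" "$DENYHOST4" "$DENYHOST5"; do
  [ -n "$host" ] || continue   # empty slot
  iptables -A inet-in -s "$host" -j DROP
done
printf 'Done!\n'

printf 'Adding trusted hosts.... '
for host in "$TRUSTEDHOST1" "$TRUSTEDHOST2" "$TRUSTEDHOST3" "$TRUSTEDHOST4" "$TRUSTEDHOST5"; do
  [ -n "$host" ] || continue   # empty slot
  iptables -A inet-in -s "$host" -j ACCEPT
done
printf 'Done!\n'

printf 'Setting open ports for specified servers / Network Services .... '
#Samba (138:139/tcp as configured): SAMBALAN is the LAN side only, SAMBAWAN the
#Internet side only, SAMBA has no interface match and so covers both.
if is_yes "$SAMBALAN"; then
  iptables -A inet-in -p tcp -i "$LANDEV" --dport 138:139 -j ACCEPT
fi
if is_yes "$SAMBAWAN"; then
  iptables -A inet-in -p tcp -i "$INETDEV" --dport 138:139 -j ACCEPT
fi
if is_yes "$SAMBA"; then
  iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT
fi
open_service "$FTP"    "$FTPPUBLIC"    21
open_service "$TELNET" "$TELNETPUBLIC" 23
open_service "$SSH"    "$SSHPUBLIC"    22
open_service "$WEB"    "$WEBPUBLIC"    80
open_service "$MAIL"   "$MAILPUBLIC"   110   # POP3 only; SMTP is not opened here
open_service "$IDENT"  "$IDENTPUBLIC"  113
printf 'Done!\n'

printf ' Setup ping option on/off...'
if is_yes "$PING"; then
  # Accepts every ICMP type, not just echo-request.
  iptables -A inet-in -p ICMP -j ACCEPT
fi
if is_yes "$LOGPINGS"; then
  # Has no effect when PING is yes (the ACCEPT above matches first). Logged
  # packets continue down the chain and end in the INPUT DROP policy.
  iptables -A inet-in -p ICMP -j LOG
fi
printf 'Done!\n'

printf ' Setup port blocking on vulnerable ports...'
#These ports are logged and dropped explicitly rather than left to the DROP
#policy so that probes for them show up in the log.
block_port 2049          #NFS
block_port 5432          #postgres (numeric so a missing /etc/services entry cannot break the rule)
block_port 5999:6003     #X
block_port 7100          #XFS
block_port 31337         #Back Orifice
block_port 12345:12346   #netbus
printf ' Done!\n'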