Michael Boyd wrote:

> 1. I obtain a dynamic IP address from my ISP. How can I include this in
> my ruleset? I have experimented with...

Here is what I use:

IPADDR=`ifconfig $EXT_IF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`

> I was thinking of having a small ruleset denying
> everything on the external interface as part of the boot sequence then
> sticking with my more detailed ruleset when the ppp connection is
> established. Any comments? How would I invoke the smaller ruleset?

Here is what I do: I have a script called /etc/init.d/firewall_deny. Here it is:

#!/bin/sh
# /etc/init.d/firewall_deny
# -------------------------------------------------------------------
# This firewall is started at boot up so that everything is protected until
# the actual firewall is started with the ip-up script. If for some reason
# the ppp connection was established without the definitive firewall loaded
# then this firewall will block everything.

logger Starting Temporary Deny Everything Firewall

LOOPBACK_IF="lo"
EXT_IF="ppp0"

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# Flush any existing rules from all chains and delete any user chains
ipchains -F
ipchains -X

# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

# --------------------------------------------------------------------
# LOOPBACK
#
# Unlimited traffic on the loopback interface
ipchains -A input -i $LOOPBACK_IF -j ACCEPT
ipchains -A output -i $LOOPBACK_IF -j ACCEPT

logger Temporary Deny Everything firewall installed
exit 0

Then I have a symbolic link to this file in my /etc/rc2.d/ directory. Create this symbolic link with:

ln -s /etc/init.d/firewall_deny /etc/rc2.d/S95firewall

This means that the script will be run on booting into the default runlevel 2 (assuming you boot into runlevel 2).

> The alternative is to start the detailed ruleset on boot. But then, how
> do I tell it the dynamic IP address?
>
> 3. Do dynamic IP addresses ever get changed during a session? Something
> I read seemed to suggest this might occur. If so, how do I overcome
> that?

Then you put a link to your real firewall in the directory /etc/ppp/ip-up.d/, e.g. with this command:

# ln -s /etc/init.d/myfirewall /etc/ppp/ip-up.d/0myfirewall

The way it works is that the files in this directory are executed in order by the /etc/ppp/ip-up script. Take a look at that script, particularly the last line, and the man page for run-parts.

Make sure that the first part of your firewall script includes lines like:

iptables -F
iptables -X

so that the rules set up by the initial firewall are deleted when the real firewall is installed.

This means that when you run the script to connect to the internet with your modem, e.g. "pon provider1", it will run your firewall script after the 0dns-up script (which is also in the above directory). Don't forget to use the line for getting your IP address.

Hope that helps.

Regards.
Mark.
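An added example, not Mark's script or anything shipped with Debian: an ip-up.d hook that takes the local address pppd hands to ip-up (and so to each script under /etc/ppp/ip-up.d) instead of parsing ifconfig, validates it before any rule uses it so an empty or malformed value leaves the boot-time deny-all in force, and prints rather than executes its ipchains commands when DRY_RUN=1 so the ruleset can be reviewed first. The ip-up argument order (interface, tty, speed, local IP, remote IP, ipparam) and the function names are assumptions; the rules are a sketch, not a complete policy.

```shell
#!/bin/sh
# Added example hook for /etc/ppp/ip-up.d (not the poster's code).
# Assumes pppd's ip-up argument order: iface tty speed local-IP remote-IP ipparam.

# Return 0 only if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Fallback for the ifconfig pipeline in the post: read ifconfig output on
# stdin and print the first "inet addr:" value (an "inet6" line cannot match).
parse_ifconfig_ip() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Replace the temporary deny-all ruleset with one that knows our address.
install_rules() {
    ext_if=$1; ipaddr=$2
    if ! valid_ipv4 "$ipaddr"; then
        echo "firewall: bad local address '$ipaddr', keeping deny-all rules" >&2
        return 1
    fi
    run ipchains -F                       # flush the boot-time rules
    run ipchains -X
    run ipchains -P input DENY            # still default to deny
    run ipchains -P output REJECT
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT
    # Anti-spoofing: nothing arriving on the link may claim our own address.
    run ipchains -A input -i "$ext_if" -s "$ipaddr" -j DENY
    # Only packets we source ourselves may leave via the link.
    run ipchains -A output -i "$ext_if" -s "$ipaddr" -j ACCEPT
}

# Under ip-up, $1 is the interface and $4 the local address assigned by the
# peer; when run by hand with only an interface name, fall back to ifconfig.
if [ -n "${1:-}" ]; then
    ip=${4:-$(ifconfig "$1" | parse_ifconfig_ip)}
    install_rules "$1" "$ip"
fi
```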