slitaz-tools rev 769
New way to set up the SliTaz firewall
author | Christophe Lincoln <pankso@slitaz.org> |
---|---|
date | Fri Jun 01 14:04:34 2012 +0200 (2012-06-01) |
parents | d6b0effae42e |
children | 2f00591f2ce6 |
files | Makefile etc/firewall.conf etc/init.d/firewall etc/slitaz/firewall.conf etc/slitaz/firewall.sh |
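--- a/Makefile
+++ b/Makefile
@@ -97,7 +97,7 @@
 done;
 
 # /usr/bin tools.
- for app in tazx startx history editor browser terminal file-manager; \
+ for app in tazx startx history editor browser terminal file-manager decode; \
 do \
 install -m 0755 tinyutils/$$app $(DESTDIR)$(PREFIX)/bin; \
 done;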
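--- a/etc/firewall.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# /etc/firewall.conf: SliTaz firewall configuration.
-# Config file used by: /etc/init.d/firewall.sh
-#
-
-# Network interface.
-INTERFACE="eth0"
-
-# Enable/disable kernel security.
-KERNEL_SECURITY="yes"
-
-# Enable/disable iptables rules (iptables package must be installed).
-IPTABLES_RULES="no"
-
-# Netfilter/iptables rules.
-# This shell function is included in /etc/init.d/firewall.sh
-# to start iptables rules.
-#
-iptables_rules()
-{
-
-# Drop all input connections.
-iptables -P INPUT DROP
-
-# Drop all output connections.
-iptables -P OUTPUT DROP
-
-# Drop all forward connections.
-iptables -P FORWARD DROP
-
-# Accept input on localhost (127.0.0.1).
-iptables -A INPUT -i lo -j ACCEPT
-
-# Accept input on the local network (192.168.0.0/24).
-iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
-
-# Accept near all output trafic.
-iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-
-# Accept input trafic only for connections initialized by user.
-iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.
-# else you can disable the lines below for more secured setup
-
-# Accept input on port 80 for the HTTP server.
-iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT
-
-# Accept input on port 22 for SSH.
-iptables -A INPUT -i $INTERFACE -p tcp --destination-port 22 -j ACCEPT
-
-# Accept port 21 and, 1024 to 60310 for FTP.
-iptables -A INPUT -i $INTERFACE -p tcp --destination-port 21 -j ACCEPT
-iptables -A INPUT -i $INTERFACE -p tcp --destination-port 1024:60310 -j ACCEPT
-
-# Accept port 6667 for IRC chat.
-iptables -A INPUT -i $INTERFACE -p tcp --source-port 6667 -j ACCEPT
-
-# Accept unprivileged ports.
-iptables -A INPUT -i $INTERFACE -p udp --destination-port 1024:65535 -j ACCEPT
-
-# Accept ping.
-iptables -A INPUT -i $INTERFACE -p icmp -j ACCEPT
-
-}
-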
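--- a/etc/init.d/firewall
+++ b/etc/init.d/firewall
@@ -1,90 +1,80 @@
 #!/bin/sh
-# /etc/init.d/firewall - SliTaz firewall daemon script using iptables.
-# Config file is: /etc/firewall.conf
+#
+# /etc/init.d/firewall : SliTaz firewall daemon script
+# Configuration file : /etc/slitaz/firewall.conf
+# Firewall script : /etc/slitaz/firewall.sh
 #
 . /etc/init.d/rc.functions
-. /etc/firewall.conf
+. /etc/slitaz/firewall.conf
 
-case $1 in
- start)
- # Kernel security. 0 = disable, 1 = enable.
- #
- if [ "$KERNEL_SECURITY" = "yes" ] ; then
- echo -n "Setting up kernel security rules... "
- # ICMP redirects acceptance.
- for conf in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
- echo "0" > $conf
- done
- for conf in /proc/sys/net/ipv4/conf/*/secure_redirects ; do
- echo "0" > $conf
- done
- # IP source routing.
- for conf in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
- echo "0" > $conf
- done
- # Log impossible addresses.
- for conf in /proc/sys/net/ipv4/conf/*/log_martians ; do
- echo "1" > $conf
- done
- # Ip spoofing protection.
- for conf in /proc/sys/net/ipv4/conf/*/rp_filter ; do
- echo "1" > $conf
- done
- echo "1" > /proc/sys/net/ipv4/tcp_syncookies
- status
- else
- echo "Kernel security rules are disabled in: /etc/firewall.conf... "
- fi
- # Netfilter/iptables rules. We get the rules from /etc/firewall.conf.
- #
- if [ "$IPTABLES_RULES" = "yes" ] ; then
- echo -n "Setting up iptables rules defined in: /etc/firewall.conf... "
- iptables_rules
- status
- else
- echo "Iptables rules are disabled in: /etc/firewall.conf... "
- exit 0
- fi
- ;;
- stop)
- if [ "$IPTABLES_RULES" = "yes" ] ; then
- echo -n "Stopping iptables firewall rules... "
- iptables -P INPUT ACCEPT
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD ACCEPT
- iptables -F
- iptables -X
- status
- else
- echo "Iptables rules are disabled in: /etc/firewall.conf... "
- exit 0
- fi
- ;;
- restart)
- $0 stop
- sleep 2
- $0 start
- ;;
- status)
- echo ""
- echo -e "\033[1m===================== SliTaz firewall statistics =====================\033[0m"
- echo ""
- if [ "$KERNEL_SECURITY" = "yes" ] ; then
- echo "Kernel security: enabled"
- else
- echo "Kernel security: disabled"
- fi
- echo ""
- echo "Netfilter/iptables rules: "
- echo ""
- iptables -nL
- echo ""
- ;;
- *)
- echo ""
- echo -e "\033[1mUsage:\033[0m /etc/init.d/`basename $0` [start|stop|restart|status]"
- echo ""
- exit 1
- ;;
+case "$1" in
+ start)
+ # Kernel security. 0 = disable, 1 = enable.
+ #
+ if [ "$KERNEL_SECURITY" = "yes" ] ; then
+ echo -n "Setting up kernel security rules... "
+ # ICMP redirects acceptance.
+ for conf in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
+ echo "0" > $conf
+ done
+ for conf in /proc/sys/net/ipv4/conf/*/secure_redirects ; do
+ echo "0" > $conf
+ done
+ # IP source routing.
+ for conf in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
+ echo "0" > $conf
+ done
+ # Log impossible addresses.
+ for conf in /proc/sys/net/ipv4/conf/*/log_martians ; do
+ echo "1" > $conf
+ done
+ # Ip spoofing protection
+ for conf in /proc/sys/net/ipv4/conf/*/rp_filter; do
+ echo "1" > $conf
+ done
+ echo "1" > /proc/sys/net/ipv4/tcp_syncookies
+ status
+ else
+ echo "WARNING: Kernel security rules are disabled"
+ fi
+ # Netfilter/IPtables rules
+ if [ "$IPTABLES_RULES" = "yes" ] ; then
+ echo -n "Starting IPtables firewall: /etc/slitaz/firewall.sh"
+ /etc/slitaz/firewall.sh
+ status
+ else
+ echo "WARNING: IPtables rules are disabled"
+ fi ;;
+ stop)
+ if [ "$IPTABLES_RULES" = "yes" ] ; then
+ echo -n "Stopping iptables firewall rules... "
+ iptables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -F
+ iptables -X
+ status
+ else
+ echo "Iptables rules are disabled... "
+ fi ;;
+ restart)
+ $0 stop
+ sleep 2
+ $0 start ;;
+ status)
+ echo ""
+ echo -e "\033[1m===================== SliTaz firewall statistics =====================\033[0m"
+ echo ""
+ if [ "$KERNEL_SECURITY" = "yes" ] ; then
+ echo "Kernel security: enabled"
+ else
+ echo "Kernel security: disabled"
+ fi
+ echo -e "\nNetfilter/iptables rules:\n"
+ iptables -nL
+ echo "" ;;
+ *)
+ echo ""
+ echo -e "\033[1mUsage:\033[0m $0 [start|stop|restart|status]"
+ echo "" ;;
 esac
-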
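Review bot: The `*)` usage branch (new lines 3.163–3.166) no longer exits non-zero: the old branch ended with `exit 1`, the new one falls through `esac` and returns 0, so a mistyped action is reported as success to whatever invokes the init script; restore `exit 1` after the final `echo ""`. The `status` call after `/etc/slitaz/firewall.sh` at 3.131 only sees that script's exit code, which (it does not use `set -e`) is the status of its last `iptables` command, so rules that failed earlier in the script are reported as a successful start. The `start` branch also appends rules without flushing first, so invoking `start` twice leaves duplicate entries in INPUT; consider calling the same `iptables -F`/`iptables -X` sequence as `stop` before running the firewall script.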
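--- /dev/null
+++ b/etc/slitaz/firewall.conf
@@ -0,0 +1,15 @@
+# /etc/slitaz/firewall.conf : SliTaz firewall configuration
+# Sourced by: /etc/init.d/firewall and /etc/slitaz/firewall.sh
+#
+
+# Network interfaces (separate by space)
+INTERFACES="eth0"
+
+# Enable/disable kernel security
+KERNEL_SECURITY="yes"
+
+# Enable/disable iptables rules (iptables package must be installed).
+IPTABLES_RULES="no"
+
+# Accept input on the local network
+LOCAL_NETWORK="192.168.0.0/24"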
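Review bot: The comment above LOCAL_NETWORK (4.17) does not say how the value is consumed: /etc/slitaz/firewall.sh passes it unquoted as the single argument of `iptables -s`, so unlike INTERFACES it must hold exactly one address or CIDR, and a space-separated list would break that rule. Suggest `# Accept input on the local network (one address or CIDR, passed to iptables -s)`.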
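--- /dev/null
+++ b/etc/slitaz/firewall.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# SliTaz IPtables firewall rules
+#
+. /etc/slitaz/firewall.conf
+
+# Drop all input connections
+iptables -P INPUT DROP
+
+# Drop all output connections
+iptables -P OUTPUT DROP
+
+# Drop all forward connections
+iptables -P FORWARD DROP
+
+# Accept input on localhost (127.0.0.1)
+iptables -A INPUT -i lo -j ACCEPT
+
+# Accept input on the local network
+iptables -A INPUT -s $LOCAL_NETWORK -j ACCEPT
+
+# Accept near all output trafic.
+iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Accept input trafic only for connections initialized by user.
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# If you manage a HTTP/SSH/FTP/IRC server you can accept input for
+# non-established connections an some ports. Else you can disable the
+# lines below for more secured setup.
+for iface in $INTERFACES
+do
+ # Accept input on port 80 for the HTTP server.
+ iptables -A INPUT -i $iface -p tcp --source-port 80 -j ACCEPT
+
+ # Accept input on port 22 for SSH.
+ iptables -A INPUT -i $iface -p tcp --destination-port 22 -j ACCEPT
+
+ # Accept port 21 and, 1024 to 60310 for FTP.
+ iptables -A INPUT -i $iface -p tcp --destination-port 21 -j ACCEPT
+ iptables -A INPUT -i $iface -p tcp --destination-port 1024:60310 -j ACCEPT
+
+ # Accept port 6667 for IRC chat.
+ iptables -A INPUT -i $iface -p tcp --source-port 6667 -j ACCEPT
+
+ # Accept unprivileged ports.
+ iptables -A INPUT -i $iface -p udp --destination-port 1024:65535 -j ACCEPT
+
+ # Accept ping.
+ iptables -A INPUT -i $iface -p icmp -j ACCEPT
+done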
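Review bot: The rules at 5.37 and 5.47 match on `--source-port` although their comments describe accepting traffic to the local HTTP and IRC services; the source port is chosen by the remote peer, so each of these rules accepts inbound TCP to any local port on the interface as long as the peer's port is 80 or 6667, which largely defeats the `INPUT DROP` policy set at 5.11. If the intent is to expose those services they should read `iptables -A INPUT -i $iface -p tcp --destination-port 80 -j ACCEPT` and `iptables -A INPUT -i $iface -p tcp --destination-port 6667 -j ACCEPT`, consistent with the SSH and FTP rules at 5.40–5.44; if the intent was never to expose them, the two rules should simply go. The same mismatch was present in the deleted /etc/firewall.conf, so it is carried over rather than introduced here, but this is the moment to fix it. Separately, the script has no `set -e`, so its exit status (which the init script's `status` reports) reflects only the last `iptables` call.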