TCLUG Archive

Improved ipchains scripts



Here is a new and improved ipchains script. If you have only one interface,
this script should be easy to modify to fit most needs. It is pretty
self-explanatory too, I think.

(It also blocks those ads from ad.doubleclick.net! à la ipchains how-to)

Enjoy,

Ben 

Ben Luey
lueyb@carleton.edu
ICQ: 19144397

"Political power grows out of the barrel of a gun."  -- Mao Tse-tung

#!/bin/sh
# Single-interface ipchains filter (ipchains is the Linux 2.2 packet filter).
IFACE=eth0
ALL=0.0.0.0/0
YOURNET=137.22.96.160                 # this host's public address
TRUST="1.2.3.4/16 2.3.4.5/24"         # placeholder trusted networks; edit to suit

# Clear all old stuff in ipchains
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# No packets from intranet IPs or your own IP arriving on the internet device
# (anti-spoofing). The RFC 1918 blocks are 10/8, 172.16/12 and 192.168/16;
# 172.16.0.0/16 would only cover 172.16.x.x, so the /12 is used here.
/sbin/ipchains -A input -p all -j DENY -s 10.0.0.0/8     -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s 127.0.0.0/8    -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s 172.16.0.0/12  -i $IFACE -d $ALL
/sbin/ipchains -A input -p all -j DENY -s $YOURNET       -i $IFACE -d $ALL

# No forwarding: this box is not a router
/sbin/ipchains -P forward DENY

###### allow stuff

# Open these TCP ports to anywhere (SMTP, HTTP)
GLOBALYES="25 80"
for GYIP in $GLOBALYES
do
    /sbin/ipchains -A input -p tcp -j ACCEPT -s $ALL -i $IFACE -d $YOURNET $GYIP
done

# Allow NTP on UDP
/sbin/ipchains -A input -p udp -j ACCEPT -s $ALL -i $IFACE -d $YOURNET 123

# Allow these TCP ports (FTP data/control, SSH, telnet) from trusted sites only
TRUSTPORTS="20 21 22 23"
for TIP in $TRUST
do
    for TP in $TRUSTPORTS
    do
        /sbin/ipchains -A input -p tcp -j ACCEPT -s $TIP -i $IFACE -d $YOURNET $TP
    done
done

# Log (-l) and deny connection attempts to these ports from anyone else
LOGPORTS="143 23 1256"
for LP in $LOGPORTS
do
    /sbin/ipchains -A input -p tcp -j DENY -l -s $ALL -i $IFACE -d $YOURNET $LP
done

# Block outgoing web requests to ad.doubleclick.net and ads.realcities.com
# (addresses as listed in the original post). REJECT answers with an ICMP
# error instead of silently dropping, so the browser gives up quickly.
BADIPS="209.67.38.90 209.67.38.62 209.67.38.61 209.97.26.234 209.67.38.98"
for IP in $BADIPS
do
    /sbin/ipchains -A output -p tcp -d $IP 80 -j REJECT
done

# Deny all non-mentioned service ports: ":1015" means ports 0-1015 for TCP,
# ":1024" means ports 0-1024 for UDP. Higher ports stay reachable because the
# script does not change the input chain's default policy (ACCEPT by default).
/sbin/ipchains -A input -p tcp -j DENY -s $ALL -i $IFACE -d $ALL :1015
/sbin/ipchains -A input -p udp -j DENY -s $ALL -i $IFACE -d $ALL :1024
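The anti-spoofing rules above deny traffic whose source address claims to come from a private range or from the host itself. The following is an added example (not Ben's script, and it does not run ipchains) that reproduces the source-address match in plain POSIX sh arithmetic, so you can see which `-s` DENY rule a given source address would hit before loading the rules. It evaluates two lists: the post's own (with `172.16.0.0/16`) and the same list using the RFC 1918 definition of that block (`172.16.0.0/12`); the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not part of the posted script): find which anti-spoof
# source rule of the input chain would match a given source address.
# Pure POSIX sh arithmetic; no network access and no ipchains required.

# ip2int DOTTED_QUAD: print the address as an unsigned 32-bit integer.
ip2int() {
    oldIFS=$IFS
    IFS=.
    set -- $1                 # split "a.b.c.d" into four positional params
    IFS=$oldIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR ("a.b.c.d/n", or a bare
# address, which ipchains treats as /32).
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    ipn=$(ip2int "$1")
    netn=$(ip2int "$net")
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# first_match IP "CIDR CIDR ...": print the first entry containing IP, in
# the order ipchains would evaluate the -s DENY rules, or "none".
first_match() {
    addr=$1
    for cidr in $2; do
        if in_cidr "$addr" "$cidr"; then
            echo "$cidr"
            return 0
        fi
    done
    echo none
}

# Source list exactly as the posted script has it (172.16.0.0/16), and the
# same list with the RFC 1918 definition of that block (172.16.0.0/12).
POSTED_SPOOF_LIST="10.0.0.0/8 127.0.0.0/8 192.168.0.0/16 172.16.0.0/16 137.22.96.160"
RFC1918_SPOOF_LIST="10.0.0.0/8 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 137.22.96.160"

# Stand-alone demo over constructed sample source addresses.
for src in 10.1.2.3 172.16.9.1 172.31.5.5 192.168.1.1 137.22.96.160 8.8.8.8; do
    printf '%-15s posted:%-16s rfc1918:%s\n' "$src" \
        "$(first_match "$src" "$POSTED_SPOOF_LIST")" \
        "$(first_match "$src" "$RFC1918_SPOOF_LIST")"
done
```

Run it with `sh` and compare the two columns: an address such as 172.31.5.5 shows `none` against the posted list but `172.16.0.0/12` against the RFC 1918 list, which is exactly the gap a /16 leaves in the anti-spoof filter.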