Improved ipchains scripts
Here is a new and improved ipchains script. If you have only one interface,
this script should be easy to modify to fit most needs. It is pretty
self-explanatory too, I think.
(It also blocks those ads from ad.doubleclick.net, à la the ipchains HOWTO.)
Enjoy,
Ben
Ben Luey
lueyb@carleton.edu
ICQ: 19144397
"Political power grows out of the barrel of a gun." -- Mao Tse-tung
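#!/bin/sh
#
# Simple single-interface ipchains host firewall.
#
# Flushes the input/output/forward chains, drops spoofed private-range and
# own-address packets arriving on IFACE, opens a few TCP/UDP services to
# the world, a few more to the TRUST networks only, logs and denies probes
# on LOGPORTS, rejects outgoing web requests to the ad servers in BADIPS,
# and finally denies everything else on the low (privileged) port ranges.
#
# Must run as root. Edit IFACE, YOURNET and TRUST before use.
#
# Caveat: ipchains is stateless, so the closing DENY rules only cover ports
# up to 1015 (tcp) / 1024 (udp); anything listening on a higher port is
# still reachable from anywhere. To also refuse *new* inbound TCP
# connections on the high ports while keeping replies to your own outbound
# connections working, add a rule such as
#   $IPCHAINS -A input -p tcp -y -j DENY -s "$ALL" -i "$IFACE" -d "$ALL"
# after the ACCEPT rules (-y matches SYN-only packets).

IPCHAINS=/sbin/ipchains

IFACE=eth0                      # the Internet-facing interface
ALL=0.0.0.0/0                   # "any address"
YOURNET=137.22.96.160           # this host's public address (no mask = /32)
TRUST="1.2.3.4/16 2.3.4.5/24"   # space-separated list of trusted networks

# Fail loudly rather than silently leaving the host without any rules.
[ -x "$IPCHAINS" ] || {
  echo "$0: $IPCHAINS not found or not executable" >&2
  exit 1
}

# Clear all old rules.
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

# Anti-spoofing: packets claiming to come from the RFC 1918 private ranges,
# from loopback, or from our own address must never arrive on the Internet
# interface. Note 172.16.0.0/12 -- the private block is /12 (172.16-172.31),
# not /16, which would leave 172.17.x.x-172.31.x.x unblocked.
for SPOOFNET in 10.0.0.0/8 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 "$YOURNET"
do
  $IPCHAINS -A input -p all -j DENY -s "$SPOOFNET" -i "$IFACE" -d "$ALL"
done

# This host is not a router: never forward.
$IPCHAINS -P forward DENY

###### Allow rules -- ipchains matches first rule wins, so these must come
###### before the closing DENY rules below.

# TCP ports open to anyone (SMTP, HTTP).
GLOBALYES="25 80"
for GYIP in $GLOBALYES      # unquoted on purpose: split on whitespace
do
  $IPCHAINS -A input -p tcp -j ACCEPT -s "$ALL" -i "$IFACE" -d "$YOURNET" "$GYIP"
done

# NTP over UDP from anyone.
$IPCHAINS -A input -p udp -j ACCEPT -s "$ALL" -i "$IFACE" -d "$YOURNET" 123

# FTP, SSH and telnet only from the trusted networks.
TRUSTPORTS="20 21 22 23"
for TIP in $TRUST           # unquoted on purpose: split on whitespace
do
  for TP in $TRUSTPORTS
  do
    $IPCHAINS -A input -p tcp -j ACCEPT -s "$TIP" -i "$IFACE" -d "$YOURNET" "$TP"
  done
done

# Log (-l) and deny probes on these ports from everyone else. Port 23 is
# also in TRUSTPORTS: trusted hosts were ACCEPTed above, so only untrusted
# telnet attempts reach this rule.
LOGPORTS="143 23 1256"
for LP in $LOGPORTS
do
  $IPCHAINS -A input -p tcp -j DENY -l -s "$ALL" -i "$IFACE" -d "$YOURNET" "$LP"
done

# Block outgoing web requests to ad.doubleclick.net and ads.realcities.com.
# REJECT (not DENY) so the browser gets an immediate error instead of a
# hang while it waits for the ad server.
BADIPS="209.67.38.90 209.67.38.62 209.67.38.61 209.97.26.234 209.67.38.98"
for IP in $BADIPS
do
  $IPCHAINS -A output -p tcp -d "$IP" 80 -j REJECT
done

# Deny every privileged service port not explicitly opened above
# (":1015" / ":1024" are ipchains port ranges starting at 0).
$IPCHAINS -A input -p tcp -j DENY -s "$ALL" -i "$IFACE" -d "$ALL" :1015
$IPCHAINS -A input -p udp -j DENY -s "$ALL" -i "$IFACE" -d "$ALL" :1024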