

Script using GFCC

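#!/bin/bash
#
# Firewall Script - Version 0.9.1
#
# chkconfig: 2345 09 99
# description: firewall script for 2.2.x kernel
# Set for testing
# set -x
#
# NOTES:
#
#  This script is written for RedHat 6.1 or better.
#
#  Be careful about offering public services like web or ftp servers.
#
#  This script runs as root and executes /etc/gfcc/rules/firewall.rule.sh.
#  Whoever can write that file (or the directory it lives in) runs commands
#  as root at every boot, so keep both root-owned and not group/world
#  writable.  "start" refuses to run a rules file that fails that check.
#
#  The chkconfig start priority (09) is meant to put this before the
#  network script, so the rules are in place before any interface comes up;
#  ipchains does not need the interfaces to exist when rules name them.
#
# INSTALLATION:
#  1. place this file in /etc/rc.d/init.d  (you'll have to be root..)
#     call it something like "firewall"    :-)
#     make it root owned -->  "chown root.root (filename)"
#     make it executable -->  "chmod 755 (filename)"
#
#  2. use GFCC to create your firewall rules and export them to a file
#     named /etc/gfcc/rules/firewall.rule.sh.
#     make it root owned and private --> "chown root.root (file)"
#                                        "chmod 700 (file)"
#
#  3. add the firewall to the RH init structure --> "chkconfig --add (filename)"
#     next time the router boots, things should happen automagically!
#     sleep better at night knowing you are *LESS* vulnerable than before...
#
#  4. "test" mode needs to know the public interface:
#        PUBLIC=eth0 /etc/rc.d/init.d/firewall test
#     It opens the host completely (input/output ACCEPT); use it only
#     while debugging masquerading.
#
# RELEASE NOTES
#   30 Jan, 2000 - Changed to GFCC script
#   11 Dec, 1999 - updated by Mark Grennan <mark@grennan.com>
#   20 July, 1999 - initial writing - Anthony Ball <tony@LinuxSIG.org>
#
# REVIEW NOTES
#   - "start" now fails (non-zero, [FAILED]) when the rules file is missing,
#     not executable, not root-owned, or group/world writable, instead of
#     printing OK and leaving the kernel's default (open) chains in place.
#   - "start" re-enables IP forwarding when /etc/sysconfig/network asks for
#     it; "stop" turns it off, so before this change "restart" silently
#     stopped masquerading.
#   - "test" aborts if PUBLIC is unset (it was never defined anywhere, so
#     the MASQ rule was malformed).
#   - "status" uses -n to avoid reverse DNS lookups, which hang when the
#     firewall itself is blocking DNS.
#

################################################

RULES=/etc/gfcc/rules/firewall.rule.sh
IPCHAINS=/sbin/ipchains
IP_FORWARD=/proc/sys/net/ipv4/ip_forward

# Masquerading helper modules to load on start.  Add the ones you need:
#   ip_masq_autofw ip_masq_cuseeme ip_masq_mfw ip_masq_portfw
#   ip_masq_quake ip_masq_user ip_masq_vdolive
MASQ_MODULES="ip_masq_ftp ip_masq_irc ip_masq_raudio"

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted: an unset NETWORKING used to turn
# this test into a syntax error rather than a clean "not no".
[ "${NETWORKING}" = "no" ] && exit 0

#######################################
# Empty the three built-in chains.  Chain policies are NOT touched.
#######################################
flush_chains() {
    "$IPCHAINS" -F input
    "$IPCHAINS" -F output
    "$IPCHAINS" -F forward
}

#######################################
# Refuse to execute a rules file that is missing, not executable, not
# owned by root, or writable by group/other.  Running such a file as root
# at boot would hand root to whoever can edit it.
# Returns: 0 if the file is acceptable, 1 otherwise (message on stderr).
#######################################
check_rules_file() {
    if [ ! -x "$RULES" ]; then
        echo "$RULES: missing or not executable; firewall NOT started" >&2
        return 1
    fi
    # -O: owned by the effective user, which is root when this runs.
    if [ ! -O "$RULES" ]; then
        echo "$RULES: not owned by root; refusing to run it" >&2
        return 1
    fi
    # Mode string from ls -ld is "-rwxrwxrwx": position 6 is the group
    # write bit, position 9 the other write bit.  (stat(1) and find
    # -perm /022 are not available on the target release.)
    case "$(ls -ld "$RULES")" in
        ?????w*|????????w*)
            echo "$RULES: group- or world-writable; refusing to run it" >&2
            return 1
            ;;
    esac
    return 0
}

# See how we are called
case "$1" in

  start)
        # Start providing access
        if ! check_rules_file; then
            action "Starting firewall: " /bin/false
            exit 1
        fi
        # Report the rule set's own exit status, not an unconditional OK.
        if "$RULES"; then
            action "Starting firewall: " /bin/true
        else
            action "Starting firewall: " /bin/false
            exit 1
        fi

        # "stop" switches forwarding off; switch it back on here when the
        # RedHat network configuration (FORWARD_IPV4 in
        # /etc/sysconfig/network, sourced above) asks for it.  Without this
        # a "restart" left the local net unable to reach the outside.
        # NOTE(review): FORWARD_IPV4 takes yes/true/no/false on RH 6.x;
        # adjust if your release uses a different knob.
        case "${FORWARD_IPV4}" in
            yes|true) echo 1 > "$IP_FORWARD" ;;
        esac

        action "Loading firewall modules: " /bin/true
        for mod in $MASQ_MODULES; do
            # A module that is already loaded makes insmod fail; warn and
            # carry on rather than abort the whole start.
            /sbin/insmod "$mod" || echo "insmod $mod failed" >&2
        done
        echo
        ;;

  stop)
        action "Stopping firewall: " /bin/true
        echo 0 > "$IP_FORWARD"
        flush_chains
        # The chain policies stay as the rule set left them.  With an input
        # policy of DENY (which the GFCC rule set sets) an empty input chain
        # means the host accepts nothing at all, loopback included, until
        # "start" runs again.  That is fail-closed on purpose; use "test"
        # to open the box deliberately.
        echo
        ;;

  restart)
        action "Restarting firewall: " /bin/true
        "$0" stop
        "$0" start

        echo
        ;;

  status)
        # List out all settings.  -n: no reverse DNS lookups (they hang
        # when DNS is being filtered); -v: show interfaces and counters.
        "$IPCHAINS" -L -n -v
        ;;

  test)
        # Test mode opens the host: input and output accept everything and
        # only forwarding is restricted, to masquerading out of $PUBLIC.
        # PUBLIC must be supplied in the environment (see INSTALLATION 4).
        if [ -z "$PUBLIC" ]; then
            echo "Usage: PUBLIC=<public interface> $0 test" >&2
            exit 1
        fi
        action "Test Mode firewall: " /bin/true
        flush_chains
        echo 1 > "$IP_FORWARD"
        "$IPCHAINS" -A input -j ACCEPT
        "$IPCHAINS" -A output -j ACCEPT
        "$IPCHAINS" -P forward DENY
        # In the forward chain -i names the interface the packet leaves on.
        "$IPCHAINS" -A forward -i "$PUBLIC" -j MASQ

        echo
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|test}"
        exit 1

esac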

The following script is the rule set exported by GFCC (the Gtk+ Firewall Control Center); it is what the init script above executes as /etc/gfcc/rules/firewall.rule.sh. It is not GFCC's own saved working rule set, so edits made here by hand are overwritten by the next export.


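#!/bin/sh
# Generated by Gtk+ firewall control center
#
# ipchains (2.2.x kernel) rule set run by the "firewall" init script.
# eth1 is the local-net interface; the public interface is not named here.
# Hand-reviewed after export: each "NOTE" below marks a change and why.
#
# Stop at the first ipchains error instead of silently loading half a rule
# set.  The input policy is set to DENY before any rule is added, so a
# failure leaves the host closed, not open, and the init script sees the
# non-zero status.
set -e

IPCHAINS=/sbin/ipchains


localnet="192.168.1.0/24"
firewallhost="192.168.1.1/32"
# NOTE: the export had 172.0.0.0/8 here, which is public address space.
# Real loopback traffic (127.0.0.0/8) therefore never matched the loopback
# rule and fell through to the logged DENY at the end of the input chain.
localhost="127.0.0.0/8"
DNS1="24.94.163.119/32"
DNS2="24.94.163.124/32"
Broadcast="255.255.255.255/32"
Multicast="224.0.0.0/8"
Any="0.0.0.0/0"
mail_grennan_com="192.168.1.1/32"
mark_grennan_com="192.168.1.3/32"

# Policies first, so the chains are closed while they are rebuilt.
$IPCHAINS -P input DENY
# NOTE: the export had ACCEPT here.  The only traffic this box should route
# is the local net going out, which the single MASQ rule below handles;
# replies to masqueraded connections are de-masqueraded and do not pass
# the forward chain.  ACCEPT would forward anything else that arrives with
# a route through this host.  The init script's "test" mode uses DENY too.
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT

$IPCHAINS -F
$IPCHAINS -X

# input rules
# Loopback is trusted whatever source address it carries (the host talking
# to its own eth addresses also arrives on lo).
$IPCHAINS -A input -i lo -j ACCEPT
# Anti-spoofing, logged: loopback addresses must not arrive on a real
# interface, and local-net addresses may only arrive on the local-net
# interface.
$IPCHAINS -A input -s $localhost -d $Any -j DENY -l
$IPCHAINS -A input -s $localnet -d $Any -i ! eth1 -j DENY -l
# NOTE: local broadcasts must be accepted before the general broadcast
# DENY that follows; in the export this rule came after it and could
# never match.
$IPCHAINS -A input -s $localnet -d $Broadcast -i eth1 -j ACCEPT
$IPCHAINS -A input -s $Any -d $Broadcast -j DENY
# Windows and DHCP chatter, dropped without logging to keep the log usable.
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-ns -j DENY
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-ns -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any netbios-dgm -j DENY
$IPCHAINS -A input -p tcp -s $Any -d $Any netbios-dgm -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any bootps -j DENY
$IPCHAINS -A input -p udp -s $Any -d $Any bootpc -j DENY
$IPCHAINS -A input -s $Multicast -d $Any -j DENY
# The local net may reach any service on the firewall.
$IPCHAINS -A input -s $localnet -d $Any -i eth1 -j ACCEPT
$IPCHAINS -A input -p icmp -s $Any -d $Any -j ACCEPT
# Stateless TCP: every segment that is not a bare SYN is let in, which is
# what admits replies to connections the firewall and local net open.  It
# also admits ACK/FIN scans; ipchains has no connection tracking, so this
# is the best a 2.2 kernel can do.
$IPCHAINS -A input -p tcp -s $Any -d $Any -j ACCEPT ! -y
# DNS replies from the two configured resolvers only.  Source port 53 is
# spoofable; this is as tight as stateless UDP filtering gets.
$IPCHAINS -A input -p udp -s $DNS1 domain -d $Any 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $DNS2 domain -d $Any 1023:65535 -j ACCEPT
# Services offered to the whole Internet.  telnet, pop-3 and ftp carry
# passwords in the clear: if they are only needed from the local net,
# delete those three lines (the local-net ACCEPT above already admits
# them from eth1).  auth (identd) is harmless but tells remote mail and
# IRC servers who is connecting.
$IPCHAINS -A input -p tcp -s $Any -d $Any ssh -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any telnet -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any smtp -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any pop-3 -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any auth -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any www -j ACCEPT
$IPCHAINS -A input -p tcp -s $Any -d $Any ftp -j ACCEPT
# Everything else is dropped and logged.
$IPCHAINS -A input -s $Any -d $Any -j DENY -l

# forward rules
# Masquerade the local net going out; anything else hits the DENY policy.
# Packet forwarding itself (/proc/sys/net/ipv4/ip_forward) is not switched
# on here; the init script / network configuration is responsible for it.
$IPCHAINS -A forward -s $localnet -d $Any -j MASQ

# output rules
# (none: the output policy is ACCEPT)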

