gShield-2.8/0040775000175000017500000000000007474540345011776 5ustar godotgodotgShield-2.8/gShield-version0100600000175000017500000000000407447453301014733 0ustar godotgodot2.8 gShield-2.8/gShield.rc0100500000175000017500000013455707474540345013704 0ustar godotgodot#!/bin/sh # vim: set sw=4 ts=4 et: # $Id: gShield.rc,v 1.301 2002-05-27 19:27:32-04 godot Exp $ # ------------------------------------------------------------- # # gShield v2 - netfilter based firewall script # # Thrown together by Godot (godot@linuxmafia.org) # # # # Version 2 is a major revisionary release # # which not only takes advantage of the new # # firewalling code of the 2.4 series kernel, # # but incorporates many changes I had been unwilling # # to merge into the previous gShield series. # # # # Released under the GPL (of course). This script # # is provided 'as is' and may disrupt the number 62. # # # # There is no warranty associated with this script, but it # # does offer the following piece of folk wisdom: # # # # "Measure twice, cut once." # # # # This script in no way will taunt happy fun ball. # # # #---------------------------------------------------------------# # Copyright 2001,2002 R. Gregory # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
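#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
# A copy of the GPL may be found at http://www.gnu.org/licenses/gpl.txt

# chkconfig: 2345 11 89

# Source function library.
if [ -f /etc/init.d/functions ]; then
    . /etc/init.d/functions
fi

# Refuse to run on ipchains host
if [ -f /proc/net/ip_fwchains ]; then
    echo "You already seem to be running ipchains. gShield requires iptables. Exiting now."
    exit 1
fi

#-- Set path for script
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#-- Bring in configuration.  The file is executed as shell code with root
#   rights, so it must stay root-owned and not writable by anyone else.  It
#   is expected to define FW_ROOT, IPTABLES, IFCONFIG, LOCALIF and SYSLOG
#   (plus the YES/NO feature switches used further down).
. /etc/firewall/gShield.conf

#-- Internal variables
DTE=$(date)
VER=$(cat "$FW_ROOT/gShield-version")
MYNAME=$(basename "$0")
LOGGER="logger -t $MYNAME[$$]"
SW2=$2                          # HOST argument of -c / -b / -H

#######################################
# Log a message.
# Globals:   SYSLOG (read; "true" or "yes" selects syslog), LOGGER (read)
# Arguments: message words, joined with single spaces
# Outputs:   the line via $LOGGER, or "[gShield] <message>" on stdout
#######################################
# The original executed the configured value as a command ("if $SYSLOG");
# with SYSLOG=yes that runs yes(1) and never returns, so the value is
# compared instead of executed.
SYSLOG() {
    case "$SYSLOG" in
        true|TRUE|yes|YES)
            $LOGGER "$*"
            ;;
        *)
            echo "[gShield] $*"
            ;;
    esac
}

# silly iptables version check (not referenced in this part of the script)
IPTABLES_VERSION=$($IPTABLES --version | awk '{print $2}')

# ------------------------------------------------------------- #
# ------- [ Begin interface checks ] -------------------------- #
# ------------------------------------------------------------- #

#######################################
# Announce start-up and select the external interface.
# Globals:   VER, LOCALIF (read); EXTERNAL (written)
#######################################
up_firewall() {
    SYSLOG "initializing v$VER"
    EXTERNAL=$LOCALIF
}

#######################################
# Wait for $EXTERNAL to report UP, retrying every 5 seconds.
# check_interface is disabled since 2.7.2 to avoid some complications
# specific to ISDN users; the static-NAT path below still calls it.
# Globals:   EXTERNAL, IFCONFIG (read); RUN (retry counter, read/written)
# Returns:   0 once the interface is up, 1 after the third retry (the
#            original only printed the error and carried on; callers
#            currently ignore the status)
#######################################
check_interface() {
    if $IFCONFIG "$EXTERNAL" 2>/dev/null | grep -q UP; then
        SYSLOG "interface $EXTERNAL up"
        return 0
    fi
    SYSLOG "interface $EXTERNAL -not- up (delaying)"
    if [ "$RUN" = "3" ]; then
        SYSLOG "interface $EXTERNAL still not up (bailing out)"
        echo "Error: Unable to determine interface status"
        return 1
    fi
    RUN=$((RUN + 1))        # POSIX arithmetic; 'let' is a bashism under #!/bin/sh
    sleep 5
    check_interface
}

# many thanks to S. Youngs for his
# contributed functions

#######################################
# Print usage and exit.
# NOTE(review): most of the original help text was lost in extraction; the
# option list below is rebuilt from the command-line dispatch at the end of
# this section, the surviving lines are kept verbatim.
# Outputs:   help text on stdout
# Returns:   exits 1
#######################################
usage() {
    cat <<EOF
Usage: $MYNAME [OPTION] [HOST]

  -s|--start|start ......... Start the firewall.
  -r|--restart|restart ..... Restart the firewall.
  -f|--flush|--stop|stop ... Flush all rules and disable the firewall.
  -d|-D|--dump|dump ........ Dump the nat, mangle and filter tables.
  -c|--client HOST ......... Add HOST to the client-host list.
  -b|--blacklist HOST ...... Add HOST to the blacklist.
  -H|--highport HOST ....... Give HOST access to ports > 1024
                             HOST can be either an IP or a FQDN.
  -V|--version ............ Display version info.
  -?|-h|--help ............ Display this help.
EOF
    exit 1
}

#######################################
# Resolve the HOST argument of -c / -b / -H to one IPv4 address.
# Arguments: $1 - dotted-quad address or FQDN
# Outputs:   the address on stdout.  A dotted quad is echoed unchanged; a
#            name is looked up with host(1); when the lookup yields nothing
#            the name itself is echoed so iptables can try to resolve it
#            (this is what the three callers did inline before).
#######################################
# Only "has address" lines are used and only the first of them, so a name
# with IPv6 or several A records can no longer turn into multiple words
# inside the iptables -s argument.
resolve_host() {
    _rh_name=$1
    _rh_addr=$_rh_name
    if ! printf '%s\n' "$_rh_name" | \
        grep -q '[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}'; then
        _rh_addr=$(host "$_rh_name" | grep ' has address ' | head -n 1 | cut -d ' ' -f 4)
    fi
    if [ -z "$_rh_addr" ]; then
        _rh_addr=$_rh_name
    fi
    printf '%s\n' "$_rh_addr"
}

#######################################
# Give a host access to ports > 1024: insert the runtime rules and
# record the host in conf/highport_access.
# Globals:   SW2, IPTABLES, FW_ROOT, DTE (read)
# Returns:   exits 1 (as the original did) after the rules are inserted
#######################################
addhigh() {
    if [ -z "$SW2" ]; then
        cmderror
    fi
    echo "[gShield] allowing highport access for $SW2"
    ADDHIGH=$(resolve_host "$SW2")
    $IPTABLES -I INPUT -p tcp -s "$ADDHIGH" --dport 1024: -j HIGHPORT
    $IPTABLES -I INPUT -p udp -s "$ADDHIGH" --dport 1024: -j HIGHPORT
    SYSLOG "adding $ADDHIGH to permanent highport-access"
    {
        echo "# $ADDHIGH added on $DTE"
        echo "$ADDHIGH"
        echo ""
    } >> "${FW_ROOT}/conf/highport_access"
    exit 1
}

#######################################
# Add a host to the blacklist: runtime INPUT/FORWARD rules, a line in
# conf/black_listed_hosts (unless already present) and, when BLACKLISTED
# is AUTO, an "ALL:" entry in /etc/hosts.deny.
# Globals:   SW2, IPTABLES, FW_ROOT, DTE, BLACKLISTED (read)
# Returns:   exits 1 (as the original did)
#######################################
addblack() {
    if [ -z "$SW2" ]; then
        cmderror
    fi
    echo "[gShield] adding $SW2 to blacklist"
    ADDBLACK=$(resolve_host "$SW2")
    $IPTABLES -I INPUT -s "$ADDBLACK" -j BLACKLIST
    $IPTABLES -I FORWARD -s "$ADDBLACK" -j BLACKLIST
    # Whole-line, fixed-string match.  The old unanchored 'grep -q $ADDBLACK'
    # treated the dots as regex wildcards and matched 10.0.0.10 for 10.0.0.1,
    # so a new host could be silently left out of the permanent list.
    if sed 's/#.*$//' "${FW_ROOT}/conf/black_listed_hosts" | grep -qxF -- "$ADDBLACK"; then
        echo "$SW2 already is on the permanent blacklist"
    else
        SYSLOG "adding $SW2 to permanent blacklist"
        {
            echo "# $SW2 added on $DTE"
            echo "$ADDBLACK"
            echo ""
        } >> "${FW_ROOT}/conf/black_listed_hosts"
    fi
    case "$BLACKLISTED" in
        AUTO|auto)
            SYSLOG "adding $ADDBLACK to hosts.deny"
            {
                echo "# $ADDBLACK added via gShield on  $DTE"
                echo "ALL: $ADDBLACK"
                echo ""
            } >> /etc/hosts.deny
            ;;
    esac
    exit 1
}

#######################################
# Add a client host: CLIENT-chain rules for every configured client
# service plus a line in conf/client_hosts.
# Globals:   SW2, IPTABLES, FW_ROOT, DTE, LOCALIF, CLIENTSERVICES (read)
# Returns:   exits 1 (as the original did)
#######################################
addclient() {
    if [ -z "$SW2" ]; then
        cmderror
    fi
    echo "[gShield] adding $SW2 as client"
    ADDCLIENT=$(resolve_host "$SW2")
    # CLIENTSERVICES is normally filled from conf/client_services further
    # down, i.e. after this command-line action has already run; read the
    # file here when nothing (e.g. gShield.conf) has set it yet, otherwise
    # the loop below adds no runtime rule at all.
    if [ -z "$CLIENTSERVICES" ]; then
        CLIENTSERVICES=$(grep -vE '^[[:space:]]*(#|$)' "${FW_ROOT}/conf/client_services")
    fi
    for svc in $CLIENTSERVICES; do
        $IPTABLES -I INPUT -p tcp -s "$ADDCLIENT" -i "$LOCALIF" --dport "$svc" -j CLIENT
        $IPTABLES -I INPUT -p udp -s "$ADDCLIENT" -i "$LOCALIF" --dport "$svc" -j CLIENT
    done
    SYSLOG "adding $ADDCLIENT to permanent clientlist"
    {
        echo "# $ADDCLIENT added on $DTE"
        echo "$ADDCLIENT"
        echo ""
    } >> "${FW_ROOT}/conf/client_hosts"
    exit 1
}

#######################################
# Disable the firewall: flush every chain and set ACCEPT policies.
# After this the host is completely unfiltered.
# Globals:   IPTABLES, NAT (read)
# Returns:   exits 1 (as the original did)
#######################################
down() {
    echo "[gShield] flushing all rulsets -- firewall disabled"
    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -X
    # the nat table is only flushed when NAT is enabled in the current
    # config, so rules left over from an earlier NAT=yes setup survive
    if [ "$NAT" = "YES" ] || [ "$NAT" = "yes" ]; then
        $IPTABLES -F -t nat
    fi
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    exit 1
}

#######################################
# Command line error: point at --help and exit 1.
#######################################
cmderror() {
    echo "Oops! Looks like there was something wrong with"
    echo "that command line."
    echo ""
    echo "$MYNAME --help to see what you should have done."
    exit 1
}

#######################################
# List the nat, mangle and filter tables (numeric, verbose) and exit 1.
#######################################
dump() {
    $IPTABLES -t nat -L -n -v
    $IPTABLES -t mangle -L -n -v
    $IPTABLES -t filter -L -n -v
    exit 1
}

# Parse command line arguments.  Every action except start/restart exits
# inside its function; the default (no/unknown argument) starts the firewall.
case "$1" in
    -f|--flush|--stop|stop)
        down
        ;;
    -c|--client|addclient)
        addclient
        ;;
    -b|--blacklist|blacklist)
        addblack
        ;;
    -H|--highport|highport)
        addhigh
        ;;
    -s|--start|start)
        printf '%s' "Starting gShield firewall"
        up_firewall
        ;;
    -r|--restart|restart)
        printf '%s' "Restarting gShield firewall"
        up_firewall
        ;;
    -V|--version)
        echo "$MYNAME $VER"
        echo "Copyright (C) 2001, Godot "
        exit 1
        ;;
    -d|-D|--dump|dump)
        dump
        ;;
    -\?|-h|--help)
        usage
        ;;
    *)
        up_firewall
        ;;
esac

# Check interface before beginning
# exit if interface isn't up after a preset
# time.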
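# disabled by default in 2.8
# check_interface

# ------------------------------------------------------------- #
# -- Determine networking information ------------------------- #
# ------------------------------------------------------------- #

# Parses net-tools style ifconfig output ("inet addr:A.B.C.D ... Mask:M").
# 'inet ' (with the space) skips the "inet6" line that IPv6-enabled
# interfaces print, and head -n 1 keeps a single value so $EXTERNALIP is
# always one word when it is handed to iptables.
EXTERNALIP=$($IFCONFIG "$EXTERNAL" | grep 'inet ' | head -n 1 | cut -d : -f 2 | cut -d ' ' -f 1)
LOCALMASK=$($IFCONFIG "$EXTERNAL" | grep Mask | head -n 1 | cut -d : -f 4)
LOCALNET=$EXTERNALIP      # the original computed the same pipeline twice
INTERNALNET=$LOCALNET
REMOTENET="0/0"

if [ "$DEBUG" = "YES" ]; then
    SYSLOG "external ip -> $EXTERNALIP"
    SYSLOG "localmask -> $LOCALMASK"
fi

# ------------------------------------------------------------- #
# ------ [ Bring in configured options ] ---------------------- #
# ------------------------------------------------------------- #

#######################################
# Print a conf file without blank lines and '#' comment lines.
# Arguments: $1 - path of the file
# Outputs:   the remaining lines on stdout (a missing file yields nothing
#            plus grep's error on stderr, exactly as before)
#######################################
read_conf() {
    grep -vE '^[[:space:]]*(#|$)' "$1"
}

# client hosts
CLIENTHOSTS=$(read_conf "${FW_ROOT}/conf/client_hosts")
CLIENTSERVICES=$(read_conf "${FW_ROOT}/conf/client_services")

# blacklisted hosts
case "$BLACKLISTED" in
    AUTO|auto)
        # second word of every "ALL: host" line in hosts.deny
        BLACKLIST=$(read_conf /etc/hosts.deny | grep -i '^ALL' | awk '{print $2}' | sed -e '/^$/d')
        ;;
    *)
        BLACKLIST=$(read_conf "${FW_ROOT}/conf/black_listed_hosts")
        ;;
esac

# additional closed ports
CLOSEDPORTS=$(read_conf "${FW_ROOT}/conf/closed_ports")

# NATs
NATS=$(read_conf "${FW_ROOT}/conf/NATS")

# allowed high-port access
HIGHPORTS=$(read_conf "${FW_ROOT}/conf/highport_access")

# Reserved addresses (non-routable)
NONROUTES=$(read_conf "${FW_ROOT}/conf/reserved_addresses")

# multicasts
MULTICAST=$(read_conf "${FW_ROOT}/conf/multicast")

# Routables
ROUTABLES=$(read_conf "${FW_ROOT}/routables/routable_hosts")

# DMZ
DMZ=$(read_conf "${FW_ROOT}/DMZ/dmz_hosts")

# user-specified open ports
OPENPORTS=$(read_conf "${FW_ROOT}/conf/open_ports")

# port we never want logs on, but still drop
NOLOG=$(read_conf "${FW_ROOT}/conf/no_log_ports")

# outgoing ports we want blocked
NOOUT=$(read_conf "${FW_ROOT}/conf/blocked_outgoing")

# outgoing addresses we want blocked
NOACCESS=$(read_conf "${FW_ROOT}/conf/blocked_addresses")

# defined forwards
FORWARDS=$(read_conf "${FW_ROOT}/conf/forwards")

# defined PPTP hosts
PPTP_ALLOWED=$(read_conf "${FW_ROOT}/conf/pptp_allowed_hosts")

# defined HTTP string(s)
HTTP_BAD_STRING=$(read_conf "${FW_ROOT}/conf/http_string_drop")

# defined global string(s)
BAD_STRING=$(read_conf "${FW_ROOT}/conf/global_content_drop")

# ------------------------------------------------------------- #
# ------- [ Set sane kernel configuration ] ------------------- #
# ------------------------------------------------------------- #

# Ensure ip-forwarding is disabled at onset (NAT / routables turn it on later)
echo "0" > /proc/sys/net/ipv4/ip_forward

# Anti-spoofing blocks: reverse-path filtering on every interface
if [ "$ANTI_SPOOF" = "YES" ] || [ "$ANTI_SPOOF" = "yes" ]; then
    for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$rpf"
    done
fi

# no source routes
if [ "$NO_SOURCE_ROUTE" = "YES" ] || [ "$NO_SOURCE_ROUTE" = "yes" ]; then
    for sr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > "$sr"
    done
fi

# TCP SYN cookies (only if the kernel offers the knob)
if [ "$SYN_COOKIES" = "YES" ] || [ "$SYN_COOKIES" = "yes" ]; then
    test -f /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies
else
    test -f /proc/sys/net/ipv4/tcp_syncookies && echo 0 > /proc/sys/net/ipv4/tcp_syncookies
fi

# ICMP redirects
if [ "$ICMP_REDIRECT" = "YES" ] || [ "$ICMP_REDIRECT" = "yes" ]; then
    for rd in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > "$rd"
    done
fi

# Ensure oddball addresses are logged
if [ "$LOG_MARTIANS" = "YES" ] || [ "$LOG_MARTIANS" = "yes" ]; then
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
else
    echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
fi

# ECN
if [ "$ECN" = "YES" ] || [ "$ECN" = "yes" ]; then
    test -f /proc/sys/net/ipv4/tcp_ecn && echo "1" > /proc/sys/net/ipv4/tcp_ecn
else
    test -f /proc/sys/net/ipv4/tcp_ecn && echo "0" > /proc/sys/net/ipv4/tcp_ecn
fi

# tcp timestamps
if [ "$TCP_TS" = "NO" ] || [ "$TCP_TS" = "no" ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
else
    echo 1 > /proc/sys/net/ipv4/tcp_timestamps
fi

# icmp broadcasts
if [ "$ICMP_IGNORE_BROADCASTS" = "YES" ] || [ "$ICMP_IGNORE_BROADCASTS" = "yes" ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# icmp reply rate
if [ "$ICMP_ECHOREPLY_RATE" != "0" ]; then
    # Must be a whole non-negative integer.  The original only required that
    # *some* digit appear, so a value like "10abc" passed the check and the
    # write to /proc then failed.
    case "$ICMP_ECHOREPLY_RATE" in
        ''|*[!0-9]*)
            SYSLOG "ERROR: invalid value for ICMP_ECHOREPLY_RATE"
            ;;
        *)
            echo "$ICMP_ECHOREPLY_RATE" > /proc/sys/net/ipv4/icmp_echoreply_rate
            SYSLOG "setting ICMP_ECHOREPLY_RATE to $ICMP_ECHOREPLY_RATE"
            ;;
    esac
fi

# "bogus" icmp responses
if [ "$ICMP_IGNORE_BOGUS_ERROR" = "YES" ] || [ "$ICMP_IGNORE_BOGUS_ERROR" = "yes" ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
else
    echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# ------------------------------------------------------------ #
# ------ [ Flush and set default policies ] ------------------ #
# ------------------------------------------------------------ #

# Set policy
# One should always reset policy before the flush, so there is no window
# in which the flushed chains fall through to an ACCEPT policy.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

#-- Flush sets (yes, some of this is redundant)
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X
if [ "$NAT" = "YES" ] || [ "$NAT" = "yes" ]; then
    $IPTABLES -F -t nat
fi

#######################################
# Create a user chain (ignoring "already exists") and empty it.
# Arguments: $1 - chain name
#######################################
new_chain() {
    $IPTABLES -N "$1" 2> /dev/null
    $IPTABLES -F "$1"
}

# ------------------------------------------------------------- #
# -- [ Loopback interface ] ----------------------------------- #
# ------------------------------------------------------------- #

new_chain loopback
$IPTABLES -A loopback -i lo -j ACCEPT

# ------------------------------------------------------------- #
# -- [ Check for user runtime file ] -------------------------- #
# ------------------------------------------------------------- #

# The file is sourced as shell code with root rights, before any filter
# rule exists; it needs the same ownership and permissions as gShield.conf.
if [ -e "${FW_ROOT}/gshield.first" ]; then
    SYSLOG "User defined file found-- sourcing.."
    . "${FW_ROOT}/gshield.first" || echo "[gShield] Error: problem sourcing ${FW_ROOT}/gshield.first"
fi

# ------------------------------------------------------------ #
# ------ [ Create logging chains ] --------------------------- #
# ------------------------------------------------------------ #

# Set "response" policy for TCP.  $TCP_RESPOND / $UDP_RESPOND may hold
# several words ("REJECT --reject-with tcp-reset"); they are therefore
# expanded UNQUOTED wherever they appear as a -j target below.
case "$TCP_RESPONSE" in
    drop|DROP)
        SYSLOG "default TCP response set to DROP"
        TCP_RESPOND="DROP"
        ;;
    reject|REJECT)
        SYSLOG "default TCP response set to default REJECT"
        TCP_RESPOND="REJECT"
        ;;
    *)
        # reset/RESET and anything unrecognised
        SYSLOG "default TCP response set to REJECT with tcp-reset"
        TCP_RESPOND="REJECT --reject-with tcp-reset"
        ;;
esac

# Set "response" policy for UDP.
case "$UDP_RESPONSE" in
    drop|DROP)
        SYSLOG "default UDP response set to DROP"
        UDP_RESPOND="DROP"
        ;;
    reject|REJECT)
        SYSLOG "default UDP response set to default REJECT"
        UDP_RESPOND="REJECT"
        ;;
    prohibit|PROHIBIT)
        SYSLOG "default UDP response set to REJECT with icmp-host-prohibited"
        UDP_RESPOND="REJECT --reject-with icmp-host-prohibited"
        ;;
    *)
        # reset/RESET and anything unrecognised
        SYSLOG "default UDP response set to REJECT with icmp-port-unreachable"
        UDP_RESPOND="REJECT --reject-with icmp-port-unreachable"
        ;;
esac

# Since iptables lets us add custom log-prefixes, we create a
# slew of logging chains to be as specific as possible

# log then drop
new_chain DROPnLOG
$IPTABLES -A DROPnLOG -p udp --dport 137:139 -j DROP
# NOTE(review): accepts any non-SYN TCP segment from source port 80 to a high
# port regardless of connection state.  The STATEFUL chain already admits
# genuine replies, so this rule only widens exposure; kept as in the original.
$IPTABLES -A DROPnLOG -p tcp ! --syn --sport 80 --dport 1024: -j ACCEPT
$IPTABLES -A DROPnLOG -p udp --sport 67 -d 255.255.255.255 --dport 68 -j DROP
if [ "$DEFAULT_LOGGING" = "YES" ] || [ "$DEFAULT_LOGGING" = "yes" ]; then
    # drop those ports we don't want logged regardless
    for port in $NOLOG; do
        $IPTABLES -A DROPnLOG -p tcp -i "$LOCALIF" --dport "$port" -j $TCP_RESPOND
        $IPTABLES -A DROPnLOG -p udp -i "$LOCALIF" --dport "$port" -j $UDP_RESPOND
        $IPTABLES -A DROPnLOG -p udp -d 255.255.255.255 --dport "$port" -j $UDP_RESPOND
    done
    if [ "$USE_QUEUE" = "YES" ] || [ "$USE_QUEUE" = "yes" ]; then
        # hand rate-limited packets to userspace; no final DROP here, so
        # non-tcp/udp packets fall back to the calling chain
        $IPTABLES -A DROPnLOG -j QUEUE -m limit --limit "$LTIME"
        $IPTABLES -A DROPnLOG -p tcp -j $TCP_RESPOND
        $IPTABLES -A DROPnLOG -p udp -j $UDP_RESPOND
        SYSLOG "default logging rate (to queue) limit set to $LTIME"
    else
        $IPTABLES -A DROPnLOG -j LOG --log-level "$LOG_LEVEL" -m limit --limit "$LTIME" --log-prefix "gShield (default drop) "
        $IPTABLES -A DROPnLOG -j LOG --log-level "$LOG_LEVEL" -m limit --limit "$LTIME" --proto 47 --log-prefix "gShield (default drop / GRE) "
        $IPTABLES -A DROPnLOG -p tcp -j $TCP_RESPOND
        $IPTABLES -A DROPnLOG -p udp -j $UDP_RESPOND
        $IPTABLES -A DROPnLOG -j DROP
        SYSLOG "default logging rate limit set to $LTIME"
    fi
else
    # no logging at all; the extra DHCP-client rule only exists in this branch
    $IPTABLES -A DROPnLOG -p udp --sport 68 -d 255.255.255.255 --dport 67 -j DROP
    $IPTABLES -A DROPnLOG -p tcp -j $TCP_RESPOND
    $IPTABLES -A DROPnLOG -p udp -j $UDP_RESPOND
    $IPTABLES -A DROPnLOG -j DROP
    SYSLOG "default logging rate limit set to $LTIME"
fi

# Increased logging for invalid drops
# within NAT (see netfilter FAQ, 3.1)
if [ "$NAT_LOG_INVALID" = "YES" ] || [ "$NAT_LOG_INVALID" = "yes" ]; then
    $IPTABLES -t mangle -A PREROUTING -j LOG -m state --state INVALID --log-prefix "gShield (INVALID drop) "
    SYSLOG "increasing verbosity for INVALID drops"
fi

# log then drop / services
new_chain SERVICEDROP
$IPTABLES -A SERVICEDROP -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (service drop) "
$IPTABLES -A SERVICEDROP -p tcp -j $TCP_RESPOND
$IPTABLES -A SERVICEDROP -p udp -j $UDP_RESPOND
$IPTABLES -A SERVICEDROP -j DROP

# log then drop icmp (logged unless ICMP_LOG is explicitly NO)
new_chain DROPICMP
case "$ICMP_LOG" in
    NO|no)
        $IPTABLES -A DROPICMP -j DROP
        SYSLOG "not logging ICMP"
        ;;
    *)
        $IPTABLES -A DROPICMP -j LOG -m limit --limit "$ICMP_RATE" --log-level "$LOG_LEVEL" --log-prefix "gShield (icmp drop) "
        $IPTABLES -A DROPICMP -j DROP
        ;;
esac

# log then accept
new_chain ACCEPTnLOG
$IPTABLES -A ACCEPTnLOG -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (accept) "
$IPTABLES -A ACCEPTnLOG -j ACCEPT

# log for unclean
if [ "$TAINTED_MATCH" = "YES" ] || [ "$TAINTED_MATCH" = "yes" ]; then
    new_chain TAINTED
    $IPTABLES -A TAINTED -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (unclean drop) "
    $IPTABLES -A TAINTED -j DROP
fi

# log then drop- blacklist
new_chain BLACKLIST
if [ "$LOG_BLACKLIST" = "YES" ] || [ "$LOG_BLACKLIST" = "yes" ]; then
    $IPTABLES -A BLACKLIST -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (blacklisted drop) "
fi
$IPTABLES -A BLACKLIST -j DROP

# log then drop / closed port
new_chain CLOSED
$IPTABLES -A CLOSED -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (closed port drop) "
$IPTABLES -A CLOSED -p tcp -j $TCP_RESPOND
$IPTABLES -A CLOSED -p udp -j $UDP_RESPOND
$IPTABLES -A CLOSED -j DROP

# log then drop / reserved address
new_chain RESERVED
if [ "$LOG_RESERVED" = "YES" ] || [ "$LOG_RESERVED" = "yes" ]; then
    $IPTABLES -A RESERVED -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (reserved drop) "
    SYSLOG "logging reserved address drops"
else
    SYSLOG "no reserved drop logging"
fi
$IPTABLES -A RESERVED -p tcp -j $TCP_RESPOND
$IPTABLES -A RESERVED -p udp -j $UDP_RESPOND
$IPTABLES -A RESERVED -j DROP

# drop / multicast addresses
if [ "$DEBUG" = "YES" ]; then
    SYSLOG "drop multicast -> $DROP_MULTICAST"
fi
new_chain MULTICAST
if [ "$DROP_MULTICAST" = "YES" ] || [ "$DROP_MULTICAST" = "yes" ]; then
    $IPTABLES -A MULTICAST -j DROP
    SYSLOG "dropping multicasts"
else
    # the chain stays empty, so multicast traffic returns to INPUT
    # (the original called a misspelled "SYLOG" here and never logged this)
    SYSLOG "[gShield] not dropping multicasts"
fi

# log DHCP traffic
new_chain DHCP
$IPTABLES -A DHCP -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (DHCP accept) "
$IPTABLES -A DHCP -j ACCEPT

# Create public chain for services
new_chain PUBLIC
$IPTABLES -A PUBLIC -j ACCEPT

# Create client-host/access chain
new_chain CLIENT
$IPTABLES -A CLIENT -j ACCEPT

# Create highport access chain
new_chain HIGHPORT
$IPTABLES -A HIGHPORT -j ACCEPT

# Create DMZ chain (log and drop)
new_chain DMZ
$IPTABLES -A DMZ -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (DMZ drop) "
$IPTABLES -A DMZ -j DROP

# Create DNS chain
new_chain DNS
$IPTABLES -A DNS -j ACCEPT

# Create OPEN chain
new_chain OPENPORT
$IPTABLES -A OPENPORT -j ACCEPT

# Create a monitoring chain for outgoing
new_chain MON_OUT
$IPTABLES -A MON_OUT -j ACCEPT

# Create a outgoing block chain
new_chain BLOCK_OUT
$IPTABLES -A BLOCK_OUT -j DROP

# Create 'scan' chain
new_chain SCAN
$IPTABLES -A SCAN -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (possible port scan) "
$IPTABLES -A SCAN -j DROP

# Exploit chain (target of the content filters further down)
if [ "$CHECK_ALL_CONTENT" = "YES" ] || [ "$CHECK_ALL_CONTENT" = "yes" ]; then
    new_chain EXPLOIT
    $IPTABLES -A EXPLOIT -j LOG --log-level "$LOG_LEVEL" --log-prefix "gShield (possible exploit) "
    $IPTABLES -A EXPLOIT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A EXPLOIT -p udp -j DROP
fi

# Global IP Limits for TCP connections
# Global IP limits are not available for
# 2.8 and earlier -- skeleton only
if [ "$ENABLE_GLOBAL_LIMIT" = "YES" ] || [ "$ENABLE_GLOBAL_LIMIT" = "yes" ]; then
    $IPTABLES -A INPUT -p tcp --syn -m iplimit --iplimit-above "$GLOBAL_LIMIT" -j DROP
    SYSLOG "global limit of $GLOBAL_LIMIT connections per ip"
fi

# ------------------------------------------------------------ #
# ------ [ Statefull connection tracking ] ------------------- #
# ------------------------------------------------------------ #

# Create connection tracking chain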
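$IPTABLES -N STATEFUL
$IPTABLES -F STATEFUL
$IPTABLES -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW connections are accepted on every interface except the external one
$IPTABLES -A STATEFUL -m state --state NEW -i ! "$LOCALIF" -j ACCEPT
$IPTABLES -A STATEFUL -j DROPnLOG

# IRC connection tracking
if [ "$IRC_MODULE" = "YES" ] || [ "$IRC_MODULE" = "yes" ]; then
    SYSLOG "Enabling IRC connection tracking for $IRC_PORTS"
    /sbin/modprobe ip_conntrack_irc ports="$IRC_PORTS" || SYSLOG "Error: Could not load irc tracking module"
    /sbin/modprobe ip_nat_irc ports="$IRC_PORTS" || SYSLOG "Error: Could not load irc NAT module"
fi

# ------------------------------------------------------------ #
# ------ [ Begin Filtering ] --------------------------------- #
# ------------------------------------------------------------ #

# ------ [ unclean packets ] --------------------------------- #

# Make sure the 1st things incoming packets
# are checked against is the unclean module
# If you get an error about "no such table", you do
# not have support for this option in your kernel. Re-review
# the kernel options for netfilter (ensure 'show experimental'
# is checked.
if [ "$TAINTED_MATCH" = "YES" ] || [ "$TAINTED_MATCH" = "yes" ]; then
    $IPTABLES -I INPUT -i "$EXTERNAL" -m unclean -j TAINTED || SYSLOG "Error: seems you do not have the unclean extension compiled."
fi

# ------ [ Content Filters ] -------------------------------------- #

if [ "$CHECK_ALL_CONTENT" = "YES" ] || [ "$CHECK_ALL_CONTENT" = "yes" ]; then
    SYSLOG "Enabling GLOBAL string drops"
    # The original iterated over the literal word "BAD_STRING" (missing $),
    # so the configured patterns from conf/global_content_drop were never
    # installed.  Patterns are still split on whitespace, as before, so a
    # multi-word line is matched word by word.
    for pattern in $BAD_STRING; do
        $IPTABLES -A INPUT -p tcp -m string --string "$pattern" -j EXPLOIT || SYSLOG "Error: Do you have string matching support?"
        $IPTABLES -A INPUT -p udp -m string --string "$pattern" -j EXPLOIT || SYSLOG "Error: Do you have string matching support?"
    done
fi

# ------ [ Loopback interface ] ----------------------------------- #

$IPTABLES -A INPUT -i lo -j loopback
$IPTABLES -A OUTPUT -o lo -j loopback

# ------ [ Blacklisted Hosts ] ----------------------------------- #

for kiddie_hosts in $BLACKLIST; do
    if [ "$DEBUG" = "YES" ]; then
        SYSLOG "Blacklisting: $kiddie_hosts"
    fi
    $IPTABLES -A INPUT -s "$kiddie_hosts" -j BLACKLIST || SYSLOG "Error: problem munching BLACKLIST. Check options in gShield.conf"
    $IPTABLES -A FORWARD -s "$kiddie_hosts" -j BLACKLIST
done

# ------ [ Ensure multi-homes systems play nice ] ----------------- #

#######################################
# Convert a dotted-quad netmask to its prefix length.
# Arguments: $1 - netmask such as 255.255.255.0
# Outputs:   prefix length (0-32) on stdout
# Returns:   1 when the mask is not four octets or is not contiguous
#            (the original only knew nine fixed masks and failed on
#            anything else, e.g. 255.255.254.0)
#######################################
mask_to_prefix() {
    _m2p_bits=0
    _m2p_count=0
    _m2p_ended=0      # set once an octet below 255 is seen: the rest must be 0
    _m2p_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_m2p_ifs
    for _m2p_oct in "$@"; do
        _m2p_count=$((_m2p_count + 1))
        case "$_m2p_oct" in
            255) _m2p_n=8 ;;
            254) _m2p_n=7 ;;
            252) _m2p_n=6 ;;
            248) _m2p_n=5 ;;
            240) _m2p_n=4 ;;
            224) _m2p_n=3 ;;
            192) _m2p_n=2 ;;
            128) _m2p_n=1 ;;
            0)   _m2p_n=0 ;;
            *)   return 1 ;;
        esac
        if [ "$_m2p_ended" = 1 ] && [ "$_m2p_n" != 0 ]; then
            return 1
        fi
        [ "$_m2p_n" = 8 ] || _m2p_ended=1
        _m2p_bits=$((_m2p_bits + _m2p_n))
    done
    [ "$_m2p_count" = 4 ] || return 1
    printf '%s\n' "$_m2p_bits"
}

#######################################
# Apply a dotted-quad netmask to an address.
# Arguments: $1 - address, $2 - netmask (both dotted quads)
# Outputs:   the network address on stdout (10.1.2.3 255.255.0.0 -> 10.1.0.0)
# Returns:   1 unless both arguments have four octets
#######################################
network_of() {
    _no_ifs=$IFS
    IFS=.
    set -- $1 $2
    IFS=$_no_ifs
    [ $# -eq 8 ] || return 1
    printf '%s.%s.%s.%s\n' "$(($1 & $5))" "$(($2 & $6))" "$(($3 & $7))" "$(($4 & $8))"
}

if [ "$MULTI" = "YES" ] || [ "$MULTI" = "yes" ]; then
    INTERNAL=$INTIF
    # $IFCONFIG from gShield.conf, like every other interface query in this
    # script, instead of a bare ifconfig found via PATH
    INTERNALADDR=$($IFCONFIG "$INTERNAL" | grep 'inet ' | head -n 1 | cut -d : -f 2 | cut -d ' ' -f 1)
    INTERNALMASK=$($IFCONFIG "$INTERNAL" | grep Mask | head -n 1 | cut -d : -f 4)
    PREFIX=$(mask_to_prefix "$INTERNALMASK") || {
        echo "FAILURE: Can't determine the right bit mask for your network!"
        echo "Netmask '$INTERNALMASK' on $INTERNAL is not a contiguous dotted-quad mask."
        exit 1
    }
    NETWORK=$(network_of "$INTERNALADDR" "$INTERNALMASK") || {
        echo "FAILURE: Can't determine the address of interface $INTERNAL!"
        exit 1
    }
    INTERNALNET="$NETWORK/$PREFIX"
    $IPTABLES -A INPUT -s "$INTERNALNET" -d "$INTERNALNET" -i "$INTERNAL" -j ACCEPT
fi

# ------------------------------------------------------------- #
# --------- [ NAT ] ------------------------------------------- #
# ------------------------------------------------------------- #

if [ "$NAT" = "YES" ] || [ "$NAT" = "yes" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    for natnet in $NATS; do
        SYSLOG "$natnet authorized for NAT"
        if [ "$STATIC" = "YES" ] || [ "$STATIC" = "yes" ]; then
            check_interface
            $IPTABLES -t nat -A POSTROUTING -s "$natnet" -o "$EXTERNAL" -j SNAT --to-source "$EXTERNALIP"
        else
            $IPTABLES -t nat -A POSTROUTING -s "$natnet" -o "$EXTERNAL" -j MASQUERADE
        fi
        # trust check for NAT clients: every NAT network may reach every other
        # one (and itself) on any non-external interface
        if [ "$TRUST_NAT" = "YES" ] || [ "$TRUST_NAT" = "yes" ]; then
            for peer in $NATS; do
                $IPTABLES -A INPUT -s "$natnet" -d "$peer" -i ! "$LOCALIF" -j ACCEPT
            done
        fi
    done
fi

# Transparent proxy stuff -- since it's part of the NAT munch
# we add it here.  NOTE(review): $INTERNAL is only set in the MULTI=yes
# branch above; with MULTI unset these rules get an empty -i/-o argument.
if [ "$ENABLE_TRANSPROXY" = "YES" ] || [ "$ENABLE_TRANSPROXY" = "yes" ]; then
    if [ -n "$PROXY_HOST" ]; then
        # external proxy host: redirect port 80 there and let it reach the clients
        $IPTABLES -t nat -A PREROUTING -i "$INTERNAL" -p tcp -s ! "$PROXY_HOST" --dport 80 -j DNAT --to "$PROXY_HOST:$PROXY_PORT"
        $IPTABLES -t nat -A PREROUTING -i "$INTERNAL" -p udp -s ! "$PROXY_HOST" --dport 80 -j DNAT --to "$PROXY_HOST:$PROXY_PORT"
        for SUBNET in $NATS; do
            $IPTABLES -t nat -A POSTROUTING -o "$INTERNAL" -p tcp -s "$SUBNET" -d "$PROXY_HOST" --dport 80 -j SNAT --to "$PROXY_HOST:$PROXY_PORT"
            $IPTABLES -t nat -A POSTROUTING -o "$INTERNAL" -p udp -s "$SUBNET" -d "$PROXY_HOST" --dport 80 -j SNAT --to "$PROXY_HOST:$PROXY_PORT"
            $IPTABLES -A FORWARD -i "$INTERNAL" -o "$INTERNAL" -p tcp -s "$SUBNET" -d "$PROXY_HOST" --dport "$PROXY_PORT" -j ACCEPT
            $IPTABLES -A FORWARD -i "$INTERNAL" -o "$INTERNAL" -p udp -s "$SUBNET" -d "$PROXY_HOST" --dport "$PROXY_PORT" -j ACCEPT
        done
    else
        # proxy on this host: redirect port 80 locally, except NAT-to-NAT traffic
        for SUBNET in $NATS; do
            for SUBNET2 in $NATS; do
                $IPTABLES -t nat -A PREROUTING -p tcp -s "$SUBNET" -d ! "$SUBNET2" --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
                $IPTABLES -t nat -A PREROUTING -p udp -s "$SUBNET" -d ! "$SUBNET2" --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
            done
        done
    fi
fi

# ------------------------------------------------------------- #
# --------- [ FORWARDING ] ------------------------------------ #
# ------------------------------------------------------------- #

# Many thanks to J. Benson who contributed the main
# aspect of this section for internal forwarding. If it
# wasn't for his crazed forwarding needs, we wouldn't have
# this. C. Gielen sent along a patch to easily allow
# multiple port forwards as well.

#######################################
# First field of an "IP:PORT" token (like awk -F : '{print $1}').
# Arguments: $1 - token
# Outputs:   the part before the first ':' (the whole token if none)
#######################################
fwd_ip() {
    printf '%s\n' "${1%%:*}"
}

#######################################
# Second field of an "IP:PORT" token (like awk -F : '{print $2}').
# Arguments: $1 - token
# Outputs:   the part between the first and second ':', empty if no ':'
#######################################
fwd_port() {
    case "$1" in
        *:*)
            _fp_rest=${1#*:}
            printf '%s\n' "${_fp_rest%%:*}"
            ;;
        *)
            printf '\n'
            ;;
    esac
}

if [ "$FORWARDING" = "YES" ] || [ "$FORWARDING" = "yes" ]; then
    # One record per entry: ALLOWFROM PROTO SRCIP:SRCPRT DSTIP:DSTPRT.  As in
    # the original, the records are consumed as a flat word stream four words
    # at a time.  The subshell keeps 'set --' from clobbering the script's own
    # positional parameters.
    (
        set -- $FORWARDS
        while [ $# -ge 4 ]; do
            ALLOWFROM=$1
            PROTO=$2
            SRCSPEC=$3
            DSTSPEC=$4
            shift 4
            SRCIP=$(fwd_ip "$SRCSPEC")
            SRCPRT=$(fwd_port "$SRCSPEC")
            DSTIP=$(fwd_ip "$DSTSPEC")
            DSTPRT=$(fwd_port "$DSTSPEC")
            # A malformed record used to hang the firewall start: the sed that
            # removed the processed record never matched, so the loop never
            # ended.  Now the record is reported and skipped.
            if [ -z "$SRCIP" ] || [ -z "$SRCPRT" ] || [ -z "$DSTIP" ] || [ -z "$DSTPRT" ]; then
                SYSLOG "Error: skipping malformed forward entry '$ALLOWFROM $PROTO $SRCSPEC $DSTSPEC'"
                continue
            fi
            ip address add "$SRCIP" dev "$LOCALIF" 2>/dev/null
            if [ "$DSTPRT" = "0" ]; then
                # destination port 0: keep the original port(s); the source
                # port may be a range written a-b, which iptables wants as a:b
                FWD_PORT=$(printf '%s\n' "$SRCPRT" | sed "s/-/:/")
                NAT_PORT=$FWD_PORT
                NAT_TO=$DSTIP
                LOGDST=$DSTIP
            else
                FWD_PORT=$DSTPRT
                NAT_PORT=$SRCPRT
                NAT_TO="$DSTIP:$DSTPRT"
                LOGDST="$DSTIP:$DSTPRT"
            fi
            # grok thru the list for protocols (tcp, TCP and anything
            # unrecognised all mean tcp, as before)
            case "$PROTO" in
                both|BOTH)
                    PROTOS="tcp udp"
                    LOGPROTO="tcp/udp"
                    ;;
                udp|UDP)
                    PROTOS="udp"
                    LOGPROTO="udp"
                    ;;
                *)
                    PROTOS="tcp"
                    LOGPROTO="tcp"
                    ;;
            esac
            for proto in $PROTOS; do
                $IPTABLES -I FORWARD -p "$proto" -d "$DSTIP" --dport "$FWD_PORT" -j ACCEPT
            done
            for proto in $PROTOS; do
                $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$LOCALIF" -s "$ALLOWFROM" -d "$SRCIP" --dport "$NAT_PORT" -j DNAT --to "$NAT_TO"
            done
            SYSLOG "Forwarding $LOGPROTO $SRCIP:$SRCPRT -> $LOGDST for $ALLOWFROM"
        done
        if [ $# -ne 0 ]; then
            SYSLOG "Error: ignoring incomplete forward entry '$*'"
        fi
    )
else
    SYSLOG "Custom forwards DISabled"
fi

# ------ [ Reserved nets ] --------------------------------------- #

for reserved_ips in $NONROUTES; do
    $IPTABLES -A INPUT -s "$reserved_ips" -i "$EXTERNAL" -j RESERVED
done

# ------ [ Multicast ] --------------------------------------- #

for casters in $MULTICAST; do
    $IPTABLES -A INPUT -s "$casters" -i "$EXTERNAL" -j MULTICAST
done

# ------ [ ICMP's ] ------------------------------------------ #

if [ "$ICMP_ALLOW_ALL" = "NO" ] || [ "$ICMP_ALLOW_ALL" = "no" ]; then
    SYSLOG "Filtering ICMP"
    $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j DROPICMP
else
    # rate-limited accept; anything above the limit falls through to later rules
    SYSLOG "Allowing all ICMP at rate of $ICMP_RATE"
    $IPTABLES -A INPUT -p icmp -m limit --limit "$ICMP_RATE" -j ACCEPT
fi

# ------ [ Traceroutes ] -------------------------------------- #

if [ "$TRACE_ALLOW_ALL" = "NO" ] || [ "$TRACE_ALLOW_ALL" = "no" ]; then
    SYSLOG "Denying all traceroutes"
else
    SYSLOG "Allowing all traceroutes"
    $IPTABLES -A INPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
fi

# ------ [ Admin Host ] --------------------------------------- #

# Admin access is tied to an IP *and* a MAC address.  The MAC check only
# means something for a host on a directly attached segment; behind a
# router the source MAC is the router's.
if [ "$ADMIN_HOST" = "YES" ] || [ "$ADMIN_HOST" = "yes" ]; then
    SYSLOG "Enabling administrative access for host $ADMIN_HOST_IP with mac address $ADMIN_HOST_MAC"
    $IPTABLES -N ADMIN 2> /dev/null
    $IPTABLES -F ADMIN
    $IPTABLES -A ADMIN -m mac --mac-source ! "$ADMIN_HOST_MAC" -j DROP
    $IPTABLES -A ADMIN -j ACCEPT
    $IPTABLES -A INPUT -s "$ADMIN_HOST_IP" -j ADMIN
fi

# ------ [ DHCP leases ] --------------------------------------- #

if [ "$ALLOW_DHCP_LEASES" = "YES" ] || [ "$ALLOW_DHCP_LEASES" = "yes" ]; then
    if [ "$LOG_DHCP" = "YES" ] || [ "$LOG_DHCP" = "yes" ]; then
        DHCP_TARGET=DHCP      # log-then-accept chain
    else
        DHCP_TARGET=ACCEPT
    fi
    for dhcp_srv in $DHCP_SERVERS; do
        $IPTABLES -A INPUT -p udp -s "$dhcp_srv" --sport 67 -i "$LOCALIF" --dport 68 -j "$DHCP_TARGET"
    done
fi

# ------ [ Time servers ] ---------------------------------------- #
# Connection tracking seems to deal with this fine, but it is nice
# to ensure NTP packets can enter

if [ "$ALLOW_TIME" = "YES" ] || [ "$ALLOW_TIME" = "yes" ]; then
    for ntp_srv in $TIMESERVERS; do
        $IPTABLES -A INPUT -p udp -s "$ntp_srv" --sport 123 --dport 1024: -j ACCEPT
    done
fi

# ------ [ DMZ'd machines ] ------------------------------------- #

# Traffic *to* a DMZ host is accepted unconditionally in INPUT and FORWARD;
# traffic *from* a DMZ host arriving at this host is logged and dropped.
if [ "$HAVE_DMZ" = "YES" ] || [ "$HAVE_DMZ" = "yes" ]; then
    for dmz_host in $DMZ; do
        SYSLOG "DMZing $dmz_host"
        $IPTABLES -A INPUT -d "$dmz_host" -j ACCEPT
        $IPTABLES -A FORWARD -d "$dmz_host" -j ACCEPT
        $IPTABLES -A INPUT -s "$dmz_host" -j DMZ
    done
fi

# ------ [ Routable chains ] ------------------------------------- #

if [ "$HAVE_ROUTABLES" = "YES" ] || [ "$HAVE_ROUTABLES" = "yes" ]; then
    SYSLOG "Configuring for routable addresses"
    # ensure ipforwarding is enabled
    echo 1 > /proc/sys/net/ipv4/ip_forward
    . "$FW_ROOT/routables/routables.conf"
    . "$FW_ROOT/routables/routable.rules"
fi

# ------ [ DNS servers ] -------------- #
# 2.1 / added auto-configuration, hats off
# to William Stearns and
# his masonlib which had this handy grep/awk

if [ "$DNS" = "AUTO" ] || [ "$DNS" = "auto" ]; then
    DNS=$(grep '^nameserver' /etc/resolv.conf | awk '{print $2}')
fi

# Anything with source port 53 from a configured server address is let in,
# whatever the destination port; the STATEFUL chain would already admit the
# replies to our own queries.
for dns_srv in $DNS; do
    $IPTABLES -A INPUT -p udp -s "$dns_srv" --sport 53 -j DNS
done

# ------ [ Authorized Public services ] ------------------------ #

. "${FW_ROOT}/sourced/services.rules" || echo "[gShield] error: cannot load services.rules."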
# ------ [ Closed ports ] --------------------------------------- # for c in $CLOSEDPORTS do SYSLOG "Closing port $c" $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $LOCALNET --dport $c -j CLOSED $IPTABLES -A INPUT -p udp -s $REMOTENET -d $LOCALNET --dport $c -j CLOSED done # ------ [ Authorized highport connections ] ------------------- # if [ "$ALLOW_ALL_HIGHPORT" = "YES" -o "$ALLOW_ALL_HIGHPORT" = "yes" ]; then SYSLOG "Allowing highport access from everyone..." $IPTABLES -A INPUT -p tcp -s 0/0 --dport 1024: -j HIGHPORT $IPTABLES -A INPUT -p udp -s 0/0 --dport 1024: -j HIGHPORT else for all in $HIGHPORTS do $IPTABLES -A INPUT -p tcp -s $all --dport 1024: -j HIGHPORT $IPTABLES -A INPUT -p udp -s $all --dport 1024: -j HIGHPORT done fi # ------ [ Authorized client hosts ] ---------------------------- # for f in $CLIENTHOSTS do for g in $CLIENTSERVICES do $IPTABLES -A INPUT -p tcp -s $f -i $LOCALIF --dport $g -j CLIENT $IPTABLES -A INPUT -p udp -s $f -i $LOCALIF --dport $g -j CLIENT done done # ------ [ Open Ports ] ----------------------------------------- # for oall in $OPENPORTS; do SYSLOG "Opening port $oall" $IPTABLES -A INPUT -p tcp --dport $oall -j OPENPORT $IPTABLES -A INPUT -p udp --dport $oall -j OPENPORT done # -------------------------------------------------------------------- # # ------ [ Outgoing blocks ] ---------------------------------------- # # -------------------------------------------------------------------- # # close netfilter flaw # http://www.netfilter.org/security/2002-04-02-icmp-dnat.html $IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP # blocked ports for all in $NOOUT; do SYSLOG "Blocking outgoing port $all" $IPTABLES -A OUTPUT -p tcp --dport $all -j BLOCK_OUT $IPTABLES -A OUTPUT -p udp --dport $all -j BLOCK_OUT $IPTABLES -A FORWARD -p tcp --dport $all -j BLOCK_OUT $IPTABLES -A FORWARD -p udp --dport $all -j BLOCK_OUT done # block addresses for all in $NOACCESS; do SYSLOG "Blocking connections to $all" $IPTABLES -A OUTPUT -p tcp 
-d $all -j BLOCK_OUT $IPTABLES -A OUTPUT -p udp -d $all -j BLOCK_OUT $IPTABLES -A FORWARD -p tcp -d $all -j BLOCK_OUT $IPTABLES -A FORWARD -p udp -d $all -j BLOCK_OUT done # ------ [ TCP Flags ] ---------------------------------------------- # # DROP and LOG packets which have specific TCP flags set # In many cases this is indicative of portscans # Block XMAS packets if [ "$BLOCK_XMAS" = "yes" -o "$BLOCK_XMAS" = "YES" ]; then $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -m state --state ! ESTABLISHED -j SCAN $IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j SCAN fi # Block NULL packets if [ "$BLOCK_NULL" = "yes" -o "$BLOCK_NULL" = "YES" ]; then $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -m state --state ! ESTABLISHED -j SCAN $IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j SCAN fi # Block FIN scans if [ "$BLOCK_FIN" = "yes" -o "$BLOCK_FIN" = "YES" ]; then $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j SCAN fi # ------ [ Set STATE ] ----------------------------------------------- # $IPTABLES -A INPUT -j STATEFUL if [ "$NOSMB" = "YES" -o "$NOSMB" = "yes" ]; then SMB="137 138 139" for all in $SMB; do $IPTABLES -A OUTPUT -p tcp -o $EXTERNAL --dport $all -j BLOCK_OUT $IPTABLES -A OUTPUT -p udp -o $EXTERNAL --dport $all -j BLOCK_OUT $IPTABLES -A FORWARD -p tcp -o $EXTERNAL --dport $all -j BLOCK_OUT $IPTABLES -A FORWARD -p udp -o $EXTERNAL --dport $all -j BLOCK_OUT done $IPTABLES -A FORWARD -j STATEFUL else $IPTABLES -A FORWARD -j STATEFUL fi # -------------------------------------------------------------------- # # ------ [ TOS ] ---------------------------------------------------- # # -------------------------------------------------------------------- # # Set type of service rules for outgoing connections # echo "Setting TOS values for outgoing connections" # Many thanks to damaged for some ideas on detecting # iptables versions if [ "$TOS" = "YES" -o "$TOS" = "yes" ]; then case "$IPTABLES_VERSION" in 
v1.2.1|v1.2.2|v1.2.1a|v1.2|v1.1.2|v1.1.1) TOSMD="16" TOSMT="8" TOSMR="4" TOSMC="2" SYSLOG "TOS settings for iptables version(s) < 1.2.3" ;; *) TOSMD="Minimize-Delay" TOSMT="Maximize-Throughput" TOSMR="Maximize-Reliability" TOSMC="Minimize-Cost" esac # -- Maximize throughput $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos $TOSMT $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos $TOSMT $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos $TOSMT $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 119 -j TOS --set-tos $TOSMT # munch the incoming TOS as well $IPTABLES -A PREROUTING -t mangle -p tcp --sport 20 -j TOS --set-tos $TOSMT $IPTABLES -A PREROUTING -t mangle -p tcp --sport 22 -j TOS --set-tos $TOSMD $IPTABLES -A PREROUTING -t mangle -p tcp --sport 23 -j TOS --set-tos $TOSMD $IPTABLES -A PREROUTING -t mangle -p tcp --sport 80 -j TOS --set-tos $TOSMT # -- Minimize delay $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 22 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 23 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 53 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 53 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 119 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 110 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 143 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 6660:6669 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 
7000 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 7500 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 7501 -j TOS --set-tos $TOSMD $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 7777 -j TOS --set-tos $TOSMD fi # ------------------------------------------------------------ # # ------ [ Packet marking for QoS ] -------------------------- # # ------------------------------------------------------------ # # We mark specific traffic in case we need to do more # advanced routing later if [ "$QOS" = "YES" -o "$QOS" = "yes" ]; then # mark "mail/news" traffic to "1" MAIL="25 110 119 143 993 995" for marked in $MAIL do $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $marked -j MARK --set-mark 1 $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $marked -j MARK --set-mark 1 done # mark "interactive" traffic to "2" LOGIN="22 23 6667" for interactive in $LOGIN do $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $interactive -j MARK --set-mark 2 $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $interactive -j MARK --set-mark 2 done # mark "web" traffic to "3" WEB="80 443" for web in $WEB do $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $web -j MARK --set-mark 3 $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $web -j MARK --set-mark 3 done # mark "game" traffic to "4" GAMES="27910:27980 7777 22450 26000 26950 27015 27020 27500 28000:28008 28910" for games in $GAMES do $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $games -j MARK --set-mark 4 $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $games -j MARK --set-mark 4 done fi # ------------------------------------------------------------- # # --------- [ TCPMSS Fix for broken providers ] --------------- # # ------------------------------------------------------------- # # Hat's off to Dan Christensen for urging me to # 
include at least a warning about this issue. if [ "$TCPMSS" = "YES" -o "$TCPMSS" = "yes" ]; then $IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || echo "[gShield] error: problem loading TCPMSS extension." fi # ------------------------------------------------------------- # # -- [ Check for user runtime file ] -------------------------- # # ------------------------------------------------------------- # if [ -e ${FW_ROOT}/gshield.last ]; then SYSLOG "User defined file found: sourcing.." . ${FW_ROOT}/gshield.last || echo "[gShield] Error: problem sourcing ${FW_ROOT}/gshield.last" fi gShield-2.8/gShield.conf0100400000175000017500000006724507474532445014225 0ustar godotgodot#!/bin/sh # vim: set sw=4 ts=4 et: # $Id: gShield.conf,v 1.138 2002-05-27 18:37:24-04 godot Exp $ # ------------------------------------------- # # ----- [ gShield configuration ] ----------- # # ------------------------------------------- # # # # Please make sure you read through the # # -entire- configuration # # # # Kernel-specific network options are # # located at the end -- the defaults should # # be fine, but they -ARE- configurable # # ------------------------------------------- # # ------------------------------------------- # # Yes, this config is somewhat long, but # # it will serve you well to go through the # # whole thing -- the defaults are fine for # # most folks, and "out of the box" gShield # # will: # # # # - allow identd connections # # - set sane limits for pings # # - provide NAT/IPmasq for 192.168.1.0/24 # # # # ------------------------------------------- # # ------------------------------------------- # # If you have specific commands or rules # # which you need gShield to run, you have two # # options: # # # # create "gshield.first" in FW_ROOT # # # # - gShield sources this file "first" # # immediately after flushing the fw # # # # create "gshield.last" in FW_ROOT # # # # - gShield will source this file # # as the last act it does # # # # 
Hopefully this will give folks flexibility # # if they have customized commands/rules # # ------------------------------------------- # # ------------------------------------------- # # Firewall root # # Location of gShield installation # # --------------------------------------------# FW_ROOT="/etc/firewall" # ------------------------------------------- # # Path to needed programs # # --------------------------------------------# # gShield tries to auto-detect this, if it's in # your path. If this is not the case, and you # need to manually set this option, it should take # the following form (for example): # IPTABLES="/usr/local/sbin/iptables" # You SHOULD REALLY set this below to # the actual path to iptables as opposed # to hoping gShield will figure it out. # Include the quotes as the example above # has. IPTABLES=`which iptables` # Same with ifconfig below IFCONFIG=`which ifconfig` # ------------------------------------------- # # gShield Logging options # # --------------------------------------------# # Set SYSLOG to "true" below # if you wish gShield to also # log to the system log; otherwise # gShield will log to STDOUT. # this option is for the various # messages gShield produces when # starting up, NOT iptables-specific # logging (which is handled by # syslogd itself). # Again, this options has NOTHING # to do with logs which are generated # by dropped packets # you must have "logger" in your # path for gShield to pull this # off. Valid options below are: # true, false (case sensitive) # NOTE: this option does NOT have quotes SYSLOG=false # ------------------------------------------- # # Interfaces # # --------------------------------------------# # Which interface connects you # to the "world"? For PPP users # this should be ppp0 (for example) LOCALIF="eth0" # Is your ip STATIC or Dynamic? 
# if you use PPPoE or DHCP, keep # it "NO" -- if it is truly a # static address, set it to YES STATIC="NO" # If this is a multi-homed setup # (i.e., another interface connects # to a local LAN), set MULTI="yes" # below. This adds some logic # to ensure machines on the LAN # can access the firewall even if # they are not listed in NATS # options: YES, NO MULTI="NO" # If the above is yes, set INTIF # below to the interface which # connects the local net INTIF="eth1" # ------------------------------------------- # # DNS servers # # --------------------------------------------# # DNS servers # List the DNS servers you use here # If set to AUTO, gShield will read # this variable from /etc/resolv.conf DNS="AUTO" # ------------------------------------------- # # Log options for iptables/netfilter # # --------------------------------------------# # A few things to remember-- gShield produces # its own "messages" on startup, but iptables # itself logs through the system log (i.e., # syslog) -- so, if you tell gShield to log # packets, iptables will pass the log onto # syslog for processing. # This means if you're getting messages on your console, # and don't want that, you need to look over -syslog.conf- # to configure what is logged where. Syslog logs # by "facility", and you can customize what facility # gShield sends to syslog a little bit further down. # [ Logging rate ] # gShield tries to reduce the amount of logging # it generates for many cases. # You can adjust this value as needed below # This is the -DEFAULT- logging rate for all # default drops (which defaults to 20 per MINUTE) LTIME="20/m" # Should we log reserved addresses? Multicast # is included here. options: YES, NO LOG_RESERVED="NO" # IN GENERAL, do you want a default policy # of logging dropped packets? options: YES, NO DEFAULT_LOGGING="YES" # Additionally, you can specify at what level gShield # sends logging information to syslog.
The default # should work fine for most folks, but if you want # to alter this, see the man page for syslog.conf # NOTE: iptables 1.2.3 prefers this numeric LOG_LEVEL="4" # You can also decide to make use of netfilter's # userspace logging facility (the QUEUE target). # If you set USE_QUEUE to "YES" below, netfilter # will pass logging information to the QUEUE -not- # the standard LOG target. # If you don't know what this is, set to NO. # This will -bypass- many default logging options # if enabled, and requires specific support in # the kernel. USE_QUEUE="NO" # In addition, gShield can -increase- the amount of # logging of some common messages relating to # connection tracking. See netfilter FAQ, section # 3.1 # This is generally only helpful for # diagnostic purposes. Options: YES, NO NAT_LOG_INVALID="NO" # ------------------------------------------- # # How to respond to dropped packets # # --------------------------------------------# # Set "response" policy. # gShield provides the option to configure how it # "responds" to packets it intends to munch. # You have THREE choices for TCP: # - RESET (send a tcp-reset - the default) # - DROP (drop the packet totally) # - REJECT (send a "normal" iptables reject) TCP_RESPONSE="RESET" # You have FOUR choices for UDP: # - RESET (send an icmp-port-unreachable - the default) # - DROP (drop the packet totally) # - REJECT (send a "normal" iptables reject for UDP) # - PROHIBIT (send icmp-host-prohibited) UDP_RESPONSE="RESET" # NOTE: Some folks are convinced dropping packets # completely makes the firewall "stealthy"; I do not # share this view - gShield defaults to the "proper" # responses which would be made if no service were # listening. But feel free to drop away :) # ------------------------------------------- # # DHCP user options # # --------------------------------------------# # -[ DHCP Users ] # This option allows DHCP requests thru the # firewall.
If you get your main IP via # a DHCP service (cable user), set this # to YES # options: YES, NO ALLOW_DHCP_LEASES="YES" # Generally speaking, most providers have 1 or # 2 DHCP servers which send out the leases. Since # we don't want to open access too much, list # the ips of these DHCP servers below. If you don't # know the address of these servers, just run the firewall # and wait a bit-- they'll show up when your DHCP # lease expires :) DHCP_SERVERS="21.31.194.62 21.31.194.62" # Do you want to log these requests? # options: YES, NO LOG_DHCP="YES" # ------------------------------------------- # # Time servers # # --------------------------------------------# # Having your machine ensure its time is set correctly # is a good thing. Allow time syncs through? # options: YES, NO ALLOW_TIME="NO" # list the servers here. TIMESERVERS="132.163.135.130 128.118.25.3 131.107.1.10" # ------------------------------------------- # # Blacklisted Clients # # --------------------------------------------# # if the below is set to "AUTO" # then gShield will pull out any # client address listed in hosts.deny # prefixed by ALL and drop all # connections from that client. # If you do not know how to deal # with hosts.deny see 'man hosts_access' # there -are- some limitations: # gShield does not deal with # whole domains within hosts.deny # it needs to be a -numeric- or # range (no more using .aol.com ;p) # Be advised, if you have whole # domains listed, iptables will # spew errors.
# If set to AUTO, gShield WILL NOT # read black_listed_hosts # options: AUTO, NORMAL BLACKLISTED="NORMAL" # Should we log drops/connections from blacklisted # hosts (those listed in conf/black_listed_hosts, # or in /etc/hosts.deny if BLACKLISTED is set # to AUTO)? # options: YES, NO LOG_BLACKLIST="YES" # ------------------------------------------- # # Highport access (ports > 1024) # # --------------------------------------------# # By default, gShield drops all highport # connections via the default policy. To allow # -individual- clients access to highports, one # should add these hosts to conf/highport_access # (for example, specific irc botnets or whatnot). # If you want to -disable- this highport protection, # and allow highports to be accessible to THE WORLD, # set ALLOW_ALL_HIGHPORT below to "YES" ALLOW_ALL_HIGHPORT="NO" # ------------------------------------------- # # Network Address Translation / IPMasq # # --------------------------------------------# # ------------------------------------------- # # If you need gShield to provide NAT services # # (ipmasq of the ipchains era), then set # # NAT to "YES" below -AND- edit # # /etc/firewall/conf/NATS -- # # /etc/firewall/conf/NATS needs to have the # # private range you wish to NAT for - the # # default is 192.168.1.0/24 # # ------------------------------------------- # # options: YES, NO NAT="YES" # Some folks have had problems with # some providers and PPPoE whereby # NAT'd clients cannot establish # connections. # If you think you are experiencing issues # such as this, install the TCPMSS patch # from the iptables patch-o-matic source # and set TCPMSS to "YES" below. TCPMSS="NO" # ------------------------------------------- # # ICMP and Traceroutes # # --------------------------------------------# # if ICMP_ALLOW_ALL is set to "NO", gShield # will drop "bad" icmp -- not replying to # echo requests but still allowing internal # pings to work correctly.
# Thus, if you set the below to NO, gShield # will accept destination-unreachable, # time-exceeded, and echo-reply -- and # drop the rest # If you want to reply to ALL icmp, set # ICMP_ALLOW_ALL to "YES" ICMP_ALLOW_ALL="YES" # EVEN if you allow all ICMP, gShield sets "sane" # limits on how it goes about accepting ICMP. # The default is 1 per second; this is configurable # below -- for most folks, the default is fine ICMP_RATE="60/m" # ICMP Logging # Should we log ICMP drops? ICMP_LOG="NO" # If you want to allow traceroutes -to- # the firewall box, set TRACE_ALLOW_ALL # to "YES". It is very difficult to completely # stop traceroutes- gShield blocks the "standard" # approach if set to NO below TRACE_ALLOW_ALL="YES" # ------------------------------------------- # # Administrative Hosts # # --------------------------------------------# # gShield allows a host to be listed as # -COMPLETELY- trusted with respect to access # However, it is restrictive -- you # need BOTH the IP of this host -AND- # the MAC address of its ethernet card # Set below to YES if you need an ADMIN host ADMIN_HOST="NO" # The host's IP ADMIN_HOST_IP="192.168.1.6" # The mac address of the admin host's ethernet # card. # Note: -inappropriate- if the admin host # is separated from the firewall by a router # (the MAC seen is then the router's), and a matching # IP and MAC are not strong proof of identity for a # -COMPLETELY- trusted host. ADMIN_HOST_MAC="09:80:c8:f2:2c:2d" # ------------------------------------------- # # Routable protection # # --------------------------------------------# # If you have machines BEHIND the firewall # which have NON-private ips AND you want # to allow traffic to these machines, # set HAVE_ROUTABLES to "YES". # You will ALSO have to ADD the IPS of these machines # to /etc/firewall/routables/routable_hosts # AND EDIT /etc/firewall/routables/routables.conf # options: YES, NO HAVE_ROUTABLES="NO" # ------------------------------------------- # # DMZ # # --------------------------------------------# # DMZ'd machines are hosts which gShield should # allow FULL access to.
gShield does NOT # trust this machines and will drop all connections # made from them to the firewall itself # options: YES, NO # gShield does NOT currently think -private- ip's # are proper candidates for the DMZ. I am aware # some folks think this is a fine idea. HAVE_DMZ="NO" # Make sure to add the ips of the DMZ'd hosts # to /etc/firewall/DMZ/dmz_hosts # ------------------------------------------- # # PPTP # # --------------------------------------------# # For those wishing to enable PPTP, D. Powell # was nice enough to send in patches for this # functionality. I've added restriction policies. # If you wish to NAT pptp connections, you will # need to explore the pptp-conntrack-nat.patch # available in the iptables source. # options: OPEN, CLOSED, FORWARD, RESTRICTED # RESTRICTED assumes you -will- forward PPTP # connections, but ONLY from a specific range as # defined in conf/pptp_allowed_hosts PPTP_SERVICE="CLOSED" PPTP_HOST="x.x.x.x" # ------------------------------------------- # # Transparent Proxy # # --------------------------------------------# # If you wish to ensure web traffic is pumped thru # a proxy regardless of the client configuration, # set ENABLE_TRANSPROXY to "YES" and fill out the rest. # These are the squid options I enable # in squid itself: # http_port, httpd_accel_host, httpd_accel_port, # httpd_accel_with_proxy and httpd_accel_uses_host_header ENABLE_TRANSPROXY="NO" # port proxy listens on PROXY_PORT="3128" # If your proxy is different from the firewall, set # its ip here. Same holds when the proxy is on the # firewall but listening on a virtual interface PROXY_HOST="192.168.1.12" # ------------------------------------------- # # Common Exploit Matching # # --------------------------------------------# # Starting with gShield 2.8 -IF- you have # the experimental string matching, and want # to drop connections which match common # buffer overflow characteristics, you may # enable this below. 
This is especially # useful for protecting webservers and the # like from "kiddie" attacks. # gShield will drop any connection in which # it can match "bad" strings contained # in conf/global_content_drop # -------------------------------------------- # # -- WARNING --------------------------------- # # -------------------------------------------- # # The patches for string matching ARE AN # EXPERIMENTAL PATCH for iptables # string matching is -expensive- # as the kernel must inspect the content of # incoming packets, and enabling matching # here inspects -ALL- incoming packets # IF you really want to enable this # set CHECK_ALL_CONTENT to YES # -------------------------------------------- # # -- WARNING --------------------------------- # # -------------------------------------------- # # Enabling this will check content on -ALL- # incoming connections # Don't despair -- if you want to simply # protect specific -services- (such as http) # you CAN restrict string matches to specific # services (see the service section below) # There are many good reasons NOT to enable # such a feature - among them the standard claim # that this level of inspection has no place # in a packet filter, and the fact that matching # is done one packet at a time, so it is no # substitute for patching the exposed service. # Use at your discretion. CHECK_ALL_CONTENT="NO" # ------------------------------------------- # # Services and Port-forwarding # # --------------------------------------------# # Here you can set which services are OPEN and # accessible to EVERY host, as well as set # connections to these services to be forwarded to # a host behind the firewall. # Remember, you can ALSO set specific services # to be accessible ONLY to specific CLIENTS # see the README for more details on this # By default gShield -trusts- internal clients # (as listed in NATS) -- you can thus set a service # to NO, and still have internal access to that # service.
# for each service, you have -3- possible # options: OPEN, FORWARD or NO # OPEN == open to the world # FORWARD == open and forward connections to defined host # NO == do not open that service # ------------------------------------------- # # --- [ FTP ] ------------------------------- # # ------------------------------------------- # # Allow FTP connections (either local or forwarded) # options are OPEN, FORWARD, NO # To review, OPEN opens the service to the world, # FORWARD will open the port AND forward connections # to the ip listed in FTP_HOST, and NO will not # allow connections to that port. FTP_SERVICE="NO" # If you have set FTP_SERVICE to "FORWARD" # define the host to which you want FTP # forwarded. FTP_HOST="192.168.1.6" # ------------------------------------------- # # ---[ Web services ] ----------------------- # # ------------------------------------------- # # HTTP # options are OPEN, FORWARD, NO HTTP_SERVICE="NO" HTTP_HOST="192.168.1.6" # -- /// start extra httpd settings # ------------------------------ # # -- String Matching for HTTP -- # # ------------------------------ # # -IF- you have string matching support # you may enable string-specific drops # for incoming or forwarded HTTP requests. # To enable, set HTTP_STRING_MATCH to "YES" # below. IF YOU enable this option, add # the strings you wished to be dropped # in conf/http_string_drop HTTP_STRING_MATCH="NO" # If you want drops due to content matching # logged, set HTTP_STRING_MATCH_LOG to "YES" HTTP_STRING_MATCH_LOG="NO" # -- /// end extra httpd settings # HTTPS # options are OPEN, FORWARD, NO HTTPS_SERVICE="NO" HTTPS_HOST="192.168.1.2" # ------------------------------------------- # # --- [ Mail ] ------------------------------ # # ------------------------------------------- # # SMTP # options are OPEN, FORWARD, NO SMTP_SERVICE="NO" SMTP_HOST="x.x.x.x" # K. 
Root pointed out there are some cases # where having an SMTP "proxy" is useful # If you need to ensure all SMTP connections # are transparently redirected, enable # SMTP_PROXY below # NOTE: this affects -outgoing- # connections, not incoming. # Use an SMTP Proxy? Options: YES, NO SMTP_PROXY="NO" # If SMTP_PROXY is set to "YES", note # where SMTP connections should be # directed SMTP_PROXY_HOST="x.x.x.x" # POP # options are OPEN, FORWARD, NO POP_SERVICE="NO" POP_HOST="x.x.x.x" # IMAP # options are OPEN, FORWARD, NO IMAPD_SERVICE="NO" IMAPD_HOST=x.x.x.x # IMAP-SSL # options are OPEN, FORWARD, NO IMAPDSSL_SERVICE="NO" IMAPDSSL_HOST=x.x.x.x # ------------------------------------------- # # --- [ DNS ] ------------------------------ # # ------------------------------------------- # # BIND # BIND options are somewhat different # from the rest: # Should we enable the BIND service? BIND_SERVICE="NO" # If you set the following to YES, make # sure you are using proper ACL's for bind ALLOW_ZONE_TRANSFERS="NO" # Is bind running locally on the firewall? LOCAL_BIND="NO" # Should gShield specifically forward # bind connections? FORWARD_BIND="NO" # To where? DNS_HOST="x.x.x.x." # ------------------------------------------- # # --- [ Login ] ---------------------------- # # ------------------------------------------- # #--[ sshd ]-- # options are OPEN, FORWARD, NO SSHD_SERVICE="NO" SSHD_HOST="x.x.x.x" # ------------------------------------------- # # --- [ Peer to Peer Services ] ------------ # # ------------------------------------------- # # This is a general framework for supporting # p2p services such as napster, gnutella, # musiccity, etc. # options are OPEN, FORWARD, NO P2P_SERVICE="NO" # What port does the service use? # NOTE: the example below is for # musiccity -- you will need to determine # what port your p2p client uses.
P2P_PORT="8888" P2P_HOST="192.168.1.2" # ------------------------------------------- # # --- [ Interactive logins ] ---------------- # # ------------------------------------------- # # Telnet # options: OPEN, FORWARD, NO TELNET_SERVICE="NO" TELNETD_HOST="x.x.x.x" # ------------------------------------------- # # --- [ NFS serving ] ----------------------- # # ------------------------------------------- # # options: # OPEN, FORWARD, NO NFS_SERVICE="NO" NFS_SERVICE_HOST="x.x.x.x" # ------------------------------------------- # # --- [ auth ] ------------------------------ # # ------------------------------------------- # # options: # OPEN, FORWARD, NO, RETURN, REJECT # auth has the additional options of sending # a tcp-reset back (RETURN) or a standard REJECT # regardless of the default gShield response setting IDENTD_SERVICE="OPEN" IDENTD_HOST="x.x.x.x" # ------------------------------------------- # # ------[ Misc services ] ------------------- # # ------------------------------------------- # # options: # OPEN, FORWARD, NO # fingerd FINGER_SERVICE="NO" FINGER_HOST="x.x.x.x" # time services TIME_SERVICE="NO" TIME_SERVICE_HOST="x.x.x.x" # In those cases where these services run # above the magic 1024 port range, gShield by # default will -block- access to those ports # unless you specifically open them here. # Again, the defaults should be fine for most # folks. 
# postgresql # options: # OPEN, FORWARD, NO POSTGRES_SERVICE="NO" POSTGRES_SERVICE_HOST="x.x.x.x" # mysql # options: # OPEN, FORWARD, NO MYSQL_SERVICE="NO" MYSQL_SERVICE_HOST="x.x.x.x" # socks # options: OPEN, FORWARD, NO SOCKS_SERVICE="NO" SOCKS_SERVICE_HOST="x.x.x.x" # Windows Terminal Server # Specifically this forwards # RDP to a protected host # options: FORWARD, NO TS_SERVICE="NO" TS_SERVICE_HOST="x.x.x.x" # ------------------------------------------- # # Setting your own port-forwards # # ------------------------------------------- # # Perhaps I don't have your specific service # listed, or it's some bizarre thing you # need forwarded. # There are several options at this stage. # you can manually add whatever forwards # you need to gshield.last, creating the # proper rulesets yourself. # you can generate simple forwards using # gforward.pl (look in the tools directory) # and send its output to gshield.last (gforward # can also parse a configuration file, making this # somewhat easy to automate). # you can use the nifty new internal forward # mapping. To use this, edit conf/forwards, # and set FORWARDING below to "YES" FORWARDING="NO" # ------------------------------------------- # # ------ [ custom options] ------------------ # # ------------------------------------------- # # -- irc connection tracking # IF you have irc connection tracking compiled # as a module (which you should) and you wish # to enable that functionality, set IRC_MODULE # below to "YES" and defined the irc ports # you want "tracked" - define those ports # WITH the comma as listed below IRC_MODULE="NO" IRC_PORTS="6666,6667" # ------------------------------------------- # # ------ [ ip-sysctl options] -------------- # # ------------------------------------------- # # You can find the complete docs for these # /usr/src/linux/Documentation/networking/ip-sysctl.txt # If you have no idea about what to put, the defaults # entered below "should" be fine for most folks. 
# perform source validation ANTI_SPOOF="YES" # source routing NO_SOURCE_ROUTE="YES" # disable ICMP redirects ICMP_REDIRECT="YES" # The rate at which echo replies are # sent to any one destination. # Kernel default is "0" (unlimited) ICMP_ECHOREPLY_RATE="0" # log packets with impossible # addresses LOG_MARTIANS="YES" # TCP syncookies SYN_COOKIES="NO" # Enable ECN? ECN="NO" # Enable timestamps as defined in RFC1323. TCP_TS="NO" # ignore ICMP echo broadcasts ICMP_IGNORE_BROADCASTS="YES" # ignore bogus icmp errors ICMP_IGNORE_BOGUS_ERROR="YES" # ------------------------------------------- # # ------ [ Language hack ] ----------------- # # ------------------------------------------- # # Many thanks to mtanguy who pointed out # gShield's method of determining the internal # network mask is English specific. His solution # is to clear the LANG setting when gShield # starts LANG="" # ------------------------------------------- # # ------ [ TOS ] -------------------------- # # ------------------------------------------- # # gShield does some rudimentary TOS modification # in the hopes of speeding up interactive traffic # such as irc, ssh connections and so forth. # Lots of folks have reported nice improvement # by enabling this. TOS="YES" # ------------------------------------------- # # ------ [ QoS ] -------------------------- # # ------------------------------------------- # # gShield "marks" specific sorts of outgoing # traffic to make things easier IF you plan # on doing QoS stuff. This can also be used # for various measuring facilities. # If you do NOT want gShield to do this # marking, set QOS to OFF below. 
QOS="ON" # I classify "4" types: mail, interactive, web, # and games # - mail is marked "1" : smtp,pop/s,imapd/s # - interactive is marked "2" : telnet, ssh, irc # - web is marked "3" : http, https # - games is marked "4" --> common game ports # ------------------------------------------- # # ------ [ Netbios Leaks ] ---------------- # # ------------------------------------------- # # Make sure we do not "leak" any netbios info # through the firewall's state tracking # This should have no effect on internal # samba. NOSMB="YES" # ------------------------------------------- # # ------ [ Unclean matches ] --------------- # # ------------------------------------------- # # If you want to enable # tainted matching, set TAINTED to "YES" below TAINTED_MATCH="NO" # ------------------------------------------- # # ------ [ TCP Flag options ] -------------- # # ------------------------------------------- # # This section gives "some" attention to # "possible" portscan activity. # Possible options are "YES" or "NO" # Block XMAS packets BLOCK_XMAS="NO" # Block NULL packets BLOCK_NULL="NO" # Block FIN scans BLOCK_FIN="NO" # ------------------------------------------- # # ------ [ Multicast Flag options ] -------- # # ------------------------------------------- # # The default is to drop multicast DROP_MULTICAST="YES" # ------------------------------------------- # # ------- [ runtime variables ] ------------ # # ------------------------------------------- # # # # DO NOT alter # # # # ------------------------------------------- # RUN="1" # set DEBUG to "YES" for more # verbose startup messages DEBUG="NO" gShield-2.8/conf/0040700000175000017500000000000007474527672012717 5ustar godotgodotgShield-2.8/conf/multicast0100600000175000017500000000135207442465025014633 0ustar godotgodot# multicast stuff # "all systems on this subnet" 224.0.0.1 # "all routers on this subnet" 224.0.0.2 # "all DVMRP routers" 224.0.0.4 # "all OSPF routers" 224.0.0.5 # "all OSPF designated routers" 224.0.0.6 
# "all RIP2 routers" 224.0.0.9 # "all PIM routers" 224.0.0.13 # "all CBT routers" 224.0.0.15 224.0.0.1 224.0.0.2 224.0.0.4 224.0.0.5 224.0.0.6 224.0.0.9 224.0.0.13 224.0.0.15 # Stronger #224.0.0.0/8 #225.0.0.0/8 #226.0.0.0/8 #227.0.0.0/8 #228.0.0.0/8 #229.0.0.0/8 #230.0.0.0/8 #231.0.0.0/8 #232.0.0.0/8 #233.0.0.0/8 #234.0.0.0/8 #235.0.0.0/8 #236.0.0.0/8 #237.0.0.0/8 #238.0.0.0/8 #239.0.0.0/8 gShield-2.8/conf/highport_access0100600000175000017500000000035107227347154015774 0ustar godotgodot# By default, gShield does not allow new connections # to ports above 1024. This can cause things to break # such as DCC chats, transfers and so on to break. # Any host listed here is allowed to establish high-port # connections gShield-2.8/conf/client_services0100600000175000017500000000027707227347140016012 0ustar godotgodot# These are the port listings for services which clients # (as defined in client_hosts) are allowed to connect to # FTP 20 21 # SSH 22 # pop 110 # http/https 80 443 # icecast 8000 gShield-2.8/conf/no_log_ports0100600000175000017500000000013407262234554015330 0ustar godotgodot# add ports here which you do NOT want logged # such as the case for a default drop # 111 gShield-2.8/conf/global_content_drop0100600000175000017500000000011507474527644016653 0ustar godotgodot# drop strings here which you want to -DROP- # if found in the packet stream gShield-2.8/conf/client_hosts0100600000175000017500000000022607227347120015317 0ustar godotgodot# Hosts listed here are allows to connect to any service # listed in client_services -REGARDLESS- of whether those # services are open to the public gShield-2.8/conf/NATS0100600000175000017500000000022007227347077013373 0ustar godotgodot# What private net should gShield provide NAT # services for? 
You can have multiple # nets listed here if necessary 192.168.1.0/24 #10.0.0.1/8 gShield-2.8/conf/black_listed_hosts0100600000175000017500000000005307227347046016466 0ustar godotgodot# Hosts listed here are completely dropped gShield-2.8/conf/reserved_addresses0100600000175000017500000000166607407046174016513 0ustar godotgodot# $Id: reserved_addresses,v 1.1 2001-04-02 15:39:07-04 godot Exp $ # These are "reserved" addresseses, and thus have no business # hitting out external interface 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 # multicast stuff # "all systems on this subnet" 224.0.0.1 # "all routers on this subnet" 224.0.0.2 # "all DVMRP routers" 224.0.0.4 # "all OSPF routers" 224.0.0.5 # "all OSPF designated routers" 224.0.0.6 # "all RIP2 routers" 224.0.0.9 # "all PIM routers" 224.0.0.13 # "all CBT routers" 224.0.0.15 224.0.0.1 224.0.0.2 224.0.0.4 224.0.0.5 224.0.0.6 224.0.0.9 224.0.0.13 224.0.0.15 # Stronger #224.0.0.0/8 #225.0.0.0/8 #226.0.0.0/8 #227.0.0.0/8 #228.0.0.0/8 #229.0.0.0/8 #230.0.0.0/8 #231.0.0.0/8 #232.0.0.0/8 #233.0.0.0/8 #234.0.0.0/8 #235.0.0.0/8 #236.0.0.0/8 #237.0.0.0/8 #238.0.0.0/8 #239.0.0.0/8 gShield-2.8/conf/pptp_allowed_hosts0100600000175000017500000000012107423051151016517 0ustar godotgodot# include hosts which are allowed to connect to # pptp services # 172.32.0.0/16 gShield-2.8/conf/open_ports0100600000175000017500000000053107272203311015001 0ustar godotgodot# This should contain a list of ports which you # want gShield to allow connections to. Examples # might be a game server (say Half-life or Quakr) a MUD, # and so on. List the ports one per line. You can also # specify a -range- of ports by using : # example: 1627:1677 # NO port listed here can be ALSO listed in # closed_ports. gShield-2.8/conf/blocked_outgoing0100600000175000017500000000025607262235443016145 0ustar godotgodot# add ports here which you wish to BLOCK access to. 
# for example, adding '80' will prevent access to # remote webservers, adding '8888' will prevent access # to musiccity gShield-2.8/conf/http_string_drop0100600000175000017500000000032407474527672016231 0ustar godotgodot# drop strings here which you want to -DROP- # if found in the packet stream (such as IIS exploit # nonsense) - this file is specific for web services # and must have that feature enabled in gShield.conf cmd.exe gShield-2.8/conf/closed_ports0100600000175000017500000000020507272203372015316 0ustar godotgodot# Specifically closed ports. List each port one per # line or specify a -range- of ports by using : # example: 1627:1677 gShield-2.8/conf/blocked_addresses0100600000175000017500000000016507312542603016261 0ustar godotgodot# add addresses here which you wish to BLOCK access to. # this effects both the firewall itself, and NAT'd clients gShield-2.8/conf/forwards0100600000175000017500000000220307447453415014456 0ustar godotgodot# Define forwards # In order for this file to function, you MUST # HAVE ENABLED forwarding specifically in gShield.conf # ---> FORWARDING="YES" # The basic format of this file is simple: # allowfrom proto srcip:port dstip:port # A quick example: # 203.12.234.232 tcp 203.55.250.12:80 192.168.1.12:80 # The above forwards tcp connections coming from 203.12.234.232 # destined for 203.55.250.12 (port 80) and forwards them to # 192.168.1.12 (port 80) # Of course perhaps you want to forward all connections # from anywhere -- simply use "0/0" like so: # 0/0 tcp 203.55.250.12:80 192.168.1.12:80 # "0/0" == any # But wait, what if I want -both- tcp AND udp to be forwarded?? # 0/0 both 0/0:80 192.168.1.12:80 # Thanks to C. 
Gielen's patch, you can also forward port-ranges here # as well: # 0/0 both 1.2.3.4:2300-2400 192.168.1.2:0 # ^^ # forwards all connections to ports 2300 through 2400 connecting to 1.2.3.4 # to 192.168.1.2 : # ACCEPT udp -- anywhere 192.168.1.2 udp dpts:2300:2400 # ACCEPT tcp -- anywhere 192.168.1.2 tcp dpts:2300:2400 gShield-2.8/LICENSE0100600000175000017500000004313107375346240012766 0ustar godotgodot GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. 
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". 
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. gShield-2.8/Changelog0100600000175000017500000001562107474531030013567 0ustar godotgodotv2.8 * added version check for proper TOS variable set (thanks Damaged) * added gshield.pump (script by D. Munroe) to tools * removed useless UDP opening for SMTP * check_interface function disabled by default * folded in services.rules fixes * folded in C. 
Gielen's patch for port-range forwarding * added misc-patch by Harold van Oostrom - runtime option for -b blocks everything by default - support for remote transparent proxy * added windows terminal service (RDP) forwarding * typo fix in routables/routables.conf * added chkconfig parameters * added support for string filtering specific to HTTP * SMTP proxy support * added stronger regex for sourcing (thanks K. Root) * added PPTP options (thanks D. Powell) with restrictive options * multicast fixes / addresses moved to seperate file (thanks P. Starrenburg) * close netfilter flaw (unfiltered ICMP packets) * support for IRC connection tracking v2.7.1 * service ports now hard-wired in * increase port-range (marking) for Q3A servers (thanks S. Youngs) * typo fix for BIND_HOST * typo fixes for rFTP and rTraceroutes (thanks Nilsson/Bayer) * added network patch for proper mask calculations by Marcos Tadeu * misc service cleanup * TOS disabled by default (iptables 1.2.3 oddity) * logging facility defaults to numeric (resolves iptables 1.2.3 oddity) v2.7 * misc routable fixes (thanks J. Aitti) * gforward.pl updated * internal forwarding mechanism (thanks J. Benson) * added portscan detection options v2.6.9 * added option for QUEUE target * UNCLEAN toggle * adjusted domain service to handle brain-dead service listings v2.6.8 * changed GRE to numeric protocol to accomodate brain-dead distros * added smarter "broadcast" drops to reduce log verbosity * typo bugfix in kernel-options (thanks R. Goers) * extended highport_access logic (thanks A. Huffman) * added icmp_ignore_bogus_error kernel option (thanks R. Goers) * added return options for auth regardless of default policy (thanks R. Goers) v2.6.7 * added sanity loop for several kernel options * bugfix for tcp/sshd in routables.rules (thanks C. Graham) * added blocked_addresses to conf/ * added GRE-specific logging * added nntp/sshd TOS/QOS suggestions (thanks W. 
Torres) * updated gforward.pl w/ option to use external file v2.6.6 * added configurable options for UDP responses * added nice version logic (thanks phantoo) * bugfixes for routables/DMZ (thanks M. McCallister) * folded in sections of contributed patch by S. Youngs * added ICMP/traceroute options for routables/DMZ * added verbosity to routable startup * added toggle for QoS marking * added toggle for SNAT/MASQUERADE * added proper copyright and license file * cleaned up directories (added docs and tools subdir) v2.6.5 * gforward.pl now included (for setting up generic portforwards) * added QoS marking for typical game ports, irc * gShield.conf reorganized * added "error" documentation for common errors * misc cleanups (added restart runtime) v2.6.4 * bugfix for hosts.deny logic * BLACKLIST defaults to normal * toggle for locking down possible netbios leaks * removal of a few bashisms (thanks J. Breton) v2.6.3 * toggle for ICMP logging * error checking for UNCLEAN match * SYSLOG option defaults to false * bugfix for loopback interface * misc documentation updates v2.6.2 * option for TCPMSS fix for borked PPPoE * folded in TOS mangles for PREROUTE * primitive packet marking for PREROUTE * option for ICMP_ECHOREPLY_RATE * sanity check for ICMP_ECHOREPLY_RATE * fix for non-English LANG env (thanks mtanguy) v2.6.1 * folded in syslog function (thanks hburgiss) * moved conf/time_servers to gShield.conf * support for running out of init.d/ * option to auto-blacklist "ALL"-prefixed addresses in hosts.deny * run-time blacklist option can add to hosts.deny * documentation additions to cover hosts.deny use * cleaned up logging-prefixes v2.6 * Configuration file format change * ALL supported services are forwardable * reserved drops now specific to external interface * user-defined rules easily added (see gShield.conf) * script even less verbose/color crap removed v2.5.1 * improved logic for run-time option detection * bug-fix for syncookies * added generic peer to peer 
framework * p2p client port-forwarding v2.5 * added configuration kernel options for icmp_echo_ignore_broadcasts * added configuration kernel options for tcp_timestamps * syncookies now disabled by default * bugfix for run-time client-add option * misc documentation additions v2.4 * added security comments concerning recent iptables ftp issue. * run-time options: add blacklist, highport access, client access, flush. * NOLOG automatically deals with broadcast addresses (drop/nolog). * added kernel ip-sysctl options to main configuration * added additional usage notes to cover run-time options v2.3 * ifconfig now defined as a variable * reordered blacklist/NAT chain ordering (thanks Hurley) * folded in multi-homed logic based on diff by Duebbert * fixed outgoing typos (thanks Duebbert) * fixed protocol typo for HTTPS (thanks Faurot) * misc comment fixes / updated gShield.conf v2.2 * behavior when dropping packets now configurable * support for forwarding imap-ssl * toned down startup verbosity v2.1 * cleaned up reserved_address (was causing some issues) * added auto-configuration logic for DNS servers * added option to log INVALID state drops * added framework for outgoing filters * added blocked_outgoing to enable outgoing filtering * added no_log option for specific ports v2.0.4 * added toggle for traceroutes * added logging-level option * re-ordered CLOSED port chain * added "flush" option * folded in additional reserved blocks v2.0.3 * fixed typo for https entry * fixed typo for FW_ROOT in routables (thanks V. 
Hodges) * added forwarding for ssh * blacklist logging now a toggle * added toggle for "default logging" v2.0.2 * added option to not log reserved drops * added common multicast addresses to conf/reserved_addresses * enhanced DHCP logging * removed redundant reserved chain * removed redundant NAT entry * common public services now use /etc/services to determine port * added options for bind/domain forwarding * highport_access should now deal with passive FTP * highport blocking is now a toggle * added transparent proxy options v2.0.1 * added DNS chain to ease readability * moved DMZ rule entrace lower in filtering * cleaned up logging output (no logging smb broadcasts) * added conf/open_ports for user-defined open ports v2.0.0 * initial conversion to iptables * support for multiple NATs * routable support and protection * support for DMZ'd machines * sane limits for default drops, incoming icmp * MAC address filtering for administrative machines * configurable public service access * configurable client access * integrated port-forwarding * stateful tracking gShield-2.8/routables/0040700000175000017500000000000007372656153013764 5ustar godotgodotgShield-2.8/routables/routables.conf0100600000175000017500000000374707336115462016636 0ustar godotgodot# gShield v2 # routable configuration # This configuration assumes you have # routable machines protected by gShield. # If this is NOT THE CASE, turn back NOW! # ICMP # Allow ICMP to routables? rICMP_ALLOW="yes" # Should we allow all types of ICMP # or set some sane limits on the sorts # of ICMP which are allowed through? rICMP_FILTER="yes" # Should we allow all ICMP # traffic to all listed routables? rICMP_ALLOW_TO_ALL="yes" # If rICMP_ALLOW_TO_ALL is "no", then # defined which routables are allowed # to get ICMP's rICMP_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # Traceoutes # enable traceroutes to routables? rTRACE_ALLOW="yes" # to all listed routable machines? 
rTRACE_ALLOW_TO_ALL="yes" # if the above it set to NO, # which routables are allowed for # traceroutes? rTRACE_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # ------ [ Public Services ] ------ # # Below determines what sort of connections # to allow to which routables # [ FTP ] # Worry about FTP for routables? gShield # defaults to blocking connections rFTP_ENABLE=NO # Allow FTP connections to ALL routables rFTP_ALL=NO # Allow FTP connections to specific machines rFTP_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # [ Web services ] # HTTP rHTTP_ENABLE=NO rHTTP_ALL=NO rHTTP_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # HTTPS rHTTPS_ENABLE=NO rHTTPS_ALL=NO rHTTPS_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # [ Mail ] # SMTP rSMTP_ENABLE=NO rSMTP_ALL=NO rSMTP_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # POP rPOP_ENABLE=NO rPOP_ALL=NO rPOP_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # IMAP rIMAPD_ENABLE=NO rIMAPD_ALL=NO rIMAPD_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" [ Misc ] # BIND rBIND_ENABLE=NO rBIND_ALL=NO rBIND_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # Interactive logins rSSHD_ENABLE=NO rSSHD_ALL=NO rSSHD_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" rTELNET_ENABLE=NO rTELNET_ALL=NO rTELNET_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # auth rIDENTD_ENABLE=NO rIDENTD_ALL=NO rIDENTD_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" # Time rTIME_ENABLE=NO rTIME_ALL=NO rTIME_ALLOWED="x.x.x.x y.y.y.y z.z.z.z" gShield-2.8/routables/routable.rules0100600000175000017500000003213007353171767016655 0ustar godotgodot#!/bin/sh # Routable construction -- part of # Godot's gShield # ------ [ FTP_SERVICE ] ------ # if [ "$rFTP_ENABLE" = "YES" -o "$rFTP_ENABLE" = "yes" ]; then if [ "$rFTP_ALL" = "YES" -o "$rFTP_ALL" = "yes" ]; then for all in $ROUTABLES; do SYSLOG "allowing ftp for $all" $IPTABLES -A INPUT -p tcp -d $all --dport 21 -j ACCEPT $IPTABLES -A INPUT -p tcp -d $all --dport 20 -j ACCEPT $IPTABLES -A FORWARD -p tcp -d $all --dport 20 -j ACCEPT $IPTABLES -A FORWARD -p tcp -d $all --dport 21 -j ACCEPT done else for rFTP in $rFTP_ALLOWED; do SYSLOG "allowing ftp for $rFTP" $IPTABLES -A 
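INPUT -p tcp -s "$REMOTENET" -d "$rFTP" --dport 21 -j ACCEPT
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rFTP" --dport 20 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rFTP" --dport 21 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rFTP" --dport 20 -j ACCEPT
        done
    fi
fi

# The sections below each follow the same shape: when r<SVC>_ENABLE is yes,
# either open the service to every address in $ROUTABLES (r<SVC>_ALL yes)
# or only to the addresses listed in r<SVC>_ALLOWED. Each accept is added
# to both INPUT and FORWARD. Inputs expected from the caller: $IPTABLES,
# SYSLOG, $ROUTABLES, $REMOTENET, $ICMP_RATE and the routables.conf toggles.
#
# NOTE(review): udp accepts are emitted alongside tcp for ports 80, 443,
# 110, 143, 53, 22, 23, 113 and 123. Apart from DNS (53) and NTP (123)
# these services are normally tcp-only, so each udp accept is exposure with
# no expected listener -- confirm they are wanted before keeping them.

# ------ [ HTTP_SERVICE ] ------ #
# NOTE(review): the "ALL" branches of the HTTP and HTTPS sections originally
# omitted "-s $REMOTENET", unlike their per-host branches and every other
# service section in this file; it is added here so the source restriction
# is applied consistently on both paths.
if [ "$rHTTP_ENABLE" = "YES" -o "$rHTTP_ENABLE" = "yes" ]; then
    if [ "$rHTTP_ALL" = "YES" -o "$rHTTP_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing HTTP for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 80 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 80 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 80 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 80 -j ACCEPT
        done
    else
        for rHTTP in $rHTTP_ALLOWED; do
            SYSLOG "allowing HTTP for $rHTTP"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rHTTP" --dport 80 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rHTTP" --dport 80 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rHTTP" --dport 80 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rHTTP" --dport 80 -j ACCEPT
        done
    fi
fi

# ------ [ HTTPS_SERVICE ] ------ #
if [ "$rHTTPS_ENABLE" = "YES" -o "$rHTTPS_ENABLE" = "yes" ]; then
    if [ "$rHTTPS_ALL" = "YES" -o "$rHTTPS_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing HTTPS for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 443 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 443 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 443 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 443 -j ACCEPT
        done
    else
        for rHTTPS in $rHTTPS_ALLOWED; do
            SYSLOG "allowing HTTPS for $rHTTPS"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rHTTPS" --dport 443 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rHTTPS" --dport 443 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rHTTPS" --dport 443 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rHTTPS" --dport 443 -j ACCEPT
        done
    fi
fi

# ------ [ SMTP_SERVICE ] ------ #
# tcp only (no udp rule in this section)
if [ "$rSMTP_ENABLE" = "YES" -o "$rSMTP_ENABLE" = "yes" ]; then
    if [ "$rSMTP_ALL" = "YES" -o "$rSMTP_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing SMTP for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 25 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 25 -j ACCEPT
        done
    else
        for rSMTP in $rSMTP_ALLOWED; do
            SYSLOG "allowing SMTP for $rSMTP"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rSMTP" --dport 25 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rSMTP" --dport 25 -j ACCEPT
        done
    fi
fi

# ------ [ POP_SERVICE ] ------ #
if [ "$rPOP_ENABLE" = "YES" -o "$rPOP_ENABLE" = "yes" ]; then
    if [ "$rPOP_ALL" = "YES" -o "$rPOP_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing POP for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 110 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 110 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 110 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 110 -j ACCEPT
        done
    else
        for rPOP in $rPOP_ALLOWED; do
            SYSLOG "allowing POP for $rPOP"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rPOP" --dport 110 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rPOP" --dport 110 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rPOP" --dport 110 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rPOP" --dport 110 -j ACCEPT
        done
    fi
fi

# ------ [ IMAPD_SERVICE ] ------ #
if [ "$rIMAPD_ENABLE" = "YES" -o "$rIMAPD_ENABLE" = "yes" ]; then
    if [ "$rIMAPD_ALL" = "YES" -o "$rIMAPD_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing IMAP for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 143 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 143 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 143 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 143 -j ACCEPT
        done
    else
        for rIMAPD in $rIMAPD_ALLOWED; do
            SYSLOG "allowing IMAP for $rIMAPD"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rIMAPD" --dport 143 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rIMAPD" --dport 143 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rIMAPD" --dport 143 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rIMAPD" --dport 143 -j ACCEPT
        done
    fi
fi

# ------ [ BIND_SERVICE ] ------ #
if [ "$rBIND_ENABLE" = "YES" -o "$rBIND_ENABLE" = "yes" ]; then
    if [ "$rBIND_ALL" = "YES" -o "$rBIND_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing bind for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 53 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 53 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 53 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 53 -j ACCEPT
        done
    else
        for rBIND in $rBIND_ALLOWED; do
            SYSLOG "allowing bind for $rBIND"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rBIND" --dport 53 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rBIND" --dport 53 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rBIND" --dport 53 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rBIND" --dport 53 -j ACCEPT
        done
    fi
fi

# ------ [ SSHD_SERVICE ] ------ #
if [ "$rSSHD_ENABLE" = "YES" -o "$rSSHD_ENABLE" = "yes" ]; then
    if [ "$rSSHD_ALL" = "YES" -o "$rSSHD_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing SSHD for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 22 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 22 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 22 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 22 -j ACCEPT
        done
    else
        for rSSHD in $rSSHD_ALLOWED; do
            SYSLOG "allowing SSHD for $rSSHD"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rSSHD" --dport 22 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rSSHD" --dport 22 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rSSHD" --dport 22 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rSSHD" --dport 22 -j ACCEPT
        done
    fi
fi

# ------ [ TELNET_SERVICE ] ------ #
if [ "$rTELNET_ENABLE" = "YES" -o "$rTELNET_ENABLE" = "yes" ]; then
    if [ "$rTELNET_ALL" = "YES" -o "$rTELNET_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing telnetd for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 23 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 23 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 23 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 23 -j ACCEPT
        done
    else
        for rTELNET in $rTELNET_ALLOWED; do
            SYSLOG "allowing telnetd for $rTELNET"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rTELNET" --dport 23 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rTELNET" --dport 23 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rTELNET" --dport 23 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rTELNET" --dport 23 -j ACCEPT
        done
    fi
fi

# ------ [ IDENTD_SERVICE ] ------ #
if [ "$rIDENTD_ENABLE" = "YES" -o "$rIDENTD_ENABLE" = "yes" ]; then
    if [ "$rIDENTD_ALL" = "YES" -o "$rIDENTD_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing identd for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 113 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 113 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 113 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 113 -j ACCEPT
        done
    else
        for rIDENTD in $rIDENTD_ALLOWED; do
            SYSLOG "allowing identd for $rIDENTD"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rIDENTD" --dport 113 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rIDENTD" --dport 113 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rIDENTD" --dport 113 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rIDENTD" --dport 113 -j ACCEPT
        done
    fi
fi

# ------ [ TIME_SERVICE ] ------ #
if [ "$rTIME_ENABLE" = "YES" -o "$rTIME_ENABLE" = "yes" ]; then
    if [ "$rTIME_ALL" = "YES" -o "$rTIME_ALL" = "yes" ]; then
        for all in $ROUTABLES; do
            SYSLOG "allowing time sync for $all"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$all" --dport 123 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$all" --dport 123 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$all" --dport 123 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$all" --dport 123 -j ACCEPT
        done
    else
        for rTIME in $rTIME_ALLOWED; do
            SYSLOG "allowing time sync for $rTIME"
            $IPTABLES -A INPUT -p tcp -s "$REMOTENET" -d "$rTIME" --dport 123 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s "$REMOTENET" -d "$rTIME" --dport 123 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s "$REMOTENET" -d "$rTIME" --dport 123 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s "$REMOTENET" -d "$rTIME" --dport 123 -j ACCEPT
        done
    fi
fi

# ------ [ ICMP's ] ------------------------------------------ #
# With rICMP_FILTER set, only destination-unreachable, time-exceeded and
# echo-reply are accepted (each rate-limited by $ICMP_RATE); otherwise all
# ICMP to the routable is accepted under the same limit. The rICMP_ALLOW_TO_ALL
# "no" branch (per-host list) continues after this block.
#
# NOTE(review): the Traceroutes section further down tests $rTRACE_ALLOW_ALL,
# but routables.conf defines rTRACE_ALLOW_TO_ALL; as written the
# "all routables" branch there can never be selected -- align the names.
if [ "$rICMP_ALLOW" = "YES" -o "$rICMP_ALLOW" = "yes" ]; then
    if [ "$rICMP_ALLOW_TO_ALL" = "YES" -o "$rICMP_ALLOW_TO_ALL" = "yes" ]; then
        if [ "$rICMP_FILTER" = "YES" -o "$rICMP_FILTER" = "yes" ]; then
            for all in $ROUTABLES; do
                SYSLOG "filtering ICMP to $all"
                $IPTABLES -A INPUT -s "$REMOTENET" -d "$all" -p icmp --icmp-type destination-unreachable -m limit --limit "$ICMP_RATE" -j ACCEPT
                $IPTABLES -A FORWARD -s "$REMOTENET" -d "$all" -p icmp --icmp-type destination-unreachable -m limit --limit "$ICMP_RATE" -j ACCEPT
                $IPTABLES -A INPUT -s "$REMOTENET" -d "$all" -p icmp --icmp-type time-exceeded -m limit --limit "$ICMP_RATE" -j ACCEPT
                $IPTABLES -A FORWARD -s "$REMOTENET" -d "$all" -p icmp --icmp-type time-exceeded -m limit --limit "$ICMP_RATE" -j ACCEPT
                $IPTABLES -A INPUT -s "$REMOTENET" -d "$all" -p icmp --icmp-type echo-reply -m limit --limit "$ICMP_RATE" -j ACCEPT
                $IPTABLES -A FORWARD -s "$REMOTENET" -d "$all" -p icmp --icmp-type echo-reply -m limit --limit "$ICMP_RATE" -j ACCEPT
            done
        else
            for all in $ROUTABLES; do
                SYSLOG "allowing all ICMP to $all"
                $IPTABLES -A INPUT -s "$REMOTENET" -d "$all" -p icmp -m limit --limit "$ICMP_RATE" -j ACCEPT
                $IPTABLES -A FORWARD -s "$REMOTENET" -d "$all" -p icmp -m limit --limit "$ICMP_RATE" -j ACCEPT
            done
        fi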
else if [ "$rICMP_FILTER" = "YES" -o "$rICMP_FILTER" = "yes" ]; then for rICMP in $rICMP_ALLOWED; do SYSLOG "filtering ICMP to $rICMP" $IPTABLES -A INPUT -s $REMOTENET -d $rICMP -p icmp --icmp-type destination-unreachable -m limit --limit $ICMP_RATE -j ACCEPT $IPTABLES -A FORWARD -s $REMOTENET -d $rICMP -p icmp --icmp-type destination-unreachable -m limit --limit $ICMP_RATE -j ACCEPT $IPTABLES -A INPUT -s $REMOTENET -d $rICMP -p icmp --icmp-type time-exceeded -m limit --limit $ICMP_RATE -j ACCEPT $IPTABLES -A FORWARD -s $REMOTENET -d $rICMP -p icmp --icmp-type time-exceeded -m limit --limit $ICMP_RATE -j ACCEPT $IPTABLES -A INPUT -s $REMOTENET -d $rICMP -p icmp --icmp-type echo-reply -m limit --limit $ICMP_RATE -j ACCEPT $IPTABLES -A FORWARD -s $REMOTENET -d $rICMP -p icmp --icmp-type echo-reply -m limit --limit $ICMP_RATE -j ACCEPT done else for all in $rICMP_ALLOWED; do SYSLOG "allowing all ICMP to $all" $IPTABLES -A INPUT -s $REMOTENET -d $all -p icmp -m limit --limit $ICMP_RATE -j ACCEPT $IPTABLES -A FORWARD -s $REMOTENET -d $all -p icmp -m limit --limit $ICMP_RATE -j ACCEPT done fi fi fi # ------ [ Traceroutes ] -------------------------------------- # if [ "$rTRACE_ALLOW" = "YES" -o "$rTRACE_ALLOW" = "yes" ]; then if [ "$rTRACE_ALLOW_ALL" = "YES" -o "$rTRACE_ALLOW_ALL" = "yes" ]; then for all in $ROUTABLES; do SYSLOG "allowing traceroutes to $all" $IPTABLES -A INPUT -p udp --sport 32769:65535 -d $all --dport 33434:33523 -j ACCEPT $IPTABLES -A FORWARD -p udp --sport 32769:65535 -d $all --dport 33434:33523 -j ACCEPT done else for all in $rTRACE_ALLOWED; do SYSLOG "allowing traceroutes to $all" $IPTABLES -A INPUT -p udp --sport 32769:65535 -d $all --dport 33434:33523 -j ACCEPT $IPTABLES -A FORWARD -p udp --sport 32769:65535 -d $all --dport 33434:33523 -j ACCEPT done fi fi gShield-2.8/routables/routable_hosts0100600000175000017500000000000007227347052016723 0ustar godotgodotgShield-2.8/INSTALL0100644000175000017500000000467207424277360013032 0ustar 
godotgodotgShield Installation Notes -------------------------- # ------------------------------ # # Netfilter/iptables # # -------------------------------# gShield assumes you have a properly working and configured netfilter/iptables setup. It does not make use of any "special" extensions or patches, but some things will not work well unless you are sure they are installed (such as the FTP NAT support). There are cases where gShield allows you to make use of some of the experimental iptables patches, but these are not necessary for the default settings. gShield DOES NOT attempt to load iptables modules for you; a properly configured linux system will load modules "as needed" -- there is one exception to this no-load behavior -- the irc connection tracking section allows you to specify which irc ports to consider for tracking and therefore does make provisions for loading this specific module. # ------------------------------ # # Installing # # -------------------------------# The default configuration assumes everything will be installed in /etc/firewall. gShield will untar to gShield-<version>, which means you will need to a) move/rename this directory to /etc/firewall or b) symlink /etc/firewall to gShield-<version>/ ********************************************************** ** DO NOT attempt to configure or run this script remotely ** ********************************************************** ********************************************************** ** DO NOT run the thing remotely! ************************ ********************************************************** I recommend installing/configuring the first time locally in case something horrible happens-- otherwise, if you make a mistake, you will find yourself locked out of your own machine. I'm not kidding. * NEXT * Open a terminal. Get out that favorite editor of yours. Edit gShield.conf -- it's commented. * NEXT * Read the README. It's in the docs directory. 
* NEXT * Run the script (/etc/firewall/gShield.rc) <- assuming you've renamed the directory. I suggest linking this, or setting it up as an automatic process. Three examples on how to do this. PPP -- under Debian, there's a nice directory -> /etc/ppp/ip-up.d/ Make a link from the firewall: ln -s /etc/firewall/gShield.rc /etc/ppp/ip-up.d/gShield.rc DHCP -- from my config file for dhcpcd: OPTIONS='-d -c /etc/firewall/gShield.rc' * That's it * gShield-2.8/tools/0040755000175000017500000000000007370677473013144 5ustar godotgodotgShield-2.8/tools/tracker.pl0100444000175000017500000000760407303652545015123 0ustar godotgodot#!/usr/bin/perl -w # # Purpose: # # Quick jobber to do some parsing of the iptables connection # tracking from /proc and print it out a little nicer. # (and to make Godot quit bugging me, of course ) # # Options: # -P This enables port lookups (translating ports -> services [Should be fast]) # -p This disables port lookups # # You can set the defaults for both of these below, 1 == lookup, # 0 == don't. The commandline switches override defaults. # # Author: # # Brian Poole, http://www.cerias.purdue.edu/homes/rajak/ # # LICENSE: # # This is licensed under the BSD license, in other words # do what you will, I don't care, just don't blame me. # I assume no liability for any incompetent usage of this # script, nor of any poor coding (though of course there # none of THAT!). $PORT_LOOKUPS = 1; if (defined @ARGV and $#ARGV != 0){ &usage; } elsif (defined @ARGV){ if ($ARGV[0] eq "-p"){ $PORT_LOOKUPS = 0; } elsif ($ARGV[0] eq "-P"){ $PORT_LOOKUPS = 1; } else { &usage; } } # Hey! Who told you that you could read my code! GET OUTTA HERE!#%^!@# # First lets grab the data from the proc entry.. open INPUT, "){ push @{ $records{(split " ")[0]} }, $_; } close INPUT; if (defined %records){ print " Current connections being tracked by netfilter\n\nProt Src IP Src Port State Dst IP Dst Port\n\n"; foreach $key (keys %records) { $proto = uc $key; for $i (0 .. 
$#{ $records{$key} } ){ # Assigning that bad boy into a variable because I don't like having to type all that every time ;) my $log = $records{$key}[$i]; # Zero out the port vars (we can't guarantee we have replaces to match them since some protocols (ICMP)) # don't have ports. Then do a match and shove the vars into place as appropriate. ($dport, $sport ) = ("",""); if( $log =~ /^.*?src=(.*?) dst=(.*?) (?:sport=(\d{1,5}) dport=(\d{1,5}) )?/) { ($srcip, $dstip) = ($1,$2); ($sport, $dport) = ($3,$4) if (defined $3 and defined $4); } else { report($log); } # This is detection of what ip_conntrack state the particular item is in, base is <--NORM--> (just regular) # the others are done as detected. I have a special check that if more than one []'s found to die and # report just because I'm not completely sure if this is impossible and I need to know if not. $state = "<--NORM-->"; if ( $log =~ /\[ASSURED\]/ ){ $state = "<==ASRD==>"; } if ( $log =~ /\[UNREPLIED\]/ ){ report($log) if $state ne "<--NORM-->"; $state = " --UNRE-->"; } if ( $log =~ /\[UNCONFIRMED\]/ ){ report($log) if $state ne "<--NORM-->"; $state = "<--UNCO-- "; } if ($PORT_LOOKUPS and $sport ne "" and $dport ne ""){ my $name = (getservbyport $sport, $key)[0]; $sport = $name if defined $name; undef $name; $name = (getservbyport $dport, $key)[0]; $dport = $name if defined $name; } write; } print "\n"; } } else { # No tracked connections.. weird. print "\nNo connections currently being tracked.\n"; } exit; # All of those -- err, that one subroutine # -- Make that TWO! I'm all about efficiency baby. sub usage { die "IP connection tracker\n", "Written by Brian Poole \n", "\nUsage: $0 [-Pp]\n", "\n-P enables port -> service mappings\n", "-p disables port -> service mappings\n\n"; } sub report { die "Please mail the following log entry to raj\@cerias.purdue.edu for debugging purposes.\n\n$_[0]\n"; } # The format.. duh. 
format STDOUT = @<<< @>>>>>>>>>>>>>> @|||||||||||| @<<<<<<<<< @>>>>>>>>>>>>>> @|||||||||||| $proto, $srcip, $sport, $state, $dstip, $dport . gShield-2.8/tools/gforward.pl0100444000175000017500000001026707322001561015265 0ustar godotgodot#!/usr/bin/perl -w # gforward.pl v0.2 # a generic forwarding tool for # iptables. Part of the gShield # firewall. # gforward is a perl script which quickly # generates basic port-forwarding mechanisms # using iptables. It can also make use of # an external file to easily create multiple # forward rules in a single step. # Copyright 2001 R. Gregory # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # A copy of the GPL can be found at http://www.gnu.org/copyleft/gpl.html # sanity check chomp ($iptables = (`which iptables`)); die "Cannot determine path to iptables: set path" if $iptables =~ /\s/ or $iptables eq ""; # get options use Getopt::Long; GetOptions( "help" => \$help, # print usage information "i=s" => \$interface, # interface to use "f=s" => \$file); # use external file # no options passed sub doh() { print < test.rules && sh test.rule (gShield users) ./gforward.pl eth0 80 192.168.1.6 80 >> /etc/firewall/gshield.last && /etc/firewall/gShield.rc Using the external file option: ./gforward -i eth0 -f fwdfile Notes: ------ To use the -f feature, create a file with a single forward rule per line: :: 5900:192.168.2.10:5900 5901:192.168.2.12:5900 5902:192.168.2.13:5900 You MUST include the -i option to pass the proper interface if you use the -f option. 
DUMP ; } # multi-forward setup sub multi_forward { if ($file) { open(FWDFILE, $file); while (defined($fwdline = )) { next if ($fwdline =~ /^#/); ($fwport,$destip,$destport) = split(/:/,$fwdline); chomp ($fwport,$destip,$destport); die "Error: Invalid port\n" if (($fwport) =~ /\D/) || (($fwport) < 1) || (($fwport) > 65535) || (($destport) =~ /\D/) || (($destport) < 1) || (($destport) > 65535); print "$iptables -I FORWARD -p tcp -d $destip --dport $destport -j ACCEPT\n", "$iptables -I FORWARD -p udp -d $destip --dport $destport -j ACCEPT\n", "$iptables -t nat -A PREROUTING -p tcp -i $interface --dport $fwport -j DNAT --to $destip:$destport\n", "$iptables -t nat -A PREROUTING -p udp -i $interface --dport $fwport -j DNAT --to $destip:$destport\n"; } } } # forward from stdin sub single_forward { if ( $#ARGV != 3 ) { &doh(); exit; } ($interface, $fwport, $destip, $destport) = ($ARGV[0], $ARGV[1], $ARGV[2], $ARGV[3]); die "Error: Invalid port\n" if (($fwport) =~ /\D/) || (($fwport) < 1) || (($fwport) > 65535) || (($destport) =~ /\D/) || (($destport) < 1) || (($destport) > 65535); print "$iptables -I FORWARD -p tcp -d $destip --dport $destport -j ACCEPT\n", "$iptables -I FORWARD -p udp -d $destip --dport $destport -j ACCEPT\n", "$iptables -t nat -A PREROUTING -p tcp -i $interface --dport $fwport -j DNAT --to $destip:$destport\n", "$iptables -t nat -A PREROUTING -p udp -i $interface --dport $fwport -j DNAT --to $destip:$destport\n"; } # dump help if ($help) { &usage; exit 1 } # begin if ($file) { if ($interface) { &multi_forward; } else { die "Error: set external interface thru -i\n"; } } else { &single_forward; } gShield-2.8/tools/gshield.pump0100444000175000017500000000151607370677473015464 0ustar godotgodot#! 
/bin/sh # Contributed script by Don Munroe # Modified from the seawall firewall # package # copy this script into /etc/firewall/pump # # Change the owner and permissions of this file: # chown root.root /etc/firewall/pump # chmod 500 /etc/firewall/pump # logger "The /etc/firewall/pump scripts was called with args $1 $2 $3" case $1 in up) if [ "$3" != "0.0.0.0" ]; then logger "Starting gShield Firewall..." /etc/firewall/gShield.rc echo $3 > /etc/firewall/ipaddr-$2 fi ;; renewal) if [ "`cat /etc/firewall/ipaddr-$2`" != "$3" ]; then logger "Restarting gShield Firewall..." /etc/firewall/gShield.rc -f /etc/firewall/gShield.rc echo $3 > /etc/firewall/ipaddr-$2 fi ;; down) logger "Stopping gShield Firewall..." /etc/firewall/gShield.rc -f ;; esac gShield-2.8/tools/README0100644000175000017500000000052707422723712014007 0ustar godotgodotHere are several tools which may make using gShield easier. * gforward.pl - perl script which sets up proper port-forwarding rulesets * tracker.pl - perl script by rajak which makes the connection tracking log a bit easier to read * gshield.pump - contributed script by Don Munroe to ease use of gShield with pump gShield-2.8/sourced/0040700000175000017500000000000007474540620013422 5ustar godotgodotgShield-2.8/sourced/services.rules0100500000175000017500000005732707474540617016343 0ustar godotgodot#!/bin/sh # vim: set sw=4 ts=4 et: # Services construction -- part of # Godot's gShield # ------ [ FTP_SERVICE ] ------ # case "$FTP_SERVICE" in open|OPEN|PUBLIC|public|YES|yes) SYSLOG "ftpd publically accessible" $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 21 -j PUBLIC $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 20 -j PUBLIC ;; forward|FORWARD) SYSLOG "ftpd accessible and forwarded to $FTP_HOST" $IPTABLES -A FORWARD -p tcp -d $FTP_HOST --dport ftp-data -j ACCEPT $IPTABLES -A FORWARD -p tcp -d $FTP_HOST --dport ftp -j ACCEPT $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 21 -j DNAT --to $FTP_HOST:21 
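$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 20 -j DNAT --to $FTP_HOST:20
;;
no|NO|CLOSED|closed)
;;
*)
SYSLOG "Error: Please check defined FTPD variables in gShield.conf"
esac

# ------ [ HTTP_SERVICE ] ------ #

# HTTP_STRING is a user chain shared by the HTTP and HTTPS sections:
# packets on port 80/443 whose payload contains one of the words in
# $HTTP_BAD_STRING jump here from INPUT or FORWARD.  It is created and
# flushed once, then populated by whichever section(s) are enabled.
#
# Rules are appended (-A) in evaluation order -- the optional LOG rule
# first, then the terminating REJECT/DROP -- so the log rule is actually
# reached.  Inserting (-I) the terminating rule after the LOG rule, as
# this file used to do, placed it at position 1 and the match was never
# logged.  If both HTTP and HTTPS populate the chain, the HTTP rules
# come first and terminate every tcp/udp packet; the HTTPS rules behind
# them are unreachable.
#
# NOTE(review): '-m string --string' with no '--algo' is the syntax of
# the 2002-era string patch; iptables 1.3 and later require
# '--algo bm' (or kmp) on every string match.
if [ "$HTTP_STRING_MATCH" = "YES" -o "$HTTP_STRING_MATCH" = "yes" ]; then
    $IPTABLES -N HTTP_STRING 2> /dev/null
    $IPTABLES -F HTTP_STRING
fi

case "$HTTP_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "httpd publically accessible"
        # string matching for HTTP
        if [ "$HTTP_STRING_MATCH" = "YES" -o "$HTTP_STRING_MATCH" = "yes" ]; then
            SYSLOG "http-string matching -> $HTTP_STRING_MATCH"
            # log or not -- LOG is non-terminating and must precede REJECT/DROP
            if [ "$HTTP_STRING_MATCH_LOG" = "YES" -o "$HTTP_STRING_MATCH_LOG" = "yes" ]; then
                $IPTABLES -A HTTP_STRING -j LOG --log-level $LOG_LEVEL --log-prefix "gShield (http string drop) "
            fi
            $IPTABLES -A HTTP_STRING -p tcp -j REJECT --reject-with tcp-reset
            $IPTABLES -A HTTP_STRING -p udp -j DROP
            # strings to match; "$all" is quoted so an entry containing
            # shell glob characters is not expanded against the cwd
            for all in $HTTP_BAD_STRING
            do
                $IPTABLES -A INPUT -p tcp -m string --string "$all" --dport 80 -j HTTP_STRING
            done
        fi
        # allow all other connections to HTTP
        # (HTTP is tcp-only; the udp/80 rule opens a port no httpd listens on)
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 80 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 80 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "httpd accessible and forwarded to $HTTP_HOST"
        if [ "$HTTP_STRING_MATCH" = "YES" -o "$HTTP_STRING_MATCH" = "yes" ]; then
            SYSLOG "http-string matching -> $HTTP_STRING_MATCH"
            # log or not -- LOG first, then the terminating rules
            if [ "$HTTP_STRING_MATCH_LOG" = "YES" -o "$HTTP_STRING_MATCH_LOG" = "yes" ]; then
                $IPTABLES -A HTTP_STRING -j LOG --log-level $LOG_LEVEL --log-prefix "gShield (http string drop) "
            fi
            $IPTABLES -A HTTP_STRING -p tcp -j REJECT --reject-with tcp-reset
            $IPTABLES -A HTTP_STRING -p udp -j DROP
            # drop "bad" strings to forwarded httpd; these FORWARD rules
            # are appended before the ACCEPT rules below, so they win
            for all in $HTTP_BAD_STRING
            do
                $IPTABLES -A FORWARD -p tcp -m string --string "$all" --dport 80 -j HTTP_STRING
            done
        fi
        # allow all other connections to HTTP and DNAT them to $HTTP_HOST
        $IPTABLES -A FORWARD -p tcp -d $HTTP_HOST --dport 80 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $HTTP_HOST --dport 80 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 80 -j DNAT --to $HTTP_HOST:80
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 80 -j DNAT --to $HTTP_HOST:80
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined HTTPD variables in gShield.conf"
esac

# ------ [ HTTPS_SERVICE ] ------ #

# NOTE(review): on port 443 only the TLS handshake is plaintext, so a
# payload string match catches very little here; it is kept for parity
# with the HTTP section.  Matches are DROPped (no tcp-reset), unlike HTTP.
case "$HTTPS_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "httpd-ssl publically accessible"
        # string matching for HTTPS
        if [ "$HTTP_STRING_MATCH" = "YES" -o "$HTTP_STRING_MATCH" = "yes" ]; then
            SYSLOG "http-string matching -> $HTTP_STRING_MATCH"
            # log or not -- LOG first, then DROP
            if [ "$HTTP_STRING_MATCH_LOG" = "YES" -o "$HTTP_STRING_MATCH_LOG" = "yes" ]; then
                $IPTABLES -A HTTP_STRING -j LOG --log-level $LOG_LEVEL --log-prefix "gShield (http string drop) "
            fi
            $IPTABLES -A HTTP_STRING -j DROP
            # strings to match
            for all in $HTTP_BAD_STRING
            do
                $IPTABLES -A INPUT -p tcp -m string --string "$all" --dport 443 -j HTTP_STRING
            done
        fi
        # allow all other connections to HTTPS (with or without string matching)
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 443 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 443 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "httpd-ssl accessible and forwarded to $HTTPS_HOST"
        if [ "$HTTP_STRING_MATCH" = "YES" -o "$HTTP_STRING_MATCH" = "yes" ]; then
            SYSLOG "String filtering HTTP connections"
            # log or not -- LOG first, then DROP
            if [ "$HTTP_STRING_MATCH_LOG" = "YES" -o "$HTTP_STRING_MATCH_LOG" = "yes" ]; then
                $IPTABLES -A HTTP_STRING -j LOG --log-level $LOG_LEVEL --log-prefix "gShield (http string drop) "
            fi
            $IPTABLES -A HTTP_STRING -j DROP
            # strings to match on forwarded HTTPS
            for all in $HTTP_BAD_STRING
            do
                $IPTABLES -A FORWARD -p tcp -m string --string "$all" --dport 443 -j HTTP_STRING
            done
        fi
        # allow all other connections to HTTPS and DNAT them to $HTTPS_HOST
        $IPTABLES -A FORWARD -p tcp -d $HTTPS_HOST --dport 443 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $HTTPS_HOST --dport 443 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 443 -j DNAT --to $HTTPS_HOST:443
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 443 -j DNAT --to $HTTPS_HOST:443
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined httpd-ssl variables in gShield.conf"
esac

# ------ [ SMTP_SERVICE ] ------ #

# SMTP is the one service in this file opened for tcp only.
case "$SMTP_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "SMTP daemon publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 25 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "SMTPD accessible and forwarded to $SMTP_HOST"
        $IPTABLES -A FORWARD -p tcp -d $SMTP_HOST --dport 25 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 25 -j DNAT --to $SMTP_HOST:25
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined SMTPD variables in gShield.conf"
esac

# ------ [ POP_SERVICE ] ------ #

# POP3 carries credentials in the clear; prefer exposing it only to
# $REMOTENET ranges you trust, or use its TLS variant.
case "$POP_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "POP3 daemon publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 110 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 110 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "POP3 accessible and forwarded to $POP_HOST"
        $IPTABLES -A FORWARD -p tcp -d $POP_HOST --dport 110 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $POP_HOST --dport 110 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 110 -j DNAT --to $POP_HOST:110
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 110 -j DNAT --to $POP_HOST:110
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined POP variables in gShield.conf"
esac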
# ------ [ IMAPD_SERVICE ] ------ #
#
# Every *_SERVICE case in this file follows the same shape:
#   open/public/yes : accept the port on the firewall itself, from
#                     $REMOTENET to $EXTERNALIP, via the PUBLIC chain
#                     (PUBLIC is presumably defined earlier in gShield)
#   forward         : ACCEPT in FORWARD towards the *_HOST and DNAT the
#                     port from $EXTERNALIP to that host
#   no/closed       : add nothing
#   anything else   : log a configuration error
# tcp and udp are opened as a pair for every service, including ones
# that are tcp-only (IMAP, SSH, telnet): the udp rules expose a port no
# such daemon listens on and can be removed where not wanted.
case "$IMAPD_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "IMAP daemon publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 143 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 143 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "IMAP accessible and forwarded to $IMAPD_HOST"
        $IPTABLES -A FORWARD -p tcp -d $IMAPD_HOST --dport 143 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $IMAPD_HOST --dport 143 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 143 -j DNAT --to $IMAPD_HOST:143
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 143 -j DNAT --to $IMAPD_HOST:143
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined IMAPD variables in gShield.conf"
esac

# ------ [ IMAPD_SSL_SERVICE ] ------ #
# IMAP over TLS (imaps, 993)
case "$IMAPDSSL_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "IMAP daemon (ssl) publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 993 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 993 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "IMAP (ssl) accessible and forwarded to $IMAPDSSL_HOST"
        $IPTABLES -A FORWARD -p tcp -d $IMAPDSSL_HOST --dport 993 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $IMAPDSSL_HOST --dport 993 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 993 -j DNAT --to $IMAPDSSL_HOST:993
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 993 -j DNAT --to $IMAPDSSL_HOST:993
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined IMAPD-SSL variables in gShield.conf"
esac

# ------ [ BIND_SERVICE ] ------ #
#
# DNS is handled with nested ifs rather than a case statement.
# Three knobs: BIND_SERVICE (is port 53 reachable at all),
# ALLOW_ZONE_TRANSFERS (open tcp/53 as well as udp/53) and
# LOCAL_BIND / FORWARD_BIND (serve locally, or DNAT to $DNS_HOST).
# The INPUT -> PUBLIC rules for $EXTERNALIP are added whenever
# BIND_SERVICE is on, independent of LOCAL_BIND / FORWARD_BIND.
if [ "$BIND_SERVICE" = "YES" -o "$BIND_SERVICE" = "yes" -o "$BIND_SERVICE" = "OPEN" -o "$BIND_SERVICE" = "open" ]; then
    # zone transfers (AXFR) and large answers need tcp/53; plain queries are udp/53
    if [ "$ALLOW_ZONE_TRANSFERS" = "YES" -o "$ALLOW_ZONE_TRANSFERS" = "yes" ]; then
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 53 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 53 -j PUBLIC
    else
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 53 -j PUBLIC
    fi
    if [ "$LOCAL_BIND" = "YES" -o "$LOCAL_BIND" = "yes" ]; then
        # named runs on the firewall; the PUBLIC rules above are all that is needed
        SYSLOG "BIND publically accessible"
    else
        if [ "$FORWARD_BIND" = "YES" -o "$FORWARD_BIND" = "yes" ]; then
            # NOTE(review): the INPUT rules for -d $DNS_HOST only match
            # if $DNS_HOST is an address of the firewall itself; after
            # DNAT the redirected packets traverse FORWARD, not INPUT.
            # Confirm which of the two is intended before relying on them.
            if [ "$ALLOW_ZONE_TRANSFERS" = "YES" -o "$ALLOW_ZONE_TRANSFERS" = "yes" ]; then
                $IPTABLES -A INPUT -p tcp -d $DNS_HOST --dport 53 -j ACCEPT
                $IPTABLES -A FORWARD -p tcp -d $DNS_HOST --dport 53 -j ACCEPT
                $IPTABLES -A INPUT -p udp -d $DNS_HOST --dport 53 -j ACCEPT
                $IPTABLES -A FORWARD -p udp -d $DNS_HOST --dport 53 -j ACCEPT
                $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 53 -j DNAT --to $DNS_HOST:53
                $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 53 -j DNAT --to $DNS_HOST:53
                SYSLOG "BIND publically accessible and redirecting [$DNS_HOST]"
            else
                $IPTABLES -A INPUT -p udp -d $DNS_HOST --dport 53 -j ACCEPT
                $IPTABLES -A FORWARD -p udp -d $DNS_HOST --dport 53 -j ACCEPT
                $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 53 -j DNAT --to $DNS_HOST:53
            fi
        else
            # neither LOCAL_BIND nor FORWARD_BIND: port 53 is open on
            # $EXTERNALIP (rules above) but nothing is redirected
            SYSLOG "BIND open for re-direction"
        fi
    fi
fi

# ------ [ SSHD_SERVICE ] ------ #
# SSH is tcp-only; the udp/22 rules are part of the generic pattern.
case "$SSHD_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "SSH daemon publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 22 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 22 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "SSH accessible and forwarded to $SSHD_HOST"
        $IPTABLES -A FORWARD -p tcp -d $SSHD_HOST --dport 22 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $SSHD_HOST --dport 22 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 22 -j DNAT --to $SSHD_HOST:22
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 22 -j DNAT --to $SSHD_HOST:22
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined SSHD variables in gShield.conf"
esac

# ------ [ TELNET_SERVICE ] ------ #
# telnet is cleartext (credentials included); exposing it to $REMOTENET
# is a risk the administrator accepts by setting this to open/forward.
case "$TELNET_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "telnet publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 23 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 23 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "telnet accessible and forwarded to $TELNETD_HOST"
        $IPTABLES -A FORWARD -p tcp -d $TELNETD_HOST --dport 23 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $TELNETD_HOST --dport 23 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 23 -j DNAT --to $TELNETD_HOST:23
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 23 -j DNAT --to $TELNETD_HOST:23
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined telnet variables in gShield.conf"
esac

# ------ [ NFS_SERVICE ] ------ #
#
# Opens portmapper (111) and nfsd (2049).  NFS typically also depends
# on other RPC services (mountd, lockd, statd) that bind to dynamic
# ports registered with portmapper; those are not covered here, so
# check the mount actually works through the firewall before assuming
# these four ports are sufficient.
case "$NFS_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "NFS publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 111 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 111 -j PUBLIC
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 2049 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 2049 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "NFS accessible and forwarded to $NFS_SERVICE_HOST"
        # NOTE(review): the 2049 FORWARD rules are restricted to
        # -s $REMOTENET but the 111 rules are not -- the asymmetry looks
        # accidental; confirm which source restriction is intended.
        $IPTABLES -A FORWARD -p tcp -d $NFS_SERVICE_HOST --dport 111 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $NFS_SERVICE_HOST --dport 111 -j ACCEPT
        $IPTABLES -A FORWARD -p tcp -s $REMOTENET -d $NFS_SERVICE_HOST --dport 2049 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -s $REMOTENET -d $NFS_SERVICE_HOST --dport 2049 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 111 -j DNAT --to $NFS_SERVICE_HOST:111
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 111 -j DNAT --to $NFS_SERVICE_HOST:111
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 2049 -j DNAT --to $NFS_SERVICE_HOST:2049
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 2049 -j DNAT --to $NFS_SERVICE_HOST:2049
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined NFS variables in gShield.conf"
esac
# ------ [ IDENTD_SERVICE ] ------ #
#
# identd (auth, 113) has two extra modes beyond open/forward/closed:
#   return : answer probes with a TCP RST so the remote side (IRC and
#            some mail servers probe 113) gives up immediately instead
#            of waiting for a timeout
#   reject : REJECT with the default ICMP port-unreachable
case "$IDENTD_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "identd publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 113 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 113 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "identd accessible and forwarded to $IDENTD_HOST"
        $IPTABLES -A FORWARD -p tcp -d $IDENTD_HOST --dport 113 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $IDENTD_HOST --dport 113 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 113 -j DNAT --to $IDENTD_HOST:113
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 113 -j DNAT --to $IDENTD_HOST:113
        ;;
    return|RETURN)
        # no -s/-d match: applies to 113 on every interface
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
        ;;
    reject|REJECT)
        $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined identd variables in gShield.conf"
esac

# ------ [ FINGER_SERVICE ] ------ #
# finger (79) discloses account names and login activity; treat "open"
# as a deliberate information-disclosure decision.
case "$FINGER_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "fingerd publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 79 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 79 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "fingerd accessible and forwarded to $FINGER_HOST"
        $IPTABLES -A FORWARD -p tcp -d $FINGER_HOST --dport 79 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $FINGER_HOST --dport 79 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 79 -j DNAT --to $FINGER_HOST:79
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 79 -j DNAT --to $FINGER_HOST:79
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined fingerd variables in gShield.conf"
esac

# ------ [ TIME_SERVICE ] ------ #
# Port 123 is NTP, which runs over udp; the tcp/123 rules are the
# generic tcp+udp pattern and are not needed by ntpd.
case "$TIME_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "time services publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 123 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 123 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "time services accessible and forwarded to $TIME_SERVICE_HOST"
        $IPTABLES -A FORWARD -p tcp -d $TIME_SERVICE_HOST --dport 123 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $TIME_SERVICE_HOST --dport 123 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 123 -j DNAT --to $TIME_SERVICE_HOST:123
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 123 -j DNAT --to $TIME_SERVICE_HOST:123
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined time variables in gShield.conf"
esac

# ------ [ POSTGRES_SERVICE ] ------ #
# Database ports exposed to $REMOTENET are reachable by anything in that
# range; the usual deployment keeps them closed here and reaches the
# database over an application tier or a VPN.
case "$POSTGRES_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "postgresql publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 5432 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 5432 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "postgresql accessible and forwarded to $POSTGRES_SERVICE_HOST"
        $IPTABLES -A FORWARD -p tcp -d $POSTGRES_SERVICE_HOST --dport 5432 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $POSTGRES_SERVICE_HOST --dport 5432 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 5432 -j DNAT --to $POSTGRES_SERVICE_HOST:5432
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 5432 -j DNAT --to $POSTGRES_SERVICE_HOST:5432
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined postgresql variables in gShield.conf"
esac

# ------ [ MYSQL_SERVICE ] ------ #
# Same caveat as postgresql above.
case "$MYSQL_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "mysql publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 3306 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 3306 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "mysql accessible and forwarded to $MYSQL_SERVICE_HOST"
        $IPTABLES -A FORWARD -p tcp -d $MYSQL_SERVICE_HOST --dport 3306 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $MYSQL_SERVICE_HOST --dport 3306 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 3306 -j DNAT --to $MYSQL_SERVICE_HOST:3306
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 3306 -j DNAT --to $MYSQL_SERVICE_HOST:3306
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined mysql variables in gShield.conf"
esac

# ------ [ SOCKS_SERVICE ] ------ #
# An open SOCKS proxy (1080) reachable from $REMOTENET relays arbitrary
# connections on the firewall's behalf; make sure the proxy itself
# authenticates clients before setting this to open.
case "$SOCKS_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "socks publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 1080 -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 1080 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "socks accessible and forwarded to $SOCKS_SERVICE_HOST"
        $IPTABLES -A FORWARD -p tcp -d $SOCKS_SERVICE_HOST --dport 1080 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $SOCKS_SERVICE_HOST --dport 1080 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 1080 -j DNAT --to $SOCKS_SERVICE_HOST:1080
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 1080 -j DNAT --to $SOCKS_SERVICE_HOST:1080
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined socks variables in gShield.conf"
esac

# ------ [ P2P_SERVICE ] ------ #
# The only service whose port is configurable ($P2P_PORT); it is
# expanded unquoted into --dport, so it must be a single port or
# port range acceptable to iptables.
case "$P2P_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "peer-to-peer services publically accessible"
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport $P2P_PORT -j PUBLIC
        $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport $P2P_PORT -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "p2p services accessible (port $P2P_PORT) and forwarded to $P2P_HOST"
        $IPTABLES -A FORWARD -p tcp -d $P2P_HOST --dport $P2P_PORT -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $P2P_HOST --dport $P2P_PORT -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport $P2P_PORT -j DNAT --to $P2P_HOST:$P2P_PORT
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport $P2P_PORT -j DNAT --to $P2P_HOST:$P2P_PORT
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined P2P variables in gShield.conf"
esac

# ------ [ TS_SERVICE ] ------ #
# Windows Terminal Services / RDP (3389).  Forward-only: there is no
# open|OPEN arm, so setting TS_SERVICE to "open" lands in the error
# message below.
case "$TS_SERVICE" in
    forward|FORWARD)
        SYSLOG "terminal services accessible and forwarded to $TS_HOST"
        $IPTABLES -A FORWARD -p tcp -d $TS_HOST --dport 3389 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $TS_HOST --dport 3389 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 3389 -j DNAT --to $TS_HOST:3389
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 3389 -j DNAT --to $TS_HOST:3389
        ;;
    no|NO|CLOSED|closed)
        ;;
    *)
        SYSLOG "Error: Please check defined TS variables in gShield.conf"
esac

# ------------ [ PPTP SERVICE ] --------------#
#
# PPTP uses tcp/1723 for control and GRE (IP protocol 47) for the
# tunnel itself; the forward and restricted arms handle both, the open
# arm does not (see the note there).
case "$PPTP_SERVICE" in
    open|OPEN|PUBLIC|public|YES|yes)
        SYSLOG "PPTP publically accessible"
        # NOTE(review): the tcp/1723 rule is added twice and no -p 47
        # rule is added to INPUT, so a PPTP server on the firewall
        # itself never receives the GRE tunnel traffic.  The second
        # line looks like a copy of the first; confirm what was intended.
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 1723 -j PUBLIC
        $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 1723 -j PUBLIC
        ;;
    forward|FORWARD)
        SYSLOG "PPTP accessible and forwarded to $PPTP_HOST"
        # INPUT rules for -d $PPTP_HOST only match if that address is
        # local to the firewall; DNATed traffic goes through FORWARD.
        $IPTABLES -A INPUT -p tcp -d $PPTP_HOST --dport 1723 -j ACCEPT
        $IPTABLES -A INPUT -p udp -d $PPTP_HOST --dport 1723 -j ACCEPT
        $IPTABLES -A FORWARD -p tcp -d $PPTP_HOST --dport 1723 -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d $PPTP_HOST --dport 1723 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNALIP --dport 1723 -j DNAT --to $PPTP_HOST:1723
        $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNALIP --dport 1723 -j DNAT --to $PPTP_HOST:1723
        # -I with no -d match: every GRE packet reaching nat PREROUTING,
        # whatever its destination, is redirected to $PPTP_HOST, ahead
        # of any nat rule added before this point.
        $IPTABLES -t nat -I PREROUTING -p 47 -j DNAT --to $PPTP_HOST
        $IPTABLES -A FORWARD -p 47 -d $PPTP_HOST -j ACCEPT
        ;;
    no|NO|CLOSED|closed)
        ;;
    RESTRICTED|restricted)
        # Same as forward, but only from the hosts listed in $PPTP_ALLOWED.
        # NOTE(review): the loop variable "all" is never used -- every
        # rule (and the log line) expands the whole $PPTP_ALLOWED list,
        # so with more than one entry iptables is handed several words
        # for -s and the same rule set is re-added once per entry.  Each
        # "$PPTP_ALLOWED" in the loop body should read "$all".
        for all in $PPTP_ALLOWED
        do
            SYSLOG "PPTP accessible from $PPTP_ALLOWED and forwarded to $PPTP_HOST"
            $IPTABLES -A INPUT -p tcp -s $PPTP_ALLOWED -d $PPTP_HOST --dport 1723 -j ACCEPT
            $IPTABLES -A INPUT -p udp -s $PPTP_ALLOWED -d $PPTP_HOST --dport 1723 -j ACCEPT
            $IPTABLES -A FORWARD -p tcp -s $PPTP_ALLOWED -d $PPTP_HOST --dport 1723 -j ACCEPT
            $IPTABLES -A FORWARD -p udp -s $PPTP_ALLOWED -d $PPTP_HOST --dport 1723 -j ACCEPT
            # this rule's --to target continues on the following line of the file
            $IPTABLES -t nat -A PREROUTING -s $PPTP_ALLOWED -p tcp -d $EXTERNALIP --dport 1723 -j DNAT --to \
$PPTP_HOST:1723 $IPTABLES -t nat -A PREROUTING -s $PPTP_ALLOWED -p udp -d $EXTERNALIP --dport 1723 -j DNAT --to $PPTP_HOST:1723 $IPTABLES -t nat -I PREROUTING -s $PPTP_ALLOWED -p 47 -j DNAT --to $PPTP_HOST $IPTABLES -A FORWARD -s $PPTP_ALLOWED -p 47 -d $PPTP_HOST -j ACCEPT done ;; *) SYSLOG "Error: Please check defined PPTP variables in gShield.conf" esac gShield-2.8/DMZ/0040700000175000017500000000000007261033667012412 5ustar godotgodotgShield-2.8/DMZ/dmz_hosts0100600000175000017500000000104207277136453014347 0ustar godotgodot# Add hosts here which you want gShield to allow # COMPLETE access TO but should NOT TRUST to # connect to the firewall itself. In essence # this means DMZ hosts are NOT protected by # the firewall. # gShield will happily forward traffic to the DMZ machine # and drop all traffic coming from that machine to the # segment it "protects" # I personally -do not- recommend using private # subnets as a DMZ, though many folks seem to think # this is fine. gShield is currently -not- setup # to deal with private addresses as a DMZ #182.12.12.12 gShield-2.8/docs/0040755000175000017500000000000007465036732012724 5ustar godotgodotgShield-2.8/docs/readme0100644000175000017500000001510607424277552014106 0ustar godotgodotgShield is a iptables firewall script which should run "out of the box" for most folks with minimal fuss. gShield has the following features: - handles dynamic or static IP's without problem - can selectively enable NAT for multiple private ranges - adds tcpwrapper-like functionality for access to services - aggressive defaults; only default 'open' service is auth - easily configurable via a well commented BSD-style conf file. iptables configuration ============================== gShield does not require the use of the experiemental patches contained in the iptables source. 
There are -some- cases where the functionality of one or more of those patches was absolutely necessary in some cases (the TCPMSS fix for PPPoE folks is one example) -- but in general gShield does not make use of these modules. That said, my personally approach to compiling iptables support is simple: - ensure Prompt for development drivers is enabled - compile -ALL- listed iptables options directly unless the specifically require passed arguments to be useful (such as the irc connection tracking stuff) Yes, compiling them as modules should be fine for a properly configured system-- it's just the way I do it. Getting started =============== All major configuration settings are stored in /etc/firewall/gShield.conf You -WILL- need to look over this file before running the firewall, but for most cases, the defaults should work fine for most folks. Go ahead, open another term and take a peek; it's commented. gShield itself has some runtime options you can use to ease some typical administrative tasks. These are detailed below and in USAGE. * ACL's gShield tries to incorporate Access Control lists in a more direct manner than the "usual" approach with firewall scripts. An ACL is simply a list of hosts which are allowed to connect to pre-defined services. In this way, we can protect core services (such as POP, SMTP, FTP, etc) from "the world", while still having unrestricted access to "trusted" hosts. A good example: You wish to have access to your home machine from work, but worry about leaving the sorts of services you'd like access to open to the world. One way to accomplish protecting these services would be via tcpwrappers or xinetd. gShield takes this a bit further by allowing you to set what hosts even get to have a packet touch the service in the first place. In the case of our "I want to have access to my home machine from work" scenerio, we simply drop the ip (or range) of our work machine into /etc/firewall/conf/client_hosts. 
Any ip (or range) in client-hosts is allowed access to those services as defined in /etc/firewall/conf/client_services, while "other" hosts cannot. So one can easily restrict access to services by distinguishing between "clients" and "the public". ---------------------------------------------- Other ACL's /etc/firewall/conf contains the following 'other' files: NATS black_listed_hosts client_hosts client_services closed_ports highport_access reserved_addresses open_ports blocked_outgoing blocked_addresses no_log_ports client_hosts and client_services we've touched on already. * NATS should contain the private addresses you wish to provide NAT services for. You can specify multiple ranges here. * black_listed_hosts drop "problem" hosts in here. gShield will drop -all- connections from these hosts (and log them at no extra cost!) IF you have BLACKLISTED set to "AUTO" in gShield.conf, gShield will attempt to parse /etc/hosts.deny for this information (see gShield.conf for more details). * highport_access IRC bots like to connect to high (unreserved) ports, which gShield drops by default. Many services like to establish high TCP connections as well -- simply drop those hosts in here (if you need unrestricted access from the public to high ports, this can be configured in gShield.conf). This -may- be resolved by using the irc connection tracking stuff. * closed_ports These are ports you simply want -fully- closed off for whatever reason. In most cases, this is over-kill given gShield's defaults. These ports are closed to -everyone-, even those hosts listed as clients, so be aware. * reserved_addresses These are ip ranges which have no business hitting the external interface in the first place (i.e., private ranges) * open_ports Sometimes, you just want that port open. Add those ports you want open ON the firewall machine. gShield will open both tcp and udp on those specified ports. 
* blocked_outgoing ports which you wish to -prevent- access to (both for the firewall itself, as well as NAT'd clients) # blocked_addresses addresses which you wish to -prevent- access to (both for the firewall itself, as well as NAT'd clients) * no_log_ports ports which you do not wish logged, regardless of the default logging policy * forwards this file allows one to configure custom port-forwards ---------------------------------------------- RUNTIME options Beginning with 2.4, gShield adds additional run-time options to make some tasks easier. From ./gShield.rc --help gShield.rc accepts the following command line args: -s|--start .............. Bring up the firewall. -r|--restart ............ Reload the firewall. -f|--flush|--stop ....... Disable the firewall. -c HOST|--client HOST ... Add HOST to client_hosts file and gives immediate access. HOST can be either an IP or a FQDN. -b HOST|--blacklist HOST Add HOST to your blacklist and block all access immediately. HOST can be either an IP or a FQDN. -H HOST|--highport HOST . Give HOST access to ports > 1024 HOST can be either an IP or a FQDN. -V|--version ............ Display version info. -?|-h|--help ............ Display this help. Briefly put, you can add ips to the client list, highport list or blacklist all from the command line without having to re-load gShield to re-read the ACL for that service. For example, say I want to allow 1.2.3.4 as a client. Starting with gShield 2.4, this is a single step: /etc/firewall/gShield.rc --client 1.2.3.4 gShield will: - add 1.2.3.4 to the -current- client list for immediate access - add 1.2.3.4 to /etc/firewall/conf/client_hosts (for next time) and date its insertion. 
There ARE some limitations: - you have to use an -ip- address; hostnames are no good (this isn't totally true) - you can only use -single- ip addresses, not ranges or nets ---------------------------------------------- Feel free to contact me with suggestions and/or problems Godot (godot@mindspring.com) I can also generally be found on EFNet, #Linuxhelp gShield-2.8/docs/applied_patches0100600000175000017500000000201207465036732015754 0ustar godotgodotBelow are the patches which iptables was patched with during development of gShield. These have been applied against iptables 1.2.6a and kernel 2.4.18 submitted/2.4.14 submitted/2.4.18 submitted/2.4.4 submitted/REJECT-dont_fragment submitted/TOS-oops-fix submitted/ah-esp submitted/config-cleanup submitted/conntrack+nat-helper-unregister submitted/ip6t_mac-fix-ipv6 submitted/ip6tables-export-symbols submitted/ip_conntrack_protocol_unregister submitted/ip_nat_irc-srcaddr-fix submitted/ipqueue-ipv6 submitted/ipt_MIRROR-ttl submitted/ipt_REJECT-checkentry submitted/ipt_mac-fix submitted/ipt_unclean-ecn submitted/irc-dcc-mask submitted/local-nat submitted/macro-trailing-semicolon-fix submitted/mangle5hooks submitted/module-license submitted/nat-export_symbols submitted/sackperm submitted/skb_clone_copy submitted/tcp-MSS submitted/ulog pending/ip_conntrack_protocol_destroy base/IPV4OPTSSTRIP base/NETLINK base/NETMAP base/SAME base/TTL base/conntrack base/ipv4options base/mport base/ownercmd base/pkttype base/psd base/time gShield-2.8/docs/usage0100444000175000017500000000256207400776137013752 0ustar godotgodotBeginning with 2.4, gShield adds additional run-time options to make some tasks easier. 
From ./gShield help gShield run-time options: ------------------------- flush: flush all rulesets and disable firewall --client x: add ip "x" to clientlist blacklist x: add ip "x" to blacklist highport x: add ip "x" to highport access list help: this list Briefly put, you can add ips to the client list, highport list or blacklist all from the command line without having to re-load gShield to re-read the ACL for that service. For example, say I want to allow 1.2.3.4 as a client. Starting with gShield 2.4, this is a single step: /etc/firewall/gShield.rc --client 1.2.3.4 gShield will: - add 1.2.3.4 to the -current- client list for immediate access - add 1.2.3.4 to /etc/firewall/conf/client_hosts (for next time) and date its insertion. There ARE some limitations: - you have to use an -ip- address; hostnames are no good - you can only use -single- ip addresses, not ranges or nets Starting with 2.6.1, the 'blacklist' run-time option is a bit smarter too. Running: /etc/firewall/gShield.rc blacklist 1.2.3.4 will: - immediately block all access from that ip - either: a) add that ip to /etc/firewall/conf/black_listed_hosts or b) add that ip to /etc/hosts.deny (prefixing ALL) if you have gShield.conf configured to use hosts.deny as a blacklist source. gShield-2.8/docs/common_problems0100644000175000017500000000072707375530501016036 0ustar godotgodot* FTP doesn't work from behind the firewall! I get "illegal port" errors and whatnot. ----------------------- FTP is problematic with respect to firewalls. 
RFC1579 describes the problem in more detail, but possible fixes: 1) You probably do not have FTP nat support compiled into the kernel: Networking Options --> Netfilter configuration: <*> Connection tracking (required for masq/NAT) <*> FTP protocol support 2) set ftp clients to use PASSIVE mode gShield-2.8/docs/new_features0100444000175000017500000000740707312543474015336 0ustar godotgodot--------------------------- 2.1 Configuration Additions --------------------------- 2.1 adds additional frameworks, and thus some additional configuration files. * conf/no_log_ports Often, there are port drops which are showing up in your logs which you simply do not want logged. Instead of having to turn off default logging, you can just add the port to conf/no_log_ports, and connections to that port will not be logged. * conf/blocked_outgoing Many folks requested the ability to block specific outgoing connections (napster, etc). To prevent connections -TO- specific ports, add those ports to conf/blocked_outgoing. This drops connections to that port for BOTH NAT'd clients -and- the firewall itself - gShield now pulls DNS server information from /etc/resolv.conf if you set that variable to "AUTO" in gShield.cof - gShield contains a new option: NAT_LOG_INVALID If set to yes, it gShield will log additional information related to INVALID drops which often show in the log (see section 3.1 of the netfilter FAQ). --------------------------- 2.6 Additions --------------------------- * gShield.conf Changes The services.rules script for gShield has undergone serious revision in v2.6-- it has been converted to case statements to make the script more readable. What this means for users of gShield is that the main configuration file (gShield.conf) has undergone some changes. 
Don't worry, the changes are well commented in gShield.conf The good news is that just about every service is now forwardable; the bad news is you should change your "old" configurations to take advantage of these changes. I -have- built in some logic to the new services file such that if you REALLY like putting "YES" as opposed to "OPEN" for a service, gShield will still understand what you mean. * User-defined files gShield now can easily deal with any specific commands you need it to run. gShield does this by looking for two files in FW_ROOT: - gshield.first - gshield.last gshield.first is sourced immediately after the tables are flushed; gshield.last is sourced at the very end of gShield. So, for example, say I want to get mail each time gShield is run: $ echo "echo 'gShield run on `date`' | mail godot" > /etc/firewall/gshield.first Or, for example, I want to ensure my host at 187.12.12.12 has full access to the firewall machine, and I want this rule pushed to the top of the firewall rules: $ echo "iptables -I INPUT -s 187.12.12.12 -j ACCEPT > /etc/firewall/gshield.last --------------------------- 2.6.1 Additions --------------------------- Starting with 2.6.1, you can set BLACKLISTED to "AUTO" in gShield.conf Setting this to AUTO will cause gShield to pull out any client addresses in in hosts.deny which are prefixed prefixed by ALL and drop all and use those addresses to generate its blacklisted client list. If you do not know how to deal with hosts.deny see 'man hosts_access' There -are- some limitations: a) gShield pays attention -only- to listings prefixed by ALL b) gShield cannot deal with hole domains like tcpd can -- it needs to be a numeric ip, resolvable hostname or range. 
range (no more using .aol.com ;p) c) If set to AUTO, gShield WILL NOT read black_listed_hosts --------------------------- 2.6.7 Additions --------------------------- * conf/blocked_outgoing an extension to blocking specific ports, many folks requested the ability to completely block access to specific addresses or ranges -- drop those address you wish NO access to from within the firewall milieu (which includes NAT'd clients) * GRE specific logging you can guess where I'm going here, but the first step is to set up a framework for at least adding GRE protocol logging * Basic VNC forwarding support at least for -single- VNC forwards, this can be configured directly in services.rules gShield-2.8/docs/errors0100444000175000017500000000227507301002614014141 0ustar godotgodotgShield will produce diagnostic messages in cases where it cannot find certain features. Below is more information relating to these errors: [gShield] error: seems you do not have the unclean extension compiled. If you've enabled experimental extensions during your kernel compile you should have a UNCLEAN extension under the netfilter options. This is a useful thing to have, but should not prevent gShield from functioning properly. [gShield] error: problem munching BLACKLIST. Check options in gShield.conf For some reason, gShield was unable to properly parse your BLACKLIST option in gShield.conf -- check the variable. [gShield] error: cannot load services.rules. For some reason, gShield was unable to read services.rules, which by default lives in /etc/firewall/sourced/ -- perhaps you've placed gShield in another location and didn't set FW_ROOT in gShield.conf? [gShield] error: problem loading TCPMSS extension. The patch-o-matic directory in the iptables source contains many "experimental" patches which need to be applied if you wish to use them -- TCPMSS addresses problems with some brain-dead PPPoE providers -- it seems you didn't patch+compile support for TCPMSS. 
gShield-2.8/docs/readme_first0100444000175000017500000000034007276423032015274 0ustar godotgodotgShield requires iptables in order to work its magic. gShield makes -no- provisions for loading iptables-related modules within the script itself. In a properly configured system, needed modules will be loaded as needed.