Hi, This script is pretty self-explanitory. To change things, simply edit between quotes. For example, to make ssh available just to your lan, change SSH="no" to SSH="yes" If you want to make ssh available to everyone on the internet in addition to the above, change SSHPUBLIC="no" to SSHPUBLIC="yes" I have set your internet eth interface to eth0, and your lan device to eth1 since it sounds like that's what you want. I have also made ssh and ftp publically accessible. To get an idea how to modify this script for your needs, compare what you got off the endoshield sight to the edited version I'm attaching with the 3 above variables changed. I'm not sure what you mean by changing addresses (do you mean inputing the correct address for your internal lan, or allowing/denying certain hosts). Sorry I can't tell you how to remove the old firewall from your scripts, and add the new one to your scripts, since I don't know what distro you have, and where your current firewall starts (that could happen in a couple different scripts). Hth. Greg On Wed, Dec 26, 2001 at 02:35:47PM -0500, Deedra Waters wrote: > Ok, Greg told me about this one a little while ago, then I lost the email, > so couldn't reply to it.... > I need to know how to change certain options in the configuration in this > script. > example, I need to know how to change it to eth0, along with the fact that > I am running ssh, and an ftp server. I need to know how to tell it that, > and also how to make it available to people who are not on my network.I > also need to know how to give it the right addresses that it asks for, or > rather how to change them. > Last thing..... I need to figure out how to remove my current firewall > from the startup and add this one. > sorry for so much trouble.... > > # > #**ENDOSHIELD 1.2** > #Written by Endo (Dave Cheeseman) cheeseman at users.sourceforge.net > #EndoShield Site - http://www.sourceforge.net/projects/endoshield > > #****************************************************************************************************************************** > #Configuration Part of the script - If you are unsure of any of these points, leave them as the default setting, changing these > #options can seriously affect the security of your firewall. > > #Do you want to run a ipchains firewall or iptables? > #If you are unsure about this, you need to find out what kernel you are running. > #See the readme file for more information. > TYPE="iptables" > > # Change INETDEV to the network device connceted to the Internet (ppp0/eth0) > # This is ppp0 by default for dial-up connections. Most cable modem users > # will probably want eth0 or possibly eth1. When in doubt look at the command > # 'ifconfig'. > INETDEV="ppp0" > > # Change LAN to the correct network address and network mask for your LAN > # this can be found by using ifconfig from one of the clients > LAN="192.168.1.0/24" > > # Change LANDEV to the network device connected to your LAN > LANDEV="eth0" > > # There should be no need to change this > LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \ -f 1` > > #Do you want other machines on the internet to be able to PING your machine? > #(If unsure, leave as no) > PING="no" > > #If you selected no as the previous option, do you want the machine to log > #the dropped pings? > LOGPINGS="no" > > #If you trust all data coming from your local network, put yes. > TRUST="yes" > > #If you want to share this machines internet connection, put yes > #(This will provide Masquerading services for you LAN) > #Otherwise, put no > SHARE="yes" > > #Is this machine connected to a Samba Network? > #If yes, over a LAN? > SAMBALAN="no" > #Or over a WAN? > SAMBAWAN="no" > #Or over both? > SAMBA="no" > > #If you are running any servers on your machine, you need to specify them below, > #you also need to specify wether these servers/ports should be open to just your local > #network, or the whole world. If you answer yes to PORTNAMEPUBLIC, then the specified port > #will be open to the whole internet, if this is left to the default, which is no, but you > #have specified that you are running a server on the port, the port will only be available to > #your local lan. > > #Do you run a FTP server? > FTP="no" > FTPPUBLIC="no" > > #Do you run a SSH server? > SSH="yes" > SSHPUBLIC="yes" > > #Do you run a telnet server? > TELNET="no" > TELNETPUBLIC="no" > > #Do you run a Web server? > WEB="no" > WEBPUBLIC="no" > > #Do you run a mail server? > MAIL="no" > MAILPUBLIC="no" > > #Do you run identd? > IDENT="no" > IDENTPUBLIC="no" > > #If you want to add any trusted hosts, that is, machines on the internet or on your local network > #which you want to fully trust (Allow all data from these machines pass through the firewall), then > #list these machines below. > TRUSTEDHOST1="131.211.28.48" > TRUSTEDHOST2="195.92.249.253" > TRUSTEDHOST3="194.159.164.195" > TRUSTEDHOST4="129.27.3.9" > TRUSTEDHOST5="1.1.1.1" > > #If you want to block any hosts from accessing your machine, please list them below, these machines > #will not be able to access your machine at all, even your public access servers. > DENYHOST1="1.1.1.1" > DENYHOST2="1.1.1.1" > DENYHOST3="1.1.1.1" > DENYHOST4="1.1.1.1" > DENYHOST5="1.1.1.1" > > #End of Configuration. > #************************************************************************************************************ > > echo "---------------------------------------------------------" > echo "Local Network Device: $LANDEV" > echo "Local IP: $LOCALIP" > echo "Local Network Address: $LAN" > echo "External Network Device: $INETDEV" > echo "---------------------------------------------------------" > echo "" > > #Set default chain policy > echo -n "Setting default chain policies..." > iptables -P INPUT DROP > iptables -P FORWARD DROP > iptables -P OUTPUT ACCEPT > echo " Done!" > > #Flush all chains > echo -n "Flushing chains..." > iptables -F > iptables -X > iptables -t nat -F PREROUTING > iptables -t nat -F POSTROUTING > echo " Done!" > > #Add custom chains > echo -n "Adding custom chains..." > iptables -N inet-in > iptables -N inet-out > echo " Done!" > > #Set INPUT rules > echo -n "Setting rules for INPUT chain..." > iptables -A INPUT -i lo -j ACCEPT > if [ "$TRUST" = "yes" -o "$TRUST" = "YES" ]; then > iptables -A INPUT -i $LANDEV -j ACCEPT > else > iptables -A INPUT -i $LANDEV -j inet-in > fi > iptables -A INPUT -i $INETDEV -j inet-in > echo " Done!" > > #Set FORWARD rules > echo -n "Setting rules for FORWARD chain..." > if [ "$SHARE" = "yes" -o "$SHARE" = "YES" ]; then > modprobe iptable_nat > iptables -A FORWARD -s $LAN -j ACCEPT > iptables -A FORWARD -d $LAN -j ACCEPT > echo 1 > /proc/sys/net/ipv4/ip_forward > #Activate masquerade > echo -n "Activating masquerade..." > iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE > echo " Done!" > fi > echo " Done!" > > #Set OUTPUT rules > echo -n "Setting rules for OUTPUT chain..." > iptables -A OUTPUT -j inet-out > echo " Done!" > > #Set inet-in rules > echo -n "Setting rules for internet device incoming chain: " > echo -n "Setting open ports for specified servers / Network Services .... "i > if [ "$SAMBALAN" = "YES" -o "$SAMBALAN" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 138:139 -j ACCEPT > fi > if [ "$SAMBAWAN" = "YES" -o "$SAMBAWAN" = "yes" ]; then > iptables -A inet-in -p tcp -i $INETDEV -o $INETDEV --dport 138:139 -j ACCEPT > fi > if [ "$SAMBA" = "YES" -o "$SAMBA" = "yes" ]; then > iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT > fi > if [ "$FTP" = "YES" -o "$FTP" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 21 -j ACCEPT > if [ "$FTPPUBLIC" = "YES" -o "$FTPPUBLIC" = "yes" ]; then > iptables -A inet-in -p tcp --dport 21 -j ACCEPT > fi > fi > if [ "$TELNET" = "YES" -o "$TELNET" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 23 -j ACCEPT > if [ "$TELNETPUBLIC" = "YES" -o "$TELNETPUBLIC" = "yes" ]; then > iptables -A inet-in -p tcp --dport 23 -j ACCEPT > fi > fi > if [ "$SSH" = "YES" -o "$SSH" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 22 -j ACCEPT > if [ "$SSHPUBLIC" = "YES" -o "$SSHPUBLIC" = "yes" ]; then > iptables -A inet-in -p tcp --dport 22 -j ACCEPT > fi > fi > if [ "$WEB" = "YES" -o "$WEB" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 80 -j ACCEPT > if [ "$WEBPUBLIC" = "YES" -o "$WEBPUBLIC" = "yes" ]; then > iptables -A inet-in -p tcp --dport 80 -j ACCEPT > fi > fi > if [ "$MAIL" = "YES" -o "$MAIL" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 110 -j ACCEPT > if [ "$MAILPUBLIC" = "YES" -o "$MAILPUBLIC" = "yes" ]; then > iptables -A inet-in -p tcp --dport 110 -j ACCEPT > fi > fi > if [ "$IDENT" = "YES" -o "$IDENT" = "yes" ]; then > iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 113 -j ACCEPT > if [ "$IDENTPUBLIC" = "YES" -o "$IDENTPUBLIC" = "yes" ]; then > iptables -A inet-in -p tcp --dport 113 -j ACCEPT > fi > fi > echo "Done!" > > echo -n "Adding trusted hosts.... " > iptables -A inet-in -s $TRUSTEDHOST1 -j ACCEPT > iptables -A inet-in -s $TRUSTEDHOST2 -j ACCEPT > iptables -A inet-in -s $TRUSTEDHOST3 -j ACCEPT > iptables -A inet-in -s $TRUSTEDHOST4 -j ACCEPT > iptables -A inet-in -s $TRUSTEDHOST5 -j ACCEPT > echo "Done!" > > echo -n "Denying all specified hosts.... " > iptables -A inet-in -s $DENYHOST1 -j DROP > iptables -A inet-in -s $DENYHOST2 -j DROP > iptables -A inet-in -s $DENYHOST3 -j DROP > iptables -A inet-in -s $DENYHOST4 -j DROP > iptables -A inet-in -s $DENYHOST5 -j DROP > echo "Done!" > > echo -n " Setup ping option on/off..." > if [ "$PING" = "YES" -o "$PING" = "yes" ]; then > iptables -A inet-in -p ICMP -j ACCEPT > fi > if [ "$LOGPINGS" = "YES" -o "$LOGPINGS" = "yes" ]; then > iptables -A inet-in -p ICMP -j LOG > fi > echo "Done!" > > echo -n " Setup port blocking on vulnerable ports..." > #Block NFS > iptables -A inet-in -p tcp --dport 2049 -j LOG > iptables -A inet-in -p udp --dport 2049 -j LOG > iptables -A inet-in -p tcp --dport 2049 -j DROP > iptables -A inet-in -p udp --dport 2049 -j DROP > #Block postgres > iptables -A inet-in -p tcp --dport postgres -j LOG > iptables -A inet-in -p udp --dport postgres -j LOG > iptables -A inet-in -p tcp --dport postgres -j DROP > iptables -A inet-in -p udp --dport postgres -j DROP > #Block X > iptables -A inet-in -p tcp --dport 5999:6003 -j LOG > iptables -A inet-in -p udp --dport 5999:6003 -j LOG > iptables -A inet-in -p tcp --dport 5999:6003 -j DROP > iptables -A inet-in -p udp --dport 5999:6003 -j DROP > #Block XFS > iptables -A inet-in -p tcp --dport 7100 -j LOG > iptables -A inet-in -p udp --dport 7100 -j LOG > iptables -A inet-in -p tcp --dport 7100 -j DROP > iptables -A inet-in -p udp --dport 7100 -j DROP > #Block Back Orifice > iptables -A inet-in -p tcp --dport 31337 -j LOG > iptables -A inet-in -p udp --dport 31337 -j LOG > iptables -A inet-in -p tcp --dport 31337 -j DROP > iptables -A inet-in -p udp --dport 31337 -j DROP > #Block netbus > iptables -A inet-in -p tcp --dport 12345:12346 -j LOG > iptables -A inet-in -p udp --dport 12345:12346 -j LOG > iptables -A inet-in -p tcp --dport 12345:12346 -j DROP > iptables -A inet-in -p udp --dport 12345:12346 -j DROP > echo " Done!" > echo " Done!" > echo -n " Setting connection tracking..." > iptables -A INPUT -i $INETDEV -m state --state NEW,INVALID -j DROP > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > echo " Done!" > > if [ "$TYPE" = "ipchains" -o "$TYPE" = "IPCHAINS" ]; then > echo "MAJOR APOLOGIES - The ipchains version didnt make it into the first version, but it is the highest priority on my TODO list" > echo "Check http://www.endoshield.sourceforge.net for the next release" > fi -------------- next part -------------- # #**ENDOSHIELD 1.2** #Written by Endo (Dave Cheeseman) cheeseman at users.sourceforge.net #EndoShield Site - http://www.sourceforge.net/projects/endoshield #****************************************************************************************************************************** #Configuration Part of the script - If you are unsure of any of these points, leave them as the default setting, changing these #options can seriously affect the security of your firewall. #Do you want to run a ipchains firewall or iptables? #If you are unsure about this, you need to find out what kernel you are running. #See the readme file for more information. TYPE="iptables" # Change INETDEV to the network device connceted to the Internet (ppp0/eth0) # This is ppp0 by default for dial-up connections. Most cable modem users # will probably want eth0 or possibly eth1. When in doubt look at the command # 'ifconfig'. INETDEV="eth0" # Change LAN to the correct network address and network mask for your LAN # this can be found by using ifconfig from one of the clients LAN="192.168.1.0/24" # Change LANDEV to the network device connected to your LAN LANDEV="eth1" # There should be no need to change this LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \ -f 1` #Do you want other machines on the internet to be able to PING your machine? #(If unsure, leave as no) PING="no" #If you selected no as the previous option, do you want the machine to log #the dropped pings? LOGPINGS="no" #If you trust all data coming from your local network, put yes. TRUST="yes" #If you want to share this machines internet connection, put yes #(This will provide Masquerading services for you LAN) #Otherwise, put no SHARE="yes" #Is this machine connected to a Samba Network? #If yes, over a LAN? SAMBALAN="no" #Or over a WAN? SAMBAWAN="no" #Or over both? SAMBA="no" #If you are running any servers on your machine, you need to specify them below, #you also need to specify wether these servers/ports should be open to just your local #network, or the whole world. If you answer yes to PORTNAMEPUBLIC, then the specified port #will be open to the whole internet, if this is left to the default, which is no, but you #have specified that you are running a server on the port, the port will only be available to #your local lan. #Do you run a FTP server? FTP="yes" FTPPUBLIC="yes" #Do you run a SSH server? SSH="yes" SSHPUBLIC="yes" #Do you run a telnet server? TELNET="no" TELNETPUBLIC="no" #Do you run a Web server? WEB="no" WEBPUBLIC="no" #Do you run a mail server? MAIL="no" MAILPUBLIC="no" #Do you run identd? IDENT="no" IDENTPUBLIC="no" #If you want to add any trusted hosts, that is, machines on the internet or on your local network #which you want to fully trust (Allow all data from these machines pass through the firewall), then #list these machines below. TRUSTEDHOST1="131.211.28.48" TRUSTEDHOST2="195.92.249.253" TRUSTEDHOST3="194.159.164.195" TRUSTEDHOST4="129.27.3.9" TRUSTEDHOST5="1.1.1.1" #If you want to block any hosts from accessing your machine, please list them below, these machines #will not be able to access your machine at all, even your public access servers. DENYHOST1="1.1.1.1" DENYHOST2="1.1.1.1" DENYHOST3="1.1.1.1" DENYHOST4="1.1.1.1" DENYHOST5="1.1.1.1" #End of Configuration. #************************************************************************************************************ echo "---------------------------------------------------------" echo "Local Network Device: $LANDEV" echo "Local IP: $LOCALIP" echo "Local Network Address: $LAN" echo "External Network Device: $INETDEV" echo "---------------------------------------------------------" echo "" #Set default chain policy echo -n "Setting default chain policies..." iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT echo " Done!" #Flush all chains echo -n "Flushing chains..." iptables -F iptables -X iptables -t nat -F PREROUTING iptables -t nat -F POSTROUTING echo " Done!" #Add custom chains echo -n "Adding custom chains..." iptables -N inet-in iptables -N inet-out echo " Done!" #Set INPUT rules echo -n "Setting rules for INPUT chain..." iptables -A INPUT -i lo -j ACCEPT if [ "$TRUST" = "yes" -o "$TRUST" = "YES" ]; then iptables -A INPUT -i $LANDEV -j ACCEPT else iptables -A INPUT -i $LANDEV -j inet-in fi iptables -A INPUT -i $INETDEV -j inet-in echo " Done!" #Set FORWARD rules echo -n "Setting rules for FORWARD chain..." if [ "$SHARE" = "yes" -o "$SHARE" = "YES" ]; then modprobe iptable_nat iptables -A FORWARD -s $LAN -j ACCEPT iptables -A FORWARD -d $LAN -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward #Activate masquerade echo -n "Activating masquerade..." iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE echo " Done!" fi echo " Done!" #Set OUTPUT rules echo -n "Setting rules for OUTPUT chain..." iptables -A OUTPUT -j inet-out echo " Done!" #Set inet-in rules echo -n "Setting rules for internet device incoming chain: " echo -n "Setting open ports for specified servers / Network Services .... "i if [ "$SAMBALAN" = "YES" -o "$SAMBALAN" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 138:139 -j ACCEPT fi if [ "$SAMBAWAN" = "YES" -o "$SAMBAWAN" = "yes" ]; then iptables -A inet-in -p tcp -i $INETDEV -o $INETDEV --dport 138:139 -j ACCEPT fi if [ "$SAMBA" = "YES" -o "$SAMBA" = "yes" ]; then iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT fi if [ "$FTP" = "YES" -o "$FTP" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 21 -j ACCEPT if [ "$FTPPUBLIC" = "YES" -o "$FTPPUBLIC" = "yes" ]; then iptables -A inet-in -p tcp --dport 21 -j ACCEPT fi fi if [ "$TELNET" = "YES" -o "$TELNET" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 23 -j ACCEPT if [ "$TELNETPUBLIC" = "YES" -o "$TELNETPUBLIC" = "yes" ]; then iptables -A inet-in -p tcp --dport 23 -j ACCEPT fi fi if [ "$SSH" = "YES" -o "$SSH" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 22 -j ACCEPT if [ "$SSHPUBLIC" = "YES" -o "$SSHPUBLIC" = "yes" ]; then iptables -A inet-in -p tcp --dport 22 -j ACCEPT fi fi if [ "$WEB" = "YES" -o "$WEB" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 80 -j ACCEPT if [ "$WEBPUBLIC" = "YES" -o "$WEBPUBLIC" = "yes" ]; then iptables -A inet-in -p tcp --dport 80 -j ACCEPT fi fi if [ "$MAIL" = "YES" -o "$MAIL" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 110 -j ACCEPT if [ "$MAILPUBLIC" = "YES" -o "$MAILPUBLIC" = "yes" ]; then iptables -A inet-in -p tcp --dport 110 -j ACCEPT fi fi if [ "$IDENT" = "YES" -o "$IDENT" = "yes" ]; then iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 113 -j ACCEPT if [ "$IDENTPUBLIC" = "YES" -o "$IDENTPUBLIC" = "yes" ]; then iptables -A inet-in -p tcp --dport 113 -j ACCEPT fi fi echo "Done!" echo -n "Adding trusted hosts.... " iptables -A inet-in -s $TRUSTEDHOST1 -j ACCEPT iptables -A inet-in -s $TRUSTEDHOST2 -j ACCEPT iptables -A inet-in -s $TRUSTEDHOST3 -j ACCEPT iptables -A inet-in -s $TRUSTEDHOST4 -j ACCEPT iptables -A inet-in -s $TRUSTEDHOST5 -j ACCEPT echo "Done!" echo -n "Denying all specified hosts.... " iptables -A inet-in -s $DENYHOST1 -j DROP iptables -A inet-in -s $DENYHOST2 -j DROP iptables -A inet-in -s $DENYHOST3 -j DROP iptables -A inet-in -s $DENYHOST4 -j DROP iptables -A inet-in -s $DENYHOST5 -j DROP echo "Done!" echo -n " Setup ping option on/off..." if [ "$PING" = "YES" -o "$PING" = "yes" ]; then iptables -A inet-in -p ICMP -j ACCEPT fi if [ "$LOGPINGS" = "YES" -o "$LOGPINGS" = "yes" ]; then iptables -A inet-in -p ICMP -j LOG fi echo "Done!" echo -n " Setup port blocking on vulnerable ports..." #Block NFS iptables -A inet-in -p tcp --dport 2049 -j LOG iptables -A inet-in -p udp --dport 2049 -j LOG iptables -A inet-in -p tcp --dport 2049 -j DROP iptables -A inet-in -p udp --dport 2049 -j DROP #Block postgres iptables -A inet-in -p tcp --dport postgres -j LOG iptables -A inet-in -p udp --dport postgres -j LOG iptables -A inet-in -p tcp --dport postgres -j DROP iptables -A inet-in -p udp --dport postgres -j DROP #Block X iptables -A inet-in -p tcp --dport 5999:6003 -j LOG iptables -A inet-in -p udp --dport 5999:6003 -j LOG iptables -A inet-in -p tcp --dport 5999:6003 -j DROP iptables -A inet-in -p udp --dport 5999:6003 -j DROP #Block XFS iptables -A inet-in -p tcp --dport 7100 -j LOG iptables -A inet-in -p udp --dport 7100 -j LOG iptables -A inet-in -p tcp --dport 7100 -j DROP iptables -A inet-in -p udp --dport 7100 -j DROP #Block Back Orifice iptables -A inet-in -p tcp --dport 31337 -j LOG iptables -A inet-in -p udp --dport 31337 -j LOG iptables -A inet-in -p tcp --dport 31337 -j DROP iptables -A inet-in -p udp --dport 31337 -j DROP #Block netbus iptables -A inet-in -p tcp --dport 12345:12346 -j LOG iptables -A inet-in -p udp --dport 12345:12346 -j LOG iptables -A inet-in -p tcp --dport 12345:12346 -j DROP iptables -A inet-in -p udp --dport 12345:12346 -j DROP echo " Done!" echo " Done!" echo -n " Setting connection tracking..." iptables -A INPUT -i $INETDEV -m state --state NEW,INVALID -j DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT echo " Done!" if [ "$TYPE" = "ipchains" -o "$TYPE" = "IPCHAINS" ]; then echo "MAJOR APOLOGIES - The ipchains version didnt make it into the first version, but it is the highest priority on my TODO list" echo "Check http://www.endoshield.sourceforge.net for the next release" fi
