ok, I installed it, just don't have it running on startup, using debian, but still have no clue how to do that. I got one error when I started it, and this is what I got.

eth1: error fetching interface information: Device not found

and then it gives me this.

Local Network Device: eth1
Local IP:
Local Network Address: 192.168.1.0/24
External Network Device: eth0

any ideas?

On Wed, 26 Dec 2001, Gregory Nowak wrote:

> Hi,
>
> This script is pretty self-explanatory.
> To change things, simply edit between quotes.
> For example, to make ssh available just to your lan, change
>
> SSH="no"
> to
> SSH="yes"
>
>
> If you want to make ssh available to everyone on the internet in addition to the above, change
>
>
> SSHPUBLIC="no"
> to
> SSHPUBLIC="yes"
>
>
> I have set your internet eth interface to eth0, and your lan device to eth1 since it sounds like that's what you want.
> I have also made ssh and ftp publicly accessible.
> To get an idea how to modify this script for your needs, compare what
> you got off the endoshield site to the edited version I'm attaching with the 3 above variables changed.
> I'm not sure what you mean by changing addresses (do you mean inputting the correct address for your internal lan, or allowing/denying certain hosts).
>
> Sorry I can't tell you how to remove the old firewall from your scripts, and add the new one to your scripts, since I don't know what distro you have, and where your current firewall starts (that could happen in a couple different scripts). Hth.
> Greg
>
>
> On Wed, Dec 26, 2001 at 02:35:47PM -0500, Deedra Waters wrote:
> > Ok, Greg told me about this one a little while ago, then I lost the email,
> > so couldn't reply to it....
> > I need to know how to change certain options in the configuration in this
> > script.
> > example, I need to know how to change it to eth0, along with the fact that
> > I am running ssh, and an ftp server.
> > I need to know how to tell it that,
> > and also how to make it available to people who are not on my network. I
> > also need to know how to give it the right addresses that it asks for, or
> > rather how to change them.
> > Last thing..... I need to figure out how to remove my current firewall
> > from the startup and add this one.
> > sorry for so much trouble....
> >
> >
> > #
> > #**ENDOSHIELD 1.2**
> > #Written by Endo (Dave Cheeseman) cheeseman at users.sourceforge.net
> > #EndoShield Site - http://www.sourceforge.net/projects/endoshield
> >
> > #******************************************************************************************************************************
> > #Configuration Part of the script - If you are unsure of any of these points, leave them as the default setting, changing these
> > #options can seriously affect the security of your firewall.
> >
> > #Do you want to run an ipchains firewall or iptables?
> > #If you are unsure about this, you need to find out what kernel you are running.
> > #See the readme file for more information.
> > TYPE="iptables"
> >
> > # Change INETDEV to the network device connected to the Internet (ppp0/eth0)
> > # This is ppp0 by default for dial-up connections. Most cable modem users
> > # will probably want eth0 or possibly eth1. When in doubt look at the command
> > # 'ifconfig'.
> > INETDEV="ppp0"
> >
> > # Change LAN to the correct network address and network mask for your LAN
> > # this can be found by using ifconfig from one of the clients
> > LAN="192.168.1.0/24"
> >
> > # Change LANDEV to the network device connected to your LAN
> > LANDEV="eth0"
> >
> > # There should be no need to change this
> > LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
> >
> > #Do you want other machines on the internet to be able to PING your machine?
> > #(If unsure, leave as no)
> > PING="no"
> >
> > #If you selected no as the previous option, do you want the machine to log
> > #the dropped pings?
> > LOGPINGS="no"
> >
> > #If you trust all data coming from your local network, put yes.
> > TRUST="yes"
> >
> > #If you want to share this machine's internet connection, put yes
> > #(This will provide Masquerading services for your LAN)
> > #Otherwise, put no
> > SHARE="yes"
> >
> > #Is this machine connected to a Samba Network?
> > #If yes, over a LAN?
> > SAMBALAN="no"
> > #Or over a WAN?
> > SAMBAWAN="no"
> > #Or over both?
> > SAMBA="no"
> >
> > #If you are running any servers on your machine, you need to specify them below,
> > #you also need to specify whether these servers/ports should be open to just your local
> > #network, or the whole world. If you answer yes to PORTNAMEPUBLIC, then the specified port
> > #will be open to the whole internet, if this is left to the default, which is no, but you
> > #have specified that you are running a server on the port, the port will only be available to
> > #your local lan.
> >
> > #Do you run a FTP server?
> > FTP="no"
> > FTPPUBLIC="no"
> >
> > #Do you run a SSH server?
> > SSH="yes"
> > SSHPUBLIC="yes"
> >
> > #Do you run a telnet server?
> > TELNET="no"
> > TELNETPUBLIC="no"
> >
> > #Do you run a Web server?
> > WEB="no"
> > WEBPUBLIC="no"
> >
> > #Do you run a mail server?
> > MAIL="no"
> > MAILPUBLIC="no"
> >
> > #Do you run identd?
> > IDENT="no"
> > IDENTPUBLIC="no"
> >
> > #If you want to add any trusted hosts, that is, machines on the internet or on your local network
> > #which you want to fully trust (Allow all data from these machines to pass through the firewall), then
> > #list these machines below.
> > TRUSTEDHOST1="131.211.28.48"
> > TRUSTEDHOST2="195.92.249.253"
> > TRUSTEDHOST3="194.159.164.195"
> > TRUSTEDHOST4="129.27.3.9"
> > TRUSTEDHOST5="1.1.1.1"
> >
> > #If you want to block any hosts from accessing your machine, please list them below, these machines
> > #will not be able to access your machine at all, even your public access servers.
> > DENYHOST1="1.1.1.1"
> > DENYHOST2="1.1.1.1"
> > DENYHOST3="1.1.1.1"
> > DENYHOST4="1.1.1.1"
> > DENYHOST5="1.1.1.1"
> >
> > #End of Configuration.
> > #************************************************************************************************************
> >
> > echo "---------------------------------------------------------"
> > echo "Local Network Device: $LANDEV"
> > echo "Local IP: $LOCALIP"
> > echo "Local Network Address: $LAN"
> > echo "External Network Device: $INETDEV"
> > echo "---------------------------------------------------------"
> > echo ""
> >
> > #Set default chain policy
> > echo -n "Setting default chain policies..."
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT ACCEPT
> > echo " Done!"
> >
> > #Flush all chains
> > echo -n "Flushing chains..."
> > iptables -F
> > iptables -X
> > iptables -t nat -F PREROUTING
> > iptables -t nat -F POSTROUTING
> > echo " Done!"
> >
> > #Add custom chains
> > echo -n "Adding custom chains..."
> > iptables -N inet-in
> > iptables -N inet-out
> > echo " Done!"
> >
> > #Set INPUT rules
> > echo -n "Setting rules for INPUT chain..."
> > iptables -A INPUT -i lo -j ACCEPT
> > if [ "$TRUST" = "yes" -o "$TRUST" = "YES" ]; then
> >     iptables -A INPUT -i $LANDEV -j ACCEPT
> > else
> >     iptables -A INPUT -i $LANDEV -j inet-in
> > fi
> > iptables -A INPUT -i $INETDEV -j inet-in
> > echo " Done!"
> >
> > #Set FORWARD rules
> > echo -n "Setting rules for FORWARD chain..."
> > if [ "$SHARE" = "yes" -o "$SHARE" = "YES" ]; then
> >     modprobe iptable_nat
> >     iptables -A FORWARD -s $LAN -j ACCEPT
> >     iptables -A FORWARD -d $LAN -j ACCEPT
> >     echo 1 > /proc/sys/net/ipv4/ip_forward
> >     #Activate masquerade
> >     echo -n "Activating masquerade..."
> >     iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE
> >     echo " Done!"
> > fi
> > echo " Done!"
> >
> > #Set OUTPUT rules
> > echo -n "Setting rules for OUTPUT chain..."
> > iptables -A OUTPUT -j inet-out
> > echo " Done!"
> >
> > #Set inet-in rules
> > echo -n "Setting rules for internet device incoming chain: "
> > echo -n "Setting open ports for specified servers / Network Services .... "
> > #inet-in is entered from INPUT, where a packet has no output device yet, so an
> > #-o match in this chain can never succeed; the LAN-only rules match on -i alone.
> > if [ "$SAMBALAN" = "YES" -o "$SAMBALAN" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 138:139 -j ACCEPT
> > fi
> > if [ "$SAMBAWAN" = "YES" -o "$SAMBAWAN" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $INETDEV --dport 138:139 -j ACCEPT
> > fi
> > if [ "$SAMBA" = "YES" -o "$SAMBA" = "yes" ]; then
> >     iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT
> > fi
> > if [ "$FTP" = "YES" -o "$FTP" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 21 -j ACCEPT
> >     if [ "$FTPPUBLIC" = "YES" -o "$FTPPUBLIC" = "yes" ]; then
> >         iptables -A inet-in -p tcp --dport 21 -j ACCEPT
> >     fi
> > fi
> > if [ "$TELNET" = "YES" -o "$TELNET" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 23 -j ACCEPT
> >     if [ "$TELNETPUBLIC" = "YES" -o "$TELNETPUBLIC" = "yes" ]; then
> >         iptables -A inet-in -p tcp --dport 23 -j ACCEPT
> >     fi
> > fi
> > if [ "$SSH" = "YES" -o "$SSH" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 22 -j ACCEPT
> >     if [ "$SSHPUBLIC" = "YES" -o "$SSHPUBLIC" = "yes" ]; then
> >         iptables -A inet-in -p tcp --dport 22 -j ACCEPT
> >     fi
> > fi
> > if [ "$WEB" = "YES" -o "$WEB" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 80 -j ACCEPT
> >     if [ "$WEBPUBLIC" = "YES" -o "$WEBPUBLIC" = "yes" ]; then
> >         iptables -A inet-in -p tcp --dport 80 -j ACCEPT
> >     fi
> > fi
> > if [ "$MAIL" = "YES" -o "$MAIL" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 110 -j ACCEPT
> >     if [ "$MAILPUBLIC" = "YES" -o "$MAILPUBLIC" = "yes" ]; then
> >         iptables -A inet-in -p tcp --dport 110 -j ACCEPT
> >     fi
> > fi
> > if [ "$IDENT" = "YES" -o "$IDENT" = "yes" ]; then
> >     iptables -A inet-in -p tcp -i $LANDEV --dport 113 -j ACCEPT
> >     if [ "$IDENTPUBLIC" = "YES" -o "$IDENTPUBLIC" = "yes" ]; then
> >         iptables -A inet-in -p tcp --dport 113 -j ACCEPT
> >     fi
> > fi
> > echo "Done!"
> >
> > echo -n "Adding trusted hosts.... "
> > iptables -A inet-in -s $TRUSTEDHOST1 -j ACCEPT
> > iptables -A inet-in -s $TRUSTEDHOST2 -j ACCEPT
> > iptables -A inet-in -s $TRUSTEDHOST3 -j ACCEPT
> > iptables -A inet-in -s $TRUSTEDHOST4 -j ACCEPT
> > iptables -A inet-in -s $TRUSTEDHOST5 -j ACCEPT
> > echo "Done!"
> >
> > echo -n "Denying all specified hosts.... "
> > iptables -A inet-in -s $DENYHOST1 -j DROP
> > iptables -A inet-in -s $DENYHOST2 -j DROP
> > iptables -A inet-in -s $DENYHOST3 -j DROP
> > iptables -A inet-in -s $DENYHOST4 -j DROP
> > iptables -A inet-in -s $DENYHOST5 -j DROP
> > echo "Done!"
> >
> > echo -n " Setup ping option on/off..."
> > if [ "$PING" = "YES" -o "$PING" = "yes" ]; then
> >     iptables -A inet-in -p icmp -j ACCEPT
> > fi
> > if [ "$LOGPINGS" = "YES" -o "$LOGPINGS" = "yes" ]; then
> >     iptables -A inet-in -p icmp -j LOG
> > fi
> > echo "Done!"
> >
> > echo -n " Setup port blocking on vulnerable ports..."
> > #Block NFS
> > iptables -A inet-in -p tcp --dport 2049 -j LOG
> > iptables -A inet-in -p udp --dport 2049 -j LOG
> > iptables -A inet-in -p tcp --dport 2049 -j DROP
> > iptables -A inet-in -p udp --dport 2049 -j DROP
> > #Block postgres
> > iptables -A inet-in -p tcp --dport postgres -j LOG
> > iptables -A inet-in -p udp --dport postgres -j LOG
> > iptables -A inet-in -p tcp --dport postgres -j DROP
> > iptables -A inet-in -p udp --dport postgres -j DROP
> > #Block X
> > iptables -A inet-in -p tcp --dport 5999:6003 -j LOG
> > iptables -A inet-in -p udp --dport 5999:6003 -j LOG
> > iptables -A inet-in -p tcp --dport 5999:6003 -j DROP
> > iptables -A inet-in -p udp --dport 5999:6003 -j DROP
> > #Block XFS
> > iptables -A inet-in -p tcp --dport 7100 -j LOG
> > iptables -A inet-in -p udp --dport 7100 -j LOG
> > iptables -A inet-in -p tcp --dport 7100 -j DROP
> > iptables -A inet-in -p udp --dport 7100 -j DROP
> > #Block Back Orifice
> > iptables -A inet-in -p tcp --dport 31337 -j LOG
> > iptables -A inet-in -p udp --dport 31337 -j LOG
> > iptables -A inet-in -p tcp --dport 31337 -j DROP
> > iptables -A inet-in -p udp --dport 31337 -j DROP
> > #Block netbus
> > iptables -A inet-in -p tcp --dport 12345:12346 -j LOG
> > iptables -A inet-in -p udp --dport 12345:12346 -j LOG
> > iptables -A inet-in -p tcp --dport 12345:12346 -j DROP
> > iptables -A inet-in -p udp --dport 12345:12346 -j DROP
> > echo " Done!"
> > echo " Done!"
> > echo -n " Setting connection tracking..."
> > iptables -A INPUT -i $INETDEV -m state --state NEW,INVALID -j DROP
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > echo " Done!"
> >
> > if [ "$TYPE" = "ipchains" -o "$TYPE" = "IPCHAINS" ]; then
> >     echo "MAJOR APOLOGIES - The ipchains version didn't make it into the first version, but it is the highest priority on my TODO list"
> >     echo "Check http://www.endoshield.sourceforge.net for the next release"
> > fi
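The "eth1: error fetching interface information: Device not found" message comes from the LOCALIP line in the script (ifconfig on a LANDEV that does not exist); EndoShield prints it and carries on loading rules against a device that is not there. The more dangerous case is the reverse one: with TRUST="yes" the script appends "iptables -A INPUT -i $LANDEV -j ACCEPT", so if LANDEV is set to the same device as INETDEV, everything arriving from the Internet is accepted before inet-in is ever consulted. The pre-flight check below is an added example written for this page; it is not part of EndoShield or of either mail. It assumes a Linux box with sysfs (/sys/class/net) and a POSIX sh, and the function names are my own:

```shell
#!/bin/sh
# Added example (not EndoShield code): check INETDEV/LANDEV before the
# firewall script is run. Assumes Linux with /sys/class/net and POSIX sh.

# Interfaces present on this host, one name per line.
list_ifaces() {
    ls /sys/class/net 2>/dev/null
}

# iface_exists NAME LIST: succeed if NAME is in the newline-separated LIST.
iface_exists() {
    _want=$1
    _have=$2
    for _i in $_have; do
        [ "$_i" = "$_want" ] && return 0
    done
    return 1
}

# check_config INETDEV LANDEV LIST: print every problem found and succeed
# only when both devices exist and are different devices.
#   - a missing device reproduces the ifconfig error seen above, and leaves
#     the script with an inert LAN rule (iptables accepts any name for -i);
#   - INETDEV == LANDEV plus TRUST="yes" means
#         iptables -A INPUT -i $LANDEV -j ACCEPT
#     accepts every packet from the Internet side.
check_config() {
    _inet=$1
    _lan=$2
    _list=$3
    _rc=0
    if ! iface_exists "$_inet" "$_list"; then
        echo "INETDEV=$_inet: device not found" >&2
        _rc=1
    fi
    if ! iface_exists "$_lan" "$_list"; then
        echo "LANDEV=$_lan: device not found" >&2
        _rc=1
    fi
    if [ "$_inet" = "$_lan" ]; then
        echo "INETDEV and LANDEV are both $_inet: TRUST=yes would open INPUT to the Internet" >&2
        _rc=1
    fi
    return $_rc
}

# Usage: sh check-ifaces.sh INETDEV LANDEV   (for example: sh check-ifaces.sh eth0 eth1)
# A zero exit status means it is safe to go on and run the firewall script.
if [ $# -eq 2 ]; then
    check_config "$1" "$2" "$(list_ifaces)"
fi
```

Run it with the two device names you put in the script before starting the firewall (or from the same startup hook, stopping on a non-zero exit). On a box with only eth0, "sh check-ifaces.sh eth0 eth1" reports the missing LAN device, and "sh check-ifaces.sh eth0 eth0" reports the trust problem instead of silently producing an open INPUT chain.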