aovfirewall - Angel Ortega's firewall script
aovfirewall [-n] [start|stop|try|restart]
This is the firewall script I use on all the servers I maintain. It is designed to be as simple as possible. In its default configuration it drops all incoming connections except ssh (with a maximum of 5 new connections per minute), allows all outgoing connections, filters many kinds of malformed packets, rate-limits icmp pings and logs everything it rejects (taking care not to flood the log files).
If the /etc/network/if-up.d and /etc/network/if-down.d directories exist (as on Debian systems), the script is also installed there, so there is no need to edit /etc/network/interfaces.
The /etc/aovfirewall.conf file is read if it exists and can be used to set any of the following shell variables:
| ALLOW_TCP | A blank separated list of TCP services, ports or port ranges (low:high) to which incoming connections will be allowed (default: ssh). |
| ALLOW_UDP | The same for UDP services (default: domain). |
| LIMIT_5MIN | A blank separated list of TCP services to be filtered to allow a maximum of 5 new connections per minute (default: ssh). |
| FORWARDING | If forwarding is wanted (default: no, values: 0/1). |
| NAT | If NAT is wanted (default: no, values: 0/1). |
| DHCP | If DHCP packets are allowed. If set, all DHCP packets are logged (default: no, values: 0/1). |
| ALLOW_NET | A blank separated list of networks that will be blindly accepted (default: none). |
| IFACE | The network interface (default: eth0). |
| LOG_CHAIN | The iptables target used for logging. The only useful values are LOG (the default) or ULOG. In the latter case you need the ulogd daemon installed to receive anything useful (this option is worth a look, as it keeps all firewall logs separate without the need to tweak /etc/syslog.conf). |
| REDIRECT_TCP | A blank separated list of port=ip pairs that will be used as DNAT redirections (default: none). |
| REDIRECT_UDP | The same for UDP services (default: none). |
Copy and paste these examples to /etc/aovfirewall.conf.
For a desktop computer directly connected to the Internet, with a static IP and only ssh remotely accessible (these are the defaults, so there is no real need to create the configuration file):

    ALLOW_TCP="ssh"
    ALLOW_UDP="domain"
    LIMIT_5MIN="ssh"
    FORWARDING=0
    NAT=0
    DHCP=0
    ALLOW_NET=""
For a desktop computer directly connected to the Internet on a wireless connection, with an IP address dynamically assigned by a DHCP server (such as the ones in ADSL routers), that has an smtp server and makes occasional BitTorrent connections:

    ALLOW_TCP="ssh smtp 6881:6889"
    ALLOW_UDP="domain"
    LIMIT_5MIN="ssh"
    FORWARDING=0
    NAT=0
    DHCP=1
    ALLOW_NET=""
    IFACE=wifi0
For a home Linux firewall/router on the 192.168.1.* network that does NAT, has web and smtp servers and a DHIS client (which uses UDP), serves DHCP leases (with dnsmasq(8) or similar), serves other network services (such as printing) to the internal network, and redirects BitTorrent and eMule connections to an internal machine:

    ALLOW_TCP="ssh www smtp"
    ALLOW_UDP="domain 58800"
    LIMIT_5MIN="ssh"
    FORWARDING=1
    NAT=1
    DHCP=1
    ALLOW_NET="192.168.1.0/24"
    REDIRECT_TCP="6881:6889=192.168.1.48 4662=192.168.1.48"
For a server on the Internet that runs all kinds of daemons and has the ulogd daemon installed:

    ALLOW_TCP="ssh www https domain smtp imap2 ftp ftp-data"
    ALLOW_UDP="domain"
    LIMIT_5MIN="ssh smtp"
    FORWARDING=0
    NAT=0
    DHCP=0
    ALLOW_NET=""
    LOG_CHAIN="ULOG"
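The following dry-run generator is an added illustration of how the variables in the table above turn into iptables rules; it is not aovfirewall's own code, and the exact rule shapes (conntrack, -m limit for LIMIT_5MIN, MASQUERADE for NAT, a rate-limited "aovlog" chain for logging) are assumptions about one plausible implementation. It only prints the commands, so a configuration file such as the examples above can be reviewed before running "aovfirewall start". The function and chain names (aov_gen_rules, aovlog) are hypothetical.

```shell
#!/bin/sh
# Dry-run rule generator for an aovfirewall.conf (added example, not the
# project's script).  Prints the iptables commands one plausible
# implementation would run; nothing is applied.  Run as:
#     sh aovgen.sh /etc/aovfirewall.conf

aov_load_conf() {
    # Defaults as documented in the man page; a readable conf file overrides
    # them.  The file is sourced as shell, so it must be root-owned.
    ALLOW_TCP="ssh"; ALLOW_UDP="domain"; LIMIT_5MIN="ssh"
    FORWARDING=0; NAT=0; DHCP=0; ALLOW_NET=""; IFACE="eth0"
    LOG_CHAIN="LOG"; REDIRECT_TCP=""; REDIRECT_UDP=""
    if [ -n "$1" ] && [ -r "$1" ]; then . "$1"; fi
}

# Accept only service names, port numbers and low:high ranges, so that a
# stray token in the conf file cannot become an unexpected iptables flag.
aov_valid_port() {
    case "$1" in ""|-*|*[!A-Za-z0-9:_.-]*) return 1 ;; esac
    return 0
}

# Is $1 listed in the blank separated list $2?
aov_in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# One allowed TCP service: plain ACCEPT, or, when it is named in LIMIT_5MIN,
# at most 5 new connections per minute with the excess logged and dropped.
aov_emit_tcp() {
    if aov_in_list "$1" "$LIMIT_5MIN"; then
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $1 --syn -m limit --limit 5/minute --limit-burst 5 -j ACCEPT"
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $1 --syn -j aovlog"
    else
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $1 --syn -j ACCEPT"
    fi
}

aov_gen_rules() {
    aov_load_conf "$1"
    # LOG and ULOG take different prefix options; all logging goes through
    # one rate-limited chain so a flood cannot fill the log files.
    pfx=--log-prefix; [ "$LOG_CHAIN" = ULOG ] && pfx=--ulog-prefix
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N aovlog
iptables -A aovlog -m limit --limit 10/minute -j $LOG_CHAIN $pfx "aovfirewall: "
iptables -A aovlog -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j aovlog
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
EOF
    for net in $ALLOW_NET; do
        # "Blindly accepted": any source claiming this prefix, on any interface.
        echo "iptables -A INPUT -s $net -j ACCEPT"
    done
    for svc in $ALLOW_TCP; do
        aov_valid_port "$svc" || { echo "ALLOW_TCP: bad entry '$svc'" >&2; return 1; }
        aov_emit_tcp "$svc"
    done
    for svc in $ALLOW_UDP; do
        aov_valid_port "$svc" || { echo "ALLOW_UDP: bad entry '$svc'" >&2; return 1; }
        echo "iptables -A INPUT -i $IFACE -p udp --dport $svc -j ACCEPT"
    done
    for svc in $LIMIT_5MIN; do
        # A limit on a service that is not allowed anyway has no effect.
        aov_in_list "$svc" "$ALLOW_TCP" || echo "LIMIT_5MIN: '$svc' is not in ALLOW_TCP, ignored" >&2
    done
    if [ "$DHCP" = 1 ]; then
        echo "iptables -A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j $LOG_CHAIN $pfx \"aov-dhcp: \""
        echo "iptables -A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT"
    fi
    if [ "$FORWARDING" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
        echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        for net in $ALLOW_NET; do echo "iptables -A FORWARD -s $net -j ACCEPT"; done
    fi
    [ "$NAT" = 1 ] && echo "iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE"
    for proto in tcp udp; do
        if [ $proto = tcp ]; then list=$REDIRECT_TCP; else list=$REDIRECT_UDP; fi
        for pair in $list; do
            port=${pair%%=*}; ip=${pair#*=}
            aov_valid_port "$port" || { echo "REDIRECT: bad port '$port'" >&2; return 1; }
            # DNAT only rewrites the destination; the packet still has to pass FORWARD.
            [ "$FORWARDING" = 1 ] || echo "REDIRECT: $pair needs FORWARDING=1 to reach $ip" >&2
            echo "iptables -t nat -A PREROUTING -i $IFACE -p $proto --dport $port -j DNAT --to-destination $ip"
            echo "iptables -A FORWARD -i $IFACE -p $proto -d $ip --dport $port -j ACCEPT"
        done
    done
    echo "iptables -A INPUT -j aovlog"
}
```

Two points worth checking in any such script, which the generator makes visible: the rate-limited rule for a LIMIT_5MIN service must come before (or replace) the plain accept for the same port, otherwise the limit never matches; and a REDIRECT_TCP entry is useless without FORWARDING=1, because DNAT only rewrites the destination and the packet is then subject to the FORWARD chain.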
aovfirewall has been written by Angel Ortega <angel@triptico.com>.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.