Friday, December 30, 2005

Firewall script for Linux

Hi, I managed to answer my own questions and have posted the results below in case anyone else is interested.

1) Kde/gnome locking up at their start-up screens.
Searching around, it appears that X needs access to port 9000 to work correctly. I guess this must be a throwback to its client-server origins. I could have opened port 9000 explicitly but in the end just gave localhost 127.0.0.1 full access. All now works as it should. I have posted the updated script at the end of this message in case anyone is interested.

2) How to configure the script for standard system startup.
I found a very useful article from PCPlus.co.uk at:
http://davidcoulson.net/writing/pcp/167/masterclass-linuxhelp.pdf

On Red Hat systems the scripts which start or stop the various services are located in /etc/rc.d/init.d/. On other systems they may be in /etc/init.d/. These scripts are fairly straightforward and take simple ‘start, stop, restart, status’ arguments. If you take a simple example, such as the one that launches atd, you could adapt it to load or kill whichever service you’re interested in. To make the service run at start-up you need to set it up to start when the machine enters the default runlevel (usually 5 if you have a graphical login under Red Hat). If you look in /etc/rc.d/rc5.d/ you’ll notice a lot of files with names like S10atd, which is symlinked to ../init.d/atd. Rather than duplicating the whole script or putting a command in an rc script, the init process looks in /etc/rc.d/rc5.d for everything beginning with a K, in numerical order, and runs ‘filename stop’. If you had K10atd and K40crond, it would stop atd first, then crond. It then looks for everything beginning with an S and runs ‘filename start’.
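To show the K/S ordering described above in action, here is an added example (not from the original post or the PCPlus article) that builds a throw-away init.d/rc5.d layout with stub scripts and walks it the way init does. The service names and S/K numbers are constructed; the only real point is that a firewall script given a low S number (S05 here) gets its DROP policy in place before network daemons further down the list are started.

```shell
#!/bin/sh
# Constructed sample runlevel directory: stub init scripts that only report
# which service received which argument. Nothing real is started or stopped.
make_sample_runlevel() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc5.d"
    for svc in atd crond block_internet_access sshd; do
        # Each stub prints "<service> <argument>" and exits 0
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$root/init.d/$svc"
        chmod +x "$root/init.d/$svc"
    done
    # Symlinks exactly like /etc/rc.d/rc5.d/S10atd -> ../init.d/atd
    ln -s ../init.d/atd   "$root/rc5.d/K10atd"
    ln -s ../init.d/crond "$root/rc5.d/K40crond"
    # Firewall gets a low S number so rules exist before listeners come up
    ln -s ../init.d/block_internet_access "$root/rc5.d/S05block_internet_access"
    ln -s ../init.d/sshd  "$root/rc5.d/S55sshd"
    ln -s ../init.d/crond "$root/rc5.d/S90crond"
    echo "$root"
}

# Walk an rcN.d directory as init does: every K* link in numerical order is
# run with "stop", then every S* link with "start". Shell globs sort
# lexically, which for two-digit prefixes is the same as numeric order.
run_runlevel() {
    rcdir=$1
    for link in "$rcdir"/K*; do
        [ -e "$link" ] && "$link" stop
    done
    for link in "$rcdir"/S*; do
        [ -e "$link" ] && "$link" start
    done
    return 0
}
```

Run it with `rl=$(make_sample_runlevel); run_runlevel "$rl/rc5.d"` and the output lists the stop calls for the K links before any start call, with the firewall stub started ahead of sshd.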

****
iptables script:
#!/bin/bash

# block_internet_access script
# Control internet access using IPTABLES rules
# Takes the usual init-style arguments: start, stop, restart

apply_rules() {
    # Apply firewall restrictions
    # First set up so default policy is set to DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Now flush out any existing rules and non-default chains
    iptables -F
    iptables -X
    # Now allow full access to local LAN only
    iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
    # Allow full access for localhost; need access
    # to at least port 9000 for X windows to be able
    # to function
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
}

remove_rules() {
    # Remove all rules and allow full access; the
    # firewall is in effect disabled. This is safe
    # when behind a hardware firewall interface
    # to the internet

    # Flush out any existing rules and non-default chains
    iptables -F
    iptables -X
    # Set up default policy to ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
}

case "$1" in
    start)
        apply_rules
        ;;
    stop)
        remove_rules
        ;;
    restart)
        # Same as start: the existing rules are flushed and re-applied
        apply_rules
        ;;
    *)
        echo 'Only start, stop and restart arguments with this script'
        exit 1
        ;;
esac
exit 0