Kubuntu 6.06 Dapper laptop, used at home and at various cafés.
My primary goal is to simply secure my laptop while connected at home and at several places I frequently haunt which have wireless internet. I don't want a barmate trying to attack me.
I know the open TCP/UDP range is insecure, but I'm running some tests with various services on those ports. I'll close them as soon as the testing is complete.
Also, I'm going to restrict outgoing traffic as well, but I'd like input on the script so far.
Any comments would be appreciated!
Nick
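#!/bin/sh
#
# copyright (c) the KMyFirewall developers 2002-2005
# mail to: Christian Hubinger
#
# KMyFirewall v1.0
# This is an automatic generated file DO NOT EDIT
#
# Host firewall for a single (laptop) machine.  INPUT and FORWARD drop
# everything that is not explicitly accepted; OUTPUT is open.  Incoming
# traffic is accepted only if it is loopback, a DHCP reply, part of a flow
# this host started, or matched by one of the custom chains that
# startFirewall creates.
#
# Globals read by the functions below (assigned at the end of the file):
#   IPT      path to iptables            MOD     path to modprobe
#   verbose  "1" prints progress          status  "1" once a step has failed
# Optional environment overrides (the defaults keep the generated values):
#   TRUSTED_LAN  source network accepted outright by LOCAL_LANS (192.168.1.0/24)
#   TEST_PORTS   TCP/UDP port range opened to every source for testing (8000:10000)

# Print a progress message only in verbose mode.  "$@" goes straight to
# echo, so "-n" suppresses the newline exactly as the inline checks did.
fw_say() {
  if [ "$verbose" = "1" ]; then
    echo "$@"
  fi
}

# Create one user chain in the filter table.  $1 - chain name.
# A failure records status and exits, as the generated code did.
fw_chain() {
  "$IPT" -t filter -N "$1" || {
    status="1"
    echo "Setting up Chain: $1 FAILED !!!"
    exit 1
  }
}

# Run one iptables command in the filter table.  $1 - rule name used in the
# failure message; the remaining arguments are passed to iptables unchanged.
fw_rule() {
  fw_rule_name=$1
  shift
  "$IPT" -t filter "$@" || {
    status="1"
    echo " Setting up Rule: $fw_rule_name FAILED! "
    exit 1
  }
}

# Write value $2 into sysctl file $1.  Not fatal, matching the original
# behaviour where a failed redirection only printed an error.
fw_sysctl() {
  echo "$2" > "$1" || echo "Could not set $1" >&2
}

#######################################
# Load the netfilter modules, build the filter table and harden the IPv4
# sysctls.
# Globals:   IPT, MOD, verbose (read); status (written on failure)
# Outputs:   progress on stdout
# Returns:   0; exits 1 as soon as a chain or rule cannot be installed
#######################################
startFirewall() {
  trusted_lan=${TRUSTED_LAN:-192.168.1.0/24}
  test_ports=${TEST_PORTS:-8000:10000}

  echo -n "Starting iptables (created by KMyFirewall)... "

  fw_say -n " Loading needed modules... "
  # Module load failures are not checked (as in the generated script); a
  # missing module shows up as the first iptables rule that fails.
  for m in ip_tables ip_conntrack ipt_LOG ipt_limit ipt_state \
    ip_conntrack_ftp ip_conntrack_irc iptable_filter; do
    "$MOD" "$m"
  done
  fw_say "Done."

  # Custom chains
  fw_say -n "Create custom chains... "
  for c in ANTISPOOF ICMP_FILTER SERVICES TCP_CHECKS LOCAL_LANS; do
    fw_chain "$c"
  done
  fw_say " Done."

  fw_say "Setup Rules in Table FILTER:"

  # INPUT: what this host accepts from the network.
  fw_say "Create Rules for Chain: INPUT"
  fw_rule LOOPBACK -A INPUT --in-interface lo -j ACCEPT
  fw_rule CONNTRACK -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
  # Packets conntrack cannot place in any flow (stray ACKs, out-of-window
  # segments, ...) are dropped before any chain gets a chance to accept them.
  fw_rule INVALID -A INPUT --match state --state INVALID -j DROP
  # DHCP runs over UDP (server port bootps/67 -> client port bootpc/68); the
  # generated rule used "-p tcp", which cannot match DHCP traffic.
  fw_rule DHCP -A INPUT -p udp --source-port bootps --destination-port bootpc -j ACCEPT
  # The sanity chains run before the trusted-network shortcut so a spoofed
  # or malformed packet cannot be accepted merely because of its source
  # address (the generated order consulted LOCAL_LANS first).
  fw_rule FWD_ANTISPOOF -A INPUT -j ANTISPOOF
  fw_rule FWD_TCP_CHECKS -A INPUT -j TCP_CHECKS
  fw_rule FWD_LOCAL_LANS -A INPUT -j LOCAL_LANS
  fw_rule FWD_ICMP_FILTER -A INPUT -j ICMP_FILTER
  fw_rule FWD_SERVICES -A INPUT -j SERVICES
  fw_rule "Chain: INPUT Default Target" -P INPUT DROP

  # OUTPUT: currently unrestricted.
  fw_say "Create Rules for Chain: OUTPUT"
  fw_rule "Chain: OUTPUT Default Target" -P OUTPUT ACCEPT

  # FORWARD: this host does not route (ip_forward is also switched off below).
  fw_say "Create Rules for Chain: FORWARD"
  fw_rule "Chain: FORWARD Default Target" -P FORWARD DROP

  # ANTISPOOF: loopback addresses may only arrive on lo.  Only 127/8 is
  # covered; rp_filter (set below) is what rejects other impossible sources.
  # "--in-interface ! lo" is the old intrapositioned negation; newer iptables
  # releases expect "! --in-interface lo" and warn about this form.
  fw_say "Create Rules for Chain: ANTISPOOF"
  fw_rule Loopback_Spoof -A ANTISPOOF --in-interface ! lo --source 127.0.0.1/8 -j DROP

  # ICMP_FILTER: echo-request is answered for any source, which makes the
  # laptop visible to a ping sweep on a shared network; change the target to
  # LOCAL_LANS or DROP if that matters.  Replies to this host's own pings are
  # normally already accepted as ESTABLISHED by the CONNTRACK rule.
  fw_say "Create Rules for Chain: ICMP_FILTER"
  fw_rule ECHO_REQUEST -A ICMP_FILTER -p icmp --icmp-type echo-request -j ACCEPT
  fw_rule ECHO_REPLY -A ICMP_FILTER -p icmp --icmp-type echo-reply -j LOCAL_LANS
  fw_rule HOST_UNREACHABLE -A ICMP_FILTER -p icmp --icmp-type host-unreachable -j ACCEPT
  fw_rule NET_UNREACHABLE -A ICMP_FILTER -p icmp --icmp-type network-unreachable -j ACCEPT

  # SERVICES: ports this host offers.  The test range is reachable from ANY
  # source (including other clients of a public hotspot) and is meant to be
  # removed once testing is over; everything else is restricted by LOCAL_LANS.
  fw_say "Create Rules for Chain: SERVICES"
  fw_rule Custom_TCP_Ports -A SERVICES -p tcp --source-port 1024:65535 \
    --destination-port "$test_ports" -j ACCEPT
  fw_rule Custom_UDP_Ports -A SERVICES -p udp --source-port 1024:65535 \
    --destination-port "$test_ports" -j ACCEPT
  fw_rule SMB -A SERVICES -p tcp --destination-port 137:139 -j LOCAL_LANS
  fw_rule SSMB -A SERVICES -p tcp --destination-port 445 -j LOCAL_LANS
  fw_rule SSH -A SERVICES -p tcp --source-port 1024:65535 --destination-port ssh -j LOCAL_LANS
  fw_rule FTP -A SERVICES -p tcp --source-port 1024:65535 --destination-port 20:21 -j LOCAL_LANS
  fw_rule HTTP -A SERVICES -p tcp --source-port 1024:65535 --destination-port www -j LOCAL_LANS
  fw_rule HTTPS -A SERVICES -p tcp --source-port 1024:65535 --destination-port https -j LOCAL_LANS

  # TCP_CHECKS: drop flag combinations that no legitimate TCP stack sends
  # (NULL, XMAS and similar scan probes).
  fw_say "Create Rules for Chain: TCP_CHECKS"
  fw_rule TCP_FLAGS_1 -A TCP_CHECKS -p tcp --tcp-flags ALL NONE -j DROP
  fw_rule TCP_FLAGS_2 -A TCP_CHECKS -p tcp --tcp-flags FIN,ACK FIN -j DROP
  fw_rule TCP_FLAGS_3 -A TCP_CHECKS -p tcp --tcp-flags ACK,PSH PSH -j DROP
  fw_rule TCP_FLAGS_4 -A TCP_CHECKS -p tcp --tcp-flags ACK,URG URG -j DROP
  fw_rule TCP_FLAGS_5 -A TCP_CHECKS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  fw_rule TCP_FLAGS_6 -A TCP_CHECKS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  fw_rule TCP_FLAGS_7 -A TCP_CHECKS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  fw_rule TCP_FLAGS_8 -A TCP_CHECKS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

  # LOCAL_LANS: anything from the trusted network is accepted outright.  The
  # match is on source address only, so on a public wireless network that
  # also hands out 192.168.1.0/24 every other client there counts as
  # "trusted".  When the home NIC has a fixed name, add --in-interface <if>
  # to this rule, or point TRUSTED_LAN at a network public hotspots do not use.
  fw_say "Create Rules for Chain: LOCAL_LANS"
  fw_rule Trusted_Network_1 -A LOCAL_LANS --source "$trusted_lan" -j ACCEPT

  # Kernel hardening.
  fw_say -n "Disable IP Forwarding. "
  fw_sysctl /proc/sys/net/ipv4/ip_forward 0
  fw_say "Done."

  fw_say -n "Enable Reverse Path Filtering "
  # 2 selects "loose" mode on kernels that distinguish it; older kernels
  # treat any non-zero value as simply enabled.
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    fw_sysctl "$f" 2
  done
  fw_say "Done."

  fw_say -n "Enable log_martians (logging). "
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    fw_sysctl "$f" 1
  done
  fw_say "Done."

  fw_say -n "Enable Syn Cookies. "
  fw_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  fw_say "Done."

  echo Done.
}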
#######################################
# Tear the filter table down and reopen the built-in chains.
# Globals:   IPT (read); status (set to "1" if any step fails)
# Outputs:   progress on stdout
# Returns:   0 (failures are only recorded in status)
#######################################
stopFirewall() {
  echo -n "Clearing iptables (created by KMyFirewall)... "
  # Flush the rules first, then delete the now-empty custom chains, then
  # reset the built-in policies.  A failed step is remembered in status but
  # does not stop the remaining cleanup.
  if ! "$IPT" -t filter -F; then status="1"; fi
  if ! "$IPT" -t filter -X; then status="1"; fi
  for builtin_chain in INPUT OUTPUT FORWARD; do
    if ! "$IPT" -t filter -P "$builtin_chain" ACCEPT; then status="1"; fi
  done
  echo "Done."
}
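IPT="/sbin/iptables"
MOD="/sbin/modprobe"
status="0"
verbose="0"
action="$1"

# Print the command-line summary to stderr and exit with an error status.
usage() {
  echo "Usage: sh kmyfirewall.sh [-v|--verbose] { start | stop | restart }" >&2
  exit 1
}

# iptables and the /proc/sys writes need root; refuse early with one clear
# message instead of a "FAILED" line for the first rule.
need_root() {
  if [ "$(id -u)" != "0" ]; then
    echo "kmyfirewall.sh must be run as root" >&2
    exit 1
  fi
}

# Option handling: an optional -v/--verbose, then the action.
case "$1" in
  -v|--verbose)
    verbose="1"
    if [ -z "$2" ]; then
      usage
    fi
    action="$2"
    ;;
esac

case "$action" in
  start|restart)
    need_root
    stopFirewall
    startFirewall
    ;;
  stop)
    need_root
    stopFirewall
    ;;
  *)
    # An unknown (or missing) action used to print the usage but exit 0,
    # so init scripts could not tell that nothing had been done.
    echo "Invalid action! Usage: sh kmyfirewall.sh [-v|--verbose] { start | stop | restart }" >&2
    exit 1
    ;;
esac

if [ "$status" = "1" ]; then
  exit 1
fi
exit 0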