Credit to Shalafi for this.
Here's a small and easy to use iptables based firewall script which works the other way around. Instead of allowing people to connect and block (illegal) users through iptables, you block access completely and only allow hosts to connect by allowing them in the firewall. The only downside is, your client needs to use a DNS or a non-dynamic IP-address so that you can allow him access. The plus is, this means more security since you only allow users with a DNS/ipaddress and your server is default not viewable from the internet. You can also expand your F-line for the client with the same DNS in the case your firewall doesn't start or work for some extra security
Keep in mind, that I tested this script on a NSLU2 running with the OpenSlug 3.10 Beta firmware. However, this script should work on regular Linux configurations without to many changes (disable the modprobe commands which is needed on the NSLU2). And to make sure that peers with a rotating IP-address can connect, you need to put this script in a cronjob setup to run every 15 minutes (see example at the bottom) during the day.
It's a regular init.d script which has a start (start firewall), stop (stop firewall) or restart (stop then start firewall) function. Make sure that after you create the firewall script, to chmod it to executable (chmod a+x /etc/init.d/firewall) and make sure it autostarts (depends on your distribution) using the example below.
Filename: /etc/init.d/firewall
Bash
#!/bin/sh
###############################################################################
#
# Default firewall script for your Linux server
#
# This one is used for allowing peers access to your CCcam configuration. It can
# be used with other sharing protocols as well.
#
# See the examples at the CCCAM section
#
###############################################################################
#
# Local Settings
#
# iptables Location - adjust if needed
IPT="/usr/sbin/iptables"
# Internet Interface
INET_IFACE="eth0"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
flush_existing() {
# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
# Erase all non-default chains
$IPT -X
}
create_chains() {
echo "Create custom rule chains ..."
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for udp packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound udp services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
# Used to allow CCcam services
# Default fail except for established sessions
$IPT --new cccam
}
populate_chains() {
echo "Populate custom rule chains ..."
# bad_packets chain
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.
# Stealth scans
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (echo Request) is accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
#$IPT -A icmp_packets --fragment -p ICMP -j LOG \
#--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Uncomment the LOG command if you want to log PING attempts
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
# --log-prefix "Ping detected: "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# comment out above and uncomment below to drop pings without logging.
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# see ping reply packets
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# tcp & udp
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers
#
# ADD udp-based services here
#
# udp_inbound chain
# ports you want to accept udp packets on
# netbios/samba
$IPT -A udp_inbound -p udp -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p udp -s 0/0 --destination-port 138 -j ACCEPT
# Network Time Protocol (NTP) Server
$IPT -A udp_inbound -p udp -s 0/0 --destination-port 123 -j ACCEPT
# External DHCP Server
# Allow DHCP client request packets inbound from external network
$IPT -A udp_inbound -p udp -s 0/0 --source-port 68 --destination-port 67 -j ACCEPT
# DNS in
#$IPT -A udp_inbound -p udp -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p udp -s 0/0 --source-port 53 -j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p udp -j RETURN
# udp_outbound chain
# ports you send udp packets to
# netbios/samba
$IPT -A udp_outbound -p udp -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_outbound -p udp -s 0/0 --destination-port 138 -j ACCEPT
# Network Time Protocol (NTP) Server
$IPT -A udp_outbound -p udp -s 0/0 --destination-port 123 -j ACCEPT
# DHCP out
$IPT -A udp_outbound -p udp -s 0/0 --destination-port 68 -j ACCEPT
# DNS out
$IPT -A udp_outbound -p udp -s 0/0 --destination-port 53 -j ACCEPT
# No match, so ACCEPT
# make this DROP if you want to block any other outbound udp traffic
$IPT -A udp_outbound -p udp -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the SLUG
# smb
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 139 -j ACCEPT
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 445 -j ACCEPT
# HTTP
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 80 -j ACCEPT
# FTP
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port ftp -j ACCEPT
# Passive
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 33201:33210 -j ACCEPT
# Ctorrent incoming ports. Uncomment if you use ctorrent.
# $IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 2706:2700 -j ACCEPT
# DNS
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 53 -j ACCEPT
# sshd
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 22 -j ACCEPT
# If you have 2 ssh daemons running, add the second here
# $IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 999 -j ACCEPT
# telnet (not normally used in Openslug)
# $IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 23 -j ACCEPT
###############################################################################
# CCCAM SECTION - These are examples!
# Change the portnumbers accordingly to your configuration!
# 12000 = Default CCcam port
# 16001 = Default WEBINFO port
###############################################################################
# WEBINFO - Allow access to CCcam WEBINFO from the local network:
#
# In this case we use 192.168.1.x with a subnetmask of 255.255.255.0 (/24)
# Change it to your local network configuration
#
$IPT -A cccam -p tcp -s 192.168.1.0/24 --destination-port 16001 -j ACCEPT
# SERVER - Allow acces to the CCcam server
#
# These examples will show how you can allow a hostname, ipaddress or range to connect
# to the CCcam server instance
#
$IPT -A cccam -p tcp -s 192.168.1.0/24 --destination-port 12000 -j ACCEPT
$IPT -A cccam -p tcp -s hostname.dnsname.extension --destination-port 12000 -j ACCEPT
$IPT -A cccam -p tcp -s 83.149.116.40 --destination-port 12000 -j ACCEPT
# SERVER - Disabled peers
#
# With this example you can block a hostname, ipaddress or range to connect to
# your server. After a firewall restart it will happen instanly.
#
$IPT -A cccam -p tcp -s badclient.domainname.extension --destination-port 12000 -j DROP
$IPT -A cccam -p tcp -s 217.148.84.25 --destination-port 12000 -j DROP
# CCcam - Default disabled
#
# Default CCCAM server and webinfo access is disabled.
#
$IPT -A cccam -p tcp -s 0/0 --destination-port 16001 -j DROP
$IPT -A cccam -p tcp -s 0/0 --destination-port 12000 -j DROP
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p tcp -j RETURN
# tcp_outbound chain
#
# This chain controlls what tcp traffic is allowed out
# http
$IPT -A tcp_outbound -p tcp -s 0/0 --destination-port 80 -j ACCEPT
# DNS
$IPT -A tcp_outbound -p tcp -s 0/0 --destination-port 53 -j ACCEPT
# sshd
$IPT -A tcp_outbound -p tcp -s 0/0 --destination-port 22 -j ACCEPT
# No match, so ACCEPT
# Note, you could make this DROP to block any other outbound traffic
$IPT -A tcp_outbound -p tcp -s 0/0 -j ACCEPT
}
process_input_chain() {
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# ******************************
# Inbound Internet Packet Rules
# packet filter accepts inbound packets that are replies to an outbound connection
# this blocks all new connection attempts except to those allowed below
$IPT -A INPUT -p tcp -i $INET_IFACE ! --syn -j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p tcp -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p tcp -i $INET_IFACE -j cccam
$IPT -A INPUT -p udp -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Drop without logging broadcasts that get this far.
# Comment this line if testing new rules that impact
# broadcast protocols.
#$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
}
process_output_chain() {
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# If you want to block outbound connections, uncomment first section below, comment
# out second section, and add rules to tcp_outbound/udp_outbound
# To internet - filtered
#$IPT -A OUTPUT -p tcp -o $INET_IFACE -j tcp_outbound
#$IPT -A OUTPUT -p udp -o $INET_IFACE -j udp_outbound
# To internet - unfiltered
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
}
case "$1" in
start)
echo "Starting iptables firewall"
# Only needed on NSLU2 - Disable them on regular Linux installations:
modprobe ip_tables
modprobe iptable_filter
flush_existing
create_chains
populate_chains
process_input_chain
process_output_chain
;;
stop)
echo "Stopping iptables firewall"
flush_existing
rmmod ip_tables
rmmod iptable_filter
echo "Firewall rules flushed"
;;
reload|force-reload)
echo "Reloading iptables firewall"
flush_existing
create_chains
populate_chains
process_input_chain
process_output_chain
;;
restart)
echo "Restarting iptables firewall"
flush_existing
create_chains
populate_chains
process_input_chain
process_output_chain
;;
*)
echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
exit 1
esac
exit 0To make the firewall script start at bootup on a NSLU2, use the following command in your SSH client:
Code
ln -s /etc/init.d/firewall /etc/rcS.d/S59firewallTo create a cronjob, run the command crontab -e and put in the following information:
Code
15,30,45,59 * * * * /etc/init.d/firewall restartAfter this, Cron will restart the firewall on 00:15, 00:30, 00:45, 00:59, 01:15, 01:30, etc, etc, etc.
Offcourse you can edit the script for use with newcs, mbox, etc, etc. Just make sure you use the correct protocols and/or portnumbers. Alternatively you can change the name of the chain (which is now cccam) to your program which you use.
