ipfwadm script for Cable Modem or DSL

By unwire, January 15, 2007

Originally posted December 30th 1998 on my old website. Today it would have been considered a blog. Does that mean that I’ve been blogging almost 10 years?

Original location:
http://www.pasadena.net/linux/linuxsecure.html

#!/bin/sh
#
# My ipfwadm rules on a Cable Modem
#
#
# Use at your own risk!

# My external ip address:
#
EXTIP="169.254.2.2/32"
#
# Misc. startup:
#
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o
#
# Flush rules:
#
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
#
# Set default to deny:
#
ipfwadm -F -p deny
ipfwadm -I -p deny
ipfwadm -O -p deny
#
# Allow masquerading from my internal network:
#
/sbin/ipfwadm -F -a m -S 172.30.30.0/24 -D 0.0.0.0/0
# -----------------------
# EXTERNAL INBOUND RULES:
# -----------------------
#
# Deny packets with localhost, broadcast and multicast addresses:
#
ipfwadm -I -a deny -Weth0 -S 224.0.0.0/3 -D $EXTIP -o
ipfwadm -I -a deny -Weth0 -S 127.0.0.0/8 -D $EXTIP -o
ipfwadm -I -a deny -Weth0 -S 255.0.0.0/8 -D $EXTIP -o
#
# Deny rfc 1918 addresses:
#
ipfwadm -I -a deny -Weth0 -S 10.0.0.0/8 -D $EXTIP -o
ipfwadm -I -a deny -Weth0 -S 172.16.0.0/12 -D $EXTIP -o
ipfwadm -I -a deny -Weth0 -S 192.168.0.0/16 -D $EXTIP -o
#
# Deny packets without ip address.
#
ipfwadm -I -a deny -Weth0 -S 0.0.0.0/32 -D $EXTIP -o
#
# Prevent spoofing. Deny incoming packets that have
# our external address:
ipfwadm -I -a deny -Weth0 -S $EXTIP -o
#
# Allow only specific ICMP:
#
# http://www.iana.org/assignments/icmp-parameters
# http://www.pasadena.net/cisco/mtu.html
#
ipfwadm -I -a accept -Weth0 -S any/0 3 4 11 -P icmp
#
# Allow only ACKed tcp packets to our network:
#
ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 1024:65535 -P tcp -k
#
# For ftp clients:
#
ipfwadm -I -a accept -Weth0 -S any/0 20 -D $EXTIP 1024:65535 -P tcp
#
# Allow telnet and ssh from this network:
#
ipfwadm -I -a accept -Weth0 -S 196.254.92.0/24 -D $EXTIP 22 23 -P tcp
#
# Allow inbound DNS queries on our server:
#
ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 53 -P udp
#
# Allow outbound DNS queries:
#
ipfwadm -I -a accept -Weth0 -S any/0 53 -D $EXTIP 1024:65535 -P udp
#
# Important!! Deny and log anything else:
#
ipfwadm -I -a deny -Weth0 -S any/0 -D any/0 -o
#
# -----------------------
# EXTERNAL OUTBOUND RULES:
# -----------------------
#
# Prevent leakage of rfc 1918 addresses:
#
ipfwadm -O -a deny -Weth0 -S 10.0.0.0/8 -o
ipfwadm -O -a deny -Weth0 -S 172.16.0.0/12 -o
ipfwadm -O -a deny -Weth0 -S 192.168.0.0/16 -o
ipfwadm -O -a deny -Weth0 -D 10.0.0.0/255.0.0.0 -o
ipfwadm -O -a deny -Weth0 -D 172.16.0.0/255.240.0.0 -o
ipfwadm -O -a deny -Weth0 -D 192.168.0.0/255.255.0.0 -o
#
# Allow everything else:
#
ipfwadm -O -a accept -Weth0 -S any/0
#
# Deny and log anything else (not reached while the accept-all rule above matches every packet):
#
ipfwadm -O -a deny -Weth0 -S any/0 -o
# -----
# Misc:
# -----
#
# Allow localhost:
#
ipfwadm -I -a accept -Wlo -S any/0 -D any/0
ipfwadm -O -a accept -Wlo -S any/0 -D any/0
#
# Allow everything on the internal network:
#
ipfwadm -I -a accept -Weth1 -S any/0 -D any/0
ipfwadm -O -a accept -Weth1 -S any/0 -D any/0
#
# End of script.
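As an added example that is not part of the original post, here is a small Python simulator of the script's eth0 inbound chain: it applies the same first-match, default-deny logic to sample packets, so you can see what the -k (ACK-only) rule and the anti-spoofing denies actually let through. The rules are transcribed from the script; the 203.0.113.0/24 and 196.254.92.7 test addresses and the sample packets are constructed.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

EXTIP = net("169.254.2.2/32")   # the script's $EXTIP
ANY = net("0.0.0.0/0")

# One tuple per "ipfwadm -I ... -Weth0" line, in script order:
# (verdict, proto or None=any, src net, src ports, dst net or None, dst ports, ack_only)
# A ports entry of None matches any port; for ICMP the "source port" is the ICMP type.
INBOUND_ETH0 = [
    ("deny",   None,   net("224.0.0.0/3"),     None,        EXTIP, None, False),
    ("deny",   None,   net("127.0.0.0/8"),     None,        EXTIP, None, False),
    ("deny",   None,   net("255.0.0.0/8"),     None,        EXTIP, None, False),
    ("deny",   None,   net("10.0.0.0/8"),      None,        EXTIP, None, False),
    ("deny",   None,   net("172.16.0.0/12"),   None,        EXTIP, None, False),
    ("deny",   None,   net("192.168.0.0/16"),  None,        EXTIP, None, False),
    ("deny",   None,   net("0.0.0.0/32"),      None,        EXTIP, None, False),
    ("deny",   None,   EXTIP,                  None,        None,  None, False),  # anti-spoof
    ("accept", "icmp", ANY,                    {3, 4, 11},  None,  None, False),
    ("accept", "tcp",  ANY,                    None,        EXTIP, range(1024, 65536), True),  # -k
    ("accept", "tcp",  ANY,                    {20},        EXTIP, range(1024, 65536), False),
    ("accept", "tcp",  net("196.254.92.0/24"), None,        EXTIP, {22, 23}, False),
    ("accept", "udp",  ANY,                    None,        EXTIP, {53}, False),
    ("accept", "udp",  ANY,                    {53},        EXTIP, range(1024, 65536), False),
    ("deny",   None,   ANY,                    None,        ANY,   None, False),  # deny + log
]

def inbound_verdict(proto, src, sport, dst, dport, ack=False):
    """First matching rule wins, as in an ipfwadm chain; the policy is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for verdict, p, snet, sports, dnet, dports, ack_only in INBOUND_ETH0:
        if p is not None and p != proto:
            continue
        if s not in snet or (dnet is not None and d not in dnet):
            continue
        if sports is not None and sport not in sports:
            continue
        if dports is not None and dport not in dports:
            continue
        if ack_only and not ack:
            continue
        return verdict
    return "deny"  # ipfwadm -I -p deny

if __name__ == "__main__":
    # Constructed samples: a web reply (accept) and a bare SYN to a high port (deny).
    print(inbound_verdict("tcp", "203.0.113.10", 80, "169.254.2.2", 40000, ack=True))
    print(inbound_verdict("tcp", "203.0.113.10", 54321, "169.254.2.2", 40000))
```

Because the chain is stateless, any packet carrying ACK to a port above 1023 is accepted; the -k trick only blocks new connections, it does not track them.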

One Comment

  1. Pleasance says:

    Good for people to know.