firewall stuff last time, I promise:)

Deedra Waters dmwaters at tampabay.rr.com
Wed Dec 26 15:45:07 EST 2001


Ok, I installed it, just don't have it running on startup. I'm using Debian,
but still have no clue how to do that. I got one error when I started it,
and this is what I got.

eth1: error fetching interface information: Device not found
and then it gives me this.
Local Network Device: eth1
Local IP:
Local Network Address: 192.168.1.0/24
External Network Device: eth0
-
any ideas?


On Wed, 26 Dec 2001, Gregory Nowak wrote:

> Hi,
> 
> This script is pretty self-explanatory.
> To change things, simply edit between quotes.
> For example, to make ssh available just to your lan, change 
> 
> SSH="no"
> to
> SSH="yes"
> 
> 
> If you want to make ssh available to everyone on the internet in addition to the above, change
> 
> 
> SSHPUBLIC="no"
> to
> SSHPUBLIC="yes"
> 
> 
> I have set your internet eth interface to eth0, and your lan device to eth1 since it sounds like that's what you want.
> I have also made ssh and ftp publicly accessible.
> To get an idea how to modify this script for your needs, compare what
> you got off the EndoShield site to the edited version I'm attaching with the 3 above variables changed.
> I'm not sure what you mean by changing addresses (do you mean inputting the correct address for your internal LAN, or allowing/denying certain hosts).
> 
> Sorry I can't tell you how to remove the old firewall from your scripts, and add the new one to your scripts, since I don't know what distro you have, and where your current firewall starts (that could happen in a couple different scripts). Hth.
> Greg
> 
> 
> On Wed, Dec 26, 2001 at 02:35:47PM -0500, Deedra Waters wrote:
> > Ok, Greg told me about this one a little while ago, then I lost the email,
> > so I couldn't reply to it....
> > I need to know how to change certain options in the configuration in this
> > script.
> > example, I need to know how to change it to eth0, along with the fact that
> > I am running ssh, and an ftp server. I need to know how to tell it that,
> > and also how to make it available to people who are not on my network. I
> > also need to know how to give it the right addresses that it asks for, or
> > rather how to change them.
> > Last thing..... I need to figure out how to remove my current firewall
> > from the startup and add this one.
> > sorry for so much trouble....
> > 
> 
> > #
> > #**ENDOSHIELD 1.2**
> > #Written by Endo (Dave Cheeseman) cheeseman at users.sourceforge.net
> > #EndoShield Site - http://www.sourceforge.net/projects/endoshield
> > 
> > #******************************************************************************************************************************
> > #Configuration Part of the script - If you are unsure of any of these points, leave them as the default setting, changing these
> > #options can seriously affect the security of your firewall.
> > 
> > #Do you want to run a ipchains firewall or iptables?
> > #If you are unsure about this, you need to find out what kernel you are running.
> > #See the readme file for more information.
> > TYPE="iptables"
> > 
> > # Change INETDEV to the network device connected to the Internet (ppp0/eth0)
> > # This is ppp0 by default for dial-up connections.  Most cable modem users
> > # will probably want eth0 or possibly eth1.  When in doubt look at the command
> > # 'ifconfig'.
> > INETDEV="ppp0"
> >  
> > # Change LAN to the correct network address and network mask for your LAN
> > # this can be found by using ifconfig from one of the clients
> > LAN="192.168.1.0/24"
> >  
> > # Change LANDEV to the network device connected to your LAN
> > LANDEV="eth0"
> >  
> > # There should be no need to change this
> > # (note: if LANDEV does not exist on this machine, ifconfig prints
> > # "error fetching interface information: Device not found" and LOCALIP stays empty)
> > LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \  -f 1`
> > 
> > #Do you want other machines on the internet to be able to PING your machine?
> > #(If unsure, leave as no)
> > PING="no"
> > 
> > #If you selected no as the previous option, do you want the machine to log
> > #the dropped pings?
> > LOGPINGS="no"
> > 
> > #If you trust all data coming from your local network, put yes.
> > TRUST="yes"
> > 
> > #If you want to share this machine's internet connection, put yes
> > #(This will provide Masquerading services for your LAN)
> > #Otherwise, put no
> > SHARE="yes"
> > 
> > #Is this machine connected to a Samba Network?
> > #If yes, over a LAN?
> > SAMBALAN="no"
> > #Or over a WAN?
> > SAMBAWAN="no"
> > #Or over both?
> > SAMBA="no"
> > 
> > #If you are running any servers on your machine, you need to specify them below, 
> > #you also need to specify whether these servers/ports should be open to just your local
> > #network, or the whole world. If you answer yes to PORTNAMEPUBLIC, then the specified port 
> > #will be open to the whole internet, if this is left to the default, which is no, but you
> > #have specified that you are running a server on the port, the port will only be available to 
> > #your local lan.
> > 
> > #Do you run a FTP server?
> > FTP="no"
> > FTPPUBLIC="no"
> > 
> > #Do you run a SSH server?
> > SSH="yes"
> > SSHPUBLIC="yes"
> > 
> > #Do you run a telnet server?
> > TELNET="no"
> > TELNETPUBLIC="no"
> > 
> > #Do you run a Web server?
> > WEB="no"
> > WEBPUBLIC="no"
> > 
> > #Do you run a mail server?
> > MAIL="no"
> > MAILPUBLIC="no"
> > 
> > #Do you run identd?
> > IDENT="no"
> > IDENTPUBLIC="no"
> > 
> > #If you want to add any trusted hosts, that is, machines on the internet or on your local network
> > #which you want to fully trust (Allow all data from these machines pass through the firewall), then
> > #list these machines below.
> > #(These rules match on the source address only, so anything able to spoof one of these
> > #addresses is trusted as well. 1.1.1.1 is presumably an unused placeholder slot.)
> > TRUSTEDHOST1="131.211.28.48"
> > TRUSTEDHOST2="195.92.249.253"
> > TRUSTEDHOST3="194.159.164.195"
> > TRUSTEDHOST4="129.27.3.9"
> > TRUSTEDHOST5="1.1.1.1"
> > 
> > #If you want to block any hosts from accessing your machine, please list them below, these machines
> > #will not be able to access your machine at all, even your public access servers.
> > #(Slots left at the placeholder 1.1.1.1 just add a DROP rule for that address.)
> > DENYHOST1="1.1.1.1"
> > DENYHOST2="1.1.1.1"
> > DENYHOST3="1.1.1.1"
> > DENYHOST4="1.1.1.1"
> > DENYHOST5="1.1.1.1"
> > 
> > #End of Configuration.
> > #************************************************************************************************************
> > 
> > echo "---------------------------------------------------------"
> > echo "Local Network Device: $LANDEV"
> > echo "Local IP: $LOCALIP"
> > echo "Local Network Address: $LAN"
> > echo "External Network Device: $INETDEV"
> > echo "---------------------------------------------------------"
> > echo ""
> > 
> > #Set default chain policy
> > echo -n "Setting default chain policies..."
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT ACCEPT
> > echo " Done!"
> > 
> > #Flush all chains
> > echo -n "Flushing chains..."
> > iptables  -F
> > iptables  -X
> > iptables -t nat -F PREROUTING
> > iptables -t nat -F POSTROUTING
> > echo " Done!"
> > 
> > #Add custom chains
> > echo -n "Adding custom chains..."
> > iptables -N inet-in
> > iptables -N inet-out
> > echo " Done!"
> > 
> > #Set INPUT rules
> > echo -n "Setting rules for INPUT chain..."
> > iptables -A INPUT -i lo -j ACCEPT
> > if [ "$TRUST" = "yes" -o "$TRUST" = "YES" ]; then
> > 	iptables -A INPUT -i $LANDEV -j ACCEPT
> > else
> > 	iptables -A INPUT -i $LANDEV -j inet-in
> > fi
> > iptables -A INPUT -i $INETDEV -j inet-in
> > echo " Done!"
> > 
> > #Set FORWARD rules
> > echo -n "Setting rules for FORWARD chain..."
> > if [ "$SHARE" = "yes" -o "$SHARE" = "YES" ]; then
> > 	modprobe iptable_nat
> > 	iptables -A FORWARD -s $LAN -j ACCEPT
> > 	iptables -A FORWARD -d $LAN -j ACCEPT
> > 	echo 1 > /proc/sys/net/ipv4/ip_forward
> > 		#Activate masquerade
> > 		echo -n "Activating masquerade..."
> > 		iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE
> > 		echo " Done!"	
> > fi
> > echo " Done!"
> > 
> > #Set OUTPUT rules
> > echo -n "Setting rules for OUTPUT chain..."
> > iptables -A OUTPUT -j inet-out
> > echo " Done!"
> > 
> > #Set inet-in rules
> > echo -n "Setting rules for internet device incoming chain: "
> > 	#Denied hosts come first: iptables stops at the first matching rule, so a DROP
> > 	#appended after the public-service ACCEPTs would never be reached for those ports.
> > 	echo -n "Denying all specified hosts.... "
> > 	iptables -A inet-in -s $DENYHOST1 -j DROP
> > 	iptables -A inet-in -s $DENYHOST2 -j DROP
> > 	iptables -A inet-in -s $DENYHOST3 -j DROP
> > 	iptables -A inet-in -s $DENYHOST4 -j DROP
> > 	iptables -A inet-in -s $DENYHOST5 -j DROP
> > 	echo "Done!"
> > 
> > 	echo -n "Adding trusted hosts.... "
> > 	iptables -A inet-in -s $TRUSTEDHOST1 -j ACCEPT
> > 	iptables -A inet-in -s $TRUSTEDHOST2 -j ACCEPT
> > 	iptables -A inet-in -s $TRUSTEDHOST3 -j ACCEPT
> > 	iptables -A inet-in -s $TRUSTEDHOST4 -j ACCEPT
> > 	iptables -A inet-in -s $TRUSTEDHOST5 -j ACCEPT
> > 	echo "Done!"
> > 
> > 	echo -n "Setting open ports for specified servers / Network Services .... "
> > 	#LAN-only rules match on the incoming interface only. inet-in is reached from INPUT,
> > 	#where a packet has no outgoing interface, so a rule carrying "-o" never matches.
> > 	if [ "$SAMBALAN" = "YES" -o "$SAMBALAN" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 138:139 -j ACCEPT
> > 	fi
> > 	if [ "$SAMBAWAN" = "YES" -o "$SAMBAWAN" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $INETDEV --dport 138:139 -j ACCEPT
> > 	fi
> > 	if [ "$SAMBA" = "YES" -o "$SAMBA" = "yes" ]; then
> > 		iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT
> > 	fi
> > 	if [ "$FTP" = "YES" -o "$FTP" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 21 -j ACCEPT
> > 		if [ "$FTPPUBLIC" = "YES" -o "$FTPPUBLIC" = "yes" ]; then
> > 			iptables -A inet-in -p tcp --dport 21 -j ACCEPT
> > 		fi
> > 	fi
> > 	if [ "$TELNET" = "YES" -o "$TELNET" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 23 -j ACCEPT
> > 		if [ "$TELNETPUBLIC" = "YES" -o "$TELNETPUBLIC" = "yes" ]; then
> > 			iptables -A inet-in -p tcp --dport 23 -j ACCEPT
> > 		fi
> > 	fi
> > 	if [ "$SSH" = "YES" -o "$SSH" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 22 -j ACCEPT
> > 		if [ "$SSHPUBLIC" = "YES" -o "$SSHPUBLIC" = "yes" ]; then
> > 			iptables -A inet-in -p tcp --dport 22 -j ACCEPT
> > 		fi
> > 	fi
> > 	if [ "$WEB" = "YES" -o "$WEB" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 80 -j ACCEPT
> > 		if [ "$WEBPUBLIC" = "YES" -o "$WEBPUBLIC" = "yes" ]; then
> > 			iptables -A inet-in -p tcp --dport 80 -j ACCEPT
> > 		fi
> > 	fi
> > 	#"Mail server" here means POP3 (port 110) only; SMTP on port 25 is not opened.
> > 	if [ "$MAIL" = "YES" -o "$MAIL" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 110 -j ACCEPT
> > 		if [ "$MAILPUBLIC" = "YES" -o "$MAILPUBLIC" = "yes" ]; then
> > 			iptables -A inet-in -p tcp --dport 110 -j ACCEPT
> > 		fi
> > 	fi
> > 	if [ "$IDENT" = "YES" -o "$IDENT" = "yes" ]; then
> > 		iptables -A inet-in -p tcp -i $LANDEV --dport 113 -j ACCEPT
> > 		if [ "$IDENTPUBLIC" = "YES" -o "$IDENTPUBLIC" = "yes" ]; then
> > 			iptables -A inet-in -p tcp --dport 113 -j ACCEPT
> > 		fi
> > 	fi
> > 	echo "Done!"
> > 
> > echo -n "  Setup ping option on/off..."
> > if [ "$PING" = "YES" -o "$PING" = "yes" ]; then
> > 	iptables -A inet-in -p ICMP -j ACCEPT
> > fi
> > if [ "$LOGPINGS" = "YES" -o "$LOGPINGS" = "yes" ]; then
> >                 iptables -A inet-in -p ICMP -j LOG
> > fi
> > echo "Done!"
> > 
> > echo -n "  Setup port blocking on vulnerable ports..."
> > #Block NFS
> > iptables -A inet-in -p tcp --dport 2049 -j LOG
> > iptables -A inet-in -p udp --dport 2049 -j LOG
> > iptables -A inet-in -p tcp --dport 2049 -j DROP
> > iptables -A inet-in -p udp --dport 2049 -j DROP
> > #Block postgres (port 5432; given numerically so it does not depend on /etc/services)
> > iptables -A inet-in -p tcp --dport 5432 -j LOG
> > iptables -A inet-in -p udp --dport 5432 -j LOG
> > iptables -A inet-in -p tcp --dport 5432 -j DROP
> > iptables -A inet-in -p udp --dport 5432 -j DROP
> > #Block X
> > iptables -A inet-in -p tcp --dport 5999:6003 -j LOG
> > iptables -A inet-in -p udp --dport 5999:6003 -j LOG 
> > iptables -A inet-in -p tcp --dport 5999:6003 -j DROP
> > iptables -A inet-in -p udp --dport 5999:6003 -j DROP
> > #Block XFS
> > iptables -A inet-in -p tcp --dport 7100 -j LOG
> > iptables -A inet-in -p udp --dport 7100 -j LOG
> > iptables -A inet-in -p tcp --dport 7100 -j DROP
> > iptables -A inet-in -p udp --dport 7100 -j DROP
> > #Block Back Orifice
> > iptables -A inet-in -p tcp --dport 31337 -j LOG
> > iptables -A inet-in -p udp --dport 31337 -j LOG 
> > iptables -A inet-in -p tcp --dport 31337 -j DROP
> > iptables -A inet-in -p udp --dport 31337 -j DROP
> > #Block netbus
> > iptables -A inet-in -p tcp --dport 12345:12346 -j LOG
> > iptables -A inet-in -p udp --dport 12345:12346 -j LOG
> > iptables -A inet-in -p tcp --dport 12345:12346 -j DROP
> > iptables -A inet-in -p udp --dport 12345:12346 -j DROP
> > echo " Done!"
> > echo " Done!"
> > echo -n "  Setting connection tracking..."
> > iptables -A INPUT -i $INETDEV  -m state --state NEW,INVALID -j DROP
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > echo " Done!"
> > 
> > if [ "$TYPE" = "ipchains" -o "$TYPE" = "IPCHAINS" ]; then
> > 	echo "MAJOR APOLOGIES - The ipchains version didn't make it into the first version, but it is the highest priority on my TODO list"
> > 	echo "Check http://www.endoshield.sourceforge.net for the next release"
> > fi
> 
> 
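As an added example (not from this thread and not part of EndoShield), the script below rebuilds the part of the configuration Greg describes, the SERVICE/SERVICEPUBLIC toggles, as a small rule generator, with two checks the original lacks: it refuses to run when INETDEV or LANDEV does not exist (the "eth1: error fetching interface information: Device not found" line above is what net-tools ifconfig prints when the LOCALIP line runs against a missing device), and its LAN-only rules match on the incoming interface alone, since "-o" never matches in a chain reached from INPUT. The eth0/eth1 and 192.168.1.0/24 values are taken from the thread and are assumptions; the /sys/class/net check is Linux-specific, and the state match is the same one the original script uses. Rules are printed rather than executed so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not part of EndoShield or this thread. Interface names,
# LAN address and the service list are assumptions taken from the thread.

INETDEV="${INETDEV:-eth0}"      # assumed: device connected to the internet
LANDEV="${LANDEV:-eth1}"        # assumed: device connected to the LAN
LAN="${LAN:-192.168.1.0/24}"    # assumed: LAN network

# Service table: name port enabled public, with the same meaning as the
# SSH="yes" / SSHPUBLIC="yes" pairs in EndoShield's configuration block.
SERVICES="ftp 21 no no
ssh 22 yes yes
telnet 23 no no
web 80 no no
pop3 110 no no"

# iface_exists DEV: true if the kernel knows the interface (Linux sysfs).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# is_yes VALUE: case-insensitive "yes" test, same intent as the script's
# [ "$X" = "yes" -o "$X" = "YES" ] checks.
is_yes() {
    case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# service_rules PORT ENABLED PUBLIC: print the inet-in rules for one TCP
# service. LAN-only access is limited to packets arriving on $LANDEV with
# a LAN source; public access accepts new connections from anywhere.
# Only NEW packets need a rule: replies are accepted by the
# ESTABLISHED,RELATED rule in INPUT.
service_rules() {
    port=$1; enabled=$2; public=$3
    is_yes "$enabled" || return 0
    echo "iptables -A inet-in -p tcp -i $LANDEV -s $LAN --dport $port -m state --state NEW -j ACCEPT"
    if is_yes "$public"; then
        echo "iptables -A inet-in -p tcp --dport $port -m state --state NEW -j ACCEPT"
    fi
}

# build_rules: print the complete rule set for the configuration above.
build_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -N inet-in"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Accept replies and drop invalid packets before any per-service rule,
    # so inet-in only ever sees new connection attempts.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    echo "iptables -A INPUT -i $INETDEV -j inet-in"
    echo "iptables -A INPUT -i $LANDEV -j inet-in"
    echo "$SERVICES" | while read -r _ port enabled public; do
        service_rules "$port" "$enabled" "$public"
    done
}

# check_config: non-zero, with a message on stderr, if a configured device
# is missing, instead of letting ifconfig fail halfway through the rules.
check_config() {
    for dev in "$INETDEV" "$LANDEV"; do
        iface_exists "$dev" || { echo "no such interface: $dev (see /sys/class/net)" >&2; return 1; }
    done
    [ "$INETDEV" != "$LANDEV" ] || { echo "INETDEV and LANDEV must differ" >&2; return 1; }
}

# Usage: sh firewall.sh print   (review the rules)
#        sh firewall.sh apply   (as root: check devices, then load them)
if [ "$1" = "apply" ]; then
    check_config && build_rules | sh
elif [ "$1" = "print" ]; then
    build_rules
fi
```

Running it with `print` on the thread's configuration shows exactly which rules the SSH="yes"/SSHPUBLIC="yes" pair produces, and `apply` stops with a clear message instead of a half-built rule set when the LAN device name is wrong.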





More information about the Speakup mailing list