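ANNEXE 1 - Parametrage du firewall Ipchains
===========================================

/home/system/scripts/fw/custom_net.sh :
---------------------------------------
#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 1 - Parametrage du firewall Ipchains
# Simon Castro
#
# Kernel network hardening through /proc/sys. Called by
# rules_up_ipchains.sh before the ipchains rules are loaded.
# This runs as root at boot from a path under /home: keep the whole
# /home/system/scripts/fw directory root-owned and not group/world
# writable, otherwise whoever can edit these files runs as root on
# the next boot.

### NETWORK CUSTOMIZATION
echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # do not answer broadcast echo requests
echo "60" > /proc/sys/net/ipv4/ip_default_ttl
echo "0" > /proc/sys/net/ipv4/ip_forward                     # this host is not a router

# Per-interface flags under $CHEMIN (all, default, lo, eth0, ...):
# every flag in ZERO_FLAGS is cleared, every flag in ONE_FLAGS is set.
# A flag that does not exist for a given interface is silently skipped.
ZERO_FLAGS="accept_redirects accept_source_route forwarding proxy_arp send_redirects"
ONE_FLAGS="rp_filter log_martians"
CHEMIN="/proc/sys/net/ipv4/conf"

for repert in "$CHEMIN"/*; do
  [ -d "$repert" ] || continue           # no match (literal glob) or not a directory
  for fichier in $ZERO_FLAGS; do         # unquoted on purpose: split the list on spaces
    if [ -e "$repert/$fichier" ]; then
      echo "0" > "$repert/$fichier"
    fi
  done
  for fichier in $ONE_FLAGS; do
    if [ -e "$repert/$fichier" ]; then
      echo "1" > "$repert/$fichier"
    fi
  done
done

/etc/init.d/init_ipchains.sh :
------------------------------
#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 1 - Parametrage du firewall Ipchains
# Simon Castro
#
# SysV wrapper around the rules_up / rules_down scripts.
# The exit status is the one of the rule script that was run: a failed
# "start" is therefore reported as a failure instead of being hidden
# behind an unconditional "exit 0" (which left the host unfiltered while
# claiming success).

RULES_UP=/home/system/scripts/fw/rules_up_ipchains.sh
RULES_DOWN=/home/system/scripts/fw/rules_down_ipchains.sh

# run_rules SCRIPT
#   Replace this process by SCRIPT (its exit status becomes ours), or
#   complain on stderr and exit 1 when SCRIPT is missing or not executable.
run_rules() {
  if [ -f "$1" ] && [ -x "$1" ]; then
    exec "$1"
  fi
  echo "$0 : Cannot execute $1 !!!" >&2
  exit 1
}

case "$1" in
  start)
    run_rules "$RULES_UP"
    ;;
  stop)
    run_rules "$RULES_DOWN"
    ;;
  restart)
    "$0" stop
    exec "$0" start                      # status of the restart is the status of "start"
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0

/home/system/scripts/fw/rules_down_ipchains.sh :
------------------------------------------------
#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 1 - Parametrage du firewall Ipchains
# Simon Castro
#
# Tears the firewall down: flushes every chain, removes the user chains
# and sets the default policies back to ACCEPT. After this the host is
# completely unfiltered, so only use it through "init_ipchains.sh
# stop|restart" and follow it with a "start".

IPCH=/sbin/ipchains                      # IpChains binary

### CHECK KERNEL VERSION AND BINARY PRESENCE
# Without a usable ipchains there is nothing to tear down: for "stop"
# that is a success, hence exit 0.
if [ ! -f "$IPCH" ] || [ ! -x "$IPCH" ]; then
  exit 0
fi
# ipchains reports a kernel without ipchains support on stderr; keep only
# stderr (the listing on stdout is not wanted) and also catch a non-zero status.
CHECK=$("$IPCH" -L -n 2>&1 >/dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  echo "$0 : Not with this kernel"
  exit 0
fi

### VARIABLES
DEFAULT_POL="input output forward"       # Default policies

### BEGIN
# Flush and remove all chains then default the policies to ACCEPT
"$IPCH" -F
"$IPCH" -X
for i in $DEFAULT_POL; do                # unquoted on purpose: one word per builtin chain
  "$IPCH" -P "$i" ACCEPT
done
echo "$0 done"

/home/system/scripts/fw/rules_up_ipchains.sh :
----------------------------------------------
#!/bin/sh
#
# Debian-secinst v0.1.4 : ANNEXE 1 - Parametrage du firewall Ipchains
# Simon Castro
#
# Loads the ipchains rule set: default DENY on input/output/forward,
# then explicit rules for SSH management, the HTTP proxies and DNS
# (NTP, ICMP, Prelude and NetBIOS are provided commented out), and a
# final "log and deny" rule on every builtin chain.
# Exits non-zero whenever the firewall could not be loaded, so that
# init_ipchains.sh (and the administrator) can tell that the host is
# NOT filtered as expected.

IPCH=/sbin/ipchains                                  # IpChains binary
CUSTOM_NET=/home/system/scripts/fw/custom_net.sh     # /proc/sys hardening, run before the rules

### CHECK KERNEL VERSION AND BINARY PRESENCE
# A missing firewall is a failure for "start": report it on stderr and exit 1.
if [ ! -f "$IPCH" ] || [ ! -x "$IPCH" ]; then
  echo "$0 : $IPCH missing or not executable" >&2
  exit 1
fi
# ipchains reports a kernel without ipchains support on stderr; keep only
# stderr (the listing on stdout is not wanted) and also catch a non-zero status.
CHECK=$("$IPCH" -L -n 2>&1 >/dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  echo "$0 : Not with this kernel" >&2
  exit 1
fi

### Set OUR value to the printk variable
echo "6 4 1 7" > /proc/sys/kernel/printk

### NETWORK CUSTOMIZATION
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi

### VARIABLES
# Addresses
IFACE=eth0                                           # interface the rules are written for
# First "addr:" / "Bcast:" field of the ifconfig output (the inet line
# comes first, so "exit" keeps the IPv4 address only).
LOCAL_IP=$(ifconfig "$IFACE" | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 ; exit }')
BROADCAST_IP=$(ifconfig "$IFACE" | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 ; exit }')
# Each *_IP is a space-separated list of addresses; replace the
# @... placeholders before use.
ADM_IP="@IPS_OF_ADMINISTRATION_HOSTS"
DNS_IP="@IP_OF_DNS_SERVERS"
PROXY_IP="@IPS_OF_HTTP_PROXYS"
#NTP_IP="@IPS_OF_NTP_SERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"
#WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS"
#NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS"
# Policies
DEFAULT_POL="input output forward"
LOG_ACCEPT="LogAcc"
LOG_DROP="LogDrop"
# Various
RPORTS=":1024"                                       # privileged port range (not used below, kept for local rules)
NRPORTS="1024:"                                      # unprivileged port range

### BEGIN
# Flush and remove all chains then default the policies to DENY.
# This is done BEFORE the address check below so that an error leaves
# the host closed (everything denied) rather than open.
"$IPCH" -F
"$IPCH" -X
for i in $DEFAULT_POL; do                            # unquoted on purpose: one word per builtin chain
  "$IPCH" -P "$i" DENY
done

### Create and set personal chains
# Log and deny chain
"$IPCH" -N "$LOG_DROP"                               # Create a new one
"$IPCH" -A "$LOG_DROP" -j DENY -l                    # Log and deny
# Log and accept chain
"$IPCH" -N "$LOG_ACCEPT"                             # Create a new one
"$IPCH" -A "$LOG_ACCEPT" -j ACCEPT -l                # Log and accept

### LOOPBACK AND REMOTE MANAGEMENT
# Allow whatever on loopback
"$IPCH" -A output -i lo -j ACCEPT
"$IPCH" -A input -i lo -j ACCEPT

# Without a local address every "-d $LOCAL_IP 22" rule below would be
# mis-parsed and the management rules would be missing. Stop here: the
# policies are already DENY, so the host stays closed (loopback excepted).
if [ -z "$LOCAL_IP" ]; then
  echo "$0 : no IPv4 address found on $IFACE, firewall left in DENY-all state" >&2
  exit 1
fi

# Allow SSH remote management and log connections
# (one set of rules per administration host: use "$i", not the whole list)
for i in $ADM_IP; do
  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" -d "$LOCAL_IP" 22 -y -j "$LOG_ACCEPT"
  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" -d "$LOCAL_IP" 22 -j ACCEPT
  "$IPCH" -A output -p tcp -s "$LOCAL_IP" 22 -d "$i" "$NRPORTS" -j ACCEPT
done

### ALLOW THESE TCP CONNECTIONS
# Allow HTTP/HTTPS to the HTTP proxy servers (port 8080). An incoming SYN
# coming FROM port 8080 of a proxy is not a reply but a scan using the
# allowed port: log it and deny it before the non-SYN accept rule.
for i in $PROXY_IP; do
  "$IPCH" -A output -p tcp --sport "$NRPORTS" -d "$i" 8080 -j ACCEPT
  "$IPCH" -A input -p tcp -s "$i" 8080 -y -j "$LOG_DROP"
  "$IPCH" -A input -p tcp -s "$i" 8080 --dport "$NRPORTS" -j ACCEPT
done

### Uncomment if you want to use Prelude communications.
## Allow Prelude communications to the Prelude server; log SYNs coming from its ports
# "$IPCH" -A output -p tcp --sport "$NRPORTS" -d {PRELUDE_SRV_IP} 5553:5554 -j ACCEPT
# "$IPCH" -A input -p tcp -s {PRELUDE_SRV_IP} 5553:5554 -y -j "$LOG_DROP"
# "$IPCH" -A input -p tcp -s {PRELUDE_SRV_IP} 5553:5554 --dport "$NRPORTS" -j ACCEPT

### ALLOW THESE UDP CONNECTIONS
# Allow DNS Protocol to DNS Servers
for i in $DNS_IP; do
  "$IPCH" -A output -p udp --sport "$NRPORTS" -d "$i" 53 -j ACCEPT
  "$IPCH" -A input -p udp -s "$i" 53 --dport "$NRPORTS" -j ACCEPT
done

### Uncomment if you want to use communications to NTP servers.
### => Also uncomment and set NTP_IP at the beginning of the script.
## Allow NTP Protocol to NTP Servers
# for i in $NTP_IP; do
#   "$IPCH" -A output -p udp --sport "$NRPORTS" -d "$i" 123 -j ACCEPT
#   "$IPCH" -A input -p udp -s "$i" 123 --dport "$NRPORTS" -j ACCEPT
# done

### ALLOW THESE ICMP REQUESTS AND RESPONSES
### Uncomment if you want certain hosts to send us icmp requests
### => Also uncomment and set ICMP_IP at the beginning of the script
## Allow some hosts' icmp requests
#for i in $ICMP_IP; do
#  "$IPCH" -A input -p icmp --icmp-type echo-request -s "$i" -j ACCEPT
#  "$IPCH" -A input -p icmp --icmp-type destination-unreachable -s "$i" -j ACCEPT
#  "$IPCH" -A input -p icmp --icmp-type time-exceeded -s "$i" -j ACCEPT
#  "$IPCH" -A output -p icmp --icmp-type echo-reply -d "$i" -j ACCEPT
#done

### ALLOW SPECIFIC PROTOCOLS
### Uncomment if you want to allow NetBios network streams
### => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script
## Allow NetBios protocol with certain hosts
#"$IPCH" -A output -p udp --sport 137:138 -d "$BROADCAST_IP" 137:138 -j ACCEPT
#for i in $WINS_IP; do
#  "$IPCH" -A output -p udp --sport 137 -d "$i" 137 -j ACCEPT
#  "$IPCH" -A input -p udp -s "$i" --dport 137 -j ACCEPT
#done
## Allow but log incoming syn connections on the 139 port number.
#for i in $NETBIOS_IP; do
#  "$IPCH" -A input -p udp -s "$i" 137 --dport 137 -j ACCEPT
#  "$IPCH" -A output -p udp --sport 137 -d "$i" 137 -j ACCEPT
#  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" --dport 139 -y -j "$LOG_ACCEPT"
#  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" --dport 139 -j ACCEPT
#  "$IPCH" -A output -p tcp --sport 139 -d "$i" "$NRPORTS" -j ACCEPT
#done

### AND LAST : LOG AND DENY
# Anything not matched above is logged, then hits the DENY policy.
for i in $DEFAULT_POL; do
  "$IPCH" -A "$i" -j "$LOG_DROP"
done
echo "$0 done"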