
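#!/bin/sh
#
# egress_filtering_ipchains.sh
#
# Sample Ingress/Egress filters with ipchains
# on a machine that also acts as a forwarding
# (not IP masquerading) gateway.
#
# Change IP networks, salt to taste.
#
# Copyright 2002, Bri Hatch
#
# Released under the GPL.  See COPYING file
# for more information.

# Stop at the first ipchains call that fails and on any unset
# variable, so a typo does not silently load a partial rule set.
set -eu

ipchains=/sbin/ipchains

# Internal network is assumed to be on eth0
internal_if=eth0
internal_net=192.168.5.0/24

# External network is assumed to be on eth1
external_if=eth1
my_ip_addr=192.168.4.2/32

# NOTE: this script only appends rules; it sets no chain policies.
# The ACCEPT rules below therefore restrict traffic only if the
# input/output chain policies have been set to DENY (or REJECT)
# elsewhere.

# Anti-spoofing on the external interface.  ipchains acts on the
# first matching rule, so these DENYs must come before the ingress
# ACCEPTs below, which match on destination only.  A packet arriving
# on the external interface that claims an internal-net source or
# our own address cannot be genuine on this topology.
"$ipchains" -A input -i "$external_if" -s "$internal_net" -j DENY
"$ipchains" -A input -i "$external_if" -s "$my_ip_addr" -j DENY

# Egress Filters: Allow only our internal IPs and
# external interface addrs out of eth1
"$ipchains" -A output -i "$external_if" -s "$my_ip_addr" -j ACCEPT
"$ipchains" -A output -i "$external_if" -s "$internal_net" -j ACCEPT

# Ingress Filters: Allow only our internal IPs and
# external interface addrs in from eth1
"$ipchains" -A input -i "$external_if" -d "$my_ip_addr" -j ACCEPT
"$ipchains" -A input -i "$external_if" -d "$internal_net" -j ACCEPT

# Egress/Ingress Filters on eth0:
# Allow only traffic to/from the internal net through eth0
"$ipchains" -A output -i "$internal_if" -d "$internal_net" -j ACCEPT
"$ipchains" -A input  -i "$internal_if" -s "$internal_net" -j ACCEPT

# Block clearly-spoofed packets
# Deny any restricted ip networks from traversing Carbon at all.
# These are appended after the ACCEPTs above, so they only reach
# packets that none of those ACCEPTs already matched (for example
# traffic forwarded towards some other destination).  They cannot
# simply be moved ahead of the ACCEPTs, because 192.168.0.0/16
# contains the sample internal_net and my_ip_addr; the two explicit
# anti-spoofing rules above cover that case on the external interface.
for badnet in 127.0.0.1/32 10.0.0.0/8 172.16.0.0/12 \
    192.168.0.0/16 224.0.0.0/4 240.0.0.0/5; do
  "$ipchains" -A input  -i "$internal_if" -s "$badnet" -j DENY
  "$ipchains" -A output -i "$internal_if" -s "$badnet" -j DENY
  "$ipchains" -A input  -i "$external_if" -s "$badnet" -j DENY
  "$ipchains" -A output -i "$external_if" -s "$badnet" -j DENY
done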