Free mandriva multi network firewall 2 software for linux

Script for a multi-homed firewall is an example IPTables 1.2.1 script for a dual-homed firewall.

This script has not yet been tested thoroughly on a dual-homed firewall. If you find any problems, please drop me an email.

Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/

## User-defined Chains ##

Chain KEEP_STATE
The KEEP_STATE chain holds a few rules for generic stateful packet filtering.
This chain is called from many of the INPUT/OUTPUT chains to DROP "INVALID"
and perhaps "UNCLEAN" packets and allow other packets from "RELATED" or
"ESTABLISHED" connections.

CHECK_FLAGS
The CHECK_FLAGS chain contains a few rules to filter based on TCP flags.
These rules do indeed filter mainly bogus/malicious traffic(scans, etc). It
would be a good idea to keep an eye on what these rules send to the logs.
Null scans are also logged and dropped, in the mangle table.

DENY_PORTS
The DENY_PORTS chains contains a few rules to DROP and/or LOG packets based
on the source and/or destination port number of the packet.

Packets destined to/from the following ports are dropped by default in the script. These are just some examples of some commonly used ports that certain daemons/trojans/DDoS agents may utilize.

## TCP ##
137:139 SMB
2049 NFS
6000:6063 X
20034 Netbus 2 Pro
12345:12346 Netbus
27374 SubSeven
27665,27444,31335 Trinoo
10498,12754 Mstream

## UDP ##
2049 NFS
31337 BO2k
27444,31335 Trinoo
10498 mstream

These are just examples to stare at. They guarantee no real protection against the associated trojans.

For more common port numbers check out:
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

ALLOW_PORTS
The ALLOW_PORTS chain simply ACCEPTs packets based on port number. If you have
a default FORWARD policy of DROP, then you would need to utilize a chain like
this if you are DNATing/routing connections behind the firewall or perhaps
running services on(!!!) the firewall.

ALLOW_ICMP
The ALLOW_ICMP chains simply allows packets based on ICMP type. Currently
the firewall allows the flow of the following ICMP types:
Echo Reply (pong)
Destination Unreachable
Echo Request (ping)
TTL Exceeded (traceroute)

SRC_EGRESS && DST_EGRESS
The SRC_EGRESS and DST_EGRESS chains filter packets that have a source or
destination IP address matching an array of private or reserved subnets.

TOS_OUTPUT
The TOS_OUTPUT chain exists in the mangle table and mangles the TOS(Type
of Service) field in the IP header of locally generated, outgoing packets.

TOS_PREROUTING
The TOS_PREROUTING chain exists in the mangle table and mangles the TOS(Type
of Service) field in the IP header of packets being routed through the firewall.

The following user-defined chains are pretty obvious. The firewall script is designed to have a user-defined INPUT and OUTPUT chain for every available interface. From these user-defined chains are called the user-defined chains
mentioned above, which I call "Special Chains". The chains below are then called by the built-in INPUT/OUTPUT/FORWARD chains. This isnt really the rule, of course, alot of the user-defined chains mentioned above are called directly from the built-in INPUT/OUTPUT/FORWARD chains. This is done to assure proper flow of the packets through the filters.

EXTERNAL_INPUT
INTERNAL_INPUT
DMZ_INPUT
LO_INPUT
EXTERNAL_OUTPUT
INTERNAL_OUTPUT
DMZ_OUTPUT
LO_OUTPUT

links2world Firewall is a very simple tool writen in C, that helps you generate iptables rules for Linux 2.4.x and newer kernels. Released under GNU General Public License, it is very easy to configure and designed to run on hosts with one or more network interfaces.
Furthermore, they are able to generate iptables rulesets for one or maximum two network interfaces.
Most of the existing iptables script generators are shell scripts. You have to dig in and to look through entire script in order to customize and configure it for your needs.
On the other hand, links2world Firewall uses a very human readable configuration file that is very easy to understand and write. Still more, it does not matter if you have one, two, three or twenty network interfaces, links2world Firewall is able to generate statefull iptables rulesets able to control the packet flows between all the networks your machine is connected to.
Enhancements:
- minor fixes that solved compilation errors when using older compiles

Alfandega is a strong and Modular IpTables Firewall. With Alfendanga you can provide NAT, port-forwarding, spoofing list, blacklist of crackers and spywares sites, protection for tcp/udp scans, DOS/DDOS and Smurf attacks, TCP tuning, DHCP and PPP support and much more (this will depends on your imagination).
To view the install instructions read the ./INSTALL file.
To read the terms of licence Alfandega released under see ./COPYING.
To know what other software Alfandega requires proceed to ./REQUIRES reading.
Note: Slackware and other non-rpm distros users must read carrefully the
./INSTALL file. Debian packages not supported yet.
Enhancements:
- Added Configurator
- Moved chains.conf, modules.conf and run-scripts.conf
- acl.conf and interfaces.conf concatened with alfandega.conf
- ACLs is now called as NVLs (because confusion with filesystem ACLs)
- Some changes in addons engine

redWall is a bootable CD-ROM Firewall. redWall Firewalls goal is to provide a feature rich firewall solution, with the main goal, to provide a webinterface for all the logfiles generated!
Main features:
- Configuration is currenty stored on a floppy/USB Memory Stick/Harddrive or sent by email (see todo !)
- Due the fact, that most reporting functionality is done via mysql (except for the squid reports), its possible to use the cd as a Mangagement/Logging Console for other firewalls running in your environment using the same cd! Take snort for instance.. you can have 10 firewalls :) running snort, reporting back to the main database on the management/Logging system, in order to have a central "overview" of all your firewalls... Using the SAME CD !! Its all up to you how you configure your firewall and/or Management box !
- based on redhat 9.0
- bridging support
- Mail Virusscanning, spamfiltering and gateway functionality
- /etc is writable (tmpfs) feeded by the configuration medium
- /var is writable (ramdisk or harddisk) (you are not going to run squid on a ramdisk... arent you ?)
- The cd will (at least it should) detect all your network cards (using kudzu) during the initial boot
- During the initial boot, you can setup some basic things like IP Address, Services to start (all disabled by default) and so on
Enhancements:
- A whole lot of new features have been added.
- vuurmuur has been installed again.
- The initial setup has been rewritten to be like a step-by-step configuration.
- A webmin module for openvpn has been added.
- A comprehensive reverse proxy called vultureng has been added.
- Major bugfixes have been applied.

Very restrictive set of firewall rules script is a sample firewall for ip_tables, the tool for doing firewalling and masquerading under the 2.3.x/2.4.x series of kernels.

Be warned, this is a very restrictive set of firewall rules (and they should be, for proper security). Anything that you do not _specifically_ allow is logged and dropped into /dev/null, so if youre wondering why something isnt working, check /var/log/messages.

This is about as close as you get to a secure firewall. Its nasty, its harsh, and it will make your machine nearly invisible to the rest of the internet world. Have fun.

To run this script you must chmod 700 iptables-script and then execute it. To stop it from running, run iptables -F

Sample:

#Point this to your copy of ip_tables
IPT="/usr/local/bin/iptables"

#Load the module.
modprobe ip_tables

#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall

#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
#$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
#$IPT -P FORWARD ACCEPT
#echo 1 > /proc/sys/net/ipv4/ip_forward

#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP

#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#If youre using IP Masquerading, change this IP to whatever your internl
#IP addres is and uncomment it
#$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT

#Accept DNS, cause its warm and friendly
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT

#Allow ftp to send data back and forth.
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT

#Accept SSH. Duh.
#$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

#Send everything else ot the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall

LutelWall (formerly known as Lutel Firewall) is high-level linux firewall configuration tool. It uses human-readable and easy to understand configuration to set up Netfilter in most secure way. Its flexibility allows firewall admins build from very simple, single-homed firewalls, to most complex ones - with multiple subnets, DMZs and traffic redirections. It can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. Configuration method of this firewall is made to be as simple as possible without loosing Netfilter flexibility and its security facilities.
Main features:
- flexible control over traffic using rule set
- user-defined protocols support
- support for any kind multiple external and internal interaces (and aliases)
- automated MASQUERADE / SNAT support
- easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
- rate limit extensions
- packet marking for 3rd party shapers
- TOS (Type of Service) traffic optimizer
- both passive and active FTP support
- DHCP support
- can work as "workstation" firewa
- stateful TCP connection tracking with restrictive TCP chain
- blocking all stealth mode scans (FIN, Xmas Tree, Null, Windows scan or ACK scan modes (nmap -sF -sX -sN -sW -sA)
- blocking IP protocol scans (nmap -sO)
- blocking UDP scans (nmap -sU)
- blocking identification via TCP/IP fingerprinting (nmap -O)
- anti-spoof protection, including protection for aliases
- anti-smurf protection
- TCP SYN Flood protection
- UDP / ICMP Flood protection
- IANA reserved addresses checking
- SYSCTL parameters set for increased strength
- logging stealth scans (FIN, Xmas Tree, Null), ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU), nmap fingerprinting attempts.
- autodetect of connection type (static/dynamic, external/internal)
- auto update of firewall tool
- auto update IANA reserved list
- display firewall statistics in iptables native, csv or html format
- easy deployment on all distributions
Enhancements:
- fixed iptables version checking