Free mandriva multi network firewall software for linux

NATting SOHO firewall is a firewall script for iptables.

# Model NATting SOHO firewall for SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: youre going to have to hack this for your own purposes.
#

# Assumptions:
# your internal network is 192.168.1.0/24 on eth1
# your internet IP is 10.0.0.1 on eth0
# your internal network IP on eth1 is 192.168.1.1
#
# Additonally:
# you have another internal network, a DMZ: 192.168.2.0/24 on eth2

$INTERNAL_IP = 192.168.1.1
$INTERNAL_NET = 192.168.1.0/24

$INTERNET = 10.0.0.1

$DMZ = 192.168.2.0/24

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Set default policies for packets going through this firewall box

iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box

iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP

# Note:There are more "reserved" networks, but these are the classical ones.

# Block outgoing network filesharing protocols that arent designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

###
# Transparently proxy all web-surfing through Squid box

$SQUID = 192.168.1.2:8080
$SQUIDSSL = 192.168.1.2:443
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

# Transparently forward all outgoing mail to a relay host

$SMTP = 192.168.1.3
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

# Transparently redirect web connections from outside to the DMZ web
# server

$DMZ_WEB = 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT --to $DMZ_WEB

# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET


# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

Trustix Enterprise Firewall represents a revolution within firewall management software. Trustix Enterprise Firewall is the worlds first WYSIWYG Enterprise Firewall, making it easy-to-use and easy-to-deploy. By utilizing the WYSIWYG GUI, your Enterprise Firewall will be out of the box and implemented in an unbeatable 25 minutes- and without the need for a dedicated systems administrator!
A fully-featured packet-filtering router, Trustix Enterprise Firewall has advanced capabilities including an intuitive graphical user interface (GUI) for visualizing and editing firewall policy.
This unique GUI enables you to manage traffic for all your zones (up to 24) as well as port forwarding, network address translation (NAT) and virtual private network (VPN) configurations.
Packet-filtering enables Enterprise Firewall to act as a router to accelerate data transmission. Meaning no more bottle necks due to time consuming proxies.
IP-address sharing by masquerading or NAT.
The underlying rules generated by the program are then fully optimized before being deployed- thereby optimizing the security and performance of your firewalls architecture, and avoiding errors and duplications.
Trustix Enterprise Firewall uses the IPsec protocol to encrypt data transmitted over the net- extending the security of your network to all arms of your business. Communications between your office and home users are protected using 168-bit 3DES encryption- triple the encryption, triple the security! Enables remote, secure configuration of multiple firewalls from one Windows or Linux desktop.
Trustix Enterprise Firewall Blockades and repel malicious attacks from hackers, Trojans, worms and infected files.
Main features:
- Visualise DMZs - drag and drop security policy deployment
- Integrate branch offices with 3DES encrypted VPN tunnels
- Accelerate internet access times with proxy caching server
- Authenticate remote workers with PKI X.509 certificates
- Ensure high availability with fault tolerant automatic failover

Script for a multi-homed firewall is an example IPTables 1.2.1 script for a dual-homed firewall.

This script has not yet been tested thoroughly on a dual-homed firewall. If you find any problems, please drop me an email.

Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/

## User-defined Chains ##

Chain KEEP_STATE
The KEEP_STATE chain holds a few rules for generic stateful packet filtering.
This chain is called from many of the INPUT/OUTPUT chains to DROP "INVALID"
and perhaps "UNCLEAN" packets and allow other packets from "RELATED" or
"ESTABLISHED" connections.

CHECK_FLAGS
The CHECK_FLAGS chain contains a few rules to filter based on TCP flags.
These rules do indeed filter mainly bogus/malicious traffic(scans, etc). It
would be a good idea to keep an eye on what these rules send to the logs.
Null scans are also logged and dropped, in the mangle table.

DENY_PORTS
The DENY_PORTS chains contains a few rules to DROP and/or LOG packets based
on the source and/or destination port number of the packet.

Packets destined to/from the following ports are dropped by default in the script. These are just some examples of some commonly used ports that certain daemons/trojans/DDoS agents may utilize.

## TCP ##
137:139 SMB
2049 NFS
6000:6063 X
20034 Netbus 2 Pro
12345:12346 Netbus
27374 SubSeven
27665,27444,31335 Trinoo
10498,12754 Mstream

## UDP ##
2049 NFS
31337 BO2k
27444,31335 Trinoo
10498 mstream

These are just examples to stare at. They guarantee no real protection against the associated trojans.

For more common port numbers check out:
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

ALLOW_PORTS
The ALLOW_PORTS chain simply ACCEPTs packets based on port number. If you have
a default FORWARD policy of DROP, then you would need to utilize a chain like
this if you are DNATing/routing connections behind the firewall or perhaps
running services on(!!!) the firewall.

ALLOW_ICMP
The ALLOW_ICMP chains simply allows packets based on ICMP type. Currently
the firewall allows the flow of the following ICMP types:
Echo Reply (pong)
Destination Unreachable
Echo Request (ping)
TTL Exceeded (traceroute)

SRC_EGRESS && DST_EGRESS
The SRC_EGRESS and DST_EGRESS chains filter packets that have a source or
destination IP address matching an array of private or reserved subnets.

TOS_OUTPUT
The TOS_OUTPUT chain exists in the mangle table and mangles the TOS(Type
of Service) field in the IP header of locally generated, outgoing packets.

TOS_PREROUTING
The TOS_PREROUTING chain exists in the mangle table and mangles the TOS(Type
of Service) field in the IP header of packets being routed through the firewall.

The following user-defined chains are pretty obvious. The firewall script is designed to have a user-defined INPUT and OUTPUT chain for every available interface. From these user-defined chains are called the user-defined chains
mentioned above, which I call "Special Chains". The chains below are then called by the built-in INPUT/OUTPUT/FORWARD chains. This isnt really the rule, of course, alot of the user-defined chains mentioned above are called directly from the built-in INPUT/OUTPUT/FORWARD chains. This is done to assure proper flow of the packets through the filters.

EXTERNAL_INPUT
INTERNAL_INPUT
DMZ_INPUT
LO_INPUT
EXTERNAL_OUTPUT
INTERNAL_OUTPUT
DMZ_OUTPUT
LO_OUTPUT

Very restrictive set of firewall rules script is a sample firewall for ip_tables, the tool for doing firewalling and masquerading under the 2.3.x/2.4.x series of kernels.

Be warned, this is a very restrictive set of firewall rules (and they should be, for proper security). Anything that you do not _specifically_ allow is logged and dropped into /dev/null, so if youre wondering why something isnt working, check /var/log/messages.

This is about as close as you get to a secure firewall. Its nasty, its harsh, and it will make your machine nearly invisible to the rest of the internet world. Have fun.

To run this script you must chmod 700 iptables-script and then execute it. To stop it from running, run iptables -F

Sample:

#Point this to your copy of ip_tables
IPT="/usr/local/bin/iptables"

#Load the module.
modprobe ip_tables

#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall

#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
#$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
#$IPT -P FORWARD ACCEPT
#echo 1 > /proc/sys/net/ipv4/ip_forward

#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP

#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#If youre using IP Masquerading, change this IP to whatever your internl
#IP addres is and uncomment it
#$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT

#Accept DNS, cause its warm and friendly
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT

#Allow ftp to send data back and forth.
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT

#Accept SSH. Duh.
#$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

#Send everything else ot the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall

InJoy Firewall is a flexible firewall security solution for businesses of any size. It offers preconfigured policy templates, including full customization options, IPSec VPN integration, gateway capabilities, intuitive management, access control, many documented deployment examples, and comprehensive documentation.

Without question, the Linux Operating System provides a proven and cost-effective platform, as well as a wealth of high-quality open source software. For business use, however, it often proves difficult to find supported linux firewall solutions that provide the required level of confidence, reliability and trust. With the InJoy Firewall™, businesses can benefit from Linux without having to give up the safety of a responsible vendor and a traditional business relationship.

Security as never before — the InJoy Firewall™ for Linux provides customers with next generation intrusion and anomaly detection. These technologies provides network administrators with the ultimate tools to keep track of network activity and eliminate Internet threats of any type.

As a busy and responsible network administrator, you will find great relief in the InJoy Firewall™. As the only Linux firewall, it is designed from the ground up to be self-contained, thus ensuring optimal performance and minimum impact from third-party problems. This means you dont have to worry about dependencies with Linux connectivity software, software libraries or kernel compilation.


Manage your remote Linux-based Firewall Server from your Windows-based desktop (or any other supported Operating Systems), using the intuitive InJoy firewall™ GUI. Linux users that prefer plain-text configuration can opt for that with the InJoy firewall™ as well.

The InJoy firewall™ works the same under all the supported operating systems, meaning you can deploy a complete and unified protection strategy throughout the business and effortlessly set up fully capable VPNs without having to worry about interoperability issues.

The InJoy firewall™ installs in minutes and can be prepared for distributed, company-wide deployment, using the same simple installation scripts everywhere.

Simple IPTABLES firewall is a very simple firewall constructed with basic iptables commands. It is meant to be a guideline only, since any firewall is specific to the services the host offers, and the services the administrator permits local users to use.

NOTE: As is, the script only allows ident (port 113) requests, ftp only works in PASV mode from the client side, IRC DCC sends and chats initiated from behind the firewall are blocked, but incoming DCC requests work (hint: to DCC chat from behind this firewall, use /ctcp nick chat). ICQ is also broken in a few ways, although you can send messages.

This is a self contained script, and it assumes kernel support, and modules.