網絡防火牆安全策略 一個組織的全局性安全策略必須根據安全分析和業務需求分析來決定。因為防火牆只與網絡安全有關,所以只有在正確定義了全局安全策略的情況下,防火牆才具有一定的價值。網絡防火牆安全策略是指要明確定義那些允許使用或禁止使用的網絡服務,以及這些服務的使用規定和規定中的一些特殊情況。而且,網絡防火牆安全策略中的每一條規定都應該在實際應用時得到實現。總的來說,一個防火牆應該使用以下方法之一。 * 每一個沒有明確允許的都被拒絕 這種方法堵塞了兩個網絡之間的所有流量,除了那些被明確允許的服務和應用程序(application)。因此,每一個想保留的服務和應用程序都應該挨個實現,而任何一個可能成為防火牆漏洞的服務和應用程序都不能允許使用。剛才所說的是一個最安全的方法,那就是除非是系統管理員明確允許使用的服務和應用程序,否則都必須拒絕。另一方面,從用戶的角度來看,這樣可能會限制更多,不是非常方便。在本書中,我們在防火牆配置中會使用這種方法。 * 每一個沒有明確拒絕的都允許 這種方法允許兩個網絡之間所有流量,除非那些被明確禁止的服務和應用程序。因此,每一個不信任或有潛在危害的服務和應用程序都應該逐個拒絕。但是,雖然這對用戶是一個靈活和方便的方法,它卻可能引起一些嚴重的安全問題。 包過濾 包過濾是一種內置於Linux 核心的防火牆類型。過濾型防火牆工作在網絡層。數據只有在防火牆規定允許的情況下才能發出去,而到達的包要則根據它們的類型,源地址,目的地址和每個包中包含的端口信息進行過濾。 在絕大部分時間裡,包過濾的工作是由一個能根據過濾規定轉發數據包的路由器完成的。當一個數據包到達一個能進行包過濾的路由器時,這個路由器從該數據包的包頭中解讀某些信息,然後根據過濾規定決定數據包是通過還是被丟棄。 下面是能從包頭中解讀的信息: * 源IP地址 * 目的IP地址 * TCP/UDP源端口 * TCP/UDP目的端口 * ICMP消息類型 * 協議信息(TCP,UDP,ICMP或IP隧道) 因為只需要分析很少的數據,而且登錄到防火牆只占用很少CPU時間,網絡延遲也非常小,所以如果想使用防火牆保護網絡系統,可以通過很多種方法來建設網絡。 拓撲結構 在網絡中,所有的服務器都至少必須關閉所有沒有用的端口,即使它不是一個防火牆服務器。這樣做是為了更安全。想象一下,有人獲得了對防火牆服務器的訪問權,而這只是因為你鄰近的服務器沒有配置成關閉所有端口,才造成這種情況。對於本地連接,這也是一樣的,沒有安全認證的員工能從內部的其他服務器獲得對另一個服務器的訪問權。 在我們下面的配置中,我們將會給出三個例子,它們有助於你根據要保護的服務器類型和它們在網絡結構中的地位決定防火牆規定。第一個防火牆規定適用於Web服務器,第二個適用於郵件服務器,最後一個適用於作為內部代理服務器使用的網關服務器。詳見圖。 www.openarch.com Caching Only DNS 208.164.186.3 Deep.openarch.com Master DNS Server 208.164.186.1 mail.openarch.com Slave DNS Server 208.164.186.2 1. Unlimited traffic on the loopback interface allowed 2. ICMP traffic allowed 3. DNS Caching and Client Server on port 53 allowed 4. SSH Server on port 22 allowed 5. HTTP Server on port 80 allowed 6. HTTPS Server on port 443 allowed 7. SMTP Client on port 25 allowed 8. FTP Server on ports 20, 21 allowed 9. Outgoing traceroute request allowed 1. Unlimited traffic on the loopback interface allowed 2. ICMP traffic allowed 3. DNS Server and Client on port 53 allowed 4. SSH Server and Client on port 22 allowed 5. HTTP Server and Client on port 80 allowed 6. HTTPS Server and Client on port 443 allowed 7. WWW-CACHE Client on port 8080 allowed 8. External POP Client on port 110 allowed 9. External NNTP NEWS Client on port 119 allowed 10. SMTP Server and Client on port 25 allowed 11. IMAP Server on port 143 allowed 12. IRC Client on port 6667 allowed 13. ICQ Client on port 4000 allowed 14. FTP Client on port 20, 21 allowed 15. RealAudio / QuickTime Client allowed 16. Outgoing traceroute request allowed 1. Unlimited traffic on the loopback interface allowed 2. ICMP traffic allowed 3. DNS Server and Client on port 53 allowed 4. SSH Server on port 22 allowed 5. SMTP Server and Client on port 25 allowed 6. IMAP Server on port 143 allowed 7. Outgoing traceroute request allowed 上表顯示了根據防火牆腳本文件在不同服務器上缺省打開的端口。根據服務器必須要對外提供的服務,你必須配置相應的防火牆腳本文件,以允許在指定端口上的通訊。表中,www.openarch.com是我們的Web服務器,mail.openarch.com是唯一對外的郵件服務器,deep.openarch.com是網關服務器。它們會用在本章所有的例子中。 編譯一個支持IPCHAINS防火牆的內核 首先,必須確信LINUX內核已經編譯成“Network Firewall support”和“Firewalling”(支持網絡防火牆-譯者注)。記住,所有服務器都至少必須關閉所有不使用的端口,即使它不是防火牆服務器。在內核2.2.14中,必須對下面兩個問題回答“Y”。 Networking 選項: Network firewalls (CONFIG_FIREFALL) [N] Y IP: Firewalling (CONFIG_FIREWALL) [N] Y IP: TCP syncookie support(CONFIG_SYN_COOKIES) [N] Y 注釋:如果你在閱讀《Linux 內核》一節時就重新編譯了內核,那麼上面這些選項應該已經設置好了。 只對網關服務器有用的IP Masquerading 和 IP ICMP Masquerading: IP: Masquerading (CONFIG_IP_MASQUERADE) [N] Y IP: ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y 注釋:只有網關服務器才需要支持“IP: Masquerading”和“IP: ICMP Masquerading”內核選項,它需要把內部網對外界偽裝起來。 在這裡,偽裝的意思是,如果在本地網中的一台計算機想要發送一些東西到網絡外部,而這個本地網絡由一個Linux盒 (Linux box:可以是任何簡易的Linux 設備-譯者注) 充當網絡防火牆,那麼這個Linux盒就可以偽裝成那台要發送內容的計算機。例如,Linux盒轉發了到網絡外部的所有流量,但是對外部來說,這些都象是來自防火牆本身。 它可以通過兩種方式工作:如果外部主機應答,Linux防火牆就將把這些流量轉發到相應的本地計算機,在這種情況下,在本地網絡中的計算機對於外部是完全不可見的,即使它們可以訪問外界並收到應答。這樣,即使本地網絡中的計算機沒有合法的IP地址也能夠訪問Internet。 IP偽裝的代碼只能工作在下面這種條件下,即在系統啟動並安裝(mount)了/proc 文件系統之後,“IP轉發”能夠通過下面這行代碼執行: echo "1" > /proc/sys/net/ipv4/ip_forward 你可以在“/etc/rc.d/rc.local”文件中加上這一行,這樣在下次計算機重新啟動時就會自動支持IP轉發。 編輯rc.local文件 (通過 vi /etc/rc.d/rc.local )並加上下面這行: echo "1" > /proc/sys/net/ipv4/ip_forward 注釋:上面有關IP轉發的命令行只有在對內核選項“IP: Masquerading (CONFIG_IP_MASQUERDE)”回答“Y”,並且配置了網關服務器來偽裝內部網絡的情況下才是必須的。 如果選擇了支持IP Masquerading,模塊ip_masq_ftp.o(用於ftp文件傳輸),ip_masq_irc.o(用於irc chats),ip_masq_quake.o (用途你可以猜得到),ip_masq_vdolive.o(用於VDOLive 的視頻連接),ip_masq_cuseeme.o(用於CU-SeeMe 廣播)和ip_masq_raudio.o(用於RealAudio 下載)將會自動編譯,它們是這些協議工作時所需要的。 同時,你需要在回答“Enable loadale module support (CONFIG_MODULES)”時選擇“Y”以編譯一個模塊化的內核而不是整體型的內核,這樣就可以在網關服務器上使用偽裝功能和象ip_masq_ftp.o之類的模塊。 上面所講的對“IP: masquerading”而言的基本偽裝代碼只能處理TCP或UDP包(以及當前連接的ICMP錯誤)。IP: ICMP Masquerading 增加了對偽裝ICMP包的附加支持, 比如Windows 95 跟蹤程序使用的ping 或 probe。 注釋:記住,其它類型的服務器象Web 服務器和郵件服務器並不需要支持這些選項,因為它們要不是擁有一個真實的IP地址,就是不用擔任內部網絡的網關。 注意事項 如果你的系統與Internet相連,那你確實可以假設你處在潛在的危險中。因為你的網關是對Internet的暴露點,所以我們建議以下幾點: * 網關服務器除非確實有必要,一定不要在上面新增任何應用程序。 * 網關服務器上應該嚴格限制能夠通過的協議種類和數量(許多協議都是潛在的安全漏洞,比如FTP和telnet )。 * 任何裝有機密和敏感信息的系統都不應該能從Internet 上直接訪問。 解釋一下防火牆腳本文件的一些規則 下面列出了對將用於防火牆例子的一些規則的解釋。這些只是一個參考,防火牆腳本文件都有很清晰的注釋說明,也非常好修改。 腳本文件中使用的常量 在腳本文件中,常量定義了大部分將會使用的數值。其中最基本的常量是: EXTERNAL_INTERFACE 這是與Internet 相連的對外網卡名字。在以後的例子中定義成“eth0”。 LOCAL_INTERFACE_1 這是與內部局域網相連的對內網卡名字。在以後的例子中定義成“eth1”。 LOOPBACK_INTERFACE 這是回饋網卡名字。在以後的例子中定義成“lo”。 IPADDR 這是對外網卡的IP地址。這或者是一個與InterNIC(網卡-譯者注)綁定的靜態地址,或者是由ISP動態分配的地址(通常是通過DHCP)。 LOCALNET_1 這是局域網的網絡地址。這應該是局域網中所有機器使用的IP地址范圍。它應該是靜態指定的,可以用一個DHCP服務器來分配。在後面的例子中,IP地址范圍是192.168.1.0/24,是C類地址的一部分。 ANYWHERE 這是ipchains 用來匹配所有地址(非廣播地址)的地址的一個標志。所有程序都為這個地址提供一個“any/0”的標志,這個地址是0.0.0.0/0。 NAMESERVER_1 這是主DNS服務器或ISP的IP地址。 NAMESERVER_1 這是第二DNS服務器或ISP的IP地址。 LOOPBACK 回饋地址的范圍是127.0.0.0/8。網卡自己的地址是127.0.0.1(在/etc/hosts文件中指定)。 PRIVPORTS 指定優先端口,通常從0到1023。 UNPRIVPORTS 指定非優先端口,通常從1024到65535。它們是動態分配給連接客戶端的。 Default Policy 一個防火牆通常有一個缺省的安全策略,以及一系列對應於特殊消息類型的反應動作。這意味著如果有一個數據包不適用於任何已定義的策略,這個缺省策略就會發揮作用。 注釋:一個IP轉發性質(IPFW)的防火牆有兩個基本策略,一個是缺省拒絕所有信息,只允許明確規定允許的信息;另一個是缺省接受一切信息,只拒絕明確規定不允許的信息。其中,缺省拒絕一切的策略是我們推薦的,因為通過它更容易建立一個安全得多的防火牆。 允許本地流量 因為缺省策略是拒絕一切信息,所以其中一些需要放開。本地網絡服務不通過對外的網卡進行,它們只通過一個特殊的、私有的網卡,叫做回饋網卡。只有回饋網卡允許工作了,本地網絡才能正常工作。 #Unlimited traffic on the loopback interface. ichains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ichains -A output -i $LOOPBACK_INTERFACE -j ACCEPT 源地址過濾 在IP數據包頭中,在IP協議中唯一有標識含義的是包的源地址。這種情況就為利用源地址進行欺騙開了後門,因為只要把源地址替換成一個不存在的地址,或是另外一個地址就可以了。這就允許有惡意的人侵入你的系統或偽裝成你去攻擊別人。 # Refuse spoofed packets pretending to be from the external address. ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY 在任何情況下,起碼有7種源地址需要在對外網卡上設置成拒絕。 下面這些地址是從外面進來的數據包所需要的: * 自己對外的IP地址 * A類私有地址 * B類私有地址 * C類私有地址 * D類多址地址 * E類保留地址 * 回饋網卡地址 除了你自己的IP地址以外,應該阻塞所有包含這些源地址的外出數據包,這樣才能保護自己避免因為配置上的錯誤而受到攻擊。 其余的規定 在防火牆腳本文件中使用的其它規定是: * 從外部訪問一個服務(Access a Service from the Outside World) * 向外部提供一個服務 * 偽裝內部網絡中的計算機 防火牆腳本文件 使用ipchains 可以建立防火牆,使用IP偽裝等等。Ipchains 與系統核心交互,並告訴內核過濾哪些數據包。因此所有的防火牆設置都保存在內核中,在系統重新啟動時就丟掉了。 為了避免出現這種情況,我們推薦使用 System V(系統V)的init 腳本來使安全策略永遠有效。要達到這個目的,就應該象下面的例子一樣,為每一個服務器在 “/etc/rc.d/init.d”下創建一個防火牆腳本文件。為了保險起見,每一個服務器提供不同的服務,並使用不同的防火牆配置。由於這個原因,我們提供了一系列不同的防火牆配置,你可以對它們進行測試並修改成自己所需要的樣子。同時,我們也假設你具有關於過濾型防火牆和防火牆規定工作過程的最基本知識。 為Web服務器配置“/etc/rc.d/init.d/firewall”腳本文件 下面是用於我們Web服務器的配置腳本文件。這個配置允許在回饋網卡上的所有流量,缺省情況下是ICMP ,DNS 緩存(Caching)和客戶服務器(53),SSH服務器(22),HTTP服務器(80),HTTPS 服務器(443),SMTP 客戶機(25),FTP 服務器(20,21)和OUTGOING TRACEROUTE請求(用於了解在訪問某個地址過程中出現的錯誤----譯者注)。 如果不需要我在下面文件中缺省列出的某些服務,你可以用行開頭加“#”來注釋掉該行。如果需要某些被注釋掉的服務,去掉該行開頭的“#”就可以了。 請在Web服務器上創建如下的防火牆腳本文件(用 toUCh /etc/rc.d/init.d/firewall ): #!/bin/sh # # ---------------------------------------------------------------------------- # Last modified by Gerhard Mourani: 02-01-2000 # ---------------------------------------------------------------------------- # Copyright (C) 1997, 1998, 1999 Robert L. Ziegler # # Permission to use, copy, modify, and distribute this software and its # documentation for educational, research, private and non-profit purposes, # without fee, and without a written agreement is hereby granted. # This software is provided as an example and basis for individual firewall # development. This software is provided without warranty. # # Any material furnished by Robert L. Ziegler is furnished on an # "as is" basis. He makes no warranties of any kind, either eXPressed # or implied as to any matter including, but not limited to, warranty # of fitness for a particular purpose, exclusivity or results oBTained # from use of the material. # ---------------------------------------------------------------------------- # # Invoked from /etc/rc.d/init.d/firewall. # chkconfig: - 60 95 # description: Starts and stops the IPCHAINS Firewall # used to provide Firewall network services. # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 # See how we were called. case "$1" in start) echo -n "Starting Firewalling Services: " # Some definitions for easy maintenance. # ---------------------------------------------------------------------------- # EDIT THESE TO SUIT YOUR SYSTEM AND ISP. EXTERNAL_INTERFACE="eth0" # whichever you use LOOPBACK_INTERFACE="lo" IPADDR="208.164.186.3" ANYWHERE="any/0" NAMESERVER_1="208.164.186.1" # Your primary name server NAMESERVER_2="208.164.186.2" # Your secondary name server SMTP_SERVER="mail.openarch.com" # Your Mail Hub Server. SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server SYSLOG_CLIENT="208.164.168.0/24" # Your syslog internal client LOOPBACK="127.0.0.0/8" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0.0/4" CLASS_E_RESERVED_NET="240.0.0.0/5" BROADCAST_SRC="0.0.0.0" BROADCAST_DEST="255.255.255.255" PRIVPORTS="0:1023" UNPRIVPORTS="1024:65535" # ---------------------------------------------------------------------------- # SSH starts at 1023 and works down to 513 for # each additional simultaneous incoming connection. SSH_PORTS="1022:1023" # range for SSH privileged ports # traceroute usually uses -S 32769:65535 -D 33434:33523 TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" # ---------------------------------------------------------------------------- # Default policy is DENY # Explicitly accept desired INCOMING & OUTGOING connections # Remove all existing rules belonging to this filter ipchains -F # Set the default policy of the filter to deny. ipchains -P input DENY ipchains -P output REJECT ipchains -P forward REJECT # ---------------------------------------------------------------------------- # Enable TCP SYN Cookie Protection echo 1 >/proc/sys/net/ipv4/tcp_syncookies # Enable IP spoofing protection # turn on Source Address Verification for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done # Disable Source Routed Packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done # ---------------------------------------------------------------------------- # LOOPBACK # Unlimited traffic on the loopback interface. ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT # ---------------------------------------------------------------------------- # Network Ghouls # Deny access to jerks # /etc/rc.d/rc.firewall.blocked contains a list of # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY # rules to block from any access. # Refuse any connection from problem sites #if [ -f /etc/rc.d/rc.firewall.blocked ]; then # . /etc/rc.d/rc.firewall.blocked #fi # ---------------------------------------------------------------------------- # SPOOFING & BAD ADDRESSES # Refuse spoofed packets. # Ignore blatantly illegal source addresses. # Protect yourself from sending to bad addresses. # Refuse spoofed packets pretending to be from the external address. ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l # Refuse packets claiming to be to or from a Class A private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l # Refuse packets claiming to be to or from a Class B private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l # Refuse packets claiming to be to or from a Class C private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l # Refuse packets claiming to be from the loopback interface ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l # Refuse broadcast address SOURCE packets ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO) # Multicast is illegal as a source address. # Multicast uses UDP. ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l # Refuse Class E reserved IP addresses ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l # refuse addresses defined as reserved by the IANA # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.* # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.* # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.* ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l #65: 01000001 - /3 includes 64 - need 65-79 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l #80: 01010000 - /4 masks 80-95 ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l # 96: 01100000 - /4 makses 96-111 ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l #126: 01111110 - /3 includes 127 - need 112-126 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l #217: 11011001 - /5 includes 216 - need 217-219 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l #223: 11011111 - /6 masks 220-223 ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l # ---------------------------------------------------------------------------- # ICMP # To prevent denial of service attacks based on ICMP bombs, filter # incoming Redirect (5) and outgoing Destination Unreachable (3). # Note, however, disabling Destination Unreachable (3) is not # advisable, as it is used to negotiate packet fragment size. # For bi-directional ping. # Message Types: Echo_Reply (0), Echo_Request (8) # To prevent attacks, limit the src addresses to your ISP range. # # For outgoing traceroute. # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11) # default UDP base: 33434 to base+nhops-1 # # For incoming traceroute. # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11) # To block this, deny OUTGOING 3 and 11 # 0: echo-reply (pong) # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc. # 4: source-quench # 5: redirect # 8: echo-request (ping) # 11: time-exceeded # 12: parameter-problem ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 0 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 3 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 4 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 11 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 12 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s 208.164.186.0/24 8 -d $IPADDR -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 0 -d 208.164.186.0/24 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 3 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 4 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 8 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 12 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 11 -d 208.164.186.0/24 -j ACCEPT # ---------------------------------------------------------------------------- # UDP INCOMING TRACEROUTE # traceroute usually uses -S 32769:65535 -D 33434:33523 ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 208.164.186.0/24 $TRACEROUTE_SRC_PORTS -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE $TRACEROUTE_SRC_PORTS -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l # ---------------------------------------------------------------------------- # DNS server # ---------- # DNS forwarding, caching only nameserver (53) # -------------------------------------------- # server to server query or response # Caching only name server only requires UDP, not TCP ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $NAMESERVER_1 53 -d $IPADDR 53 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 53 -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $NAMESERVER_2 53 -d $IPADDR 53 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 53 -d $NAMESERVER_2 53 -j ACCEPT # DNS client (53) # --------------- ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $NAMESERVER_1 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_1 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $NAMESERVER_2 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_2 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_2 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_2 53 -j ACCEPT # ---------------------------------------------------------------------------- # TCP accept only on selected ports # --------------------------------- # ------------------------------------------------------------------ # SSH server (22) # --------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 22 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 22 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $SSH_PORTS -d $IPADDR 22 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 22 -d $ANYWHERE $SSH_PORTS -j ACCEPT # SSH client (22) # --------------- # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y # -s $ANYWHERE 22 # -d $IPADDR $UNPRIVPORTS -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp # -s $IPADDR $UNPRIVPORTS # -d $ANYWHERE 22 -j ACCEPT # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y # -s $ANYWHERE 22 # -d $IPADDR $SSH_PORTS -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp # -s $IPADDR $SSH_PORTS # -d $ANYWHERE 22 -j ACCEPT # ------------------------------------------------------------------ # HTTP server (80) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 80 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 80 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HTTPS server (443) # ------------------ ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 443 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 443 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # SYSLOG server (514) # ----------------- # Provides full remote logging. Using this feature you're able to # control all syslog messages on one host. # ipchains -A input -i $EXTERNAL_INTERFACE -p udp # -s $SYSLOG_CLIENT # -d $IPADDR 514 -j ACCEPT # SYSLOG client (514) # ----------------- # ipchains -A output -i $EXTERNAL_INTERFACE -p udp # -s $IPADDR 514 # -d $SYSLOG_SERVER 514 -j ACCEPT # ------------------------------------------------------------------ # AUTH server (113) # ----------------- # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE -d $IPADDR 113 -j REJECT # ------------------------------------------------------------------ # SMTP client (25) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $SMTP_SERVER 25 -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $SMTP_SERVER 25 -j ACCEPT # ------------------------------------------------------------------ # FTP server (20, 21) # ------------------- # incoming request ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 21 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 21 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # PORT MODE data channel responses # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 20 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR 20 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # PASSIVE MODE data channel responses ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR $UNPRIVPORTS -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # OUTGOING TRACEROUTE # ------------------- ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $TRACEROUTE_SRC_PORTS -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT # ---------------------------------------------------------------------------- # Enable logging for selected denied packets ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 5 -d $IPADDR -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l # ---------------------------------------------------------------------------- ;; stop) echo -n "Shutting Firewalling Services: " # Remove all existing rules belonging to this filter ipchains -F # Reset the default policy of the filter to accept. ipchains -P input ACCEPT ipchains -P output ACCEPT ipchains -P forward ACCEPT # Reset TCP SYN Cookie Protection to off. echo 0 >/proc/sys/net/ipv4/tcp_syncookies # Reset IP spoofing protection to off. # turn on Source Address Verification for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f done # Reset ICMP Redirect Acceptance to on. for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 1 > $f done # Reset Source Routed Packets to on. for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 1 > $f done ;; status) echo -n "Now do you show firewalling stats?" ;; restartreload) $0 stop $0 start ;; *) echo "Usage: firewall {startstopstatusrestartreload}" exit 1 esac 現在,讓這個腳本文件成為可執行的,並改變它的缺省權限: [root@deep]# chmod 700 /etc/rc.d/init.d/firewall [root@deep]# chown 0.0 /etc/rc.d/init.d/firewall 創建防火牆文件與rc.d的符號鏈接: [root@deep]# chkconfig --add firewall [root@deep]# chkconfig --level 345 firewall on 現在,防火牆規則就通過使用系統V的init 配置好了(系統V的init 負責啟動所有在系統引導階段需要運行的普通程序),並且它會在服務器重起時自動執行。 要手工停止防火牆,用命令: [root@deep]# /etc/rc.d/init.d/firewall stop 要手工運行防火牆,用命令: [root@deep]# /etc/rc.d/init.d/firewall start 為郵件服務器配置“/etc/rc.d/init.d/firewall”腳本文件 下面是用於我們郵件服務器的配置腳本文件。這個配置允許在回饋網卡上的所有流量,缺省情況下是ICMP ,DNS服務器和客戶機(53),SSH服務器(22),SMTP 服務器和客戶機(25),IMAP 服務器(143)和OUTGOING TRACEROUTE請求。 如果你不需要我在下面文件中缺省列出的某些服務,可以用行開頭加“#”來注釋掉該行。如果需要那些被注釋掉的服務,去掉該行開頭的“#”就可以了。 請在郵件服務器上創建如下的防火牆腳本文件(用 touch /etc/rc.d/init.d/firewall ): #!/bin/sh # # ---------------------------------------------------------------------------- # Last modified by Gerhard Mourani: 02-01-2000 # ---------------------------------------------------------------------------- # Copyright (C) 1997, 1998, 1999 Robert L. Ziegler # # Permission to use, copy, modify, and distribute this software and its # documentation for educational, research, private and non-profit purposes, # without fee, and without a written agreement is hereby granted. # This software is provided as an example and basis for individual firewall # development. This software is provided without warranty. # # Any material furnished by Robert L. Ziegler is furnished on an # "as is" basis. He makes no warranties of any kind, either expressed # or implied as to any matter including, but not limited to, warranty # of fitness for a particular purpose, exclusivity or results obtained # from use of the material. # ---------------------------------------------------------------------------- # # Invoked from /etc/rc.d/init.d/firewall. # chkconfig: - 60 95 # description: Starts and stops the IPCHAINS Firewall # used to provide Firewall network services. # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 # See how we were called. case "$1" in start) echo -n "Starting Firewalling Services: " # Some definitions for easy maintenance. # ---------------------------------------------------------------------------- # EDIT THESE TO SUIT YOUR SYSTEM AND ISP. EXTERNAL_INTERFACE="eth0" # whichever you use LOOPBACK_INTERFACE="lo" IPADDR="208.164.186.2" ANYWHERE="any/0" NAMESERVER_1="208.164.186.1" # Your primary name server NAMESERVER_2="208.164.186.2" # Your secondary name server SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server SYSLOG_CLIENT="208.164.168.0/24" # Your syslog internal client LOOPBACK="127.0.0.0/8" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0.0/4" CLASS_E_RESERVED_NET="240.0.0.0/5" BROADCAST_SRC="0.0.0.0" BROADCAST_DEST="255.255.255.255" PRIVPORTS="0:1023" UNPRIVPORTS="1024:65535" # ---------------------------------------------------------------------------- # SSH starts at 1023 and works down to 513 for # each additional simultaneous incoming connection. SSH_PORTS="1022:1023" # range for SSH privileged ports # traceroute usually uses -S 32769:65535 -D 33434:33523 TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" # ---------------------------------------------------------------------------- # Default policy is DENY # Explicitly accept desired INCOMING & OUTGOING connections # Remove all existing rules belonging to this filter ipchains -F # Set the default policy of the filter to deny. ipchains -P input DENY ipchains -P output REJECT ipchains -P forward REJECT # ---------------------------------------------------------------------------- # Enable TCP SYN Cookie Protection echo 1 >/proc/sys/net/ipv4/tcp_syncookies # Enable IP spoofing protection # turn on Source Address Verification for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done # Disable Source Routed Packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done # ---------------------------------------------------------------------------- # LOOPBACK # Unlimited traffic on the loopback interface. ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT # ---------------------------------------------------------------------------- # Network Ghouls # Deny access to jerks # /etc/rc.d/rc.firewall.blocked contains a list of # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY # rules to block from any access. # Refuse any connection from problem sites #if [ -f /etc/rc.d/rc.firewall.blocked ]; then # . /etc/rc.d/rc.firewall.blocked #fi # ---------------------------------------------------------------------------- # SPOOFING & BAD ADDRESSES # Refuse spoofed packets. # Ignore blatantly illegal source addresses. # Protect yourself from sending to bad addresses. # Refuse spoofed packets pretending to be from the external address. ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l # Refuse packets claiming to be to or from a Class A private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l # Refuse packets claiming to be to or from a Class B private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l # Refuse packets claiming to be to or from a Class C private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l # Refuse packets claiming to be from the loopback interface ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l # Refuse broadcast address SOURCE packets ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO) # Multicast is illegal as a source address. # Multicast uses UDP. ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l # Refuse Class E reserved IP addresses ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l # refuse addresses defined as reserved by the IANA # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.* # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.* # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.* ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l #65: 01000001 - /3 includes 64 - need 65-79 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l #80: 01010000 - /4 masks 80-95 ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
