Network Firewall Security Policy
An organization's overall security policy must be decided on the basis of a security analysis and an analysis of business needs. Because a firewall is concerned only with network security, it has value only when the global security policy has been correctly defined. A network firewall security policy explicitly defines which network services are permitted and which are prohibited, the rules for using those services, and any exceptions to those rules. Furthermore, every rule in the network firewall security policy must actually be implemented. In general, a firewall should follow one of the following two approaches.
* Everything not explicitly permitted is denied
This approach blocks all traffic between the two networks except for the services and applications that have been explicitly permitted. Every service and application that is to remain available must therefore be implemented one by one, and any service or application that could become a hole in the firewall must not be allowed. This is the most secure approach: unless the system administrator has explicitly permitted a service or application, it is denied. On the other hand, from the user's point of view it can be more restrictive and less convenient. In this book we use this approach in our firewall configurations.
* Everything not explicitly denied is permitted
This approach allows all traffic between the two networks except for the services and applications that have been explicitly prohibited. Every untrusted or potentially harmful service and application must therefore be denied one by one. Although this is flexible and convenient for users, it can cause serious security problems.
Packet Filtering
Packet filtering is a type of firewall built into the Linux kernel. A filtering firewall works at the network layer. Data is allowed to leave only if the firewall rules permit it, and arriving packets are filtered according to their type, source address, destination address and the port information contained in each packet.
Most of the time, packet filtering is done by a router that forwards packets according to filtering rules. When a packet arrives at a packet-filtering router, the router extracts certain information from the packet header and, according to the filtering rules, decides whether the packet is passed or dropped.
The following information can be extracted from the packet header:
* Source IP address
* Destination IP address
* TCP/UDP source port
* TCP/UDP destination port
* ICMP message type
* Protocol information (TCP, UDP, ICMP or IP tunnel)
Because only a small amount of data has to be analysed and logged, a filtering firewall uses very little CPU time and adds very little network latency, so if you want to protect a network with a firewall there are many ways the network can be built.
Topology
Every server in the network must at least close all unused ports, even if it is not a firewall server. This is simply more secure. Imagine someone gaining access to your firewall server only because a neighbouring server had not been configured to close all its ports. The same applies to local connections: an employee without authorization could gain access to one server from another internal server.
In the configurations below we give three examples to help you decide on firewall rules according to the kind of server being protected and its place in the network structure. The first set of firewall rules applies to a Web server, the second to a mail server, and the last to a gateway server used as an internal proxy server. See the figure.
Figure: the three example servers and the services their firewall scripts allow.

www.openarch.com (Web server, caching-only DNS, 208.164.186.3):
1. Unlimited traffic on the loopback interface allowed
2. ICMP traffic allowed
3. DNS Caching and Client Server on port 53 allowed
4. SSH Server on port 22 allowed
5. HTTP Server on port 80 allowed
6. HTTPS Server on port 443 allowed
7. SMTP Client on port 25 allowed
8. FTP Server on ports 20, 21 allowed
9. Outgoing traceroute request allowed

deep.openarch.com (gateway server, master DNS server, 208.164.186.1):
1. Unlimited traffic on the loopback interface allowed
2. ICMP traffic allowed
3. DNS Server and Client on port 53 allowed
4. SSH Server and Client on port 22 allowed
5. HTTP Server and Client on port 80 allowed
6. HTTPS Server and Client on port 443 allowed
7. WWW-CACHE Client on port 8080 allowed
8. External POP Client on port 110 allowed
9. External NNTP NEWS Client on port 119 allowed
10. SMTP Server and Client on port 25 allowed
11. IMAP Server on port 143 allowed
12. IRC Client on port 6667 allowed
13. ICQ Client on port 4000 allowed
14. FTP Client on port 20, 21 allowed
15. RealAudio / QuickTime Client allowed
16. Outgoing traceroute request allowed

mail.openarch.com (mail server, slave DNS server, 208.164.186.2):
1. Unlimited traffic on the loopback interface allowed
2. ICMP traffic allowed
3. DNS Server and Client on port 53 allowed
4. SSH Server on port 22 allowed
5. SMTP Server and Client on port 25 allowed
6. IMAP Server on port 143 allowed
7. Outgoing traceroute request allowed
The table above shows the ports that the firewall script files open on the different servers. Depending on the services a server must provide to the outside world, you must configure the corresponding firewall script file to allow traffic on the specified ports. In the table, www.openarch.com is our Web server, mail.openarch.com is the only externally reachable mail server, and deep.openarch.com is the gateway server. They are used in all the examples in this chapter.
Compiling a kernel with IPCHAINS firewall support
First, make sure the Linux kernel has been compiled with "Network Firewall support" and "Firewalling" enabled. Remember that every server must at least close all unused ports, even if it is not a firewall server. In kernel 2.2.14 you must answer "Y" to the following questions.
Networking options:
Network firewalls (CONFIG_FIREWALL) [N] Y
IP: Firewalling (CONFIG_IP_FIREWALL) [N] Y
IP: TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y
Note: if you recompiled the kernel while reading the "Linux Kernel" section, these options should already be set.
IP Masquerading and IP ICMP Masquerading, needed only on the gateway server:
IP: Masquerading (CONFIG_IP_MASQUERADE) [N] Y
IP: ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y
Note: only the gateway server needs the "IP: Masquerading" and "IP: ICMP Masquerading" kernel options, because it has to masquerade the internal network towards the outside world.
Masquerading here means that if a PC on the local network wants to send something to the outside, and the local network uses a Linux box as its network firewall, the Linux box can pretend to be the computer that sent it. In other words, the Linux box forwards all traffic to the outside, but to the outside it all appears to come from the firewall itself.
It works both ways: if the external host replies, the Linux firewall forwards the reply to the corresponding local computer. In this way the computers on the local network are completely invisible from outside, even though they can reach the outside world and receive replies. This means that computers on the local network can access the Internet even without a valid IP address.
The IP masquerading code works only if IP forwarding is enabled once the system has booted and the /proc filesystem has been mounted, which is done with the following line:
echo "1" > /proc/sys/net/ipv4/ip_forward
You can add this line to the /etc/rc.d/rc.local file so that IP forwarding is enabled automatically the next time the machine reboots.
Edit the rc.local file (vi /etc/rc.d/rc.local) and add the following line:
echo "1" > /proc/sys/net/ipv4/ip_forward
Note: the IP forwarding line above is required only if you answered "Y" to the kernel option "IP: Masquerading (CONFIG_IP_MASQUERADE)" and configured the gateway server to masquerade the internal network.
If IP Masquerading support is selected, the modules ip_masq_ftp.o (for FTP file transfers), ip_masq_irc.o (for IRC chats), ip_masq_quake.o (you can guess what for), ip_masq_vdolive.o (for VDOLive video connections), ip_masq_cuseeme.o (for CU-SeeMe broadcasts) and ip_masq_raudio.o (for RealAudio downloads) are compiled automatically; they are needed for these protocols to work through masquerading.
You also need to answer "Y" to "Enable loadable module support (CONFIG_MODULES)" to build a modular kernel rather than a monolithic one, so that masquerading and modules such as ip_masq_ftp.o can be used on the gateway server.
The basic masquerading code enabled by "IP: Masquerading" handles only TCP and UDP packets (and the ICMP errors for existing connections). "IP: ICMP Masquerading" adds support for masquerading ICMP packets, such as the ping or probe used by the Windows 95 tracert program.
Note: remember that other kinds of servers, such as Web servers and mail servers, do not need these options, because they either have a real IP address or do not act as a gateway for the internal network.
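The following is an added example (not code from the book) that models the masquerading behaviour just described: outbound LAN packets are rewritten to the gateway's own address and a port it picks, and only replies to a remembered flow are translated back. It assumes the gateway's external address is 208.164.186.1 and the internal network is 192.168.1.0/24 (LOCALNET_1 of this chapter); the port range it hands out and the sample packets are constructed for the example.

```python
# Added example (not from the book): a toy model of IP masquerading as done by
# the gateway kernel option, showing why LAN hosts are invisible from outside.
# Assumed values: gateway external address 208.164.186.1, internal network
# 192.168.1.0/24; the masqueraded port range (from 61000) is this example's choice.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp" (the basic masquerading code handles these)
    src: str
    sport: int
    dst: str
    dport: int


# (proto, internal ip, internal port, remote ip, remote port)
Flow = Tuple[str, str, int, str, int]


class Masquerader:
    def __init__(self, external_ip: str, local_net: str, first_port: int = 61000):
        self.external_ip = external_ip
        self.local_net = ip_network(local_net)
        self.next_port = first_port
        self.by_port: Dict[Tuple[str, int], Flow] = {}   # (proto, masq port) -> flow
        self.by_flow: Dict[Flow, int] = {}                # flow -> masq port

    def outbound(self, p: Packet) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source so the packet appears to come from the gateway."""
        if ip_address(p.src) not in self.local_net or ip_address(p.dst) in self.local_net:
            return None   # not a LAN-to-outside packet: nothing to masquerade
        flow: Flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.by_flow.get(flow)
        if port is None:  # first packet of this connection: allocate a port and remember it
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[(p.proto, port)] = flow
        return replace(p, src=self.external_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> LAN: only a reply to a remembered flow is translated back.
        Anything else is dropped, so private addresses are never reachable from outside."""
        if p.dst != self.external_ip:
            return None
        flow = self.by_port.get((p.proto, p.dport))
        if flow is None:
            return None   # no LAN host ever talked to anyone on this port
        proto, in_ip, in_port, remote_ip, remote_port = flow
        if p.src != remote_ip or p.sport != remote_port:
            return None   # packet from a host/port that is not the flow's peer
        return replace(p, dst=in_ip, dport=in_port)
```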
Precautions
If your system is connected to the Internet, you can safely assume that you are in potential danger. Because your gateway is the point of exposure to the Internet, we recommend the following:
* Never add any application to the gateway server unless it is really necessary.
* Strictly limit the kinds and number of protocols allowed through the gateway server (many protocols are potential security holes, for example FTP and telnet).
* No system holding confidential or sensitive information should be directly reachable from the Internet.
Some rules of the firewall script files explained
Below are explanations of some of the rules used in the firewall examples. They are only a reference; the firewall script files themselves are clearly commented and easy to modify.
Constants used in the script files
In the script files, constants define most of the values that will be used. The most basic ones are:
EXTERNAL_INTERFACE
This is the name of the external network interface connected to the Internet. In the examples that follow it is defined as "eth0".
LOCAL_INTERFACE_1
This is the name of the internal interface connected to the local area network. In the examples that follow it is defined as "eth1".
LOOPBACK_INTERFACE
This is the name of the loopback interface. In the examples that follow it is defined as "lo".
IPADDR
This is the IP address of the external interface. It is either a static address registered with InterNIC, or an address assigned dynamically by the ISP (usually via DHCP).
LOCALNET_1
This is the network address of the local area network. It should be the range of IP addresses used by all machines on the LAN. It should be statically assigned; a DHCP server can be used to distribute the addresses. In the examples that follow the range is 192.168.1.0/24, part of the Class C private address space.
ANYWHERE
This is the label ipchains uses to match any (non-broadcast) address. The programs all provide the label "any/0" for this address, which is 0.0.0.0/0.
NAMESERVER_1
This is the IP address of the primary DNS server, yours or the ISP's.
NAMESERVER_2
This is the IP address of the secondary DNS server, yours or the ISP's.
LOOPBACK
The loopback address range is 127.0.0.0/8. The interface's own address is 127.0.0.1 (defined in the /etc/hosts file).
PRIVPORTS
Specifies the privileged ports, normally 0 to 1023.
UNPRIVPORTS
Specifies the unprivileged ports, normally 1024 to 65535. They are assigned dynamically to connecting clients.
Default Policy
A firewall usually has a default security policy and a series of reactions for particular kinds of message. This means that if a packet does not match any defined policy, the default policy takes effect.
Note: an IP firewall (IPFW) has two basic policies: one denies everything by default and allows only what is explicitly permitted; the other accepts everything by default and denies only what is explicitly prohibited. We recommend the deny-everything policy, because it makes a far more secure firewall much easier to build.
Allowing local traffic
Because the default policy is to deny everything, some traffic has to be opened up. Local network services do not go through the external interface; they go only through a special, private interface called the loopback interface. Local network services can work only if the loopback interface is allowed to work.
#Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
Source address filtering
In the IP packet header, the only thing that identifies the sender at the IP level is the packet's source address. This opens the door to source-address spoofing, because all it takes is to replace the source address with a non-existent address or with somebody else's. That lets a malicious person break into your system, or impersonate you to attack others.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
In any case, there are at least seven kinds of source address that must be denied on the external interface.
The following addresses, when they appear as the source of a packet arriving from outside, must be refused:
* Your own external IP address
* Class A private addresses
* Class B private addresses
* Class C private addresses
* Class D multicast addresses
* Class E reserved addresses
* The loopback interface address
Apart from your own IP address, all outgoing packets carrying these source addresses should also be blocked, so that you are protected against configuration errors on your own side.
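The following is an added example (not code from the book or from ipchains) that models the default-deny policy and the source-address filtering described in the last two sections: a chain is a list of rules tried in order, the first match decides, and the chain's policy applies when nothing matches. It uses the Web server's own values from this chapter (external interface eth0, IPADDR 208.164.186.3, NAMESERVER_1 208.164.186.1) and a handful of its rules; the sample packets are constructed for the example.

```python
# Added example (not from the book): a small model of ipchains first-match
# evaluation with a default policy of DENY, using a few of the Web server's
# rules from this chapter.  Values are the book's own: external interface
# eth0, IPADDR 208.164.186.3, NAMESERVER_1 208.164.186.1.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"          # ipchains "any/0"
UNPRIV = (1024, 65535)     # UNPRIVPORTS


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int         # for icmp this slot carries the message type
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    target: str                         # -j ACCEPT / DENY / REJECT
    iface: Optional[str] = None         # -i
    proto: Optional[str] = None         # -p
    src: str = ANY                      # -s address
    sports: Tuple[int, int] = (0, 65535)
    dst: str = ANY                      # -d address
    dports: Tuple[int, int] = (0, 65535)
    syn: Optional[bool] = None          # -y is True, "! -y" is False, None: not tested
    log: bool = False                   # -l

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if not (self.sports[0] <= p.sport <= self.sports[1]):
            return False
        if not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        # the SYN test only has meaning for TCP
        if self.syn is not None and p.proto == "tcp" and p.syn != self.syn:
            return False
        return True


class Chain:
    """One ipchains chain: rules are tried in order and the first match decides."""

    def __init__(self, policy: str):
        self.policy = policy            # ipchains -P <chain> <policy>
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:   # ipchains -A <chain> ...
        self.rules.append(rule)

    def run(self, p: Packet) -> Tuple[str, bool]:
        """Return (verdict, logged); logged is True when the matching rule had -l."""
        for r in self.rules:
            if r.matches(p):
                return r.target, r.log
        return self.policy, False      # nothing matched: the default policy applies


IPADDR = "208.164.186.3"
NAMESERVER_1 = "208.164.186.1"


def web_server_input_chain() -> Chain:
    ch = Chain("DENY")
    # LOOPBACK: unlimited traffic on the loopback interface
    ch.append(Rule("ACCEPT", iface="lo"))
    # SPOOFING & BAD ADDRESSES arriving on the external interface, all logged
    for bad in (IPADDR, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"):
        ch.append(Rule("DENY", iface="eth0", src=bad, log=True))
    # DNS client (53): replies from the primary name server; TCP only if not a SYN
    ch.append(Rule("ACCEPT", iface="eth0", proto="udp", src=NAMESERVER_1,
                   sports=(53, 53), dst=IPADDR, dports=UNPRIV))
    ch.append(Rule("ACCEPT", iface="eth0", proto="tcp", src=NAMESERVER_1,
                   sports=(53, 53), dst=IPADDR, dports=UNPRIV, syn=False))
    # HTTP server (80)
    ch.append(Rule("ACCEPT", iface="eth0", proto="tcp", sports=UNPRIV,
                   dst=IPADDR, dports=(80, 80)))
    # Enable logging for selected denied packets: any other TCP addressed to us
    ch.append(Rule("DENY", iface="eth0", proto="tcp", dst=IPADDR, log=True))
    return ch
```

A connection attempt from source port 53 does not pass the "! -y" DNS client rule and falls through to the logged deny, which is the point of that flag: a rule for replies must not double as a rule for new connections.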
The remaining rules
The other rules used in the firewall script files are:
* Accessing a service from the outside world
* Offering a service to the outside world
* Masquerading the computers on the internal network
The firewall script files
With ipchains you can build a firewall, set up IP masquerading, and so on. Ipchains talks to the kernel and tells it which packets to filter. All firewall settings are therefore kept in the kernel and are lost when the system reboots.
To avoid this, we recommend using System V init scripts to make the security policy permanent. To do that, create a firewall script file under /etc/rc.d/init.d for each server, as in the examples below. To be safe, each server provides different services and uses a different firewall configuration. For this reason we provide a series of different firewall configurations that you can test and adapt to your own needs. We also assume that you have a basic knowledge of filtering firewalls and of how firewall rules work.
Configuring the /etc/rc.d/init.d/firewall script file for the Web server
Below is the configuration script file for our Web server. This configuration allows unlimited traffic on the loopback interface and, by default, ICMP, DNS caching and client server (53), SSH server (22), HTTP server (80), HTTPS server (443), SMTP client (25), FTP server (20, 21) and outgoing traceroute requests.
If you do not need some of the services I list by default in the file below, comment out the corresponding lines by putting "#" at the start of the line. If you need a service that has been commented out, simply remove the "#" at the start of the line.
Create the following firewall script file on the Web server (touch /etc/rc.d/init.d/firewall):
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 02-01-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # whichever you use
LOOPBACK_INTERFACE="lo"
IPADDR="208.164.186.3"
ANYWHERE="any/0"
NAMESERVER_1="208.164.186.1" # Your primary name server
NAMESERVER_2="208.164.186.2" # Your secondary name server
SMTP_SERVER="mail.openarch.com" # Your Mail Hub Server.
SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server
SYSLOG_CLIENT="208.164.168.0/24" # Your syslog internal client
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# ----------------------------------------------------------------------------
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023" # range for SSH privileged ports
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
# ----------------------------------------------------------------------------
# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l
# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
# Refuse Class E reserved IP addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
# refuse addresses defined as reserved by the IANA
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
#65: 01000001 - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
#80: 01010000 - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
# 96: 01100000 - /4 makses 96-111
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
#126: 01111110 - /3 includes 127 - need 112-126 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
#217: 11011001 - /5 includes 216 - need 217-219 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
#223: 11011111 - /6 masks 220-223
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s 208.164.186.0/24 8 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR 0 -d 208.164.186.0/24 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR 3 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR 11 -d 208.164.186.0/24 -j ACCEPT
# ----------------------------------------------------------------------------
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s 208.164.186.0/24 $TRACEROUTE_SRC_PORTS \
        -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
        -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l
# ----------------------------------------------------------------------------
# DNS server
# ----------
# DNS forwarding, caching only nameserver (53)
# --------------------------------------------
# server to server query or response
# Caching only name server only requires UDP, not TCP
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $NAMESERVER_1 53 \
        -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR 53 \
        -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $NAMESERVER_2 53 \
        -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR 53 \
        -d $NAMESERVER_2 53 -j ACCEPT
# DNS client (53)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $NAMESERVER_1 53 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR $UNPRIVPORTS \
        -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $NAMESERVER_1 53 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR $UNPRIVPORTS \
        -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $NAMESERVER_2 53 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR $UNPRIVPORTS \
        -d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $NAMESERVER_2 53 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR $UNPRIVPORTS \
        -d $NAMESERVER_2 53 -j ACCEPT
# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE $UNPRIVPORTS \
        -d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 22 \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE $SSH_PORTS \
        -d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 22 \
        -d $ANYWHERE $SSH_PORTS -j ACCEPT
# SSH client (22)
# ---------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $ANYWHERE 22 \
#         -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $UNPRIVPORTS \
#         -d $ANYWHERE 22 -j ACCEPT
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#         -s $ANYWHERE 22 \
#         -d $IPADDR $SSH_PORTS -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#         -s $IPADDR $SSH_PORTS \
#         -d $ANYWHERE 22 -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE $UNPRIVPORTS \
        -d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 80 \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTPS server (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE $UNPRIVPORTS \
        -d $IPADDR 443 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 443 \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SYSLOG server (514)
# -----------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
# ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#         -s $SYSLOG_CLIENT \
#         -d $IPADDR 514 -j ACCEPT
# SYSLOG client (514)
# -----------------
# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#         -s $IPADDR 514 \
#         -d $SYSLOG_SERVER 514 -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE \
        -d $IPADDR 113 -j REJECT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $SMTP_SERVER 25 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR $UNPRIVPORTS \
        -d $SMTP_SERVER 25 -j ACCEPT
# ------------------------------------------------------------------
# FTP server (20, 21)
# -------------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE $UNPRIVPORTS \
        -d $IPADDR 21 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 21 \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
#
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $ANYWHERE $UNPRIVPORTS \
        -d $IPADDR 20 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR 20 \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PASSIVE MODE data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -s $ANYWHERE $UNPRIVPORTS \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR $UNPRIVPORTS \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR $TRACEROUTE_SRC_PORTS \
        -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 5 -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling Services: "
# Remove all existing rules belonging to this filter
ipchains -F
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
# Reset TCP SYN Cookie Protection to off.
echo 0 >/proc/sys/net/ipv4/tcp_syncookies
# Reset IP spoofing protection to off.
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
# Reset ICMP Redirect Acceptance to on.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 1 > $f
done
# Reset Source Routed Packets to on.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 1 > $f
done
;;
status)
echo -n "Now do you show firewalling stats?"
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
Now make the script file executable and change its default permissions:
[root@deep]# chmod 700 /etc/rc.d/init.d/firewall
[root@deep]# chown 0.0 /etc/rc.d/init.d/firewall
Create the symbolic links for the firewall file under rc.d:
[root@deep]# chkconfig --add firewall
[root@deep]# chkconfig --level 345 firewall on
The firewall rules are now configured through System V init (which is responsible for starting all the normal programs that have to run at system boot) and will be executed automatically whenever the server restarts.
To stop the firewall manually, use the command:
[root@deep]# /etc/rc.d/init.d/firewall stop
To start the firewall manually, use the command:
[root@deep]# /etc/rc.d/init.d/firewall start
Configuring the /etc/rc.d/init.d/firewall script file for the mail server
Below is the configuration script file for our mail server. This configuration allows unlimited traffic on the loopback interface and, by default, ICMP, DNS server and client (53), SSH server (22), SMTP server and client (25), IMAP server (143) and outgoing traceroute requests.
If you do not need some of the services I list by default in the file below, comment out the corresponding lines by putting "#" at the start of the line. If you need a service that has been commented out, simply remove the "#" at the start of the line.
Create the following firewall script file on the mail server (touch /etc/rc.d/init.d/firewall):
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 02-01-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # whichever you use
LOOPBACK_INTERFACE="lo"
IPADDR="208.164.186.2"
ANYWHERE="any/0"
NAMESERVER_1="208.164.186.1" # Your primary name server
NAMESERVER_2="208.164.186.2" # Your secondary name server
SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server
SYSLOG_CLIENT="208.164.168.0/24" # Your syslog internal client
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# ----------------------------------------------------------------------------
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023" # range for SSH privileged ports
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
# ----------------------------------------------------------------------------
# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l
# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
# Refuse Class E reserved IP addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
# refuse addresses defined as reserved by the IANA
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
#65: 01000001 - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
#80: 01010000 - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l