Regarding ipchains, the man page is good, but an example was helpful
for me to get masquerading working right. The following is very
simple, yet probably overkill for my needs.
It seems like as soon as I thought I'd figured out how to use ipfwadm,
the standard changed to ipchains. Now I'm behind again with the new
ip-tables(?) in the 2.4 kernel. Cory, if ip-tables is simpler, it
will be a welcome improvement! If anything looks wrong, please let
me know.
---
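#!/bin/sh
#
# My own goofy firewall.
# For use at home.
#
# Home masquerading firewall (ipchains, 2.2-era kernels): enables IP
# forwarding, loads the masquerading helper modules, and installs
# input/forward rules for the 192.168.2.0/24 LAN. Run as root at boot.
#
# Enable masquerading (IP forwarding between interfaces)
echo "1" >/proc/sys/net/ipv4/ip_forward
# Enable TCP SYN cookies. NOTE: this mitigates SYN floods, not smurf
# (ICMP broadcast amplification) attacks; the original comment was
# mislabelled.
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
# Load the masquerading modules that I need (or want).
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_raudio
# Don't need this, it's handled by pppd
#/sbin/route add default gw ppp0
# Flush chains
/sbin/ipchains -F
# Setup input chains
# Accept by default. NOTE(review): this is a blocklist posture -- any
# port not listed below is reachable from outside; a default DENY with
# explicit ACCEPT rules is the safer shape if the host is ever exposed.
/sbin/ipchains -P input ACCEPT
# Generally allow local traffic, this is a non-dedicated firewall.
# (Each rule is one command line; the -j target must stay on the same
# line or the shell runs a bare "ACCEPT" and the rule is never added.)
/sbin/ipchains -A input -p tcp -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
/sbin/ipchains -A input -p udp -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
# Reject netbios/smb with source OR destination unknown.
/sbin/ipchains -A input -p tcp -d ! 192.168.2.0/24 137:139 -j REJECT
/sbin/ipchains -A input -p tcp -s ! 192.168.2.0/24 137:139 -j REJECT
/sbin/ipchains -A input -p udp -s ! 192.168.2.0/24 137:139 -j REJECT
/sbin/ipchains -A input -p udp -d ! 192.168.2.0/24 137:139 -j REJECT
# Deny ports I don't want exposed.
# NOTE(review): 510:6535 looks like it may have been meant as a wider
# range (the upper bound is an unusual value) -- confirm the intended
# port span before relying on it.
/sbin/ipchains -A input -p udp -s ! 192.168.2.0/24 510:6535 -j DENY
/sbin/ipchains -A input -p tcp -s ! 192.168.2.0/24 510:6535 -j DENY
/sbin/ipchains -A input -p udp -s ! 192.168.2.0/24 111 -j DENY
/sbin/ipchains -A input -p tcp -s ! 192.168.2.0/24 111 -j DENY
/sbin/ipchains -A input -p udp -s ! 192.168.2.0/24 10000 -j DENY
/sbin/ipchains -A input -p tcp -s ! 192.168.2.0/24 10000 -j DENY
# Do ip-masquerading for the local network only; everything else that
# would be forwarded is dropped by the chain policy.
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ
# Leave output chain open.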
---