Hi Guys,, gotta problem with the mdk implementation of iptables.
mdk 8.1 kernel 2.4.16.
2 NICs one running dhcp on a cable modem
the othe other on a LAN
machine address is in the same Class A address as the local network,
Everything through from the LAN is Masqueraded to the address of the
INET NIC, 62.x.x.x
The machine is also running IP-IP prto 93 and at the other ends of the
tunnel are more subnets of the same Class A network the local network
at this end.
the dynamic addres of the PC is 62.31.195.81, the actual machine address
is 44.131.90.252, and the local subnet hanging off the machine is
44.131.90.0/24.
after moddifying bastille-netfilter, I can ping through the tunnel
either from the PC on a virtual term or from any pc on the local
network.
I can also telnet under the same conditions...BUT not to someone at
another end of the tunnel with an address of 44.131.142.x..
but this works if the adress at the other end of the tunnels second
8bits are not 131, ie 44.24.104.x.
Its not a routing prob, its definatly caused by the netfilter config,
turning it off cures the prob.
Ive attached my version of bastill-netfilter, there's alot hashed out,
to aid me try and get to the bottom of this.
any ideas appriciated
tia
richard
#!/bin/sh
#
# /sbin/bastille-netfilter Load/unload netfilter rulesets
#
# version 0.99-beta7
# Copyright (C) 1999-2001 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Thanks to David Ranch, Brad A, Don G, Jay Beale and others
# (especially the netfilter mailing list!) for their suggestions
#
# This script is designed to be called BY a SysV-style init script.
#
# It should be run with a "start" argument
# 1) BY an rc?.d "S" script, _before_ the "network" script
# (normally via the "bastille-firewall" init script;
# as of 2001/02/14, the only purpose of bastille-firewall
# is to start this script)
# 2) any time an interface is brought up or changed, e.g.
# establishing a PPP conection or renewing a DHCP lease
# [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and
# 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script]
#
# Normally you Do Not _Ever_ Want to run this with a "stop" argument!
#
# Note that running this with "stop" will disable the firewall and open
# your system to all network traffic; if you make changes to these rules,
# apply them by running the script again with a "start" argument.
PATH=/bin:/sbin:/usr/bin:/usr/sbin
IPTABLES=/sbin/iptables
CONFIG=/etc/Bastille/bastille-firewall.cfg
if [ ! -x ${IPTABLES} ]; then
echo "ERROR: \"${IPTABLES}\" does not exist!"
if [ -x /sbin/bastille-ipchains ]; then
# better to fall back to 'ipchains' than do nothing
unset IPTABLES
echo "Executing /sbin/bastille-ipchains $1"
/sbin/bastille-ipchains $1
exit
fi
exit 1
fi
if [ ! -f ${CONFIG} ]; then
echo "ERROR: unable to read configuration file \"${CONFIG}\""
exit 1
fi
# source the configuration file, which will set environment variables
. ${CONFIG}
if [ -z "${REJECT_METHOD}" ]; then
echo "ERROR: no reject method specified (corrupt config file?) Exiting!"
exit 1
fi
#
# Computed values
#
# These things should be queried/computed at run time
#
# LOCAL_ADDRESSES
#
# LOCAL_ADDRESSES lists all IP addresses for this server
# (for the INTERNAL_SERVICES rules); if you have virtual
# network devices, you may want to hand-code this, e.g.
# LOCAL_ADDRESSES="127.0.0.0/8"
#
# The following makes a list of all current IP addresses
LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: `
#
#
# DEFAULT_GW_IFACE
#
# The name of the address that is the default gateway (for SNAT)
DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'`
#
#
# INTERNAL_NETWORKS
#
# INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES
# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0"
# The following makes a list of all current internal IP addresses _with netmasks_
for i in ${INTERNAL_IFACES} ; do
INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`"
if [ $i = "${DEFAULT_GW_IFACE}" ]; then
DEFAULT_GW_IP=`ifconfig ${i} | grep "inet addr" | awk '{print $2}'`
fi
done
#
#
# CALLED_METHOD
#
# Variable to hold $1, for use in functions (which have their own $1 vars)
CALLED_METHOD="$1"
#
#
# REJECT_METHOD
#
# Convert ipchains/DENY to netfilter/DROP
if [ "${REJECT_METHOD}" = "DENY" ]; then
REJECT_METHOD="DROP"
fi
# counter number to help toubleshoot
RULENUM=0
#
# Shell functions
#
#; incr_rule_num
# Increment counter number to help toubleshoot
incr_rule_num()
{
RULENUM=`expr $RULENUM + 1`
return 0
}
#
# do_masq_mods
# Function to load/unload NAT kernel modules
do_masq_mods()
{
# args: $1 = "load" or "unload"
#
# find the currently loaded modules
masq_mods=`lsmod | awk '{print $1}' | grep '^ip_nat_'`
#
# Step 1: unload unwanted modules
for m in ${masq_mods} ; do
UNLOAD_THIS_MOD=Y
for normal_mod in ${IP_MASQ_MODULES} ; do
if [ "ip_nat_${normal_mod}" = $m -o "ip_nat_${normal_mod}_conntrack" = $m ]; then
# this module is _supposed_ to be loaded
UNLOAD_THIS_MOD=N
fi
done
if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then
# we're either disabling the firewall or we've disabled masquerading,
# so we should unload _all_ masq modules
UNLOAD_THIS_MOD=Y
fi
if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then
rmmod ${m} || echo "Error unloading ${m} module"
fi
done
# Step 2: load wanted modules that are not already loaded
if [ $1 = "load" ]; then
for normal_mod in ${IP_MASQ_MODULES} ; do
MOD_LOADED=N
for m in ${masq_mods} ; do
if [ "ip_nat_${normal_mod}" = $m ]; then
MOD_LOADED=Y
fi
done
if [ $MOD_LOADED = "N" ]; then
insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module"
fi
# try to load any _conntrack variants
modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null
done
fi
}
# See how we were called.
case "$1" in
start)
#
# Make sure we don't have any ipchains rules!
for c in INPUT OUTPUT FORWARD; do
ipchains -P ${c} DENY 2>/dev/null
ipchains -F ${c} 2>/dev/null
done
ipchains -X 2>/dev/null
rmmod ipchains 2>/dev/null
#
# For Red Hat users, let's ensure that its firewalls are disabled
rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on`
rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on`
bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on`
if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then
echo
echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'"
echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls."
[ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off
[ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off
echo
fi
#
# Make sure the iptables/netfilter kernel module is loaded
modprobe ip_tables
#
# Clean up the default chains
#
# we set defaults to DROP to minimize possible interruptions
# if this script is re-run to reset rules
#
for chain in INPUT OUTPUT FORWARD ; do
${IPTABLES} -P ${chain} DROP
# flush rules
${IPTABLES} -F ${chain}
done
#
for chain in PREROUTING POSTROUTING ; do
${IPTABLES} -t nat -F ${chain}
done
${IPTABLES} -t mangle -F PREROUTING
# Our custom chains
for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do
${IPTABLES} -N ${chain} 2> /dev/null
${IPTABLES} -F ${chain}
${IPTABLES} -A ${chain} -j DROP
done
# Run our "early" custom script if it exists
[ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh
# enable stateful rules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_LOG
# from the ipchains HOWTO
if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo -n "Setting up IP spoofing protection..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
echo " done."
else
echo "WARNING: errors encountered while trying to enable IP spoofing protection!"
fi
fi
${IPTABLES} -A INPUT -p tcp -s 192.168.0.0/16 -j ${REJECT_METHOD}
${IPTABLES} -A INPUT -p tcp -s 10.0.0.0/8 -j ${REJECT_METHOD}
${IPTABLES} -A INPUT -p tcp -s 172.16.0.0/16 -j ${REJECT_METHOD}
# Block any non-local attempts to get localhost addresses
# per [EMAIL PROTECTED]'s bugtraq post
[ "${LOG_FAILURES}" = "Y" ] && \
${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM" ; incr_rule_num
${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD}
# Uncomment this to really, truly block active FTP
# (shouldn't be necessary if ip_conntrack_ftp does its job)
#if [ ${FORCE_PASV_FTP} = "Y" ]; then
# [ "${LOG_FAILURES}" = "Y" ] && \
# ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
# ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j ${REJECT_METHOD}
# [ "${LOG_FAILURES}" = "Y" ] && \
# ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j LOG --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
# ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j ${REJECT_METHOD}
#fi
# Stateful data returns (this should include ICMP messages)
# ...for data to this box
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Fragments
if [ "${ALLOW_FRAGMENTS}" = "N" ]; then
[ "${LOG_FAILURES}" = "Y" ] && \
${IPTABLES} -A INPUT -f -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
${IPTABLES} -A INPUT -f -j ${REJECT_METHOD}
fi
# Allow all traffic from trusted interfaces
echo -n "Allowing traffic from trusted interfaces..."
for t_iface in ${TRUSTED_IFACES} ; do
# we could be pickier here, e.g. only allow traffic
# that looks valid
${IPTABLES} -A INPUT -i ${t_iface} -j ACCEPT
done
echo " done. "
# If you have networks that route traffic to each other through this
# server, you may want to add some forwarding rules, here, e.g.
# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0"
#
# Note: I _think_ this is right; if not, please let me know!
#enabled friday 28/12
${IPTABLES} -A FORWARD -i eth0 -s 44.131.90.0/24 -d 44.0.0.0/8 -j ACCEPT
${IPTABLES} -A FORWARD -i eth0 -s 44.131.91.0/24 -d 44.0.0.0/8 -j ACCEPT
${IPTABLES} -A FORWARD -i eth0 -s 44.131.74.0/24 -d 44.0.0.0/8 -j ACCEPT
# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1"
${IPTABLES} -A FORWARD -i eth1 -s 44.131.142.162 -d 44.131.90.0/24 -j ACCEPT
${IPTABLES} -A FORWARD -i eth1 -s 44.0.0.0/8 -d 44.131.0.0/16 -j ACCEPT
${IPTABLES} -A INPUT -i eth1 -s 44.0.0.0/8 -d 44.131.0.0/16 -j ACCEPT
# No packets with multicast source addresses (Joshua K, RFC 1122)
# (If you want to enable multicast, comment this out!)
#[ "${LOG_FAILURES}" = "Y" ] && \
#${IPTABLES} -A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
#${IPTABLES} -A INPUT -s 224.0.0.0/4 -j ${REJECT_METHOD}
# Forwarding
# IP Masquerading/forwarding
#
# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list)
#do_masq_mods unload
#
if [ -n "${IP_MASQ_NETWORK}" ]; then
echo -n "Loading NAT modules..."
modprobe iptable_nat
echo " done."
echo -n "Setting up masquerading rules..."
# since we've set the default forwarding policy to
# reject, we can enable forwarding now
echo 1 > /proc/sys/net/ipv4/ip_forward
# set up rules for masqueraded networks
for net in ${IP_MASQ_NETWORK} ; do
for pub in ${PUBLIC_IFACES} ; do
# NAT should be one-way, deny traffic from public
# interfaces that is addresses to masq'ed networks
#[ "${LOG_FAILURES}" = "Y" ] && \
#${IPTABLES} -A INPUT -d ${net} -i ${pub} -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
#${IPTABLES} -A INPUT -d ${net} -i ${pub} -j ${REJECT_METHOD}
# spoofed addreses from outside
#[ "${LOG_FAILURES}" = "Y" ] && \
#${IPTABLES} -A INPUT -s ${net} -i ${pub} -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
#${IPTABLES} -A INPUT -s ${net} -i ${pub} -j ${REJECT_METHOD}
#if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then
# NetBIOS
# [ "${LOG_FAILURES}" = "Y" ] && \
# ${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
# ${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD}
# [ "${LOG_FAILURES}" = "Y" ] && \
# ${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
# ${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD}
#fi
# set up a NAT rule with MASQ -- se below for SNAT
${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT
done
done
# If you have a statuc address for the public interface,
# you might prefer setting upp static NAT instead of the
# -j MASQUERADE code above:
#${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP}
echo " done."
echo -n "Loading masquerading modules..."
do_masq_mods load
echo " done."
fi
echo -n "Setting up chains for public/internal interface traffic..."
# direct packets to the INTERNAL_* chains
for iface in ${INTERNAL_IFACES} ; do
${IPTABLES} -A INPUT -i ${iface} -j INT_IN
${IPTABLES} -A OUTPUT -o ${iface} -j INT_OUT
done
# Direct PUBLIC interface traffic to the proper chain
for iface in ${PUBLIC_IFACES} ; do
${IPTABLES} -A INPUT -i ${iface} -j PUB_IN
${IPTABLES} -A OUTPUT -o ${iface} -j PUB_OUT
done
# modified friday
# disallow any attempts to get to internal interfaces from outside
# not good if this is supposed to route between normal networks
#for int in ${INTERNAL_NETWORKS} ; do
# deny traffic from public
# interfaces that is addressed to internal networks
#[ "${LOG_FAILURES}" = "Y" ] && \
#${IPTABLES} -A PUB_IN -d ${int} -j LOG --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num
#${IPTABLES} -A PUB_IN -d ${int} -j ${REJECT_METHOD}
#${IPTABLES} -A PUB_IN -d ${int} -j ACCEPT
# spoofed addreses from outside
#[ "${LOG_FAILURES}" = "Y" ] && \
#${IPTABLES} -A PUB_IN -s ${int} -j LOG --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num
#${IPTABLES} -A PUB_IN -s ${int} -j ${REJECT_METHOD}
#done
echo " done. "
echo -n "starting custom rules"
# custom rules -------------------------------------------------
#
# Put custom rules for public services here before we set up the normal
# rules for the public interfaces
#
# custom rules -------------------------------------------------
echo -n "Setting up general rules..."
# Allow response from DHCP servers
for iface in ${DHCP_IFACES} ; do
# make link so dhcpcd runs firewall when IP changes (if no such file already)
[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750
if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then
ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe
fi
done
# internal interface rules
# Allow accessses to TCP services on this system
for serv in ${TCP_INTERNAL_SERVICES} ; do
${IPTABLES} -A INT_IN -p tcp --dport ${serv} -j ACCEPT
done
# UDP services
for serv in ${UDP_INTERNAL_SERVICES} ; do
${IPTABLES} -A INT_IN -p udp --dport ${serv} -j ACCEPT
done
# ICMP
# hopefully you don't care about hiding from internal hosts!
${IPTABLES} -A INT_IN -p icmp -j ACCEPT
${IPTABLES} -A INT_OUT -p icmp -j ACCEPT
# ...but if you do... try this... (and see the PUB_IN rules below)
for type in ${ICMP_ALLOWED_TYPES} ; do
${IPTABLES} -A INT_IN -p icmp --icmp-type ${type} -j ACCEPT
done
#for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
# ${IPTABLES} -A INT_OUT -p icmp --icmp-type ${type} -j REJECT
#done
# input rules
#
# public interfaces
# --------------------- ICMP --------------------------
for type in ${ICMP_ALLOWED_TYPES} ; do
${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -j ACCEPT
done
# --------------------- TCP --------------------------
for serv in ${TCP_PUBLIC_SERVICES} ; do
${IPTABLES} -A PUB_IN -p tcp --dport ${serv} -j ACCEPT
#${IPTABLES} -A PREROUTING -t nat -p tcp -i eth1 --dport 3602 -j DNAT --to 44.131.90.2:6300
done
# --------------------- UDP --------------------------
for serv in ${UDP_PUBLIC_SERVICES} ; do
${IPTABLES} -A PUB_IN -p udp --dport ${serv} -j ACCEPT
done
# Reject other UDP (redundant)
#[ "${LOG_FAILURES}" = "Y" ] && \
# ${IPTABLES} -A ${chain} -p tcp -j LOG --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
# ${IPTABLES} -A ${chain} -p tcp -j ${REJECT_METHOD}
#
# -------------- Public interface input auditing ---------------
# Note that this will only audit services that are not actually available
#
#for service in ${TCP_AUDIT_SERVICES} ; do
# ${IPTABLES} -A PUB_IN -p tcp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-prefix "audit"
#done
#for service in ${UDP_AUDIT_SERVICES} ; do
# ${IPTABLES} -A PUB_IN -p udp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-prefix "audit"
#done
#for type in ${ICMP_AUDIT_TYPES} ; do
# ${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-prefix "audit"
#done
# if you're disallowing ICMP, you may be trying to look
# invisible/disable ping, so let's just drop these attempts
#[ "${LOG_FAILURES}" = "Y" ] && \
#${IPTABLES} -A PUB_IN -p icmp -j LOG --log-prefix "PUB_IN DROP $RULENUM" ; incr_rule_num
#${IPTABLES} -A PUB_IN -p icmp -j DROP
# --------------------- catch-all --------------------------
# Reject all other traffic (redundant if not logging)
if [ ${LOG_FAILURES} = "Y" ]; then
for chain in INPUT PUB_IN INT_IN ; do
[ "${LOG_FAILURES}" = "Y" ] && \
${IPTABLES} -A ${chain} -j LOG --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
${IPTABLES} -A ${chain} -j ${REJECT_METHOD}
done
fi
#
echo " done."
echo -n "Setting up outbound rules..."
#
# block outbound ICMP types (usu. to hide from traceroute)
for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
# ** The following will limit ICMP on public and internal interfaces:
# for chain in PUB_OUT INT_OUT ; do
# ** but our default is to only limit outbound ICMP on public interfaces
for chain in PUB_OUT ; do
[ "${LOG_FAILURES}" = "Y" ] && \
${IPTABLES} -A ${chain} -p icmp --icmp-type ${type} -j LOG --log-prefix "${chain} REJECT $RULENUM" ; incr_rule_num
${IPTABLES} -A ${chain} -p icmp --icmp-type ${type} -j REJECT
done
done
#
# Here you might really lock things down if this is a server,
# e.g., to keep it from doing anything but connecting to
# SMTP servers and responding to Web requests, or whatever
# the specific requirements are.
#
# Such lockdowns are recommended if the situation affords you
# that flexibility.
#
# If you want to only allow the server to respond to requests
# (and not even make DNS/dhcp/ntp queries!), then uncomment these lines:
# # Note: if the connection table fills, you won't be able to
# # respond to requests if you rely on "-m state" with these rules
# ${IPTABLES} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ${IPTABLES} -A OUTPUT -j REJECT
#
# default is to enable outbound traffic
${IPTABLES} -P OUTPUT ACCEPT
# Now that all rules are set, we can change the policies
# to the user preference safely
[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A FORWARD -j ${REJECT_METHOD}
[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A INPUT -j ${REJECT_METHOD}
# to set default "policies" for PUB_* and INT_* chains, add a final rule
if [ ${LOG_FAILURES} != "Y" ]; then
# if LOG_FAILURES were set, we would have already done this
for chain in PUB_IN INT_IN ; do
[ "${LOG_FAILURES}" = "Y" ] && \
${IPTABLES} -A ${chain} -j LOG --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
${IPTABLES} -A ${chain} -j ${REJECT_METHOD}
done
fi
for chain in PUB_OUT INT_OUT ; do
${IPTABLES} -A ${chain} -j ACCEPT
done
# rule 1 in all of these chains is a deny rule; remove it so other rules work
for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do
${IPTABLES} -D ${chain} -j DROP
done
echo " done."
;;
stop)
echo
echo "WARNING: reverting to default settings (dropping firewall)"
# We should disable NAT/forwarding even if not set to restore defaults
echo -n "disabling IP forwarding..."
echo 0 > /proc/sys/net/ipv4/ip_forward
echo " done."
echo -n "unloading masquerading modules..."
do_masq_mods unload
echo " done."
# flushing leaves the default input at ${REJECT_METHOD}
echo -n "resetting default input rules to accept..."
${IPTABLES} -P INPUT ACCEPT
echo " done."
echo -n "resetting default output rule to accept..."
${IPTABLES} -P OUTPUT ACCEPT
echo " done."
# We disabled forwarding with the /proc interface, but we
# reset FORWARD to ACCEPT because that;s the normal default
echo -n "resetting default forward rule to accept..."
${IPTABLES} -P FORWARD ACCEPT
echo " done."
for chain in INPUT OUTPUT FORWARD ; do
echo -n "flushing ${chain} rules..."
${IPTABLES} -F ${chain}
echo " done."
done
for chain in PREROUTING POSTROUTING ; do
${IPTABLES} -t nat -F ${chain}
done
${IPTABLES} -t mangle -F PREROUTING
# flush and delete the user-defined chains
echo -n "removing user-defined chains..."
for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do
${IPTABLES} -F ${chain}
${IPTABLES} -X ${chain}
done
echo " done."
;;
status)
${IPTABLES} -L -v -n
;;
*)
echo "Usage: $0 {start|stop|status}"
exit 1
esac
exit 0
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
