hello guys,
i have a linux firewall with ipchains ( it works now ) but i think it must
be a mistake in the configuration, because when i look at the logfile of my
web/ftp server in the dmz i always see as incomming ip "222.22.222.89".
my question : what must i change in the configuration to get the "real" ip�s
form outside , and is there any other mistake in the script file
thx in advance, davidm
#!/bin/sh
############################################################################
####
#
# FIREWALL - Script
#
############################################################################
####
# mit Flush alle evtl. aktiven Firewall-Regeln loeschen:
ipchains -F
# DENY ist die default-Regel mit Ausnahme dem Loopback Interface:
ipchains -A input -i ! lo -j DENY
ipchains -A output -i ! lo -j DENY
ipchains -A forward -j DENY
# FTP Masquerading Module fuer aktives und passives FTP:
insmod ip_masq_ftp
# Splitting Forward Chain:
ipchains -N good-bad
ipchains -N bad-good
ipchains -N bad-dmz
ipchains -N good-dmz
#ipchains -N dmz-good
ipchains -N dmz-bad
# Jumps aus der Forward Chain:
ipchains -A forward -s 10.60.0.0/16 -i eth1 -j good-bad
ipchains -A forward -i eth0 -j bad-good
ipchains -A forward -i eth2 -j bad-dmz
ipchains -A forward -s 10.60.0.0/16 -i eth2 -j good-dmz
#ipchains -A forward -i eth2 -d 10.60.0.0/16 -j dmz-good
ipchains -A forward -s 222.22.222.88/29 -i eth1 -j dmz-bad
ipchains -A forward -j DENY -l
# "good" to "bad" :
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p udp --dport 53 -j MASQ
ipchains -A good-bad -p tcp --dport 20:21 --j MASQ
ipchains -A good-bad -p tcp --dport 22 --j MASQ -l
ipchains -A good-bad -p tcp --dport 1024:65535 --j MASQ
ipchains -A good-bad -p tcp --dport 110 -j MASQ
ipchains -A good-bad -p tcp --dport 25 -j MASQ
ipchains -A good-bad -p tcp --dport 119 -j MASQ
ipchains -A good-bad -j REJECT -l
# "bad" to "good" :
ipchains -A bad-good -j DENY -l
# "bad" to "dmz" :
ipchains -A bad-dmz -p tcp -d 222.22.222.90 www -j MASQ
ipchains -A bad-dmz -p tcp -d 222.22.222.90 20:21 --j MASQ
ipchains -A bad-dmz -p tcp --dport 1024:65535 --j MASQ
ipchains -A bad-dmz -j DENY
# "good" to "dmz"
ipchains -A good-dmz -p tcp -d 222.22.222.90 www -j MASQ
ipchains -A good-dmz -p tcp -d 222.22.222.90 20:21 -j MASQ
ipchains -A good-dmz -p tcp --dport 1024:65535 --j MASQ
ipchains -A good-dmz -j DENY
# "dmz" to "good"
#ipchains -A dmz-good -p tcp -d 10.60.0.0/16 www -j ACCEPT
#ipchains -A dmz-good -p tcp -d 10.60.0.0/16 20:21 -j ACCEPT
#ipchains -A dmz-good -p tcp --dport 1024:65535 --j ACCEPT
#ipchains -A dmz-good -j DENY
# "dmz" to "bad"
ipchains -A dmz-bad -p tcp --dport www -j MASQ
ipchains -A dmz-bad -p tcp --dport 20:21 -j MASQ
ipchains -A dmz-bad -p tcp --dport 1024:65535 --j MASQ
ipchains -A dmz-bad -j DENY
# Filtering der Firewall selbst:
ipchains -N bad-if
ipchains -N good-if
ipchains -N dmz-if
# Jumps in die Interface Chains:
ipchains -A input -d 222.22.222.82 -j bad-if
ipchains -A input -d 10.60.1.1 -j good-if
ipchains -A input -d 222.22.222.89 -j dmz-if
# Bad Interface:
ipchains -A bad-if -i ! eth1 -j DENY -l
ipchains -A bad-if -p tcp -s 222.22.222.81 -j ACCEPT
ipchains -A bad-if -p tcp --dport 61000:65096 -j ACCEPT
ipchains -A bad-if -p udp --dport 61000:65096 -j ACCEPT
ipchains -A bad-if -j DENY
# Good Interface:
ipchains -A good-if -i ! eth0 -j DENY -l
ipchains -A good-if -p tcp -j DENY -l
ipchains -A good-if -j DENY -l
# DMZ Interface
ipchains -A dmz-if -i ! eth2 -j DENY -l
ipchains -A dmz-if -p tcp --dport 61000:65096 -j ACCEPT
ipchains -A dmz-if -p udp --dport 61000:65096 -j ACCEPT
ipchains -A dmz-if -j DENY
# Delete blocking Rules:
ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
