Here's the firewall script I had in the handout last night... Again, I have not tested it yet, so feel free to repost it with new comments.
It might be a cool idea for people to post the patches, and come up with an "iron clad" script that anyone can download and put on their boxes with minimal changes...

Ricky

#!/bin/bash
## rc.firewall
## Sample IP Tables Firewall Script
## (the shebang has to be the very first line of the file for the script to run)

#### Setup the interface aliases for easy maintenance

### Lan Interface
## Subnet Mask for this network is 255.255.255.0
LAN_IP="10.0.1.1"
LAN_BCAST_ADDRESS="10.0.1.255"
## Ethernet interface for the lan is ETH1
LAN_IFACE="eth1"

### Loopback Interface
## These settings are almost always the same.
## You will know if they are different (as you would have set them like that)
LO_IFACE="lo"
LO_IP="127.0.0.1"

### Internet Interface
## IP Provided by ISP
INET_IP="204.27.100.1"
INET_IFACE="eth0"

## Location of the iptables executable
IPTABLES="/usr/local/sbin/iptables"

#### Presetup
### You can either compile these into the kernel, or leave them as
### loadable modules. If this is a dedicated machine acting as a
### firewall, you should compile them into the kernel.
/sbin/depmod -a
## Module name corrected (was misspelled ipt_MASQAUERADE in the handout)
/sbin/modprobe ipt_MASQUERADE

## Enable IP Forwarding (Routing)
echo "1" > /proc/sys/net/ipv4/ip_forward

## Starts NAT (Network Address Translation)
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#### For fine tuned control of users on your LAN
## Loads module for logging certain situations
/sbin/modprobe ipt_LOG

## Creates a chain for TCP connections out to the internet
$IPTABLES -N outgoing
## The rules below jump to a chain named "allowed", which the handout never
## created, so iptables would refuse every rule. Create it here; it simply
## accepts what reaches it.
$IPTABLES -N allowed
$IPTABLES -A allowed -j ACCEPT

## Note: the protocol switch is lower-case -p. Upper-case -P sets a chain's
## default policy and would make every rule below fail.
## Allows outgoing FTP Connections
$IPTABLES -A outgoing -p tcp -s 0/0 --dport 21 -j allowed
## Allows outgoing HTTP (Web) Connections
$IPTABLES -A outgoing -p tcp -s 0/0 --dport 80 -j allowed
## Allows outgoing SMTP (Sending Mail) Connections
$IPTABLES -A outgoing -p tcp -s 0/0 --dport 25 -j allowed
## Allows outgoing POP3 (Checking Mail) Connections
$IPTABLES -A outgoing -p tcp -s 0/0 --dport 110 -j allowed
## Allows outgoing DNS Lookups
$IPTABLES -A outgoing -p udp -s 0/0 --dport 53 -j allowed

## Rule Breakdown
#                  Adds Rule   Protocol   Source Address   Destination Port
# $IPTABLES        -A chain    -p proto   -s address       --dport port
# Adds Rule        - Adds a rule to the chain named after -A (which you created with the -N switch)
# Protocol         - Transport protocol used (tcp, udp, icmp)
# Source Address   - IP address where the packets are coming from
# Destination Port - Usually defines what the user is trying to access (look at /etc/services)

================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
================================================
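As posted, the handout builds the "outgoing" chain but never attaches it to FORWARD and never sets a default policy, so the kernel's default FORWARD policy (ACCEPT) still lets everything through NAT. The script below is an added example, not Ricky's handout code: a print-by-default POSIX sh generator for that missing wiring, using the handout's interface names and an assumed LAN_NET of 10.0.1.0/24 (from its 255.255.255.0 mask).

```sh
# Added example, not the handout script: a dry-run generator for the part the
# rc.firewall above leaves out, wiring "outgoing" into FORWARD with a default
# DROP policy and stateful return traffic. Names match the handout; LAN_NET
# is an assumption derived from its 255.255.255.0 mask.
LAN_IFACE="eth1"
LAN_NET="10.0.1.0/24"
INET_IFACE="eth0"
# Default is print-only; set IPTABLES=/usr/local/sbin/iptables to apply rules.
IPTABLES="${IPTABLES:-echo iptables}"

# One "proto port" pair per service the handout allows outbound.
allowed_services() {
    printf '%s\n' "tcp 21" "tcp 80" "tcp 25" "tcp 110" "udp 53"
}

# Print (or run) the ruleset, one iptables invocation per line.
gen_rules() {
    # Default deny for routed traffic: only what matches below gets through.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -N outgoing
    $IPTABLES -N allowed
    # "allowed" drops TCP packets that claim to be NEW but lack SYN
    # (no mid-stream segments sneaking in as a fresh connection), accepts the rest.
    $IPTABLES -A allowed -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A allowed -j ACCEPT
    # Protocol switch is lower-case -p; upper-case -P would set a chain policy.
    allowed_services | while read -r proto port; do
        $IPTABLES -A outgoing -p "$proto" -s "$LAN_NET" --dport "$port" -j allowed
    done
    # LAN -> Internet goes through "outgoing"; only replies may come back in.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j outgoing
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log whatever was not explicitly allowed before the DROP policy eats it.
    $IPTABLES -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# Number of emitted rules that jump to "allowed" (one per service).
count_allowed_jumps() {
    gen_rules | grep -c -- '-j allowed$'
}

gen_rules
```

Run it once as-is to review the generated rules, then again with IPTABLES pointed at the real binary to apply them.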
