FYI, I added the firewall script that Ricky presented to the event's webpage.
Regards, Dustin
---
Dustin Puryear <[EMAIL PROTECTED]>
Information Systems Consultant
http://members.telocity.com/~dpuryear
In the beginning the Universe was created. This has been widely regarded as a bad move. - Douglas Adams

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Behalf Of Ricky Salmon
> Sent: Tuesday, December 04, 2001 10:51 AM
> To: [EMAIL PROTECTED]
> Subject: [brluglist] Firewall Script
>
> Here's the firewall script I had in the handout last night... Again, I have
> not tested it yet, so feel free to repost it with new comments.
>
> It might be a cool idea for people to post the patches, and come up with an
> "iron clad" script that anyone can download and put on their boxes with
> minimal changes...
>
> Ricky
>
> #!/bin/bash
> ## rc.firewall
> ## Sample IP Tables Firewall Script
>
> #### Setup the interface aliases for easy maintenance
>
> ### Lan Interface
>
> ## Subnet Mask for this network is 255.255.255.0
> LAN_IP="10.0.1.1"
> LAN_BCAST_ADDRESS="10.0.1.255"
>
> ## Ethernet interface for the lan is ETH1
> LAN_IFACE="eth1"
>
> ### Loopback Interface
>
> ## These settings are almost always the same.
> ## You will know if they are different (as you would have set them like that)
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
>
> ### Internet Interface
>
> ## IP Provided by ISP
> INET_IP="204.27.100.1"
> INET_IFACE="eth0"
>
> ## Location of the iptables executable
> IPTABLES="/usr/local/sbin/iptables"
>
> #### Presetup
> ### You can either compile these into the kernel, or leave them as
> ### loadable modules. If this is a dedicated machine acting as a
> ### firewall, you should compile them into the kernel.
>
> /sbin/depmod -a
> ## iptable_nat provides the nat table used by the SNAT rule below;
> ## ipt_MASQUERADE is only needed if you change that rule to -j MASQUERADE
> /sbin/modprobe iptable_nat
> /sbin/modprobe ipt_MASQUERADE
>
> ## Enable IP Forwarding (Routing)
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> ## Starts NAT (Network Address Translation)
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
> #### For fine tuned control of users on your LAN
>
> ## Loads module for logging certain situations
> /sbin/modprobe ipt_LOG
>
> ## Creates the chain the rules below jump to; a -j target must exist
> ## before any rule refers to it. Here it simply accepts the packet.
> $IPTABLES -N allowed
> $IPTABLES -A allowed -j ACCEPT
>
> ## Creates a chain for TCP connections out to the internet
> $IPTABLES -N outgoing
>
> ## Allows outgoing FTP Connections
> ## (lowercase -p selects the protocol; uppercase -P sets a chain policy)
> $IPTABLES -A outgoing -p tcp -s 0/0 --dport 21 -j allowed
>
> ## Allows outgoing HTTP (Web) Connections
> $IPTABLES -A outgoing -p tcp -s 0/0 --dport 80 -j allowed
>
> ## Allows outgoing SMTP (Sending Mail) Connections
> $IPTABLES -A outgoing -p tcp -s 0/0 --dport 25 -j allowed
>
> ## Allows outgoing POP3 (Checking Mail) Connections
> $IPTABLES -A outgoing -p tcp -s 0/0 --dport 110 -j allowed
>
> ## Allows outgoing DNS Lookups
> $IPTABLES -A outgoing -p udp -s 0/0 --dport 53 -j allowed
>
> ## Sends LAN traffic bound for the internet through the outgoing chain;
> ## without this the chain is never consulted
> $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j outgoing
>
> ## Rule BreakDown
> #   Adds Rule             Protocol     Source Address   Destination Port
> #   $IPTABLES -A <chain>  -p <proto>   -s <address>     --dport <port>
> #
> # Adds Rule        - Adds a rule to the chain after the -A (which you created with the -N switch)
> # Protocol         - Transport Protocol used (TCP, UDP, ICMP)
> # Source Address   - IP Address where the packets are coming from
> # Destination Port - Usually defines what user is trying to access (look at /etc/services)
>
> ================================================
> BRLUG - The Baton Rouge Linux User Group
> Visit http://www.brlug.net for more information.
> Send email to [EMAIL PROTECTED] to change
> your subscription information.
> ================================================
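As an added example, not part of either message on the list and not Ricky's script, here is a small bash lint that reads an rc.firewall-style script as text and reports two defects before anything is loaded on a live box: a -j to a user chain that no -N line creates, and -P (chain policy) followed by a protocol name where -p (protocol match) was meant. The names BUILTIN_TARGETS, lint_rules, BAD_RULES and GOOD_RULES are chosen here, and both sample rule sets are constructed for the demonstration.

```shell
#!/bin/bash
# lint_rules.sh: static checks for an iptables shell script, run on the text
# before it is loaded. Two mistakes are easy to make in a hand-written
# rc.firewall: jumping (-j) to a user chain that no "-N" line ever creates,
# and typing -P (which sets a chain's policy) where -p (the protocol match)
# was meant. Both are found by reading the script, so no root is needed.

# Built-in chains and standard targets: jumping to these needs no -N.
BUILTIN_TARGETS="INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP REJECT LOG RETURN SNAT DNAT MASQUERADE"

# active_lines <text>: the script with comment lines removed.
active_lines() {
    printf '%s\n' "$1" | grep -v -E '^[[:space:]]*#' || true
}

# lint_rules <text>: print one line per finding; return 1 if there were any.
lint_rules() {
    local rules="$1" rc=0 created targets t

    # User chains the script creates ("-N <name>"), space separated.
    created=$(active_lines "$rules" | grep -E -o -e '-N[[:space:]]+[A-Za-z0-9_-]+' | awk '{print $2}' | tr '\n' ' ')

    # Every "-j <target>" the script uses, once each.
    targets=$(active_lines "$rules" | grep -E -o -e '-j[[:space:]]+[A-Za-z0-9_-]+' | awk '{print $2}' | sort -u)

    for t in $targets; do
        case " $BUILTIN_TARGETS $created" in
            *" $t "*) ;;
            *) echo "undefined chain: rules jump to '$t' but no '-N $t' creates it"; rc=1 ;;
        esac
    done

    # A protocol name right after -P means -p was intended.
    if active_lines "$rules" | grep -E -n -e '-P[[:space:]]+(tcp|udp|icmp|TCP|UDP|ICMP)([[:space:]]|$)'; then
        echo "'-P <protocol>' sets a chain policy; protocol matches use lowercase -p"
        rc=1
    fi
    return $rc
}

# Constructed samples for a stand-alone run (not the rules from the list post).
BAD_RULES='IPTABLES=/usr/local/sbin/iptables
$IPTABLES -N outgoing
$IPTABLES -A outgoing -P TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.1'

GOOD_RULES='IPTABLES=/usr/local/sbin/iptables
$IPTABLES -N allowed
$IPTABLES -A allowed -j ACCEPT
$IPTABLES -N outgoing
$IPTABLES -A outgoing -p tcp -s 0/0 --dport 21 -j allowed
$IPTABLES -A FORWARD -i eth1 -o eth0 -j outgoing'

# Usage: ./lint_rules.sh /path/to/rc.firewall   (exit status 1 if anything was found)
if [ -n "${1:-}" ]; then
    lint_rules "$(cat "$1")"
fi
```

The lint only looks at the text, so it cannot tell whether a rule is reachable or whether the module it needs is loaded; it catches the two errors that iptables would otherwise report only at run time on the firewall itself, which is exactly where an untested script is most expensive to debug.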
