> masquerading rules. Could somebody help me to find an example of addroute
> and delroute scripts for that case?
Here are my scripts (but I use the ip-up and ip-down options, not addroute and
delroute):
Here's my initial firewall setup script, which I invoke from
/etc/rc.d/init.d/network:
#!/bin/sh
# this script is called by /etc/rc.d/init.d/network
# the ppp IP addresses
# ppp_isp_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $3 }' | sed -e s/P-t-P://)"/32"
# my LAN's address
my_lan="192.168.0.0/24"
# turn on antispoofing for all interfaces
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# flush, then set all policies
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
# create user chains
ipchains -N icmp-err
ipchains -N ppp-out
ipchains -N ppp-in
# set icmp-err chain
ipchains -A icmp-err -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type parameter-problem -j ACCEPT
# set ppp-out chain (rule 1 is a placeholder: the ip-up script replaces it
# with an anti-spoofing rule once the link's local address is known)
ipchains -A ppp-out -j DENY -l
ipchains -A ppp-out -p tcp --dport http -t 0x01 0x10
ipchains -A ppp-out -p tcp --dport telnet -t 0x01 0x10
ipchains -A ppp-out -p tcp --dport ftp-data -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport nntp -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport pop -t 0x01 0x02
# set ppp-in chain
ipchains -A ppp-in -s $my_lan -j DENY -l
ipchains -A ppp-in -p tcp --dport 6000:6010 -j DENY
ipchains -A ppp-in -p udp --dport 61000:65096 -j ACCEPT
ipchains -A ppp-in -p tcp --dport 1024:65096 -j ACCEPT
ipchains -A ppp-in -p udp --dport 1024:65096 -j ACCEPT
ipchains -A ppp-in -p udp -s 207.66.20.12 53 -j ACCEPT
ipchains -A ppp-in -p udp -s 207.66.20.13 53 -j ACCEPT
ipchains -A ppp-in -p tcp -s 207.66.20.12 53 -j ACCEPT
ipchains -A ppp-in -p tcp -s 207.66.20.13 53 -j ACCEPT
ipchains -A ppp-in -p icmp --icmp-type pong -j ACCEPT
ipchains -A ppp-in -p icmp -j icmp-err
ipchains -A ppp-in -s 224.0.0.10:65535 -j DENY
ipchains -A ppp-in -j DENY -l
# set input chain
ipchains -A input -i ppp0 -j DENY
# set output chain
ipchains -A output -i ppp0 -j DENY
Here's the 'ip-up' option script from diald.conf (i.e., /etc/ppp/pppfw_up):
#!/bin/sh
# this script is called by diald as ip-up script
ppp_dyn_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $2 }' | sed -e s/addr://)"/32"
# load per protocol masquerading module for ftp
/sbin/insmod ip_masq_ftp
# set forwarding rules
/sbin/ipchains -A forward -i ppp0 -j MASQ
/sbin/ipchains -A forward -j DENY -l
# replace first rule in ppp-out chain: only packets from the link's local
# address ($3, as passed by diald to the ip-up script) may leave via ppp0
/sbin/ipchains -R ppp-out 1 -s ! $3 -j DENY
# reset input rules
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j ppp-in
# reset output rules
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j ppp-out
# add newly brought up route ($4 is the remote address passed by diald)
/sbin/route add default gw $4 ppp0
Here's the 'ip-down' option script from diald.conf (i.e., /etc/ppp/pppfw_down):
#!/bin/sh
# this script is called by diald as ip-down script
# default route to tap0
/sbin/route add default gw 192.168.0.102 tap0
# unload ftp masquerading module
/sbin/rmmod ip_masq_ftp
# reset forward chain to plain ACCEPT policy
/sbin/ipchains -F forward
# reset input chain
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j DENY
# reset output chain
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j DENY
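As an added example (not part of the original post or of diald), here is a safer version of the `ifconfig | grep | awk | sed` pipeline the scripts above use to obtain the ppp0 addresses: it assumes the old net-tools ifconfig output format, validates the result as a dotted quad, and only then builds the anti-spoofing rule, so an ifconfig failure cannot produce a rule with an empty address. The ifconfig text, the helper names and the rule printed are constructed for the example.

```shell
# Added example, not from the original post: parse the ppp0 addresses from the
# old net-tools ifconfig format the scripts above rely on, and refuse to build
# a rule from an empty or malformed value (the page's pipeline would otherwise
# emit "-s ! /32" when ifconfig prints nothing). Sample output is constructed.
sample_ifconfig='ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.20.30.40  P-t-P:10.20.30.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# ppp_addr <field> [ifconfig-text]: print the value after "<field>:" on the
# inet line; field is "addr" (local side) or "P-t-P" (remote side)
ppp_addr() {
    printf '%s\n' "${2:-$sample_ifconfig}" | awk -v f="$1:" '
        /inet / { for (i = 1; i <= NF; i++)
                      if (index($i, f) == 1) { print substr($i, length(f) + 1); exit } }'
}

# is_ipv4 <string>: succeed only for a dotted quad with each octet in 0..255
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# anti_spoof_rule [ifconfig-text]: the command the ip-up script above installs
# as rule 1 of ppp-out, printed only when the local address validated
anti_spoof_rule() {
    local_ip=$(ppp_addr addr "$1")
    is_ipv4 "$local_ip" || return 1
    printf 'ipchains -R ppp-out 1 -s ! %s/32 -j DENY\n' "$local_ip"
}

anti_spoof_rule
```

In a real ip-up script the printed command would be executed instead, and a non-zero return from `anti_spoof_rule` should leave the placeholder `DENY -l` rule in place rather than open the link.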
-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]