I use SuSE 6.1, but I don't start ipchains until I have connected.
Here is my /etc/ppp/ip-up script (it gets called by pppd, not diald);
by calling it from pppd it gets initialised quicker.
------------------------------------------------
#!/bin/sh
#
# File - /etc/ppp/ip-up
# Copyright 1999, D.H.McKay
#
#
# Include common functions and variables
#
. /etc/ppp/functions
# pppd passes these arguments to ip-up:
# $1 = Interface
# $2 = Tty device
# $3 = speed
# $4 = local ip
# $5 = remote ip
# $6 = ipparam
logit "Starting firewall setup"
# Input chain: flush, default DENY, trust the LAN on eth0, then deny (and log, -l)
# the privileged ports on the ppp link. The two UDP ranges leave 53/udp (DNS) open,
# the two TCP ranges leave 113/tcp (ident) open; 6000:6010/tcp covers X11.
$ipchains -F input
$ipchains -P input DENY
$ipchains -A input -j ACCEPT -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0
$ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 0:52 -l
$ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 54:1023 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 0:112 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 114:1023 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 6000:6010 -l
# Drop pings and second-and-later ICMP fragments (-f) arriving on the ppp link
$ipchains -A input -j DENY -p icmp --icmp-type echo-request -i $1 -s 0.0.0.0/0 -l
$ipchains -A input -j DENY -p icmp -f -i $1 -s 0.0.0.0/0 -l
# Individually denied unprivileged ports
$ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 5555 -l
$ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 8000 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 8000 -l
$ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 6667 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 6667 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 4557 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 4559 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 4001 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 2005 -l
$ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 6711 -l
# Anti-spoofing: a private source address must never arrive over the ppp link
$ipchains -A input -j DENY -i $1 -s 192.168.0.0/16 -d 0.0.0.0/0 -l
# Everything not denied above is accepted for the ppp address, i.e. any port above
# 1023 that is not listed explicitly is reachable from outside.
$ipchains -A input -j ACCEPT -i $1 -s 0.0.0.0/0 -d $4/32
$ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
$ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
# Output chain: LAN and loopback unrestricted, private sources must not leak onto
# the ppp link, anything from the ppp address may go out.
$ipchains -F output
$ipchains -P output DENY
$ipchains -A output -j ACCEPT -i eth0 -s 0.0.0.0/0 -d 192.168.0.0/16
$ipchains -A output -j DENY -i $1 -s 192.168.0.0/16 -d 0.0.0.0/0 -l
$ipchains -A output -j ACCEPT -i $1 -s $4/32 -d 0.0.0.0/0
$ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
$ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0
# Forward chain: masquerade the 192.168.1.0/24 LAN only; -M -S sets the masquerade
# timeouts (tcp, tcp-fin, udp) in seconds.
$ipchains -F forward
$ipchains -P forward DENY
$ipchains -M -S 120 120 120
$ipchains -A forward -j MASQ -s 192.168.1.0/24
$ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0
#logit "Starting fetchmail"
# Poll as a daemon every 120 s, fetch all mail, verbose, backgrounded
/usr/bin/fetchmail -d 120 -a -v --postmaster rex >>/var/log/fetchmail 2>&1 &
logit "Firewall setup done"
exit 0
------------------------------------------------
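As an added illustration (not part of the original post), the following Python audit applies ipchains' first-match semantics to a constructed excerpt of the input chain above, with $1 expanded to ppp0 and $4 to 10.0.0.2, and reports which destination ports the trailing ACCEPT still exposes to an outside host once the explicit DENY ranges are applied (53/udp, 113/tcp and every unlisted port above 1023).

```python
import re
import shlex
# Constructed excerpt of the ip-up input chain ($1 -> ppp0, $4 -> 10.0.0.2), first-match order.
RULES = """
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 10.0.0.2/32 0:52 -l
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 10.0.0.2/32 54:1023 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 10.0.0.2/32 0:112 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 10.0.0.2/32 114:1023 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 10.0.0.2/32 6000:6010 -l
ipchains -A input -j DENY -i ppp0 -s 192.168.0.0/16 -d 0.0.0.0/0 -l
ipchains -A input -j ACCEPT -i ppp0 -s 0.0.0.0/0 -d 10.0.0.2/32
ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
"""

def parse_rules(text):
    """Extract target (-j), protocol (-p), interface (-i), source (-s) and dst port range per -A input line."""
    rules = []
    for line in text.splitlines():
        if "-A input" not in line:
            continue
        argv, r, i = shlex.split(line), {"-j": None, "-p": None, "-i": None, "-s": "0.0.0.0/0", "dport": None}, 0
        while i < len(argv):
            if argv[i] in r:
                r[argv[i]] = argv[i + 1]
                i += 2
            elif argv[i] == "-d":
                i += 2  # skip the address; an optional port or lo:hi range may follow it
                if i < len(argv) and re.fullmatch(r"\d+(:\d+)?", argv[i]):
                    lo, _, hi = argv[i].partition(":")
                    r["dport"] = (int(lo), int(hi or lo))
                    i += 1
            else:
                i += 1  # -l, -f, --icmp-type and similar do not affect this port audit
        rules.append(r)
    return rules

def first_match(rules, iface, proto, port):
    """First rule hit by a packet from an outside host; source-restricted (anti-spoof) rules never match it."""
    for r in rules:
        if r["-i"] in (None, iface) and r["-p"] in (None, proto) and r["-s"] == "0.0.0.0/0":
            if r["dport"] is None or r["dport"][0] <= port <= r["dport"][1]:
                return r
    return None

def open_ports(rules, iface, proto, policy="DENY"):
    """Destination ports on iface/proto whose verdict under first-match ordering is ACCEPT."""
    return {p for p in range(65536)
            if (first_match(rules, iface, proto, p) or {"-j": policy})["-j"] == "ACCEPT"}
```

Running open_ports(parse_rules(RULES), "ppp0", "tcp") against the real chain (ipchains -L -n output reformatted into the same syntax) is a quick way to re-check the exposure after every edit to ip-up.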
#
# File - /etc/ppp/functions
# Copyright (c) 1999, D.H.McKay
#
#
# This file contains functions and variables used by all scripts
# (sourced by bash: the ${0//*\/} expansions below are bash pattern substitution)
#
# Default the diald control FIFO unless the caller already set $FIFO
[ -z "$FIFO" ] && FIFO=/var/run/diald.ctl
ipchains=/sbin/ipchains
iptables=/usr/local/bin/iptables
ipnatctl=/usr/local/bin/ipnatctl
# logit MESSAGE: hand the message to diald through its control FIFO and to
# syslog (local2.info), tagged with the calling script's name and PID.
function logit()
{
date +"message %a %b %d %T %Y %Z <${0//*\/}[$$]> $1" > $FIFO
logger -p local2.info -t "${0//*\/}[$$]" "$1"
}
-------------------------------------------------
On Sun, 16 Jan 2000, Clifford wrote:
> I'm currently setting up the ipchains rules set supplied with SuSE 6.3
> but I'm having problems starting them up from rc2.d and the like. My
> problem is that I'm not sure *when* they should be started as this was
> not set when I installed the rules. By this I mean should the firewall
> file be linked as S21firewall or S11firewall in the /sbin/init.d/rc2.d
> directory.
>
> As I'm also going to be using them with wvdial.dod which we are advised
> to set as S20wvdial.dod, I'm not sure how this would work. As the
> firewall is going to take the ppp+ interface into account and this will
> only exist *after* wvdial.dod has started up. Since linking wvdial.dod
> as S20wvdial.dod, this would make the setting up of the ppp interface
> one of the last things done on booting up.
>
> Basically I just need to know when to set up the firewall rules (via
> S**firewall) and when to call up wvdial.dod via S**wvdial.dod.
>
>
> Thanks y'all.
>
> Clifford
>
> --
> Well i know we're dying
> and there's no sign of a parachute...
> (Tori Amos)
-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]