Hi Robert, William.

 >> Another question:
 >> Is it possible to apply rules to all ham interfaces with
 >> FW_WORLD_DEV="scc0,scc1,scc2" or "scc0 scc1..."? What is
 >> the correct syntax for multiple interfaces? I couldn't find
 >> it in the SuSE documentation. There was only a hint that
 >> multiple interfaces are possible.

 >> I'll also need to protect ippp0 (isdn-ppp) with different
 >> rules. (Very important because there shouldn't be any
 >> possibilities to get traffic from a ham interface to my ISP
 >> and reverse) Is it possible to use a modified copy of the
 >> /sbin/init.d/firewall script a second time to do this? Is
 >> there a better way, or is that inefficient?

 > It's not as good as getting a unified firewall because the order
 > in which the rules show up is important.

I've been thinking about the above, and something along the lines
of the following script is probably what you are looking for.

William: Perhaps you can comment on this?

===8<=== CUT ===>8===

#!/bin/bash
#
# Script to configure an IP Masqueraded firewall for a
# system with amateur radio TCP/IP connections and also
# with a standard PPP dial-up interface.
#
# This script makes the following assumptions:
#
# 1. All traffic coming from the amateur radio ports
#    arrives with IP addresses in the Class A range
#    44.*.*.* (which corresponds to *.ampr.org in DNS
#    terminology).
#
# 2. All traffic arriving from local network ports
#    arrives with IP addresses in the private range
#    192.168.*.* which is reserved for local networks
#    (RFC 1918).
#
#######################################################
#
# First, set up the default policies. The DENY in the
# forward chain prevents any traffic from being
# forwarded at this stage.

ipchains -P forward DENY
ipchains -P input   ACCEPT
ipchains -P output  ACCEPT

#######################################################
#
# Next, kill all existing rules, and delete all existing
# non-standard chains.

ipchains -F
ipchains -X

#######################################################
#
# Next, ensure that kernel forwarding is enabled.

echo 1 > /proc/sys/net/ipv4/ip_forward

#######################################################
#
# Next, create the user chains we require to ensure that
# we deal with all network sources sensibly.

ipchains -N HamRadio
ipchains -N Internet
ipchains -N LocalNet

#######################################################
#
# Next, sort the incoming traffic according to where
# it is coming from, sending each range into a separate
# chain for further rule processing. The chains referred
# to here will ensure that traffic from the respective
# domains is authorised to travel where it wishes to
# when the chain returns.
#
# Add other ports as required.

ipchains -A input -i scc+ -j HamRadio   # SCC cards
ipchains -A input -i ppp+ -j Internet   # PPP links
ipchains -A input -i eth+ -j LocalNet   # Ethernet
ipchains -A input -i lo   -j LocalNet   # Loopback

#######################################################
#
# Next, specify what to do with traffic from the Ham Radio
# ports. This defines the HamRadio chain, and sets the
# following policies:
#
#  1. If this traffic arrives other than with a 44.* IP
#     address, ignore it completely. Only 44.* addresses
#     are legal over the amateur radio bands.

ipchains -A HamRadio -s ! 44.0.0.0/8     -j DENY

#  2. If this traffic is destined for another ham radio
#     address (including this gateway's own 44.* address),
#     let it through, so that ham-to-ham traffic between
#     the SCC ports is routed rather than refused by rule 3.

ipchains -A HamRadio -d 44.0.0.0/8       -j ACCEPT

#  3. If this traffic is destined for the Internet, reject
#     it, returning "Connection refused" to the caller.

ipchains -A HamRadio -d ! 192.168.0.0/16 -j REJECT

#######################################################
#
# Next, specify what to do with traffic from the Internet
# on the input chain. This defines the Internet chain, and
# sets the following policies:
#
#  1. If this traffic arrives claiming to be from a ham
#     radio address, ignore it completely. These addresses
#     are not valid from the Internet ports.

ipchains -A Internet -s 44.0.0.0/8       -j DENY

#  2. If this traffic arrives claiming to be from one of
#     the localnet addresses, ignore it completely. Again,
#     these addresses are not valid on the Internet ports.

#     These are the three RFC 1918 private ranges; note
#     that the 172 range is a /12 (172.16.0.0-172.31.255.255),
#     not a /16.

ipchains -A Internet -s 10.0.0.0/8       -j DENY
ipchains -A Internet -s 172.16.0.0/12    -j DENY
ipchains -A Internet -s 192.168.0.0/16   -j DENY

#  3. If this traffic is destined for a ham radio address,
#     reject it, returning "Connection refused" to the
#     caller.

ipchains -A Internet -d 44.0/8         -j REJECT

#  4. If this traffic is aimed at one of our web servers
#     or the web proxy, reject it, returning "Connection
#     refused" to the caller. This is because our local
#     web server is for our private use only.

# A port match needs a protocol (-p tcp), otherwise ipchains
# refuses the rule.

if false ; then
    ipchains -A Internet -p tcp -d 0.0.0.0/0 80   -j REJECT
    ipchains -A Internet -p tcp -d 0.0.0.0/0 3128 -j REJECT
fi

#######################################################
#
# Next, deal with any traffic from the local ethernet or
# the loopback port. This defines the LocalNet chain, and
# sets the following policies:
#
#  1. No restrictions are placed on traffic originating
#     from the local ethernet or the loopback port.

#######################################################
#
# Next, having filtered out all unwanted input traffic,
# feed all web traffic from the local ethernet into the
# transparent proxy. Make sure your transparent proxy is
# configured before you enable this section, and also
# ensure that it listens on port 3128 as used here, or
# change the 3128 to be whatever port it listens on.
#
# The REDIRECT rules match only the local ethernet ports
# (-i eth+), so web traffic arriving on the PPP link is not
# handed to the proxy. The DENY rules sit in the forward
# chain rather than the output chain: the output chain also
# sees connections this machine originates, including the
# proxy's own fetches, which would otherwise be blocked.

if false ; then
    ipchains -A input   -i eth+ -p tcp -d 0.0.0.0/0  80 -j REDIRECT 3128
    ipchains -A input   -i eth+ -p tcp -d 0.0.0.0/0  81 -j REDIRECT 3128
    ipchains -A input   -i eth+ -p tcp -d 0.0.0.0/0 328 -j REDIRECT 3128

    ipchains -A forward -p tcp -d 0.0.0.0/0  80 -j DENY
    ipchains -A forward -p tcp -d 0.0.0.0/0  81 -j DENY
    ipchains -A forward -p tcp -d 0.0.0.0/0 328 -j DENY

    ipchains -A forward -p tcp -d 0.0.0.0/0 443 -j DENY
fi

#######################################################
#
# Next, configure masquerading. In the forward chain, -i
# names the outgoing interface, so this states that any
# traffic leaving on the local net is to be forwarded
# without being masqueraded.

ipchains -A forward -i eth+ -j ACCEPT

# This states that all other traffic is to be masqueraded.

ipchains -A forward -j MASQ

#######################################################
#
# EOF.

===8<=== CUT ===>8===

The comments therein should tell you what each stage is doing.

Note the "if false ; then" ... "fi" blocks. As they stand here,
they disable the block within, so can be left as they stand if
you don't require that particular function. If you require the
function described to be present, just replace "false" with
"true" as appropriate.

Best wishes from Riley GM7GOD / KB8PPG.

---
 * God Made 7 Greedy Old Devils
 * Kilroy Bought 8 Personal Pregnancy Guides
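To check what the ruleset above decides for a given packet without loading it into a kernel, here is an added Python model of its input-chain dispatch and forward-chain masquerading (constructed for this reply, not part of the script; the interface names, the use of the RFC 1918 172.16.0.0/12 range, the routing guess in out_iface and the allowance for ham-to-ham traffic are assumptions):

```python
# Constructed model of the ipchains policy in the script above; it is not
# ipchains itself, only the verdict each chain would reach for one packet.
from ipaddress import ip_address, ip_network

HAM = ip_network("44.0.0.0/8")
LAN = ip_network("192.168.0.0/16")
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def chain_for(iface):
    """Mirror the 'ipchains -A input -i <prefix>+ -j <chain>' dispatch."""
    if iface.startswith("scc"):
        return "HamRadio"
    if iface.startswith("ppp"):
        return "Internet"
    if iface.startswith("eth") or iface == "lo":
        return "LocalNet"
    return None  # no user chain: falls through to the input policy (ACCEPT)

def input_verdict(iface, src, dst):
    """Verdict of the input chain for a packet arriving on iface."""
    src, dst = ip_address(src), ip_address(dst)
    chain = chain_for(iface)
    if chain == "HamRadio":
        if src not in HAM:
            return "DENY"    # non-44.* source over the air: dropped silently
        if dst in HAM:
            return "ACCEPT"  # assumption: ham-to-ham (incl. this gateway) allowed
        if dst not in LAN:
            return "REJECT"  # ham station trying to reach the Internet
    elif chain == "Internet":
        if src in HAM or any(src in n for n in PRIVATE):
            return "DENY"    # spoofed ham or RFC 1918 source on the PPP link
        if dst in HAM:
            return "REJECT"  # Internet host trying to reach the ham network
    return "ACCEPT"          # LocalNet chain and the input policy both accept

def out_iface(dst):
    """Routing guess used only by this model: which port reaches dst."""
    dst = ip_address(dst)
    return "eth0" if dst in LAN else "scc0" if dst in HAM else "ppp0"

def forward_verdict(iface, src, dst):
    """Input chain followed by the forward chain (MASQ unless leaving on eth+)."""
    verdict = input_verdict(iface, src, dst)
    if verdict != "ACCEPT":
        return verdict
    return "ACCEPT" if out_iface(dst).startswith("eth") else "MASQ"
```

Running a few packets through forward_verdict shows, for instance, that LAN-to-ham traffic leaves masqueraded behind the gateway's 44.* address while Internet-to-ham traffic never gets past the Internet chain.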
