Thanks for posting the firewall script, but it didn't
work. After reading the ipchains howto I now know
why:
> # 2. If this traffic is destined for the Internet, reject
> # it, returning "Connection refused" to the caller.
>
> ipchains -A HamRadio -d ! 192.168.0/16 -j REJECT
means that all packets in the HamRadio chain (defined
earlier: traffic coming from the scc+ interfaces) are
rejected (answered with ICMP unreachable) if they are
NOT destined to 192.168.0/16.
So I replaced the line with:
ipchains -A HamRadio -d ! 44.0/8 -j REJECT
which makes more sense I think.
The rest of the script seems to be very useable.
Thanks to the author.
PLEASE send me your comments about this script,
because I really want to use it.
The only things I want to change are:
- Forget the transproxy things (they are inside 'if false' anyway)
- Protect most of the ports/services of the machine
against access from Internet, with exception of few
necessary ports
- Protect some of the ports/services of the machine
against access from HamRadio interface
- Make access to the webserver possible from the
internet to a special area (access to the webcam etc.).
Give full access to the ham area IF the user has a ham
account with password on the machine.
(At the moment I don't have an idea how to do this,
but I hope to achieve this by a virtual host configuration
of the apache server. Any ideas? Working configurations?)
Please send me your comments and/or possible lines for
the modifications I've listed. They could be very important
for me.
Thanks in advance
73
Robert / OE8RSQ
> ===8<=== CUT ===>8===
>
> #!/bin/bash
> #
> # Script to configure an IP Masqueraded firewall for a
> # system with amateur radio TCP/IP connections and also
> # with a standard PPP dial-up interface.
> #
> # This script makes the following assumptions:
> #
> # 1. All traffic coming from the amateur radio ports
> # arrives with IP addresses in the Class A range
> # 44.*.*.* (which corresponds to *.ampr.org in DNS
> # terminology).
> #
> # 2. All traffic arriving from local network ports
> # arrives with IP addresses in the Class B range
> # 192.168.*.* which is reserved for local networks
> #
> #######################################################
> #
> # First, set up the default policies. The DENY in the
> # forward chain prevents any traffic from being
> # forwarded at this stage.
>
> ipchains -P forward DENY
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
>
> #######################################################
> #
> # Next, kill all existing rules, and delete all existing
> # non-standard chains.
>
> ipchains -F
> ipchains -X
>
> #######################################################
> #
> # Next, ensure that kernel forwarding is enabled.
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #######################################################
> #
> # Next, create the user chains we require to ensure that
> # we deal with all network sources sensibly.
>
> ipchains -N HamRadio
> ipchains -N Internet
> ipchains -N LocalNet
>
> #######################################################
> #
> # Next, sort the incoming traffic according to where
> # it is coming from, sending each range into a separate
> # chain for further rule processing. The chains referred
> # to here will ensure that traffic from the respective
> # domains is authorised to travel where it wishes to
> # when the chain returns.
> #
> # Add other ports as required.
>
> ipchains -A input -i scc+ -j HamRadio # SCC cards
> ipchains -A input -i ppp+ -j Internet # PPP links
> ipchains -A input -i eth+ -j LocalNet # Ethernet
> ipchains -A input -i lo -j LocalNet # Loopback
>
> #######################################################
> #
> # Next, specify what to do with traffic from the Ham Radio
> # ports. This defines the HamRadio chain, and sets the
> # following policies:
> #
> # 1. If this traffic arrives other than with a 44.* IP
> # address, ignore it completely. Only 44.* addresses
> # are legal over the amateur radio bands.
>
> ipchains -A HamRadio -s ! 44.0/8 -j DENY
>
> # 2. If this traffic is destined for the Internet, reject
> # it, returning "Connection refused" to the caller.
>
> ipchains -A HamRadio -d ! 192.168.0/16 -j REJECT
>
> #######################################################
> #
> # Next, specify what to do with traffic from the Internet
> # on the input chain. This defines the Internet chain, and
> # sets the following policies:
> #
> # 1. If this traffic arrives claiming to be from a ham
> # radio address, ignore it completely. These addresses
> # are not valid from the Internet ports.
>
> ipchains -A Internet -s 44.0/8 -j DENY
>
> # 2. If this traffic arrives claiming to be from one of
> # the localnet addresses, ignore it completely. Again,
> # these addresses are not valid on the Internet ports.
>
> ipchains -A Internet -s 10.0/8 -j DENY
> ipchains -A Internet -s 172.16.0/12 -j DENY # whole RFC 1918 172.16-172.31 block
> ipchains -A Internet -s 192.168.0/16 -j DENY
>
> # 3. If this traffic is destined for a ham radio address,
> # reject it, returning "Connection refused" to the
> # caller.
>
> ipchains -A Internet -d 44.0/8 -j REJECT
>
> # 4. If this traffic is aimed at one of our web servers
> # or the web proxy, reject it, returning "Connection
> # refused" to the caller. This is because our local
> # web server is for our private use only.
>
> if false ; then
> ipchains -A Internet -d 0/0 80 -j REJECT
> ipchains -A Internet -d 0/0 3128 -j REJECT
> fi
>
> #######################################################
> #
> # Next, deal with any traffic from the local ethernet or
> # the loopback port. This defines the LocalNet chain, and
> # sets the following policies:
> #
> # 1. No restrictions are placed on traffic originating
> # from the local ethernet or the loopback port.
>
> #######################################################
> #
> # Next, having filtered out all unwanted input traffic,
> # feed all web traffic into the transparent proxy. Make
> # sure your transparent proxy is configured before you
> # enable this section, and also ensure that it listens
> # on port 3128 as used here, or change the 3128 to be
> # whatever port it listens on.
>
> if false ; then
> ipchains -A input -d 0/0 80 -p tcp -j REDIRECT 3128
> ipchains -A input -d 0/0 81 -p tcp -j REDIRECT 3128
> ipchains -A input -d 0/0 328 -p tcp -j REDIRECT 3128
>
> ipchains -A output -d 0/0 80 -p tcp -j DENY
> ipchains -A output -d 0/0 81 -p tcp -j DENY
> ipchains -A output -d 0/0 328 -p tcp -j DENY
>
> ipchains -A output -d 0/0 443 -p tcp -j DENY
> fi
>
> #######################################################
> #
> # Next, configure masquerading. This states that any traffic
> # remaining on our local net is to be forwarded without being
> # masqueraded.
>
> ipchains -A forward -i eth+ -j ACCEPT
>
> # This states that all other traffic is to be masqueraded.
>
> ipchains -A forward -j MASQ
>
> #######################################################
> #
> # EOF.
>
> ===8<=== CUT ===>8===
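To see exactly what the two versions of the HamRadio destination rule do, here is an added example (not part of the post or of the quoted script) that models a small subset of ipchains matching in Python: `-s`/`-d` with optional `!`, `-i` with the `+` wildcard, `-j` to built-in targets or user chains, and `-P` policies. Ports and protocols are ignored, the transparent-proxy and forward-chain parts are left out, and the packets are constructed sample values; the 172.16.0/12 line is the full RFC 1918 block rather than the /16 in the quoted script.

```python
import ipaddress
import shlex


def parse_addr(spec):
    """Expand ipchains shorthand such as 44.0/8 or 192.168.0/16 to a network."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    while len(octets) < 4:
        octets.append("0")
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


class Ruleset:
    """Minimal model of ipchains input-chain evaluation (addresses and interfaces only)."""

    def __init__(self):
        self.policy = {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"}
        self.chains = {"input": [], "output": [], "forward": []}

    def load(self, script):
        for line in script.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if line.startswith("ipchains"):
                self._command(shlex.split(line)[1:])

    def _command(self, argv):
        it = iter(argv)
        rule = {"src": None, "dst": None, "iface": None, "target": None}
        chain = None
        for tok in it:
            if tok == "-P":                       # chain policy
                self.policy[next(it)] = next(it)
                return
            if tok == "-N":                       # new user chain
                self.chains[next(it)] = []
                return
            if tok in ("-F", "-X"):               # flush/delete: no-op on a fresh model
                return
            if tok == "-A":
                chain = next(it)
            elif tok in ("-s", "-d"):
                val = next(it)
                negate = val == "!"
                if negate:
                    val = next(it)
                rule["src" if tok == "-s" else "dst"] = (parse_addr(val), negate)
            elif tok == "-i":
                rule["iface"] = next(it)
            elif tok == "-j":
                rule["target"] = next(it)
            elif tok == "-p":
                next(it)                          # protocol is ignored in this model
        self.chains[chain].append(rule)

    @staticmethod
    def _matches(rule, pkt):
        pat = rule["iface"]
        if pat is not None:
            if pat.endswith("+"):
                if not pkt["iface"].startswith(pat[:-1]):
                    return False
            elif pkt["iface"] != pat:
                return False
        for key in ("src", "dst"):
            if rule[key] is not None:
                net, negate = rule[key]
                hit = ipaddress.ip_address(pkt[key]) in net
                if hit == negate:                 # "!" inverts the address test
                    return False
        return True

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            if not self._matches(rule, pkt):
                continue
            target = rule["target"]
            if target in self.chains:             # jump; fall through if the chain returns
                sub = self._walk(target, pkt)
                if sub is not None:
                    return sub
            elif target is not None:
                return target
        return None                               # end of chain reached without a verdict

    def verdict(self, chain, pkt):
        result = self._walk(chain, pkt)
        return result if result is not None else self.policy[chain]


ORIGINAL_RULE = "ipchains -A HamRadio -d ! 192.168.0/16 -j REJECT"
REPLACEMENT_RULE = "ipchains -A HamRadio -d ! 44.0/8 -j REJECT"


def build(hamradio_dest_rule):
    """Input chain and HamRadio/Internet chains from the quoted script, one variant of rule 2."""
    script = f"""
ipchains -P input ACCEPT
ipchains -N HamRadio
ipchains -N Internet
ipchains -N LocalNet
ipchains -A input -i scc+ -j HamRadio
ipchains -A input -i ppp+ -j Internet
ipchains -A input -i eth+ -j LocalNet
ipchains -A HamRadio -s ! 44.0/8 -j DENY
{hamradio_dest_rule}
ipchains -A Internet -s 44.0/8 -j DENY
ipchains -A Internet -s 10.0/8 -j DENY
ipchains -A Internet -s 172.16.0/12 -j DENY
ipchains -A Internet -s 192.168.0/16 -j DENY
ipchains -A Internet -d 44.0/8 -j REJECT
"""
    rs = Ruleset()
    rs.load(script)
    return rs


# Constructed sample packets: (source, destination, arriving interface)
PACKETS = {
    "ham_to_ham":      {"src": "44.1.2.3",     "dst": "44.9.8.7",     "iface": "scc0"},
    "ham_to_localnet": {"src": "44.1.2.3",     "dst": "192.168.1.10", "iface": "scc0"},
    "ham_to_internet": {"src": "44.1.2.3",     "dst": "198.51.100.5", "iface": "scc0"},
    "spoofed_44_ppp":  {"src": "44.5.5.5",     "dst": "192.168.1.10", "iface": "ppp0"},
    "internet_to_ham": {"src": "198.51.100.5", "dst": "44.1.2.3",     "iface": "ppp0"},
    "localnet":        {"src": "192.168.1.20", "dst": "198.51.100.5", "iface": "eth0"},
}


def compare(packets=PACKETS):
    """Return {name: (verdict with original rule, verdict with replacement rule)}."""
    before, after = build(ORIGINAL_RULE), build(REPLACEMENT_RULE)
    return {n: (before.verdict("input", p), after.verdict("input", p)) for n, p in packets.items()}


if __name__ == "__main__":
    for name, (orig, repl) in compare().items():
        print(f"{name:16} original={orig:7} replacement={repl}")
```

Running it shows the point made in the reply: with the original rule, a packet from one 44.* host to another 44.* host arriving on scc0 is rejected because its destination is not 192.168.0/16, while the replacement accepts it. The model also shows the other side of the swap: with `-d ! 44.0/8` a ham packet addressed to a 192.168.* host is now rejected, so whichever version is used should match what the operator actually wants forwarded between the two networks.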