18/04/00 9:29:28 PM
OK, I'm still having a hell of a time trying to get this firewall to work...
The changes I've made have ***'s next to them. Also, I have changed all references of eth to ppp, because the firewall came from a machine attached to a router.. my machine is a dial up 56k modem.. so I figure that kinda makes sense..
The errors I get when trying to run the firewall are:
Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
It happens after ****** echo "part 1 done" ****** and before ***** echo "part 2 done." ******
Also, after I try to run the firewall and stop it I cannot ping (or any other contact) the outside world through the server. BUT the server may still have full contact with the world around it..
Is there anything I can do to reset this problem other than rebooting the server? It does terrible things to my uptime (and the cost of redialing my ISP).
Thanks, Marcus
#!/bin/sh
#
# firewall	Install firewall rules.
# Note: these rules are ordered by most frequently
# accessed to the least frequent. This saves kernel
# processing time in finding the rule to match an incoming
# packet.
#
# Version: @(#) /etc/init.d/firewall 1.02 November 18th 1999
#
# Author: Patrick D'Cruze,
# Modified by: Paul Raj Khangure
#
# Lines marked *** are the local changes (eth -> ppp, dial-up box).
# The markers live inside shell comments so they are never executed.
#
# Source function library.
. /etc/rc.d/init.d/functions
[ -f /sbin/ipchains ] || exit 0
# See how we were called.
case "$1" in
start)
    # First, let's turn on Source Address Verification
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "Setting up IP spoofing protection..."
        for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $file
        done
        echo "done."
    else
        echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
    fi
    # By default DENY all incoming services.
    # --flush with no chain name empties every chain, so once is enough.
    /sbin/ipchains --flush
    # Drop the user chain left by a previous run; it does not exist on the
    # first run, so that error is silenced.
    /sbin/ipchains --delete-chain ppp-in 2>/dev/null # ***
    # Create a new chain
    /sbin/ipchains --new-chain ppp-in # ***
    # Some definitions
    # Note: a /24 mask on a host address matches the whole subnet, not just that host.
    INT_IP="192.168.100.1/24" # Internal Network.
    EXT_IP="203.57.131.0/32" # Here be hackers.
    INTLAN="192.168.100.0/24" # Internal LAN.
    LOKI="192.168.100.2/24" # Marcus machine.
    IPCHAIN_IN="/sbin/ipchains --append ppp-in" # ***
    ACC1="--proto tcp --interface ppp+ --jump ACCEPT" # ***
    ACC2="--proto udp --interface ppp+ --jump ACCEPT" # ***
    ACC3="--proto icmp --interface ppp+ --jump ACCEPT" # ***
    DEN1="--proto tcp --interface ppp+ --jump DENY" # ***
    DEN2="--proto udp --interface ppp+ --jump DENY" # ***
    DEN3="--proto icmp --interface ppp+ --jump DENY" # ***
    echo "Def's done"
    # Let local host contact itself. The loopback network is 127.0.0.0/8;
    # 255.255.255.0/8 (the *** edit) is not loopback and would not match lo traffic.
    /sbin/ipchains -A input -s 127.0.0.0/8 -d 0/0 -p all --jump ACCEPT # *** (was 127.0.0.0, changed back)
    # Allow ICMP for the moment for MTU discovery
    # ${IPCHAIN_IN} -s 0/0 -d 0/0 ${ACC3} # *** (#'ed it)
    # Allow this machine to receive web pages.
    # ${IPCHAIN_IN} -s 0/0 80 -d ${EXT_IP} ${ACC1}
    # ${IPCHAIN_IN} -s 0/0 80 -d ${INT_IP} ${ACC1}
    # Allow SNMP polling of the routers for MRTG graphs
    # ${IPCHAIN_IN} -s 203.38.127.36/32 -d 203.47.0.65/32 161:162 ${ACC2}
    # ${IPCHAIN_IN} -s 203.47.0.65/32 161:162 -d 203.38.127.36/32 ${ACC2}
    # ${IPCHAIN_IN} -s 203.38.127.36/32 -d 203.47.0.67/32 161:162 ${ACC2}
    # ${IPCHAIN_IN} -s 203.47.0.67/32 161:162 -d 203.38.127.36/32 ${ACC2}
    echo "part 1 done"
    # Allow DNS traffic - the local LAN to use this server, and
    # this server to make DNS requests of others.
    ${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 53 ${ACC1}
    ${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 53 ${ACC2}
    ${IPCHAIN_IN} -s 0/0 53 -d ${EXT_IP} ${ACC1}
    ${IPCHAIN_IN} -s 0/0 53 -d ${EXT_IP} ${ACC2}
    # Allow the dirty side to use this server as a DNS server.
    # EXTLAN is never defined in this script, so these two lines expanded to
    # "-s -d ${EXT_IP} ..." and ipchains answered with its usage message
    # (the "Try /sbin/ipchains -h" error between "part 1" and "part 2").
    # The 0/0 rules above already cover the same traffic, so they stay disabled
    # until EXTLAN is given a value.
    # ${IPCHAIN_IN} -s ${EXTLAN} -d ${EXT_IP} 53 ${ACC1}
    # ${IPCHAIN_IN} -s ${EXTLAN} -d ${EXT_IP} 53 ${ACC2}
    # Block any other DNS
    ${IPCHAIN_IN} -s 0/0 -d 0/0 53 -l ${DEN1}
    ${IPCHAIN_IN} -s 0/0 -d 0/0 53 -l ${DEN2}
    # Masquerade FTP SSH and Telnet out.
    # /sbin/ipchains -A forward -p tcp -s ${INTLAN} -d 0/0 20:21 --jump MASQ
    # /sbin/ipchains -A forward -p tcp -s ${INTLAN} -d 0/0 22 --jump MASQ
    # /sbin/ipchains -A forward -p tcp -s ${INTLAN} -d 0/0 23 --jump MASQ
    # Allow FTP and Telnet out.
    ${IPCHAIN_IN} -s ${INTLAN} -d 0/0 20:21 ${ACC1}
    # ${IPCHAIN_IN} -s ${INTLAN} -d 0/0 23 ${ACC1} # *** (#'ed it)
    ${IPCHAIN_IN} -s 0/0 20:21 -d ${EXT_IP} ${ACC1}
    # ${IPCHAIN_IN} -s 0/0 23 -d ${EXT_IP} ${ACC1} # *** (#'ed it)
    # Only the internal LAN can view the web pages on here.
    # ${IPCHAIN_IN} -s ${INTLAN} -d ${INT_IP} 80 ${ACC1}
    # ${IPCHAIN_IN} -s 0/0 -d ${INT_IP} 80 -l ${DEN1}
    # ${IPCHAIN_IN} -s 0/0 -d ${EXT_IP} 80 -l ${DEN1}
    echo "part 2 done."
    # Allow ssh traffic to/from the iiNet staff LAN
    # Allow int lan to ssh out
    # Block all other SSH traffic.
    # ${IPCHAIN_IN} -s 203.59.130.0/24 -d ${INT_IP} 22 ${ACC1}
    # ${IPCHAIN_IN} -s 203.59.130.0/24 -d ${EXT_IP} 22 ${ACC1}
    # Paul's rig, Allans Rig and modem SSH
    # ${IPCHAIN_IN} -s 203.57.128.68/32 -d ${EXT_IP} 22 ${ACC1}
    # ${IPCHAIN_IN} -s 0/0 22 -d ${EXT_IP} ${ACC1}
    # ${IPCHAIN_IN} -s 203.47.0.112/32 -d ${EXT_IP} 22 ${ACC1}
    # ${IPCHAIN_IN} -s 0/0 22 -d ${EXT_IP} ${ACC1}
    # ${IPCHAIN_IN} -s ${ALLAN} -d 0/0 22 ${ACC1}
    # ${IPCHAIN_IN} -s 0/0 -d 0/0 22 -l ${DEN1}
    echo "part 3 done."
    # This lan is allowed to access the LAN
    ${IPCHAIN_IN} -s ${INTLAN} -d ${INTLAN} ${ACC1}
    ${IPCHAIN_IN} -s ${INTLAN} -d ${INTLAN} ${ACC2}
    # Nothing else should get into the LAN.
    ${IPCHAIN_IN} -s 0/0 -d ${INTLAN} -l ${DEN1}
    ${IPCHAIN_IN} -s 0/0 -d ${INTLAN} -l ${DEN2}
    # Now add the rules and set the default policy
    /sbin/ipchains --append input --interface ppp+ --jump ppp-in # ***
    /sbin/ipchains --policy input REJECT
    /sbin/ipchains --policy output ACCEPT
    /sbin/ipchains --policy forward ACCEPT
    # Firewall has been configured
    echo "B AWARE, stay alert and trust no-one. Protection is active."
    touch /var/lock/subsys/firewall
    ;;
stop)
    # Flush every chain (including forward, so any MASQ rule set up elsewhere
    # is gone too) and open the default policies.
    /sbin/ipchains -F
    /sbin/ipchains --policy input ACCEPT
    /sbin/ipchains --policy output ACCEPT
    /sbin/ipchains --policy forward ACCEPT
    echo "You've dropped your guard. Death is but a soul away..."
    rm -f /var/lock/subsys/firewall
    ;;
*)
    echo "Usage: firewall {start|stop}"
    exit 1
esac
exit 0
================Sig Start==================
Motto for the I.T. Industry:
BIGGER, <i>faster</i>, <b>more</b>, <u>NOW!</u>
Thought for the future:
If you thought the Y2k Bug was a media frenzie,
just you wait till the IPv6 issue is announced...
================Sig Stop==================
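A guard for the failure the script above runs into, as an added example that is not part of Marcus's post: a variable that was never defined (here ${EXTLAN}) expands to nothing, so "-s ${EXTLAN} -d ${EXT_IP}" reaches ipchains as "-s -d 203.57.131.0/32" and ipchains replies with its usage line. The helper names check_vars and rule are hypothetical, and IPCHAINS defaults to a dry run that only echoes the command it would have executed.

```shell
#!/bin/sh
# Added example, not Marcus's script. check_vars and rule are hypothetical
# helpers. IPCHAINS defaults to echoing; set IPCHAINS=/sbin/ipchains to apply.
IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"

# Refuse to continue if any named variable is unset or empty. Run on the
# definitions block, this catches ${EXTLAN} before any ipchains call is made.
check_vars() {
    for v in "$@"; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "firewall: variable $v is not defined" >&2
            return 1
        fi
    done
    return 0
}

# Wrapper around one ipchains call: -s and -d must each be followed by an
# address, never by another option or by nothing at all. An empty expansion
# produces exactly the "-s -d ..." argument list that makes ipchains print
# "Try /sbin/ipchains -h", so it is rejected here with a readable message.
rule() {
    prev=""
    for a in "$@"; do
        case "$prev" in
        -s|-d)
            case "$a" in
            -*|"") echo "rule: missing address after $prev in: $*" >&2; return 2 ;;
            esac
            ;;
        esac
        prev="$a"
    done
    case "$prev" in
    -s|-d) echo "rule: missing address after $prev in: $*" >&2; return 2 ;;
    esac
    $IPCHAINS "$@"
}

# Constructed sample values mirroring the post; EXTLAN is deliberately unset.
INTLAN="192.168.100.0/24"
EXT_IP="203.57.131.0/32"
ACC1="--proto tcp --interface ppp+ --jump ACCEPT"

# The complete rule is accepted; the one built from EXTLAN is rejected.
rule --append ppp-in -s "$INTLAN" -d "$EXT_IP" 53 $ACC1
rule --append ppp-in -s ${EXTLAN} -d "$EXT_IP" 53 $ACC1 || echo "rule rejected (EXTLAN unset)" >&2
```

Putting `set -u` at the top of the init script is the one-line version of check_vars: the shell itself aborts at the first expansion of an unset variable instead of handing a half-built command line to ipchains.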