On Mon, 29 Apr 2002, Moti wrote:
> Hi,
> I'm moving our Checkpoint firewall (4.1) to iptables and Linux.
> This alone is worth your comments ;-) ..
> We have a lot of objects and I was thinking of a way to put them all in a
> script.
> I was wondering if anyone uses external files and loops for objects.
> I think an example will be more efficient (my English sucks ..).
> I have a file called internal_networks ->
> cat internal_networks >
> 192.168.0.0/24
> 192.168.1.0/24
> 192.168.2.0/24
> and so on
> and the script has a loop
> # MASQUERADE (and -o) are only valid in the nat table's POSTROUTING chain
> for net in $(cat internal_networks); do
>     iptables -t nat -A POSTROUTING -o eth0 -s "$net" -j MASQUERADE
> done
Do it all the time. I have one main config file that lists "objects"; in
some cases these objects are actual, such as 192.168.1.0/24, and in some
cases virtual, as in "/etc/sysconfig/myinternalnets.conf".
Then I have several function files that contain functions to do the
various stuff. For example:
log_firewall() {
    [ ${FWLOG} -eq 0 ] && return 0
    fwlog=0
    while [ $fwlog -lt $FWLOG_HIGH ]; do
        # indirect expansion: FWLOG_INT0, FWLOG_PROTO0, FWLOG_PORTS0_tcp, ...
        for INT in `eval echo -n '$FWLOG_INT'$fwlog` ; do
            for PROTO in `eval echo -n '$FWLOG_PROTO'$fwlog`; do
                for PORTS in `eval echo -n '$FWLOG_PORTS'${fwlog}'_'${PROTO}`; do
                    # pakfw is the author's wrapper around the iptables call;
                    # its definition is not shown in this post
                    pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables -I \
                        acctfwd -i $INT -p $PROTO -s 0/0 -d 0/0 --dport $PORTS \
                        -j LOG --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
                        --log-tcp-options --log-ip-options --log-level debug
                    pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables \
                        -I acctin -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j LOG \
                        --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
                        --log-tcp-options --log-ip-options --log-level debug
                    pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables -I \
                        acctout -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j LOG \
                        --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
                        --log-tcp-options --log-ip-options --log-level debug
                done
            done
        done
        fwlog=$((fwlog + 1))
    done
} &>/dev/null   # bash: silence the whole function's output
Which does a triple loop over the variables FWLOG_INT, FWLOG_PROTO, and
FWLOG_PORTS for each FWLOG_HIGH. These variables are coded in the firewall
logging file as in:
# These define the packet logging for the interfaces. This is the standard
# logging through iptables.
FWLOG_HIGH=2
FWLOG_INT0=eth0
FWLOG_PROTO0="tcp udp"
FWLOG_PORTS0_tcp="0:21 23:79 81:1023"
FWLOG_PORTS0_udp="0:52 54:1023"
FWLOG_INT1=eth1
FWLOG_PROTO1="tcp udp"
FWLOG_PORTS1_tcp="0:21 23:79 81:1023"
FWLOG_PORTS1_udp="0:52 54:1023"
You get the picture...
> Will that be a good idea? Or would you recommend putting the vars in the
> script and looping over them (e.g. INTERNAL_NETS=`blah blah`)?
> thanks
> Moti
You could probably write a simple parser for the objects.C and your *.W
files that generates most of the netfilter actions for you. I considered
this a while ago but decided it was too much work. But if you did write a
parser converter from FW-1 -> NetFilter that would be cool.
--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: [EMAIL PROTECTED]
WWW: http://www.paktronix.com
--------------------------------------------------
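An added example, not code from this thread or from Paktronix's scripts: a
POSIX sh script that does what Moti's loop does (one MASQUERADE rule per
network listed in an objects file) and also what Matthew describes, an object
that is itself a file of objects. It goes beyond the thread in three ways a
practitioner wants before feeding file contents to iptables: comments and
blank lines in the objects file are tolerated, every object is checked to be
a dotted-quad network before it is passed on (a typo or a hostname is skipped
with a warning instead of aborting the ruleset half-loaded), and includes have
a depth limit so an include loop fails instead of recursing forever. The
variable names EXT_IF and IPTABLES, the function names, and the sample
objects files are assumptions made up for this example. By default it is a dry
run that prints the rules; the rule goes in the nat table's POSTROUTING chain,
which is where MASQUERADE and -o are valid.

```shell
#!/bin/sh
# Added example (not code from the thread): drive iptables from an "objects"
# file the way Moti's loop does, plus the checks a firewall script needs
# before handing file contents to iptables. Hypothetical names: the outside
# interface is $EXT_IF (default eth0) and $IPTABLES is the command to run;
# its default, echo, makes this a dry run that prints the rules instead of
# applying them (set IPTABLES=/sbin/iptables and run as root to apply).

IPTABLES="${IPTABLES:-echo}"
EXT_IF="${EXT_IF:-eth0}"

# is_cidr4 NET: succeed only for a dotted-quad, optionally with /0-32, so a
# hostname, typo or stray comment in the objects file never reaches iptables.
is_cidr4() {
    case "$1" in
        ''|/*|*/|*[!0-9./]*) return 1 ;;
    esac
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no "/": a single host
    { [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ]; } 2>/dev/null || return 1
    n=0
    rest="$addr."
    while [ -n "$rest" ]; do                   # walk the octets
        octet="${rest%%.*}"
        rest="${rest#*.}"
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# read_objects FILE [DEPTH]: print the file's objects one per line, with
# comments and blank lines stripped. A line that names a file (starts with
# "/") is a "virtual" object in Matthew's sense: its contents are included,
# with a depth limit so an include loop fails instead of recursing forever.
read_objects() {
    depth=${2:-0}
    if [ "$depth" -gt 4 ]; then
        echo "objects nested too deep at $1 (include loop?)" >&2
        return 1
    fi
    if [ ! -r "$1" ]; then
        echo "cannot read objects file $1" >&2
        return 1
    fi
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while read -r obj; do
        case "$obj" in
            /*) read_objects "$obj" $((depth + 1)) ;;
            *)  printf '%s\n' "$obj" ;;
        esac
    done
}

# masquerade_objects FILE: one MASQUERADE rule per network in FILE. Note the
# chain: MASQUERADE, like -o, is only valid in the nat table's POSTROUTING
# chain; iptables rejects it in PREROUTING.
masquerade_objects() {
    for net in $(read_objects "$1"); do
        if ! is_cidr4 "$net"; then
            echo "skipping invalid object '$net' from $1" >&2
            continue
        fi
        $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$net" -j MASQUERADE
    done
    return 0
}

# sample_objects: write a constructed, nested objects file (sample data made
# up for this example) into a temp directory and print its path.
sample_objects() {
    dir=$(mktemp -d)
    printf '%s\n' '192.168.2.0/24   # dmz' > "$dir/dmz"
    cat > "$dir/internal_networks" <<EOF
# internal networks, one per line
192.168.0.0/24
192.168.1.0/24
$dir/dmz
10.0.0.256/8      # typo: must be skipped, not handed to iptables
EOF
    echo "$dir/internal_networks"
}

# Dry run: prints three POSTROUTING rules and one warning for the typo.
masquerade_objects "$(sample_objects)"
```

Run it as is to see the rules it would add; the temp directory mktemp creates
for the sample files is left behind for inspection. The validation is
deliberately strict (digits, dots and one optional prefix only): an objects
file that is sourced as shell, as Matthew's variable files are, can execute
anything it contains, whereas a file read this way can at worst produce a
rule that iptables refuses.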