Jamin

It's hard to believe, but I've been using your Firewall stuff since 2001. It has performed perfectly as Linux has changed. I've gone from Red Hat <low-number>, and am now on CentOS 5.4 (equivalent to RHEL 5.4). I've gone from 32-bit to 64-bit, but have not yet taken the leap to IPv6.

During my experimentation with KVM (Kernel Virtual Machine), I came across the need to issue a command to IPTABLES every time the firewall started, and found no convenient way to do it in the ancient version of your script that I was running. The command would allow all traffic to/from the bridge.
So, I downloaded the current one and started reading the configuration file.

I found that POSTSTART and POSTRESTART would allow me to issue the command:

  $IPTABLES -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

However, a quick scan of the configuration file did not reveal the ability to forward GRE (the PPTP interface) to a Windows box inside. This was, as I recall, added at my request way back when, and used the symbol

  PROTO_FORWARDS

In that ancient copy of the firewall script, the "temp" function (invoked to run everything) included at the end an invocation of the following function, copied from that script:

______________CODE_______________
#
# This forwards protocols, primarily to support GRE
# into an inside PPTP server.
#
# Assumes $PROTO_FORWARDS has the format:
#    PROTO_FORWARDS="1.2.3.4(47)-192.168.0.100 1.2.3.4(48)-192.168.0.101"
# or   <external-address>(protocol)-<internal-address>
#
# For PPTP, however, don't forget to forward port 1723 to the server
#

forward_protocols () {
 for PROTO_FORWARD in $PROTO_FORWARDS; do

  # separate local and remote addresses:
  # EXT_F is "<external-address>(protocol)", INT_F is "<internal-address>"

  EXT_F=`echo $PROTO_FORWARD | cut -f1 -d-`
  INT_F=`echo $PROTO_FORWARD | cut -f2 -d-`
  E_IP=`echo $EXT_F | sed "s/(.*)//g"`          # strip "(protocol)"
  PROTO=`echo $EXT_F | sed "s/.*(\|)//g"`       # keep only the protocol
  I_IP=`echo $INT_F | sed "s/(.*)//g"`

  echo -n "Forwarding proto $PROTO from $E_IP to $I_IP:"

  # accept the protocol through the filter/nat/mangle chains, then DNAT
  # the external address to the internal host; report success only if
  # every rule was added
  $IPTABLES -t filter -A FORWARD     -p $PROTO -d $I_IP -j ACCEPT && \
  $IPTABLES -t nat    -A POSTROUTING -p $PROTO -d $I_IP -j ACCEPT && \
  $IPTABLES -t mangle -A PREROUTING  -p $PROTO -d $E_IP -j ACCEPT && \
  $IPTABLES -t nat    -A PREROUTING  -p $PROTO -d $E_IP -j DNAT \
           --to-destination $I_IP && \
  success $"Forwarding proto $PROTO from $E_IP to $I_IP:" || \
  failure $"Forwarding proto $PROTO from $E_IP to $I_IP:"
  echo ""
 done
}
______________END CODE ______________________

I realize that I could actually do this by myself in the POST... routines, but perhaps you'd like to re-introduce this into your script. If I've missed something, please let me know.

David Kurn
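
An added example (not from the mail above or from the firewall script) that builds the same four rules for one PROTO_FORWARDS entry but checks the addresses and protocol first, since the original hands whatever is in the variable straight to iptables. The function names is_ipv4, is_proto and forward_protocol are my own; IPTABLES defaults to echo so the rules are printed rather than applied.

```sh
#!/bin/sh
# Added example, not from the firewall script: validate a PROTO_FORWARDS entry
# (<ext-ip>(<proto>)-<int-ip>) before building the same four rules as above.
# IPTABLES defaults to "echo" (dry run); set IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo}"

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255
is_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  rest=$1; n=0
  while :; do
    octet=${rest%%.*}                 # text before the next dot
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    [ "$rest" = "$octet" ] && break   # no dot left, so this was the last octet
    rest=${rest#*.}
  done
  [ "$n" -eq 4 ]
}

# is_proto PROTO: a protocol number 0-255 (47 is GRE) or a protocol name
is_proto() {
  case "$1" in
    '') return 1 ;;
    *[!0-9]*) case "$1" in *[!A-Za-z]*) return 1 ;; esac ;;
    *) [ "$1" -le 255 ] || return 1 ;;
  esac
  return 0
}

# forward_protocol ENTRY: emit the rules for one entry, or fail on a malformed
# one instead of handing an unchecked string to iptables
forward_protocol() {
  entry=$1
  case "$entry" in *"("*")"-*) ;; *) echo "bad entry: $entry" >&2; return 1 ;; esac
  e_ip=${entry%%\(*}        # before "("
  rest=${entry#*\(}         # after "("
  proto=${rest%%\)*}        # before ")"
  i_ip=${rest#*\)-}         # after ")-"
  is_ipv4 "$e_ip" && is_ipv4 "$i_ip" && is_proto "$proto" || {
    echo "bad entry: $entry" >&2; return 1; }
  $IPTABLES -t filter -A FORWARD     -p "$proto" -d "$i_ip" -j ACCEPT &&
  $IPTABLES -t nat    -A POSTROUTING -p "$proto" -d "$i_ip" -j ACCEPT &&
  $IPTABLES -t mangle -A PREROUTING  -p "$proto" -d "$e_ip" -j ACCEPT &&
  $IPTABLES -t nat    -A PREROUTING  -p "$proto" -d "$e_ip" -j DNAT --to-destination "$i_ip"
}
```

Looping over $PROTO_FORWARDS as the original does is then `for e in $PROTO_FORWARDS; do forward_protocol "$e" || exit 1; done`, which stops on the first bad entry instead of leaving a half-built rule set.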


--
To UNSUBSCRIBE, email to firewall-requ...@asgardsrealm.net with a subject of "unsubscribe". Trouble? Contact li...@asgardsrealm.net
List archives:  http://asgardsrealm.net/lurker/splash/index.html
