On Wed, 2006-11-15 at 20:29 +0000, Mick wrote:
> Hi All,
> 
> I have been using Daniel Robbins' basic script for years but now on a laptop 
> I have more than one way of connecting to the Internet.  The script uses the 
> variable UPLINK to define the incoming interface like so:
> ==============================================
> #change this to the name of the interface that provides your "uplink"
> #(connection to the Internet)

you could try modifying the script slightly:

> UPLINK="eth0"

make that
UPLINK="eth0 ppp0" # space separated

then I was going to say use a
for i in x; do ...; done
loop, but I realised that won't work exactly, because of the line
>        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
then something strange would happen.

What you're really saying is "for every interface not specified, accept
incoming packets".  This gets a bit tricky, because you either have to
parse the output of ifconfig (ugly) or specify the interfaces that are
NOT "uplinks" (prone to user error).

You could say:

UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        # loop variable must not be called IFS: IFS is the shell's field
        # separator, and overwriting it breaks the word splitting of ${UPLINK}
        for IFACE in `ifconfig | grep "Link encap:" | awk '{print $1}'`; do
                TRUSTED=yes
                for UPIF in ${UPLINK}; do
                        # if IFACE is one of the uplinks, keep it firewalled
                        [ "$IFACE" = "$UPIF" ] && TRUSTED=no
                done
                # otherwise accept all traffic on IFACE
                [ "$TRUSTED" = yes ] && iptables -A INPUT -i "$IFACE" -j ACCEPT
        done
fi

forget that! too ugly.  What are you really trying to do?  Make all your
interfaces the "uplink", i.e. firewalled?

In that case, just say this:

> UPLINK="who cares?"
> 
> if [ "$1" = "start" ]
> then
>         echo "Starting firewall..."
>         iptables -P INPUT DROP
>         iptables -A INPUT -i lo -j ACCEPT
>         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

done! Now everything is firewalled, and only lo is trusted.

However, I haven't seen the rest of this script, so I don't know if that
will break things.  Maybe you want to post back with some more info if
that doesn't suit your needs...

cya!
-- 
Iain Buchanan <iaindb at netspace dot net dot au>

        "How many people work here?"
        "Oh, about half."

-- 
gentoo-user@gentoo.org mailing list
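The two approaches discussed above, worked through as an added example that is not part of the thread or of Daniel Robbins' script: a default-deny INPUT chain that trusts only lo and replies to the host's own connections (the "who cares" version), plus the "every interface that is not an uplink is trusted" variant done without `-i !`, which takes exactly one interface name and so cannot express a list. The interface names in ALL_IFACES, and the helper names is_uplink, trusted_ifaces and gen_input_rules, are constructed for this example; a real host would fill ALL_IFACES from /sys/class/net or `ip -o link` rather than a fixed string. The script prints the rules instead of running them so they can be reviewed before being piped into sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): build the INPUT chain of a
# default-deny firewall for a laptop with several interfaces.  Everything
# listed in UPLINK stays firewalled; every other non-loopback interface is
# trusted.  Interface list below is constructed for the example.

ALL_IFACES="lo eth0 wlan0 ppp0 vboxnet0"   # constructed; use /sys/class/net on a real box
UPLINK="eth0 wlan0 ppp0"                    # space separated, as in the thread

# is_uplink IFACE -> status 0 if IFACE is one of the $UPLINK interfaces.
# The loop variable is deliberately not called IFS: IFS is the shell's field
# separator and overwriting it breaks the word splitting of $UPLINK.
is_uplink() {
    for up in $UPLINK; do
        [ "$1" = "$up" ] && return 0
    done
    return 1
}

# trusted_ifaces: print the non-loopback interfaces that are NOT uplinks,
# one per line.  This is the set "-i ! ${UPLINK}" was trying to express.
trusted_ifaces() {
    for iface in $ALL_IFACES; do
        [ "$iface" = lo ] && continue
        is_uplink "$iface" || printf '%s\n' "$iface"
    done
}

# gen_input_rules: print the iptables commands, one per line.  Pipe the
# output into sh as root to apply it; the default policy is DROP, so every
# packet arriving on an uplink that no later rule opens is discarded.
gen_input_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # loopback and replies to our own connections are always accepted
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # open up only the interfaces that are not uplinks
    for iface in $(trusted_ifaces); do
        echo "iptables -A INPUT -i $iface -j ACCEPT"
    done
}

gen_input_rules
```

Two caveats for this on a laptop: ppp0 and wlan0 appear and disappear, so the interface list must be taken at the moment the firewall is (re)started, and a per-interface ACCEPT for a trusted interface is only as safe as the network behind it. `-m state --state` is what the thread's script uses; on current kernels `-m conntrack --ctstate` is the equivalent.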