Sorry for the confusing post, I hope this is more helpful.
I am trying to get a LRP box going that does not use dhcpd, firewall or
masqarading. This is a diagram of the network at present. I can not
shutdown the office LAN, so this configuration is for testing, when I have
proved I can make it work my boss will let me switch it over to putting the
LRP before the hub. The router will still handle the DHCP, firewall, and
masquarding. I know that it looks like the LRP is going to be doing nothing
but passing along packets, but if this works I will put another NIC in the
LRP and connect it to a cable modem and hopefully combine the two
bandwidths. Because of the situation, I have to prove each step so that my
boss will let me proceed.
DSL router crossover
uses dhcp to eth1 192.168.1.254 cable
give out >----> hub >-----------LRP >------------>laptop
192.168.1.xxx eth0 192.168.1.144 manual configure
DSL router IP,DNS,and Gateway
IP is 192.168.1.1
This what I have done.
1. from the LRP disk - delete DHCPD.lrp and remove DHCPD from the line in
syslinux.cfg
2. in network.conf change IPFILTER_SWITCH=FIREWALL to be
IPFILTER_SWITCH=ROUTER and MASQ_SWITCH=YES to be MASQ_SWITCH=NO
3. in ipfilter.conf comment out lines under "RFC 1918/1627/1597
blocks" and "Rrevent RFC 1918/1627/1597 IP packets from coming in" and
"stop outgoing RFC 1918/1627/1597 packets" that have
...deny...192.168.0.0/16.... in it.
This is what I can do:
>From LRP I can Ping eth0, eth1, and laptop
>From laptop I can ping eth0 and eth1
This is what I can not do:
>From LRP I can not ping 192.168.1.1 (this is where the LRP is getting its IP
of 192.168.1.144) I can get an IP address, but can not ping it.
>From the laptop I can not ping 192.168.1.1
>From the LPR or laptop I can not ping anything on the internet, includeing
my DNS server.
I can not figure out why I can not ping the DSL router from either laptop or
LRP box when I can get an IP address from it, or ping the internet.
If there is anything else I need to do or if I am doing things I dont need
to do please let me know.
Thanks so much for any and all help,
David
BTW: what does the bonding.o module do?
Here is the acctual network.conf and ipfilter.conf on my LRP box.
NETWORK.CONF
############################################################################
###
# Brief instructions for this file
############################################################################
###
#
# VERBOSE=(YES/NO) Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int) Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entires)
# Setting this value too high will decrease the speed of the configuation
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# Enable IP forwarding in the kernel. FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO) Default: NO
# Enable IP Global defragmentation in the kernel.
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets.
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm. DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCes. This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transperent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a usful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO) Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO) Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO) Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST Default: "$IF_AUTO"
# A space seperated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO Default: "eth0"
# A space seperated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall) Default: "none"
# Selects the basic IP filtering/firewalling setup of the router. "None"
# is used for a straight through router, "router" for a filtering router
with
# IP spoof protection and Martian protection and "firewall" for a basic IP
# masquerading/NAT firewall. The basic filter types are provided in
# /etc/ipfilter.conf. If you want more than what is provided read the man
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
############################################################################
###
# General Settings
############################################################################
###
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
############################################################################
###
# Interfaces
############################################################################
###
# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
IF_AUTO="eth1"
# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES
# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""
eth0_IPADDR=0.0.0.0
eth0_MASKLEN=0
eth0_BROADCAST=0.0.0.0
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running
these.
eth0_DEFAULT_GW=0.0.0.0
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy
ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit # Device bandwidth
#eth0_HNDL=2 # Queue Handle - must be unique
#eth0_IABURST=100 # Interactive Burst
#eth0_IARATE=1Mbit # Interactive Rate
#eth0_PXMTU=1514 # Physical MTU - includes Link Layer header
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=192.168.1.255
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO
# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit # Usually you set this to the CIR
#fr498_BULKBURST=50 # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface
#fr498_IABURST=512 # No of Interactive Burst packets
#fr498_IARATE=640Kbit # Burst capicity bandwith between
# BURST and CIR
#fr498_HNDL=2 # The queue handle - must be unique Dialup PPP is
1000+
#fr498_PXMTU=1508 # The Physical MTU of the interface (data + MAC
header)
# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
ppp_BNDWIDTH=30Kbit
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp_IABURST=20
ppp_IARATE=10Kbit
ppp_PXMTU=1500
############################################################################
###
# IP Filter setup - can pull in settings from above
############################################################################
###
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=router
# This set of variables is used with both sets of filters
SNMP_BLOCK=YES # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
SNMP_MANAGER_IPS=""
# Fair Queuing support
# List of Mark values
MRK_CRIT=1 # Critical traffic, routing, DNS
MRK_IA=2 # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark
values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain
${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
# This set of variables is used with the basic routing filter setup
# This set of variables is used with a basic IP masquerading firewall setup
#Notation - IP addresses/masklen
#
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
# port forwarding when EXTERN_DYNADDR is on because some security
# leaks will result. You may also want to limit the external open
# ports to domain (UDP) for DNS. Anyhow, these features are not that
# usable unless you have a static external address
#
EXTERN_IF="eth0" # External Interface
#
# Start of changes by Charles Steinkuehler for DHCP
#
# Added for DHCP support
# Setting this to YES causes the script to read EXTERN_IP directly from
# the interface
EXTERN_DHCP=YES # - YES/NO
# The interface to configure via dhcp
IF_DHCP=$EXTERN_IF
# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if
you
# are using DHCP
# External Address dynamically assigned
EXTERN_DYNADDR=NO # - YES/NO
# -- OR --
EXTERN_IP=0.0.0.0 # External Interface IP number
# If external interface is DHCP, read the IP address
# This should probably be moved to the init.d network script, but it seemed
# I put it here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" ] || \
[ "$EXTERN_DHCP" = "Yes" ] || \
[ "$EXTERN_DHCP" = "yes" ]; then
# This computes the IP address of $EXTERN_IF
# Grep extracts just the line(s) with IP address information from the
output
# of ip addr. The first sed gets rid of all but the first line (in case
# there are several IP addresses for some reason), and next sed extracts
# just the IP address in dot quad notation.
EXTERN_IP=`ip addr list label $EXTERN_IF | \
grep inet | \
sed '1!d' | \
sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
# Debugging - Remove if you like
# echo Extern IP: $EXTERN_IP
# If the external address is not configured, use a bogus address for the
# external interface to prevent a bunch of (harmless) errors that spit out
# when the IPCHAINS script is called.
if [ x$EXTERN_IP = x ]; then
EXTERN_IP=192.168.254.254
fi
fi
# UDP Services open to outside world
# - srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc"
#
# End of changes made by Charles Steinkuehler for dhcp support
#
# TCP services open to outside world
# - srcip/mask_dstport
EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp"
# Internal interface
INTERN_IF="eth1" # Internal Interface
INTERN_NET=192.168.1.0/24 # Internal network (to be masqueraded)
INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=NO # Masquerade internal network to outside
# world - YES/NO
# These services are not masqueraded from inside to outside.
proto_destnet_port
# Allows the firewall to be trusted for ssh access to routers...
# Override for below
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
# services not to be masqueraded
#NOMASQ_DEST="tcp_0/0_ssh"
# Uncomment following for internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<extern-ip>_<extern-port>_<intern-ip>_<intern-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp
tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
# These lines use the primary external IP address...if you need to
port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1 # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH
access
############################################################################
###
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
############################################################################
###
if_up () {
local ADDR
# sort out a few things to make life easier - here so that you
# can see what is done and so that you can add anything if needed
eval local IPADDR=\${"$1"_IPADDR:-""} # I am also a good genius
eval local MASKLEN=\${"$1"_MASKLEN:-""}
eval local BROADCAST=\${"$1"_BROADCAST:-""}
eval local PTPADDR=\${"$1"_PTPADDR:-""}
eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local TXQLEN=\${"$1"_TXQLEN:-""}
eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
eval local BRIDGE=\${"$1"_BRIDGE:-""}
eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
if [ -n "$BROADCAST" ] ; then
IFCFG_BROADCAST="broadcast $BROADCAST"
fi
# Do dee global bridge stuff
brg_global
# Set default interface flags here - used for PPP and WAN interfaces
if_setproc default rp_filter $DEF_IP_SPOOF
if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
# Set up each interface
case $1 in
ppp0)
pppd call provider
;;
fr*)
wanconfig card wanpipe1 dev $1 start
ip addr add $IPADDR peer $PTPADDR dev $1
ip link set $1 up
# Fair queuing - this can be selected for any interface
ip_frQoS $1
;;
*) # default interface startup
brg_iface $1 up $BRIDGE
[ -n "$IPADDR" ] \
&& ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev
$1
for ADDR in $IP_EXTRA_ADDRS; do
ip addr add $ADDR dev $1
done
ip link set $1 up
# Fair queuing - this can be selected for any interface
ip_QoS $1
;;
esac
# Do universal interface config items here
# Default route support
[ -n "$DEFAULT_GW" ] \
&& ip route replace default nexthop via $DEFAULT_GW dev $1
# Set the TX Queue Length
[ -n "$TXQLEN" ] \
&& ip link set $1 txqlen $TXQLEN
# Spoof protection
if_setproc $1 rp_filter $IP_SPOOF
# Kernel logging of martians on this interface
if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
# Shared Media stuff
if_setproc $1 shared_media $IP_SHARED_MEDIA
# Proxy ARP support
if_setproc $1 proxy_arp $PROXY_ARP
return 0
}
if_down () {
# Do Dee global bridge stuff
brg_global
case $1 in
ppp*)
[ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
sleep 5 # Wait for pppd to die
;;
fr*)
qt ip link set $1 down
qt ip addr flush dev $1
qt wanconfig card wanpipe1 dev $1 stop
;;
*) # default action
brg_iface $1 down
ip link set $1 down # This also kills any routes
qt ip addr flush dev $1
;;
esac
# Clean up any QoS/fair queuing stuff
ip_QoSclear $1
true
} #END if_down
############################################################################
###
# Hostname Requires:
CONFIG_HOSTNAME=YES
############################################################################
###
HOSTNAME=myrouter
############################################################################
###
# Hosts file (Static domainname entires) Requires:
CONFIG_HOSTSFILE=YES
############################################################################
###
# IP FQDN hostname alias1
alias2..
HOSTS0="$eth0_IPADDR $HOSTNAME.private.network $HOSTNAME mr rtr"
#HOSTS1="192.168.1.22 host2.private.network host2 h2"
############################################################################
###
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
############################################################################
###
DOMAINS="private.network"
DNS0=192.168.1.254
#DNS1=0.0.0.0
############################################################################
###
# QoS/Fariqueing functions
############################################################################
###
ip_QoSclear () {
[ -x /sbin/tc ] \
&& qt tc qdisc del dev $1 root
return 0
}
ip_frQoS () {
# Set some vaiables
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local BULKRATE=\${"$1"_BULKRATE:-""}
eval local BULKBURST=\${"$1"_BULKBURST:-""}
eval local FRBURST=\${"$1"_FRBURST:-""}
eval local HNDL=\${"$1"_HNDL:-""}
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
eval local IARATE=\${"$1"_IARATE:-""}
eval local IABURST=\${"$1"_IABURST:-""}
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ ! -x /sbin/tc ]; then
return 1
fi
if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi
if [ -z "$BULKRATE" -o -z "$FRBURST" -o -z "$HNDL" -o -z "$PXMTU" \
-o -z "$BNDWIDTH" -o -z "$IARATE" -o -z "$IABURST" \
-o -z "$BULKBURST" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi
# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
bandwidth $BNDWIDTH avpkt 1000
# Set up classes
# Bulk class
tc class add dev $1 parent $HNDL:0 classid :1 \
est 1sec 8sec cbq bandwidth $BNDWIDTH \
rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
avpkt 1000 maxburst $BULKBURST \
split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive Class
tc class add dev $1 parent $HNDL:0 classid :2 \
est 2sec 16sec cbq bandwidth $BNDWIDTH \
rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
avpkt 1000 maxburst $IABURST \
split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 \
est 1sec 8sec cbq bandwidth $BNDWIDTH \
rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
avpkt 1000 maxburst 21
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 50 handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 60 handle $MRK_IA fw classid $HNDL:2
return 0
}
ip_QoS () {
# Set some vaiables
eval local HNDL=\${"$1"_HNDL:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
if [ -z "$FAIRQ" -a -n "$2" ]; then
local FAIRQ=$2
fi
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
if [ -z "$BNDWIDTH" -a -n "$3" ]; then
local BNDWIDTH=$3
fi
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ -z "$PXMTU" -a -n "$4" ]; then
local PXMTU=$4
fi
eval local IARATE=\${"$1"_IARATE:-""}
if [ -z "$IARATE" -a -n "$5" ]; then
local IARATE=$5
fi
eval local IABURST=\${"$1"_IABURST:-""}
if [ -z "$IABURST" -a -n "$6" ]; then
local IABURST=$6
fi
if [ ! -x /sbin/tc ]; then
return 1
fi
if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi
if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" -o -z "$HNDL" \
-o -z "$PXMTU" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi
# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
bandwidth $BNDWIDTH \
avpkt 1000
# Set up classes
# Bulk class
tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec \
cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive class
tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec \
cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \
allot $PXMTU avpkt 1000 bounded isolated weight 1 \
prio 2 split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec \
cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
allot $PXMTU avpkt 1000 bounded weight 1 prio 1
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 50 handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 60 handle $MRK_IA fw classid $HNDL:2 \
return 0
}
############################################################################
###
# End
############################################################################
###
IPFILTER.CONF
#
#
# ipfilter.conf This file contains the functions that contain the firewall
# and ipfilter configuration. This is an example setup for
# IP masquearding
#
# set -x # Uncomment for script debug
IPCH="/sbin/ipchains --no-warnings"
IPMASQADM=/usr/sbin/ipmasqadm
# DONT change this!
LOCAL_NET=127.0.0.0/8
LOCAL_IP=127.0.0.1
# Some functions to handle Protocol IP Port tuples
echoProto () {
local IFS='_'
set -- $1
echo $1
}
echoIpPort () {
local IFS='_'
set -- $1
echo "$2 $3"
}
echoSrvIpPort () {
local IFS='_'
set -- $1
echo "$4 $5"
}
echoMrkMark () {
local IFS='_'
set -- $1
echo $1
}
echoMrkProto () {
local IFS='_'
set -- $1
echo $2
}
echoMrkIpPort () {
local IFS='_'
set -- $1
echo "$3 $4"
}
echoBpSrc () {
local IFS='_'
set -- $1
echo "$2"
}
echoBpDstPort () {
local IFS='_'
set -- $1
echo "$3 $4"
}
echoFwDstPort () {
local IFS='_'
set -- $1
echo "$2"
}
echoFwSrcIp () {
local IFS='_'
set -- $1
echo "$1"
}
# A function to filter out Martian source addresses
stopMartians () {
local LIST=$1
shift
# The source addresses listed here are conservatively
# invalid as they are either used as broadcast/multicast
# destation addresses, a special value in IP stacks, loopback
# networks and illegal/ambiguous Classed IP addressing networks.
#
# You can add your 'martian/invalid' source address blocks to the
# MARTIAN_NETS list in /etc/network.conf
# All ones, all zeroes
$IPCH -A $LIST -j DENY -p all -s 0.0.0.0 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 255.255.255.255 -d 0/0 -l $*
# Loop back addresses
$IPCH -A $LIST -j DENY -p all -s 127.0.0.0/8 -d 0/0 -l $*
# Multicast source addresses
$IPCH -A $LIST -j DENY -p all -s 224.0.0.0/4 -d 0/0 -l $*
# RFC 1918/1627/1597 blocks
$IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 172.16.0.0/12 -d 0/0 -l $*
# $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
# IANA reserved blocks (Martians from the gated restricted list
# - actually impossible/ambiguous classed networks)
$IPCH -A $LIST -j DENY -p all -s 0.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 128.0.0.0/16 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 191.255.0.0/16 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.0.0.0/24 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 223.255.255.0/24 -d 0/0 -l $*
# Class E address (experimental use)
$IPCH -A $LIST -j DENY -p all -s 240.0.0.0/4 -d 0/0 -l $*
# Addtions/other IANA reserved blocks
for NET in $MARTIAN_NETS; do
$IPCH -A $LIST -j DENY -p all -s $NET -d 0/0 -l $*
done; unset NET
}
# A function to block services that give trouble on an IFACE
standardBlock () {
local LIST=$1
shift
# Block SMB/Windows networking to protect Windows boxes and to stop
# Windows NT doing braindead things with mail, www, etc
# This also prevents Internet Explorer spraying user logins
# and passwords everywhere
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 netbios-ns $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 135 $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-ns $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 135 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0
netbios-dgm:netbios-ssn $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-dgm $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 netbios-ns:netbios-dgm -d 0/0
$*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 135 -d 0/0 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 netbios-ns:netbios-ssn -d 0/0
$*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 135 -d 0/0 $*
}
# A function to control SNMP access on a network
snmpBlock () {
local LIST=$1
local DEST_IP=$2
local SNMP_IP
shift 2
if [ "$SNMP_BLOCK" != "YES" -a "$SNMP_BLOCK" != "Yes" \
-a "$SNMP_BLOCK" != "yes" ] ; then
return 0
fi
for SNMP_IP in $SNMP_MANAGER_IPS; do
$IPCH -A $LIST -j ACCEPT -p udp -s $SNMP_IP -d $DEST_IP
161:162 $*
done; unset SNMP_IP
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d $DEST_IP 161:162 -l $*
}
# A function to mark packets for classification
ipfilter_fairq () {
[ -z "$CLS_FAIRQ" ] && return 0
# Create new chain
$IPCH -N fairq
# Populate chain
for CLS in $CLS_FAIRQ; do
$IPCH -A fairq -j RETURN -m `echoMrkMark $CLS` -p `echoMrkProto
$CLS` \
-d `echoMrkIpPort $CLS` -b
done; unset CLS
return 0
}
# A function to flush the filters (for internal use)
ipfilter_flush () {
# Flush the filters out
$IPCH -F input # input firewall list
$IPCH -F output # output firewall list
$IPCH -F forward # forwarding firewall list
# Flush fairq chain!
[ -n "$CLS_FAIRQ" ] && qt $IPCH -F fairq && qt $IPCH -X fairq
# Flush portfw rules
[ "$IPPORTFW" ] && $IPMASQADM portfw -f
# Flush autofw rules
[ "$IPAUTOFW" ] && $IPMASQADM autofw -F
# Flush mfw rules
[ "$IPMFW" ] && $IPMASQADM mfw -F
}
# A function to set the filter default policies
ipfilter_policy () {
$IPCH -P input $1
$IPCH -P output $1
$IPCH -P forward $1
}
# A function to clear the filters
ipfilter_clear () {
# Flush the filters
ipfilter_flush
# Reset the default policy
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy ACCEPT
}
# A function to configure the filters for routing
ipfilter_router_cfg () {
#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# Set up Fair Queueing classifier lists
ipfilter_fairq
# Forwarding
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A forward -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A forward -j ACCEPT -p all -s 0/0 -d 0/0
# Incoming Stuff
# Do this here to control junk coming in - good for defending against flood
# attacks
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" = "yes"
];
then
# Origin blocking
for SRC in $BLOCKED_INSRC; do
$IPCH -A input -j DENY -p `echoProto $SRC` \
-s `echoIpPort $SRC` -i $EXTERN_RIF
done; unset SRC
for SRC in $LOGGED_BLOCKED_INSRC; do
$IPCH -A input -j DENY -p `echoProto $SRC` \
-s `echoIpPort $SRC` -i $EXTERN_RIF -l
done; unset SRC
fi
# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" = "yes"
];
then
# Get rid of incoming Martians
stopMartians input -i $EXTERN_RIF
# Prevent RFC 1918/1627/1597 IP packets from coming in
$IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
# $IPCH -A input -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i
$EXTERN_RIF
$IPCH -A input -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i $EXTERN_RIF
# Allow icmp/BGP coming in on our link net
if [ -n "$LINK_NET" ]; then
$IPCH -A input -j ACCEPT -p icmp -s $LINK_NET -d 0/0 \
-i $EXTERN_RIF
$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET -d $LINK_NET
bgp \
-i $EXTERN_RIF
$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET bgp \
-d $LINK_NET 1024:65535 ! -y -i $EXTERN_RIF
# $IPCH -A input -j ACCEPT -p udp -s $LINK_NET -d $LINK_NET
egp \
# -i $EXTERN_RIF
# $IPCH -A input -j ACCEPT -p udp -s $LINK_NET egp \
# -d $LINK_NET 1024:65535 -i $EXTERN_RIF
fi
# Get rid of fake packets from our internal source addresses
for IP in $IP_BLOCKS; do
$IPCH -A input -j DENY -p all -s $IP -d 0/0 -i $EXTERN_RIF
-l
done; unset IP
# Destination blocking
for DEST in $BLOCKED_INDEST; do
$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF
done; unset DEST
for DEST in $LOGGED_BLOCKED_INDEST; do
$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF -l
done; unset DEST
# SNMP control - Prevent SNMP access to our network
if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
-o "$SNMP_BLOCK" = "yes" ] ; then
$IPCH -A input -j REJECT -p udp -s 0/0 -d 0/0 161:162 \
-i $EXTERN_RIF -l
fi
# Block SMB stuff on input interface
if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
"$SMB_BLOCK" = "yes" ]; then
standardBlock input -i $EXTERN_RIF
fi
# DNS control - only allow certain machines to do zone transfers
if [ -n "$DNS_IPS" ]; then
for IP in $DNS_IPS; do
$IPCH -A input -j ACCEPT -p tcp -d 0/0 domain -i
$EXTERN_RIF
done; unset IP
$IPCH -A input -j REJECT -p tcp -d 0/0 domain -i $EXTERN_RIF
-l
fi
fi
# Stop address spoofing - uncomment the next two lines if needed
# $IPCH -A input -j ACCEPT -p all -s $LOCAL_IP -d 0/0 -i lo
# stopMartians input
# Control SNMP access in network
snmpBlock input 0/0 -b
# On all other interfaces accept everything.
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A input -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0
# Outgoing stuff
# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq
# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" = "yes"
]
then
# Stop outgoing RFC 1918/1627/1597 packets
$IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
#$IPCH -A output -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i
$EXTERN_RIF
$IPCH -A output -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i
$EXTERN_RIF
# Log and stop certain outgoing traffic
for DEST in $BLOCKED_OUTDEST; do
$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF
done; unset DEST
for DEST in $LOGGED_BLOCKED_OUTDEST; do
$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF -l
done; unset DEST
# Block SMB stuff on output interface
if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
"$SMB_BLOCK" = "yes" ]; then
standardBlock output -i $EXTERN_RIF
fi
# Control Outgoing Source addresses
for IP in $IP_BLOCKS; do
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A output -j ACCEPT -f -p all -s $IP -d 0/0 \
-i $EXTERN_RIF
fi
$IPCH -A output -j ACCEPT -p all -s $IP -d 0/0 -i
$EXTERN_RIF
done; unset IP
$IPCH -A output -j DENY -p all -i $EXTERN_RIF -l
fi
#
# Server screening control.
#
for IF in $SERVER_RIFS; do
# localise variables
eval local BYPASS=\${"$IF"_BYPASS:-""}
eval local PORT_BLOCK=\${"$IF"_PORT_BLOCK:-""}
eval local LOGGED_PORT_BLOCK=\${"$IF"_LOGGED_PORT_BLOCK:-""}
eval local SMB_BLOCK=\${"$IF"_SMB_BLOCK:-""}
eval local HOST_BYPASS=\${"$IF"_HOST_BYPASS:-""}
eval local HOST_ACKPASS=\${"$IF"_HOST_ACKPASS:-""}
eval local HOST_BLOCK=\${"$IF"_HOST_BLOCK:-""}
# Block Martians
stopMartians output -i $IF
# Bypass for port blocks
for PASS in $BYPASS; do
$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS` -i $IF
done; unset PASS
# Port Blocks
for DEST in $PORT_BLOCK; do
$IPCH -A output -j REJECT -p `echoProto $DEST` \
-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF
done; unset DEST
for DEST in $LOGGED_PORT_BLOCK; do
$IPCH -A output -j REJECT -p `echoProto $DEST` \
-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF -l
done; unset DEST
# SMB blocking
if [ "$SMB_BLOCK" != "NO" -a "$SMB_BLOCK" != "No" \
-a "$SMB_BLOCK" != "no" ]; then
standardBlock output -i $IF
fi
#Host Bypassing
for PASS in $HOST_BYPASS; do
$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS` -i $IF
done; unset PASS
#Host Blocking
for DEST in $HOST_BLOCK; do
$IPCH -A output -j REJECT -p tcp -s 0/0 -d $DEST auth -i $IF
done; unset DEST
for PASS in $HOST_ACKPASS; do
$IPCH -A output -j ACCEPT -p tcp \
-s 0/0 -d $PASS 1024:65535 -i $IF ! -y
done; unset PASS
for DEST in $HOST_BLOCK; do
$IPCH -A output -j DENY -p all -s 0/0 -d $DEST -i $IF -l
done; unset DEST
# Otherwise, accept all output on this interface
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
# Handle fragmented packets
$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0 -i $IF
done; unset IF
# On all other interfaces accept anything
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0
}
# A function to configure the filters for firewalling
ipfilter_firewall_cfg () {
local ADDR
local DEST
local NET
#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# Set up Fair Queueing classifier lists
ipfilter_fairq
#
# Set up forwarding
#
# Set up masquerading timout values
$IPCH -M -S 14400 0 0
# Stop forwarding of ICMP redirects
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
# Handle masquerading denial - always valid because this controls access
# to DMZ from inside etc.
for PORT in $NOMASQ_DEST_BYPASS; do
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p `echoProto $PORT` \
-s $NET -d `echoIpPort $PORT`
done; unset NET
done; unset PORT
for PORT in $NOMASQ_DEST; do
for NET in $INTERN_NET; do
$IPCH -A forward -j REJECT -p `echoProto $PORT` \
-s $NET -d `echoIpPort $PORT`
done; unset NET
done; unset PORT
# Connect DMZ to internet
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
# Masquerade internal network to DMZ network
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i
$DMZ_IF
done; unset NET
for DEST in $DMZ_CLOSED_DEST; do
$IPCH -A forward -j REJECT -p `echoProto $DEST` \
-d `echoIpPort $DEST` -i $DMZ_IF
done; unset DEST
for DEST in $DMZ_OPEN_DEST; do
$IPCH -A forward -j ACCEPT -p `echoProto $DEST` \
-d `echoIpPort $DEST` -i $DMZ_IF
done; unset DEST
if [ "$DMZ_HIGH_TCP_CONNECT" = "YES" \
-o "$DMZ_HIGH_TCP_CONNECT" = "Yes" \
-o "$DMZ_HIGH_TCP_CONNECT" = "yes" ]; then
$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
-d $DMZ_NET 1024:65535 -i $DMZ_IF
else
$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
-d $DMZ_NET 1024:65535 -i $DMZ_IF ! -y
fi
$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF
$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
-d 0/0 -i $EXTERN_IF
$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
fi
# Set up port forwards for internal services
for DEST in $INTERN_SERVERS; do
# Can't deal with PASV mode
$IPMASQADM portfw -a -P `echoProto $DEST` \
-L `echoIpPort $DEST` -R `echoSrvIpPort $DEST`
$IPCH -A forward -j MASQ -p `echoProto $DEST` \
-s `echoSrvIpPort $DEST`
done; unset DEST
if [ -n "$INTERN_FTP_SERVER" ] ; then
# Can't deal with PASV mode
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ftp -R $INTERN_FTP_SERVER ftp
fi
if [ -n "$INTERN_WWW_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP www -R $INTERN_WWW_SERVER www
fi
if [ -n "$INTERN_SMTP_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP smtp -R $INTERN_SMTP_SERVER
smtp
fi
if [ -n "$INTERN_POP3_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP pop-3 -R $INTERN_WWW_SERVER
pop-3
fi
if [ -n "$INTERN_IMAP_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP imap -R $INTERN_IMAP_SERVER
imap
fi
if [ -n "$INTERN_SSH_SERVER" ] ; then
if [ -n "$EXTERN_SSH_PORT" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_SSH_PORT \
-R $INTERN_SSH_SERVER ssh
else
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ssh \
-R $INTERN_SSH_SERVER ssh
fi
fi
# Masquerade internal network to world
if [ "$MASQ_SWITCH" = "YES" -o "$MASQ_SWITCH" = "Yes" \
-o "$MASQ_SWITCH" = "yes" ]; then
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p all -s $NET -d 0/0 -i $EXTERN_IF
done; unset NET
fi
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A forward -j DENY -p all -s 0/0 -d $DMZ_NET -i $DMZ_IF -l
fi
$IPCH -A forward -j DENY -p all -s 0/0 -d 0/0
#
# EXTERNAL INTERFACE
#
# Input filter
# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
# Spoofing prevention
stopMartians input -i $EXTERN_IF
for NET in $INTERN_NET; do
$IPCH -A input -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF -l
done; unset NET
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A input -j DENY -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF -l
fi
if [ "$EXTERN_DYNADDR" = "YES" -o "$EXTERN_DYNADDR" = "Yes" \
-o "$EXTERN_DYNADDR" = "yes" ]; then
# Spoof protection
if_setproc $EXTERN_IF rp_filter YES
# Kernel logging of martians on this interface
if_setproc $EXTERN_IF log_martians YES
local EX_IP=0/0
else
for ADDR in $EXTERN_IP; do
$IPCH -A input -j DENY -p all -s $ADDR -d 0/0 \
-i $EXTERN_IF -l
done; unset ADDR
local EX_IP=0/0
fi
# Turn off all traffic from net to internal IP numbers
$IPCH -A input -j REJECT -p all -s 0/0 -d $LOCAL_NET -i $EXTERN_IF -l
for NET in $INTERN_NET; do
$IPCH -A input -j REJECT -p all -s 0/0 -d $NET -i $EXTERN_IF -l
done; unset NET
# Stop Netbios shenanagans
standardBlock input -i $EXTERN_IF
# Bypass filters below for DMZ_NET access - port control done in forwarding
# firewall
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A input -j ACCEPT -p all -s 0/0 -d $DMZ_NET -i $EXTERN_IF
fi
# TCP
# Open specified TCP services to the world
for SERVICE in $EXTERN_TCP_PORTS; do
$IPCH -A input -j ACCEPT -p tcp -s `echoFwSrcIp $SERVICE` \
-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# auth - send a reject packet. You may want to to forward this to an
internal bo# x if using IRC. Here so that a rule above can override
$IPCH -A input -j REJECT -p tcp -s 0/0 -d 0/0 auth -i $EXTERN_IF
# NFS server protection
# $IPCH -A input -j DENY -p tcp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Accept all incoming TCP packets to the External interface on
non-priveleged
# ports
$IPCH -A input -j ACCEPT -p tcp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
#UDP
# SNMP control
snmpBlock input $EX_IP -i $EXTERN_IF
# Open specfied UDP services to the world
for SERVICE in $EXTERN_UDP_PORTS; do
$IPCH -A input -j ACCEPT -p udp -s `echoFwSrcIp $SERVICE` \
-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# Block NFS access
#$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Block all incoming DHCP/BOOTP queries - this bypasses the logging further
down
$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 bootps -i $EXTERN_IF
# Allow UDP masquerading for non-priviliged services Comment this out for
# higher security
$IPCH -A input -j ACCEPT -p udp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
#ICMP
# Uncomment the following to protect against ping bomb attacks on Windows
# $IPCH -A input -j DENY -p icmp -s 0/0 0 8 -d 0/0 -i $EXTERN_IF -l
$IPCH -A input -j ACCEPT -p icmp -s 0/0 -d $EX_IP -i $EXTERN_IF
# Allow OSPF through - this is for gated to work
$IPCH -A input -j ACCEPT -p 89 -s 0/0 -d 0/0 -i $EXTERN_IF
# Bottom line - DENY anything that does not match
$IPCH -A input -j DENY -p all -s 0/0 -d 0/0 -i $EXTERN_IF -l
#
# Global Incoming
#
# Global control on SNMP
snmpBlock input 0/0 -b
# Allow input on all other interfaces
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0
# Outgoing stuff
# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq
#Guard against sending rubbish onto Internet
stopMartians output -i $EXTERN_IF
for NET in $INTERN_NET; do
$IPCH -A output -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF
done; unset NET
# Stop Netbios
standardBlock output -i $EXTERN_IF
# Allow output on all other interfaces
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0
}
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
