Some of you using DMZs may have noticed there's no automated way to provide
"restricted" access to your DMZ network (allow a service only to specific
remote IPs).  The current rules only allow all (0/0) or nothing.  While
it's easy enough to hand-code a couple of rules in ipchains.forward (that's
kind of what it's for), I recently had need for a more general solution for
this, and thought others might be interested in the functionality.

The directory /etc/privileged/ is scanned for files, which should have the
naming convention of <protocol>[.<port>] with protocol being a protocol
understood by ipchains (i.e. tcp, udp, all, 50, 88), and the optional port
also being a port specification as understood by ipchains (note that this
can include numeric specifications and ranges, and you can't specify ports
for protocols that don't support them).

Inside each of these files is a list of which remote IPs are allowed to
access the service, and (optionally) which DMZ systems they are allowed to
connect to.  If left blank, the remote IP is allowed to communicate on the
specified protocol/port to all DMZ IPs.

Comments and blank lines are allowed.  See the example
/etc/privileged/tcp.pop-3, below.

NOTE:  You may find it easier to administer a system like this by indexing
on the remote IPs or networks, rather than the protocol/port.
Modifications for this functionality are left to the reader...

And now, on with the code:

<START /etc/ipchains.forward>
# Read File procedure
#   Skip blank lines and comments (comments must start at column 1)
#   Lines are read one at a time (IFS is a bare linefeed inside the function)
ReadFile() {
        local IFS='
'
        while read line ; do
                case "$line" in
                \#*|"") continue ;;
                *)      echo "$line" ;;
                esac
        done <"$1"
}

OIFS="$IFS"

[ -d /etc/privileged ] || exit 0
cd /etc/privileged || exit 0
for FILE in * ; do
        [ -r "$FILE" ] || continue
        PROTO=${FILE%.*}
        PORT=${FILE#$PROTO}
        PORT=${PORT#.}
        IFS='
'    # <linefeed>
        for line in `ReadFile $FILE` ; do
                IFS=" $(printf '\t')"    # <space><tab>; the literal tab is easily lost when pasted
                set -- $line             # $1 = source IP, $2 = optional DMZ destination
                $IPCH -A forward -j ACCEPT -p $PROTO \
-s $1 -d ${2:-$DMZ_NET} $PORT -i $DMZ_IF
        done
done

IFS="$OIFS"
<END /etc/ipchains.forward>

<START /etc/privileged/tcp.pop-3>
# Comments and blank lines allowed
# Comments must start at beginning of line
#
# Filename Format:
#  Protocol[.port]
#
# File Format:
#  SourceIP [DestIP]
#
# If DestIP is not specified, it defaults to the whole DMZ network

1.2.65.53      3.4.8.236
1.2.78.155     3.4.8.236
<END /etc/privileged/tcp.pop-3>
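A dry-run generator for the same file layout, added here as an example and not part of the original post: it prints the ipchains rule each line would produce instead of loading it, and refuses a port suffix on a protocol that carries no ports (the caveat above), so a mistyped file is caught before it silently opens the wrong thing. The sample directory, the $IPCH/$DMZ_NET/$DMZ_IF defaults and the hypothetical gen_rules function are constructed for this example.

```shell
#!/bin/sh
# gen_rules DIR: print one ipchains rule per (source, dest) line found in
# the /etc/privileged-style files under DIR. Returns 1 if any file or line
# was rejected. Nothing is executed; the output is meant to be reviewed.
IPCH=${IPCH:-/sbin/ipchains}       # defaults are constructed for this example
DMZ_NET=${DMZ_NET:-3.4.8.0/24}
DMZ_IF=${DMZ_IF:-eth1}
TAB=$(printf '\t')

gen_rules() {
        dir=$1 rc=0
        for file in "$dir"/*; do
                [ -r "$file" ] || continue
                name=${file##*/}
                proto=${name%.*}               # same split as the post's script
                port=${name#"$proto"}; port=${port#.}
                case "$proto:$port" in
                tcp:*|udp:*|*:) ;;             # ports only on tcp/udp, or none
                *)  echo "skipping $name: protocol '$proto' takes no port" >&2
                    rc=1; continue ;;
                esac
                # Same line format: SourceIP [DestIP]; blank and # lines skipped
                while IFS=" $TAB" read -r src dst extra; do
                        case "$src" in ''|\#*) continue ;; esac
                        if [ -n "$extra" ]; then
                                echo "skipping line in $name: too many fields" >&2
                                rc=1; continue
                        fi
                        echo "$IPCH -A forward -j ACCEPT -p $proto -s $src" \
                             "-d ${dst:-$DMZ_NET}${port:+ $port} -i $DMZ_IF"
                done < "$file"
        done
        return $rc
}

# Constructed sample directory (not from the original post).
PRIV_DIR=${PRIV_DIR:-$(mktemp -d)}
printf '# pop-3 from two hosts\n\n1.2.65.53 3.4.8.236\n1.2.78.155\n' > "$PRIV_DIR/tcp.pop-3"
printf '5.6.7.8\n' > "$PRIV_DIR/50"        # ESP from one peer to the whole DMZ
printf '9.9.9.9\n' > "$PRIV_DIR/icmp.8"    # wrong: icmp has no port, gets refused

gen_rules "$PRIV_DIR"
```

Run it with PRIV_DIR=/etc/privileged to review what the real directory would load; a non-zero exit means at least one file needs attention.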

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user