Speaking of firewalls...

This is my first real try at making an ipchains firewall, so don't expect
greatness, but I hope it helps out all the 2.2.0-pre people.

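#!/bin/sh
#
# IPChains firewall and MASQ setup.
# Jan 12, 1999
#
# Version 0.9 alpha
#
# Mangled together by Clifford Hammerschmidt ([EMAIL PROTECTED]).
# Assumes eth0->internet (DHCP)
#         eth1->intranet (192.168.1.x)
#
# Stolen from various HOW-TO's from around the net.
# For lots more info goto http://www.rustcorp.com/linux/ipchains/
#
# Requires: awk in the path, used to get eth0's IP.
#           ifconfig in the path.
#
# USE AT YOUR OWN RISK
#

# Stop at the first failing command or unset variable.  A ruleset that is
# only half applied is worse than none, so the DENY policies are set before
# anything else: if the script aborts part-way, the box is left closed.
set -eu

echo "Closing the door (default DENY on input and forward)"
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY

# Flush every chain and drop the user chains so the script can be re-run
# (otherwise the second '-N eth0-in' below fails because the chain exists).
/sbin/ipchains -F
/sbin/ipchains -X

echo "Enabling MASQ"

#(and add any other masq modules you need)
/sbin/modprobe ip_masq_ftp

# MASQ: only the intranet range is masqueraded; forward policy is already DENY.
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
/sbin/ipchains -M -S 7200 10 7200

echo "Enabling Firewall"

# Turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  # printf instead of 'echo -n': '-n' is not portable under /bin/sh.
  printf 'Setting up IP spoofing protection...'
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
  echo "done."
else
  echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED." >&2
fi

ALL="0.0.0.0/0"
BCAST="255.255.255.255/32"
LOCAL="192.168.1.0/24"
# sub in your own servers
DNS1="209.53.0.1/32"
DNS2="209.53.0.17/32"
readonly ALL BCAST LOCAL DNS1 DNS2

# Define two eth interfaces with input and output
echo "Creating eth0 chains"
/sbin/ipchains -N eth0-in
/sbin/ipchains -A input -i eth0 -j eth0-in
/sbin/ipchains -N eth0-out
/sbin/ipchains -A output -i eth0 -j eth0-out
echo "Creating eth1 chains"
/sbin/ipchains -N eth1-in
/sbin/ipchains -A input -i eth1 -j eth1-in
/sbin/ipchains -N eth1-out
/sbin/ipchains -A output -i eth1 -j eth1-out

echo "Allow local on eth1"
/sbin/ipchains -A eth1-in -s "$LOCAL" -j ACCEPT

# Packets claiming an intranet source but arriving on the internet side are
# spoofed; deny and log them (-l) so they show up in the kernel log.
echo "DENY local on eth0"
/sbin/ipchains -l -A eth0-in -s "$LOCAL" -j DENY

echo "Setup rules for eth0-in"

# DHCP rules come before the address lookup below: they do not depend on
# LOCALIP, and the lease must be renewable even if the lookup fails.
echo "Allow DHCP"
/sbin/ipchains -A eth0-in -p UDP -s "$ALL" 68 -d "$BCAST" 67 -j ACCEPT
# DHCP is UDP-only; this TCP rule is kept from the original but is almost
# certainly unnecessary and can be removed.
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" 68 -d "$BCAST" 67 -j ACCEPT

# Get eth0's IP (eth0 connects to the internet.)
LOCALIP=$(ifconfig eth0 | awk '/inet addr/ {print substr($2,6)}')
# An empty LOCALIP would turn every '-d $LOCALIP' rule below into a
# malformed command; abort instead of building a broken ruleset.
if [ -z "$LOCALIP" ]; then
  echo "Could not determine eth0's IP address (is DHCP up yet?); aborting." >&2
  exit 1
fi
readonly LOCALIP

# This rule is on the 'input' chain, so it applies to every interface,
# not just eth1: ICMP from anywhere to the external address is accepted.
echo "Allow ICMP to $LOCALIP on all interfaces"
/sbin/ipchains -A input -p ICMP -s "$ALL" -d "$LOCALIP" -j ACCEPT

echo "Allow all local packets"
/sbin/ipchains -A input -i lo -j ACCEPT

# TOS tweaks only (no -j): interactive low-delay for telnet/pop-3,
# high throughput for ftp-data.
echo "Setup rules for output (applys to all eth's)"
/sbin/ipchains -A output -p TCP -d "$ALL" telnet -t 0x01 0x10
/sbin/ipchains -A output -p TCP -s "$ALL" ftp-data -t 0x01 0x08
/sbin/ipchains -A output -p TCP -d "$ALL" pop-3 -t 0x01 0x02

echo "Allow DNS"
/sbin/ipchains -A eth0-in -p UDP -s "$DNS1" domain -d "$LOCALIP" -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s "$DNS1" domain -d "$LOCALIP" -j ACCEPT
/sbin/ipchains -A eth0-in -p UDP -s "$DNS2" domain -d "$LOCALIP" -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s "$DNS2" domain -d "$LOCALIP" -j ACCEPT

# The service rules below accept connections from ANY internet address.
# ftp and telnet carry passwords in the clear; if you do not actually run
# these servers on this box, delete the rules rather than leaving the
# ports open.
echo "Allow FTP"
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" -d "$LOCALIP" ftp -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" -d "$LOCALIP" ftp-data -j ACCEPT

echo "Allow telnet"
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" -d "$LOCALIP" telnet -j ACCEPT

echo "Allow httpd"
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" -d "$LOCALIP" http -j ACCEPT

echo "Allow smtp (sendmail)"
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" -d "$LOCALIP" smtp -j ACCEPT

echo "Allow ident"
/sbin/ipchains -A eth0-in -p TCP -s "$ALL" -d "$LOCALIP" auth -j ACCEPT

# ipchains is stateless: "replies" are approximated as any TCP packet
# without the SYN-only flag (! -y) to an unprivileged port, on every
# interface.  This is the usual ipchains compromise, not connection tracking.
echo "Allow TCP Replies"
/sbin/ipchains -A input -p TCP \! -y -d "$ALL" 1024: -j ACCEPT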
