Hi, can anyone help me with this firewall? I would like to change INTNET="192.168.0.0/24" to more exact IPs, like 192.168.0.1, 192.168.0.22 and so on. Thanks for any help. Charls
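# Stateful NAT gateway firewall: $EXTDEV faces the Internet, $INTDEV faces the
# LAN.  Invoked as "<script> start".  The "case" statement below is continued
# past the end of this excerpt (no ';;' / 'esac' is visible here), so it is
# deliberately left open.

IPTABLES="/sbin/iptables"

#######################################
# Print the IPv4 address of an interface as reported by ifconfig.
# Arguments: $1 - interface name
# Outputs:   the address on stdout; empty if none was found
# NOTE(review): relies on the old net-tools "inet addr:" output format; newer
# ifconfig builds print "inet 1.2.3.4" and would yield an empty result —
# confirm on the target system.
#######################################
iface_addr() {
  ifconfig "$1" | grep "inet addr:" | awk -F: '{ print $2 }' | cut -d' ' -f1
}

EXTDEV="ppp0"
EXTIP=$(iface_addr "$EXTDEV")
if [ -z "${EXTIP}" ]; then
  printf 'no IPv4 address found on %s\n' "$EXTDEV" >&2
  exit 1
fi
#EXTIP="x.x.x.x"

INTDEV="eth0"
INTIP=$(iface_addr "$INTDEV")
if [ -z "${INTIP}" ]; then
  printf 'no IPv4 address found on %s\n' "$INTDEV" >&2
  exit 1
fi
#INTIP="y.y.y.y"

# Hosts/networks allowed to use the gateway.  One or more IPv4 addresses or
# CIDR blocks, separated by spaces or commas, e.g.
#   INTNET="192.168.0.1 192.168.0.22"   or   INTNET="192.168.0.1,192.168.0.22"
# The FORWARD and TOS rules below are generated once per entry, so a single
# entry produces exactly the original rule set.
INTNET="192.168.0.0/24"
INTNET=$(printf '%s' "$INTNET" | tr ',' ' ')

echo "EXTDEV: ${EXTDEV} z ${EXTIP}"
echo "INTDEV: ${INTDEV} z ${INTIP}"

case "$1" in
  start)
    # printf instead of "echo -n": echo -n is not portable to every /bin/sh.
    printf '%s' "Starting firewall: "
    #modprobe ip_tables
    #modprobe ip_conntrack
    #modprobe ip_conntrack_ftp
    #modprobe ip_masq_ftp
    #modprobe ip_masq_irc
    #modprobe ip_masq_raudio

    # Start from a clean slate in every table this script writes to, so that
    # running "start" twice does not append duplicate SNAT/TOS rules (only the
    # filter table used to be flushed, and only after the SNAT rule was added).
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Source-NAT everything leaving through the external link.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTDEV" -j SNAT --to-source="$EXTIP"

    #--==[ kernel ]==--
    # NOTE(review): ip_forward is left commented out here as in the original;
    # the FORWARD/SNAT rules only take effect if forwarding is enabled
    # somewhere else — confirm.
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    # Loopback is always allowed.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Port-forwarding template (disabled); DSTIP/SRCPRT/LOCALIF/ALLOWFROM/SRCIP
    # are not defined in this script.
    #$IPTABLES -I FORWARD -p tcp -d $DSTIP --dport $SRCPRT -j ACCEPT
    #$IPTABLES -I FORWARD -p udp -d $DSTIP --dport $SRCPRT -j ACCEPT
    #$IPTABLES -t nat -A PREROUTING -p tcp -i $LOCALIF -s $ALLOWFROM -d $SRCIP --dport $SRCPRT -j DNAT --to $DSTIP
    #$IPTABLES -t nat -A PREROUTING -p udp -i $LOCALIF -s $ALLOWFROM -d $SRCIP --dport $SRCPRT -j DNAT --to $DSTIP

    #---==[ INPUT ]==---
    # ICMP: only replies/errors for our own traffic are accepted from outside.
    $IPTABLES -A INPUT -i "$EXTDEV" -p icmp -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTDEV" -p icmp -m state --state RELATED -j ACCEPT
    # Allow us to initiate ICMP (e.g. ping) towards the outside.
    $IPTABLES -A OUTPUT -o "$EXTDEV" -p icmp -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTDEV" -p icmp -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTDEV" -p icmp -m state --state RELATED -j ACCEPT

    # Silently drop NetBIOS name/datagram broadcasts from the LAN.
    # NOTE(review): INTNET is 192.168.0.0/24, whose broadcast address is
    # 192.168.0.255; 192.168.1.255 looks like a typo — confirm before changing.
    $IPTABLES -A INPUT -i "$INTDEV" -p udp -d 192.168.1.255 --dport 137:138 -j DROP

    # The SSH, FTP, DHCPD and HTTP rules below carry no "-i" match, so they
    # accept NEW connections arriving on $EXTDEV (the Internet) as well as on
    # $INTDEV.  If these services are meant for the LAN only, add
    # -i "$INTDEV" to them as the RPC and DNS rules already do.
    #** SSH **
    $IPTABLES -A INPUT -p tcp --sport 1024: --dport 22 -m state --state NEW -j ACCEPT
    #** FTP **
    $IPTABLES -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 21 -m state --state NEW -j ACCEPT
    #** DHCPD **
    $IPTABLES -A INPUT -p tcp --dport 67 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 67 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 68 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
    #** HTTP **
    $IPTABLES -A INPUT -p tcp --sport 1024: --dport 80 -m state --state NEW -j ACCEPT
    #** RPC ** (LAN only)
    $IPTABLES -A INPUT -i "$INTDEV" -p tcp --dport 111 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INTDEV" -p udp --dport 111 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INTDEV" -p udp --dport 2049 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INTDEV" -p udp --dport 1026 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INTDEV" -p tcp --dport 1026 -m state --state NEW -j ACCEPT
    #** DNS ** (LAN only)
    $IPTABLES -A INPUT -i "$INTDEV" -p udp --sport 1024: --dport 53 -m state --state NEW -j ACCEPT
    # Server-to-server transactions.
    $IPTABLES -A INPUT -i "$INTDEV" -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

    # Reject ident probes quickly rather than letting them time out.
    $IPTABLES -A INPUT -p tcp --sport 1024: --dport 113 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable

    $IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
    #$IPTABLES -A INPUT -j LOG --log-prefix "IPT INPUT: "
    $IPTABLES -A INPUT -j DROP

    #---==[ OUTPUT ]==---
    $IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT
    #$IPTABLES -A OUTPUT -j LOG --log-prefix "IPT OUTPUT: "
    $IPTABLES -A OUTPUT -j DROP

    #---==[ FORWARD ]==---
    # One rule set per INTNET entry, in the same order as the original rules:
    # LAN -> out (tcp NEW/ESTABLISHED/RELATED, then udp), then out -> LAN
    # (tcp ESTABLISHED/RELATED, then udp).
    # shellcheck disable=SC2086 -- INTNET is a whitespace-separated list
    for net in $INTNET; do
      for proto in tcp udp; do
        for st in NEW ESTABLISHED RELATED; do
          $IPTABLES -A FORWARD -i "$INTDEV" -p "$proto" -s "$net" --sport 1024: -m state --state "$st" -j ACCEPT
        done
      done
      for proto in tcp udp; do
        for st in ESTABLISHED RELATED; do
          $IPTABLES -A FORWARD -o "$INTDEV" -p "$proto" -d "$net" --dport 1024: -m state --state "$st" -j ACCEPT
        done
      done
    done
    $IPTABLES -A FORWARD -p icmp -m state --state ! INVALID -j ACCEPT
    #$IPTABLES -A FORWARD -j LOG --log-prefix "IPT FORWARD: "
    $IPTABLES -A FORWARD -j DROP

    #---==[ TOS ]==---
    # type                    dec  hex
    # Minimize-delay          16   0x10
    # Maximize-throughput      8   0x08
    # Maximize-reliability     4   0x04
    # Minimize-cost            2   0x02
    # Normal-service           0   0x00
    # Mark LAN-originated HTTP as minimize-delay, once per INTNET entry.
    # shellcheck disable=SC2086 -- INTNET is a whitespace-separated list
    for net in $INTNET; do
      $IPTABLES -t mangle -A PREROUTING -p tcp -s "$net" --dport 80 -j TOS --set-tos 0x10
      $IPTABLES -t mangle -A OUTPUT -p tcp -s "$net" --dport 80 -j TOS --set-tos 0x10
    done

    #---==[ TTL ]==---
    #$IPTABLES -A FORWARD -s $INTNET -m ttl --ttl-eq 127 -j DROP
    #$IPTABLES -t mangle -A PREROUTING -i $EXTDEV -j TTL -ttl-set 1

    #---==[ QoS ]==---
    # Disabled traffic-marking examples.  They reference $EXTERNAL, which is
    # not defined in this script; use $EXTDEV if they are ever enabled.
    ## mark "mail/news" traffic to "1"
    #MAIL="25 110 119 143 993 995"
    #for marked in $MAIL
    # do
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $marked -j MARK --set-mark 1
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $marked -j MARK --set-mark 1
    # done
    ## mark "interactive" traffic to "2"
    #LOGIN="22 23 6667"
    #for interactive in $LOGIN
    # do
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $interactive -j MARK --set-mark 2
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $interactive -j MARK --set-mark 2
    # done
    ## mark "web" traffic to "3"
    #WEB="80 443"
    #for web in $WEB
    # do
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $web -j MARK --set-mark 3
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $web -j MARK --set-mark 3
    # done
    ## mark "game" traffic to "4"
    #GAMES="27910:27980 7777 22450 26000 26950 27015 27020 27500 28000:28008 28910"
    #for games in $GAMES
    # do
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p tcp --dport $games -j MARK --set-mark 4
    #  $IPTABLES -A PREROUTING -i $EXTERNAL -t mangle -p udp --dport $games -j MARK --set-mark 4
    # done

    echo "done!"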