I was just about to write a script for my LAN, when you posted yours.
Good script!!
Seeing that it was for a "real" network, I optimized it for a home LAN
with a dial-up ISP.
The only "problem" was line 78: echo "DENY and log ppp0-in packets with
$LOCALIP as source"
Your original did not have a $, making it echo LOCALIP instead of the
actual address.
I put problem in quotations, because you might have meant this, anyway,
I changed it here because I like having my address echoed. Also, I added
line 94, because nothing was passing without that. I think that's a
problem on my end and will have to look into it.

I hope that you don't mind me screwing with your script, but I hoped to
make it easier for a home LANer to modify it :-)

----------------Cut Here-------------------------
#!/bin/sh
#
# IPChains firewall and MASQ setup.
# Jan 29, 1999
#
# Version 1.0.1
#
# Mangled together by Clifford Hammerschmidt ([EMAIL PROTECTED]).
# Modified by Jonathan Pennington <[EMAIL PROTECTED]>.
# Assumes ppp0->internet (DHCP)
#         eth0->intranet (192.168.10.x)
#
# Stolen from various HOW-TO's from around the net.
# For lots more info goto http://www.rustcorp.com/linux/ipchains/
#
# USE AT YOUR OWN RISK
#

echo "Clear all IPCHAINS"
/sbin/ipchains -F
/sbin/ipchains -X ppp0-in
/sbin/ipchains -X ppp0-out
/sbin/ipchains -X eth0-in
/sbin/ipchains -X eth0-out

echo "Enabling MASQ"

# if using modules uncomment the line below...
#(and add any other masq modules you need)
/sbin/modprobe ip_masq_ftp

# Get ppp0's IP (ppp0 connects to the internet.)
LOCALIP=`ifconfig ppp0 | awk '/inet addr/ {print substr($2,6)}'`
ALL="0.0.0.0/0"
BCAST="255.255.255.255/32"
LANADDRS="192.168.10.0/24"
DNS1="208.140.99.13/32"
DNS2="208.140.99.14/32"

# MASQ
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s $LANADDRS -d $ALL
/sbin/ipchains -M -S 7200 10 7200

echo "Enabling Firewall"

# Turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
       echo -n "Setting up IP spoofing protection..."
       for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
           echo 1 > $f
       done
       echo "done."
else
       echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
fi

# Define per-interface chains for ppp0 and eth0, each with input and output
echo "Creating ppp0 chains"
/sbin/ipchains -N ppp0-in
/sbin/ipchains -A input -i ppp0 -j ppp0-in
/sbin/ipchains -N ppp0-out
/sbin/ipchains -A output -i ppp0 -j ppp0-out
echo "Creating eth0 chains"
/sbin/ipchains -N eth0-in
/sbin/ipchains -A input -i eth0 -j eth0-in
/sbin/ipchains -N eth0-out
/sbin/ipchains -A output -i eth0 -j eth0-out

# Close the door
echo "Deny all external incoming packets"
/sbin/ipchains -P input DENY

echo "Allow all ICMP on input"
/sbin/ipchains -A input -p ICMP -s $ALL -d $LOCALIP -j ACCEPT

echo "DENY and log ppp0-in packets with $LOCALIP as source"
/sbin/ipchains -A ppp0-in -s $LOCALIP -d $LOCALIP -j DENY -l

echo "Allow all local packets"
/sbin/ipchains -A input -i lo -j ACCEPT

echo "Allow local on eth0"
/sbin/ipchains -A eth0-in -s $LANADDRS -j ACCEPT

echo "DENY local on ppp0"
/sbin/ipchains -l -A ppp0-in -s $LANADDRS -j DENY

echo "Setup rules for output (applies to all interfaces)"
/sbin/ipchains -A output -p TCP -d $ALL telnet -t 0x01 0x10
/sbin/ipchains -A output -p TCP -s $ALL ftp-data -t 0x01 0x08
/sbin/ipchains -A output -p TCP -d $ALL pop-3 -t 0x01 0x02
# I need this, I'll have to look into it further when I have time, Jonathan
/sbin/ipchains -A output -p TCP -d $ALL -j ACCEPT


echo "Setup rules for ppp0-in"

echo "Allow DHCP"
/sbin/ipchains -A ppp0-in -p UDP -s $ALL 68 -d $BCAST 67 -j ACCEPT
/sbin/ipchains -A ppp0-in -p TCP -s $ALL 68 -d $BCAST 67 -j ACCEPT

echo "Allow DNS"
# sub in your own servers
/sbin/ipchains -A ppp0-in -p UDP -s $DNS1 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A ppp0-in -p TCP -s $DNS1 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A ppp0-in -p UDP -s $DNS2 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A ppp0-in -p TCP -s $DNS2 domain -d $LOCALIP -j ACCEPT

echo "Allow FTP..."
# echo "From external hosts"
# /sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP ftp -j ACCEPT
# /sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP ftp-data -j ACCEPT
echo "From internal hosts"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ftp -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ftp-data -j ACCEPT

echo "Allow telnet..."
# echo "From external hosts"
# /sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP telnet -j ACCEPT
echo "From internal hosts"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP telnet -j ACCEPT

# echo "Allow httpd"
# /sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP http -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP http -j ACCEPT

# echo "Allow smtp (sendmail)"
# /sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP smtp -j ACCEPT

echo "Allow ident"
/sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP auth -j ACCEPT

echo "Allow TCP Replies"
/sbin/ipchains -A input -p TCP \! -y -d $ALL 1024: -j ACCEPT

# echo "Allow ssh"
# /sbin/ipchains -A ppp0-in -p TCP -s $ALL -d $LOCALIP ssh -j ACCEPT
# /sbin/ipchains -A ppp0-in -p tcp -s $ALL -d $LOCALIP ssh -j ACCEPT

echo "Firewalling complete"
------------------Cut Here-------------------------

-- 
________________________________________
Jonathan Pennington
-Anthropologist/Geologist
-Linux User and Advocate
-Bart Simpson Sympathizer

Email at jwp(at)awod.com
_______________________________________
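To make the chain walk visible, here is an added Python model (not ipchains and not part of Jonathan's script) of the input side of the ruleset above: first-match evaluation, user chains that fall through to the calling chain when nothing matches, and the built-in chain's policy as the last word. The ppp0 address 203.0.113.10 and the probe packets are constructed; the DHCP, DNS and FTP rules are left out.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

LOCALIP = ip_network("203.0.113.10/32")  # constructed stand-in; the script reads it from ifconfig
LAN = ip_network("192.168.10.0/24")      # $LANADDRS from the script

# syn mirrors ipchains -y: SYN set and ACK clear, i.e. a new connection request
Packet = namedtuple("Packet", "iface proto src dst dport syn", defaults=(0, True))

def matches(rule, p):
    """Every selector present on the rule must match (ipchains -i/-p/-s/-d/port/-y)."""
    return (rule.get("iface") in (None, p.iface)
            and rule.get("proto") in (None, p.proto)
            and (rule.get("src") is None or ip_address(p.src) in rule["src"])
            and (rule.get("dst") is None or ip_address(p.dst) in rule["dst"])
            and (rule.get("dport") is None or p.dport in rule["dport"])
            and (rule.get("syn") is None or rule["syn"] == p.syn))

def walk(chains, name, p):
    """First matching rule decides; a user chain with no verdict returns None."""
    for rule in chains[name]["rules"]:
        if not matches(rule, p):
            continue
        if rule["target"] in chains:  # -j <user chain>: descend, resume here if it falls through
            v = walk(chains, rule["target"], p)
            if v is not None:
                return v
        else:
            return rule["target"]
    return chains[name].get("policy")  # built-in chain's -P policy; None for user chains

def script_chains():
    """Input side of the script, in the order its -A commands append rules (DNS/DHCP omitted)."""
    return {
        "input": {"policy": "DENY", "rules": [
            {"iface": "ppp0", "target": "ppp0-in"},
            {"iface": "eth0", "target": "eth0-in"},
            {"proto": "ICMP", "dst": LOCALIP, "target": "ACCEPT"},
            {"iface": "lo", "target": "ACCEPT"},
            {"proto": "TCP", "syn": False, "dport": range(1024, 65536), "target": "ACCEPT"}]},
        "ppp0-in": {"rules": [
            {"src": LOCALIP, "dst": LOCALIP, "target": "DENY"},  # our own address arriving from outside
            {"src": LAN, "target": "DENY"},                       # a LAN address arriving from outside
            {"proto": "TCP", "dst": LOCALIP, "dport": {113}, "target": "ACCEPT"}]},  # ident
        "eth0-in": {"rules": [{"src": LAN, "target": "ACCEPT"}]}}

def verdict(p):
    return walk(script_chains(), "input", p)
```

Note that a new inbound SYN to port 80 on ppp0 falls out of ppp0-in unmatched and is then caught by the input policy, while a non-SYN segment to any port above 1023 is accepted by the "TCP Replies" rule on every interface.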