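#!/bin/sh
#
# rc.firewall-2.2
FWVER="2.21 03/06/2002"
#
# Copied and pasted from the latest IP Masquerading FAQ 08/04/2002 Rob D
#
#     - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
#       using IPCHAINS (ipchains only - it will not apply to iptables-based
#       kernels).
#
# The script runs under /bin/sh, so messages use printf instead of
# "echo -e"/"echo -en": the -e/-n flags and backslash handling of echo
# differ from shell to shell.
printf '\n\nLoading simple rc.firewall version %s..\n\n' "$FWVER"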


# EXTERNAL and INTERNAL interfaces
#
#  Every masqueraded network has at least one Internet-facing interface,
#  where the NATing happens, and one LAN-facing interface, which should be
#  addressed from RFC1918 private space.
#
#  In this example eth0 is external and eth1 internal. A modem user would
#  set EXTIF="ppp0" instead.
#
#  ** Change these two assignments to match your own configuration **
#
EXTIF="eth0"
INTIF="eth1"
printf '   External Interface:  %s\n' "$EXTIF"
printf '   Internal Interface:  %s\n' "$INTIF"

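# Network Address of the Internal Network
#
#   This example uses the 192.168.0.0 network with a /24 (255.255.255.0)
#   netmask. Most rules below that say "from the LAN" are written in terms
#   of this variable, so change it here rather than in the rules.
#
#    ** Change this variable to reflect your specific setup **
#
INTLAN="192.168.0.0/24"
# Label fixed: this value is the network, not an interface.
printf '   Internal Network:    %s\n\n' "$INTLAN"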

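# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need. Each helper adds
#          protocol-specific handling to the masquerade code, so every extra
#          one is extra kernel code looking at Internet traffic. All current
#          helpers are listed below; only the FTP one is loaded.
echo "   loading required IPMASQ kernel modules.."

# Needed to initially load modules
#
/sbin/depmod -a

printf '   Loading modules: '

# FTP: masquerading of PORT-mode (active) transfers. A load failure is
# reported instead of hidden - the FTP rules further down are added whether
# or not this helper is present, and without it active transfers will not
# be masqueraded.
#
printf 'FTP, '
/sbin/modprobe ip_masq_ftp ||
    printf '\n   WARNING: ip_masq_ftp failed to load; PORT-mode FTP masquerading will not work\n' >&2

# RealAudio over UDP. Without this module RealAudio still works, but in TCP
# mode, which can reduce sound quality.
#
#printf 'RealAudio, '
#/sbin/modprobe ip_masq_raudio

# IRC DCC file transfers
#
#printf 'Irc, '
#/sbin/modprobe ip_masq_irc

# Quake / QuakeWorld for multiple users behind the MASQ server. Use the
# second form for Quake I, II and III.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#printf 'Quake, '
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# CuSeeme video conferencing
#
#printf 'CuSeeme, '
#/sbin/modprobe ip_masq_cuseeme

# VDO-live video conferencing
#
#printf 'VdoLive '
#/sbin/modprobe ip_masq_vdolive

echo ".  Done loading modules."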


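# Clear any previous configuration and fail closed while doing it.
#
#   The deny policies go on BEFORE the flush, so there is never a window in
#   which the chains are empty while an accept-all policy is in force - and
#   all of this happens before forwarding is switched on below, so the box
#   never routes with a half-built rule set. (The original enabled
#   forwarding first and set the policies afterwards.)
#
#   forward is DENY (silent drop) rather than REJECT so that blocked
#   forwarded packets do not earn the sender an ICMP error.
#
echo "   clearing any existing rules and setting default policy.."
/sbin/ipchains -P input DENY
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward


#CRITICAL:  Enable automatic IP defragmenting. It is disabled by default in
#           2.2.x kernels (a compile-time option before 2.2.12). With it on,
#           the rules and the masquerade code see whole packets rather than
#           fragments.
#
echo "   enabling AlwaysDefrag.."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
#   this option. It enables dynamic-ip address hacking in IP MASQ, making
#   life with Diald and similar programs much easier.
#
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# LooseUDP - left OFF.
#
#  Some Internet games need it, but it relaxes the UDP masquerade matching
#  and the HOWTO warns that it exposes internal machines to UDP port
#  scanning. Only enable it (remove the "#") if a game cannot be made to
#  work any other way.
#
#echo "   enabling LooseUDP.."
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


#CRITICAL:  Enable IP forwarding. It is disabled by default; it is done
#           last so the box only starts routing once the deny policies above
#           are in place.
#
#           Redhat users: FORWARD_IPV4=true in /etc/sysconfig/network does
#           the same thing at boot.
#
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward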


# Masquerade table timeouts, in seconds, in the order ipchains -M -S wants
# them: established TCP, TCP after a FIN has been seen, UDP.
#
#   7200 = 2 hours for idle TCP sessions
#     10 = once the "FIN" packet has been received
#    160 = UDP (long enough for MASQ'ed ICQ users)
#
echo "   setting default timers.."
/sbin/ipchains -M -S 7200 10 160


# DHCP / BOOTP on the external side (ADSL, cable modem users):
#
#   Before an address has been obtained nothing else matches, so UDP from
#   server port 67 to client port 68 is let in on EXTIF unconditionally.
#   The DHCP section further down adds narrower, server-specific rules once
#   the lease file is known.
#
/sbin/ipchains -A input -i "$EXTIF" -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

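# Enable simple IP forwarding and Masquerading
#
#  Everything from INTLAN that is routed out over EXTIF is masqueraded
#  (source-NATed to this host's external address). Adjust INTLAN / EXTIF at
#  the top of the script rather than here; tighten -s to individual hosts if
#  only a few machines should get out.
#
echo "   enabling IPMASQ functionality on $EXTIF"
/sbin/ipchains -P forward DENY

# Anti-spoofing, logged (-l): a packet arriving from the Internet side must
# not claim an internal source address, and a packet arriving from the LAN
# side must carry one. Without these, a packet entering on EXTIF with a
# forged INTLAN source is judged only by the port-based rules further down,
# none of which look at the source address on EXTIF.
/sbin/ipchains -A input -i "$EXTIF" -s "$INTLAN" -j DENY -l
/sbin/ipchains -A input -i "$INTIF" ! -s "$INTLAN" -j DENY -l

# In the forward chain -i names the interface the packet leaves on.
/sbin/ipchains -A forward -i "$EXTIF" -s "$INTLAN" -j MASQ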

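echo "Enabling DHCP traffic"

# The dhcpcd client writes the lease it obtained into this file.
#
# The original did ". <file>", i.e. executed the lease file as shell. Its
# contents are built from what the DHCP server sent, so that hands shell
# execution on this box to whoever answers DHCP on the external link. Only
# the two addresses needed here are extracted, and only if they look like
# dotted quads; an empty or malformed value means the server-specific rules
# are skipped with a warning instead of being added with a missing argument
# (an unset variable would silently turn "-s $DHCPSIADDR 67" into "-s 67").
#
DHCPINFO="/etc/dhcpc/dhcpcd-$EXTIF.info"

# dhcp_info_value KEY FILE
#   Print the value of the first "KEY=value" line in FILE if the value is a
#   dotted-quad IPv4 address (optionally quoted); print nothing otherwise,
#   including when FILE is missing. Never evaluates FILE.
dhcp_info_value() {
    sed -n "s/^$1=[\"']*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[\"']*\$/\1/p" "$2" 2>/dev/null | head -n 1
}

# Discovery / offer while this host has no address yet: broadcast both ways.
/sbin/ipchains -A output -i "$EXTIF" -p UDP -s 0.0.0.0 68 -d 255.255.255.255 67 -j ACCEPT
/sbin/ipchains -A input  -i "$EXTIF" -p UDP -s 0.0.0.0 67 -d 255.255.255.255 68 -j ACCEPT

DHCPSIADDR=$(dhcp_info_value DHCPSIADDR "$DHCPINFO")
IPADDR=$(dhcp_info_value IPADDR "$DHCPINFO")
if [ -n "$DHCPSIADDR" ] && [ -n "$IPADDR" ]; then
    # Requests to the known server - from 0.0.0.0 while unconfigured and
    # from the leased address when renewing - and its offers/acks back to
    # us, whether addressed to broadcast or to the leased address.
    /sbin/ipchains -A output -i "$EXTIF" -p UDP -s 0.0.0.0 68 -d "$DHCPSIADDR" 67 -j ACCEPT
    /sbin/ipchains -A output -i "$EXTIF" -p UDP -s "$IPADDR" 68 -d "$DHCPSIADDR" 67 -j ACCEPT
    /sbin/ipchains -A input  -i "$EXTIF" -p UDP -s "$DHCPSIADDR" 67 -d any/0 68 -j ACCEPT
    # Kept from the original rule list; presumably for a server that answers
    # from the leased address itself - NOTE(review): confirm it is needed.
    /sbin/ipchains -A input  -i "$EXTIF" -p UDP -s "$IPADDR" 67 -d any/0 68 -j ACCEPT
else
    printf '   WARNING: no usable DHCPSIADDR/IPADDR in %s; server-specific DHCP rules not added\n' "$DHCPINFO" >&2
fi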

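# ---------------------------------------------------------------------------
# Per-service rules
#
#   ipchains keeps no connection state, so "let the server's replies back
#   in" has to be written as "accept TCP whose SOURCE port is the server's
#   well-known port". Written with nothing more than that (as the original
#   did) it also accepts a brand-new connection from anyone on the Internet
#   who simply sends from source port 80/443/110/119/... to ANY port on this
#   host - straight past the source-restricted SSH and PostgreSQL rules
#   below, which only guard the LAN side.
#
#   Every reply rule here therefore carries "! -y" (not a bare SYN, so it
#   cannot open a connection) and is limited to unprivileged destination
#   ports, which is where the masqueraded sessions and this host's own
#   client sockets live.
#
#   Active-mode FTP data (the server connects from port 20) is the one
#   legitimate inbound SYN and is handled separately. Passive-mode FTP data
#   (arbitrary high ports on the server) is not allowed by this rule set.
# ---------------------------------------------------------------------------

# masq_tcp_service PORT [SERVER]
#   Let LAN hosts (through the masquerade) and this host itself open TCP
#   connections to PORT on SERVER (default: anywhere) and let the replies
#   come back - and nothing else. _port/_server are plain globals (sh has
#   no "local").
#
masq_tcp_service() {
    _port=$1
    _server=${2:-0.0.0.0/0}
    # outbound: LAN -> this host, this host -> Internet
    /sbin/ipchains -A input  -i "$INTIF" -p TCP -s "$INTLAN" -d "$_server" "$_port" -j ACCEPT
    /sbin/ipchains -A output -i "$EXTIF" -p TCP -d "$_server" "$_port" -j ACCEPT
    # inbound replies only: never a bare SYN, never to a privileged port
    /sbin/ipchains -A input  -i "$EXTIF" -p TCP ! -y -s "$_server" "$_port" -d 0.0.0.0/0 1024:65535 -j ACCEPT
    /sbin/ipchains -A output -i "$INTIF" -p TCP ! -y -s "$_server" "$_port" -d "$INTLAN" -j ACCEPT
}

FWINTIP="192.168.0.1"             # this host's address on $INTIF (matches the ifconfig at the end)
ADMINHOST="192.168.0.2"           # the one LAN host allowed to reach ssh/postgres on this box
SMTPHOST="smtp.blueyonder.co.uk"  # NOTE(review): a hostname is resolved when the
                                  # rule is loaded, so the rule is only as good as
                                  # that DNS answer - pin an address if the resolver
                                  # cannot be trusted at boot.

# Http requests port 80 & 443
echo "Enabling HTTP port 80/443 requests(in/out)[int/ext]"
masq_tcp_service 80
masq_tcp_service 443

# DNS in and out - for this machine and for LAN resolvers.
#   UDP has no SYN flag to test, so replies are limited to unprivileged
#   destination ports instead. NOTE(review): this assumes queries are sent
#   from ports >= 1024; confirm if a local nameserver queries from port 53.
echo "Enabling DNS requests(in/out)"
/sbin/ipchains -A output -i "$EXTIF" -p UDP -d 0.0.0.0/0 53 -j ACCEPT
/sbin/ipchains -A input  -i "$EXTIF" -p UDP -s 0.0.0.0/0 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
/sbin/ipchains -A input  -i "$INTIF" -p UDP -s "$INTLAN" -d any/0 53 -j ACCEPT
/sbin/ipchains -A output -i "$INTIF" -p UDP -s any/0 53 -d "$INTLAN" 1024:65535 -j ACCEPT

# Drop Win98 NetBIOS name/datagram chatter silently (no -l) so it does not
# flood the catch-all log at the end of the script.
echo "NetBios Service explictly denied on this machine (fine else where)"
for _nbport in 137 138; do
    /sbin/ipchains -A input  -i "$INTIF" -p UDP -s "$INTLAN" -d any/0 "$_nbport" -j DENY
    /sbin/ipchains -A output -i "$INTIF" -p UDP -s any/0 "$_nbport" -d "$INTLAN" -j DENY
done

# dnet port 2064
echo "Allow dnet from internal net out"
masq_tcp_service 2064

# NNTP news for internal machines
echo "Enabling NNTP pass through for internal machines"
masq_tcp_service 119

# POP3 mail for internal machines
echo "Enabling POP3 pass through for internal machines"
masq_tcp_service 110

# SMTP outgoing mail, to the ISP's relay only
echo "Enabling SMTP pass through for internal machines, specific IP"
masq_tcp_service 25 "$SMTPHOST"

# FTP: control connection (21) like any other service; active-mode data
# connections (20) are opened BY the server, so a SYN from port 20 has to be
# let in. ip_masq_ftp (loaded above) handles the masquerade side of it; the
# unprivileged destination-port limit keeps it away from services on this box.
echo "Enabling FTP port 20/21 requests(in/out)[int/ext]"
masq_tcp_service 21
/sbin/ipchains -A output -i "$EXTIF" -p TCP -d 0.0.0.0/0 20 -j ACCEPT
/sbin/ipchains -A input  -i "$EXTIF" -p TCP -s 0.0.0.0/0 20 -d 0.0.0.0/0 1024:65535 -j ACCEPT
/sbin/ipchains -A input  -i "$INTIF" -p TCP -s "$INTLAN" -d 0.0.0.0/0 20 -j ACCEPT
/sbin/ipchains -A output -i "$INTIF" -p TCP -s 0.0.0.0/0 20 -d "$INTLAN" -j ACCEPT

# Administration of this host from one LAN address only (ssh, PostgreSQL).
echo "SSH internal control is being activated"
/sbin/ipchains -A input  -i "$INTIF" -p TCP -s "$ADMINHOST" -d "$FWINTIP" 22 -j ACCEPT
/sbin/ipchains -A output -i "$INTIF" -p TCP -s "$FWINTIP" 22 -d "$ADMINHOST" -j ACCEPT

echo "Internal SQL postgre"
/sbin/ipchains -A input  -i "$INTIF" -p TCP -s "$ADMINHOST" -d "$FWINTIP" 5432 -j ACCEPT
/sbin/ipchains -A output -i "$INTIF" -p TCP -s "$FWINTIP" 5432 -d "$ADMINHOST" -j ACCEPT

# http on alternate ports 82 & 81
echo "Enabling HTTP port 82/81 requests(in/out)[int/ext]"
masq_tcp_service 82
masq_tcp_service 81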


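# Catch-all logging. Anything not accepted above is logged (-l) and then
# falls through to the chain's deny policy. ipchains has no rate limiting,
# so on a link exposed to the Internet a packet flood becomes a syslog
# flood - keep an eye on log volume and disk space.
/sbin/ipchains -A input -l
/sbin/ipchains -A output -l
/sbin/ipchains -A forward -l

# printf rather than 'echo "...\n"', which prints a literal \n in some
# shells and a newline in others.
printf 'rc.firewall-2.2 v%s done.\n\n' "$FWVER"

# Bring the LAN interface up only now that the rules are in place. Uses
# $INTIF (the original hard-coded eth1 here). The address must stay in step
# with the SSH/PostgreSQL rules above, which accept for 192.168.0.1 only.
ifconfig "$INTIF" 192.168.0.1 netmask 255.255.255.0 up
printf '::Enabled internal 255.255.255.0 network as 192.168.0.1::\n\n'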