another firewall question

David Johnson dgj-dave at pacbell.net
Thu Jan 27 19:58:55 PST 2000 

sorry .. below is the missing rc.firewall



#!/bin/bash
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc

# BEGIN FIREWALL SETUP
echo "1" > /proc/sys/net/ipv4/ip_forward

echo -n "Starting Spoof Protection..."
# Setup Spoofing Protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
   done
else
   echo "PROBLEMS SETTING UP SPOOFING PROTECTION, BE WORRIED!"
   echo "CONTROL-D will exit this shell and continue startup."
   echo
# Start single user shell on console
   /sbin/sulogin $CONSOLE
fi
echo "done."

### Start of ip filter rules....

echo -n "Setting IP filter rules..."
#First set default rule, deny EVERYTHING except localnet interface

ipchains -P input DENY
ipchains -A input -i lo -s 127.0.0.0/24 -j ACCEPT

# Deny SYN packets on external (DSL) interface
# I had to disable this because it wouldnt let me retrieve ftp dirs??
# ipchains -A input -i eth0 -p tcp -y -l -j DENY


# Set Filtering Rules for eth1 interface (internal net)
# Create a new chain for eth1 interface
ipchains -N eth1-in
ipchains -A input -i eth1 -j eth1-in

# Set filtering rules for eth1
ipchains -A eth1-in -b -s 192.168.0.0/24 -j ACCEPT
ipchains -A eth1-in -s 127.0.0.0/24 -l -j DENY


# Set Filtering Rules for eth0 interface (external DSL net)
# Create a new chain for eth0 interface
ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in

# Set filtering rules for eth0
ipchains -A eth0-in -s 0/0 -j ACCEPT
ipchains -A eth0-in -s 127.0.0.0/24 -l -j DENY

### Uncomment to allow inbound sendmail connections
#ipchains -A eth0-in -p tcp -s 0/0 25 -y -j ACCEPT

### Uncomment to allow inbound www connections
#ipchains -A eth0-in -p tcp -s 0/0 80 -y -j ACCEPT

### Uncomment to allow inbound ftp connections
#ipchains -A eth0-in -p tcp -s 0/0 20 -y -j ACCEPT
#ipchains -A eth0-in -p tcp -s 0/0 21 -y -j ACCEPT

### This is old and not needed for most systems but it's good protection
for some....
# Deny "Ping-of-death" packets
ipchains -A input -p icmp -f -l -j DENY

### And lastly, forward internal packets to external interface and
Masqerade!
# Set ip forwading for local network to internet
ipchains -A forward -p udp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p icmp -s 192.168.0.0/24 -j MASQ

echo "done."

More information about the talk mailing list