Contents of /firewall/firewall

#!/sbin/runscript
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# /space/gentoo/cvsroot/gentoo-x86/net-nds/portmap/files/portmap.rc6,v 1.3 2001/12/29 00:22:51 azarah Exp

depend() {
        need net
}

IPT=/sbin/iptables

#5901: tightvnc
SERVICES="http ssh"
FWDRULES="1022->192.168.1.4:22"
FWIP="216.223.235.2"

#interfaces:
FWIF="eth1"
# eth0: 192.168.1.1 (our LAN)
# eth1: 216.223.235.2 (our bridged DSL router)

start() {
        # Enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Set a default policy of DROP; deny-by-default for security:
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP

        #myfilter chain:
        #this chain contains rules common to our FORWARD and INPUT chains, all in one place.
        #first, we create a new "myfilter" chain;
        #then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
        #then, we add a rule to accept NEW connections coming in from anywhere but our untrusted ${FWIF} interface;
        #then, we add a rule to log any incoming INVALID packets;
        #then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
        #then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
        #everything else falls off the end of this chain and goes back to the parent INPUT or FORWARD chain.

        $IPT -N myfilter
        $IPT -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A myfilter -m state --state NEW -i ! ${FWIF} -j ACCEPT
        $IPT -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
        $IPT -A myfilter -p tcp -j REJECT --reject-with tcp-reset
        $IPT -A myfilter -j REJECT --reject-with icmp-port-unreachable

        #INPUT chain:
        #first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
        #then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
        #then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
        #then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
        #everything else falls off the end of this chain and gets a default policy of DENY.

        local x

        for x in $SERVICES
        do
                $IPT -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
        done
        $IPT -A INPUT -p icmp -i ${FWIF} --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
        $IPT -A INPUT -p icmp -i ${FWIF} --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
        $IPT -A INPUT -j myfilter

        #FORWARD chain:
        #simply forward all FORWARD traffic to our myfilter chain.
        #if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
        #chain and get a default policy of DENY.

        local fromport
        local tocombo
        local toip
        local toport
        
        for x in $FWDRULES
        do
                fromport=${x%->*}
                tocombo=${x##*->}
                toport=${tocombo##*:}
                toip=${tocombo%:*}
                
                $IPT -A FORWARD -p tcp -d ${toip} --dport ${toport} -m state --state NEW -j ACCEPT
                iptables -t nat -A PREROUTING -d ${FWIP} -p tcp --dport ${fromport} -j DNAT --to-destination ${toip}:${toport}
        done
        $IPT -A FORWARD -j myfilter

        #Set up SNAT so that machines on our LAN can use our DSL router:
        $IPT -t nat -A POSTROUTING -o ${FWIF} -j SNAT --to ${FWIP}
}

stop() {
        echo 0 > /proc/sys/net/ipv4/ip_forward
        $IPT -F INPUT
        $IPT -P INPUT ACCEPT
        $IPT -F FORWARD
        $IPT -P FORWARD ACCEPT
        $IPT -t nat -F POSTROUTING
        $IPT -t nat -F PREROUTING
        $IPT -F myfilter
        $IPT -X myfilter
}

1	#!/sbin/runscript
2	# Copyright 1999-2002 Gentoo Technologies, Inc.
3	# Distributed under the terms of the GNU General Public License, v2 or later
4	# /space/gentoo/cvsroot/gentoo-x86/net-nds/portmap/files/portmap.rc6,v 1.3 2001/12/29 00:22:51 azarah Exp
5
6	depend() {
7	need net
8	}
9
10	IPT=/sbin/iptables
11
12	#5901: tightvnc
13	SERVICES="http ssh"
14	FWDRULES="1022->192.168.1.4:22"
15	FWIP="216.223.235.2"
16
17	#interfaces:
18	FWIF="eth1"
19	# eth0: 192.168.1.1 (our LAN)
20	# eth1: 216.223.235.2 (our bridged DSL router)
21
22	start() {
23	# Enable IP forwarding
24	echo 1 > /proc/sys/net/ipv4/ip_forward
25
26	# Set a default policy of DROP; deny-by-default for security:
27	$IPT -P INPUT DROP
28	$IPT -P FORWARD DROP
29
30	#myfilter chain:
31	#this chain contains rules common to our FORWARD and INPUT chains, all in one place.
32	#first, we create a new "myfilter" chain;
33	#then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
34	#then, we add a rule to accept NEW connections coming in from anywhere but our untrusted ${FWIF} interface;
35	#then, we add a rule to log any incoming INVALID packets;
36	#then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
37	#then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
38	#everything else falls off the end of this chain and goes back to the parent INPUT or FORWARD chain.
39
40	$IPT -N myfilter
41	$IPT -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
42	$IPT -A myfilter -m state --state NEW -i ! ${FWIF} -j ACCEPT
43	$IPT -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
44	$IPT -A myfilter -p tcp -j REJECT --reject-with tcp-reset
45	$IPT -A myfilter -j REJECT --reject-with icmp-port-unreachable
46
47	#INPUT chain:
48	#first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
49	#then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
50	#then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
51	#then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
52	#everything else falls off the end of this chain and gets a default policy of DENY.
53
54	local x
55
56	for x in $SERVICES
57	do
58	$IPT -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
59	done
60	$IPT -A INPUT -p icmp -i ${FWIF} --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
61	$IPT -A INPUT -p icmp -i ${FWIF} --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
62	$IPT -A INPUT -j myfilter
63
64	#FORWARD chain:
65	#simply forward all FORWARD traffic to our myfilter chain.
66	#if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
67	#chain and get a default policy of DENY.
68
69	local fromport
70	local tocombo
71	local toip
72	local toport
73
74	for x in $FWDRULES
75	do
76	fromport=${x%->*}
77	tocombo=${x##*->}
78	toport=${tocombo##*:}
79	toip=${tocombo%:*}
80
81	$IPT -A FORWARD -p tcp -d ${toip} --dport ${toport} -m state --state NEW -j ACCEPT
82	iptables -t nat -A PREROUTING -d ${FWIP} -p tcp --dport ${fromport} -j DNAT --to-destination ${toip}:${toport}
83	done
84	$IPT -A FORWARD -j myfilter
85
86	#Set up SNAT so that machines on our LAN can use our DSL router:
87	$IPT -t nat -A POSTROUTING -o ${FWIF} -j SNAT --to ${FWIP}
88	}
89
90	stop() {
91	echo 0 > /proc/sys/net/ipv4/ip_forward
92	$IPT -F INPUT
93	$IPT -P INPUT ACCEPT
94	$IPT -F FORWARD
95	$IPT -P FORWARD ACCEPT
96	$IPT -t nat -F POSTROUTING
97	$IPT -t nat -F PREROUTING
98	$IPT -F myfilter
99	$IPT -X myfilter
100	}
101