Revision 1.2 - (show annotations) (download)
Thu Sep 30 14:44:52 2004 UTC (9 years, 9 months ago) by vapier
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
use init scripts with iptables

1 #!/sbin/runscript
2 # Copyright 1999-2002 Gentoo Technologies, Inc.
3 # Distributed under the terms of the GNU General Public License, v2 or later
4 # /space/gentoo/cvsroot/gentoo-x86/net-nds/portmap/files/portmap.rc6,v 1.3 2001/12/29 00:22:51 azarah Exp
5
#######################################
# runscript dependency hook: the firewall service is started only once
# the "net" service is available.
#######################################
depend() {
	need net
}
9
# iptables binary driven by start() and stop().
IPT='/sbin/iptables'

# Interfaces:
#   eth0: 192.168.1.1 (our LAN)
#   eth1: 216.223.235.2 (our bridged DSL router)
# FWIF is the untrusted, Internet-facing interface and FWIP its public address.
FWIF='eth1'
FWIP='216.223.235.2'

# Public tcp services accepted by the firewall host itself, space separated.
# (5901: tightvnc)
SERVICES='http ssh'

# Port forwards, space separated, each written as "publicport->lanip:lanport".
FWDRULES='1022->192.168.1.4:22'
21
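#######################################
# Bring the firewall up.
# Enables IPv4 forwarding, sets a deny-by-default policy on INPUT and
# FORWARD, builds the shared "myfilter" chain, opens the ports listed in
# SERVICES on the firewall host, installs the port forwards listed in
# FWDRULES (a FORWARD accept plus a nat DNAT for each), and SNATs LAN
# traffic leaving FWIF.
# Globals:   IPT, SERVICES, FWDRULES, FWIP, FWIF (all read)
# Arguments: none
# Outputs:   malformed FWDRULES entries are reported on stderr
# Returns:   status of the last iptables command
#######################################
start() {
	local x fromport tocombo toip toport

	# Enable IP forwarding between the LAN and the DSL interface.
	echo 1 > /proc/sys/net/ipv4/ip_forward

	# Deny by default: anything not explicitly accepted below is dropped.
	"$IPT" -P INPUT DROP
	"$IPT" -P FORWARD DROP

	# myfilter chain -- rules shared by INPUT and FORWARD, kept in one place:
	#  1. accept ESTABLISHED and RELATED connections from anywhere;
	#  2. accept NEW connections arriving on any interface except the untrusted ${FWIF};
	#  3. log INVALID packets (not rate limited, unlike the ping log below,
	#     so a flood of INVALID packets also floods the log);
	#  4. reject remaining tcp with tcp-reset for a fast, quiet disconnect;
	#  5. reject anything still unhandled with icmp-port-unreachable.
	# A packet matching none of these returns to the parent chain's policy.
	"$IPT" -N myfilter
	"$IPT" -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
	# "-i ! iface" is the old intrapositioned negation; newer iptables still
	# accepts it (with a deprecation warning) and prefers "! -i iface".
	"$IPT" -A myfilter -m state --state NEW -i ! "${FWIF}" -j ACCEPT
	"$IPT" -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
	"$IPT" -A myfilter -p tcp -j REJECT --reject-with tcp-reset
	"$IPT" -A myfilter -j REJECT --reject-with icmp-port-unreachable

	# INPUT chain:
	#  1. one ACCEPT per public service in SERVICES -- there is no "-i" here,
	#     so these ports are reachable from every interface, ${FWIF} included;
	#  2. log Internet pings aimed at the firewall itself (max 1/minute);
	#  3. accept up to 2 such pings per second;
	#  4. hand everything else to myfilter; whatever survives hits the DROP policy.
	# shellcheck disable=SC2086 -- SERVICES is a deliberately space-separated list
	for x in $SERVICES; do
		"$IPT" -A INPUT -p tcp --dport "${x}" -m state --state NEW -j ACCEPT
	done
	"$IPT" -A INPUT -p icmp -i "${FWIF}" --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
	"$IPT" -A INPUT -p icmp -i "${FWIF}" --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
	"$IPT" -A INPUT -j myfilter

	# FORWARD chain: one ACCEPT per DNAT target, then myfilter. Anything that
	# gets past myfilter falls off the end and hits the DROP policy.
	# Each FWDRULES entry has the form "fromport->ip:port"; entries that do
	# not are skipped instead of producing half-formed rules.
	# shellcheck disable=SC2086 -- FWDRULES is a deliberately space-separated list
	for x in $FWDRULES; do
		case "$x" in
			*'->'*:*) ;;
			*)
				printf 'firewall: skipping malformed FWDRULES entry %s\n' "$x" >&2
				continue
				;;
		esac
		fromport=${x%->*}      # public port, everything before "->"
		tocombo=${x##*->}      # "ip:port"
		toport=${tocombo##*:}
		toip=${tocombo%:*}

		"$IPT" -A FORWARD -p tcp -d "${toip}" --dport "${toport}" -m state --state NEW -j ACCEPT
		# Rewrite the public destination to the internal host. Uses $IPT rather
		# than a bare "iptables" so the whole script drives the same binary.
		"$IPT" -t nat -A PREROUTING -d "${FWIP}" -p tcp --dport "${fromport}" -j DNAT --to-destination "${toip}:${toport}"
	done
	"$IPT" -A FORWARD -j myfilter

	# SNAT so that LAN hosts can reach the Internet through the DSL router.
	"$IPT" -t nat -A POSTROUTING -o "${FWIF}" -j SNAT --to "${FWIP}"
}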
89
#######################################
# Tear the firewall down.
# Turns IPv4 forwarding off (unconditionally, not restored to its prior
# value), flushes INPUT and FORWARD and opens their policy, flushes the
# nat chains, then empties and deletes the myfilter chain.
# Globals:   IPT (read)
# Arguments: none
# Returns:   status of the last iptables command
#######################################
stop() {
	local chain

	echo 0 > /proc/sys/net/ipv4/ip_forward

	# Flush each built-in filter chain, then return it to an open policy.
	for chain in INPUT FORWARD; do
		"$IPT" -F "$chain"
		"$IPT" -P "$chain" ACCEPT
	done

	# Remove the SNAT and DNAT rules.
	for chain in POSTROUTING PREROUTING; do
		"$IPT" -t nat -F "$chain"
	done

	# INPUT and FORWARD no longer reference myfilter, so it can be emptied and
	# deleted (-X requires an empty, unreferenced chain).
	"$IPT" -F myfilter
	"$IPT" -X myfilter
}
