IPChain firewall rules problem
Stephen Smith
ischis2@home.com
Thu, 28 Dec 2000 10:43:14 -0700
Maybe someone from this group can help me. The script below can set up one of to sets of
rules: masquerading with the interfaces wide open, or masquerading with a firewall.
I apparently have something use up incorrectly because I can't connect to the machine from
the intranet side of the the box.
The internet side is at 24.x.x.x and the intranet side is at 192.168.1.1.
Can anyone spot anything?
Thanks in advance.
Stephen
----------------- ipchains script ------------------
#! /bin/sh
. /etc/rc.d/init.d/functions
home2cox_setup()
{
#
# rule(s) for going from the intranet to the internet
#
ipchains -A home2cox -i eth0 -j MASQ
}
cox2home_setup()
{
#
# rule(s) for going from the internet to the intranet
#
# the only things allowed from the internet to the
# intranet are masqueraded packets
ipchains -A cox2home -j DENY -l
}
icmp_acc_setup()
{
#
# rules for icmp packets in the internet interface chain
#
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
}
home_if_setup()
{
#
# rule(s) for the intranet interface
#
# Wide open here
ipchains -A home-if -j ACCEPT
}
cox_if_setup()
{
#
# rule(s) for the internet interface
#
# Packet filter box:
#
# ping
# traceroute
# dns
# dhcp
# masqueraded packets (ports 61000 to 65095)
# smtp
# pop3
ipchains -A cox-if -p TCP --dport smtp -j ACCEPT
ipchains -A cox-if -p TCP --dport pop3 -j ACCEPT
ipchains -A cox-if -p TCP --dport domain -j ACCEPT
ipchains -A cox-if -p UDP --dport domain -j ACCEPT
ipchains -A cox-if -p TCP --dport bootps -j ACCEPT
ipchains -A cox-if -p UDP --dport bootps -j ACCEPT
ipchains -A cox-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A cox-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A cox-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A cox-if -j icmp-acc
ipchains -A cox-if -j DENY -l
}
Firewall()
{
#
# This is used to set up a firewall. If you want a wid open
# system, use the noFirewall call
#
# flush chains of the rules, delete empty chains and then set the policies
ipchains -F
ipchains -X
ipchains -P input ACCEPT
ipchains -P forward DENY
ipchains -P output ACCEPT
# Turn on anti-spoofing rules
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# echo Turning on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# allow loopback traffic, but deny anything else (blocking rule)
ipchains -A input -i ! lo -j DENY
ipchains -A output -i ! lo -j DENY
ipchains -A forward -i ! lo -j DENY
# load module to handle special protocols
insmod ip_masq_cuseeme > /dev/null 2>&1
insmod ip_masq_irc > /dev/null 2>&1
insmod ip_masq_raudio > /dev/null 2>&1
insmod ip_masq_vdolive > /dev/null 2>&1
insmod ip_masq_ftp > /dev/null 2>&1
insmod ip_masq_quake > /dev/null 2>&1
# split rules based on interfaces
ipchains -N home2cox
ipchains -N cox2home
ipchains -N icmp-acc
ipchains -N home-if
ipchains -N cox-if
#insert the chains into the forward rule chain
ipchains -A forward -s 192.168.1.0/24 -i eth0 -j home2cox
ipchains -A forward -i eth1 -j cox2home
ipchains -A forward -j DENY -l
# insert the chains for the interfaces into the input rule
ipchains -A input -d 192.168.1.1 -j home-if
ipchains -A input -d 24.16.129.51 -j cox-if
# setup the individual chains
home2cox_setup
cox2home_setup
icmp_acc_setup
home_if_setup
cox_if_setup
# delete blocking rules
ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1
}
noFirewall()
{
#
# This is a wide open set of rules
#
# set the policy for the chains
ipchains -F
ipchains -X
ipchains -P input ACCEPT
ipchains -P forward DENY
ipchains -P output ACCEPT
# Turn on anti-spoofing rules
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# echo Turning on packet filtering
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -i eth0 -j MASQ
# load module to handle special protocols
insmod ip_masq_cuseeme > /dev/null 2>&1
insmod ip_masq_irc > /dev/null 2>&1
insmod ip_masq_raudio > /dev/null 2>&1
insmod ip_masq_vdolive > /dev/null 2>&1
insmod ip_masq_ftp > /dev/null 2>&1
insmod ip_masq_quake > /dev/null 2>&1
}
turnoff()
{
# Turn off anti-spoofing rules
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Turning off IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# flush chains of the rules, delete empty chains and then set the policies
ipchains -F
ipchains -X
ipchains -P input ACCEPT
ipchains -P forward ACCEPT
ipchains -P output ACCEPT
# unload modules
/sbin/rmmod ip_masq_cuseeme > /dev/null 2>&1
/sbin/rmmod ip_masq_irc > /dev/null 2>&1
/sbin/rmmod ip_masq_raudio > /dev/null 2>&1
/sbin/rmmod ip_masq_vdolive > /dev/null 2>&1
/sbin/rmmod ip_masq_ftp > /dev/null 2>&1
/sbin/rmmod ip_masq_quake > /dev/null 2>&1
}
list()
{
#
# Output the Current rules
#
for i in input forward output home2cox cox2home icmp-acc home-if cox-if
do
echo "ipchains -L $i -n -v"
ipchains -L $i -n -v
echo ""
done
}
case "$1" in
start)
Firewall
;;
stop)
turnoff
;;
restart)
Firewall
;;
masq)
noFirewall
;;
*)
list
;;
esac
--
Stephen Smith
1955 E. Bluefield Ave.
Phoenix, AZ 85022
(602)971-9520