Maybe someone from this group can help me. The script below can set up one of to sets of rules: masquerading with the interfaces wide open, or masquerading with a firewall. I apparently have something use up incorrectly because I can't connect to the machine from the intranet side of the the box. The internet side is at 24.x.x.x and the intranet side is at 192.168.1.1. Can anyone spot anything? Thanks in advance. Stephen ----------------- ipchains script ------------------ #! /bin/sh . /etc/rc.d/init.d/functions home2cox_setup() { # # rule(s) for going from the intranet to the internet # ipchains -A home2cox -i eth0 -j MASQ } cox2home_setup() { # # rule(s) for going from the internet to the intranet # # the only things allowed from the internet to the # intranet are masqueraded packets ipchains -A cox2home -j DENY -l } icmp_acc_setup() { # # rules for icmp packets in the internet interface chain # ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT } home_if_setup() { # # rule(s) for the intranet interface # # Wide open here ipchains -A home-if -j ACCEPT } cox_if_setup() { # # rule(s) for the internet interface # # Packet filter box: # # ping # traceroute # dns # dhcp # masqueraded packets (ports 61000 to 65095) # smtp # pop3 ipchains -A cox-if -p TCP --dport smtp -j ACCEPT ipchains -A cox-if -p TCP --dport pop3 -j ACCEPT ipchains -A cox-if -p TCP --dport domain -j ACCEPT ipchains -A cox-if -p UDP --dport domain -j ACCEPT ipchains -A cox-if -p TCP --dport bootps -j ACCEPT ipchains -A cox-if -p UDP --dport bootps -j ACCEPT ipchains -A cox-if -p TCP --dport 61000:65095 -j ACCEPT ipchains -A cox-if -p UDP --dport 61000:65095 -j ACCEPT ipchains -A cox-if -p ICMP --icmp-type pong -j ACCEPT ipchains -A cox-if -j icmp-acc ipchains -A cox-if -j DENY -l } Firewall() { # # This is used to set up a firewall. If you want a wid open # system, use the noFirewall call # # flush chains of the rules, delete empty chains and then set the policies ipchains -F ipchains -X ipchains -P input ACCEPT ipchains -P forward DENY ipchains -P output ACCEPT # Turn on anti-spoofing rules for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done # echo Turning on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # allow loopback traffic, but deny anything else (blocking rule) ipchains -A input -i ! lo -j DENY ipchains -A output -i ! lo -j DENY ipchains -A forward -i ! lo -j DENY # load module to handle special protocols insmod ip_masq_cuseeme > /dev/null 2>&1 insmod ip_masq_irc > /dev/null 2>&1 insmod ip_masq_raudio > /dev/null 2>&1 insmod ip_masq_vdolive > /dev/null 2>&1 insmod ip_masq_ftp > /dev/null 2>&1 insmod ip_masq_quake > /dev/null 2>&1 # split rules based on interfaces ipchains -N home2cox ipchains -N cox2home ipchains -N icmp-acc ipchains -N home-if ipchains -N cox-if #insert the chains into the forward rule chain ipchains -A forward -s 192.168.1.0/24 -i eth0 -j home2cox ipchains -A forward -i eth1 -j cox2home ipchains -A forward -j DENY -l # insert the chains for the interfaces into the input rule ipchains -A input -d 192.168.1.1 -j home-if ipchains -A input -d 24.16.129.51 -j cox-if # setup the individual chains home2cox_setup cox2home_setup icmp_acc_setup home_if_setup cox_if_setup # delete blocking rules ipchains -D input 1 ipchains -D forward 1 ipchains -D output 1 } noFirewall() { # # This is a wide open set of rules # # set the policy for the chains ipchains -F ipchains -X ipchains -P input ACCEPT ipchains -P forward DENY ipchains -P output ACCEPT # Turn on anti-spoofing rules for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done # echo Turning on packet filtering echo 1 > /proc/sys/net/ipv4/ip_forward ipchains -A forward -i eth0 -j MASQ # load module to handle special protocols insmod ip_masq_cuseeme > /dev/null 2>&1 insmod ip_masq_irc > /dev/null 2>&1 insmod ip_masq_raudio > /dev/null 2>&1 insmod ip_masq_vdolive > /dev/null 2>&1 insmod ip_masq_ftp > /dev/null 2>&1 insmod ip_masq_quake > /dev/null 2>&1 } turnoff() { # Turn off anti-spoofing rules for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Turning off IP forwarding echo 0 > /proc/sys/net/ipv4/ip_forward # flush chains of the rules, delete empty chains and then set the policies ipchains -F ipchains -X ipchains -P input ACCEPT ipchains -P forward ACCEPT ipchains -P output ACCEPT # unload modules /sbin/rmmod ip_masq_cuseeme > /dev/null 2>&1 /sbin/rmmod ip_masq_irc > /dev/null 2>&1 /sbin/rmmod ip_masq_raudio > /dev/null 2>&1 /sbin/rmmod ip_masq_vdolive > /dev/null 2>&1 /sbin/rmmod ip_masq_ftp > /dev/null 2>&1 /sbin/rmmod ip_masq_quake > /dev/null 2>&1 } list() { # # Output the Current rules # for i in input forward output home2cox cox2home icmp-acc home-if cox-if do echo "ipchains -L $i -n -v" ipchains -L $i -n -v echo "" done } case "$1" in start) Firewall ;; stop) turnoff ;; restart) Firewall ;; masq) noFirewall ;; *) list ;; esac -- Stephen Smith 1955 E. Bluefield Ave. Phoenix, AZ 85022 (602)971-9520