IPChain firewall rules problem

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: StephenSmithischis2@home.com
Date:  
Subject: IPChain firewall rules problem
Maybe someone from this group can help me. The script below can set up one of to sets of
rules: masquerading with the interfaces wide open, or masquerading with a firewall.

I apparently have something use up incorrectly because I can't connect to the machine from
the intranet side of the the box.

The internet side is at 24.x.x.x and the intranet side is at 192.168.1.1.

Can anyone spot anything?

Thanks in advance.
Stephen

----------------- ipchains script ------------------

#! /bin/sh

. /etc/rc.d/init.d/functions

home2cox_setup()
{
    #
    # rule(s) for going from the intranet to the internet
    # 
    ipchains -A home2cox -i eth0 -j MASQ
}


cox2home_setup()
{
    #
    # rule(s) for going from the internet to the intranet
    #
    # the only things allowed from the internet to the 
    # intranet are masqueraded packets
    ipchains -A cox2home -j DENY -l
}


icmp_acc_setup()
{
    #
    # rules for icmp packets in the internet interface chain
    #
    ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
    ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
    ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
}


home_if_setup()
{
    #
    # rule(s) for the intranet interface
    #
    # Wide open here
    ipchains -A home-if -j ACCEPT
}


cox_if_setup()
{
    #
    # rule(s) for the internet interface
    #
    # Packet filter box:
    # 
    #    ping
    #    traceroute
    #    dns
    #    dhcp
    #    masqueraded packets (ports 61000 to 65095)
    #    smtp
    #    pop3


    ipchains -A cox-if -p TCP  --dport smtp        -j ACCEPT
    ipchains -A cox-if -p TCP  --dport pop3        -j ACCEPT
    ipchains -A cox-if -p TCP  --dport domain      -j ACCEPT
    ipchains -A cox-if -p UDP  --dport domain      -j ACCEPT
    ipchains -A cox-if -p TCP  --dport bootps      -j ACCEPT
    ipchains -A cox-if -p UDP  --dport bootps      -j ACCEPT
    ipchains -A cox-if -p TCP  --dport 61000:65095 -j ACCEPT
    ipchains -A cox-if -p UDP  --dport 61000:65095 -j ACCEPT
    ipchains -A cox-if -p ICMP --icmp-type pong    -j ACCEPT
    ipchains -A cox-if -j icmp-acc
    ipchains -A cox-if -j DENY -l
}



Firewall()
{
    #
    # This is used to set up a firewall.  If you want a wid open 
    # system, use the noFirewall call
    #


    # flush chains of the rules, delete empty chains and then set the policies
    ipchains -F
    ipchains -X
    ipchains -P input ACCEPT
    ipchains -P forward DENY
    ipchains -P output ACCEPT


    # Turn on anti-spoofing rules 
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done


    # echo Turning on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward


    # allow loopback traffic, but deny anything else (blocking rule)
    ipchains -A  input   -i ! lo -j DENY
    ipchains -A  output  -i ! lo -j DENY
    ipchains -A  forward -i ! lo -j DENY


    # load module to handle special protocols


    insmod ip_masq_cuseeme  > /dev/null 2>&1
    insmod ip_masq_irc      > /dev/null 2>&1
    insmod ip_masq_raudio   > /dev/null 2>&1
    insmod ip_masq_vdolive  > /dev/null 2>&1
    insmod ip_masq_ftp      > /dev/null 2>&1
    insmod ip_masq_quake    > /dev/null 2>&1


    # split rules based on interfaces
    ipchains -N home2cox
    ipchains -N cox2home
    ipchains -N icmp-acc
    ipchains -N home-if
    ipchains -N cox-if


    #insert the chains into the forward rule chain
    ipchains -A forward -s 192.168.1.0/24 -i eth0 -j home2cox
    ipchains -A forward -i eth1 -j cox2home
    ipchains -A forward -j DENY -l


    # insert the chains for the interfaces into the input rule
    ipchains -A input -d 192.168.1.1  -j home-if
    ipchains -A input -d 24.16.129.51 -j cox-if


    # setup the individual chains
    home2cox_setup
    cox2home_setup
    icmp_acc_setup
    home_if_setup
    cox_if_setup


    # delete blocking rules
    ipchains -D input   1
    ipchains -D forward 1
    ipchains -D output  1
}


noFirewall()
{
    #
    # This is a wide open set of rules
    #


    # set the policy for the chains
    ipchains -F
    ipchains -X
    ipchains -P input ACCEPT
    ipchains -P forward DENY
    ipchains -P output ACCEPT


    # Turn on anti-spoofing rules 
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done


    # echo Turning on packet filtering
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -A forward -i eth0 -j MASQ


    # load module to handle special protocols
    insmod ip_masq_cuseeme  > /dev/null 2>&1
    insmod ip_masq_irc      > /dev/null 2>&1
    insmod ip_masq_raudio   > /dev/null 2>&1
    insmod ip_masq_vdolive  > /dev/null 2>&1
    insmod ip_masq_ftp      > /dev/null 2>&1
    insmod ip_masq_quake    > /dev/null 2>&1
}


turnoff()
{
    # Turn off anti-spoofing rules 
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter


    # Turning off IP forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward


    # flush chains of the rules, delete empty chains and then set the policies
    ipchains -F
    ipchains -X
    ipchains -P input ACCEPT
    ipchains -P forward ACCEPT
    ipchains -P output ACCEPT


    # unload modules
    /sbin/rmmod ip_masq_cuseeme > /dev/null 2>&1
    /sbin/rmmod ip_masq_irc     > /dev/null 2>&1
    /sbin/rmmod ip_masq_raudio  > /dev/null 2>&1
    /sbin/rmmod ip_masq_vdolive > /dev/null 2>&1
    /sbin/rmmod ip_masq_ftp     > /dev/null 2>&1
    /sbin/rmmod ip_masq_quake   > /dev/null 2>&1
}


list()
{
    #
    #  Output the Current rules
    #
    for i in input forward output home2cox cox2home icmp-acc home-if cox-if
    do
        echo "ipchains -L $i -n -v"
        ipchains -L $i -n -v
        echo ""
    done
}


case "$1" in

start)
    Firewall 
    ;;


stop)
    turnoff
    ;;


restart)
    Firewall
    ;;


masq)
    noFirewall
    ;;


*)
    list
    ;;


esac



--
Stephen Smith
1955 E. Bluefield Ave.
Phoenix, AZ 85022
(602)971-9520