-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 06 January 2002 8:22 pm, dman wrote:
>
> I wrote /etc/init.d/FIREWALL, a shell script I wrote to configure
> iptables. Then I added a symlink to it
>
> $ ls -l /etc/rc2.d
> lrwxrwxrwx 1 root root 20 Aug 19 16:59 S13FIREWALL -> /etc/init.d/FIREWALL
>
> The iptables rules use 'eth1' to refer to the external interface, not
> a hard-coded IP since it can't be known ahead of time.
>
Just to be a bit pedantic. Firewall really needs to come up just before you
connect to the network. In Debian the /etc/init.d/ifupdown script is executed
as the symlink S39ifupdown in /etc/rcS.d, so I have a firewall script in
/etc/init.d (/etc/init.d/firewall) that is linked in as S38firewall in
/etc/rcS.d. This causes it to be run just prior to bringing the network up.

Just to be clear on the firewall script - here are a few bits of mine - see how
I use the shell variable $INETIF - originally this was ppp when I had a dial-up
link and I changed it to eth0 once I had a cable modem and two ethernet cards.

INETIF=eth0
...
#
# Route packets going out from here onto a new table so that we can do
# things with them (logging etc)
#
iptables -N to-inet
...
#
# Now make the connection to the table
#
iptables -A OUTPUT -o $INETIF -j to-inet
#
# Common internet Stuff
#
iptables -N from-inet
#
# Stuff already established is allowed
#
iptables -A from-inet -m state --state ESTABLISHED,RELATED -j ACCEPT
...
iptables -A from-inet -j LOG
iptables -A from-inet -j DROP
#
# Create a chain which protects gateway
#
iptables -N inet-in
...
#
# Allow connections to my ssh port
#
iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
iptables -A inet-in -p udp --dport ssh -j ACCEPT
#
# Allow boot stuff so I can configure interface
#
iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
#
# Do Common Stuff
#
iptables -A inet-in -j from-inet
#
# Create table from forwarded stuff from Inet
#
iptables -N inet-fwd
...
#
# Do common stuff
#
iptables -A inet-fwd -j from-inet
#
# Link new tables in
#
iptables -A INPUT -i $INETIF -j inet-in
iptables -A FORWARD -i $INETIF -j inet-fwd
#
# need to MASQUERADE outgoing stuff
#
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o $INETIF -j MASQUERADE
...

I left a lot out, but what I have included is the essence of the framework.
There is one outgoing chain (I don't stop anything from my users, but I do
occasionally like to count the packets of different sorts; I add rules to the
to-inet chain to count packets).

Coming in, I initially route to two chains if they are from the internet:
inet-in and inet-fwd. The first is to the gateway where (for instance) I allow
an ssh connection; the second is stuff for an internal LAN where I don't allow
much, but I do add rules to allow various games protocols through.

from-inet is a chain that both types of input use and is called after each of
the above chains has been traversed. I allow established connections through,
but not much else (which above is logged and dropped - you may wish to drop
some things silently if you get a lot of them).

- -- 
Alan - [EMAIL PROTECTED]
http://www.chandlerfamily.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8ONKD1mf3M5ZDr2kRAkj3AJ90wYDpPjYa45iq2sdrVivLfiTsYgCdFWBt
kfifqBuiWcZvhfFboOzOWQ8=
=s9m3
-----END PGP SIGNATURE-----
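The chain layout Alan describes (to-inet for outgoing counts, inet-in for the gateway, inet-fwd for the LAN, from-inet as the shared tail that accepts ESTABLISHED,RELATED and then logs and drops), written out as one complete init script. This is an added example, not Alan's actual /etc/init.d/firewall; the interface name eth0 and the 10.0.10.0/24 LAN are taken from the post, while the IPT dry-run variable, the reset_rules/build_rules/dry_run/rule_count functions, the default-DROP policies on INPUT and FORWARD, the loopback and LAN-to-internet forwarding rules, and the rate limit on the LOG rule are assumptions of this example. Two practical points it adds: the script flushes and deletes its own chains first, because a bare `iptables -N to-inet` fails on a second run once the chain exists, and setting IPT=echo prints the rules instead of loading them, so the ruleset can be reviewed without root before it is linked in as S38firewall.

```shell
#!/bin/sh
# Hypothetical /etc/init.d/firewall in the style of the framework above.
# Added example, not Alan's script. Link it as /etc/rcS.d/S38firewall so it
# runs just before S39ifupdown brings the interfaces up.
#
# Assumed (not from the post): default-DROP policies on INPUT/FORWARD, the
# loopback and LAN forwarding rules, the rate limit on LOG, and the IPT
# variable, which lets you dry-run the script (IPT=echo) without being root.

INETIF="${INETIF:-eth0}"          # external interface (was ppp on dial-up)
LANNET="${LANNET:-10.0.10.0/24}"  # internal LAN behind this gateway
IPT="${IPT:-iptables}"            # command prefix for every rule

# Flush and delete everything so the script can be re-run: a bare
# "iptables -N to-inet" fails the second time because the chain exists.
reset_rules() {
    for t in filter nat; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

build_rules() {
    # Whatever no chain decides is dropped rather than accepted.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # to-inet: everything leaving via $INETIF. A rule with no target only
    # counts what matches, which is all this chain is used for.
    $IPT -N to-inet
    $IPT -A to-inet -p tcp --dport 80
    $IPT -A OUTPUT -o "$INETIF" -j to-inet

    # from-inet: the common tail both inet-in and inet-fwd jump to.
    # Logging is limited so a flood of unwanted packets cannot fill the disk.
    $IPT -N from-inet
    $IPT -A from-inet -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A from-inet -m limit --limit 5/min -j LOG --log-prefix "from-inet: "
    $IPT -A from-inet -j DROP

    # inet-in: packets addressed to the gateway itself.
    $IPT -N inet-in
    $IPT -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
    $IPT -A inet-in -p udp --dport 67:68 -j ACCEPT   # DHCP while configuring
    $IPT -A inet-in -j from-inet

    # inet-fwd: packets to be forwarded into the LAN.
    $IPT -N inet-fwd
    $IPT -A inet-fwd -j from-inet

    # Link the chains in and masquerade the LAN.
    $IPT -A INPUT -i "$INETIF" -j inet-in
    $IPT -A FORWARD -i "$INETIF" -j inet-fwd
    $IPT -A FORWARD -s "$LANNET" ! -i "$INETIF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LANNET" -o "$INETIF" -j MASQUERADE
}

# Print the rules instead of loading them (IPT=echo in a subshell so the
# setting does not leak into the caller).
dry_run() {
    ( IPT=echo; build_rules )
}

# Number of -A rules a dry run produces, a cheap sanity check on the script.
rule_count() {
    dry_run | grep -c -- '-A '
}

case "${1:-}" in
    start|restart) reset_rules; build_rules ;;
    stop)          reset_rules ;;
    dry-run)       dry_run ;;
    *)             echo "usage: $0 {start|stop|restart|dry-run}" >&2 ;;
esac
```

Run `sh firewall dry-run` to see the 14 rules in the order they would be loaded and check that within from-inet the LOG rule precedes the DROP; `start` and `stop` need root and a kernel with the state match. The ordering matters for the same reason Alan gives for S38 versus S39: the policies and chains must exist before any packet can arrive on $INETIF.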