The attached file is how I do it on Red Hat 9:

Good luck.

On Thursday 03 July 2003 11:29 am, Daniel Dui wrote:
Here is my problem:

I have a RH9 box with two network cards. One network card connects to a
cable modem and the other to a hub. I would like to share the Internet
connection with other computers in the house.

I was hoping to find a "share connection" tick box somewhere in the
network configuration options, but I could not.

I had a look at various howtos, but they look much more complicated than
they should be. All I am trying to do is set up a little home network! I
am surprised that there is still not a simple and easy way to do a
simple and easy thing in RH9.

Can anyone provide any clue?

many thanks

-daniel

-- 
rm -rf /bin/laden
Do it now and often!

#!/bin/sh
#
# chkconfig: 2345 11 89
# description: sets up a basic firewall ruleset
#
# This script is set up to use IPCHAINS to protect a small network.   It is
# considered to be 'medium-light' secure.
#
# This script should be saved as /etc/rc.d/init.d/firewall.  The name has to
# match the lock file it touches (/var/lock/subsys/firewall); otherwise rc
# will not run the stop action at shutdown.
#
# To enable the system to run this script at system start and stop, issue
# the commands (the run levels are taken from the "chkconfig:" line above):
#      chkconfig --add firewall
#      chkconfig --level 2345 firewall on
# Make sure the script's executable bits are set.  This can be done with
#      chmod u+x firewall
# On Red Hat 9 the iptables service must be off (chkconfig iptables off):
# the ip_tables and ipchains modules cannot both be loaded on a 2.4 kernel.
#
# Thanks go to various people around the office as well as the Trinity OS
# author, David A. Ranch.  To see a more comprehensive firewall example as
# well as other security related topics, please see David's TrinityOS
# document at:
#       http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
#
# There are three user-configurable sections.  The first is for the network 
# values for the firewall.  The second is for CIPE configuration.  The third
# consists of the ipchains commands themselves.  The only thing that should 
# need to be changed for the third section is uncommenting the cipe rulesets 
# if needed (they are deactivated by default).
#
# Things to watch out for when using this script:
#   a. When starting it by hand it expects the network to be up already,
#      both interfaces included.  (When started automatically by init it
#      runs early, so the window during which the box is up with no rules
#      is short.  This is medium security, after all.)
#   b. pump, which controls DHCP under Red Hat, isn't very good at picking
#      up a change in address for the interface.  So if the IP address of
#      the interface changes, the script might need to be stopped/started
#      by hand.  You'll lose connectivity and a lot of messages about UDP
#      errors will be logged to /var/log/messages when this happens.
#   c. This script is an example.  It is targeted for a small LAN (a single
#      subnet) and would require work for a more complex network.  It is
#      also not guaranteed to be secure, though it is reasonable.
#
#   NO WARRANTY
# This script is distributed in the hope that it will be useful, but             
# WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY      
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License 
# (http://www.gnu.org/copyleft/gpl.html) for more details.
#
#
######  SCRIPT START ########
# ---- these are for the function calls so the script will run as a service
#      only change this if the location on your system is different.  It 
#      shouldn't be.
# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
#      only change this if the location on your system is different.  It 
#      shouldn't be.
. /etc/sysconfig/network
######. /etc/sysconfig/cipe

# ---- Basic sanity check.  This makes sure that networking is up.  If it 
#      isn't, why continue?
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0


###### USER CONFIGURATION START #########################################
# ---- The device name for the external network interface (in this case "eth0").
#      Change this to match the interface that is your external (WAN) inter-
#      face.  (PPP users would use ppp0, for example).
EXTDEV=eth0
# ---- Don't change the code below.  It uses the ifconfig command and 
#      cuts the relevant information out of the display (the IP address) and
#      configures it.  Replacing the code segment with the IP address would 
#      result in the same information anyway.  The advantage of using the 
#      code below is for DHCP or other dynamic networks.
EXTERNALIP=`ifconfig $EXTDEV | grep "inet addr:" | \
        awk -F: '{print $2}' | cut -d\  -f 1`
if [ -z "${EXTERNALIP}" ]; then
        echo "$EXTDEV has no IP address; not loading firewall rules" >&2
        exit 1
fi

# ---- The device name for the internal network interface (in this case "eth1").
#      See comments above.
INTDEV=eth1
#      See comments above.
INTERNALIP=`ifconfig $INTDEV | grep "inet addr:" | \
        awk -F: '{print $2}' | cut -d\  -f 1`
if [ -z "${INTERNALIP}" ]; then
        echo "$INTDEV has no IP address; not loading firewall rules" >&2
        exit 1
fi

# ---- The network value for the internal network, in this case it is the 
#      reserved (RFC 1918) block 10.0.0.0/24.  Change it to match the internal
#      network you are using; the rules below apply a /24 netmask to it.
INTNET="10.0.0.0"

# ===== End of the first configuration section

# CIPE Configuration section.
# ---- If running CIPE, uncomment these lines.  If you are not running CIPE
#      DON'T mess with any of these.
#CIPEDEV=cipcb0
#CIPE_INET=`ifconfig $CIPEDEV | grep "inet addr:" | \
#       awk -F: '{print $2}' | cut -d\  -f 1`
#if [ -z "${CIPE_INET}" ]; then
#       exit 1
#fi
#
#CIPE_PTP=`ifconfig $CIPEDEV | grep "P-t-P:" | \
#       awk -F: '{print $3}' | cut -d\  -f 1`
#if [ -z "${CIPE_PTP}" ]; then
#       exit 1
#fi
#
# # The internal IPs used for the destination network.
# CIPEINTNET="xxx.xxx.xxx.xxx"
# The real IP network used for Red Hat
# CIPEREALNET="xxx.xxx.xxx.xxx"
# The IP Tunnel Box's IP Addy
# TUNNEL="xxx.xxx.xxx.xxx"
# IMPORTANT NOTE: If using CIPE then the sections below with the same 
#                 variables will need to be uncommented.  If you don't
#                 know what CIPE is or don't know how to configure it, 
#                 leave it alone.  VAriable list: TUNNEL, CIPEREALNET,
#                 CIPEINTNET
# ===== End of CIPE configuration section

echo "EXTDEV: ${EXTDEV} on ${EXTERNALIP}"
echo "INTDEV: ${INTDEV} on ${INTERNALIP}"

# See how we were called.
case "$1" in
  start)
        # Start firewall.
        echo -n "Starting firewall: "

        # On a 2.4 kernel (Red Hat 9) "ipchains" is the compatibility module;
        # it cannot coexist with ip_tables, so stop the iptables service first.
        # The ip_masq_* helpers below are 2.2 kernel modules that do not exist
        # on 2.4; those modprobes fail harmlessly there.
        modprobe ipchains
        modprobe ip_masq_ftp
        modprobe ip_masq_irc
        modprobe ip_masq_raudio

# ---- Begin of firewall/ipchain rules.
#  NOTE:  If you have your own firewall script you would rather use, you 
#  can replace the below section with it. Replace everything until the ***
#      Don't mess with these unless you know what you are doing.
        # MASQ timeouts.  Change these only if the timeouts are causing 
        #                 problems.
        #   2 hrs timeout for TCP session timeouts (7200 seconds)
        #  10 sec timeout for traffic after the TCP/IP "FIN" packet is 
        #       received
        #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable 
        #       a 30sec firewall
        #
        echo "Setting masq timeouts"
        ipchains -M -S 7200 10 60

        ##################################################################
        # Forwarding, flush and set default policy of deny. Actually the 
        # default policy is irrelevant because there is a catch all rule 
        # with deny and log.

        echo "Setting new forward rules"
        echo -n "forward..."

        # This makes sure that IP forwarding is turned on for networking.
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # This does the flush
        ipchains -F forward
        # This sets the default to DENY
        ipchains -P forward DENY

        # Masquerade from the local net to anywhere.  The /24 (255.255.255.0)
        # mask limits this to the 10.0.0.x range given in INTNET above.  The
        # rule is restricted to packets leaving through the external device
        # (on the forward chain -i is the outgoing interface), so traffic the
        # box forwards between internal hosts is never masqueraded.  The
        # -d 0.0.0.0/0 indicates that the destination can be anywhere.
        ipchains -A forward -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j MASQ
        # Unrestricted form of the same rule.  Don't enable both: this one
        # would match first and make the interface-specific rule above
        # unreachable.
        # ipchains -A forward -s $INTNET/255.255.255.0 -j MASQ
        
        # Backup Rule.  Try this out if forwarding doesn't seem to work with 
        # the above rule (make sure to comment out the above).  It says that 
        # any packets are to be masq'd and forwarded to the external device.
        # ipchains -A forward -i $EXTDEV -j MASQ

        # CIPE Forwarding.  Ignore this unless you need it.  (An ipchains rule
        # with no -j target only counts packets, so these need -j ACCEPT to
        # actually let the tunnel traffic through.)
        # ipchains -A forward -d $CIPEINTNET/255.255.255.0 -j ACCEPT
        # ipchains -A forward -d $CIPEREALNET/255.255.254.0 -j ACCEPT

        # catch all rule, all other forwarding is denied and logged. pity 
        # there is no log option on the policy but this does the job instead.
        ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

        # Shorter equivalent of the rule above.
        #ipchains -A forward -j DENY -l

        ### Port Forwarding Operations #################################
        #  Uncomment the two commands below only if port forwarding is needed.
        # echo "Enabling IPPORTFW Redirection on the external LAN..."
        # /usr/sbin/ipmasqadm portfw -f
        #
        # You probably don't have the ipmasqadm package installed.  If 
        # not, go to http://juanjox.kernelnotes.org/ for the binaries
        # before trying to run these commands.  "rpm -q ipmasqadm" can 
        # be used to check for the package.
        #
        #### ---- These Are Examples of Port Forwards 
        ## This one forwards the httpd port from the firewall and 
        ## points it to another machine on the LAN with the IP address of 
        ## 192.168.100.100
        # /usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTERNALIP 80 -R 192.168.100.100 80

        ## This one forwards a specialized port from the firewall and 
        ## points it at a machine on the LAN with the IP address of 
        ## 192.168.100.100 at port 7000.
        # /usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTERNALIP 7000 -R 192.168.100.100 7000
        
        ################################################################
        # Incoming, flush and set default policy of deny. Actually the 
        # default policy is irrelevant because there is a catch all rule 
        # with deny and log.

        echo -n "input..."
        echo "Setting new input rules"
        # Incoming, flush and set default policy of deny.
        ipchains -F input
        # (-l is not valid on a policy; the catch-all rule at the end logs.)
        ipchains -P input DENY

        # local interface, local machines, going anywhere is valid
        ipchains -A input -i $INTDEV -s $INTNET/24 -d 0.0.0.0/0 -j ACCEPT

        # multicasting is valid (xntpd)
        ipchains -A input -i $EXTDEV -s $EXTERNALIP/32 -d 224.0.0.0/8 -j ACCEPT

        # remote interface, claiming to be local machines, IP spoofing, 
        # the rule tells to get lost
        ipchains -A input -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j DENY -l

        # loopback interface is valid.
        ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

        # The following are ports that could not be configured to only
        # listen on the internal network, thus we firewall the external side.

        # Deny access to the backup software port (617).
        # These lines read as "append to input: protocol tcp, from any
        # source, to our external IP on port 617, log it and deny it".
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 617 -j DENY -l

        # Deny access to the firewall auth port
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 7777 -j DENY -l
 
        # Deny access to ftp 
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 21 -l -j DENY
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 21 -l -j DENY

        # Deny access to telnet
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 23 -l -j DENY 
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 23 -l -j DENY 

        # Deny access to sendmail
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 25 -l -j DENY 
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 25 -l -j DENY 

        # Deny access to finger
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 79 -l -j DENY 
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 79 -l -j DENY 

        # Deny access to POP3
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 110 -j DENY -l
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 110 -j DENY -l
        
        # Deny access to IDENT
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 113 -j DENY -l
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 113 -j DENY -l

        # Deny access to NetBIOS
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 139 -j DENY -l
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 139 -j DENY -l

        # Deny access to IMAP
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 143 -j DENY -l
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 143 -j DENY -l

        # Deny access to HTTPS
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 443 -j DENY -l
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 443 -j DENY -l

        # Deny access to microsoft-ds (SMB over TCP/IP, port 445)
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 445 -j DENY -l
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 445 -j DENY -l

        # Deny access to rpc
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 111 -l -j DENY
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 111 -l -j DENY
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 135 -l -j DENY
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 135 -l -j DENY

        # Deny access to UPnP (Universal Plug and Play)
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 5000 -l -j DENY
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 5000 -l -j DENY

        # Deny access to X11 (X Windows display :0)
        ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 6000 -l -j DENY
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 6000 -l -j DENY

        # Deny access to the echo port (used by squid/junkbuster)
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 7 -j DENY -l 

        # Deny access to syslog
        ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 514 -l -j DENY

        # Remote interface, any source, going to the external address: accept.
        # ipchains has no connection tracking, so this is what lets replies to
        # the firewall's own outbound traffic (DNS, web, etc.) back in; the
        # port-specific DENY rules above are the only filtering of services
        # the box offers on its external side, so keep them ahead of this
        # rule.  Replies to masqueraded LAN connections also arrive here (on
        # the masq port range 61000-65095) before being demasqueraded, so the
        # DENY alternative below would break Internet sharing unless that
        # range is accepted first.
        ipchains -A input -i $EXTDEV -s 0.0.0.0/0 -d $EXTERNALIP/32 -j ACCEPT
        #ipchains -A input -i $EXTDEV -s 0.0.0.0/0 -d $EXTERNALIP/32 -j DENY -l

        # IP-IP tunnel.  Use these only if you need them.  PORT is the CIPE
        # UDP port; it is not set anywhere in this script, so define it in
        # the CIPE configuration section before enabling the first rule.
        # FIXME: limit this to a device (EXTDEV OR CIPEDEV)
        # ipchains -A input -p udp -s $TUNNEL $PORT -j ACCEPT
        # ipchains -A input -i $CIPEDEV -j ACCEPT

        # catch all rule, all other incoming is denied.
        # ipchains -A input -j DENY -l
        # ipchains -A input -j DENY
        ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

        ##################################################################   
        # Outgoing, flush and set default policy of deny. Actually the 
        # default policy is irrelevant because there is a catch all rule 
        # with deny and log. 

        echo "Setting new output rules"
        echo -n "output..."

        # Outgoing, flush and set default policy of deny. 
        ipchains -F output
        ipchains -P output DENY

        # local interface, any source going to local net is valid
        ipchains -A output -i $INTDEV -s 0.0.0.0/0 -d $INTNET/24 -j ACCEPT

        # loopback interface is valid.
        ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

        # outgoing to local net on remote interface: stuffed routing, deny
        ipchains -A output -i $EXTDEV -s 0.0.0.0/0 -d $INTNET/24 -j DENY -l

        # outgoing from local net on remote interface: stuffed masq, deny
        ipchains -A output -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j DENY -l

        # anything else outgoing on remote interface is valid
        #ipchains -A output -i $EXTDEV -d 0.0.0.0/0 -j ACCEPT
        ipchains -A output -i $EXTDEV -s $EXTERNALIP/32 -d 0.0.0.0/0 -j ACCEPT

        # outgoing to IP-IP tunnel for CIPE server is valid.  Use these 
        # Only if you need them.
        # ipchains -A output -i $CIPEDEV -s $CIPE_INET -d $CIPE_PTP/32 -j ACCEPT
        # ipchains -A output -i $CIPEDEV -s $CIPE_INET -d $CIPEREALNET/23 -j ACCEPT
        # ipchains -A output -i $CIPEDEV -s $EXTERNALIP -d $CIPEREALNET/23 -j ACCEPT
        # ipchains -A output -i $CIPEDEV -s $CIPE_INET -d 0.0.0.0/0 -j ACCEPT

        # catch all rule, all other outgoing is denied.
        # ipchains -A output -j DENY -l
        # ipchains -A output -j DENY 
        ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY


        echo "Done with the firewall rulesets"  
        echo -n "acct..."

        # Accounting.  Create three user chains (on a restart they may exist
        # already, so the -N error is ignored and the chain is flushed) and
        # hang them off the built-in chains.  They hold no rules, so packets
        # just pass through; the packet/byte counters on the jump rules
        # (ipchains -L -v -n) tally traffic per direction.
        for chain in acctin acctout acctio; do
                ipchains -N $chain 2>/dev/null
                ipchains -F $chain
        done
        # Track traffic just to network, not individual hosts
        ipchains -I input -j acctio
        ipchains -I input -j acctin
        ipchains -I output -j acctio
        ipchains -I output -j acctout
        ipchains -I forward -j acctout
        
        echo "done"
        touch /var/lock/subsys/firewall
        ;;

  stop)
        # Stop firewall.  Note that this leaves the box with no packet
        # filtering at all; it does not fail closed.
        echo -n "Shutting down firewall: "
        ipchains -F input
        ipchains -A input -j ACCEPT
        ipchains -F output
        ipchains -A output -j ACCEPT
        ipchains -F forward
        ipchains -A forward -j ACCEPT
        ipchains -X acctio
        ipchains -X acctin
        ipchains -X acctout

        # With the MASQ rule gone, forwarding would pass LAN packets to the
        # cable modem with private source addresses, so turn it off as well.
        echo 0 > /proc/sys/net/ipv4/ip_forward

        rmmod ip_masq_raudio
        rmmod ip_masq_irc
        rmmod ip_masq_ftp

        echo "done"
        rm -f /var/lock/subsys/firewall
        ;;

  restart)
        $0 stop
        $0 start
        ;;

  status)
        # The "status" function from the library looks for a running process,
        # which a ruleset doesn't have, so report on the lock file and rules.
        if [ -f /var/lock/subsys/firewall ]; then
                echo "firewall rules are loaded"
                ipchains -L -n
        else
                echo "firewall rules are not loaded"
        fi
        ;;

  *)
        echo "Usage: firewall {start|stop|restart|status}"
        exit 1
esac

exit 0
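As an added example (not part of the original post or the script above): the same two-NIC sharing setup written for iptables, the native packet filter on Red Hat 9's 2.4 kernel (the posted script goes through the ipchains compatibility module, and the two cannot be loaded at the same time). Because ipchains has no connection tracking, the script above has to accept everything addressed to the external IP and then deny a list of known service ports; the iptables state match lets the external side default to drop and admit only replies to connections opened from the firewall or the LAN. The interface names eth0/eth1, the 10.0.0.0/24 LAN, and the function names gen_rules, portfw_rules and apply_rules are assumptions of this example. The generator functions print the rules instead of running them so the ruleset can be reviewed without root; `apply` installs it.

```shell
#!/bin/sh
# Added example for the RH9 two-NIC setup discussed in the thread: stateful
# NAT with iptables instead of the ipchains compatibility layer.  Interface
# names, subnet and function names are assumptions, not from the original.

EXTDEV=${EXTDEV:-eth0}          # cable-modem side (assumed)
INTDEV=${INTDEV:-eth1}          # hub/LAN side (assumed)
INTNET=${INTNET:-10.0.0.0/24}   # LAN subnet (assumed)

# Print the base ruleset rather than run it, so it can be inspected or
# tested without root.  Arguments: external dev, internal dev, LAN CIDR.
gen_rules() {
    ext=$1; int=$2; net=$3
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and the LAN side are trusted
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $int -s $net -j ACCEPT
# anti-spoofing: LAN addresses must never arrive on the cable-modem side
iptables -A INPUT -i $ext -s $net -j LOG --log-prefix "SPOOF: "
iptables -A INPUT -i $ext -s $net -j DROP
# replies to connections the firewall itself opened (DNS, HTTP, ...)
iptables -A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else arriving from the Internet is logged (rate limited) and dropped
iptables -A INPUT -i $ext -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -i $ext -j DROP
# forwarding: LAN -> Internet, plus the return half of those connections
iptables -A FORWARD -i $int -o $ext -s $net -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
# masquerade behind whatever address the cable modem hands out
iptables -t nat -A POSTROUTING -o $ext -s $net -j MASQUERADE
EOF
}

# Port forward (the iptables counterpart of the ipmasqadm portfw lines):
# DNAT the external port to a LAN host and explicitly allow that forward.
# Arguments: external dev, external port, LAN host, LAN port.
portfw_rules() {
    ext=$1; port=$2; host=$3; hport=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $host:$hport
iptables -A FORWARD -i $ext -p tcp -d $host --dport $hport -m state --state NEW -j ACCEPT
EOF
}

# Install the rules.  Must run as root; forwarding is enabled last so no
# unfiltered forwarding happens before the ruleset is in place.
apply_rules() {
    modprobe ip_conntrack_ftp        # active-mode FTP from the LAN
    modprobe ip_nat_ftp
    gen_rules "$EXTDEV" "$INTDEV" "$INTNET" | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  gen_rules "$EXTDEV" "$INTDEV" "$INTNET" ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 {show|apply}" >&2 ;;
esac
```

Rule order matters on the external interface: the anti-spoofing drop sits before the ESTABLISHED,RELATED accept, so a forged LAN-sourced packet can never ride in on a tracked connection, and OUTPUT is left open because the posted script's output rules only guard against broken routing, which the `-o` restriction on the MASQUERADE rule already handles.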

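Every `-l` rule in the posted script makes the kernel write a "Packet log:" line to /var/log/messages, and on a cable modem those pile up quickly. As an added example (not from the original post), here is a small shell/awk summariser for those lines: one function tallies logged packets by chain, target, protocol, destination port and source, the other pulls out sources that hit the anti-spoofing rule (LAN addresses arriving on the external interface). The log lines in SAMPLE are constructed in the kernel's ipchains log format, not real captures; the host name, addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example: summarise what the ipchains -l rules log to /var/log/messages.
# SAMPLE is constructed in the 2.2/ipchains "Packet log:" format; it is not a
# real capture.  Real use: grep 'Packet log:' /var/log/messages | summarize_log
SAMPLE='Jul  3 11:30:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 198.51.100.2:23 L=60 S=0x00 I=45210 F=0x4000 T=52 SYN (#14)
Jul  3 11:30:04 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4322 198.51.100.2:23 L=60 S=0x00 I=45211 F=0x4000 T=52 SYN (#14)
Jul  3 11:31:10 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:1026 198.51.100.2:137 L=78 S=0x00 I=9 F=0x0000 T=115 (#9)
Jul  3 11:32:45 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.23:3000 198.51.100.2:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#6)
Jul  3 11:33:00 gw kernel: Packet log: forward DENY eth0 PROTO=6 10.0.0.5:1100 192.0.2.10:25 L=60 S=0x00 I=2 F=0x4000 T=63 SYN (#3)'

# Read log lines on stdin; print "count chain target proto dst_port src_ip",
# most frequent first.  After the "log:" token the fields are:
# chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
summarize_log() {
    awk '
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i+1); target = $(i+2); proto = substr($(i+4), 7)
        split($(i+5), s, ":"); split($(i+6), d, ":")
        n[chain " " target " " proto " " d[2] " " s[1]]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Sources that hit the anti-spoofing rule: input chain, external interface,
# source address inside the LAN prefix.  Arguments: external dev, LAN prefix
# (e.g. "10.0.0.").
spoofed_sources() {
    awk -v dev="$1" -v prefix="$2" '
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        if ($(i+1) == "input" && $(i+3) == dev && index($(i+5), prefix) == 1) {
            split($(i+5), s, ":"); print s[1]
        }
    }' | sort -u
}

# Stand-alone run over the constructed sample.
echo "== denied packets by target =="
echo "$SAMPLE" | summarize_log
echo "== LAN addresses seen on the external interface =="
echo "$SAMPLE" | spoofed_sources eth0 10.0.0.
```

The forward-chain line in the sample (a LAN host trying to reach port 25 through the box) is deliberately excluded from `spoofed_sources`: on the forward chain the interface is the outgoing one, so a LAN source there is normal and only input-chain hits are spoofing attempts.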