Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentooized rc.firewall-2.4
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
Satori80
Tux's lil' helper
Tux's lil' helper


Joined: 24 Feb 2004
Posts: 137

PostPosted: Sat Aug 14, 2004 7:15 pm    Post subject: Gentooized rc.firewall-2.4 Reply with quote

If you are like me you like to learn how Linux does things at a basic level. The Linux IP Masquerade HOWTO teaches us how to learn about iptables on a variety of Linux distributions, however Gentoo is not one of them.

With help from others I've Gentooized the script from the HOWTO so Gentoo users may follow along with the HOWTO at http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html.

Copy the following script and save it to /etc/init.d/rc.firewall-2.4 and be sure to run 'chmod +x /etc/init.d/rc.firewall-2.4'.

There are a few extras in this version thanks to bertvv, who created his own Gentoo version of rc.firewall-2.4 here. The only difference between his and mine, is mine contains all the comments and superfluous commands from the HOWTO to help us better follow along.

Enjoy.

Code:
#!/sbin/runscript
#
# rc.firewall-2.4 modified for Gentoo by Scott Szigeti(satori80@msn.com)
# Thanks to Bert Van Vreckem(bertvv@advalvas.be) for help with
# 'Gentooization'
#
# Based on the Linux IP Masquerade HOWTO v2.00.110903
# by David A. Ranch(dranch@trinnet.net)
# http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

FWVER=v0.80.081404

#          An example of an IPTABLES firewall with IP Masquerade
#          support for 2.4.x kernels.
#
# Log:
#
#   0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
#           default of the ip_conntrack_irc to NOT load by default, and
#           added additional kernel module comments
#   0.79s - ruleset now uses modprobe instead of insmod
#   0.78s - REJECT is not a legal policy yet; back to DROP
#   0.77s - Changed the default block behavior to REJECT not DROP
#   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
#           where to put optional PORTFW commands
#   0.75s - Added clarification that PPPoE users need to use
#           "ppp0" instead of "eth0" for their external interface
#   0.74s - Changed the EXTIP command to work on NON-English distros
#   0.73s - Added comments in the output section that DHCPd is optional
#           and changed the default settings to disabled
#   0.72s - Changed the filter from the INTNET to the INTIP to be
#           stateful; moved the command VARs to the top and made the
#           rest of the script to use them
#   0.70s - Added a disabled examples for allowing internal DHCP
#           and external WWW access to the server
#   0.63s - Added support for the IRC module
#   0.62s - Initial version based upon the basic 2.4.x rc.firewall


#----------------------------------------------------------------------
# Settings
#----------------------------------------------------------------------

#-------- General settings --------------------------------------------
# These should not be changed
opts="${opts} showstatus panic fw.rules nat.rules"

# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES="/sbin/iptables"
LSMOD="/sbin/lsmod"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"
GREP="/bin/grep"
AWK="/bin/awk"
SED="/bin/sed"
IFCONFIG="/sbin/ifconfig"
ECHO="/bin/echo"

# status flag (used by eend)
status="0"

#----------------------------------------------------------------------
# Gentoo Script proper 
#----------------------------------------------------------------------

#-------- Dependencies ------------------------------------------------
depend() {
   need net
}

#-------- Specific settings -------------------------------------------

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is internal and "eth1" is external"
#
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#
EXTIF="eth1"
INTIF="eth0"

# Specify your Static IP address here or let the script take care of it
# for you.
#
#   If you prefer to use STATIC addresses in your firewalls, un-# out the
#   static example below and # out the dynamic line.  If you don't care,
#   just leave this section alone.
#
#   If you have a DYNAMIC IP address, the ruleset already takes care of
#   this for you.  Please note that the different single and double quote
#   characters and the script MATTER.
#
#
#   DHCP users:
#   -----------
#   If you get your TCP/IP address via DHCP, **you will need ** to enable the
#   #ed out command below underneath the PPP section AND replace the word
#   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
#   etc) on the lines for "ppp-ip" and "extip".  You should also note that the
#   DHCP server can and will change IP addresses on you.  To deal with this,
#   users should configure their DHCP client to re-run the rc.firewall ruleset
#   everytime the DHCP lease is renewed.
#
#     NOTE #1:  Some DHCP clients like the original "pump" (the newer
#               versions have been fixed) did NOT have the ability to run
#               scripts after a lease-renew.  Because of this, you need to
#               replace it with something like "dhcpcd" or "dhclient".
#
#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
#
#               Older versions used syntax like:
#                         dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#               Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
#
#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
#
#                   script /etc/rc.d/rc.firewall
#
#   PPP users:
#   ----------
#   If you aren't already aware, the /etc/ppp/ip-up script is always run when
#   a PPP connection comes up.  Because of this, we can make the ruleset go and
#   get the new PPP IP address and update the strong firewall ruleset.
#
#   If the /etc/ppp/ip-up file already exists, you should edit it and add a line
#   containing "/etc/rc.d/rc.firewall" near the end of the file.
#
#   If you don't already have a /etc/ppp/ip-up sccript, you need to create the
#   following link to run the /etc/rc.d/rc.firewall script.
#
#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
#   * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
#  The following line will determine your external IP address.  This
#  line is somewhat complex and confusing but it will also work for
#  all NON-English Linux distributions:
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
  /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

# For users who wish to use STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"

# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.1/24"

# Setting any other local variables
#
UNIVERSE="0.0.0.0/0"

#-------- SNAT ruleset -------------------------------------------------
nat.rules() {
 
   ebegin "Loading SNAT rules-2.4 $FWVER"

   #Clearing any previous configuration
   #
   #  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
   #  The default for FORWARD is DROP (REJECT is not a valid policy)
   #
   einfo " - Clearing any existing rules and setting default policy.."
   $IPTABLES -P INPUT ACCEPT || status="1"
   $IPTABLES -F INPUT || status="1"
   $IPTABLES -P OUTPUT ACCEPT || status="1"
   $IPTABLES -F OUTPUT || status="1"
   $IPTABLES -P FORWARD DROP || status="1"
   $IPTABLES -F FORWARD || status="1"
   $IPTABLES -t nat -F || status="1"

   einfo " - FWD: Allow all connections OUT and only existing and related ones IN"
   $IPTABLES -A FORWARD -i $EXTIF -o $INTIF \
   -m state --state ESTABLISHED,RELATED -j ACCEPT || status="1"
   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT || status="1"
   $IPTABLES -A FORWARD -j LOG || status="1"

   einfo " - Enabling SNAT (MASQUERADE) functionality on $EXTIF"
   $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE || status="1"

   einfo "SNAT rules-2.4 $FWVER loaded"
   
   eend $status
}

#-------- Firewall ruleset --------------------------------------------

fw.rules() {

   ebegin "Loading firewall rules-2.4 $FWVER"

   einfo "External Interface:  $EXTIF"
   einfo "Internal Interface:  $INTIF"
   einfo " ---"

   einfo "External IP: $EXTIP"
   einfo " ---"

   einfo "Internal Network: $INTNET"
   einfo "Internal IP:      $INTIP"
   einfo " ---"

   einfo "loading modules: "

# Need to verify that all modules have all required dependencies
   einfo " - Verifying that all kernel modules are ok..."
   $DEPMOD -a || status="1"

# With the IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually. 
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
   
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:

# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
 
   einfo "ip_tables..."
#Verify the module isn't loaded.  If it is, skip it

   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE ip_tables || status="1"
   fi

#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
   einfo "ip_conntrack..."
#Verify the module isn't loaded.  If it is, skip it
   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE ip_conntrack || status="1"
   fi

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate

   einfo "ip_conntrack_ftp..."
#Verify the module isn't loaded.  If it is, skip it

   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE ip_conntrack_ftp || status="1"
   fi

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
   
   einfo "ip_conntrack_irc..."
#Verify the module isn't loaded.  If it is, skip it
   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE ip_conntrack_irc || status="1"
   fi

#Loads the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
   einfo "iptable_nat..."
#Verify the module isn't loaded.  If it is, skip it
#
   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE iptable_nat || status="1"
   fi

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
   einfo "ip_nat_ftp..."
#Verify the module isn't loaded.  If it is, skip it
#
   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE ip_nat_ftp || status="1"
   fi
 
#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate

   einfo "ip_nat_irc..."
#Verify the module isn't loaded.  If it is, skip it
   if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
      $MODPROBE ip_nat_irc || status="1"
   fi
   
   einfo " ---"

# Just to be complete, here is a partial list of some of the other 
# IPTABLES kernel modules and their function.  Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be
#                        manipulated for things like the TCPMSS
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.


#CRITICAL:  Enable IP forwarding since it is disabled by default
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#

   einfo "Enabling forwarding..."
   $ECHO "1" > /proc/sys/net/ipv4/ip_forward

   einfo " ---"


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
   einfo "Enabling DynamicAddr..."
   $ECHO "1" > /proc/sys/net/ipv4/ip_dynaddr

   einfo " ---"

# Enable Reverse Path Filtering: makes sure packets use legitmate
# sources addresses to prevent IP spoofing.
#   for i in /proc/sys/net/ipv4/conf/*/re_filter ; do
#   $ECHO "1" > $i
#   done

# Drop ping packets. It can be handy to enable pinging from the
# local net for network testing, but there is no reason why an
# outsider should be able to ping.
#   $ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP broadcasts. This prevents Smurf attacks.
   $ECHO "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Protect against bogus error message responses
   $ECHO "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Disable source routed packets, which can be used to compromise
# your network
   $ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Don't accept redirects. This can be used to alter your routing
# table.
   $ECHO "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable log_martians, logging of spoofed, source routed and
# redirect packets.
   $ECHO "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Enable Syn Cookies.
#   $ECHO "1" > /proc/sys/net/ipv4/tcp_syncookies

######### Firewall rules start ########################################
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD  is to DROP
#   
#  You CANNOT change this to REJECT as it isn't a valid policy setting.
#  If you want to REJECT, you must explicitly REJECT at the end of a given
#  INPUT, OUTPUT, or FORWARD chain.
#
   einfo "Clearing any existing rules and setting default policy to DROP.."
   $IPTABLES -P INPUT DROP || status="1"
   $IPTABLES -F INPUT || status="1"
   $IPTABLES -P OUTPUT DROP || status="1"
   $IPTABLES -F OUTPUT || status="1"
   $IPTABLES -P FORWARD DROP || status="1"
   $IPTABLES -F FORWARD || status="1"
   $IPTABLES -F -t nat || status="1"

#Not needed and it will only load the unneeded kernel module
#   $IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
   if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
      $IPTABLES -F drop-and-log-it || status="1"
   fi
#
# Delete all User-specified chains
   $IPTABLES -X || status="1"
#
# Reset all IPTABLES counters
   $IPTABLES -Z || status="1"

#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
   einfo "Creating a DROP chain.."
   $IPTABLES -N drop-and-log-it || status="1"
   $IPTABLES -A drop-and-log-it -j LOG --log-level info || status="1"
   $IPTABLES -A drop-and-log-it -j REJECT || status="1"

   einfo " - Loading INPUT rulesets..."


#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#
   $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT || status="1"


# local interface, local machines, going anywhere is valid
#
   $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT || status="1"

# remote interface, claiming to be local machines, IP spoofing, get lost
#
   $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it || status="1"


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
#   $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT || status="1"


# remote interface, any source, going to permanent PPP address is valid
#
#   $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT || status="1"


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT || status="1"


#- ------ Begin OPTIONAL INPUT Section --------------------------------
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT || status="1"
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT || status="1"

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY
#           for users that plan on running Apache on the MASQ server itself
#
#echo -e "      - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#
#-------- End OPTIONAL INPUT Section ----------------------------------



# Catch all rule, all other incoming is denied and logged.
#
   $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it || status="1"

   einfo " - Loading OUTPUT rulesets..."

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
#
   $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT || status="1"


# local interfaces, any source going to local net is valid
#
   $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT || status="1"


# local interface, any source going to local net is valid
#
   $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT || status="1"


# outgoing to local net on remote interface, stuffed routing, deny
#
   $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it || status="1"


# anything else outgoing on remote interface is valid
#
   $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT || status="1"


#-------- Begin OPTIONAL OUTPUT Section -------------------------------
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
   $IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
   -d 255.255.255.255 --dport 68 -j ACCEPT || status="1"
   $IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
   -d 255.255.255.255 --dport 68 -j ACCEPT || status="1"

#
#-------- End OPTIONAL OUTPUT Section ---------------------------------


# Catch all rule, all other outgoing is denied and logged.
#
   $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it || status="1"

   einfo " - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

#-------- Begin OPTIONAL FORWARD Section ------------------------------
#
#-------- End OPTIONAL FORWARD Section --------------------------------


   einfo " - FWD: Allow all connections OUT and only existing/related IN"
   $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
   -j ACCEPT || status="1"
   $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT || status="1"

# Catch all rule, all other forwarding is denied and logged.
#
   $IPTABLES -A FORWARD -j drop-and-log-it || status="1"

   einfo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#   $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
   $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP || status="1"

   einfo "Firewall rules-2.4 $FWVER done"

   eend $status
}

#-------- restart -----------------------------------------------------

# Use the restart command to reinstate the firewall ruleset if you are
# stop or kill mode

restart() {
   svc_stop
   svc_start
}

#-------- start firewall ----------------------------------------------
# This is the firewall ruleset from rc.firewall-2.4-stronger v0.80s
# from the IP Masquerade HOWTO

start() {
   ebegin "Starting firewall"
   fw.rules
   eend $status
}

#-------- stop firewall -----------------------------------------------

# This shuts down packet filtering but keeps stateful inspection
# to insure that only existing or related traffic is allowed in from the
# external network.

# This is basically the ruleset from rc.firewall-2.4 v0.75 from the
# IP Masquerade HOWTO

stop() {
   ebegin "Shutting down firewall"
   nat.rules
   eend $status
}

#-------- Shut down firewall completly --------------------------------

# This pretty much sets all interfaces wide open for remote access

kill() {
   ebegin "Shutting down all rules"
   
   $IPTABLES -t filter -F || status="1"
   $IPTABLES -t filter -X || status="1"
   $IPTABLES -t filter -P INPUT ACCEPT || status="1"
   $IPTABLES -t filter -P OUTPUT ACCEPT || status="1"
   $IPTABLES -t filter -P FORWARD ACCEPT || status="1"

   eend $status
}

#-------- show config -------------------------------------------------
showstatus() {
   ebegin "Status"

   $IPTABLES -L -n -v --line-numbers
   einfo "NAT status"
   $IPTABLES -L -n -v --line-numbers -t nat
   
   eend $?
}

#-------- panic rules -------------------------------------------------
#
# ***WARNING***
#
# This command will kill *all* communication on all external OS level
# network interfaces!
#
# Try not to use this command on a remote machine unless you have a way
# to reboot remotely or access to the machine other than the OS level
# network interfaces.
#
# If your connection gets cut off, it would be extremely difficult or
# most likely impossible to restart the ruleset on PC style hardware
# without direct keyboard access.

panic() {
   ebegin "Setting panic rules"
   $IPTABLES -F || status="1"
   $IPTABLES -X || status="1"
   $IPTABLES -t nat -F || status="1"
   $IPTABLES -P FORWARD DROP || status="1"
   $IPTABLES -P INPUT   DROP || status="1"
   $IPTABLES -P OUTPUT  DROP || status="1"
   $IPTABLES -A INPUT -i lo -j ACCEPT || status="1"
   $IPTABLES -A OUTPUT -o lo -j ACCEPT || status="1"
   eend $status
}

# EOF /etc/init.d/rc.firewall-2.4


PS. if this exists already on this board, please let me know so I can delete this post! I used search but apparently it doesn't always find things I'm looking for. (translation = I suck @ searching)[/code]
Back to top
View user's profile Send private message
Circuitsoft
Tux's lil' helper
Tux's lil' helper


Joined: 14 Jul 2004
Posts: 112

PostPosted: Fri May 27, 2005 6:28 am    Post subject: Reply with quote

Not sure if it's elsewhere on the board, but it's not necessary.

Step 1:
rc-update add iptables default
This adds the iptables service to your startup scripts.

Step 2:
/etc/init.d/iptables start
This marks the iptables service as started for the gentoo rc-scripts

Step 3:
Run rc.firewall-2.4 Once

Now, when you shut down the computer, and the rc-scripts stop the iptables service, that script saves the current iptables configuration into a file somwhere in /var (I think).

Next time the computer starts up, the iptables configuration will be reloaded from the file it was saved in.

So. If you're messing with iptables, just on the command line and not in a script, and find something you like, you just have to /etc/init.d/iptables save and its current state will be saved, so you don't have to worry about writing a script like this. As for loading modules, they will be automatically loaded if necessary (see /etc/modules.conf)
Back to top
View user's profile Send private message
Satori80
Tux's lil' helper
Tux's lil' helper


Joined: 24 Feb 2004
Posts: 137

PostPosted: Fri May 27, 2005 2:06 pm    Post subject: Reply with quote

Well... sure. You could do that. If you want to do things the easy way... . (some people :wink:)
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18159

PostPosted: Fri May 27, 2005 7:46 pm    Post subject: Reply with quote

I forget the reasons, but some people don't like their iptables managed through the /etc/init.d service.
_________________
Those who know what's best for us must rise and save us from ourselves.
Back to top
View user's profile Send private message
jhunholz
Apprentice
Apprentice


Joined: 29 Apr 2004
Posts: 154
Location: Raleigh, NC

PostPosted: Fri May 27, 2005 8:16 pm    Post subject: Reply with quote

Has anyone seen an rc.firewall script for the 2.6 kernel? I would hate to downgrade just for that...
_________________
Member of the Gentoo Right Wing Conspiracy
Back to top
View user's profile Send private message
Circuitsoft
Tux's lil' helper
Tux's lil' helper


Joined: 14 Jul 2004
Posts: 112

PostPosted: Sat May 28, 2005 6:06 am    Post subject: Reply with quote

2.0 had ipfwadm
2.2 had ipchains
2.4 has iptables
2.6 still uses iptables, so there's no reason to change it.
Back to top
View user's profile Send private message
Satori80
Tux's lil' helper
Tux's lil' helper


Joined: 24 Feb 2004
Posts: 137

PostPosted: Sat May 28, 2005 2:48 pm    Post subject: Reply with quote

Circuitsoft wrote:
2.6 still uses iptables, so there's no reason to change it.


Exactly. The 2.4 and 2.6 versions can use the same script.
Back to top
View user's profile Send private message
Dolio
l33t
l33t


Joined: 17 Jun 2002
Posts: 650

PostPosted: Sun May 29, 2005 8:22 pm    Post subject: Reply with quote

Query: This script contains the following:

Code:
depend {
    need net
}


Doesn't that mean that the firewall starts after your network interfaces come online, and isn't that a no-no as far as paranoid security people are concerned?

Edit: The following is probably better:

Code:
depend {
    before net
}

_________________
They don't have a good bathroom to do coke in.
Back to top
View user's profile Send private message
Cadorna
Apprentice
Apprentice


Joined: 30 Dec 2004
Posts: 215
Location: Argentina

PostPosted: Fri Jun 03, 2005 8:40 pm    Post subject: Reply with quote

Dolio wrote:
Query: This script contains the following:

Code:
depend {
    need net
}


Doesn't that mean that the firewall starts after your network interfaces come online, and isn't that a no-no as far as paranoid security people are concerned?

Edit: The following is probably better:

Code:
depend {
    before net
}


if you start it before net you won't be able to get EXTIP and INTIP
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum