Linux Voodoo Corporation
About Us 866.309.4617 Tracking Shopping Cart Checkout
Shop Account Customer Care Services Resources
Overview Books Mailing Lists Search Howtos
 
  You are here: » Main » Howto's Log In  | Financing  
Swartz Creek, Michigan: Linux Voodoo offers Linux consulting (and support) services (both free and commercial), Linux compatible hardware and software reviews and sales, Linux servers and desktop, the Voodoo Linux distribution and hardening systems, Linux driver development, Linux news,chat, message boards, Linux embedded jobs, security advisories, Linux howto's and newbie information. linux download red hat directpc direct pc linux linux software linux driver linux tutorial linux mandrake mandrake linux linux command netapp linux mount windows source decss linux game linux hp suse linux linux downloads linux firewall linux server linux programming linux red hat wine linux linux ppt linux operating system embedded linux linux distribution corel linux free linux free linux download linux help force 10baset linux linux laptop reset linux scsi d kill tape /proc linux router linux pda linux wallpaper red hat linux download linux kernel linux router project linux iso linux howto linux how to linux os linux application linux certification linux web hosting linux hosting linux modem peanut linux nokia rs 232 linux modem setting linux for window linux free download linux documentation project linux sms1 linux call back linux problem reading directory linux boot disk linux theme linux cluster linux closing port linux security dialogic linux linux emulator linux training linux startup dual boot window 2000 linux linux magazine linux auto rpm realtek rtl8019 linux driver download robomon linux linux estrutura de diretorios 3c589d config linux timeservice linux linux samba linux dvd player linux .ppt mplayer near download and linux red hat linux 7.2 linux mail server free linux software linux hardwarelinux anti virus redmond linux linux modem driver linux vpn pic microcontroller linux programmer aol for linux linux review linux wireless
contact us: abuse@flonetwork.com webmaster@flonetwork.com info@webmaster@flonetwork.com spampoision@lnxvoodoo.com noc@sprint.net webmaster@lnxvoodoo.com wlad@lnxvoodoo.com michelle@lnxvoodoo.com ryan@lnxvoodoo.com bryan@lnxvoodo.com rambo@lnxvoodoo.com senioreditor@lnxvoodoo.com editor@lnxvoodoo.com
WOW on Linux, yes our gaming systems do include World of Warcraft for Linux! Linux Voodoo Gaming systems include one copy of World of Warcraft, 1 year paid subscription to Transgaming.com so you can play over 200 popular Windows games on our linux systems. Too good to be true? Try it out for yourself.
  Start shopping
Notebooks
notebooks 

 

Desktops
desktops 

 

Servers
servers 

 

Appliances
appliances 

 

Accessories
accessories 

 

Software
software 
Howto's  
Next Previous Contents

7. Example masquerading firewall scripts

7.1 Kernel 2.0, ipfwadm 


#!/bin/sh 
#04/04/1999 
#example rc.firewall script for the 2.0 kernels using ipfwadm 
#I cant take full credit for this script.  I had found it a few 
#years ago and made slight modifications. 
#Send questions or comments to acj@home.com. 

#--------------------------------------------------------------------- 
#Variables 
#--------------------------------------------------------------------- 

#local ethernet interface 
localip= 
localif=eth0 

#static ethernet interface 
staticip= 
staticif=eth1 

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 

#--------------------------------------------------------------------- 
#Incoming Firewall Policies 
#--------------------------------------------------------------------- 
#flush incoming firewall policies 
/sbin/ipfwadm -I -f 

#set incoming firewall policy default to deny 
/sbin/ipfwadm -I -p deny 

#--------------------------------------------------------------------- 

#local interface, local machines, going anywhere is valid 
/sbin/ipfwadm -I -a accept -V $localip -S $localip/24 -D 0.0.0.0/0 
#remote interface, claiming to be local machines (IP spoofing) deny and log 
/sbin/ipfwadm -I -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o 
#remote interface, any source, going to staticip address is valid 
/sbin/ipfwadm -I -a accept -V $staticip -S 0.0.0.0/0 -D $staticip/32 
#loopback interface is valid 
/sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 
#all other incoming is denied and logged 
/sbin/ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o 

#--------------------------------------------------------------------- 
#Outgoing Firewall Policies 
#--------------------------------------------------------------------- 

#flush outgoing firewall policies 
/sbin/ipfwadm -O -f 

#set outgoing firewall policy default to deny 
/sbin/ipfwadm -O -p deny 

#--------------------------------------------------------------------- 

#local interface, any source going to local net is valid 
/sbin/ipfwadm -O -a accept -V $localip -S 0.0.0.0/0 -D $localip/24 
#outgoing to localnet on static interface, stuffed routing, deny 
/sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o 
#outgoing from localnet on static interface, stuffed masquerading, deny 
/sbin/ipfwadm -O -a deny -V $staticip -S $localip/24 -D 0.0.0.0/0 -o 
#outgoing to localnet on static interface, stuffed masquerading, deny 
/sbin/ipfwadm -O -a deny -V $staticip -S 0.0.0.0/0 -D $localip/24 -o 
#anything else outgoing on remote interface is valid 
/sbin/ipfwadm -O -a accept -V $staticip -S $staticip/32 -D 0.0.0.0/0 
#loopback interface is valid 
/sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 
#all other outgoing is denied and logged 
/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o 

#-------------------------------------------------------------------------- 
#Forwarding firewall policies 
#-------------------------------------------------------------------------- 

#flush forwarding policies 
/sbin/ipfwadm -F -f 

#set forwarding policy default to deny 
/sbin/ipfwadm -F -p deny 

#masquerade from localnet on local interface to anywhere 
/sbin/ipfwadm -F -a masquerade -W $staticif -S $localip/24 -D 0.0.0.0/0 
#all other forwarding is denied 
/sbin/ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 

exit 0

7.2 Kernel 2.1/2.2, ipchains 


#!/bin/sh 
#04/04/1999 
#example rc.firewall script for the newer 2.1/2.2 kernels using ipchains
#that creates user defined chains for each interface.  There are firewall
#rules for spoofing protection which may be unnecessary since the newer
#kernels can have kernel spoofing protection enabled.  You might say it's
#super paranoid checking. 
#Send questions or comments to acj@home.com. 

#--------------------------------------------------------------------- 
#Variables 
#--------------------------------------------------------------------- 

#local ethernet interface 
localip= 
localif=eth0 

#static ethernet interface 
staticip= 
staticif=eth1 

#loopback interface 
loopback=lo 

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 

#--------------------------------------------------------------------- 
#Flush built-in input, output, and forward ipchains; set default policy 
#Good policy to deny all packets especially while setting up chains 
#--------------------------------------------------------------------- 

#set incoming firewall policy default to deny 
ipchains -P input DENY 

#flush incoming firewall policies 
ipchains -F input 

#--------------------------------------------------------------------- 

#set outgoing firewall policy default to deny 
ipchains -P output DENY 

#flush outgoing firewall policies 
ipchains -F output 

#--------------------------------------------------------------------- 

#set forwarding firewall policy default to deny 
ipchains -P forward DENY 

#flush forwarding firewall policies 
ipchains -F forward 

#--------------------------------------------------------------------- 
#flush all policies  -redundant for main policies, but also flushes user 
#defined policies 
#ipchains -F 

#remove all user defined policies - you may or may not want to enable this 
#ipchains -X 

#--------------------------------------------------------------------- 
#Incoming Firewall Policies 
#--------------------------------------------------------------------- 

#create new input chain for static ethernet interface 
ipchains -N $staticif"-i" 

#flush all rules in chain (sanity flush) 
ipchains -F $staticif"-i" 

#block incoming tcp SYN packets to all ports on staticif and log 
#this may be a little harsh but its a nice feature 
#ipchains -A $staticif"-i" -j DENY -p tcp -y -i $staticif -s 0/0 \
#-d $staticip : -l 

#remote interface, claiming to be local machines (IP spoofing) deny and log 
ipchains -A $staticif"-i" -j DENY -i $staticif -s $localip/16 -d 0/0 -l 

#remote interface, any source, going to staticip address is valid 
ipchains -A $staticif"-i" -j ACCEPT -i $staticif -s 0/0 -d $staticip/32 

#all other incoming is denied and logged 
ipchains -A $staticif"-i" -j DENY -s 0/0 -d 0/0 -l 

#--------------------------------------------------------------------- 

#create new input chain for local ethernet interface 
ipchains -N $localif"-i" 

#flush all rules in chain (sanity flush) 
ipchains -F $localif"-i" 

#local interface, local machines, going anywhere is valid 
ipchains -A $localif"-i" -j ACCEPT -i $localif -s $localip/24 -d 0/0 

#all other incoming is denied and logged 
ipchains -A $localif"-i" -j DENY -s 0/0 -d 0/0 -l 

#--------------------------------------------------------------------- 

#create new input chain for loopback interface 
ipchains -N $loopback"-i" 

#flush all rules in chain (sanity flush) 
ipchains -F $loopback"-i" 

#loopback interface is valid 
ipchains -A $loopback"-i" -j ACCEPT -i $loopback -s 0/0 -d 0/0 

#all other incoming is denied and logged 
ipchains -A $loopback"-i" -j DENY -s 0/0 -d 0/0 -l 

#-------------------------------------------------------------------------- 
#Forwarding firewall policies 
#-------------------------------------------------------------------------- 

#create new forward chain for static ethernet interface 
ipchains -N $staticif"-f" 

#flush all rules in chain (sanity flush) 
ipchains -F $staticif"-f" 

#masquerade from localnet on static interface to anywhere 
ipchains -A $staticif"-f" -j MASQ -i $staticif -s $localip/24 -d 0/0 

#all other forwarding is denied and logged 
ipchains -A $staticif"-f" -j DENY -s 0/0 -d 0/0 -l 

#--------------------------------------------------------------------- 

#create new forward chain for local ethernet interface 
ipchains -N $localif"-f" 

#flush all rules in chain (sanity flush) 
ipchains -F $localif"-f" 

#all other forwarding is denied and logged 
ipchains -A $localif"-f" -j DENY -s 0/0 -d 0/0 -l 

#--------------------------------------------------------------------- 

#create new forward chain for loopback interface 
ipchains -N $loopback"-f" 

#flush all rules in chain (sanity flush) 
ipchains -F $loopback"-f" 

#all other forwarding is denied and logged 
ipchains -A $loopback"-f" -j DENY -s 0/0 -d 0/0 -l 
  

#--------------------------------------------------------------------- 
#Outgoing Firewall Policies 
#--------------------------------------------------------------------- 

#create new output chain for static ethernet interface 
ipchains -N $staticif"-o" 

#flush all rules in chain (sanity flush) 
ipchains -F $staticif"-o" 

#outgoing to localnet on remote interface(stuffed routing) deny & log 
ipchains -A $staticif"-o" -j DENY -i $staticif -s 0/0 -d $localip/24 -l 

#outgoing from local net on remote interface, stuffed masquerading, deny 
ipchains -A $staticif"-o" -j DENY -i $staticif -s $localip/24 -d 0/0 -l 

#anything else outgoing on remote interface is valid 
ipchains -A $staticif"-o" -j ACCEPT -i $staticif -s $staticip/32 -d 0/0 

#all other outgoing is denied and logged 
ipchains -A $staticif"-o" -j DENY -s 0/0 -d 0/0 -l 

#--------------------------------------------------------------------- 

#create new output chain for local ethernet interface 
ipchains -N $localif"-o" 

#flush all rules in chain (sanity flush) 
ipchains -F $localif"-o" 

#local interface, any source going to local net is valid 
ipchains -A $localif"-o" -j ACCEPT -i $localif -s 0/0 -d $localip/24 

#all other outgoing is denied and logged 
ipchains -A $localif"-o" -j DENY -s 0/0 -d 0/0 -l 

#--------------------------------------------------------------------- 

#create new output chain for loopback interface 
ipchains -N $loopback"-o" 

#flush all rules in chain (sanity flush) 
ipchains -F $loopback"-o" 

#loopback interface is valid 
ipchains -A $loopback"-o" -j ACCEPT -i $loopback -s 0/0 -d 0/0 
#all other outgoing is denied and logged 
ipchains -A $loopback"-o" -j DENY -s 0/0 -d 0/0 -l 

#-------------------------------------------------------------------------- 
#make sure forwarding is enabled in the kernel 
#-------------------------------------------------------------------------- 

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward 

#-------------------------------------------------------------------------- 
#Add pointers to built-in chains to enable user defined chains 
#change the order in each chain to optimize filtering for an interface 
#-------------------------------------------------------------------------- 

#add local interface input chain 
ipchains -A input -i $localif -j $localif"-i" 

#add static interface input chain 
ipchains -A input -i $staticif -j $staticif"-i" 

#add loopback interface input chain 
ipchains -A input -i $loopback -j $loopback"-i" 

#------------------------------------------------------------------------- 

#add local interface output chain 
ipchains -A output -i $localif -j $localif"-o" 

#add static interface output chain 
ipchains -A output -i $staticif -j $staticif"-o" 

#add loopback interface output chain 
ipchains -A output -i $loopback -j $loopback"-o" 

#------------------------------------------------------------------------- 

#add local interface forward chain 
ipchains -A forward -i $localif -j $localif"-f" 

#add static interface forward chain 
ipchains -A forward -i $staticif -j $staticif"-f" 

#add loopback interface forward chain 
ipchains -A forward -i $loopback -j $loopback"-f" 

#--------------------------------------------------------------------- 
#Super Paranoid check --- even though default policy is set for deny, 
#block all packets on any interface 
#--------------------------------------------------------------------- 

#all other incoming is denied and logged 
ipchains -A input -j DENY -s 0/0 -d 0/0 -l 

#all other output is denied and logged 
ipchains -A output -j DENY -s 0/0 -d 0/0 -l 

#all other forwarding is denied and logged 
ipchains -A forward -j DENY -s 0/0 -d 0/0 -l 

exit 0

Next Previous Contents
Continue
 



P
System Builder

Now Shipping from: California - Florida - Georgia - Massachusetts - Michigan - New Jersey - Pennsylvania - Tennessee - Texas
We only ship within the USA and APO's.
We do not ship on national US holidays or on weekends.
Linux Voodoo RSS Store Feed
About Us  |  Contact Us  |  Conditions of Use  |  Privacy Notice  |  Warranty & Returns  |  Employment |  PHP HTML Form Builder

Copyright © 2003, Linux Voodoo Corporation All rights reserved. Linux is a trademark of Linus Torvalds.
email-addresses
Asterisk Debian Linux, WOW on Linux, yes our gaming systems do include World of Warcraft for Linux! Linux Voodoo Gaming systems include one copy of World of Warcraft, 1 year paid subscription to Transgaming.com so you can play over 200 popular Windows games on our linux systems. Too good to be true? Try it out for yourself.