How to test?
Kevin Evans
kevin@thewalledcity.net
Thu, 26 Jul 2001 21:02:45 +0100
The green colour in your shell means the script is executable. To make
the firewall script executable (and thus turn it green) do:
chmod +x firewall
(or whatever the file is called)
After that, try:
cd /etc/rc.d/init.d
./firewall
If that works, it should work at boot.
Kev
Kevin Evans - kevin@thewalledcity.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
www.thewalledcity.net - Free webmail
irc.irctoo.net - the IRCtoo chat net
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Wenzhong Chen
Sent: Thursday, July 26, 2001 8:26 PM
To: David Bitton
Cc: netfilter@lists.samba.org
Subject: Re: How to test?
Actually I am a newbie here. I just amended someone's script and am trying to make it work. I have posted my script here. I can see that all the files in init.d are green except my firewall file, so I am afraid it is not started. I restarted the machine and it still has not turned green. Could somebody help me? Thank you very much!
James
#!/bin/sh
#
# This script contains the complete netfilter firewall
# for this network. This firewall is designed to be run
# 24 hours a day for full protection.
#
# chkconfig: 2345 11 92
# description: Contains the complete netfilter \
# firewall for this network.
#
# Interfaces: eth0 faces the Internet, eth1 faces the internal network.

# Init scripts get a minimal PATH at boot, so make sure the sbin dirs are in it
export PATH=$PATH:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# Bail out if there is no iptables binary to run
command -v iptables > /dev/null 2>&1 || exit 1

RETVAL=0
INTERNAL_NET=x.x.x.0/24
INTERNAL_IP=x.x.x.x
INTERNET=x.x.x.x

# Now, see how we were called
case "$1" in
start)
    echo -n "Loading netfilter firewall: "
    # Load any required modules
    echo -n "modules "
    # Needed to initially load modules
    /sbin/depmod -a
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ipt_LOG
    # Start from a clean rule set so repeated starts do not stack rules
    iptables -F
    iptables -t nat -F
    # Set default policies for packets going through this firewall box.
    # The policy lives in the filter table's FORWARD chain; the nat table
    # has no FORWARD chain, and its chains only ever see the first packet
    # of a connection, so they must stay at ACCEPT.
    iptables -P FORWARD DROP
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    # Set default policies for packets entering and leaving this box
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT ACCEPT
    # Kill spoofed packets
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    # Anything coming from our internal network should have only our addresses
    iptables -A FORWARD -i eth1 ! -s $INTERNAL_NET -j DROP
    # Anything coming from the internet should have a real internet address
    iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
    iptables -A FORWARD -i eth0 -s $INTERNAL_NET -j DROP
    # Block network filesharing protocols that aren't designed to leave the LAN.
    # Match the destination port so the connection attempt itself is dropped,
    # in either direction, not just the replies.
    # SMB/Windows filesharing
    iptables -A FORWARD -p tcp --dport 137:139 -j DROP
    iptables -A FORWARD -p udp --dport 137:139 -j DROP
    # NFS Mount Service (TCP/UDP 635)
    iptables -A FORWARD -p tcp --dport 635 -j DROP
    iptables -A FORWARD -p udp --dport 635 -j DROP
    # NFS (TCP/UDP 2049)
    iptables -A FORWARD -p tcp --dport 2049 -j DROP
    iptables -A FORWARD -p udp --dport 2049 -j DROP
    # Portmapper (TCP/UDP 111)
    iptables -A FORWARD -p tcp --dport 111 -j DROP
    iptables -A FORWARD -p udp --dport 111 -j DROP
    # Block incoming syslog, lpr, rsh, rexec..
    iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
    iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
    iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
    iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
    # With the FORWARD policy at DROP, say what is allowed through:
    # replies to existing connections, and new connections from the LAN
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -s $INTERNAL_NET -m state --state NEW -j ACCEPT
    # Transparently proxy all web-surfing through Squid box
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # Source NAT to get internet traffic through (eth0 is the outside interface)
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $INTERNET
    # Activate the forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # ------------------------------------------------------------------
    echo ": done."
    touch /var/lock/subsys/firewall
    RETVAL=0
    ;;
stop)
    echo -n "Unloading netfilter firewall: "
    # ------------------------------------------------------------------
    # Stop forwarding first so nothing slips through while the rules are
    # flushed; the FORWARD policy stays at DROP, so stopping fails closed
    echo 0 > /proc/sys/net/ipv4/ip_forward
    iptables -F
    iptables -Z
    iptables -t nat -F
    iptables -t nat -Z
    # ------------------------------------------------------------------
    # Unload any modules we loaded, dependants before the modules they need
    echo -n "modules"
    modprobe -r ipt_LOG 2> /dev/null
    modprobe -r ip_nat_ftp 2> /dev/null
    modprobe -r iptable_nat 2> /dev/null
    modprobe -r ip_conntrack_ftp 2> /dev/null
    modprobe -r ip_conntrack 2> /dev/null
    # ------------------------------------------------------------------
    echo ": done."
    rm -f /var/lock/subsys/firewall
    RETVAL=0
    ;;
restart)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
list)
    # Refuse tables that are not loaded (whole-line match, no partial names)
    grep -qx "$2" /proc/net/ip_tables_names 2> /dev/null || exit 1
    iptables -t "$2" -L
    [ -f /var/lock/subsys/firewall ] && touch /var/lock/subsys/firewall
    RETVAL=0
    ;;
listc)
    grep -qx "$2" /proc/net/ip_tables_names 2> /dev/null || exit 1
    iptables -t "$2" -L "$3"
    [ -f /var/lock/subsys/firewall ] && touch /var/lock/subsys/firewall
    RETVAL=0
    ;;
*)
    echo "Usage: $0 {start|stop|restart|list table|listc table chain}"
    RETVAL=1
    ;;
esac
exit $RETVAL
Thu, 26 Jul 2001, David Bitton wrote:
> Just post the IP's, and I'm sure we'd be more than
> happy to see if we can circumvent your firewall. (Chuckle).
>
> =====
> ----
> David B. Bitton
> proviticus@yahoo.com
>
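Kevin's chmod-and-run test shows that the script starts, but says nothing about whether the rules it loads are the intended ones, and running it for real needs root and touches the live rule set. The harness below is an added example written for this page, not code from either poster or from the netfilter project: it puts stub iptables and modprobe binaries first in PATH so an init script can be run as an ordinary user, records every iptables command line the script issues, and checks the executable bit, the syntax and the chkconfig header. The sample init script it writes, its interface names and the addresses 192.168.1.0/24 and 203.0.113.1 are constructed for the example.

```shell
#!/bin/sh
# Dry-run harness for an iptables init script. Nothing here touches the
# live rule set: stub iptables/modprobe binaries are put first in PATH and
# record their arguments, so the script runs as an ordinary user and the
# rules it would load can be inspected.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SCRIPT="$WORK/firewall"        # stands in for /etc/rc.d/init.d/firewall
RULE_LOG="$WORK/rules.log"     # one recorded iptables command line per line

# Constructed sample init script (not the one posted in the thread); the
# interfaces and addresses are made up for the example
write_sample_script() {
    cat > "$SCRIPT" <<'EOF'
#!/bin/sh
# chkconfig: 2345 11 92
# description: sample netfilter firewall
command -v iptables > /dev/null 2>&1 || exit 1
case "$1" in
start)
    modprobe ip_conntrack
    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth1 ! -s 192.168.1.0/24 -j DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 203.0.113.1
    ;;
stop)
    iptables -F
    iptables -t nat -F
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
EOF
}

# Stubs: iptables appends its argument list to RULE_LOG, modprobe is a no-op
write_stubs() {
    mkdir -p "$WORK/bin"
    cat > "$WORK/bin/iptables" <<'EOF'
#!/bin/sh
printf '%s\n' "$*" >> "$RULE_LOG"
EOF
    cat > "$WORK/bin/modprobe" <<'EOF'
#!/bin/sh
exit 0
EOF
    chmod +x "$WORK/bin/iptables" "$WORK/bin/modprobe"
}

# Static checks: the executable bit from the thread, a syntax pass, and the
# chkconfig header that lets the script be registered for boot
check_executable() { [ -x "$1" ]; }
check_syntax()     { sh -n "$1"; }
check_chkconfig()  { grep -q '^# chkconfig: ' "$1"; }

# dry_run SCRIPT ACTION: run the script with the stubs in front of PATH and
# print the iptables command lines it issued, in order
dry_run() {
    : > "$RULE_LOG"
    RULE_LOG="$RULE_LOG" PATH="$WORK/bin:$PATH" sh "$1" "$2" > /dev/null 2>&1
    cat "$RULE_LOG"
}

# count_appended SCRIPT ACTION CHAIN: number of rules appended to CHAIN
count_appended() { dry_run "$1" "$2" | grep -c -- "^-A $3 "; }

# policy_of SCRIPT ACTION CHAIN: default policy the script sets on CHAIN
policy_of() { dry_run "$1" "$2" | sed -n "s/^-P $3 //p"; }

run_checks() {
    write_sample_script
    write_stubs
    if check_executable "$SCRIPT"; then
        echo "executable: yes"
    else
        echo "executable: no, fixing with chmod +x"
        chmod +x "$SCRIPT"
    fi
    check_syntax "$SCRIPT"    && echo "syntax: ok"
    check_chkconfig "$SCRIPT" && echo "chkconfig header: present"
    echo "rules issued by start:"
    dry_run "$SCRIPT" start | sed 's/^/  iptables /'
    echo "FORWARD policy: $(policy_of "$SCRIPT" start FORWARD)"
    echo "rules appended to FORWARD: $(count_appended "$SCRIPT" start FORWARD)"
    echo "tables flushed by stop: $(dry_run "$SCRIPT" stop | grep -c -- '-F$')"
}

run_checks
```

To test a real init script instead, point SCRIPT at it, skip write_sample_script, and add stubs for anything else it calls (depmod, for instance) in the same way; the writes to /proc/sys will fail as a non-root user, but the recorded iptables lines still show exactly which rules, in which order, would reach the kernel.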