How to test?

Wenzhong Chen chenw@cs.queensu.ca
Thu, 26 Jul 2001 16:31:19 -0400 (EDT)


Yes. I am so stupid that I forgot to make it executable. Now it works. But
when I try to send a request from my client machine to ftp outside, it says
no route to host. I think there is something wrong with my script or my
client setup. So I tried using the browser on the same machine with the proxy
setup removed, and then connected to the internet. But I cannot see any
record in squid's access file. Could you please help me look at my script to
find what is wrong? Thanks.

James

On Thu, 26 Jul 2001, David Bitton wrote:

> if you have init.d, then you need to do an update-rc.d
> to add that script in the list of startup scripts. 
> also, do a chmod 755 for the script so it'll have
> execute rights.
> 
> --- Wenzhong Chen <chenw@cs.queensu.ca> wrote:
> > Actually I am a newbie here. I just amended someone's script and am
> > trying to make it work. I am posting my script here, because I can see
> > that all files in init.d are green except my firewall file. I am afraid
> > it is not started. I restarted the machine and it still does not turn
> > green. Could somebody help me?
> > Thank you very much!
> > 
> > James
> > 
> > 
> > #!/bin/sh
> > #
> > # This script contains the complete netfilter firewall
> > # for this network. This firewall is designed to be run
> > # 24 hours a day for full protection.
> > #
> > # chkconfig: 2345 11 92
> > # description:  Contains the complete netfilter \
> > #		firewall for this network.
> > 
> > export PATH=$PATH:/usr/local/bin:/usr/local/sbin
> > [ ! -f `which iptables` ] && exit 1
> > 
> > 
> > CHAIN=
> > RETVAL=
> > INTERNAL_NET=x.x.x.0/24
> > INTERNAL_IP=x.x.x.x
> > INTERNET=x.x.x.x
> > 
> > 
> > # Now, see how we were called
> > case "$1" in
> > 	start)
> > 		echo -n "Loading netfilter firewall: "
> > 	
> > 		# Load any required modules
> > 		echo -n "modules "
> > 		
> >                 #Needed to initially load modules
> >                 /sbin/depmod -a
> > 
> > 		modprobe ip_conntrack
> > 		modprobe ip_conntrack_ftp
> > 		modprobe iptable_nat
> > 		modprobe ip_nat_ftp
> > 		modprobe ipt_LOG
> > 
> >                 #Set default policies for packets going through this firewall box
> > 
> >                 iptables -t nat -P PREROUTING DROP
> >                 iptables -t nat -P POSTROUTING DROP
> >                 iptables -t nat -P FORWARD DROP
> > 
> >                 #Set default policies for packet entering this box
> > 
> >                 iptables -P OUTPUT ACCEPT
> >                 iptables -P INPUT  ACCEPT
> > 
> >                 #kill spoofed packets
> > 
> >                 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >                      echo 1 > $f
> >                 done
> > 
> >                 #Anything coming from our internal network should have only our addresses
> > 
> >                 iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP
> > 
> >                 #Anything coming from the internet should have a real internet address
> >                 iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> >                 iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
> >                 iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
> >                 iptables -A FORWARD -i eth0 -s x.x.x.x/24 -j DROP
> > 
> >                 #block outgoing network filesharing protocols that aren't designed to leave the LAN
> >                 #SMB/Windows filesharing
> >                 iptables -A FORWARD -p tcp --sport 137:139 -j DROP
> >                 iptables -A FORWARD -p udp --sport 137:139 -j DROP
> > 
> >                 #NFS Mount Service (TCP/UDP 635)
> >                 iptables -A FORWARD -p tcp --sport 635 -j DROP
> >                 iptables -A FORWARD -p udp --sport 635 -j DROP
> > 
> >                 #NFS (TCP/UDP 2049)
> >                 iptables -A FORWARD -p tcp --sport 2049 -j DROP
> >                 iptables -A FORWARD -p udp --sport 2049 -j DROP
> > 
> >                 #Portmapper (TCP/UDP 111)
> >                 iptables -A FORWARD -p tcp --sport 111 -j DROP
> >                 iptables -A FORWARD -p udp --sport 111 -j DROP
> > 
> >                 #Block incoming syslog, lpr, rsh, rexec..
> >                 iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
> >                 iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
> >                 iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
> >                 iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
> > 
> >                 #Transparently proxy all web-surfing through Squid box
> >                 iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > 
> >                 #Source NAT to get internet traffic through
> >                 iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET
> > 
> >                 #Activate the forwarding
> >                 echo 1 > /proc/sys/net/ipv4/ip_forward
> > 		#--------------------------------------------------------------------#
> > 		echo ": done."
> > 		
> > 		touch /var/lock/subsys/firewall
> > 		RETVAL=0
> > 		;;
> > 	stop)
> > 		echo -n "Unloading netfilter firewall: "
> > 				
> > 		#--------------------------------------------------------------------#
> > 	
> > 	
> > 		CHAIN=PREROUTING
> > 		iptables -t nat -F $CHAIN
> > 		
> > 		CHAIN=OUTPUT
> > 		iptables -t nat -F $CHAIN
> > 		
> > 		CHAIN=POSTROUTING
> > 		iptables -t nat -F $CHAIN
> > 		
> > 		iptables -t nat -Z
> > 
> > 		#--------------------------------------------------------------------#
> > 		# Unload any modules we loaded
> > 		echo -n "modules"
> > 		modprobe -r ipt_LOG 2> /dev/null
> > 		modprobe -r iptable_nat 2> /dev/null
> > 		modprobe -r ip_nat_ftp 2> /dev/null
> > 		modprobe -r ip_conntrack_ftp 2> /dev/null
> > 		modprobe -r ip_conntrack 2> /dev/null
> > 
> > 		#--------------------------------------------------------------------#
> > 		echo ": done."
> > 		
> > 		rm -f /var/lock/subsys/firewall
> > 		RETVAL=0
> > 		;;
> > 	restart)
> > 		$0 stop
> > 		$0 start
> > 		
> > 		touch /var/lock/subsys/firewall
> > 		RETVAL=0
> > 		;;
> > 	list)
> > 		[ ! `grep $2 /proc/net/ip_tables_names` ] && exit 1
> > 
> === message truncated ===
> 
> 
> =====
> ----
> David B. Bitton
> proviticus@yahoo.com
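As an added example, not the poster's script, here is the start half of the quoted ruleset with the three defects a reviewer would flag fixed: the nat-table DROP policies (and the nonexistent nat FORWARD chain), the missing default-deny FORWARD policy in the filter table, and SNAT applied on the LAN interface instead of the internet one. It assumes what the script's own rules imply, eth0 towards the internet and eth1 towards the LAN, and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: the "start" half of the quoted
# firewall with its three defects fixed. Assumptions taken from the script's
# own rules: eth0 faces the internet, eth1 the LAN, Squid listens on 3128 here.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT=${IPT:-iptables}
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}    # placeholder for x.x.x.0/24
INTERNET=${INTERNET:-203.0.113.2}               # placeholder public address

# Writes 1 to a sysctl file; a silent no-op when not root or in a dry run.
set_one() { [ -w "$1" ] && echo 1 > "$1"; return 0; }

fw_start() {
    # 1. The nat table has only PREROUTING, OUTPUT and POSTROUTING (no FORWARD),
    #    and its policies must stay ACCEPT: a DROP policy there discards the
    #    first packet of every connection that no nat rule matches, which is
    #    what breaks ftp and every other non-port-80 session.
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT

    # 2. Default-deny forwarding in the filter table (the original never set a
    #    FORWARD policy, so anything not explicitly dropped was forwarded).
    $IPT -P FORWARD DROP

    # Anti-spoofing, kept from the original, placed before any ACCEPT rule
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do set_one "$f"; done
    $IPT -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
    $IPT -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
    $IPT -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP

    # Allow LAN-originated sessions towards the internet and their replies
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth1 -s "$INTERNAL_NET" -o eth0 -m state --state NEW -j ACCEPT

    # Transparent proxy of LAN web traffic into Squid on this box (unchanged)
    $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    # 3. SNAT belongs on the interface packets leave towards the internet. The
    #    original used -o eth1, which rewrites traffic going back into the LAN.
    $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "$INTERNET"

    set_one /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in start) fw_start ;; esac
```

Run it with IPT="echo iptables" first to review the generated rules before loading them on the gateway.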