My Personal Firewall and IP Masquerading Howto
First read the official IP Masquerade HOWTO and the Firewall HOWTO.
What follows are simply the scripts that I use. They are written for ipfwadm, the Linux 2.0 packet-filter tool, and will not work unchanged on kernels that use ipchains or iptables.
The first script covers my PPP connection to my ISP (a single host that does no forwarding).
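#!/bin/sh
# Host firewall for a machine whose Internet link is ppp0 (ipfwadm,
# Linux 2.0 packet filter).  Requires the RedHat Linux network config
# scheme: NETWORK and NETMASK are read from ifcfg-eth0.
#
# hw/sw:  lo, eth0 (internal LAN) and ppp0 (ISP link) devices
# applic: sleep sed awk ipfwadm ifconfig
#
# Usage:  $0 1   enable the filter (default policy: deny on all chains)
#         $0 0   disable the filter (default policy: accept, rules flushed)
#
# Limitations a practitioner should be aware of:
#  * The filter is stateless.  "Replies" are approximated with -k (TCP ACK
#    bit set), so any packet with ACK set coming from the listed service
#    ports reaches the unprivileged ports on ppp0 (e.g. for ACK scans).
#  * The inbound ftp-data rule carries no -k because active FTP opens the
#    data connection from the server (source port 20).  Any remote host can
#    pick source port 20, so that rule admits NEW connections to ports
#    1024:65535 on ppp0.  Use passive FTP and drop the rule if that matters.
#  * No ICMP passes in either direction: ping and path-MTU discovery will
#    not work for this host while the filter is enabled.
#  * "0" flushes everything and sets accept policies: the host is then
#    completely open on ppp0.

# ifaddr IFACE: print the IPv4 address ifconfig shows for IFACE, or nothing
# when the interface is absent or has no address (e.g. ppp0 still dialling).
ifaddr() {
    /sbin/ifconfig "$1" | sed -n -e 's/inet addr://p' | awk '{print $1}'
}

case "$1" in
1)
    echo "Enabling packet filtering firewall"
    # At boot ppp0 usually has no address yet; give the dial-up time to
    # come up before its address is read below.
    sleep 38

    # Variable declarations (ifcfg-eth0 supplies NETWORK and NETMASK).
    . /etc/sysconfig/network-scripts/ifcfg-eth0
    IFINTERN=$(ifaddr eth0)
    IFEXTERN=$(ifaddr ppp0)
    IFLOOP=$(ifaddr lo)
    UNPRIVPORTS="1024:65535"
    ANYWHERE="any/0"

    # Select default policies BEFORE anything else so that a failure further
    # down leaves the host closed rather than open.
    ipfwadm -F -p deny
    ipfwadm -I -p deny
    ipfwadm -O -p deny
    # Flush (get rid of) the old rules; the policies just set remain.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

    # Fail closed.  With an empty address ipfwadm would reject the rules
    # below (or mis-parse the remaining arguments), silently producing a
    # ruleset different from the one intended.
    if [ -z "$IFINTERN" ] || [ -z "$IFEXTERN" ] || [ -z "$IFLOOP" ] \
       || [ -z "$NETWORK" ] || [ -z "$NETMASK" ]; then
        echo "$0: interface address or NETWORK/NETMASK missing;" \
             "leaving default policy deny in place" >&2
        exit 1
    fi

    # Refuse spoofed packets: nothing arriving on ppp0 may claim to come
    # from the internal network or from our own external address.
    # The netmask is required: a bare $NETWORK would match only that single
    # address, not the whole internal network (same form as the sibling
    # masquerading scripts).
    ipfwadm -I -a deny -V "$IFEXTERN" -S "$NETWORK/$NETMASK"
    ipfwadm -I -a deny -V "$IFEXTERN" -S "$IFEXTERN"
    # Allow any traffic on the internal LAN interface.
    ipfwadm -I -a accept -V "$IFINTERN"
    ipfwadm -O -a accept -V "$IFINTERN"
    # Allow any traffic on the loopback interface.
    ipfwadm -I -a accept -V "$IFLOOP"
    ipfwadm -O -a accept -V "$IFLOOP"

    # Access to the Internet from this machine.
    # Outgoing packets: from our unprivileged ports to the listed services.
    ipfwadm -O -a accept -P tcp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE nntp ftp ftp-data http domain telnet
    ipfwadm -O -a accept -P udp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE domain
    # Incoming packets: replies from those services (ACK bit required).
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE nntp ftp http domain telnet \
        -D "$IFEXTERN" $UNPRIVPORTS
    # Active-FTP data connections: no -k, see the header for the risk.
    ipfwadm -I -a accept -P tcp \
        -S $ANYWHERE ftp-data -D "$IFEXTERN" $UNPRIVPORTS
    # DNS replies.
    ipfwadm -I -a accept -P udp \
        -S $ANYWHERE domain -D "$IFEXTERN" $UNPRIVPORTS
    ;;
0)
    echo "Disabling packet filtering firewall"
    # Flush all rules, open every chain, then list the (empty) result.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f
    ipfwadm -F -p accept
    ipfwadm -I -p accept
    ipfwadm -O -p accept
    ipfwadm -F -l
    ipfwadm -I -l
    ipfwadm -O -l
    ;;
*)
    # Non-zero exit on a usage error, consistent with the other scripts.
    echo "Usage: $0 {1|0}"
    exit 1
esac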
The second script contains the settings for a forwarding machine acting as a router (plain forwarding, no masquerading).
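#!/bin/sh
# Packet filter for a forwarding machine acting as a router between the
# local network and the Internet (ipfwadm, Linux 2.0).  Addresses are
# hard-coded here; adjust LOCALNET/IFEXTERN/IFINTERN for your site.
#
# This firewall lets everything defined below through FROM the local
# network, but nothing from the firewall host itself: the input and output
# chains default to deny and no rule accepts the host's own addresses.
# NOTE(review): that presumably also blocks loopback traffic on this host
# (the sibling scripts add explicit accept rules for the lo address) -
# confirm before running local services on the firewall.
#
# There is no masquerading (-m) here: packets are forwarded unchanged, so
# the Internet side must be able to route replies back to $LOCALNET.
#
# Limitations: stateless filter (replies approximated with -k, TCP ACK bit
# set); the ftp-data rules without -k admit new connections from any host
# that uses source port 20 to the unprivileged ports of the local network;
# no ICMP passes unless the commented block below is enabled.

LOCALHOST="intranet.nova2"
LOCALNET="199.100.199.0/24"
IFEXTERN="192.1.1.1"
IFINTERN="199.100.199.4"
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"

# ====== Basic rules.
# Sure we're paranoid, but are we paranoid enough?
# Set the deny policies first so that a later failure leaves the box closed.
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny
# Flush all other rules (the policies remain).
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f

# Refuse spoofed packets: nothing on the external interface may claim a
# local-network source address or our own external address.
ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET
ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN

# Unlimited traffic within the local network.
ipfwadm -I -a accept -V $IFINTERN
ipfwadm -O -a accept -V $IFINTERN

# Unlimited ICMP traffic (not recommended).
#ipfwadm -I -a accept -P icmp
#ipfwadm -O -a accept -P icmp
#ipfwadm -F -a accept -P icmp

# ====== External use of our system.
#
# Public access for e-mail, ftp, WWW, and DNS (disabled).
#ipfwadm -I -a accept -P tcp \
# -D $LOCALHOST smtp ftp www domain
#ipfwadm -I -a accept -P udp -D $LOCALHOST domain
#ipfwadm -I -a accept -k -P tcp \
# -D $LOCALHOST ftp-data
#ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp ftp \
# ftp-data www domain
#ipfwadm -O -a accept -P udp -S $LOCALHOST domain
#
# ====== Internal use of the Internet.
#
# Each service is mirrored in the output, forwarding and input chains,
# since a forwarded packet has to pass all three.
#
# Outgoing packets.
ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
    -D $ANYWHERE ftp ftp-data www telnet domain
ipfwadm -O -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
    -D $ANYWHERE domain
ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
    -D $ANYWHERE ftp ftp-data www telnet domain
ipfwadm -F -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
    -D $ANYWHERE domain
# Incoming packets (replies; -k requires the TCP ACK bit to be set).
ipfwadm -I -a accept -k -P tcp \
    -S $ANYWHERE ftp www telnet domain \
    -D $LOCALNET $UNPRIVPORTS
# Active-FTP data connections: no -k possible, see the header for the risk.
ipfwadm -I -a accept -P tcp \
    -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
ipfwadm -I -a accept -P udp \
    -S $ANYWHERE domain -D $LOCALNET $UNPRIVPORTS
# "domain" is listed here too: the outgoing forward rule allows TCP DNS
# queries, and without it the replies would pass the input chain only to
# be dropped by the forwarding chain's deny policy.
ipfwadm -F -a accept -k -P tcp \
    -S $ANYWHERE ftp www telnet domain \
    -D $LOCALNET $UNPRIVPORTS
ipfwadm -F -a accept -P tcp \
    -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
ipfwadm -F -a accept -P udp \
    -S $ANYWHERE domain -D $LOCALNET $UNPRIVPORTS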
The third script is the one that uses IP masquerading instead of plain forwarding (Ethernet on both sides: eth0 internal, eth1 external).
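#!/bin/sh
# Masquerading firewall for a machine with two Ethernet interfaces: eth0 on
# the internal LAN, eth1 towards the Internet (ipfwadm, Linux 2.0).
# Requires the RedHat Linux network config scheme: NETWORK and NETMASK are
# read from ifcfg-eth0 and define the network that gets masqueraded.
#
# hw/sw:  lo, eth0 (internal) and eth1 (external) devices
# applic: sleep sed awk ipfwadm ifconfig lsmod insmod rmmod
#
# Usage:  $0 1   enable the filter and masquerading (default policy deny)
#         $0 0   disable it (default policy accept, all rules flushed)
#
# Limitations a practitioner should be aware of:
#  * Stateless filter: inbound "replies" are approximated with -k (TCP ACK
#    bit set); any packet with ACK set from the listed service ports reaches
#    the unprivileged ports of eth1.
#  * The inbound ftp-data rule has no -k (active FTP connects from server
#    port 20), so any host using source port 20 may open new connections to
#    ports 1024:65535 on eth1.
#  * No ICMP passes in either direction (no ping, no path-MTU discovery).
#  * "0" leaves the host and the forwarding path completely open.

# ifaddr IFACE: print the IPv4 address ifconfig shows for IFACE, or nothing
# if the interface is absent or unconfigured.
ifaddr() {
    /sbin/ifconfig "$1" | sed -n -e 's/inet addr://p' | awk '{print $1}'
}

# masq_ftp_loaded: succeed if ip_masq_ftp appears in lsmod.
masq_ftp_loaded() {
    [ -n "$(lsmod | awk '$1 == "ip_masq_ftp"')" ]
}

# masq_ftp_unused: succeed if ip_masq_ftp is loaded with a use count of 0
# (third lsmod column).  A bare "grep ip_masq_ftp.*0" would also match a
# 0 anywhere in the size column.
masq_ftp_unused() {
    [ -n "$(lsmod | awk '$1 == "ip_masq_ftp" && $3 == 0')" ]
}

case "$1" in
1)
    echo "Enabling packet filtering firewall"
    #sleep 30
    # Load the FTP masquerading helper; without it active FTP from the
    # masqueraded network cannot work.  A failed load is reported but does
    # not stop the filter from being installed.
    if ! masq_ftp_loaded; then
        insmod ip_masq_ftp || \
            echo "$0: warning: cannot load ip_masq_ftp; active FTP through the masquerade will fail" >&2
    fi

    # Variable declarations (ifcfg-eth0 supplies NETWORK and NETMASK).
    . /etc/sysconfig/network-scripts/ifcfg-eth0
    IFINTERN=$(ifaddr eth0)
    IFEXTERN=$(ifaddr eth1)
    IFLOOP=$(ifaddr lo)
    UNPRIVPORTS="1024:65535"
    ANYWHERE="any/0"

    # Select default policies first so that a failure further down leaves
    # the host closed rather than open.
    ipfwadm -F -p deny
    ipfwadm -I -p deny
    ipfwadm -O -p deny
    # Flush (get rid of) the old rules; the policies just set remain.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

    # Fail closed: an empty address would make ipfwadm reject or mis-parse
    # the rules below, silently installing a different ruleset.
    if [ -z "$IFINTERN" ] || [ -z "$IFEXTERN" ] || [ -z "$IFLOOP" ] \
       || [ -z "$NETWORK" ] || [ -z "$NETMASK" ]; then
        echo "$0: interface address or NETWORK/NETMASK missing;" \
             "leaving default policy deny in place" >&2
        exit 1
    fi

    # Refuse spoofed packets: nothing arriving on eth1 may claim to come
    # from the internal network or from our own external address.
    ipfwadm -I -a deny -V "$IFEXTERN" -S "$NETWORK/$NETMASK"
    ipfwadm -I -a deny -V "$IFEXTERN" -S "$IFEXTERN"
    # Allow any traffic on the internal LAN interface.
    ipfwadm -I -a accept -V "$IFINTERN"
    ipfwadm -O -a accept -V "$IFINTERN"
    # Allow any traffic on the loopback interface.
    ipfwadm -I -a accept -V "$IFLOOP"
    ipfwadm -O -a accept -V "$IFLOOP"

    # Access to the Internet from this machine.
    # Outgoing packets: from our unprivileged ports to the listed services.
    ipfwadm -O -a accept -P tcp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE \
        nntp ftp ftp-data http domain telnet smtp pop
    ipfwadm -O -a accept -P udp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE domain
    # Incoming packets: replies from those services (ACK bit required).
    # Keep the space before the backslash: "pop\" glued to an unindented
    # continuation line would hand ipfwadm the token "pop-D".
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE nntp ftp http domain telnet smtp pop \
        -D "$IFEXTERN" $UNPRIVPORTS
    # Active-FTP data connections: no -k, see the header for the risk.
    ipfwadm -I -a accept -P tcp \
        -S $ANYWHERE ftp-data -D "$IFEXTERN" $UNPRIVPORTS
    # DNS replies.
    ipfwadm -I -a accept -P udp \
        -S $ANYWHERE domain -D "$IFEXTERN" $UNPRIVPORTS

    # Forwarding / masquerading section: -m rewrites the source of packets
    # from the internal network to our external address.  Only the listed
    # services are masqueraded; the source is restricted to NETWORK/NETMASK
    # so the box never masquerades for anything else.
    ipfwadm -F -a accept -m -P tcp -S "$NETWORK/$NETMASK" \
        -D $ANYWHERE \
        nntp ftp ftp-data http domain telnet smtp pop
    ipfwadm -F -a accept -m -P udp -S "$NETWORK/$NETMASK" \
        -D $ANYWHERE domain
    ;;
0)
    echo "Disabling packet filtering firewall"
    # Flush all rules, open every chain, then list the (empty) result.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f
    ipfwadm -F -p accept
    ipfwadm -I -p accept
    ipfwadm -O -p accept
    ipfwadm -F -l
    ipfwadm -I -l
    ipfwadm -O -l
    # Unload the FTP masquerading helper if nothing is using it any more.
    if masq_ftp_unused; then
        rmmod ip_masq_ftp
    fi
    ;;
*)
    echo "Usage: $0 {1|0}"
    exit 1
esac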
A more user-friendly version of the IP masquerading script (ppp0 as the external link). It additionally lets this host and the masqueraded network reach any unprivileged TCP port, e.g. web servers on non-standard ports.
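#!/bin/sh
# Masquerading firewall for a machine with eth0 on the internal LAN and a
# ppp0 dial-up link to the Internet (ipfwadm, Linux 2.0).  Requires the
# RedHat Linux network config scheme: NETWORK and NETMASK are read from
# ifcfg-eth0 and define the network that gets masqueraded.
#
# hw/sw:  lo, eth0 (internal) and ppp0 (external) devices
# applic: sleep sed awk ipfwadm ifconfig lsmod insmod rmmod
#
# Usage:  $0 1   enable the filter and masquerading (default policy deny)
#         $0 0   disable it (default policy accept, all rules flushed)
#
# Limitations a practitioner should be aware of:
#  * Stateless filter: inbound "replies" are approximated with -k (TCP ACK
#    bit set).  Because of the "spec http" rules below, ANY ACK-flagged
#    packet from an unprivileged port reaches the unprivileged ports of
#    ppp0, not just packets from the listed services.
#  * The inbound ftp-data rule has no -k (active FTP connects from server
#    port 20), so any host using source port 20 may open new connections to
#    ports 1024:65535 on ppp0.
#  * The masquerade rule lets every internal host reach any unprivileged
#    TCP port on the Internet, not only the named services.
#  * No ICMP passes in either direction (no ping, no path-MTU discovery).
#  * "0" leaves the host and the forwarding path completely open.

# ifaddr IFACE: print the IPv4 address ifconfig shows for IFACE, or nothing
# if the interface is absent or unconfigured (e.g. ppp0 still dialling).
ifaddr() {
    /sbin/ifconfig "$1" | sed -n -e 's/inet addr://p' | awk '{print $1}'
}

# masq_ftp_loaded: succeed if ip_masq_ftp appears in lsmod.
masq_ftp_loaded() {
    [ -n "$(lsmod | awk '$1 == "ip_masq_ftp"')" ]
}

# masq_ftp_unused: succeed if ip_masq_ftp is loaded with a use count of 0
# (third lsmod column).  A bare "grep ip_masq_ftp.*0" would also match a
# 0 anywhere in the size column.
masq_ftp_unused() {
    [ -n "$(lsmod | awk '$1 == "ip_masq_ftp" && $3 == 0')" ]
}

case "$1" in
1)
    echo "Enabling packet filtering firewall"
    # At boot ppp0 usually has no address yet; give the dial-up time to
    # come up before its address is read below.
    sleep 38
    # Load the FTP masquerading helper; without it active FTP from the
    # masqueraded network cannot work.  A failed load is reported but does
    # not stop the filter from being installed.
    if ! masq_ftp_loaded; then
        insmod ip_masq_ftp || \
            echo "$0: warning: cannot load ip_masq_ftp; active FTP through the masquerade will fail" >&2
    fi

    # Variable declarations (ifcfg-eth0 supplies NETWORK and NETMASK).
    . /etc/sysconfig/network-scripts/ifcfg-eth0
    IFINTERN=$(ifaddr eth0)
    IFEXTERN=$(ifaddr ppp0)
    IFLOOP=$(ifaddr lo)
    UNPRIVPORTS="1024:65535"
    ANYWHERE="any/0"

    # Select default policies first so that a failure further down leaves
    # the host closed rather than open.
    ipfwadm -F -p deny
    ipfwadm -I -p deny
    ipfwadm -O -p deny
    # Flush (get rid of) the old rules; the policies just set remain.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

    # Fail closed: an empty address would make ipfwadm reject or mis-parse
    # the rules below, silently installing a different ruleset.
    if [ -z "$IFINTERN" ] || [ -z "$IFEXTERN" ] || [ -z "$IFLOOP" ] \
       || [ -z "$NETWORK" ] || [ -z "$NETMASK" ]; then
        echo "$0: interface address or NETWORK/NETMASK missing;" \
             "leaving default policy deny in place" >&2
        exit 1
    fi

    # Refuse spoofed packets: nothing arriving on ppp0 may claim to come
    # from the internal network or from our own external address.
    ipfwadm -I -a deny -V "$IFEXTERN" -S "$NETWORK/$NETMASK"
    ipfwadm -I -a deny -V "$IFEXTERN" -S "$IFEXTERN"
    # Refuse connections from the outside to X11 on this host.  Display :n
    # listens on TCP 6000+n, so cover displays :0-:63 rather than only :0.
    # This must stay ahead of the generic unprivileged-port accept rules
    # below (ipfwadm matches rules in order).
    ipfwadm -I -a deny -P tcp -V "$IFEXTERN" -S $ANYWHERE -D $ANYWHERE 6000:6063
    # Allow any traffic on the internal LAN interface.
    ipfwadm -I -a accept -V "$IFINTERN"
    ipfwadm -O -a accept -V "$IFINTERN"
    # Allow any traffic on the loopback interface.
    ipfwadm -I -a accept -V "$IFLOOP"
    ipfwadm -O -a accept -V "$IFLOOP"

    # Access to the Internet from this machine.
    # Outgoing packets: from our unprivileged ports to the listed services.
    ipfwadm -O -a accept -P tcp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE \
        nntp ftp ftp-data http domain telnet smtp pop
    # "spec http": web servers on non-standard ports (8080 and the like).
    # This opens every unprivileged TCP port anywhere as a destination.
    ipfwadm -O -a accept -P tcp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE $UNPRIVPORTS
    ipfwadm -O -a accept -P udp -S "$IFEXTERN" $UNPRIVPORTS \
        -D $ANYWHERE domain
    # Incoming packets: replies from those services (ACK bit required).
    # Keep the space before the backslash: "pop\" glued to an unindented
    # continuation line would hand ipfwadm the token "pop-D".
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE nntp ftp http domain telnet smtp pop \
        -D "$IFEXTERN" $UNPRIVPORTS
    # "spec http" replies: any ACK-flagged packet from an unprivileged port
    # to an unprivileged port on ppp0 is accepted - the X11 deny rule above
    # presumably exists to close the most sensitive hole this leaves.
    ipfwadm -I -a accept -k -P tcp \
        -S $ANYWHERE $UNPRIVPORTS \
        -D "$IFEXTERN" $UNPRIVPORTS
    # Active-FTP data connections: no -k, see the header for the risk.
    ipfwadm -I -a accept -P tcp \
        -S $ANYWHERE ftp-data -D "$IFEXTERN" $UNPRIVPORTS
    # DNS replies.
    ipfwadm -I -a accept -P udp \
        -S $ANYWHERE domain -D "$IFEXTERN" $UNPRIVPORTS

    # Forwarding / masquerading section: -m rewrites the source of packets
    # from the internal network to our external address.  The source is
    # restricted to NETWORK/NETMASK so the box never masquerades for anyone
    # else; $UNPRIVPORTS in the destination list lets internal hosts reach
    # any unprivileged TCP port, not just the named services.
    ipfwadm -F -a accept -m -P tcp -S "$NETWORK/$NETMASK" \
        -D $ANYWHERE \
        nntp ftp ftp-data http domain telnet smtp pop $UNPRIVPORTS
    ipfwadm -F -a accept -m -P udp -S "$NETWORK/$NETMASK" \
        -D $ANYWHERE domain
    ;;
0)
    echo "Disabling packet filtering firewall"
    # Flush all rules, open every chain, then list the (empty) result.
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f
    ipfwadm -F -p accept
    ipfwadm -I -p accept
    ipfwadm -O -p accept
    ipfwadm -F -l
    ipfwadm -I -l
    ipfwadm -O -l
    # Unload the FTP masquerading helper if nothing is using it any more.
    if masq_ftp_unused; then
        rmmod ip_masq_ftp
    fi
    ;;
*)
    echo "Usage: $0 {1|0}"
    exit 1
esac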