LinuxQuestions.org

Thread: Firewall (Giptables) Can't seem to work... (https://www.linuxquestions.org/questions/linux-software-2/firewall-giptables-cant-seem-to-work-228403/)

ImAnEwBiE 09-08-2004 10:13 PM

Firewall (Giptables) Can't seem to work...
 
# DEBUG
#

DEBUG="off"

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance
# Edit these to suit your system
#

MONOLITIC_KERNEL="no"

# Interface 0: This is our external network interface
# It is directly connected to Internet

INTERFACE0="eth0"
INTERFACE0_IPADDR="`/sbin/ifconfig | grep -A 4 eth0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`"
ANY_IPADDR="0/0"

# Interface 1: This is our internal network interface
# It is directly connected to our private network
INTERFACE1="eth1"
INTERFACE1_IPADDR="`/sbin/ifconfig | grep -A 4 eth1 | awk '/inet/ { print $2 } ' | sed -e s/addr://`"
ANY_IPADDR="0/0"

# Your name servers ip address

ISP_PRIMARY_DNS_SERVER="`fgrep nameserver /etc/resolv.conf | sed -n '1 p' | cut -f 2 -d ' '`"
ISP_SECONDARY_DNS_SERVER="`fgrep nameserver /etc/resolv.conf | sed -n '2 p' | cut -f 2 -d ' '`"

# SYSLOG client ip address

SYSLOG_CLIENT="d.d.d.d"

# Loopback interface

LOOPBACK_INTERFACE="lo" # Loopback interface

# Port declarations, do not change them

PRIV_PORTS="0:1023"

# Loading custom firewall rules from /etc/rc.d/rc.giptables.custom
#

LOAD_CUSTOM_RULES="yes"

# ----------------------------------------------------------------------------
# Logging
# Limit the amount of incoming dropped packets that gets sent to the logs
#

# We log & drop all the packets that are not expected. In order to avoid
# our logs beeing flooded, we rate limit the logging

# Interface 0 log dropped packets

INTERFACE0_LOG_DROPPED_PACKETS="yes"
INTERFACE0_LOG_LIMIT="5/m"
INTERFACE0_LOG_LIMIT_BURST="7"

# Interface 1 log dropped packets

INTERFACE1_LOG_DROPPED_PACKETS="yes"
INTERFACE1_LOG_LIMIT="7/m"
INTERFACE1_LOG_LIMIT_BURST="9"

# ----------------------------------------------------------------------------
# Network Ghouls
# Refuse any connection from problem sites
#

# The /etc/rc.d/rc.giptables.blocked file contains a list of ip addresses that
# will be blocked from having any kind of access to your server on all your
# interfaces if the next option is "yes"

NETWORK_GHOULS="yes"

# ----------------------------------------------------------------------------
# Syn-flood protection
# Limit the number of incoming tcp connections
#

SYN_FLOOD_PROTECTION="yes"

# Interface 0 incoming syn-flood protection
INTERFACE0_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE0_IN_TCP_CONN_LIMIT="10/s"
INTERFACE0_IN_TCP_CONN_LIMIT_BURST="20"

# Interface 1 incoming syn-flood protection

INTERFACE1_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE1_IN_TCP_CONN_LIMIT="7/s"
INTERFACE1_IN_TCP_CONN_LIMIT_BURST="11"

# ----------------------------------------------------------------------------
# Sanity check
#

SANITY_CHECK="yes"

# Make sure NEW incoming tcp connections are SYN packets

INTERFACE0_IN_DROP_NEW_WITHOUT_SYN="yes"
INTERFACE1_IN_DROP_NEW_WITHOUT_SYN="yes"

# Drop all incoming fragments
INTERFACE0_IN_DROP_ALL_FRAGMENTS="yes"
INTERFACE1_IN_DROP_ALL_FRAGMENTS="yes"

# Drop all incoming malformed XMAS packets

INTERFACE0_IN_DROP_XMAS_PACKETS="yes"
INTERFACE1_IN_DROP_XMAS_PACKETS="yes"

# Drop all incoming malformed NULL packets

INTERFACE0_IN_DROP_NULL_PACKETS="yes"
INTERFACE1_IN_DROP_NULL_PACKETS="yes"

# ----------------------------------------------------------------------------
# Spoofing and bad addresses
#

REFUSE_SPOOFING="yes"

# Refuse incoming packets claiming to be from the ip addresses of our interfaces

REFUSE_SPOOFING_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[0]="yes"

# eth1's address needs its own index: assigning [0] again here would overwrite
# the eth0 entry above, so it takes the next free index after the ranges below

REFUSE_SPOOFING_IPADDR[7]=$INTERFACE1_IPADDR
INTERFACE1_IN_REFUSE_SPOOFING[7]="yes"

# Refuse incoming packets claiming to be from broadcast-src address range

REFUSE_SPOOFING_IPADDR[1]="0.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[1]="yes"

# Refuse incoming packets claiming to be from reserved loopback address range

REFUSE_SPOOFING_IPADDR[2]="127.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[2]="yes"

# Refuse incoming packets claiming to be from class A private network

REFUSE_SPOOFING_IPADDR[3]="10.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[3]="yes"

# Refuse incoming packets claiming to be from class B private network

REFUSE_SPOOFING_IPADDR[4]="172.16.0.0/12"
INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"

# Refuse incoming packets claiming to be from class C private network

REFUSE_SPOOFING_IPADDR[5]="192.168.0.0/16"
INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"

# Refuse incoming packets claiming to be from class D, E, and unallocated

REFUSE_SPOOFING_IPADDR[6]="224.0.0.0/3"
INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"

# ****************************************************************************
# *
# A N Y *
# *
# ****************************************************************************

ACCEPT_ANY="no"

# ****************************************************************************
# *
# D N S *
# *
# ****************************************************************************

ACCEPT_DNS="yes"

# ----------------------------------------------------------------------------
# DNS outgoing client request
#

# Interface 0 DNS outgoing client request

INTERFACE0_DNS_CLIENT="yes"

INTERFACE0_DNS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[0]="no"

INTERFACE0_DNS_OUT_SRC_IPADDR[1]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[1]="no"

# ****************************************************************************
# *
# F T P *
# *
# ****************************************************************************

ACCEPT_FTP="no"

# ----------------------------------------------------------------------------
# FTP outgoing client request
#

# Interface 0 FTP outgoing client request

INTERFACE0_FTP_CLIENT="yes"

INTERFACE0_FTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
INTERFACE0_FTP_OUT_PASIVE[0]="yes"
INTERFACE0_FTP_OUT_ACTIVE[0]="no"

# ****************************************************************************
# *
# S S H *
# *
# ****************************************************************************

ACCEPT_SSH="yes"

# ----------------------------------------------------------------------------
# SSH outgoing client request
#

# Interface 0 SSH outgoing client request

INTERFACE0_SSH_CLIENT="no"

INTERFACE0_SSH_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SSH incoming client request
# Interface 0 SSH incoming client request

INTERFACE0_SSH_SERVER="yes"

INTERFACE0_SSH_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SSH_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_SSH_SERVER="yes"

INTERFACE1_SSH_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE1_SSH_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *
# T E L N E T *
# *
# ****************************************************************************

ACCEPT_TELNET="no"

# ----------------------------------------------------------------------------
# TELNET outgoing client request
#

# Interface 0 TELNET outgoing client request

INTERFACE0_TELNET_CLIENT="yes"

INTERFACE0_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
# *
# T E L N E T S *
# *
# ****************************************************************************

ACCEPT_TELNETS="no"

# ****************************************************************************
# *
# S M T P *
# *
# ****************************************************************************

ACCEPT_SMTP="yes"

# ----------------------------------------------------------------------------
# SMTP outgoing client request
#

# Interface 0 SMTP outgoing client request

INTERFACE0_SMTP_CLIENT="yes"

INTERFACE0_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

INTERFACE1_SMTP_CLIENT="yes"

INTERFACE1_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

ANY_SMTP_CLIENT="yes"

ANY_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
ANY_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
# ----------------------------------------------------------------------------
# SMTP incoming client request
#

# Interface 0 SMTP incoming client request

INTERFACE0_SMTP_SERVER="yes"

INTERFACE0_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_SMTP_SERVER="yes"

INTERFACE1_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE1_SMTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *
# S M T P S *
# *
# ****************************************************************************
ACCEPT_SMTPS="no"

# ----------------------------------------------------------------------------
# SMTPS outgoing client request
#

# Interface 0 SMTPS outgoing client request

INTERFACE0_SMTPS_CLIENT="yes"

INTERFACE0_SMTPS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTPS_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SMTPS incoming client request
#

# Interface 0 SMTPS incoming client request

INTERFACE0_SMTPS_SERVER="yes"
INTERFACE0_SMTPS_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# ****************************************************************************
# *
# Q M Q P *
# *
# ****************************************************************************

ACCEPT_QMQP="no"

# ----------------------------------------------------------------------------
# QMQP outgoing client request
#

# Interface 0 QMQP outgoing client request

INTERFACE0_QMQP_CLIENT="yes"

INTERFACE0_QMQP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_QMQP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
# *
# H T T P *
# *
# ****************************************************************************

ACCEPT_HTTP="yes"

# ----------------------------------------------------------------------------
# HTTP outgoing client request
#

# Interface 0 HTTP outgoing client request

INTERFACE0_HTTP_CLIENT="yes"

INTERFACE0_HTTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_HTTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

INTERFACE1_HTTP_CLIENT="yes"

INTERFACE1_HTTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_HTTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# HTTP incoming client request
#

# Interface 0 HTTP incoming client request

INTERFACE0_HTTP_SERVER="yes"

INTERFACE0_HTTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_HTTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 HTTP incoming client request

INTERFACE1_HTTP_SERVER="yes"

INTERFACE1_HTTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE1_HTTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *
# S Q U I D *
# *
# ****************************************************************************

ACCEPT_SQUID="yes" # Squid in Proxy-Caching Mode

Here is my configuration, friends! I just attached squid and http... I can't seem to make squid work. But when giptables is off, I can access the server as my proxy server... Hope you guys help me out! I'm a newbie in Linux, and I'm still trying to learn the tricks... y'know... God bless you all!

Thanks!
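The posted file only sets options; the iptables rules GIPTables derives from them are not shown in the thread. The script below is an added example, not part of the original post and not GIPTables' own code: it renders the spoofing, sanity-check, syn-flood, rate-limited logging and proxy-access settings above as explicit iptables commands, so the effect of each option can be read rule by rule. The translations are hand-written equivalents (an assumption about how the tool would express them), the helper names (ipt, spoof_rules, squid_rules and so on) are mine, and the Squid port 3128, the LAN range 192.168.1.0/24 and the external address 203.0.113.5 are placeholders the post does not give. Commands are printed instead of executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the post or from GIPTables): hand-written iptables
# equivalents of the posted options. Everything is printed unless DRY_RUN=0.

IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Run or print one iptables command, depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Values taken from the posted configuration
INTERFACE0=eth0                       # external interface
INTERFACE1=eth1                       # internal interface
INTERFACE0_LOG_LIMIT=5/m;  INTERFACE0_LOG_LIMIT_BURST=7
INTERFACE1_LOG_LIMIT=7/m;  INTERFACE1_LOG_LIMIT_BURST=9
INTERFACE0_IN_TCP_CONN_LIMIT=10/s; INTERFACE0_IN_TCP_CONN_LIMIT_BURST=20
INTERFACE1_IN_TCP_CONN_LIMIT=7/s;  INTERFACE1_IN_TCP_CONN_LIMIT_BURST=11

# REFUSE_SPOOFING_IPADDR[1..6] from the post (POSIX sh has no arrays)
SPOOF_RANGES="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Assumptions, not in the post: Squid's default port, an example LAN range,
# and a documentation-range placeholder for the external address.
SQUID_PORT=3128
LAN_NET=192.168.1.0/24
EXT_IP="${EXT_IP:-203.0.113.5}"

# Spoofing: drop packets arriving on an interface whose source claims our own
# address or one of the bogon ranges.
spoof_rules() {
    iface=$1; own_ip=$2
    ipt -A INPUT -i "$iface" -s "$own_ip" -j DROP
    for net in $SPOOF_RANGES; do
        ipt -A INPUT -i "$iface" -s "$net" -j DROP
    done
}

# Sanity check: NEW tcp must start with SYN; XMAS (all flags set) and NULL
# (no flags) packets and fragments are dropped, as the *_IN_DROP_* options ask.
sanity_rules() {
    iface=$1
    ipt -A INPUT -i "$iface" -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A INPUT -i "$iface" -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -i "$iface" -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -i "$iface" -f -j DROP
}

# Syn-flood: a per-interface chain that lets SYNs through at the posted rate
# (RETURN continues normal evaluation) and drops the excess.
syn_flood_rules() {
    iface=$1; limit=$2; burst=$3; chain="syn_flood_$iface"
    ipt -N "$chain"
    ipt -A "$chain" -m limit --limit "$limit" --limit-burst "$burst" -j RETURN
    ipt -A "$chain" -j DROP
    ipt -A INPUT -i "$iface" -p tcp --syn -j "$chain"
}

# Squid: only the LAN side may open connections to the proxy port; replies go back
squid_rules() {
    iface=$1; lan=$2; port=$3
    ipt -A INPUT -i "$iface" -s "$lan" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$iface" -d "$lan" -p tcp --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Rate-limited logging of whatever reaches the end of INPUT, then drop it
log_drop_rules() {
    iface=$1; limit=$2; burst=$3
    ipt -A INPUT -i "$iface" -m limit --limit "$limit" --limit-burst "$burst" \
        -j LOG --log-prefix "DROP $iface: "
    ipt -A INPUT -i "$iface" -j DROP
}

main() {
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    spoof_rules "$INTERFACE0" "$EXT_IP"
    sanity_rules "$INTERFACE0"; sanity_rules "$INTERFACE1"
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    syn_flood_rules "$INTERFACE0" "$INTERFACE0_IN_TCP_CONN_LIMIT" "$INTERFACE0_IN_TCP_CONN_LIMIT_BURST"
    syn_flood_rules "$INTERFACE1" "$INTERFACE1_IN_TCP_CONN_LIMIT" "$INTERFACE1_IN_TCP_CONN_LIMIT_BURST"
    squid_rules "$INTERFACE1" "$LAN_NET" "$SQUID_PORT"     # the accept the pasted file lacks
    log_drop_rules "$INTERFACE0" "$INTERFACE0_LOG_LIMIT" "$INTERFACE0_LOG_LIMIT_BURST"
    log_drop_rules "$INTERFACE1" "$INTERFACE1_LOG_LIMIT" "$INTERFACE1_LOG_LIMIT_BURST"
}

[ -n "$NO_MAIN" ] || main
```

Rule order is the point: everything not matched by an explicit ACCEPT reaches the log-and-drop pair at the end of INPUT, and as pasted the Squid section contains only ACCEPT_SQUID="yes" with no per-interface server entries, so nothing accepts connections to the proxy port on eth1 and the proxy works only while the firewall is off. Since the posted file sets INTERFACE1_LOG_DROPPED_PACKETS="yes", a refused proxy connection should show up in syslog as a rate-limited DROP line carrying the client's address and the proxy port, and `iptables -L INPUT -n -v` should show whether any ACCEPT for that port on eth1 exists at all.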

