Slackware This Forum is for the discussion of Slackware Linux.
02-17-2004, 10:59 PM | #1 | LQ Newbie | Registered: Aug 2003 | Location: Australia mate | Distribution: Slackware 9.1 | Posts: 23
Simple firewall script. pls help
Hi,
I've been having a bit of trouble getting my firewall to work correctly. I was wondering if anyone had a script I could use.
What I'm looking for is a script which has a simple masquerade statement to share my connection ppp0 from my Linux box 192.168.1.1 to my Windows box 192.168.1.2 on eth0, with all the usual stuff, and leave port 22 open for SSH. Here's what I've got, any suggestions? It comes up with errors when I add it to rc.M.
I did the chmod a+x for execution.
Thx guys
#!/bin/sh
echo Firewall Starting...
#set TCP/IP stack options
#Reverse-path filtering: drop packets whose source address would not be routed back out the interface they arrived on (anti-spoofing)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Turn on routing between eth0 and ppp0; MASQUERADE does nothing without this
echo 1 > /proc/sys/net/ipv4/ip_forward
#Flush all chains
/sbin/iptables -F
/sbin/iptables -Z
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F PREROUTING
#Set default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
#Loopback: the final DROP below would otherwise kill local connections to 127.0.0.1
/sbin/iptables -A INPUT -i lo -j ACCEPT
#Accept any connections from lan. The LAN is 192.168.1.0/24 (a /16 on 192.168.1.0 means all of 192.168.0.0/16);
#tying the rule to eth0 means a packet arriving on ppp0 with a forged 192.168.1.x source is not trusted
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
#ICMP
#/sbin/iptables -A INPUT -p icmp -j ACCEPT
#SSH. The option is --dport (two dashes); "-dport 22" is parsed as -d with argument "port" and is what made iptables error out
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow packets from established connections in
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
#drop any other attempted connections. The prefix is printed verbatim followed by "IN=", so give it a trailing space
/sbin/iptables -A INPUT -j LOG --log-prefix "DROPPED PACKET: "
/sbin/iptables -A INPUT -j DROP
#masquerade for lan. POSTROUTING has no input interface, so -i is rejected there ("Can't use -i with POSTROUTING");
#match the LAN source address instead so only LAN traffic is masqueraded out ppp0
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
echo Firewall Started
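Added example, not code from any post in this thread: the LOG rule in the script above is only useful if somebody reads what it writes to the kernel log, so here is a small sh/awk summariser that ranks dropped packets by source address and by protocol/destination port. The log lines are constructed for this example using RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x); they show the prefix as `DROPPED PACKETIN=ppp0` because the rule as posted has no trailing space after the prefix, which is why the helpers key off the `SRC=`, `PROTO=` and `DPT=` tokens rather than on field positions. The host name `slack` and the sshd line are likewise made up.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel-log lines written by
#   iptables -A INPUT -j LOG --log-prefix "DROPPED PACKET"
# Sample lines are CONSTRUCTED for this example (RFC 5737 addresses); on a real
# box pipe in /var/log/messages or `dmesg` instead.
SAMPLE_LOG='Feb 17 23:05:12 slack kernel: DROPPED PACKETIN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=23410 DF PROTO=TCP SPT=3721 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 23:05:13 slack kernel: DROPPED PACKETIN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=23411 DF PROTO=TCP SPT=3722 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 23:05:19 slack kernel: DROPPED PACKETIN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=23412 DF PROTO=TCP SPT=3723 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 23:06:02 slack kernel: DROPPED PACKETIN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 17 23:06:40 slack kernel: DROPPED PACKETIN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=80 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 17 23:07:01 slack sshd[1234]: Accepted publickey for wags from 192.168.1.2 port 51515 ssh2'

# print the value of KEY= from every log line on stdin, one value per line
field() {
    sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# keep only the firewall's own lines (matches with or without the trailing space)
dropped_only() {
    grep 'DROPPED PACKET'
}

# rank source addresses by dropped-packet count, busiest first: "<count> <ip>"
top_sources() {
    dropped_only | field SRC | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# rank protocol/destination-port pairs the same way: "<count> TCP/135"
top_ports() {
    dropped_only \
        | awk '{ p = ""; d = "";
                 for (i = 1; i <= NF; i++) {
                     if ($i ~ /^PROTO=/) p = substr($i, 7);
                     if ($i ~ /^DPT=/)   d = substr($i, 5);
                 }
                 if (p != "" && d != "") print p "/" d }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# full report over whatever is on stdin
report() {
    log=$(cat)
    echo "== dropped packets by source =="
    printf '%s\n' "$log" | top_sources
    echo "== dropped packets by protocol/port =="
    printf '%s\n' "$log" | top_ports
}

# when run directly, report on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | report
```

On a live box `dmesg | report` or `grep 'DROPPED PACKET' /var/log/messages | top_sources` does the same job after sourcing the file. Note that an unthrottled LOG rule lets anyone who can send you packets fill your log partition; `-m limit --limit 5/min --limit-burst 10` in front of the LOG target is the usual fix.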
02-17-2004, 11:12 PM | #2 | Member | Registered: Sep 2003 | Location: Dallas, TX. | Distribution: Slacking since '94 | Posts: 153
Sure! Here's one. Enjoy
02-17-2004, 11:19 PM | #3 | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
Here's an rc.firewall that I made.
I didn't leave port 22 open. I forward it to my Linux box and then I can ssh from there to my router if I need to. Hope it helps!
Code:
#!/bin/bash
#
# stops and starts the firewall definitions
EXTERNAL=eth0
INTERNAL=eth1
# internal hosts that receive forwarded ports. 172.16.0.0/12 is the RFC 1918
# private range; the 176.16.x.x addresses in the original are public address
# space (a typo), so DNAT would have sent traffic to someone else's network.
SSH_HOST=172.16.1.2
VNC_HOST=172.16.1.3
VNC_CLIENT=216.76.29.66

firewall_start() {
    echo "Starting Firewall..."
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/conf/$EXTERNAL/rp_filter
    # MASQUERADE and DNAT do nothing unless the kernel routes between interfaces
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # clean slate, so running "start" twice does not append duplicate rules
    iptables -F
    iptables -t nat -F
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "! -i" is the current negation syntax; the older "-i !" form still works but is deprecated
    iptables -A FORWARD -m state --state NEW ! -i $EXTERNAL -j ACCEPT
    # private source addresses have no business arriving from the Internet side
    iptables -A FORWARD -s 10.0.0.0/8 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 172.16.0.0/12 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 192.168.0.0/16 -i $EXTERNAL -j REJECT
    # every DNAT in PREROUTING below needs a matching FORWARD accept here
    iptables -A FORWARD -p tcp -d $SSH_HOST --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -d $VNC_HOST -s $VNC_CLIENT --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -p tcp -d $SSH_HOST -s 149.149.0.0/16 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -p tcp -d $SSH_HOST --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination $VNC_HOST
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST
    # iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 21 -j DNAT --to-destination $SSH_HOST
    # iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination $SSH_HOST
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i $EXTERNAL -j ACCEPT
    iptables -A INPUT -i $INTERNAL -j ACCEPT
    iptables -A INPUT -j REJECT
    iptables -A OUTPUT -j ACCEPT
}

firewall_stop() {
    echo "Disabling Firewall..."
    iptables -t filter --flush
    iptables -t filter --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    # --flush leaves the chain policies alone: without these three lines the box
    # is left at INPUT DROP with no accept rules, i.e. locked out
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # stop routing too, otherwise "stopped" means routing with no filtering at all
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/rp_filter
}

firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}

case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage $0 start|stop|restart"
esac
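Added example, not code from the thread or from the poster above: the script in post #3 keeps every port-forward as two hand-written lines, a DNAT in `nat/PREROUTING` and an ACCEPT in `filter/FORWARD`, and when one is edited without the other the forward silently stops working. The generator below derives both from a single list and emits the whole ruleset in `iptables-restore` format, which is loaded atomically instead of rule by rule. Interface names, the LAN prefix `172.16.1.0/24` and the forward list are assumptions loosely modelled on post #3, not values from it; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset in
# which each DNAT port-forward and its FORWARD accept come from one definition.
# All values below are ASSUMPTIONS for the example, adjust for your own box.
EXTERNAL=eth0
INTERNAL=eth1
LAN_NET=172.16.1.0/24
# space-separated "proto:port:internal_host" entries (assumed values)
FORWARDS="tcp:22:172.16.1.2 tcp:5900:172.16.1.3"

# split one "proto:port:host" entry into the three shell variables
parse_fwd() {
    proto=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    host=${rest#*:}
}

gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    for f in $FORWARDS; do
        parse_fwd "$f"
        echo "-A PREROUTING -i $EXTERNAL -p $proto --dport $port -j DNAT --to-destination $host"
    done
    # masquerade only traffic that really comes from the LAN prefix
    cat <<EOF
-A POSTROUTING -s $LAN_NET -o $EXTERNAL -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INTERNAL -s $LAN_NET -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXTERNAL -s 10.0.0.0/8 -j DROP
-A FORWARD -i $EXTERNAL -s 172.16.0.0/12 -j DROP
-A FORWARD -i $EXTERNAL -s 192.168.0.0/16 -j DROP
-A FORWARD -i $INTERNAL -s $LAN_NET -o $EXTERNAL -j ACCEPT
EOF
    # the FORWARD accept for each DNAT target is generated from the same entry,
    # so the two tables cannot drift apart
    for f in $FORWARDS; do
        parse_fwd "$f"
        echo "-A FORWARD -i $EXTERNAL -o $INTERNAL -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# self-check helpers: the number of DNAT rules must equal the number of
# generated FORWARD accepts, otherwise some forward is broken
dnat_count()    { gen_ruleset | grep -c -- '-j DNAT'; }
forward_count() { gen_ruleset | grep -c -- '^-A FORWARD .*--ctstate NEW -j ACCEPT$'; }

gen_ruleset
```

Usage: `sh gen-fw.sh | iptables-restore --test` checks the syntax without touching the kernel; drop `--test` to load it (root required), and keep `ip_forward` enabled separately (`echo 1 > /proc/sys/net/ipv4/ip_forward`, or Slackware's rc.ip_forward). Caveat on the RFC 1918 drops: if the external interface is itself behind another NAT router and sits in a private range, the matching drop line would cut off that upstream and has to be removed.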
02-18-2004, 12:00 AM | #4 | LQ Newbie | Registered: Aug 2003 | Location: Australia mate | Distribution: Slackware 9.1 | Posts: 23 | Original Poster
Thx guys, I'll have a go at it.
Got a bit worried about the watchdog script but luckily there's a GUI.
Last edited by Wags; 02-18-2004 at 12:19 AM.
02-18-2004, 04:24 PM | #5 | Member | Registered: Jan 2003 | Distribution: many win/nix/mac | Posts: 259
Go to this site, walk through the prompts. Cut and paste into a newly created /etc/rc.d/rc.firewall.
Edit the line that has the location of iptables: it will default to /usr/local/sbin, and we Slackware people need to change that to /usr/sbin.
The firewall will be excellently commented, so custom editing is extremely easy.
Then type from the CLI: /etc/rc.d/rc.firewall start
Voila, 15 min tops.
Happy slacking
02-18-2004, 05:13 PM | #6 | LQ Newbie | Registered: Aug 2003 | Location: Australia mate | Distribution: Slackware 9.1 | Posts: 23 | Original Poster
Thx, u guys have been helpful. Got it all running like a charm.