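# Firewall setup.
#
# This is a conversion of the ipchains/ipmasqadm based firewall.ini
# from the 1.x series of floppyfw, it's pretty simple and the
# corresponding ipchains rules are kept for references.
#
# Setting up iptables.
#
# Reads:  /etc/config, /etc/outside.info, /etc/inside.info
#         (the INSIDE_* / OUTSIDE_* network settings)
# Writes: /proc/sys/net/ipv4/ip_forward, /proc/sys/net/ipv4/ip_dynaddr
#         and the iptables filter and nat tables.
#
. /etc/config

#
# Stopping forwarding (this script may be run during normal uptime because
# of re-lease of DHCP or demand dialing / PPPoE).  Forwarding stays off
# until the whole rule set is in place, so a half-built set never forwards.
#
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info

#
# The rules used to mix ${INSIDE_DEV} and ${INSIDE_DEVICE} (and the same
# for OUTSIDE).  Whichever spelling the config files provide is copied to
# the other one, so an empty expansion can not turn "-o ${OUTSIDE_DEV}"
# into a rule with a missing interface.  If neither is known we stop here,
# before the old rules are flushed; forwarding is already off, so the box
# fails closed.
#
INSIDE_DEV=${INSIDE_DEV:-${INSIDE_DEVICE}}
OUTSIDE_DEV=${OUTSIDE_DEV:-${OUTSIDE_DEVICE}}
INSIDE_DEVICE=${INSIDE_DEVICE:-${INSIDE_DEV}}
OUTSIDE_DEVICE=${OUTSIDE_DEVICE:-${OUTSIDE_DEV}}
: "${INSIDE_DEV:?INSIDE_DEV (or INSIDE_DEVICE) is not set in /etc/config}"
: "${OUTSIDE_DEV:?OUTSIDE_DEV (or OUTSIDE_DEVICE) is not set in /etc/config}"

#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
echo "Starting firewall with the following config:"
echo
echo "               Inside          Outside"
echo "   Network: ${INSIDE_NETWORK}    ${OUTSIDE_NETWORK}"
echo "    Device: ${INSIDE_DEVICE}    ${OUTSIDE_DEVICE}"
echo "IP Address: ${INSIDE_IP}    ${OUTSIDE_IP}"
echo "   Netmask: ${INSIDE_NETMASK}    ${OUTSIDE_NETMASK}"
echo " Broadcast: ${INSIDE_BROADCAST}    ${OUTSIDE_BROADCAST}"
echo "   Gateway: [None Set]    ${OUTSIDE_GATEWAY}"
echo

#
# Flushing the chains.
#
iptables -F
iptables -t nat -F
iptables -X
iptables -Z          # zero all counters

#
# Policy for chains: DROP everything, then open up what we need.
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# With DROP policies on INPUT and OUTPUT the box's own loopback traffic
# (local resolver, syslog, ...) needs an explicit accept or it silently
# disappears.
#
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEV} -j MASQUERADE

#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
#
# Inbound DNAT belongs in the nat PREROUTING chain (the nat OUTPUT chain
# only sees packets the box generates itself), and the matching FORWARD
# rule has to match the address as it looks *after* the rewrite, i.e. the
# internal host, not ${OUTSIDE_IP}.  Replace INTERNAL_HOST with the
# server's inside address (e.g. 10.42.42.X).
#
# SSH:
#iptables -t nat -A PREROUTING -p tcp -i ${OUTSIDE_DEV} -d ${OUTSIDE_IP} --dport 22 -j DNAT --to INTERNAL_HOST:22
#iptables -A FORWARD -p tcp -d INTERNAL_HOST --dport 22 -o ${INSIDE_DEV} -j ACCEPT
# Web:
#iptables -t nat -A PREROUTING -p tcp -i ${OUTSIDE_DEV} -d ${OUTSIDE_IP} --dport 80 -j DNAT --to INTERNAL_HOST:80
#iptables -A FORWARD -p tcp -d INTERNAL_HOST --dport 80 -o ${INSIDE_DEV} -j ACCEPT
# FTP:
#iptables -t nat -A PREROUTING -p tcp -i ${OUTSIDE_DEV} -d ${OUTSIDE_IP} --dport 21 -j DNAT --to INTERNAL_HOST:21
#iptables -A FORWARD -p tcp -d INTERNAL_HOST --dport 21 -o ${INSIDE_DEV} -j ACCEPT

#
# We don't like the NetBIOS and Samba leaking..
#
# These used to be DROPs in the nat PREROUTING chain.  The nat table is
# only consulted for the first packet of a connection, so filtering there
# is fragile; the filter table's FORWARD chain is where a drop belongs,
# and it has to come *before* the "NEW from inside" accept below.
#
iptables -A FORWARD -p tcp -i ${INSIDE_DEV} --dport 135:139 -j DROP
iptables -A FORWARD -p udp -i ${INSIDE_DEV} --dport 137:139 -j DROP

#
# Keep state.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEV} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEV} -j DROP

#
# We would like to ask for names from our floppyfw box.
#
# --dport only works together with -p, so one rule each for UDP and TCP
# (TCP is used for large answers).  The replies belong to the same
# connection, so a single ESTABLISHED,RELATED accept on INPUT lets them
# back in from either side.  The old "-i outside --dport 53" accept would
# have opened the box's own port 53 to the outside instead of admitting
# replies (which arrive *from* port 53).
#
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT    # to both sides.
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEV} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEV} -j ACCEPT

#
# Finally, list what we have
#
# iptables -L
# If broken DNS:
#iptables -L -n

#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward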