Help with ipfwadm rules :(

Eduardo Röhr (hanus@gmx.net)
Thu, 11 Mar 1999 21:03:57 -0300


I have a net with an NT 4 box and a Linux Red Hat 5.0 (upgraded from kernel
2.0.32 to kernel 2.0.35). What I'm trying (for quite a while now) is to set up,
with the help of ipfwadm, a masquerading firewall. The idea is that the NT box
can only use email (SMTP and POP) with the outside world. The kernel
configuration is all OK.
At first I used a very short script with a few ipfwadm rules and
masquerading. This worked fine... but I saw that I was only leaving big
holes everywhere...
So I found something called dotfile (it generates firewall rules based on
ipfwadm). Well, I pasted these rules into the /etc/ppp/ip-up file. The problem
is that I can't find out why the thing doesn't work....

PLEASEEEEEEEE HELPPPPPP or a clue...or something snif snif

#!/bin/bash

LOGDEVICE=$6
REALDEVICE=$1

export PATH=/sbin:/usr/sbin:/bin:/usr/bin

echo "$REALDEVICE" > /var/run/ppp-$LOGDEVICE.dev
# pass the ip-up arguments through unchanged ("$@" keeps each argument intact)
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"

/etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}

# Let's delete default route
route del default

# Routing through dynamic established ppp0
route add default gw $5

#------------> FIREWALL <----------------
#---------->General Settings<----------

# Variables
export ANY="0.0.0.0/0"
export INET="-W ppp0"
export LETH="-W eth0"
export LNET="172.16.0.0/16"
export FWALL="172.16.3.3/32"
export INET_IP="$4"
export OpenNewConn="-y"
export ConnEstablished="-k"

/sbin/ipfwadm -I -f # flush existing input rules
/sbin/ipfwadm -O -f # flush existing output rules
/sbin/ipfwadm -F -f # flush existing forwarding rules

# Set default policy to DENY
# (these three lines are commented out, so the policy already in effect
#  still applies to anything the rules below do not match; that is accept
#  unless something set it earlier)
#/sbin/ipfwadm -I -p deny
#/sbin/ipfwadm -O -p deny
#/sbin/ipfwadm -F -p deny

# Anti-Spoofing
# (-o turns on kernel logging of the packets a rule matches)
/sbin/ipfwadm -I -a deny -o $INET -S 127.0.0.0/8
/sbin/ipfwadm -O -a reject $INET -S 10.0.0.0/8
/sbin/ipfwadm -O -a reject $INET -D 10.0.0.0/8
/sbin/ipfwadm -I -a deny -o $INET -S 10.0.0.0/8
/sbin/ipfwadm -I -a deny -o $INET -D 10.0.0.0/8
/sbin/ipfwadm -O -a reject $INET -S 192.168.0.0/16
/sbin/ipfwadm -O -a reject $INET -D 192.168.0.0/16
/sbin/ipfwadm -I -a deny -o $INET -S 192.168.0.0/16
/sbin/ipfwadm -I -a deny -o $INET -D 192.168.0.0/16
/sbin/ipfwadm -F -a reject $INET -S $LNET -D $LNET
/sbin/ipfwadm -F -a reject $INET -S $LNET -D 10.0.0.0/8
/sbin/ipfwadm -F -a reject $INET -S $LNET -D 172.16.0.0/12
/sbin/ipfwadm -F -a reject $INET -S $LNET -D 192.168.0.0/16

# Internal traffic is OK
/sbin/ipfwadm -F -a accept $LETH -S $LNET -D $LNET
/sbin/ipfwadm -I -a accept $LETH -S $LNET -D $LNET
/sbin/ipfwadm -O -a accept $LETH -S $LNET -D $LNET
#/sbin/ipfwadm -F -a accept -W lo

# Let's masquerade only SMTP, POP and DNS
#/sbin/ipfwadm -F -a m $INET -P tcp -S $LNET -D $ANY http
/sbin/ipfwadm -F -a m $INET -P tcp -S $LNET -D $ANY 25 110 53
/sbin/ipfwadm -F -a m $INET -P udp -S $LNET -D $ANY 53

# Reject everything else
/sbin/ipfwadm -F -a reject $INET -S $LNET -D $ANY

# mmmm....
#/sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY 1:1024
#/sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $INET_IP -S $ANY 1:1024

# SMTP and POP can get in and out
# (-k matches only TCP packets with the ACK bit set, i.e. replies, so this
#  input rule never lets a new connection in from outside)
/sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY 25 110
/sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $INET_IP -S $ANY 25 110

# In a very long future http too
#/sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY http
#/sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $INET_IP -S $ANY http

# DNS queries
/sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY domain
/sbin/ipfwadm -I -a accept $INET -P tcp -D $INET_IP -S $ANY domain
/sbin/ipfwadm -O -a accept $INET -P udp -S $INET_IP -D $ANY domain
/sbin/ipfwadm -I -a accept $INET -P udp -D $INET_IP -S $ANY domain

#echo connection established >> /dev/console

exit 0

PS: Sorry for my poor English jejeje

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
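The following is an added example for this thread, not code from the original post: a small Python model of how ipfwadm walks a chain (first matching rule decides, otherwise the chain policy applies). It reproduces the Forward and Input rules of the posted script with the variables substituted (LNET=172.16.0.0/16, INET=ppp0, LETH=eth0) and evaluates constructed sample packets against them, so the effect of the three commented-out "-p deny" policy lines can be seen without a 2.0 kernel. INET_IP, the LAN host and the external host addresses are constructed stand-ins; the evaluator itself takes any chain, not just these two.

```python
"""Toy first-match model of ipfwadm chains (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
LNET = "172.16.0.0/16"        # $LNET from the posted script
INET_IP = "203.0.113.5"       # constructed stand-in for the dynamic $4
NT_BOX = "172.16.3.10"        # constructed LAN host
MAIL_HOST = "198.51.100.7"    # constructed external host


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the chain sees the packet on (-W)
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK flag, the thing ipfwadm -k tests


@dataclass(frozen=True)
class Rule:
    action: str               # accept | deny | reject | m (accept + masquerade)
    iface: str = ""           # -W, empty = any interface
    proto: str = "all"        # -P
    src: str = ANY            # -S
    sports: tuple = ()        # ports listed after -S, empty = any
    dst: str = ANY            # -D
    dports: tuple = ()        # ports listed after -D, empty = any
    ack_only: bool = False    # -k


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified field of the rule must match the packet."""
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not _in_net(pkt.src, rule.src) or not _in_net(pkt.dst, rule.dst):
        return False
    if rule.sports and pkt.sport not in rule.sports:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.ack_only and not pkt.ack:
        return False
    return True


def evaluate(chain: list, pkt: Packet, policy: str) -> str:
    """ipfwadm semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action
    return policy


# Forward chain of the posted script, in the posted order
FORWARD = [
    Rule("reject", "ppp0", src=LNET, dst=LNET),
    Rule("reject", "ppp0", src=LNET, dst="10.0.0.0/8"),
    Rule("reject", "ppp0", src=LNET, dst="172.16.0.0/12"),
    Rule("reject", "ppp0", src=LNET, dst="192.168.0.0/16"),
    Rule("accept", "eth0", src=LNET, dst=LNET),
    Rule("m", "ppp0", "tcp", src=LNET, dports=(25, 110, 53)),
    Rule("m", "ppp0", "udp", src=LNET, dports=(53,)),
    Rule("reject", "ppp0", src=LNET),
]

# Input chain of the posted script, in the posted order
INPUT = [
    Rule("deny", "ppp0", src="127.0.0.0/8"),
    Rule("deny", "ppp0", src="10.0.0.0/8"),
    Rule("deny", "ppp0", dst="10.0.0.0/8"),
    Rule("deny", "ppp0", src="192.168.0.0/16"),
    Rule("deny", "ppp0", dst="192.168.0.0/16"),
    Rule("accept", "eth0", src=LNET, dst=LNET),
    Rule("accept", "ppp0", "tcp", sports=(25, 110), dst=INET_IP, ack_only=True),
    Rule("accept", "ppp0", "tcp", sports=(53,), dst=INET_IP),
    Rule("accept", "ppp0", "udp", sports=(53,), dst=INET_IP),
]


def forward_decision(pkt: Packet, deny_by_default: bool = False) -> str:
    return evaluate(FORWARD, pkt, "deny" if deny_by_default else "accept")


def input_decision(pkt: Packet, deny_by_default: bool = False) -> str:
    return evaluate(INPUT, pkt, "deny" if deny_by_default else "accept")


# Constructed sample traffic
SAMPLES = {
    "nt_smtp_out": Packet("ppp0", "tcp", NT_BOX, 1030, MAIL_HOST, 25),
    "nt_http_out": Packet("ppp0", "tcp", NT_BOX, 1031, MAIL_HOST, 80),
    "nt_to_lan": Packet("eth0", "tcp", NT_BOX, 1032, "172.16.3.3", 139),
    "smtp_reply": Packet("ppp0", "tcp", MAIL_HOST, 25, INET_IP, 61000, ack=True),
    "unsolicited_telnet": Packet("ppp0", "tcp", MAIL_HOST, 40000, INET_IP, 23),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} forward={forward_decision(pkt):6s} "
              f"input(policy accept)={input_decision(pkt):6s} "
              f"input(policy deny)={input_decision(pkt, True)}")
```

Running it shows the Forward chain doing what the post wants (SMTP out is masqueraded, HTTP out is rejected, LAN-to-LAN on eth0 is accepted), while in the Input chain anything the rules do not name, such as an unsolicited connection to port 23 on the ppp0 address, falls through to the policy and is accepted as long as the "-p deny" lines stay commented out.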