[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

for those upgrading to 2.2...




I've recently upgraded a couple of boxes that do masquerading from 2.0
to 2.2.  The biggest change is that now instead of using the ipfwadm
to set up firewall/masquerading rules, you now have to use the
ipchains utility.  The ipchains package does include a script called
ipfwadm-wrapper that is a nearly complete replacement for ipfwadm, but
it seems like an inefficient way to handle things at best.

Anyway, to help anybody out there who is considering upgrading, below
is my script to start firewalling/masquerading, converted to use
ipchains.  Hopefully it will help you get started, at least.

Steve
-- 
steve@silug.org           | Linux Users of Central Illinois
(217)698-1694             | Meetings the 4th Tuesday of every month
Steven Pritchard          | http://www.luci.org/ for more info

----- Script follows -----
#!/bin/sh
#
# firewall     This shell script takes care of starting and stopping
#              IP masquerading and firewalling.
#

# Run the old 2.0 script if we're running a 2.0 kernel.
if [ `uname -r | cut -d. -f1-2` = "2.0" ]; then
    exec /etc/rc.d/init.d/firewall-2.0 $*
fi

# Source function library.
#. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting firewall: "
        # Load ip_masq modules.
	for module in /lib/modules/`uname -r`/ipv4/ip_masq_*.o
	do
	    modprobe `echo ${module} | cut -d/ -f6`
	done

	# Set up firewalling rules.
	ipchains -P input ACCEPT
	ipchains -P output ACCEPT
	ipchains -P forward REJECT

	# Block reserved addresses on the appropriate interfaces.
	# I originally had these set to REJECT, but that doesn't
	# make sense since the traffic is by definition invalid.
	ipchains -I input -p all -s 192.168.0.0/16 -i ppp0 -j DENY
	ipchains -I output -p all -s 192.168.0.0/16 -i ppp0 -j DENY
	ipchains -I input -p all -s 172.16.0.0/12 -i ppp0 -j DENY
	ipchains -I output -p all -s 172.16.0.0/12 -i ppp0 -j DENY
	ipchains -I input -p all -s 10.0.0.0/8 -i ppp0 -j DENY
	ipchains -I output -p all -s 10.0.0.0/8 -i ppp0 -j DENY
	ipchains -I input -p all -s 127.0.0.0/8 -i ppp0 -j DENY
	ipchains -I output -p all -s 127.0.0.0/8 -i ppp0 -j DENY
	ipchains -I input -p all -s 127.0.0.0/8 -i eth0 -j DENY
	ipchains -I output -p all -s 127.0.0.0/8 -i eth0 -j DENY

	# MASQ everything in 192.168.0.0.
	ipchains -I forward -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ

        touch /var/lock/subsys/firewall
        echo
        ;;
  stop)
        echo -n "Shutting down firewall: "
        # Unload modules
	for module in `cat /proc/modules | grep '^ip_masq' | cut -d' ' -f1`
	do
	    rmmod ${module}
	done
	# Flush firewalling rules & accept everything.
	ipchains -F input
	ipchains -F output
	ipchains -F forward
	ipchains -P input ACCEPT
	ipchains -P output ACCEPT
	ipchains -P forward ACCEPT
        echo "done"
        rm -f /var/lock/subsys/firewall
        ;;
  restart)
	$0 stop
	$0 start
	;;
  *)
        echo "Usage: firewall {start|stop}"
        exit 1
esac

exit 0

--
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.