ipfwadm
Have a firewalling related question.. I have an older machine with redhat
4.x (yes, I know it is old) with 2.0.30 kernel... I set up IP masquerading
which seems to work fine... it uses a standard dialup account to connect. I
basically want to disable everything on the outside (PPP) interface while
allowing the inside access to everything (well 3 machines have access to
everything, all other machines have full access to ONE remote machine)
Here's what I've got... my /etc/rc.d/init.d/firewall script which does the
basic stuff... I couldn't figure out any easy way to deal with the PPP
adapter changing IP addresses, so I made a separate script that is called
from within the while loop of ifup-ppp... I have it to run right before pppd
is called (why I have it with a sleep 90 --it's ugly I know). The lines
wrapped in my email, but just ignore that part ;-)
It appears to run, and even if I do a ipfwadm -I -l, the rules show up and
look like they should... the only problem is, it doesn't seem to work. When
I telnet to an outside box and try to telnet back in, I can :-(
Any ideas, suggestions, comments?
oh yeah, btw, I tried using the Input and Output rules, but all I ever got
it to do was disable everything from working... So, instead, I am trying to
redirect the port to port 17 (which just happens to be disabled/non
functional)...
#!/bin/bash
# /etc/rc.d/init.d/firewall: masquerading gateway rules (2.0.30 kernel, ipfwadm).
. /etc/rc.d/init.d/functions
case "$1" in
start)
    echo -n "Starting Firewall: "
    # Load the masquerading helper modules for protocols that carry addresses in-band.
    /sbin/depmod -a
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_cuseeme
    /sbin/modprobe ip_masq_vdolive
    /sbin/modprobe ip_masq_quake
    # Forwarding is denied by default; flush all three chains before adding rules.
    ipfwadm -F -p deny
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f
    # Every LAN host may reach this one remote machine (masqueraded).
    ipfwadm -F -a m -S 192.168.1.0/24 -D 208.202.227.130/32
    # These lines allow the listed hosts out to the net.
    ipfwadm -F -a m -S 192.168.1.12/32 -D 0.0.0.0/0
    ipfwadm -F -a m -S 192.168.1.13/32 -D 0.0.0.0/0
    ipfwadm -F -a m -S 192.168.1.19/32 -D 0.0.0.0/0
    ipfwadm -F -a m -S 192.168.1.17/32 -D 0.0.0.0/0
    # Earlier attempt at input rules, left disabled. Note that -W takes only an
    # interface name, so the port numbers here would have to follow -S or -D.
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 20 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 21 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 25 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 23 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 37 -P udp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 37 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 53 -P udp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 53 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 69 -P udp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 137 -P udp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 137 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 138 -P udp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 138 -P tcp -r 17
    # ipfwadm -I -a accept -S 0.0.0.0/0 -W ppp0 139 -P tcp -r 17
    touch /var/lock/subsys/firewall
    echo " done!"
    ;;
stop)
    echo -n "Shutting down Firewall: "
    ipfwadm -F -p deny
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f
    rm -f /var/lock/subsys/firewall
    echo
    ;;
restart)
    $0 stop
    $0 start
    ;;
status)
    # List the rules currently loaded in each chain.
    ipfwadm -I -l
    ipfwadm -O -l
    ipfwadm -F -l
    ;;
*)
    echo "Usage: firewall (start|stop|restart|status)"
    exit 1
esac
exit 0
----------
#!/bin/sh
# Called from the ifup-ppp loop; wait for the link to come up before reading its address.
sleep 90
# Read the ppp0 address once instead of once per rule; empty if ppp0 is not up.
PPP_ADDR=`ifconfig ppp0 2>/dev/null | grep 'inet addr' | cut -f2 -d: | cut -f1 -d' '`
if [ -z "$PPP_ADDR" ]; then
    echo "$0: ppp0 has no address yet, no input rules installed" >&2
    exit 1
fi
ipfwadm -I -f
# Redirect inbound packets for these ports on the ppp0 address to local port 17
# (unused here). The protocol is given before the port-bearing -D.
for SPEC in "tcp 20" "tcp 21" "tcp 25" "tcp 23" "udp 37" "tcp 37" "udp 53" "tcp 53" \
            "udp 69" "udp 137" "tcp 137" "udp 138" "tcp 138" "tcp 139"; do
    set -- $SPEC
    ipfwadm -I -a accept -P $1 -S 0.0.0.0/0 -D $PPP_ADDR/32 $2 -r 17
done
--
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
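As an added example (not code from the original post or from ipfwadm's own documentation), the script below takes the deny-on-ppp0 approach the post mentions trying: it reads the ppp0 address with one parser, refuses to install rules when the link is down, and lets in only replies to traffic the gateway or the masqueraded LAN started, so a fresh inbound connection on ppp0 is dropped and logged while the LAN side is untouched. Assumptions: Linux 2.0-era ifconfig output, ipfwadm's -W/-k/-o options, the 2.0 masquerade port range in MASQ_PORTS, and constructed 192.0.2.x addresses.

```shell
#!/bin/sh
# Added example, not the original poster's script. MASQ_PORTS is an assumption
# (2.0 kernel masquerade range); adjust it if the kernel uses a different one.
MASQ_PORTS="${MASQ_PORTS:-60000:64096}"

# Constructed ifconfig output for offline checks; ppp0 sits between two other
# interfaces so the parser must not pick up eth0's address by mistake.
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.10  P-t-P:192.0.2.1  Mask:255.255.255.255
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0'

# ppp0_addr: read ifconfig output on stdin, print the ppp0 inet address
# (prints nothing when the link is not up).
ppp0_addr() {
    awk '/^ppp0/ { found = 1; next }
         /^[^ ]/ { found = 0 }
         found && /inet addr:/ { sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit }'
}

# input_rules ADDR: install the ppp0 input rules. New inbound TCP connections
# are denied rather than redirected; only replies are accepted.
input_rules() {
    addr="$1"
    if [ -z "$addr" ]; then
        echo "ppp0 has no address; refusing to install rules" >&2
        return 1
    fi
    ipfwadm -I -f
    # TCP packets with ACK set (-k) are replies to connections we or the
    # masqueraded LAN opened; a fresh inbound SYN carries no ACK.
    ipfwadm -I -a accept -W ppp0 -P tcp -k -S 0.0.0.0/0 -D "$addr"/32
    # UDP replies: DNS answers, and masqueraded LAN UDP on the masq port range.
    ipfwadm -I -a accept -W ppp0 -P udp -S 0.0.0.0/0 53 -D "$addr"/32
    ipfwadm -I -a accept -W ppp0 -P udp -S 0.0.0.0/0 -D "$addr"/32 "$MASQ_PORTS"
    # ICMP errors (unreachable, fragmentation needed) keep connections healthy.
    ipfwadm -I -a accept -W ppp0 -P icmp -S 0.0.0.0/0 -D 0.0.0.0/0
    # Everything else arriving on ppp0 is dropped and logged (-o). Rules are
    # bound to ppp0, so the default policy and the LAN interface are untouched.
    ipfwadm -I -a deny -o -W ppp0 -S 0.0.0.0/0 -D 0.0.0.0/0
}

# Usage from ifup-ppp once the link is up:  sh ppp-input-rules.sh apply
if [ "${1:-}" = apply ]; then
    input_rules "$(ifconfig ppp0 2>/dev/null | ppp0_addr)"
fi
```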