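#!/bin/sh
#
# TrinityOS-style IPCHAINS firewall for Linux 2.2 kernels
# (based on http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri)
#
# ****
# NOTE: All 2.2.x Linux kernels prior to 2.2.11 have a fragmentation bug that
# **** renders all strong IPCHAINS rulesets void. It is CRITICAL that users
#      upgrade the Linux kernel to 2.2.11+ for proper firewall security.
#
# This first section only declares the interfaces, addresses and switches the
# rest of the ruleset refers to. Values that still contain "xxx" are
# placeholders and MUST be edited; the sanity check at the end of the section
# refuses to load a half-working ruleset on top of them (see fail_closed).

# FWVER is not assigned anywhere in this script; honour an exported value so
# the syslog line still carries something useful. logger does not interpret
# backslash escapes, so the old "\n\n" in this message went into syslog
# verbatim and has been dropped.
FWVER="${FWVER:-}"
logger "Loading TrinityOS IPCHAINS Firewall $FWVER"

# The loopback interface and address.
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"

# External (Internet-facing) interface.
# hanscees: changed from the TrinityOS default to the PPP link.
EXTIF="ppp0"
logger "External Interface: $EXTIF"

# Address, broadcast address and default gateway of the external interface.
#
# Static addresses: replace the "xxx" placeholders with the real values,
#   e.g. EXTIP="100.200.0.212"
#
# Dynamic addresses (usual for a ppp0 link): every rule below that names
# $EXTIP stops matching as soon as the peer assigns a different address, and
# that traffic then falls through to the logged catch-all REJECT. EXTIP and
# EXTBROAD are therefore taken from the environment when already set, so an
# ip-up hook can export the current address and re-run this script on each
# connect (how to obtain the address from pppd depends on the pppd version -
# check its ip-up documentation).
EXTIP="${EXTIP:-10.194.0.xxx}"
EXTBROAD="${EXTBROAD:-10.194.0.255}"
# Default gateway: informational only, no rule in this script refers to it.
DGW="195.190.241.xx"

# Internal (LAN) interface and addressing.
INTIF="eth0"
logger "Internal Interface: $INTIF"

# Informational only: no rule in this script refers to $INTIP.
INTIP="192.168.0.xxx"
logger "Internal IP: $INTIP"

INTLAN="192.168.0.0/24"
logger "Internal LAN: $INTLAN"

echo " --- "

# Any IP address.
UNIVERSE="0.0.0.0/0"

# Limited broadcast address.
BROADCAST="255.255.255.255"

# Unprivileged port range: replies to connections the firewall itself opened.
UNPRIVPORTS="1024:65535"

# X Window System (TCP) ports rejected on the external interface. X can use
# more than this range; widen it if more displays exist.
XWINDOWS_PORTS="6000:6010"

#--------------------------------------------------------------------
# Port forwarding targets
#--------------------------------------------------------------------
# Port forwarding lets external traffic connect directly to an INTERNAL
# masqueraded machine, e.g. external users reaching a WWW server behind the
# MASQ box.
#
# To enable it, un-# and edit one or more PORTFWIP lines here, then un-# the
# matching PORTFW lines in the FORWARD section at the end of the ruleset.
# If the forwarded port must be reachable by ALL hosts on the Internet it
# also has to be ACCEPTed in the INPUT section, like HTTP or SMTP.
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see Appendix A of the TrinityOS document / the IP-MASQ-HOWTO.
#
# Disabled by default.
#
#PORTFWIP1="192.168.0.20"
#echo PortFW1 IP: $PORTFWIP1
#PORTFWIP2="192.168.0.20"
#echo PortFW2 IP: $PORTFWIP2
#PORTFWIP3="192.168.0.20"
#echo PortFW3 IP: $PORTFWIP3

#--------------------------------------------------------------------
# Individual internal hosts
#--------------------------------------------------------------------
# Addresses of INTERNAL hosts allowed to connect directly to the Linux
# server. All internal hosts are allowed by default (see the INPUT section
# for the per-host rules that use these variables).
#
# Disabled by default.
#HOST1IP="192.168.0.10"
#echo Internal Host 1 IP: $HOST1IP
#HOST2IP="192.168.0.11"
#echo Internal Host 2 IP: $HOST2IP

#--------------------------------------------------------------------
# Logging switch
#--------------------------------------------------------------------
# "-l" logs the more important rules to /var/log/messages; set LOGGING=" "
# instead to disable that. It is recommended to leave logging on and, if a
# particular rule is too noisy, delete "$LOGGING" from that rule only.
#
# NOTE: $LOGGING is deliberately left UNQUOTED in every rule below. Quoting
# it would pass a lone " " argument to ipchains when logging is disabled and
# the rule would fail to load.
#
# LOGGING=" "
LOGGING="-l"
#echo " - Debugging."

#--------------------------------------------------------------------
# Sanity check: refuse to load a ruleset that still contains placeholders
#--------------------------------------------------------------------
# ipchains cannot resolve an address such as "10.194.0.xxx", so every rule
# that names it would fail to load while the remaining rules were applied,
# leaving a ruleset nobody reviewed. Rather than run with that, fail closed:
# REJECT policies on every chain and no rules except loopback and the
# internal LAN (so the box can still be repaired from inside), then stop.
fail_closed() {
    logger -s "TrinityOS firewall: $1 -- loading minimal fail-closed ruleset and aborting"
    for chain in input output forward; do
        /sbin/ipchains -P "$chain" REJECT
        /sbin/ipchains -F "$chain"
    done
    /sbin/ipchains -A input  -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
    /sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
    /sbin/ipchains -A input  -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
    /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
    exit 1
}

# $1 = variable name (for the message), $2 = its value.
# Anything other than digits, dots and a slash marks an unedited placeholder
# (the ruleset only ever uses numeric IPv4 addresses/networks).
check_addr() {
    case "$2" in
        ''|*[!0-9./]*) fail_closed "$1=\"$2\" is not a numeric IPv4 address (unedited placeholder?)" ;;
    esac
}

# Only the variables that rules actually use are checked; DGW and INTIP are
# informational.
check_addr EXTIP    "$EXTIP"
check_addr EXTBROAD "$EXTBROAD"
check_addr INTLAN   "$INTLAN"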
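#--------------------------------------------------------------------
# Debugging aid: dump the settings to a file. Disabled by default.
#--------------------------------------------------------------------
# SECURITY: if you enable this, do NOT write to world-writable /tmp as root
# (a symlink planted there beforehand lets a local user redirect the write);
# use a root-owned directory instead. The original used /tmp/rc.firewall.dump.
#echo Loopback IP: $LOOPBACKIP > /root/rc.firewall.dump
#echo Loopback interface name: $LOOPBACKIF >> /root/rc.firewall.dump
#echo Internal interface name: $INTIF >> /root/rc.firewall.dump
#echo Internal interface IP: $INTIP >> /root/rc.firewall.dump
#echo Internal LAN address: $INTLAN >> /root/rc.firewall.dump
#echo ----------------------------------------------------- >> /root/rc.firewall.dump
#echo External interface name: $EXTIF >> /root/rc.firewall.dump
#echo External interface IP: $EXTIP >> /root/rc.firewall.dump
#echo External interface broadcast IP: $EXTBROAD >> /root/rc.firewall.dump
#echo External interface default gateway: $DGW >> /root/rc.firewall.dump
# ($EXTGW, $SECONDARYDNS and $SECUREHOST from the original dump are not
#  defined anywhere in this script; the gateway line now uses $DGW and the
#  other two have been dropped.)

#--------------------------------------------------------------------
# Kernel anti-spoofing: reverse path filtering
#--------------------------------------------------------------------
# Drop packets that arrive on an interface through which the kernel would not
# route a reply to their source, e.g. a packet with an internal source
# address arriving on the external interface.
#
# "1" is strict mode. The original wrote "2": 2.2 kernels appear to treat any
# non-zero value as "on", but on kernels where this sysctl is tri-state "2"
# selects the looser mode, which does not give the behaviour described above.
echo " - Disabling IP Spoofing attacks."
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
    # the glob stays literal when /proc is not mounted
    if [ -w "$rpf" ]; then
        echo "1" > "$rpf"
    else
        logger -s "TrinityOS firewall: cannot write $rpf - rp_filter NOT enabled"
    fi
done

#--------------------------------------------------------------------
# Masquerading timeouts
#--------------------------------------------------------------------
# ipchains -M -S <tcp> <tcpfin> <udp>, in seconds:
#   7200 - established TCP sessions (2 hours)
#     10 - TCP sessions after the "FIN" has been seen
#    160 - UDP traffic. The TrinityOS default is 60; ICQ users need something
#          like 160, which is the value this configuration uses (the original
#          comment still said 60).
echo " - Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 10 160

#--------------------------------------------------------------------
# Masquerading helper modules
#--------------------------------------------------------------------
# ip_masq_ftp lets masqueraded LAN clients use active-mode FTP; the other
# helpers are only needed for the protocols named. Load only what the LAN
# actually uses - each helper parses untrusted protocol data in the kernel.
echo " - Loading masquerading modules."
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_vdolive

#--------------------------------------------------------------------
# Default policies
#--------------------------------------------------------------------
# Only traffic that is EXPLICITLY allowed below gets through; everything else
# is implicitly rejected. The policies are set BEFORE the old rules are
# flushed so there is no moment at which the chains are empty with the
# kernel's default ACCEPT policy still in force (fail closed while reloading).
#echo " - Set default policies to REJECT"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

#echo " - Flushing all old rules"
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

#********************************************************************
# INPUT chain
#********************************************************************
#echo "Input Rules:"

#--------------------------------------------------------------------
# Incoming traffic on the INTERNAL interface
#--------------------------------------------------------------------
# DHCP server for the LAN. Disabled by default.
# ("$BROADCAST/0" is 255.255.255.255 with a zero-bit mask, i.e. ANY
#  destination; DHCP DISCOVERs arrive as broadcasts.)
# echo " Optional parameter: DHCPd server"
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps

#--------------------------------------------------------------------
# Incoming traffic on the EXTERNAL interface
#--------------------------------------------------------------------
# DHCP client: needed only if the ISP assigns the external address by DHCP
# (ADSL / cable modem). Disabled by default - the original comment said
# "Enabled by default" although the rules were commented out, and a PPP
# link normally gets its address from pppd rather than DHCP.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc

# FTP: allow external users to reach the FTP server on the firewall ITSELF
# for PORT-style transfers (this does NOT work for PASV transfers).
# Disabled by default; the rules follow in the next section.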
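#--------------------------------------------------------------------
# Anti-spoofing on the EXTERNAL interface - evaluated before any ACCEPT
#--------------------------------------------------------------------
# In the original order the HTTP and ICMP accepts below were evaluated
# first, so a packet arriving on $EXTIF with a forged internal source could
# match them before the spoof check was reached. rp_filter (set earlier)
# should already drop most such packets; these rules log them and do not
# depend on the routing table.
#
# DENY rather than REJECT: a REJECT would send an ICMP error to the forged
# source address, i.e. make the firewall a reflector.
#
# Remote interface claiming to be an internal machine, the loopback network
# or the firewall's own external address: get lost & log.
/sbin/ipchains -A input -j DENY -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
/sbin/ipchains -A input -j DENY -i $EXTIF -s 127.0.0.0/8 -d $UNIVERSE $LOGGING
/sbin/ipchains -A input -j DENY -i $EXTIF -s $EXTIP -d $UNIVERSE $LOGGING

#--------------------------------------------------------------------
# Services on the firewall ITSELF reachable from the EXTERNAL interface
#--------------------------------------------------------------------
# FTP: PORT-style FTP server on the firewall (does NOT cover PASV transfers).
# Disabled by default.
# echo " Optional parameter: FTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data

# HTTP: web server on the firewall.
# ENABLED in this configuration (the original comment still said "Disabled
# by default"). Comment the rule out if no web server runs on this box.
# echo " Optional parameter: WWW server"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http

# ICMP: accept only the types the firewall needs from the Internet. ipchains
# takes the ICMP type in the -s "port" position. Redirects (5), router
# advertisements (9), source quench (4) and the timestamp / address-mask
# probes are deliberately NOT listed - the original rule accepted every
# ICMP type, redirects included.
#    0 echo-reply     3 destination-unreachable     8 echo-request
#   11 time-exceeded 12 parameter-problem
for icmptype in 0 3 8 11 12; do
    /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE $icmptype -d $EXTIP
done

# NTP: external hosts may use the firewall as a time server. Disabled.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ntp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP ntp

# TELNET: cleartext logins from the Internet - leave this disabled and use
# SSH. If it must be enabled, replace $UNIVERSE by the administrator's
# address.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet

# SSH server: disabled. When enabling, prefer a known source address or
# network in -s rather than $UNIVERSE.
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh

#--------------------------------------------------------------------
# Specific input rejections on the EXTERNAL interface
#--------------------------------------------------------------------
# NFS: reject NFS traffic to and from external machines. The original only
# rejected TCP here although NFS v2/v3 commonly run over UDP (the OUTPUT
# chain already rejected both); UDP is now rejected as well.
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE 2049 -d $EXTIP

# SMB/NetBIOS: reject WITHOUT $LOGGING so the constant Windows chatter on
# the Internet does not flood /var/log/messages. Covers TCP and UDP 137-139
# to the firewall's address and to its broadcast address, plus TCP from a
# 137-139 source port aimed at the firewall. (The original left UDP to
# $EXTIP and port 139 to $EXTBROAD to the logged catch-all.)
# echo " - Silently rejecting TCP/UDP SMB traffic on the external interface."
for nbport in 137 138 139; do
    /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP $nbport
    /sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP $nbport
    /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD $nbport
    /sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD $nbport
    /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE $nbport -d $EXTIP
done

#--------------------------------------------------------------------
# Incoming traffic on ALL interfaces
#--------------------------------------------------------------------
# AUTH/identd (TCP 113): accepted from anywhere so remote IRC and mail
# servers that query identd do not hang until their timeout. This exposes
# identd on the Internet; if no identd runs here, comment the rule out -
# the catch-all REJECT answers with an ICMP error, so those servers still
# fail fast.
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth

# BOOTP/DHCP: reject all stray bootp traffic. Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc

# DNS: an authoritative server needs the DNS ports open on all interfaces;
# a caching server only on the internal ones (add -i $INTIF -s $INTLAN to
# the rules instead of opening them everywhere). Restrict zone transfers
# and consider split DNS as described in Step 4 of the TrinityOS document.
# Disabled by default.
# echo " Optional parameter: DNS server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain
#/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain

# RIP: reject all stray RIP traffic. Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route

# SMTP: an authoritative mail server must accept SMTP on all interfaces;
# the (disabled) rule follows.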
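#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $EXTIP smtp

#--------------------------------------------------------------------
# Internal LAN and loopback: accept
#--------------------------------------------------------------------
# Local interface, local machines, going anywhere is valid. This sits at the
# BOTTOM of the INPUT chain so that every DENY/REJECT above is hit first.
#
# To allow only specific internal HOSTS instead of the whole LAN, comment the
# blanket rule out, define HOST1IP/HOST2IP in the configuration section and
# enable per-host rules like these (the original configuration declared the
# variables but had no rules using them):
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $HOST1IP -d $UNIVERSE
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $HOST2IP -d $UNIVERSE
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE

# Loopback interface is valid.
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE

#--------------------------------------------------------------------
# High ports: replies to connections the firewall itself originated
#--------------------------------------------------------------------
# ipchains keeps no connection state for non-masqueraded traffic, so "reply
# traffic" can only be approximated:
#
#  * "-y" matches a TCP connection request (SYN set, ACK and FIN clear), so
#    "! -y" accepts every TCP segment EXCEPT a new connection attempt.
#    Nothing can open a connection to a high port from outside through this
#    rule.
echo " - Enabling all input REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS

#  * ACTIVE FTP: the remote server opens the data connection FROM port 20
#    with a SYN, which the rule above does not accept, so it is allowed here
#    without SYN filtering.
#    SECURITY CAVEAT: any host that merely sets its source port to 20 can
#    open a NEW connection to ANY unprivileged port on the firewall through
#    this rule, bypassing the SYN filter. Comment it out unless the firewall
#    itself must do active-mode FTP (active FTP for masqueraded LAN clients
#    is what the ip_masq_ftp module loaded earlier is for, not this rule).
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS

#  * UDP has no handshake to filter on: every UDP datagram to a high port is
#    accepted. Make sure nothing listens on UDP 1024+ on the firewall (RPC
#    services are the usual offenders) or reject it explicitly above.
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS

#--------------------------------------------------------------------
# Catch-all INPUT rule
#--------------------------------------------------------------------
# All other incoming traffic is rejected and logged.
echo " - Final input catch all rule."
/sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING

#********************************************************************
# OUTPUT chain
#********************************************************************

#--------------------------------------------------------------------
# Outgoing traffic on the internal LAN and loopback
#--------------------------------------------------------------------
# Local interface, any source going to the local net is valid.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN

# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE

#--------------------------------------------------------------------
# Outgoing traffic on the EXTERNAL interface: servers on the firewall itself
#--------------------------------------------------------------------
# FTP server replies. Disabled by default.
# echo " Optional parameter: FTP server"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE

# HTTP server replies. ENABLED to match the INPUT rule (the original comment
# still said "Disabled by default").
# echo " Optional parameter: WWW server"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE

# NTP server replies (the Linux server is a NTP server). Some NTP clients
# use TCP, others UDP - the rules for both follow.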
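# Disabled by default in TrinityOS, but ENABLED in this configuration.
# The original lines ended in "$logging" (lower case), which is not defined
# anywhere and expanded to nothing; it has been removed rather than turned
# into $LOGGING, which would log every NTP packet.
# echo " Optional parameter: NTP server"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ntp -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP ntp -d $UNIVERSE

# TELNET server replies. Disabled - see the INPUT chain.
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE

# SSH server replies. Disabled.
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE

#--------------------------------------------------------------------
# Outgoing traffic on ALL interfaces
#--------------------------------------------------------------------
# AUTH/identd replies (matches the all-interface ACCEPT in the INPUT chain).
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE

# DNS server replies: enable only if this host is an authoritative DNS
# server. (The firewall's own lookups as a client leave from unprivileged
# ports and are covered by the high-port rule at the end of the chain.)
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE

# ICMP out, all types: needed for the firewall's own ping/traceroute and for
# the ICMP errors the REJECT targets generate.
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE

# SMTP: enable if the Linux server is an authoritative SMTP server or relay.
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE

#--------------------------------------------------------------------
# Specific OUTPUT rejections
#--------------------------------------------------------------------
# These sit ABOVE the high-port ACCEPT at the end of the chain: the
# firewall's own processes send from unprivileged ports, so anything not
# rejected here is allowed out to ANY destination port. Their job is to log
# and stop the firewall itself talking on ports it never should.
#
# NOTE: the original wrote many destinations as "$UNIVERSE/0", i.e.
# "0.0.0.0/0/0". That is not a valid address/mask and most likely made
# ipchains refuse those rules, leaving the corresponding ports open on the
# way out. All of them now use $UNIVERSE.

# Traffic to the local net leaving through the remote interface: stuffed
# routing. Deny & log.
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING

# Traffic from the local net leaving unmasqueraded through the external
# interface: stuffed masquerading. Deny & log.
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING

# SMB/NetBIOS (UDP 137-139): to any host, and from our own NetBIOS ports.
for nbport in 137 138 139; do
    /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $nbport $LOGGING
    /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP $nbport -d $UNIVERSE $nbport $LOGGING
done

# RPC portmapper (sunrpc, 111).
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d $UNIVERSE $LOGGING

# Mountd (635).
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE $LOGGING

# PPTP (1723), Remote Winsock (1745), PcAnywhere (5631/5632): TCP and UDP.
for svcport in 1723 1745 5631 5632; do
    /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $svcport $LOGGING
    /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $svcport $LOGGING
done

# NFS (2049), TCP and UDP, both directions.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE $LOGGING

# X Window System: $XWINDOWS_PORTS (6000:6010 as configured above; the
# original comment said 6000:6007). X can use more than this range.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING

# Trojan / backdoor listeners contacted FROM this host (destination port):
# NetBus 12345/12346, NetBus Pro 20034, Win Crash 5742, Socket de Troye
# 30303, Master's Paradise 40421 (TCP); Back Orifice 31337 (UDP).
for trojanport in 12345 12346 20034 5742 30303 40421; do
    /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $trojanport $LOGGING
done
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31337 $LOGGING

# DDoS agents running ON this host (source port). These ports change over
# time - treat the list as a starting point, not a guarantee.
# Trinoo: master TCP 27665, daemon UDP 27444 / 31335.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27665 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27444 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 31335 -d $UNIVERSE $LOGGING
# Shaft: TCP 20432, UDP 18753 / 20433.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 20432 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 18753 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 20433 -d $UNIVERSE $LOGGING

# IPsec VPNs: the original rejected only TCP 500 in both directions. IKE
# runs over UDP 500 (ESP and AH are IP protocols 50 and 51, not ports), so
# the TCP rules alone would not stop a VPN negotiation from this host. UDP
# 500 is now rejected as well; the TCP rules are kept as before.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 500 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 500 $LOGGING

#--------------------------------------------------------------------
# High ports: traffic the firewall itself originates
#--------------------------------------------------------------------
# Anything sent from an unprivileged port is allowed out; everything that
# should not leave must have been rejected above.
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE

#--------------------------------------------------------------------
# Catch-all OUTPUT rule
#--------------------------------------------------------------------
echo " - Final output catch all rule."
# All other outgoing traffic is rejected and logged. This also catches any
# Samba traffic the explicit rules above did not.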
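/sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING

#********************************************************************
# FORWARD chain
#********************************************************************
# Order matters here: the defrag sysctl and the MASQ / catch-all rules are
# put in place BEFORE ip_forward is switched on, so the kernel never forwards
# a packet the complete ruleset has not seen (the original enabled
# forwarding first and added the rules afterwards).

# Diald users: this rule lets the sl0 SLIP interface see traffic so diald can
# bring the link up. Disabled by default. (The original wrote
# "-d $UNIVERSE/0", which is not a valid address/mask.)
#/sbin/ipchains -A forward -j MASQ -i sl0 -s $INTLAN -d $UNIVERSE

#--------------------------------------------------------------------
# Port forwarding
#--------------------------------------------------------------------
# Port forwarding lets external traffic connect directly to an INTERNAL
# masqueraded machine, e.g. a WWW server behind the MASQ box.
#
#  * Edit and un-# the PORTFWIP* lines in the configuration section.
#  * The forwarded port must also be ACCEPTed in the INPUT chain on $EXTIF
#    (as done for HTTP above), otherwise the packets never reach the
#    redirect.
#  * Each forward needs its own external port: the three example lines below
#    all use external port 26, so only one of them can take effect.
#  * Original TrinityOS note: do not use ports greater than 1023 for
#    redirection ports (see the IP-MASQ-HOWTO, Appendix A of the document,
#    for the reasoning).
#
# NOTE: Port forwarding is well beyond the scope of this documentation to
# explain the security issues implied in opening up access like this.
# Please see the IP-MASQ-HOWTO for a full explanation.
#
# Disabled by default.
#echo " * Enabling Port Forwarding onto internal hosts."
#/usr/sbin/ipmasqadm portfw -f
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP1"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP1 22
#
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP2"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP2 22
#
#echo " * Forwarding SSH traffic on port 26 to $PORTFWIP3"
#/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP3 22

#--------------------------------------------------------------------
# Masquerading from the internal LAN
#--------------------------------------------------------------------
# Always reassemble fragments before they are filtered / masqueraded (see the
# kernel version note at the top of the file). Set before forwarding starts.
echo " - Enable IP Always Defrag for the internal LAN."
if ! echo "1" > /proc/sys/net/ipv4/ip_always_defrag; then
    logger -s "TrinityOS firewall: could not enable ip_always_defrag"
fi

# Masquerade traffic from the local net leaving through the external
# interface to anywhere. In the forward chain -i names the OUTGOING
# interface.
echo " - Enable IP Masquerading from the internal LAN."
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE

# Catch-all rule: all other forwarding is rejected and logged.
/sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING

# Turn on IP forwarding in the kernel, now that the forward chain is
# complete. Red Hat alternative: FORWARD_IPV4=true in
# /etc/sysconfig/network; this sysctl write works on any system at runtime.
echo " - Enabling IP forwarding."
if ! echo "1" > /proc/sys/net/ipv4/ip_forward; then
    logger -s "TrinityOS firewall: could not enable ip_forward - masquerading will not work"
fi

# logger does not interpret backslash escapes; the old trailing "\n\n" went
# into syslog verbatim.
logger "TrinityOS IPCHAINS Firewall $FWVER implemented."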