[H-GEN] Firewalls

David Findlay david_j_findlay at yahoo.com.au
Wed Apr 18 21:25:40 EDT 2001


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

I am trying to set up a transparent firewall for my network. I basically want to set it up so that any machine inside my network, including the internet server, can access the net as if they were directly connected. However, I want to hide my machine from anything coming in, and effectively make it look like the server doesn't even exist. I have this mostly working: the machines inside the network can access the internet directly. However, pinging something on the internet doesn't work. Also my proxy server, Squid, which sits on the internet connection server, won't work and reports it can't find a name service record for anything. What have I done wrong?

Below is my script:

-- Start Firewall Script --
#! /bin/bash

# Automatically sets up and configures firewalling and IP accounting rules
ANYWHERE=0.0.0.0/0
EXT_IF=ppp0
INT_IF=eth0

INTERNAL_NET=192.168.0.0/24
INTERNET=0.0.0.0/0
ME=192.168.0.3

# Logging switch: leave empty, or set to "-l" to log every packet matched by the rules below
LOG=""

# Disable packet forwarding while we set up the firewall
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush rules
/sbin/ipchains -F 

# Deny all packets by default - mostly closed firewall
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY

# Accept anything to/from localhost
/sbin/ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo $LOG
/sbin/ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo $LOG


# Spoofing protection: internal source addresses must never arrive on the external interface
/sbin/ipchains -A input -j RETURN -p all -s $INTERNAL_NET -d $ANYWHERE -i $EXT_IF $LOG

# Accept TCP packets belonging to already-established connections
/sbin/ipchains -A input -j ACCEPT -p tcp -s $ANYWHERE -d $ME ! -y -b $LOG

# Accept TCP packets coming from local network
/sbin/ipchains -A input -j ACCEPT -p all -s $INTERNAL_NET -d $ME -i $INT_IF
/sbin/ipchains -A output -j ACCEPT -p all -s $ME -d $INTERNAL_NET -i $INT_IF

# Allow unlimited access from inside but only domain from outside
/sbin/ipchains -A input -p tcp -i $EXT_IF -d $INTERNAL_NET domain -y -j ACCEPT

/sbin/ipchains -A input -p tcp -d $ANYWHERE -y -j ACCEPT
/sbin/ipchains -A input -p udp -i $EXT_IF -d $INTERNAL_NET domain -j ACCEPT
/sbin/ipchains -A input -p udp -d $ANYWHERE -j ACCEPT
/sbin/ipchains -A input -p icmp -i $EXT_IF -d $INTERNAL_NET -j ACCEPT
/sbin/ipchains -A input -p icmp -d $ANYWHERE -j ACCEPT

# Accept and masquerade all packets from the inside going anywhere
/sbin/ipchains -A input -j ACCEPT -p all -s $INTERNAL_NET -d $ANYWHERE -i $INT_IF $LOG
/sbin/ipchains -A forward -j MASQ -p all -s $INTERNAL_NET -d $ANYWHERE -i $INT_IF $LOG

# Accept all packets from this host going to the outside net
/sbin/ipchains -A output -j ACCEPT -p all -s $ME -d $ANYWHERE -i $EXT_IF $LOG

# Accept ICMP type 3 (destination unreachable) in both directions on the external interface
/sbin/ipchains -A input -j ACCEPT -p icmp -s $ANYWHERE -d $ME -i $EXT_IF --icmp-type destination-unreachable $LOG
/sbin/ipchains -A output -j ACCEPT -p icmp -s $ME -d $ANYWHERE -i $EXT_IF --icmp-type destination-unreachable $LOG

# IP Accounting rules (user chains only see packets once a rule in input/output jumps to them)
/sbin/ipchains -N netdown
/sbin/ipchains -A netdown -i ppp0 -d $INTERNAL_NET -s $ANYWHERE
/sbin/ipchains -N netup
/sbin/ipchains -A netup -i ppp0 -s $INTERNAL_NET -d $ANYWHERE

# Catch everything rules to provide logging
/sbin/ipchains -A input -j DENY -l
/sbin/ipchains -A output -j DENY -l
/sbin/ipchains -A forward -j DENY -l

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

-- End Firewall Script --

Sorry about the word wrapping on this message; I had to turn it off so it wouldn't muck up the script file. Thanks in advance,

David Findlay
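To see which of the posted rules a given packet actually hits, here is an added Python tracer (my own example, not part of the original message or of ipchains) that parses the subset of ipchains syntax the script uses and walks the input chain in order, with $INT_IF, $EXT_IF and $ME substituted; packets are constructed dicts (proto, iface, src, dst, optional dport and syn), and -b, -l, --icmp-type and the localhost rule are left out. One thing it makes visible: the rule `-p tcp -d $ANYWHERE -y -j ACCEPT` carries no -i or -s restriction, so it accepts an inbound TCP SYN arriving on ppp0 just as it does one from eth0.

```python
from ipaddress import ip_address, ip_network

PORTS = {"domain": 53}  # service name the posted script puts after an address

def parse_rule(line):
    # Covers the ipchains options the posted script uses; -A, -b, -l and --icmp-type are skipped.
    toks, rule, i = line.split(), {}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):  # address[/mask], optionally followed by a port
            rule[t] = ip_network(toks[i + 1], strict=False)
            i += 2
            if i < len(toks) and toks[i][0] not in "-!":
                rule[t + "port"] = int(PORTS.get(toks[i], toks[i]))
                i += 1
        elif t in ("-p", "-i", "-j"):
            rule[t] = toks[i + 1]
            i += 2
        elif t in ("-y", "!"):  # "-y" matches SYN only, "! -y" everything but SYN
            rule["syn"], i = t == "-y", i + (1 if t == "-y" else 2)
        else:
            i += 1
    return rule

def matches(rule, pkt):
    addrs_ok = all(opt not in rule or ip_address(pkt[key]) in rule[opt]
                   for opt, key in (("-s", "src"), ("-d", "dst")))
    syn, dport = pkt.get("syn", False), pkt.get("dport")
    return (addrs_ok and rule.get("-p", "all") in ("all", pkt["proto"])
            and rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("syn", syn) == syn and rule.get("-dport", dport) == dport)

def trace(rules, policy, pkt):
    # First terminating target wins; RETURN in a built-in chain applies the policy at once.
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            if rule.get("-j") == "RETURN":
                break
            if rule.get("-j") in ("ACCEPT", "DENY", "REJECT"):
                return rule["-j"], n
    return policy, None

INPUT_RULES = [parse_rule(line) for line in (  # the posted input chain, variables substituted
    "-A input -j RETURN -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -i ppp0",
    "-A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.0.3 ! -y -b",
    "-A input -p tcp -i ppp0 -d 192.168.0.0/24 domain -y -j ACCEPT",
    "-A input -p tcp -d 0.0.0.0/0 -y -j ACCEPT",
    "-A input -j ACCEPT -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -i eth0",
    "-A input -j DENY -l",
)]
```

`trace(INPUT_RULES, "DENY", pkt)` returns the verdict and the 1-based number of the rule that produced it, or `(policy, None)` when the chain ran out or the spoofing RETURN fired.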


