EigerStein DMZ v1.1 Proxy ARP installation

This attempts to document my working EigerStein Static IP/Proxy ARP installation.

The biggest problem I had was making sure that I had matching versions of network.conf, network, and ipfilter.conf. For example, if you get error messages like "walk-list not found" that means that you aren't running the right version of init.d/network.

I work for an ISP and have 16 static IPs with an ISDN connection, and I have my own domain living on those IPs. Due to security issues with my job I wish to have one or two of the machines in my house on a separate DMZ network (that is, I do if I understand the concept correctly).

I'm using as my base Charles' LRP-CD Proxy ARP config files on top of the other stuff from the ScriptsV1.1.zip file. (Thanks, Charles!)

# uname -a
Linux Router zippy 2.2.16 #1 Sun Jun 11 11:33:38 CDT 2000

It's running on a P75 with an ancient IBM monochrome display adapter and 3 3c509 NICs.

Here's the topology I'm running:

my ISP makes available static IP 123.231.45.16/28
|
| <-ISDN line
|
123.231.45.17 Pipeline 75 ISDN modem and Mickey Mouse(tm) packet filter
|
| <-10baseT
|
|     LRP:
+---123.231.45.18 eth0
    192.168.1.254 eth1------HUB-------192.168.1.0/24 workstations
+---123.231.45.18 eth2
|
DMZ HUB
|
+--123.231.45.29 web server, also virtual domains at 123.231.45.22 and 23
|
+--123.231.45.30 mail/dns server 


My intent is that the machines on the DMZ net have complete access to the net, including the ability to display X apps from clients outside my IP space. For this reason I assume that I can't put them on the 192.168.1.0 net.

The workstations on the 192.168 net work fine: IP masquerading works, and they all look to the outside world like they are 123.231.45.18.

The machines on the 192.168.1/24 network all have:

nameserver 192.168.1.254
nameserver 123.231.45.30
in their resolv.conf files.

Bill Dudley
dud -at sign- casano -dot- com


Scripts from LRP box running DMZ EigerStein 1.1


/etc/network.conf
/etc/ipfilter.conf
/etc/init.d/network

/etc/network.conf
###############################################################################
# Brief instructions for this file
###############################################################################
NETWORK_CONF_VERSION=20010330
#
# VERBOSE=(YES/NO)			Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int)			Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entries)
# Setting this value too high will decrease the speed of the configuration
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON)	Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO)	Default: NO
# Enable IP Global defragmentation in the kernel.  
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets. 
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm.  DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCs.  This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers behind the router. Another use is a packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO)		Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO)		Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO)			Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST                       	Default: "$IF_AUTO"
# A space separated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO                       	Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw  interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are 
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall)	Default: "none"
# Selects the basic IP filtering/firewalling setup of the router.  "None" 
# is used for a straight through router, "router" for a filtering router with
# IP spoof protection and Martian protection and "firewall" for a basic IP 
# masquerading/NAT firewall.  The basic filter types are provided in 
# /etc/ipfilter.conf.  If you want more than what is provided read the man 
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
###############################################################################
# General Settings
###############################################################################

VERBOSE=YES
MAX_LOOP=10

IPFWDING_KERNEL=FILTER_ON

IPALWAYSDEFRAG_KERNEL=YES

CONFIG_HOSTNAME=YES

CONFIG_HOSTSFILE=YES

CONFIG_DNS=YES

###############################################################################
# Interfaces
###############################################################################

# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
IF_AUTO="eth0 eth1 eth2"
# List of all configured interfaces, manual start and boot start 
IF_LIST="$IF_AUTO" 	

# Accept ICMP Redirects on ALL interfaces, also depends on /proc 
# per interface IP forwarding flag. - YES/NO 
ALLIF_ACCEPT_REDIRECTS=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, some
#	  WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""

eth0_IPADDR=123.231.45.18
eth0_MASKLEN=28
eth0_BROADCAST=123.231.45.31
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
eth0_DEFAULT_GW=123.231.45.17
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
#   format: prefix[_arg[_arg...]] - extra fields are appended to 'ip route add'
# NewTek Config for SanFrancisco note:
# This tells linux the Default GW is via this interface
# All other public IP traffic will go out the DMZ interface
# SA_TX Config note: 0.0.0.2 added to prevent martian errors
# and allow connections from the Ops net (.2 public IP) to work
#eth0_ROUTES="0.0.0.1 0.0.0.2"
eth0_ROUTES="123.231.45.17"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects. Setting it to NO 
# makes this more secure. Don't turn this off if you have two IP 
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=YES
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit   # Device bandwidth
#eth0_HNDL=2            # Queue Handle - must be unique
#eth0_IABURST=100       # Interactive Burst
#eth0_IARATE=1Mbit      # Interactive Rate
#eth0_PXMTU=1514        # Physical MTU - includes Link Layer header

eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=192.168.1.255
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

eth2_IPADDR=123.231.45.18
eth2_MASKLEN=28
eth2_BROADCAST=123.231.45.31
eth2_ROUTES="123.231.45.16/28"
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=YES
eth2_FAIRQ=NO

# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
ppp_BNDWIDTH=30Kbit
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp_IABURST=20
ppp_IARATE=10Kbit
ppp_PXMTU=1500

###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################

# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www 
# to internal machines below.
IPFILTER_SWITCH=firewall

# This set of variables is used with both sets of filters
SNMP_BLOCK=YES                  # Block all SNMP (YES/NO)
                                # List of IP  Nos used for SNMP management
SNMP_MANAGER_IPS=""
# Fair Queuing support 		
# List of Mark values
MRK_CRIT=1			# Critical traffic, routing, DNS
MRK_IA=2			# Interactive traffic - telnet, ssh, IRC
				# List of traffic types and maps to mark values
				# Setting this variable turns on the 
				# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"

# This set of variables is used with the basic routing filter setup

# This set of variables is used with a basic IP masquerading firewall setup 
#Notation - IP addresses/masklen
# 
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
#	port forwarding when EXTERN_DYNADDR is on because some security
#	leaks will result.  You may also want to limit the external open
#	ports to domain (UDP) for DNS. Anyhow, these features are not that 
#	usable unless you have a static external address 
#
EXTERN_IF="eth0"		# External Interface

# Added for DHCP support
# Setting this to YES causes the script to read EXTERN_IP directly from
# the interface
EXTERN_DHCP=NO			# - YES/NO

# The interface to configure via dhcp
IF_DHCP=$EXTERN_IF


# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address.  Set this to NO for typical ethernet setups, even if you
# are using DHCP
				# External Address dynamically assigned
EXTERN_DYNADDR=NO		# - YES/NO
				#  -- OR --
EXTERN_IP=123.231.45.18		# External Interface IP number

# If external interface is DHCP, read the IP address
# This should probably be moved to the init.d network script, but it seemed
# I put it here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" ] || \
   [ "$EXTERN_DHCP" = "Yes" ] || \
   [ "$EXTERN_DHCP" = "yes" ]; then

  # This computes the IP address of $EXTERN_IF
  # Grep extracts just the line(s) with IP address information from the output
  # of ip addr.  The first sed gets rid of all but the first line (in case
  # there are several IP addresses for some reason), and next sed extracts
  # just the IP address in dot quad notation.
  EXTERN_IP=`ip addr list label $EXTERN_IF | \
             grep inet | \
             sed '1!d' | \
             sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`

  # Debugging - Remove if you like
  # echo Extern IP: $EXTERN_IP

  # If the external address is not configured, use a bogus address for the
  # external interface to prevent a bunch of (harmless) errors that spit out
  # when the IPCHAINS script is called.
  if [ x$EXTERN_IP = x ]; then
    EXTERN_IP=192.168.254.254
  fi
fi

# Silent Deny list added by Charles Steinkuehler to prevent filling the
# logs with denied packets you know about and don't want logged anymore
# These packets are denied very early in the ipchains rules, so be as
# specific as possible with their definitions
# - proto_srcip/mask_dstport
#SILENT_DENY="udp_0.0.0.1_route udp_0.0.0.0/24_37"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
#IPCH_IN=/etc/ipchains.input
#IPCH_FWD=/etc/ipchains.forward
#IPCH_OUT=/etc/ipchains.output

## UDP Services open to outside world
# - srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
#EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc"

# TCP services open to outside world
# - srcip/mask_dstport
#EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp"
EXTERN_TCP_PORTS="0/0_ssh"

# Generic Services open to outside world
# - protocol_srcip/mask_dstport
#EXTERN_PORTS="  50_207.235.86.252/32
#		51_207.235.86.252/32"


# Internal interface
INTERN_IF="eth1"		# Internal Interface
INTERN_NET=192.168.1.0/24	# One (or more) Internal network(s)
# Alternate form of INTERN_NET:
#INTERN_NET="192.168.1.0/24 192.168.2.0/24 192.168.4.0/24"

INTERN_IP=192.168.1.254		# IP number of Internal Interface
				# (to allow forwarding to external IP)
MASQ_SWITCH=YES			# Masquerade internal network to outside
				# world - YES/NO
# These services are not masqueraded from inside to outside. proto_destnet_port
# Allows the firewall to be trusted for ssh access to routers...
# Override for below
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
# services not to be masqueraded
#NOMASQ_DEST="tcp_0/0_ssh"
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#       proto_extip_extport_intip_intport
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1	# Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1	# Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1	# Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1	# Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1	# Internal IMAP server to make available
INTERN_SSH_SERVER=192.168.1.26	# Internal SSH server to make available
#EXTERN_SSH_PORT=24		# External port to use for internal SSH access

# DMZ setup
# Whether you want a DMZ or not (YES, PROXY, NO)
DMZ_SWITCH=PROXY
DMZ_IF="eth2"			# DMZ Interface
DMZ_NET=123.231.45.16/28	# DMZ Network

# For Proxy-Arp DMZ's only:
# These IP's are on the external net...all others in the network are assumed
# to be DMZ addresses
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $eth0_IPADDR"

# Shorthands for DMZ firewall rules:
zappa="123.231.45.29"
dudley="123.231.45.30"
eeny="123.231.45.22"
meeny="123.231.45.23"

## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!

# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: as the dest port range
# in DMZ_OPEN_DEST
#DMZ_HIGH_TCP_CONNECT=YES

## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
#DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"

# Inbound services to allow to the DMZ
# - proto_dstip/mask_dstport
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
		tcp_${DMZ_NET}_ssh
		tcp_${DMZ_NET}_domain
		icmp_${DMZ_NET}_:
		tcp_${dudley}_ftp
		tcp_${zappa}_www
		tcp_${eeny}_www
		tcp_${meeny}_www
		tcp_${zappa}_6000:6004
		tcp_${dudley}_smtp"
#		tcp_${dudley}_imap2
#		tcp_${dudley}_pop-3"

###############################################################################
# Interface activation/deactivation functions
#  Here so that special interface commands can be called and daemons started
#  
#  Arps can be set up here, network/host routes and so forth.
#
#  This appears to be a little messy but is needed to achieve maximum 
#  functionality and flexibility.
#
###############################################################################

echo_rtepfx () {
	local IFS='_'
	set -- $1
	echo $1
}

echo_rteargs () {
	local IFS='_'
	set -- $1
	shift
	echo $@
}

if_up () {
	local ADDR

	# sort out a few things to make life easier - here so that you
	# can see what is done and so that you can add anything if needed
	eval local IPADDR=\${"$1"_IPADDR:-""}     # I am also a good genius
	eval local MASKLEN=\${"$1"_MASKLEN:-""}
	eval local BROADCAST=\${"$1"_BROADCAST:-""}
	eval local PTPADDR=\${"$1"_PTPADDR:-""}
	eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
	eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""} 
	eval local ROUTES=\${"$1"_ROUTES:-""}
	eval local FAIRQ=\${"$1"_FAIRQ:-""}
	eval local TXQLEN=\${"$1"_TXQLEN:-""}
	eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
	eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
	eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
	eval local BRIDGE=\${"$1"_BRIDGE:-""}
	eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
	if [ -n "$BROADCAST" ] ; then
		IFCFG_BROADCAST="broadcast $BROADCAST"
	fi

        # Do dee global bridge stuff
	brg_global
	
	# Set default interface flags here - used for PPP and WAN interfaces
	if_setproc default rp_filter $DEF_IP_SPOOF
	if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
	if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
	
	# Set up each interface
	case $1 in
	ppp0)
		pppd call provider
		;;
	fr*)
		wanconfig card wanpipe1 dev $1 start
		ip addr add $IPADDR peer $PTPADDR dev $1 		
		ip link set $1 up
		# Fair queuing - this can be selected for any interface
		ip_frQoS $1
		;;
	*)      # default interface startup
		brg_iface $1 up $BRIDGE
		[ -n "$IPADDR" ] \
			&& ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
		for ADDR in $IP_EXTRA_ADDRS; do
			ip addr add $ADDR dev $1
		done

		ip link set $1 up

		case "$PROXY_ARP" in 
		YES|Yes|yes)
			ip route flush dev $1
			;;
		*)
			;;
		esac

		# Fair queuing - this can be selected for any interface
		ip_QoS $1
		;;
	esac

	for route in $ROUTES; do
		ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
	done

	# Do universal interface config items here 
	# Default route support
	[ -n "$DEFAULT_GW" ] \
		&& ip route replace default nexthop via $DEFAULT_GW dev $1
	# Set the TX Queue Length
	[ -n "$TXQLEN" ] \
		&& ip link set $1 txqlen $TXQLEN 
	# Spoof protection
	if_setproc $1 rp_filter $IP_SPOOF
	# Kernel logging of martians on this interface
	if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
	# Shared Media stuff
	if_setproc $1 shared_media $IP_SHARED_MEDIA
	# Proxy ARP support
	if_setproc $1 proxy_arp $PROXY_ARP
		
	return 0
}

if_down () {

	# Do Dee global bridge stuff
	brg_global

	case $1 in 
	ppp*)
		[ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
		sleep 5        # Wait for pppd to die 
		;;
	fr*)
		qt ip link set $1 down
		qt ip addr flush dev $1 
		qt wanconfig card wanpipe1 dev $1 stop
		;;
	*)	# default action
		brg_iface $1 down
		ip link set $1 down    # This also kills any routes 
		qt ip addr flush dev $1
		;;
	esac

	# Clean up any QoS/fair queuing stuff
	ip_QoSclear $1

	true

}	#END if_down

###############################################################################
# Hostname					Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=zippy

###############################################################################
# Hosts file (Static domainname entries)	Requires: CONFIG_HOSTSFILE=YES
###############################################################################
#	IP		FQDN				hostname alias1 alias2..
HOSTS0="$eth0_IPADDR	$HOSTNAME.private.network	$HOSTNAME mr rtr"
HOSTS1="192.168.1.29	farlow.private.network		farlow"
HOSTS2="192.168.1.28	longhair.private.network	longhair"
HOSTS3="192.168.1.27	pass.private.network		pass"
HOSTS4="192.168.1.26	django.private.network		django"
HOSTS5="192.168.1.25	booker.private.network		booker"
HOSTS6="123.231.45.29	zappa.casano.com		zappa"
HOSTS7="123.231.45.30	dudley.casano.com		dudley"
HOSTS8="$eth2_IPADDR	zippy.dmz.network		zippy2"
HOSTS9="$eth1_IPADDR	zippy.private.network		zippy1"

###############################################################################
# Domain Search Order and Name Servers		Requires: CONFIG_DNS=YES
###############################################################################

DOMAINS="casano.com private.network dmz.network"

DNS0=123.231.45.30
DNS1=123.231.236.1

###############################################################################
# QoS/Fair queueing functions
###############################################################################

ip_QoSclear () {
	[ -x /sbin/tc ] \
		&& qt tc qdisc del dev $1 root
	return 0
}

ip_frQoS () {

	# Set some variables
	eval local FAIRQ=\${"$1"_FAIRQ:-""}
	eval local BULKRATE=\${"$1"_BULKRATE:-""}
	eval local BULKBURST=\${"$1"_BULKBURST:-""}
	eval local FRBURST=\${"$1"_FRBURST:-""}
	eval local HNDL=\${"$1"_HNDL:-""}
	eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
	eval local IARATE=\${"$1"_IARATE:-""}
	eval local IABURST=\${"$1"_IABURST:-""}
	eval local PXMTU=\${"$1"_PXMTU:-""}


	if [ ! -x /sbin/tc ]; then
		return 1
	fi	

	if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
	then
		return 1
	fi 

	if [ -z "$BULKRATE" -o -z "$FRBURST" -o -z "$HNDL" -o -z "$PXMTU" \
		-o -z "$BNDWIDTH" -o -z "$IARATE" -o -z "$IABURST" \
		-o -z "$BULKBURST" ]; then
		tc qdisc replace dev $1 root sfq
		return 0
	fi
	
	# Attach CBQ  to device 
	tc qdisc add dev $1 root handle $HNDL: cbq \
		bandwidth $BNDWIDTH avpkt 1000
	# Set up classes
	# Bulk class
	tc class add dev $1 parent $HNDL:0 classid :1 \
		est 1sec 8sec cbq bandwidth $BNDWIDTH \
		rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
		avpkt 1000 maxburst $BULKBURST \
		split $HNDL:0 defmap ff7f
	tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
	# Interactive Class
	tc class add dev $1 parent $HNDL:0 classid :2 \
		est 2sec 16sec cbq bandwidth $BNDWIDTH \
		rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
		avpkt 1000 maxburst $IABURST \
		split $HNDL:0 defmap 80
	tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
	# Priority class
	tc class add dev $1 parent $HNDL:0 classid :3 \
		est 1sec 8sec cbq bandwidth $BNDWIDTH \
		rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
		avpkt 1000 maxburst 21
	tc qdisc add dev $1 parent $HNDL:3 pfifo
	# Add filters
	tc filter add dev $1 parent $HNDL:0 protocol ip \
		priority 50 handle $MRK_CRIT fw classid $HNDL:3
	tc filter add dev $1 parent $HNDL:0 protocol ip \
		priority 60 handle $MRK_IA fw classid $HNDL:2

	return 0
}

ip_QoS () {

	# Set some variables
	eval local HNDL=\${"$1"_HNDL:-""}
	eval local FAIRQ=\${"$1"_FAIRQ:-""}
	if [ -z "$FAIRQ" -a -n "$2" ]; then
		 local FAIRQ=$2 
	fi
	eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
	if [ -z "$BNDWIDTH" -a -n "$3" ]; then 
		 local BNDWIDTH=$3 
	fi
	eval local PXMTU=\${"$1"_PXMTU:-""}
	if [ -z "$PXMTU" -a -n "$4" ]; then 
		 local PXMTU=$4 
	fi
	eval local IARATE=\${"$1"_IARATE:-""}
	if [ -z "$IARATE" -a -n "$5" ]; then 
		local IARATE=$5 
	fi
	eval local IABURST=\${"$1"_IABURST:-""}
	if [ -z "$IABURST" -a -n "$6" ]; then 
		local IABURST=$6 
	fi

	if [ ! -x /sbin/tc ]; then
		return 1
	fi	

	if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
	then
		return 1
	fi 

	if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" -o -z "$HNDL" \
		-o -z "$PXMTU" ]; then
		tc qdisc replace dev $1 root sfq
		return 0
	fi

	# Attach CBQ  to device 
	tc qdisc add dev $1 root handle $HNDL: cbq \
		bandwidth $BNDWIDTH \
		avpkt 1000
	# Set up classes
	# Bulk class
	tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec \
		cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
		allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
		split $HNDL:0 defmap ff7f
	tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
	# Interactive class
	tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec \
		cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \
		allot $PXMTU avpkt 1000 bounded isolated weight 1 \
		prio 2 split $HNDL:0 defmap 80
	tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
	# Priority class
	tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec \
		cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
		allot $PXMTU avpkt 1000 bounded weight 1 prio 1
	tc qdisc add dev $1 parent $HNDL:3 pfifo
	# Add filters
	tc filter add dev $1 parent $HNDL:0 protocol ip \
		priority 50 handle $MRK_CRIT fw classid $HNDL:3
	tc filter add dev $1 parent $HNDL:0 protocol ip \
		priority 60 handle $MRK_IA fw classid $HNDL:2

	return 0
}

###############################################################################
# End
###############################################################################
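
Added example, not part of the original post or the LRP scripts: a dry-run audit of the DMZ_OPEN_DEST tuples from the network.conf above, split on '_' the same way the echoProto/echoIp/echoPort helpers in ipfilter.conf split them, flagging any tuple that opens a port the DMZ_CLOSED_DEST comment calls out as sensitive (X 6000-6004, xfs 7100, MySQL 3306, NFS 2049). The service-name to port-number map is an assumption taken from the usual /etc/services entries for the names the config uses.

```shell
#!/bin/sh
# Added example (not from the LRP scripts or the original post): audit the
# DMZ_OPEN_DEST tuples (proto_dstip/mask_dstport) and report which ones
# expose a port from the sensitive list in the DMZ_CLOSED_DEST comment.
# Addresses, shorthands and the tuple list are copied from network.conf.
DMZ_NET=123.231.45.16/28
zappa=123.231.45.29
dudley=123.231.45.30
eeny=123.231.45.22
meeny=123.231.45.23

DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
	tcp_${DMZ_NET}_ssh
	tcp_${DMZ_NET}_domain
	icmp_${DMZ_NET}_:
	tcp_${dudley}_ftp
	tcp_${zappa}_www
	tcp_${eeny}_www
	tcp_${meeny}_www
	tcp_${zappa}_6000:6004
	tcp_${dudley}_smtp"

# From the "## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs" comment in network.conf
SENSITIVE_PORTS="2049 3306 6000 6001 6002 6003 6004 7100"

# port_number NAME|NUMBER -> port number, or nothing for an unknown name.
# Assumption: /etc/services numbers for the names the page's config uses.
port_number () {
	case $1 in
		[0-9]*)  echo "$1" ;;
		ftp)     echo 21 ;;
		ssh)     echo 22 ;;
		smtp)    echo 25 ;;
		domain)  echo 53 ;;
		www)     echo 80 ;;
		pop-3)   echo 110 ;;
		imap2)   echo 143 ;;
		*)       echo "" ;;
	esac
}

# check_tuple TUPLE -> prints OK, SENSITIVE:<port> or BAD:<reason>
check_tuple () {
	tuple=$1
	# Same IFS='_' split the ipfilter.conf echoProto/echoIp/echoPort helpers use
	oldifs=$IFS; IFS='_'; set -- $tuple; IFS=$oldifs
	[ $# -eq 3 ] || { echo "BAD:field-count"; return 0; }
	proto=$1; port=$3
	case $proto in
		icmp)    echo OK; return 0 ;;   # third field is an ICMP type, not a port
		tcp|udp) ;;
		*)       echo "BAD:proto"; return 0 ;;
	esac
	# Port spec is N, lo:hi, lo:, :hi or ':' (all ports); names are allowed.
	lo=${port%%:*}; hi=${port#*:}
	lo=$(port_number "${lo:-0}"); hi=$(port_number "${hi:-65535}")
	[ -n "$lo" ] && [ -n "$hi" ] || { echo "BAD:unknown-service:$port"; return 0; }
	for s in $SENSITIVE_PORTS; do
		if [ "$s" -ge "$lo" ] && [ "$s" -le "$hi" ]; then
			echo "SENSITIVE:$s"; return 0
		fi
	done
	echo OK
}

# audit_open_dest -> one "<tuple> <result>" line per DMZ_OPEN_DEST entry
audit_open_dest () {
	for t in $DMZ_OPEN_DEST; do
		echo "$t $(check_tuple "$t")"
	done
}

audit_open_dest
```

With the page's list the only flagged entry is tcp_${zappa}_6000:6004, the X display range the post deliberately opens; the audit makes that exposure explicit rather than hiding it inside the tuple list.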

/etc/ipfilter.conf
#
#
# ipfilter.conf This file contains the functions that contain the firewall
#               and ipfilter configuration. This is an example setup for 
#               IP masquerading
#
IPFILTER_CONF_VERSION=20010330

# set -x # Uncomment for script debug

IPCH="/sbin/ipchains --no-warnings"
IPMASQADM=/usr/sbin/ipmasqadm

# DONT change this!
LOCAL_NET=127.0.0.0/8
LOCAL_IP=127.0.0.1

# Some functions to handle Protocol IP Port tuples
echoProto () {
	local IFS='_'
	set -- $1
	echo $1
}

echoIp () {
	local IFS='_'
	set -- $1
	echo "$2"
}

echoPort () {
	local IFS='_'
	set -- $1
	echo "$3"
}

echoIpPort () {
	local IFS='_'
	set -- $1
	echo "$2 $3"
}

echoSrvIpPort () {
	local IFS='_'
	set -- $1
	echo "$4 $5"
}

echoMrkMark () {
	local IFS='_'
	set -- $1
	echo $1
}

echoMrkProto () {
	local IFS='_'
	set -- $1
	echo $2
}

echoMrkIpPort () {
	local IFS='_'
	set -- $1
	echo "$3 $4"
}

echoBpSrc () {
	local IFS='_'
	set -- $1
	echo "$2"
}

echoBpDstPort () {
	local IFS='_'
	set -- $1
	echo "$3 $4"
}

echoFwDstPort () {
	local IFS='_'
	set -- $1
	echo "$2"
}

echoFwSrcIp () {
	local IFS='_'
	set -- $1
	echo "$1"
}

# A function to filter out Martian source addresses
stopMartians () {
	local LIST=$1
	shift

	# The source addresses listed here are conservatively 
	# invalid as they are either used as broadcast/multicast
	# destination addresses, a special value in IP stacks, loopback 
	# networks and illegal/ambiguous Classed IP addressing networks.
	#
	# You can add your 'martian/invalid' source address blocks to the 
	# MARTIAN_NETS list in /etc/network.conf
	
	# All ones, all zeroes
	$IPCH -A $LIST -j DENY -p all  -s 0.0.0.0 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 255.255.255.255 -d 0/0 -l $*

	# Loop back addresses
	$IPCH -A $LIST -j DENY -p all  -s 127.0.0.0/8 -d 0/0 -l $*

	# Multicast source addresses
	$IPCH -A $LIST -j DENY -p all  -s 224.0.0.0/4 -d 0/0 -l $*

	# RFC 1918/1627/1597 blocks
 	$IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 172.16.0.0/12 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 192.168.0.0/16 -d 0/0 -l $*

	# IANA reserved blocks (Martians from the gated restricted list
	# - actually impossible/ambiguous classed networks)
	$IPCH -A $LIST -j DENY -p all  -s 0.0.0.0/8 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 128.0.0.0/16 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 191.255.0.0/16 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 192.0.0.0/24 -d 0/0 -l $*
	$IPCH -A $LIST -j DENY -p all  -s 223.255.255.0/24 -d 0/0 -l $*
	# Class E address (experimental use)
	$IPCH -A $LIST -j DENY -p all  -s 240.0.0.0/4 -d 0/0 -l $*

	# Additions/other IANA reserved blocks 
	for NET in $MARTIAN_NETS; do
		$IPCH -A $LIST -j DENY -p all -s $NET -d 0/0 -l $*
	done; unset NET
}

# A  function to block services that give trouble on an IFACE
standardBlock () {
	local LIST=$1
	shift
	
	# Block SMB/Windows networking to protect Windows boxes and to stop
	# Windows NT doing braindead things with mail, www, etc
	# This also prevents Internet Explorer spraying user logins
	# and passwords everywhere
	$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 netbios-ns $*
	$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 135 $*
	$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-ns $*
	$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 135 $*
	$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 netbios-dgm:netbios-ssn $*
	$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-dgm $*
	$IPCH -A $LIST -j REJECT -p udp -s 0/0 netbios-ns:netbios-dgm -d 0/0 $*
	$IPCH -A $LIST -j REJECT -p udp -s 0/0 135 -d 0/0 $*
	$IPCH -A $LIST -j REJECT -p tcp -s 0/0 netbios-ns:netbios-ssn -d 0/0 $*
	$IPCH -A $LIST -j REJECT -p tcp -s 0/0 135 -d 0/0 $*
	
}

# A function to control SNMP access on a network
snmpBlock () {
	local LIST=$1
	local DEST_IP=$2
	local SNMP_IP
	shift 2

	if [ "$SNMP_BLOCK" != "YES" -a "$SNMP_BLOCK" != "Yes" \
		-a "$SNMP_BLOCK" != "yes" ] ; then
		return 0
	fi

	for SNMP_IP in $SNMP_MANAGER_IPS; do
		$IPCH -A $LIST -j ACCEPT -p udp -s $SNMP_IP -d $DEST_IP 161:162 $*
	done; unset SNMP_IP 
	$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d $DEST_IP 161:162 -l $*
}

# A function to build rule chains for checking the overlapping IP space
# when running a proxy-arp'd DMZ network
ipfilter_dmzChain () {
	local CHAIN=$1
	local SRC_DEST=$2
	local DEST_RULE=$3
	shift 3

	case "$SRC_DEST" in
	S*|s*)
		SRC_DEST="-s"
		;;
	D*|d*)
		SRC_DEST="-d"
		;;
	*)
		echo "ipfilter_dmzChain: Invalid parameter: $SRC_DEST" >&2
		SRC_DEST="-s"
		;;
	esac

	# Create new chain
	$IPCH -N $CHAIN

	# Return to main ruleset if source is an expected external IP
	for ADDR in $DMZ_EXT_ADDRS; do
		$IPCH -A $CHAIN -j RETURN -p all $SRC_DEST $ADDR
	done; unset ADDR

	# Anything else is a DMZ IP
	$IPCH -A $CHAIN -j $DEST_RULE -p all $*
}

# A function to mark packets for classification 
ipfilter_fairq () {
    [ -z "$CLS_FAIRQ" ] && return 0

    # Create new chain
    $IPCH -N fairq

    # Populate chain
    for CLS in $CLS_FAIRQ; do
	$IPCH -A fairq -j RETURN -m `echoMrkMark $CLS` -p `echoMrkProto $CLS` \
		-d `echoMrkIpPort $CLS` -b	
    done; unset CLS	

    return 0
}

# A function to flush the filters (for internal use)
ipfilter_flush  () {
    # Flush the filters out
    $IPCH -F input          # input firewall list
    $IPCH -F output         # output firewall list
    $IPCH -F forward        # forwarding firewall list
    # Flush fairq chain!
    [ -n "$CLS_FAIRQ" ] && qt $IPCH -F fairq && qt $IPCH -X fairq 

    if [ "$DMZ_SWITCH" = "PROXY" -o "$DMZ_SWITCH" = "Proxy" \
	-o "$DMZ_SWITCH" = "proxy" ]; then
	# Flush Proxy-Arp DMZ chains:
	qt $IPCH -F dmzSpoof && qt $IPCH -X dmzSpoof
	qt $IPCH -F dmzIn && qt $IPCH -X dmzIn
    fi

    # Flush portfw rules
    [ "$IPPORTFW" ] && $IPMASQADM portfw -f    
    # Flush autofw rules
    [ "$IPAUTOFW" ] && $IPMASQADM autofw -F
    # Flush mfw rules
    [ "$IPMFW" ] && $IPMASQADM mfw -F

}

# A function to set the filter default policies
ipfilter_policy () {
    $IPCH -P input $1
    $IPCH -P output $1
    $IPCH -P forward $1
}

# A function to clear the filters
ipfilter_clear () {

    # Flush the filters
    ipfilter_flush

    # Reset the default policy
    #
    # ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING!  If
    # you turn off the filters, the box will become opaque to any traffic! 
    #
    ipfilter_policy ACCEPT
}


# A function to configure the filters for routing
ipfilter_router_cfg () {
#
# set default policies 
# 
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING!  If
# you turn off the filters, the box will become opaque to any traffic! 
#
ipfilter_policy DENY

# Clear any garbage rules out of the filters
ipfilter_flush

# Set up Fair Queueing classifier lists
ipfilter_fairq

# Forwarding

$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
	$IPCH -A forward -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A forward -j ACCEPT -p all -s 0/0 -d 0/0



# Incoming Stuff

# Do this here to control junk coming in - good for defending against flood
# attacks
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" = "yes" ];
	then
	# Origin  blocking
	for SRC in $BLOCKED_INSRC; do
		$IPCH -A input -j DENY -p `echoProto $SRC` \
			-s `echoIpPort $SRC` -i $EXTERN_RIF
	done; unset SRC
	for SRC in $LOGGED_BLOCKED_INSRC; do
		$IPCH -A input -j DENY -p `echoProto $SRC` \
			-s `echoIpPort $SRC` -i $EXTERN_RIF -l
	done; unset SRC
fi


# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l

# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" = "yes" ];
	then

	# Get rid of incoming Martians
	stopMartians input -i $EXTERN_RIF

	# Prevent RFC 1918/1627/1597 IP packets from coming in
	$IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
	$IPCH -A input -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i $EXTERN_RIF
	$IPCH -A input -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i $EXTERN_RIF

	# Allow icmp/BGP  coming in on our link net
	if [ -n "$LINK_NET" ]; then
		$IPCH -A input -j ACCEPT -p icmp -s $LINK_NET -d 0/0 \
			-i $EXTERN_RIF
		$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET -d $LINK_NET bgp \
			-i $EXTERN_RIF
		$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET bgp \
			-d $LINK_NET 1024:65535 ! -y -i $EXTERN_RIF

#		$IPCH -A input -j ACCEPT -p udp -s $LINK_NET -d $LINK_NET egp \
#			-i $EXTERN_RIF
#		$IPCH -A input -j ACCEPT -p udp -s $LINK_NET egp \
#			-d $LINK_NET 1024:65535 -i $EXTERN_RIF
	fi

	# Get rid of fake packets from our internal source addresses
	for IP in $IP_BLOCKS; do
		$IPCH -A input -j DENY -p all -s $IP -d 0/0 -i $EXTERN_RIF -l
	done; unset IP

	# Destination  blocking
	for DEST in $BLOCKED_INDEST; do
		$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
			-d `echoIpPort $DEST` -i $EXTERN_RIF
	done; unset DEST
	for DEST in $LOGGED_BLOCKED_INDEST; do
		$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
			-d `echoIpPort $DEST` -i $EXTERN_RIF -l
	done; unset DEST

	# SNMP control - Prevent SNMP access to our network
	if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
		-o "$SNMP_BLOCK" = "yes" ] ; then
		$IPCH -A input -j REJECT -p udp -s 0/0 -d 0/0 161:162 \
			-i $EXTERN_RIF -l
	fi
		
	# Block SMB stuff on input interface
	if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
		"$SMB_BLOCK" = "yes" ]; then
		standardBlock input -i $EXTERN_RIF
	fi	

	# DNS control - only allow certain machines to do zone transfers
	if [ -n "$DNS_IPS" ]; then
		for IP in $DNS_IPS; do
			# accept zone transfers only from the listed DNS hosts
			$IPCH -A input -j ACCEPT -p tcp -s $IP -d 0/0 domain -i $EXTERN_RIF
		done; unset IP
		$IPCH -A input -j REJECT -p tcp -d 0/0 domain -i $EXTERN_RIF -l
	fi

fi

# Stop address spoofing - uncomment the next two lines if needed
# $IPCH -A input -j ACCEPT -p all -s $LOCAL_IP -d 0/0 -i lo
# stopMartians input

# Control SNMP access in network
snmpBlock input 0/0 -b

# On all other interfaces accept everything.
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
	$IPCH -A input -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0


# Outgoing stuff

# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq 

# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" = "yes" ]
	then
	
	# Stop outgoing RFC 1918/1627/1597 packets
	$IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
	$IPCH -A output -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i $EXTERN_RIF
	$IPCH -A output -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i $EXTERN_RIF
	
	# Log and stop certain outgoing traffic
	for DEST in $BLOCKED_OUTDEST; do
		$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
			-d `echoIpPort $DEST` -i $EXTERN_RIF
	done; unset DEST
	for DEST in $LOGGED_BLOCKED_OUTDEST; do
		$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
			-d `echoIpPort $DEST` -i $EXTERN_RIF -l
	done; unset DEST

	# Block SMB stuff on output interface
	if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
		"$SMB_BLOCK" = "yes" ]; then
		standardBlock output -i $EXTERN_RIF
	fi	

	# Control Outgoing Source addresses
	for IP in $IP_BLOCKS; do
		if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
			$IPCH -A output -j ACCEPT -f -p all -s $IP -d 0/0 \
				-i $EXTERN_RIF
		fi
		$IPCH -A output -j ACCEPT -p all -s $IP -d 0/0 -i $EXTERN_RIF
	done; unset IP
	$IPCH -A output -j DENY -p all -i $EXTERN_RIF -l 	
fi


#
#	Server screening control.
#
for IF in $SERVER_RIFS; do
	
	# localise variables
	eval local BYPASS=\${"$IF"_BYPASS:-""}
	eval local PORT_BLOCK=\${"$IF"_PORT_BLOCK:-""}
	eval local LOGGED_PORT_BLOCK=\${"$IF"_LOGGED_PORT_BLOCK:-""}
	eval local SMB_BLOCK=\${"$IF"_SMB_BLOCK:-""}
	eval local HOST_BYPASS=\${"$IF"_HOST_BYPASS:-""}
	eval local HOST_ACKPASS=\${"$IF"_HOST_ACKPASS:-""}
	eval local HOST_BLOCK=\${"$IF"_HOST_BLOCK:-""}
	
	# Block Martians
	stopMartians output -i $IF

	# Bypass for port blocks
	for PASS in $BYPASS; do
		$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
			-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS` -i $IF
	done; unset PASS

	# Port Blocks
	for DEST in $PORT_BLOCK; do
		$IPCH -A output -j REJECT -p `echoProto $DEST` \
			-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF
	done; unset DEST

	for DEST in $LOGGED_PORT_BLOCK; do
		$IPCH -A output -j REJECT -p `echoProto $DEST` \
			-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF -l
	done; unset DEST

	# SMB blocking
	if [ "$SMB_BLOCK" != "NO" -a "$SMB_BLOCK" != "No" \
		-a "$SMB_BLOCK" != "no" ]; then
		standardBlock output -i $IF
	fi
 
	#Host Bypassing
	for PASS in $HOST_BYPASS; do
		$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
			-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS` -i $IF
	done; unset PASS

	#Host Blocking
	for DEST in $HOST_BLOCK; do
		$IPCH -A output -j REJECT -p tcp -s 0/0 -d $DEST auth -i $IF 
	done; unset DEST

	for PASS in $HOST_ACKPASS; do
		$IPCH -A output -j ACCEPT -p tcp \
			-s 0/0 -d $PASS 1024:65535 -i $IF  ! -y
	done; unset PASS

	for DEST in $HOST_BLOCK; do
		$IPCH -A output -j DENY -p all -s 0/0 -d $DEST -i $IF -l
	done; unset DEST

	# Otherwise, accept all output on this interface
	if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
		# Handle fragmented packets
		$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0 -i $IF
	fi
	$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0 -i $IF

done; unset IF 

# On all other interfaces accept anything
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
	$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0

}


# A function to configure the filters for firewalling
ipfilter_firewall_cfg () {
local ADDR
local DEST
local NET

#
# set default policies 
# 
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING!  If
# you turn off the filters, the box will become opaque to any traffic! 
#
ipfilter_policy DENY

# Clear any garbage rules out of the filters
ipfilter_flush

# Set up Fair Queueing classifier lists
ipfilter_fairq


#
# Set up forwarding
#
# Set up masquerading timeout values
$IPCH -M -S 14400 0 0
# Stop forwarding of ICMP redirects
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
# Handle masquerading denial - always valid because this controls access
# to DMZ from inside etc.
for PORT in $NOMASQ_DEST_BYPASS; do
	for NET in $INTERN_NET; do
		$IPCH -A forward -j MASQ -p `echoProto $PORT` \
			-s $NET -d `echoIpPort $PORT`
	done; unset NET
done; unset PORT
for PORT in $NOMASQ_DEST; do
	for NET in $INTERN_NET; do
		$IPCH -A forward -j REJECT -p `echoProto $PORT` \
			-s $NET -d `echoIpPort $PORT`
	done; unset NET
done; unset PORT
# Connect DMZ to internet
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
	-o "$DMZ_SWITCH" = "yes" -o "$DMZ_SWITCH" = "PROXY" \
	-o "$DMZ_SWITCH" = "Proxy" -o "$DMZ_SWITCH" = "proxy" ]; then
	# Masquerade internal network to DMZ network
	for NET in $INTERN_NET; do
		$IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i $DMZ_IF
	done; unset NET
	for DEST in $DMZ_CLOSED_DEST; do
		$IPCH -A forward -j REJECT -p `echoProto $DEST` \
			-d `echoIpPort $DEST` -i $DMZ_IF
	done; unset DEST
	for DEST in $DMZ_OPEN_DEST; do
		$IPCH -A forward -j ACCEPT -p `echoProto $DEST` \
			-d `echoIpPort $DEST` -i $DMZ_IF
	done; unset DEST
	if [ "$DMZ_HIGH_TCP_CONNECT" = "YES" \
		-o "$DMZ_HIGH_TCP_CONNECT" = "Yes" \
		-o "$DMZ_HIGH_TCP_CONNECT" = "yes" ]; then 
		$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
			-d $DMZ_NET 1024:65535 -i $DMZ_IF
	else
		$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
			-d $DMZ_NET 1024:65535 -i $DMZ_IF ! -y
	fi
	$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF
	$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF 
	$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF 
	$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
		-d 0/0 -i $EXTERN_IF 
	$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
fi
# Set up port forwards for internal services
for DEST in $INTERN_SERVERS; do
	# Can't deal with PASV mode
	$IPMASQADM portfw -a -P `echoProto $DEST` \
		-L `echoIpPort $DEST` -R `echoSrvIpPort $DEST`
	$IPCH -A forward -j MASQ -p `echoProto $DEST` \
		-s `echoSrvIpPort $DEST`
done; unset DEST

if [ -n "$INTERN_FTP_SERVER" ] ; then
    # Can't deal with PASV mode
    $IPMASQADM portfw -a -P tcp -L $EXTERN_IP ftp -R $INTERN_FTP_SERVER ftp
fi
if [ -n "$INTERN_WWW_SERVER" ] ; then
    $IPMASQADM portfw -a -P tcp -L $EXTERN_IP www -R $INTERN_WWW_SERVER www
fi
if [ -n "$INTERN_SMTP_SERVER" ] ; then
    $IPMASQADM portfw -a -P tcp -L $EXTERN_IP smtp -R $INTERN_SMTP_SERVER smtp
fi
if [ -n "$INTERN_POP3_SERVER" ] ; then
    $IPMASQADM portfw -a -P tcp -L $EXTERN_IP pop-3 -R $INTERN_POP3_SERVER pop-3
fi
if [ -n "$INTERN_IMAP_SERVER" ] ; then
    $IPMASQADM portfw -a -P tcp -L $EXTERN_IP imap -R $INTERN_IMAP_SERVER imap
fi
if [ -n "$INTERN_SSH_SERVER" ] ; then
    if [ -n "$EXTERN_SSH_PORT" ] ; then
	$IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_SSH_PORT \
	    -R $INTERN_SSH_SERVER ssh
    else
	$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ssh \
	    -R $INTERN_SSH_SERVER ssh
    fi
fi

# Masquerade internal network to world
if [ "$MASQ_SWITCH" = "YES" -o "$MASQ_SWITCH" = "Yes" \
	-o "$MASQ_SWITCH" = "yes" ]; then
	for NET in $INTERN_NET; do
		$IPCH -A forward -j MASQ -p all -s $NET -d 0/0 -i $EXTERN_IF
	done; unset NET
fi
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
	-o "$DMZ_SWITCH" = "yes" ]; then
	$IPCH -A forward -j DENY -p all -s 0/0 -d $DMZ_NET -i $DMZ_IF -l
fi

[ -r "$IPCH_FWD" ] && . $IPCH_FWD

$IPCH -A forward -j DENY -p all -s 0/0 -d 0/0

#
#       EXTERNAL INTERFACE
#

# Input filter

# Added by Charles Steinkuehler to provide a way to keep from filling the logs
# with denied packets that we know about and don't want to see anymore
for DEST in $SILENT_DENY; do
    $IPCH -A input -j DENY -p `echoProto $DEST` \
        -s `echoIp $DEST` \
        -d 0/0 `echoPort $DEST` -i $EXTERN_IF
done; unset DEST

# Block ICMP redirects
$IPCH -A input -j DENY -p icmp --icmp-type redirect -l

# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l

# Spoofing prevention
stopMartians input -i $EXTERN_IF
for NET in $INTERN_NET; do
	$IPCH -A input -j DENY -p all  -s $NET -d 0/0 -i $EXTERN_IF -l
done; unset NET
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
        -o "$DMZ_SWITCH" = "yes" ]; then
        $IPCH -A input -j DENY -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF -l
fi

if [ "$DMZ_SWITCH" = "PROXY" -o "$DMZ_SWITCH" = "Proxy" \
    -o "$DMZ_SWITCH" = "proxy" ]; then

	ipfilter_dmzChain dmzSpoof Source DENY -l

	# Call ruleset if source IP matches DMZ_NET specification
	$IPCH -A input -j dmzSpoof -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF
fi

if [ "$EXTERN_DYNADDR" = "YES" -o "$EXTERN_DYNADDR" = "Yes" \
	-o "$EXTERN_DYNADDR" = "yes" ]; then
	 # Spoof protection
        if_setproc $EXTERN_IF rp_filter YES
        # Kernel logging of martians on this interface
        if_setproc $EXTERN_IF log_martians YES
        local EX_IP=0/0
else
	for ADDR in $EXTERN_IP; do
		$IPCH -A input -j DENY -p all -s $ADDR -d 0/0 \
			-i $EXTERN_IF -l
	done; unset ADDR
	local EX_IP=0/0
fi

# Turn off all traffic from net to internal IP numbers
$IPCH -A input -j REJECT -p all  -s 0/0 -d $LOCAL_NET -i $EXTERN_IF -l
for NET in $INTERN_NET; do
	$IPCH -A input -j REJECT -p all  -s 0/0 -d $NET -i $EXTERN_IF -l
done; unset NET
# Stop Netbios shenanigans
standardBlock input -i $EXTERN_IF

# Bypass filters below for DMZ_NET access - port control done in forwarding
# firewall
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
        -o "$DMZ_SWITCH" = "yes" ]; then
	$IPCH -A input -j ACCEPT -p all -s 0/0 -d $DMZ_NET -i $EXTERN_IF
fi

if [ "$DMZ_SWITCH" = "PROXY" -o "$DMZ_SWITCH" = "Proxy" \
    -o "$DMZ_SWITCH" = "proxy" ]; then

	ipfilter_dmzChain dmzIn Dest ACCEPT

	# Call ruleset if destination IP matches DMZ_NET specification
	$IPCH -A input -j dmzIn -p all -s 0/0 -d $DMZ_NET -i $EXTERN_IF
fi

# Generic Services

[ -r "$IPCH_IN" ] && . $IPCH_IN

# Open specified services to the world
for SERVICE in $EXTERN_PORTS; do
    $IPCH -A input -j ACCEPT \
	-p `echoProto $SERVICE` \
	-s `echoIp $SERVICE` \
	-d $EX_IP `echoPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE

# TCP 

# Open specified TCP services to the world
for SERVICE in $EXTERN_TCP_PORTS; do
    $IPCH -A input -j ACCEPT -p tcp -s `echoFwSrcIp $SERVICE` \
    	-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE 
# auth - send a reject packet. You may want to forward this to an internal box
# if using IRC.  Here so that a rule above can override
$IPCH -A input -j REJECT -p tcp -s 0/0 -d 0/0 auth -i $EXTERN_IF 
# NFS server protection
# $IPCH -A input -j DENY -p tcp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Accept all incoming TCP packets to the External interface on non-privileged
# ports
$IPCH -A input -j ACCEPT -p tcp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF 

#UDP
# SNMP control
snmpBlock input $EX_IP -i $EXTERN_IF
# Open specified UDP services to the world
for SERVICE in $EXTERN_UDP_PORTS; do
    $IPCH -A input -j ACCEPT -p udp -s `echoFwSrcIp $SERVICE` \
    	-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE 
# Block NFS access
#$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l 
# Block all incoming DHCP/BOOTP queries - this bypasses the logging further down
$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 bootps -i $EXTERN_IF  
# Allow UDP masquerading for non-privileged services. Comment this out for
# higher security
$IPCH -A input -j ACCEPT -p udp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF

#ICMP
# Uncomment the following to protect against ping bomb attacks on Windows
# $IPCH -A input -j DENY -p icmp -s 0/0 0 8 -d 0/0 -i $EXTERN_IF -l 
$IPCH -A input -j ACCEPT -p icmp -s 0/0 -d $EX_IP -i $EXTERN_IF

# Allow OSPF through - this is for gated to work
$IPCH -A input -j ACCEPT -p 89 -s 0/0 -d 0/0 -i $EXTERN_IF

# Bottom line - DENY anything that does not match
$IPCH -A input -j DENY -p all -s 0/0 -d 0/0 -i $EXTERN_IF -l

#
# Global Incoming
#

# Global control on SNMP
snmpBlock input 0/0 -b

# Allow input on all other interfaces
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0

# Outgoing stuff

# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq 

#Guard against sending rubbish onto Internet
stopMartians output -i $EXTERN_IF
for NET in $INTERN_NET; do
	$IPCH -A output -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF
done; unset NET
# Stop Netbios
standardBlock output -i $EXTERN_IF

[ -r "$IPCH_OUT" ] && . $IPCH_OUT

# Allow output on all other interfaces
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0

}

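The dmzSpoof and dmzIn chains above are what make the Proxy ARP variant work: the DMZ shares the external /28 with the router's own eth0, so a packet arriving on eth0 with a DMZ source is spoofed unless it comes from one of the hosts listed in DMZ_EXT_ADDRS that legitimately sit outside eth0. The following is an added dry-run, not part of the LRP scripts on this page: it re-implements the dmzChain logic with a fake $IPCH that records rules instead of calling ipchains, so the generated chains can be inspected without a 2.2 kernel. DMZ_NET, DMZ_EXT_ADDRS and EXTERN_IF are constructed values modelled on the page's topology; the page's actual network.conf settings are not shown in this section.

```shell
#!/bin/sh
# Added example (not part of the LRP scripts): dry-run of the Proxy ARP DMZ
# anti-spoof chains.  Constructed values modelled on the page's topology:
DMZ_NET=123.231.45.16/28        # the /28 shared by eth0 and the DMZ hub
DMZ_EXT_ADDRS="123.231.45.17"   # hosts in that /28 that legitimately sit outside eth0
EXTERN_IF=eth0
RULES=""

# Fake ipchains: append each invocation to $RULES, one rule per line
fake_ipchains () {
    RULES="${RULES}ipchains $*
"
}
IPCH=fake_ipchains

# Emulation of ipfilter_dmzChain: $1 chain, $2 Source|Dest, $3 target,
# remaining args are extra flags for the final rule (e.g. -l to log)
dmz_chain () {
    local CHAIN=$1 DEST_RULE=$3 SRC_DEST ADDR
    case $2 in
        Source) SRC_DEST=-s ;;
        Dest)   SRC_DEST=-d ;;
        *)      echo "dmz_chain: bad direction $2" >&2; return 1 ;;
    esac
    shift 3
    $IPCH -N $CHAIN
    # Return to the main ruleset if the address is an expected external one
    for ADDR in $DMZ_EXT_ADDRS; do
        $IPCH -A $CHAIN -j RETURN -p all $SRC_DEST $ADDR
    done
    # Anything else in the DMZ range gets the chain's verdict
    $IPCH -A $CHAIN -j $DEST_RULE -p all "$@"
}

# Generate the same four steps ipfilter_firewall_cfg performs for DMZ_SWITCH=PROXY
build_rules () {
    RULES=""
    dmz_chain dmzSpoof Source DENY -l
    $IPCH -A input -j dmzSpoof -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF
    dmz_chain dmzIn Dest ACCEPT
    $IPCH -A input -j dmzIn -p all -s 0/0 -d $DMZ_NET -i $EXTERN_IF
    printf '%s' "$RULES"
}
count_rules () { build_rules | wc -l | tr -d ' '; }

# Minimal IPv4 prefix match so the spoof decision can be simulated
ip2int () {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
in_net () {   # in_net ADDR NET/PREFIXLEN
    local net=${2%/*} len=${2#*/} mask
    mask=$(( 0xffffffff << (32 - len) & 0xffffffff ))
    [ $(( $(ip2int $1) & mask )) -eq $(( $(ip2int $net) & mask )) ]
}

# Verdict of the spoof check for a packet arriving on eth0 from SRC:
# DENY, or PASS (not DMZ-sourced, or an expected external host; later rules decide)
spoof_verdict () {
    local SRC=$1 ADDR
    in_net $SRC $DMZ_NET || { echo PASS; return; }
    for ADDR in $DMZ_EXT_ADDRS; do
        [ "$SRC" = "$ADDR" ] && { echo PASS; return; }
    done
    echo DENY
}

build_rules
for SRC in 123.231.45.17 123.231.45.29 10.0.0.5; do
    echo "$SRC -> $(spoof_verdict $SRC)"
done
```

Note that the router's own eth0 address falls in DMZ_NET and is not in DMZ_EXT_ADDRS, so a packet claiming that source on eth0 is logged and dropped here, before the separate EXTERN_IP check further down the input chain.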

/etc/init.d/network
#!/bin/sh
###############################################################################
# Extended Matterhorn configuration scripts
# By Charles Steinkuehler
# Version 1.1
# April 28, 2000
# NETWORK_VERSION added by William F. Dudley 2001/03/31
###############################################################################
#
# LRP/Debian network configuration system
#
# Ring a ding ding, my dang a lang dong	   Dave 'Kill a Cop' Cinege   GPL2
# Ding Dong Dell, Pussy's in the well      Matthew 'Network Cowboy' Grant GPL2

# 
# start)
# Depending on the auto config portions in /etc/network.conf, it auto-
# generates hosts, resolv.conf, sets the hostname, starts up interfaces,
# configures the IP filter/firewall and sets up routes (not necessarily
# in that order). 
# 
# stop)
# brings down all interfaces listed in /proc/net/dev, and their associated
# routes. Flushes all rules for ipfwadm, ipchains, ipautofw, ipportfw.
#

#Used by update-rc.d
RCDLINKS="S,S39"	#LRP
FLAGS="start 39 S"	#Debian


#DEBUG=1

# Define the initial index value for indexed variable lists
INIT_INDEX=0

SP='   '


qt () { "$@" >/dev/null 2>&1 ; }
vb () { "$@" ; }
source () { . $1 ; }


BANNER="# This file was generated by $0. It may be overwritten!"


#Default safe settings
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=NO
IPALWAYSDEFRAG_KERNEL=NO
IPFWDING_FW=NO
CONFIG_DNS=NO
IPFILTER_SWITCH=none
IF_AUTO="eth0"
IF_LIST="$IF_AUTO"

#==============================================================================#

[ -f /etc/network.conf ] && source /etc/network.conf
[ -f /etc/ipfilter.conf ] && source /etc/ipfilter.conf && IPFILTER=1

NETWORK_VERSION=20010330

if [ X$NETWORK_CONF_VERSION != X$NETWORK_VERSION ] ; then
    echo "network.conf version '$NETWORK_CONF_VERSION' mismatch with network version $NETWORK_VERSION"
fi
if [ "$IPFILTER" = 1 ] ; then
    if [ X$IPFILTER_CONF_VERSION != X$NETWORK_VERSION ] ; then
	echo "ipfilter.conf version '$IPFILTER_CONF_VERSION' mismatch with network version $NETWORK_VERSION"
    fi
fi

[ "$DEBUG" ] && qt () { "$@" ; }
[ "$VERBOSE" = "NO" ] && vb () { qt "$@" ; }


[ -f /proc/net/ip_fwchains ] && IPCHAINS=1
[ -f /proc/net/ip_masq/autofw ] && IPAUTOFW=1
[ -f /proc/net/ip_masq/portfw ] && IPPORTFW=1
[ -f /proc/net/ip_masq/mfw ] && IPMFW=1
[ -f /proc/sys/net/ipv4/ip_always_defrag ] && IPALWAYSDFRG=1

GDC_PATH=/usr/bin/gdc
IFLIST="`echo $IF_LIST | sed 's/ /|/g'`|all"
for IF in $IF_LIST; do
    REV_IF_LIST="$IF $REV_IF_LIST"
done
unset IF



###############################################################################
#General utilities to process lists of environment variables
###############################################################################
# A function to walk a list of environment variables
# To use, define a series of BASENAMEx lines in network.conf
# where x is an integer number
# $1 = List Basename
# $2 = Initial integer suffix (usually 0 or 1)
# $3 = Procedure to call
# $4+= Parameters to pass to procedure
# NOTE: Called procedure can reference local walk-list variables, like x or y
walk-list () {
  # x = Variable index, y = count of processed variables
  local BASENAME=$1 x=$2 PROCEDURE=$3 ITEM="" y="0"
  shift 3

  while
    eval ITEM="\$$BASENAME$x"
    [ "$ITEM" != "" ]
  do
    y=$(($y + 1))

    # 'Call' the procedure, passing the variable to process and any args
    eval $PROCEDURE $BASENAME$x $*

    x=$(($x + 1))
  done

  WALK_COUNT=$y
}

###############################################################################
#IP Forwarding configuration
###############################################################################
start-auto-ipkrnlswch () {
    # Turn on global RP filter switch - this is ANDed with 
    # the per interface ones
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # Fix the Shared Media Mess
    echo 0 > /proc/sys/net/ipv4/conf/all/shared_media
    echo 0 > /proc/sys/net/ipv4/conf/default/shared_media


    if [ "$IPALWAYSDFRG" ]; then  
	if [ "$IPALWAYSDEFRAG_KERNEL" = "YES" ]; then
	    echo "1" >/proc/sys/net/ipv4/ip_always_defrag \
		&& vb echo -n "[IP Always Defrag: ENABLED] "
	else
	    echo "0" >/proc/sys/net/ipv4/ip_always_defrag \
		&& vb echo -n "[IP Always Defrag: DISABLED] "
	fi
    fi

    if [ "$IPFWDING_KERNEL" = "YES" ]; then
	echo "1" >/proc/sys/net/ipv4/ip_forward && vb echo -n "[IP Forwarding: ENABLED] "
    elif [ "$IPFWDING_KERNEL" != "FILTER_ON" ]; then
	echo "0" >/proc/sys/net/ipv4/ip_forward && vb echo -n "[IP Forwarding: DISABLED] "
    fi 
    vb echo 
}

###############################################################################
#Interface configuration
###############################################################################
start-auto-if () {
	vb echo -n "$SP""Loopback interface: "

	###
	#localhost interface
	####################
	qt ip addr add 127.0.0.1/8 broadcast 127.255.255.255 dev lo
	ip link set lo up && vb echo -n "lo "
	vb echo

	# Do the rest of the interfaces
	iface_up all
}

###############################################################################
#Hostname 
###############################################################################
start-auto-hostname () {
	if [ "$CONFIG_HOSTNAME" = "YES" ]; then
		vb echo "$SP""Hostname: $HOSTNAME"
#		hostname --file /etc/hostname		#bad idea...
		echo "$BANNER" >/etc/hostname		#Clear file
		echo "$HOSTNAME" >>/etc/hostname
	fi
}

###############################################################################
#Hosts file
###############################################################################
start-auto-hosts-writeline () {
  local LINE
  eval LINE="\$$1"
  echo "$LINE" >>$2
}
start-auto-hosts () {
	if [ "$CONFIG_HOSTSFILE" = "YES" ]; then
		vb echo -n "$SP""Static NS: "

		HOSTSF="/etc/hosts"
		echo "$BANNER" > $HOSTSF	#Clear file

		walk-list HOSTS $INIT_INDEX start-auto-hosts-writeline $HOSTSF

		echo "127.0.0.1	localhost" >>$HOSTSF 

		vb echo "$(($WALK_COUNT + 1)) hosts"
	fi
}

###############################################################################
#DNS configuration
###############################################################################
start-auto-DNS-writeline () {
	local LINE
	eval LINE="\$$1"
	echo "nameserver	$LINE" >>$2 && vb echo -n "$LINE "
}
start-auto-DNS () {

	if [ "$CONFIG_DNS" = "YES" ]; then
		vb echo -n "$SP""DNS: "

		RESOLV="/etc/resolv.conf"
		
		echo "$BANNER" >$RESOLV		#Clear file
		
		echo "search		$DOMAINS"	>>$RESOLV

		walk-list DNS $INIT_INDEX start-auto-DNS-writeline $RESOLV

		echo "nameserver	127.0.0.1" >>$RESOLV \
		&& vb echo -n "127.0.0.1"

		vb echo
	fi
}


##############################################################################
# Interface stuff iface_up, iface_down, iface_reset
##############################################################################
iface_up () {
    vb echo -n "$SP""Starting interface: "
    if [ "$1" = "all" ] ; then
	for IF in $IF_AUTO; do
	    if_up $IF && vb echo -n "$IF "
	done
	unset IF
    else
	if_up $1 && vb echo -n "$1 "
    fi
    vb echo
}


iface_down () {
    vb echo -n "$SP""Stopping interface: "
    if [ "$1" = "all" ] ; then
	for IF in $REV_IF_LIST; do
	    if_down $IF && vb echo -n "$IF "
	done
	unset IF
    else
	if_down $1 && vb echo -n "$1 "
    fi
    vb echo
}


iface_reset () {
    iface_down $1
    sleep 2
    iface_up $1
    # If gated is around, tell it all about this!
    [ -f $GDC_PATH ] && vb echo "Telling gated..."
    [ -f $GDC_PATH ] && sleep 5 && $GDC_PATH interface
}

##############################################################################
# Function to set 2.2 kernel interface parameters
# if_setproc <interface> <parameter> YES|NO
##############################################################################
if_setproc () {
	if [ -z "$3" ]; then
		return 0;
	fi

	[ ! -f /proc/sys/net/ipv4/conf/$1/$2 ] && return 1

	case "$3" in 
	YES|Yes|yes)
		echo 1 > /proc/sys/net/ipv4/conf/$1/$2
		return 0;
		;;
	NO|No|no)
		echo 0 > /proc/sys/net/ipv4/conf/$1/$2
		return 0;
		;;
	*)
		return 1;
	esac
	
	return 0;
	
}

##############################################################################
# Functions to configure the bridge
# brg_global()
##############################################################################
brg_global() {
	case "$BRG_SWITCH" in
	YES|Yes|yes)
		brcfg start 2> /dev/null
		;;
	NO|No|no)
		brcfg stop 2> /dev/null
		;;
	esac

	if [ -n "$BRG_EXEMPT_PROTOS" ]; then
		# Resetting the policy clears the exemption list
		brcfg policy accept
		brcfg exempt $BRG_EXEMPT_PROTOS
	fi

	return 0
}

brg_iface () {
	case $2 in
	up)
		if [ "$3" != "YES" -a "$3" != "Yes" -a "$3" != "yes" ]; then
			return 0
		fi
		brcfg dev $1 enable 2> /dev/null
		;;
	down)
		brcfg dev $1 disable 2> /dev/null
		;;
	esac

	return 0
}

##############################################################################
# checkarg() a function to check interface arguments
##############################################################################
checkarg() {
    eval "case \"$*\" in
        $IFLIST)
            ;;
        *)
            echo \"Usage: `basename $0` ifup|ifdown|ifreset {$IFLIST}\"
            exit 1
            ;;
         esac"
}


##############################################################################
# functions to handle filter stuff
##############################################################################

ipfilter_kernfwd () {
    if [ "$IPFWDING_KERNEL" != "FILTER_ON" ]; then
	return 0;
    fi
    
    case $1 in 
	on)
	    echo "1" >/proc/sys/net/ipv4/ip_forward \
		&& vb echo -n "[IP Forwarding: ENABLED] "
	    ;;
	off)
	    echo "0" >/proc/sys/net/ipv4/ip_forward \
		&& vb echo -n "[IP Forwarding: DISABLED] "
	    ;;
	*)
	    echo "AAARGGHH - wrong argument given to ipfilter_kernfwd: $1"
	    exit 1
	    ;;
    esac
}

# Selects basic filter type configuration function
ipfilter_cfg () {
    echo -n "$SP""IP filters: "
    case $IPFILTER_SWITCH in
	router|Router|ROUTER)
	    ipfilter_router_cfg && vb echo -n "router "
	    ipfilter_kernfwd on
	    ;;
	firewall|Firewall|FIREWALL)
	    ipfilter_firewall_cfg && vb echo -n "firewall "
	    ipfilter_kernfwd on
	    ;;
	none|NONE|None)
	    ipfilter_kernfwd off
	    ipfilter_clear && vb echo -n "none "
	    ;;
    esac
    vb echo
}

ipfilter_cmd () {
    if [ "${IPFILTER:-0}" -lt 1 ] ; then
	echo
	echo "$SP""No /etc/ipfilter.conf file."
	echo
	return 1
    fi
    if ! [ -x /sbin/ipchains ] ; then
	echo
	echo "$SP""/sbin/ipchains not found."
	echo
	return 1
    fi
    if ! [ -x /usr/sbin/ipmasqadm ] ; then
	echo
	echo "$SP""/usr/sbin/ipmasqadm not found."
	echo
	return 1
    fi
    case $1 in
	load|reload)
	    ipfilter_cfg
	    ;;
	flush)
	    vb echo -n "$SP""IP filters: "
	    [ "$IPFWDING_KERNEL" = "FILTER_ON" ] \
		&& echo "0" >/proc/sys/net/ipv4/ip_forward \
		&& vb echo -n "[IP Forwarding: DISABLED] "
	    ipfilter_clear
	    vb echo "flushed"
	    ;;
	list)
	    case $2 in
		autofw)
		    cat /proc/net/ip_masq/autofw | more
		    ;;
		mfw)
		    ipmasqadm mfw -nL | more
		    ;;
		masq*)
		    ipchains -n -v -M -L | more
		    ;;
		portfw)
		    ipmasqadm portfw -nl | more
		    ;;
		input|output|forward)
		    ipchains -n -v -L $2 | more
		    ;; 
		"")
		    (ipchains -n -v -L; \
			echo 'AutoFW:'; \
			cat /proc/net/ip_masq/autofw; \
			echo 'MarkFW:'; \
			ipmasqadm mfw -nL; \
			echo 'PortFW:'; \
			ipmasqadm portfw -nl) \
			| more 
		    ;;
		*)
		    echo "Usage: `basename $0` ipfilter list [input|output|forward|autofw|mfw|portfw]"
		    echo "       `basename $0` ipfilter list masq|masquerade"
		    exit 1
		    ;;

	    esac
	    ;;
	*)
	    echo "Usage: `basename $0` ipfilter load|flush|reload"
	    echo "       `basename $0` ipfilter list [input|output|forward|autofw|mfw|portfw]"
	    echo "       `basename $0` ipfilter list masq|masquerade"
	    exit 1
	    ;;
	esac
}

##############################################################################
# Start and stop
##############################################################################

start () {

	echo -n "Starting Network: "

	start-auto-ipkrnlswch
	ipfilter_cmd load
	start-auto-if
	start-auto-hostname
	start-auto-hosts
	start-auto-DNS
		
}	#END start ()

stop () {

	echo "Stopping Network: "

	iface_down all

	if [ "$IPFWADM" ]; then
		ipfwadm -F -f && ipfwadm -I -f && ipfwadm -O -f && \
		ipfwadm -A -f && echo -n ", FW Rules"
	fi
	
	echo -n "$SP""Stopping: Routes"
	ipfilter_clear && vb echo -n ", IP filters, IP firewalling"
	echo "0" >/proc/sys/net/ipv4/ip_forward \
	    && vb echo -n ", IP Forwarding"

	echo

}	#END stop ()


#############################################################################
# Main - Down to business
#############################################################################

case "$1" in
	start)	start	;;
	stop)	stop	;; 
	reload|force-reload)
		$0 stop
		sleep 1
		$0 start
		;;

	ifup)
		shift
		checkarg $*
		iface_up $1
		;;

	ifdown)
		shift
		checkarg $*
		iface_down $1
		;;
	
	ifreset)
		shift
		checkarg $*
		iface_reset $1
		;;

	ipfilter)
		if ! ipfilter_cmd $2 $3; then
		    exit 1
		fi
		;;

	*)	echo "Usage: `basename $0` start|stop|reload" 
		echo "       `basename $0` ifup|ifdown|ifreset $IFLIST"
		echo "       `basename $0` ipfilter load|flush|reload"
		echo "       `basename $0` ipfilter list [input|output|forward|autofw|mfw|portfw]"
		echo "       `basename $0` ipfilter list masq|masquerade"
		exit 1 
        ;;
esac

exit 0