linux-l: Suse und Bash-Scripts

Mario Thaten mario at thaten.de
Di Jul 10 15:59:57 CEST 2001


Halloele!

Schoenen Gruss aus dem thueringer Wald und eine kleine Frage an
alle, die die Untiefen der SuSE Distri etwas besser kennen. Ich
habe vor ueber nem Jahr ein kleines Firewallskript entwickelt
(/bin/bash), das auf allen Debian-Rechnern mit bash V. 2.03.0(1)
hervorragend laeuft. Nun wollte ich dies zwei Benutzern mit SuSE 7.1,
die sich beide mit dem System eigentlich ganz gut auskennen zur
Verfuegung stellen. Ergebnis: bei Ausfuehrung des Skripts erscheint
ein "File not found"-Error. Deren Bash-Version ist 2.03.1.
Da ich keine SuSE zum Selbstrausfinden besitze, wollte ich fragen,
ob jemand fuer mich das Skript austesten koennte und mal rausfinden,
woran das liegt. Sorry fuer die grosse Datenmenge!

28 Grad heisse Gruesse vom Balkon! :)

Greetz, Mario

-- 
\
 | Mario Thaten (mario at thaten.de)
 | "Always be yourself, but never mind to change." |
 `-- -- --  -- -- -- -- -- -- -- -- -- --  -- -- --'

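#!/bin/bash

# Personal modular firewall configuration... V.1.3
# Mario Thaten 03/13/2001
#
# This script relies on bash-only features (arrays such as TRUSTEDHOSTS=(),
# "$[...]" arithmetic, "echo -e"), so it must be run by bash and not by a
# generic /bin/sh -- hence the explicit bash shebang.

# new modules have to be added with a chain name in chain_started and
# chain_finished for proof of dependencies and under status*) for being
# displayed with the status monitor.

########################################### VARIABLE DEFINITIONS #########################################

# The ipchains binary; every rule below goes through it.
IPCHAINS=/sbin/ipchains
# The trusted ("good") network behind INT_DEV.
LOCALNET=192.168.10.0/24
ANYWHERE=0.0.0.0/0
# Directed broadcast address of LOCALNET.
BROADCAST=192.168.10.255/32
# The firewall's own address on INT_DEV only.  Its (dial-up, dynamic) address
# on EXT_DEV is not covered by this variable, so a match on "! $FIREWALL" does
# not exclude packets addressed to the external interface.
FIREWALL=192.168.10.200/32
# ipchains port range "1024:" = every unprivileged port.
UNPRIVPORTS=1024:
# External ("bad"/"darkside") and internal ("good") interfaces.
EXT_DEV=ppp0
INT_DEV=eth0

# Set this var to an IP Address and netmask of hosts on the darkside that you trust!
# These hosts will be granted some kinds of port access in the www-module!
# You might have to uncomment some lines in www_start!
# You will then have to restart setup.ipchains!!!
# Example: TRUSTEDHOSTS=("www.belug.org/32")
TRUSTEDHOSTS=()

# Set this array to the IP Addresses of computers you do not want to have access to the
# internet (whose packets should not be "NAT"ted...)
# Example: INTERNET_RESTRICTION=("192.168.10.10" "192.168.10.11")
INTERNET_RESTRICTION=()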

########################################### FUNCTION DEFINITIONS #########################################

#  a little function to check if a kernel module is loaded

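module() {
   # Succeed (exit 0) when a kernel module named exactly "$1" is listed by
   # lsmod, fail otherwise.  The original used an unanchored, unquoted grep,
   # so "module ip" would also have matched ip_masq_ftp, ip_masq_irc, ...;
   # the whole first column is compared now.
   /sbin/lsmod | awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}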


# chain_started looks, if the module $2 that module $1 depends on is loaded
# and if not exits unsuccessfully

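chain_started() {
    # Verify that module "$2", on which module "$1" depends, is already
    # loaded; print a message and terminate the script with status 1 when it
    # is not.
    #   $1 - module being started (used in the error message only)
    #   $2 - required module: basic_start, icmp_start, localnet_start,
    #        www_start or wwwgate_start
    # basic_start counts as loaded when IP forwarding is on; any other module
    # counts as loaded when its first chain is listed in /proc/net/ip_fwnames.
    # An unknown "$2" is an error: the original fell through with an empty
    # chain name, and grep with an empty pattern matches every line, so a
    # misspelled dependency silently passed the check.
    local chain fwd

    case "$2" in
        basic_start)
            read -r fwd < /proc/sys/net/ipv4/ip_forward
            # anything but "1" (including an unreadable file) is "not loaded"
            if [ "$fwd" != 1 ]; then
                echo "Option $1 depends on basic_start!!!"
                exit 1
            fi
            return 0
            ;;
        icmp_start)     chain=icmp-acc ;;
        localnet_start) chain=good-box ;;
        www_start)      chain=box-bad ;;
        wwwgate_start)  chain=good-bad ;;
        *)
            echo "Option $1: unknown dependency '$2'!!!" >&2
            exit 1
            ;;
    esac

    # Chain names are the first column of /proc/net/ip_fwnames; compare the
    # whole column so that a substring match cannot satisfy the dependency.
    if ! awk -v c="$chain" '$1 == c { found = 1 } END { exit !found }' \
            /proc/net/ip_fwnames 2>/dev/null; then
        echo "Option $1 depends on $2!!!"
        exit 1
    fi
}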


# chain_finished looks, if the module $2 that depends on module $1 is unloaded
# and if not exits unsuccessfully

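chain_finished() {
    # Verify that module "$2", which depends on module "$1", has already been
    # unloaded so that "$1" may be stopped; print a message and terminate the
    # script with status 1 when it is still loaded.
    #   $1 - module being stopped (used in the error message only)
    #   $2 - dependent module: basic_stop, icmp_stop, localnet_stop,
    #        www_stop or wwwgate_stop
    # basic_stop counts as unloaded when IP forwarding is off; any other
    # module counts as unloaded when its first chain is gone from
    # /proc/net/ip_fwnames.  An unknown "$2" is reported as such instead of
    # being matched against an empty chain name as before.
    local chain fwd

    case "$2" in
        basic_stop)
            read -r fwd < /proc/sys/net/ipv4/ip_forward
            if [ "$fwd" != 0 ]; then
                echo "Option $1 depends on basic_stop!!!"
                exit 1
            fi
            return 0
            ;;
        icmp_stop)     chain=icmp-acc ;;
        localnet_stop) chain=good-box ;;
        www_stop)      chain=box-bad ;;
        wwwgate_stop)  chain=good-bad ;;
        *)
            echo "Option $1: unknown dependency '$2'!!!" >&2
            exit 1
            ;;
    esac

    # the chain still exists (first column of ip_fwnames) -> "$2" is loaded
    if awk -v c="$chain" '$1 == c { found = 1 } END { exit !found }' \
            /proc/net/ip_fwnames 2>/dev/null; then
        echo "Option $1 depends on $2!!!"
        exit 1
    fi
}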

########################################### FIREWALL DEFINITIONS #########################################

if [ -e /proc/net/ip_masquerade ] && [ -e /proc/net/ip_fwnames ] && [ -e /proc/net/ip_fwchains ] ; then
  case "$1" in



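      basic_start) 

          # basic settings for internet firewalling and gatewaying
          #
          # Order matters here: the default policies are set to REJECT *before*
          # IP forwarding is switched on.  The original enabled forwarding
          # first, so for a moment packets were routed between eth0 and ppp0
          # under whatever policy the forward chain had before (ACCEPT after a
          # "stop", and the kernel default).
          #
          # NOTE: REJECT answers every dropped packet with an ICMP error or TCP
          # RST and so tells a scanner that a host exists; DENY would be
          # silent.  REJECT is kept because the rest of the script relies on
          # the quick refusal (e.g. the ident rules).

            echo -e "\033[36mEnabling firewalling basics of network $LOCALNET ... \033[m "

            "$IPCHAINS" -P input REJECT
            "$IPCHAINS" -P forward REJECT
            "$IPCHAINS" -P output REJECT

            # refuse ident (auth) lookups over loopback, allow all other local traffic
            "$IPCHAINS" -A input -p tcp --sport "$UNPRIVPORTS" --dport auth -i lo -j REJECT
            "$IPCHAINS" -A input -i lo -j ACCEPT
            "$IPCHAINS" -A output -p tcp --dport "$UNPRIVPORTS" --sport auth -i lo -j REJECT
            "$IPCHAINS" -A output -i lo -j ACCEPT

            # source-address verification on every interface
            for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > "$rpf"
            done
            echo "Enabled IP spoofing protection."

            # dynamic-address handling for the dial-up interface (mode 7, the
            # "RST provoking" mode the message below refers to)
            echo 7 > /proc/sys/net/ipv4/ip_dynaddr
            echo "Enabled RST provoking mode."

            # last, now that the forward chain rejects by default
            echo 1 > /proc/sys/net/ipv4/ip_forward
            echo "Enabled IP forwarding."

          ;;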



      basic_stop) 

          # every other module must already be gone; each call below exits the
          # script when its module is still loaded
          chain_finished basic_stop icmp_stop
          chain_finished basic_stop localnet_stop
          chain_finished basic_stop www_stop
          chain_finished basic_stop wwwgate_stop

          # shutdown basic settings for internet firewalling and gatewaying;
          # "basic is loaded" means IP forwarding is on
          if grep -q 0 /proc/sys/net/ipv4/ip_forward; then
            echo -e "\033[35mBasic settings for firewalling already disabled...\033[m" 
          else
            echo -e "\033[35mDisabling firewalling basics of network $LOCALNET ... \033[m "

            echo 0 > /proc/sys/net/ipv4/ip_forward
            echo "Disabled IP forwarding."

            echo 0 > /proc/sys/net/ipv4/ip_dynaddr
            echo "Disabled RST provoking mode."

            for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 0 > "$rpf"
            done
            echo "Disabled IP spoofing protection."

            # empty the three builtin chains, then open them up completely
            for chain in input forward output; do
                "$IPCHAINS" -F "$chain"
            done
            for chain in input forward output; do
                "$IPCHAINS" -P "$chain" ACCEPT
            done
          fi
          
          ;;



      icmp_start)

          chain_started icmp_start basic_start

          # settings for icmp communication (defining two chains for normal and masquerades communication)

          if grep -q icmp-acc /proc/net/ip_fwnames; then
            echo -e "\033[36mIcmp communication already enabled... \033[m"
          else
            echo -e "\033[36mEnabling icmp communication ... \033[m"

                # icmp-acc is jumped to from the input/output chains, icmp-msq
                # from the forward chain (MASQ target)
                "$IPCHAINS" -N icmp-acc
                "$IPCHAINS" -N icmp-msq

                # the same set of types is allowed on both chains; note that
                # echo-request is included, so the box answers pings from
                # wherever these chains are reached
                for icmptype in destination-unreachable source-quench time-exceeded \
                                parameter-problem echo-request echo-reply; do
                    "$IPCHAINS" -A icmp-acc -p icmp --icmp-type "$icmptype" -j ACCEPT
                    "$IPCHAINS" -A icmp-msq -p icmp --icmp-type "$icmptype" -j MASQ
                done

                # any other icmp type is logged and rejected
                "$IPCHAINS" -A icmp-acc -l -j REJECT
                "$IPCHAINS" -A icmp-msq -l -j REJECT

          fi
     
          ;;



      icmp_stop)

          # localnet and www jump into icmp-acc, so both must be gone first
          chain_finished icmp_stop localnet_stop
          chain_finished icmp_stop www_stop

          # shutdown settings for icmp communication

          if ! grep -q icmp-acc /proc/net/ip_fwnames; then
            echo -e "\033[35mIcmp communication already disabled... \033[m"
          else
            echo -e "\033[35mDisabling icmp communication ... \033[m"

                # flush first: -X only deletes an empty chain
                for chain in icmp-acc icmp-msq; do
                    "$IPCHAINS" -F "$chain"
                done
                for chain in icmp-acc icmp-msq; do
                    "$IPCHAINS" -X "$chain"
                done
          fi
     
          ;;



      localnet_start)

	  chain_started localnet_start basic_start
	  chain_started localnet_start icmp_start

          # settings for communication between localnet and the box
          #
          # good-box = LOCALNET -> firewall, box-good = firewall -> LOCALNET.
          # Both chains are only entered for packets on $INT_DEV whose other end
          # is the firewall's own address or the broadcast address (see the four
          # jump rules below), so nothing in here is reachable from $EXT_DEV.
          # "! -y" on a reply rule means "not a SYN-only packet": the rule only
          # passes answers to a connection the other side opened.  ipchains
          # keeps no connection state, so this flag is its only notion of
          # "established".

          if ! `cat /proc/net/ip_fwnames | grep good-box > /dev/null` ; then
            echo -e "\033[36mEnabling firewall settings for $LOCALNET ... \033[m"

        	# what we allow users to do with our server
		$IPCHAINS -N good-box
		$IPCHAINS -A input -s $LOCALNET -d $FIREWALL -i $INT_DEV -j good-box
		$IPCHAINS -A input -s $LOCALNET -d $BROADCAST -i $INT_DEV -j good-box

		# what we allow the server to tell the users
		$IPCHAINS -N box-good
		$IPCHAINS -A output -i $INT_DEV -s $FIREWALL -d $LOCALNET -j box-good
		$IPCHAINS -A output -i $INT_DEV -s $FIREWALL -d $BROADCAST -j box-good


		## ICMP
		# icmp-acc (see icmp_start) accepts the error types plus
		# echo-request/echo-reply and logs+rejects everything else
		$IPCHAINS -A good-box -p icmp -j icmp-acc
		$IPCHAINS -A box-good -p icmp -j icmp-acc

		
		## DNS
		# good 2 box: LAN clients may query a resolver on the box
		$IPCHAINS -A good-box -p udp --sport $UNPRIVPORTS --dport domain -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport domain --dport $UNPRIVPORTS -j ACCEPT
		# box 2 good: the box does not query resolvers on the LAN (disabled)
		# $IPCHAINS -A box-good -p udp --sport $UNPRIVPORTS --dport domain -j ACCEPT
		# $IPCHAINS -A good-box -p udp --sport domain --dport $UNPRIVPORTS -j ACCEPT


		## SSH
		# good 2 box: LAN hosts may ssh into the box
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport ssh -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport ssh ! -y --dport $UNPRIVPORTS -j ACCEPT
		# box 2 good: the box does not ssh out to the LAN (disabled)
		# $IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport ssh -j ACCEPT
		# $IPCHAINS -A good-box -p tcp --sport ssh ! -y --dport $UNPRIVPORTS -j ACCEPT

		
		## HTTP
		# good 2 box
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport www -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport www --dport $UNPRIVPORTS ! -y -j ACCEPT
		# box 2 good
		$IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport www -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport www --dport $UNPRIVPORTS ! -y -j ACCEPT
		

		## FTP
		# The port-20 rules deliberately carry no "! -y": in active mode the
		# *server* opens the data connection from port 20, so the SYN has to
		# be allowed in that direction.
		# good 2 box
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport 21 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport 21 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport 20 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT
		# box 2 good
		$IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport 21 -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport 21 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport 20 -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT

		
		## POP3, IMAP3, SMTP
		# good 2 box: LAN hosts fetch mail from and hand mail to the box
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport pop3 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport pop3 --dport $UNPRIVPORTS ! -y -j ACCEPT
		# $IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport imap3 -j ACCEPT
		# $IPCHAINS -A box-good -p tcp --sport imap3 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport smtp -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport smtp --dport $UNPRIVPORTS ! -y -j ACCEPT
		# box 2 good: only smtp delivery from the box into the LAN is allowed
		# $IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport pop3 -j ACCEPT
		# $IPCHAINS -A good-box -p tcp --sport pop3 --dport $UNPRIVPORTS ! -y -j ACCEPT
		# $IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport imap3 -j ACCEPT
		# $IPCHAINS -A good-box -p tcp --sport imap3 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport smtp -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport smtp --dport $UNPRIVPORTS ! -y -j ACCEPT

		
		## IRC
		# good 2 box
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport 6667 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport 6667 --dport $UNPRIVPORTS ! -y -j ACCEPT
		# box 2 good
		# $IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport 6667 -j ACCEPT
		# $IPCHAINS -A good-box -p tcp --sport 6667 --dport $UNPRIVPORTS ! -y -j ACCEPT


		## NETBIOS (this is really a security hole... :))
		# NOTE(review): these open the SMB name/datagram/session services,
		# but only towards the LAN (good-box/box-good are never reached from
		# $EXT_DEV).  Keep it that way -- never copy these into bad-box.
		# Port 137
		$IPCHAINS -A good-box -p udp --sport 137 --dport 137 -j ACCEPT
		$IPCHAINS -A good-box -p udp --sport $UNPRIVPORTS --dport 137 -j ACCEPT
		$IPCHAINS -A good-box -p udp --sport 137 --dport $UNPRIVPORTS -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport 137 --dport 137 -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport $UNPRIVPORTS --dport 137 -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport 137 --dport $UNPRIVPORTS -j ACCEPT
		# Port 138
		$IPCHAINS -A good-box -p udp --sport 138 --dport 138 -j ACCEPT
		$IPCHAINS -A good-box -p udp --sport $UNPRIVPORTS --dport 138 -j ACCEPT
		$IPCHAINS -A good-box -p udp --sport 138 --dport $UNPRIVPORTS -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport 138 --dport 138 -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport $UNPRIVPORTS --dport 138 -j ACCEPT
		$IPCHAINS -A box-good -p udp --sport 138 --dport $UNPRIVPORTS -j ACCEPT
		# Port 139
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport 139 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport 139 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport 139 -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport 139 --dport $UNPRIVPORTS ! -y -j ACCEPT

		
		## LOCALSITE-SPECIFIC CONFIGURATION

		## HALT-SCRIPT FOR @SERVER.ILMENAU
		# NOTE(review): whatever listens on 950/951 is reachable from every
		# LAN host; if a "halt" service really sits there, make sure it
		# authenticates -- the firewall cannot tell LAN users apart.
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport 950 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport 950 --dport $UNPRIVPORTS ! -y -j ACCEPT


		## HERMES-PORT
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport 951 -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport 951 --dport $UNPRIVPORTS ! -y -j ACCEPT


		## SWAT
		# NOTE(review): SWAT is Samba's web admin interface; it is served over
		# plain HTTP, so the credentials typed into it cross the LAN in the
		# clear.  Confirm it is needed; otherwise drop these two rules.
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport swat -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport swat --dport $UNPRIVPORTS ! -y -j ACCEPT


		## DISCARD
		# NOTE(review): discard and echo are the inetd "tiny" services; TCP
		# echo in particular is a classic traffic-loop/amplification target.
		# Remove both blocks unless something on the LAN really uses them.
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport discard -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport discard --dport $UNPRIVPORTS ! -y -j ACCEPT


		## ECHO
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport echo -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport echo --dport $UNPRIVPORTS ! -y -j ACCEPT

		## AUTH
		# ident lookups in both directions between the box and LAN hosts
		# good 2 box
		$IPCHAINS -A good-box -p tcp --sport $UNPRIVPORTS --dport auth -j ACCEPT
		$IPCHAINS -A box-good -p tcp --sport auth --dport $UNPRIVPORTS ! -y -j ACCEPT
		# box 2 good
		$IPCHAINS -A box-good -p tcp --sport $UNPRIVPORTS --dport auth -j ACCEPT
		$IPCHAINS -A good-box -p tcp --sport auth --dport $UNPRIVPORTS ! -y -j ACCEPT


		# everything else we reject just for logging purposes
		$IPCHAINS -A box-good -l -j REJECT
		$IPCHAINS -A good-box -l -j REJECT


	  else
	    echo -e "\033[36mFirewall settings for $LOCALNET already enabled... \033[m"
	  fi
     
          ;;



      localnet_stop) 

          # shutdown settings for communication between localnet and the box

          if ! grep -q good-box /proc/net/ip_fwnames; then
            echo -e "\033[35mFirewall settings for $LOCALNET already disabled...\033[m" 
          else
            echo -e "\033[35mDisabling firewalling settings for $LOCALNET ... \033[m "

            # unhook the four jump rules (same specs as in localnet_start),
            # then empty and delete the two chains
            "$IPCHAINS" -D input -s "$LOCALNET" -d "$FIREWALL" -i "$INT_DEV" -j good-box
            "$IPCHAINS" -D input -s "$LOCALNET" -d "$BROADCAST" -i "$INT_DEV" -j good-box
            "$IPCHAINS" -D output -i "$INT_DEV" -s "$FIREWALL" -d "$LOCALNET" -j box-good
            "$IPCHAINS" -D output -i "$INT_DEV" -s "$FIREWALL" -d "$BROADCAST" -j box-good
            for chain in good-box box-good; do
                "$IPCHAINS" -F "$chain"
            done
            for chain in good-box box-good; do
                "$IPCHAINS" -X "$chain"
            done
          fi
	  
          ;;



      www_start)

	  chain_started www_start basic_start
	  chain_started www_start icmp_start

          # settings for communication between the box and the darkside
          #
          # box-bad = firewall -> internet, bad-box = internet -> firewall.
          # The two jump rules only cover packets on $EXT_DEV whose source and
          # destination are both outside LOCALNET, so a packet arriving on ppp0
          # with a spoofed 192.168.10.x address never enters these chains and
          # is left to the chain policy.  "! -y" on the inbound rules means
          # "not a SYN-only packet": ipchains keeps no connection state, so
          # this flag is what stops the internet from *opening* connections
          # to the listed ports while replies to our own connections get in.

          if ! `cat /proc/net/ip_fwnames | grep box-bad > /dev/null` ; then
            echo -e "\033[36mEnabling communication between server and web ... \033[m"

 		$IPCHAINS -N box-bad
		$IPCHAINS -N bad-box
		$IPCHAINS -A output -i $EXT_DEV -s ! $LOCALNET -d ! $LOCALNET -j box-bad
		$IPCHAINS -A input -i $EXT_DEV -s ! $LOCALNET -d ! $LOCALNET -j bad-box


		# The following entry is a potential security hole!!!
		# Carefully consider using it!!!
		#
		# NOTE(review): this pair passes every TCP packet between two
		# unprivileged ports: outbound it lets the box open connections to
		# any port >= 1024 on the internet, inbound it accepts any non-SYN
		# segment to any port >= 1024 whether or not a connection exists
		# (no state), so e.g. ACK/FIN probes reach the stack.  It is
		# presumably here for FTP data connections; the explicit rules below
		# only matter for privileged destination ports.
		
		## MASKED ACTIVE FTP
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS ! -y -j ACCEPT

		
		## ICMP
		# icmp-acc includes echo-request, so the box answers pings from the
		# internet (see icmp_start)
		$IPCHAINS -A box-bad -p icmp -j icmp-acc
		$IPCHAINS -A bad-box -p icmp -j icmp-acc

		
		## DNS
		# box 2 bad: the box may query resolvers on the internet
		$IPCHAINS -A box-bad -p udp --sport $UNPRIVPORTS --dport domain -j ACCEPT
		$IPCHAINS -A bad-box -p udp --sport domain --dport $UNPRIVPORTS -j ACCEPT
		# bad 2 box: no DNS service offered to the internet (disabled)
		# $IPCHAINS -A bad-box -p udp --sport $UNPRIVPORTS --dport domain -j ACCEPT
		# $IPCHAINS -A box-bad -p udp --sport domain --dport $UNPRIVPORTS -j ACCEPT


		## SSH
		# box 2 bad
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport ssh -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport ssh ! -y --dport $UNPRIVPORTS -j ACCEPT
		# bad 2 box: inbound ssh only from TRUSTEDHOSTS, disabled by default.
		# (ipchains accepts a port range directly after "-s addr", which is
		# what the bare $UNPRIVPORTS after the address means.)
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport ssh -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport ssh ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done

		
		## HTTP
		# box 2 bad
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport www -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport www --dport $UNPRIVPORTS ! -y -j ACCEPT
		# bad 2 box
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport www -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport www ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done


		## HTTPS
		# box 2 bad
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport https -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport https --dport $UNPRIVPORTS ! -y -j ACCEPT
		# bad 2 box
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport https -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport https ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done


		## NNTP
		# box 2 bad
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport nntp -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport nntp --dport $UNPRIVPORTS ! -y -j ACCEPT
		# bad 2 box
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport nntp -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport nntp ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done


		## FTP
		# box 2 bad; the port-20 reply rule has no "! -y" because in active
		# mode the server opens the data connection itself
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport 21 -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport 21 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport 20 -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT
		# bad 2 box
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport 21 -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport 21 ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport 20 -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport 20 -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done

		
		## POP3, IMAP3, SMTP
		# box 2 bad: the box fetches and sends mail, but serves none to the
		# internet (the bad 2 box loop is disabled)
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport pop3 -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport pop3 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport imap3 -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport imap3 --dport $UNPRIVPORTS ! -y -j ACCEPT
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport smtp -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport smtp --dport $UNPRIVPORTS ! -y -j ACCEPT
		# bad 2 box
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport pop3 -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport pop3 ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport imap3 -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport imap3 ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport smtp -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport smtp ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done

		
		## IRC
		# box 2 bad
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport 6667 -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport 6667 --dport $UNPRIVPORTS ! -y -j ACCEPT
		# bad 2 box
		# i=0
		# while [ "${TRUSTEDHOSTS[i]}" ]; do
		#     $IPCHAINS -A bad-box -p tcp -s ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS --dport 6667 -j ACCEPT
		#     $IPCHAINS -A box-bad -p tcp --sport 6667 ! -y -d ${TRUSTEDHOSTS[$i]} $UNPRIVPORTS -j ACCEPT
		#     i=$[$i+1]
		# done


		## AUTH
		# this is necessary for dalnet to work
		# box 2 bad
		$IPCHAINS -A box-bad -p tcp --sport $UNPRIVPORTS --dport auth -j ACCEPT
		$IPCHAINS -A bad-box -p tcp --sport auth --dport $UNPRIVPORTS ! -y -j ACCEPT
		# bad 2 box
		# NOTE(review): any internet host may query identd on the box; if an
		# identd runs, this reveals local user names.  An IRC server only
		# needs a *quick* answer, and the logging REJECT at the end of
		# bad-box already refuses the connection immediately, so these two
		# rules can probably go unless identd replies are really wanted.
		$IPCHAINS -A bad-box -p tcp --sport $UNPRIVPORTS --dport auth -j ACCEPT
		$IPCHAINS -A box-bad -p tcp --sport auth --dport $UNPRIVPORTS ! -y -j ACCEPT

		
		# everything else we reject just for logging purposes
		$IPCHAINS -A box-bad -l -j REJECT
		$IPCHAINS -A bad-box -l -j REJECT

	  else
	    echo -e "\033[36mCommunication between server and web already enabled... \033[m"
	  fi
     
          ;;



      www_stop) 
	
          # wwwgate_start declares www_start as a dependency, so wwwgate has
          # to be gone before www may be stopped
          chain_finished www_stop wwwgate_stop

          # shutdown settings for communication between the box and the darkside

          if ! grep -q box-bad /proc/net/ip_fwnames; then
            echo -e "\033[35mCommunication between server and web already disabled...\033[m" 
          else
            echo -e "\033[35mDisabling communication between server and web ... \033[m "

                # unhook (same rule specs as in www_start), flush, delete
                "$IPCHAINS" -D output -i "$EXT_DEV" -s ! "$LOCALNET" -d ! "$LOCALNET" -j box-bad
                "$IPCHAINS" -D input -i "$EXT_DEV" -s ! "$LOCALNET" -d ! "$LOCALNET" -j bad-box
                for chain in box-bad bad-box; do
                    "$IPCHAINS" -F "$chain"
                done
                for chain in box-bad bad-box; do
                    "$IPCHAINS" -X "$chain"
                done
          fi
	  
          ;;



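      wwwgate_start)

          chain_started wwwgate_start basic_start
          chain_started wwwgate_start www_start

          # settings for communication between localnet and the darkside

          if grep -q good-bad /proc/net/ip_fwnames; then
            echo -e "\033[36mCommunication between $LOCALNET and web already enabled... \033[m"
          else
            echo -e "\033[36mEnabling communication between $LOCALNET and the web ... \033[m"

                # good-bad = LOCALNET -> internet (masqueraded), bad-good = the
                # reverse direction, which only logs and rejects: replies to
                # masqueraded connections are handled by the kernel itself.
                "$IPCHAINS" -N good-bad
                "$IPCHAINS" -N bad-good

                # Forwarded packets pass the input chain on the way in and the
                # output chain on the way out, so they have to be let through
                # there before the forward chain (and the MASQ rules) see them.
                #
                # NOTE(review): "-d ! $FIREWALL" only excludes the *internal*
                # address 192.168.10.200.  A LAN packet addressed to the
                # firewall's external (ppp0) address is not destined for
                # $FIREWALL either, so it is ACCEPTed here and delivered locally
                # without ever passing good-box -- every service bound to
                # 0.0.0.0 is reachable from the LAN that way.  Put a REJECT for
                # "-s $LOCALNET -d <ppp0 address>" in front of this rule once
                # the dial-up address is known, or bind services to $FIREWALL.
                "$IPCHAINS" -A input -i "$INT_DEV" -s "$LOCALNET" -d ! "$FIREWALL" -j ACCEPT
                "$IPCHAINS" -A output -i "$INT_DEV" -d "$LOCALNET" -s ! "$FIREWALL" -j ACCEPT

                "$IPCHAINS" -A forward -i "$EXT_DEV" -s "$LOCALNET" -j good-bad
                "$IPCHAINS" -A forward -i "$INT_DEV" -s ! "$LOCALNET" -j bad-good


                ## REMOVE PEOPLE IN $INTERNET_RESTRICTION FROM WEB ACCESS
                # These must sit in front of every MASQ rule.  Empty entries are
                # skipped; the old "while" loop silently stopped at the first
                # empty element and ignored everything after it.
                for blocked in "${INTERNET_RESTRICTION[@]}"; do
                    [ -n "$blocked" ] || continue
                    "$IPCHAINS" -A good-bad -s "$blocked" -l -j REJECT
                    "$IPCHAINS" -A bad-good -d "$blocked" -l -j REJECT
                done


                ## HTTP
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport www -j MASQ


                ## HTTPS
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport https -j MASQ


                ## NNTP
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport nntp -j MASQ


                ## FTP
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport 21 -j MASQ
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport 20 -j MASQ
                # NOTE(review): this third rule masquerades *any* TCP connection
                # from an unprivileged LAN port to an unprivileged internet port,
                # i.e. all outbound TCP to ports >= 1024, not only FTP data
                # connections (presumably its purpose, for passive mode).  The
                # explicit service list above therefore only restricts
                # connections to privileged ports.
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport "$UNPRIVPORTS" -j MASQ


                ## ICMP
                "$IPCHAINS" -A good-bad -p icmp -j icmp-msq


                ## SSH
                "$IPCHAINS" -A good-bad -p tcp --dport ssh -j MASQ
                
                ## POP3, SMTP, IMAP3
                "$IPCHAINS" -A good-bad -p tcp --dport smtp -j MASQ # this may come from the smtp-port too!
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport pop3 -j MASQ
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport imap3 -j MASQ
                
                ## AUTH
                "$IPCHAINS" -A good-bad -p tcp --sport "$UNPRIVPORTS" --dport auth -j MASQ
                "$IPCHAINS" -A good-bad -p tcp --sport auth --dport "$UNPRIVPORTS" -j MASQ
                
                # rejecting the rest just for logging purposes
                "$IPCHAINS" -A good-bad -l -j REJECT
                "$IPCHAINS" -A bad-good -l -j REJECT

                # The masquerading helpers rewrite the addresses/ports carried
                # inside FTP and IRC (DCC) control connections.  A failed insmod
                # used to go unnoticed; report it, since active FTP and DCC just
                # stop working without the helper.
                insmod ip_masq_ftp || echo "Warning: could not load ip_masq_ftp" >&2
                # irc is completely done by this module and the rules in box-bad/bad-box
                insmod ip_masq_irc || echo "Warning: could not load ip_masq_irc" >&2


          fi
     
          ;;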



      wwwgate_stop) 

          # shutdown settings for communication between localnet and the darkside

          if ! grep -q good-bad /proc/net/ip_fwnames; then
            echo -e "\033[35mCommunication between $LOCALNET and web already disabled...\033[m" 
          else
            echo -e "\033[35mDisabling communication between $LOCALNET and the web ... \033[m "

                # unhook the helper chains from the builtin ones (same rule
                # specs as in wwwgate_start), then empty and delete them
                "$IPCHAINS" -D input -i "$INT_DEV" -s "$LOCALNET" -d ! "$FIREWALL" -j ACCEPT
                "$IPCHAINS" -D output -i "$INT_DEV" -d "$LOCALNET" -s ! "$FIREWALL" -j ACCEPT
                "$IPCHAINS" -D forward -i "$EXT_DEV" -s "$LOCALNET" -j good-bad
                "$IPCHAINS" -D forward -i "$INT_DEV" -s ! "$LOCALNET" -j bad-good
                for chain in good-bad bad-good; do
                    "$IPCHAINS" -F "$chain"
                done
                "$IPCHAINS" -X bad-good
                "$IPCHAINS" -X good-bad

                # Give the modules one second to accept they are worthless! :)
                sleep 1
                rmmod ip_masq_ftp
                rmmod ip_masq_irc
          fi
	  
          ;;



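      start)

          # Bring the modules up in dependency order and stop at the first
          # failure; each step exits non-zero when a dependency is missing or
          # the kernel lacks support.  The original ignored every status and
          # carried on regardless.
          for step in basic_start icmp_start localnet_start www_start wwwgate_start; do
              "$0" "$step" || exit 1
          done

          # Log and reject whatever falls off the end of the builtin chains.
          # The policy already rejects; these rules only add the "-l" logging.
          # A possibly existing copy is deleted first so that running "start"
          # twice does not append the same rule a second time.
          for chain in input forward output; do
              "$IPCHAINS" -D "$chain" -l -j REJECT 2>/dev/null
              "$IPCHAINS" -A "$chain" -l -j REJECT
          done
          ;;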



      stop)

          # tear down in reverse dependency order; each step refuses to run
          # (and exits its own invocation) while a dependent module is loaded
          for step in wwwgate_stop www_stop localnet_stop icmp_stop basic_stop; do
              "$0" "$step"
          done

          ;;



      restart|reload)
          # full stop, a second for the modules to settle, then a full start
          if "$0" stop; then
              sleep 1 && "$0" start
          fi
          ;;



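      status)
            # Print which modules are loaded: "basic" is detected through IP
            # forwarding being on, the others through their first chain being
            # listed in /proc/net/ip_fwnames.
            echo -e "Modules loaded: "

            if grep -q 0 /proc/sys/net/ipv4/ip_forward; then
                    echo -e " no modules loaded..."
            else
                    echo -e " * basic"
            fi

            # chain:module pairs.  The chain name is compared against the whole
            # first column (the original used an unquoted, unanchored grep), and
            # a missing file is treated as "no chains" instead of spilling an
            # error on the terminal.
            for pair in icmp-acc:icmp good-box:localnet box-bad:www good-bad:wwwgate; do
                chain=${pair%%:*}
                modname=${pair#*:}
                if awk -v c="$chain" '$1 == c { found = 1 } END { exit !found }' \
                        /proc/net/ip_fwnames 2>/dev/null; then
                    echo -e " * $modname"
                fi
            done
          ;;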



      concrete)
            # dump every chain with packet counters, numeric addresses and ports
            "$IPCHAINS" -L -v -n
          ;;



      *)
          # unknown or missing argument: print the usage and fail
          printf '\n'
          printf 'Usage: %s {start|stop|status|concrete|restart}\n' "$0"
          printf 'Professional: %s {basic|icmp|localnet|www|wwwgate}\n' "$0"
          printf '              always add a _start or _stop to the professional name.\n'
          exit 1
          ;;
  esac

else
	echo "Sorry, $0 cannot proceed!!!"
	echo "The kernel lacks firewalling and/or masquerading support!"
	echo "Firewalling and Gatewaying will not be enabled!!!"
	exit 1
fi

exit 0





