
Re: Need_help_with_this_script



Hi

On Mon, May 28, 2001 at 07:40:53PM +0200, LuisMi wrote:
> Check it now, I did the changes you told me.
> This firewall will be used in a little ISP that offers web,
> mail (sendmail & pop3), primary DNS & secondary DNS.
> Those services will be behind that firewall with ipmasqadm,
> except the DNS services (I think).

For such a simple setup, this script is extremely long.

> Thanks for your support
> 
> LuisMi
> 

> 
> #!/bin/sh
> # IPchains Firewalling Script File
> 
> # Function library
> # ----------------
> . /etc/init.d/functions
> 
> # Network configuration
> # ---------------------
> . /etc/sysconfig/network
> 
> # Check that networking is enabled
> # --------------------------------
> 
> [ "${NETWORKING}" = "no" ] && exit 0
> 
> 
> # Variables
> # ---------
> interfaz0="eth0"
> interfaz_loopback="lo"
> 
> # Address of eth0, read from the interface as currently configured
> ip_eth0=`ifconfig $interfaz0 | grep "inet addr:" | awk -F: '{print $2}' | cut -d' ' -f 1`

This will not work unless you have configured your eth0
interface first, which is a bad idea, as mentioned in my last
e-mail.

> CUALQUIERA="0.0.0.0/0"
> LOOPBACK="127.0.0.0/8"
> CLASE_A="10.0.0.0/8"
> CLASE_B="172.16.0.0/12"
> CLASE_C="192.168.0.0/16"
> MULTICAST="224.0.0.0/4"
> BROADCAST_SRC="0.0.0.0"
> BROADCAST_DEST="255.255.255.255"
> 
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
> # Local port range, taken from the ip_local_port_range line in /etc/sysctl.conf
> LOCALPORTS=`awk '/local_port/{print $3 ":" $4}' /etc/sysctl.conf`
> TRACER_SRC_PORTS="32769:65535"
> TRACER_DEST_PORTS="33434:33523"
> SOCKS_PORT="1080"
> OPENWINDOWS_PORT="2000"
> NFS_PORT="2049"
> XWINDOW_PORTS="6000"
> SSH_PORTS="1020:1023"
> 
> # DNS servers
> # !!!!!!!!!!! The DNS servers still need to be defined !!!!!!!!!
> 
> # Time server
> HORA=hora.uniovi.es
> 
> # Miscellaneous TCP/IP protections
> # --------------------------------
[snip]
> # Setting the default policies for the input, output and forward chains
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward REJECT
> 
> # Flushing all firewall chains
> # ----------------------------
> /sbin/ipchains -F
> /sbin/ipchains -F spoofed
> /sbin/ipchains -F tcp-c-o
> /sbin/ipchains -F tcp-s-i
> /sbin/ipchains -F udp-c-o
> /sbin/ipchains -F udp-s-i
> /sbin/ipchains -F tcp-c-i
> /sbin/ipchains -F tcp-s-o
> /sbin/ipchains -F misc-out
> /sbin/ipchains -F misc-in
> /sbin/ipchains -F icmp-in
> /sbin/ipchains -F icmp-out
> /sbin/ipchains -F log-in
> /sbin/ipchains -F log-out

"/sbin/ipchains -F" will clear all rules for all defined chains.
You don't have to specify all the chains individually (i.e.
just use "ipchains -F", not "ipchains -F spoofed; ipchains -F
tcp-c-o" etc., etc.).

> /sbin/ipchains -X spoofed
> /sbin/ipchains -X tcp-c-o
> /sbin/ipchains -X tcp-s-i
> /sbin/ipchains -X udp-c-o
> /sbin/ipchains -X udp-s-i
> /sbin/ipchains -X tcp-c-i
> /sbin/ipchains -X tcp-s-o
> /sbin/ipchains -X misc-out
> /sbin/ipchains -X misc-in
> /sbin/ipchains -X icmp-in
> /sbin/ipchains -X icmp-out
> /sbin/ipchains -X log-in
> /sbin/ipchains -X log-out
[snip]

"ipchains -X" gets rid of all user defined chains.  No need to
specify each one separately.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
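The ip_eth0 line discussed above silently yields an empty string when eth0 has not been configured yet, and the rest of the script then runs with an empty address variable. The following is an added example, not code from either poster in this thread, showing how to pull the address out of old-style ifconfig output and abort the script when no address is present. The two blocks of ifconfig output, the 192.0.2.10 address and the function names iface_addr and require_addr are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original thread): read an interface's IPv4
# address from ifconfig-style output and refuse to go on without one.

# Constructed sample: "ifconfig eth0" output for an interface that is up.
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample: the same interface before it has been configured,
# so there is no "inet addr:" line at all.
SAMPLE_DOWN='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# iface_addr: print the first "inet addr:" value found on stdin.
# Prints nothing and returns 1 when the interface has no address.
iface_addr() {
    addr=$(awk '/inet addr:/ { sub(/.*inet addr:/, ""); print $1; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# require_addr IFACE TEXT: like iface_addr, but complains on stderr and
# returns 1 so a firewall script can "exit 1" instead of building rules
# around an empty variable.  TEXT stands in for "ifconfig $IFACE" here.
require_addr() {
    iface="$1"
    text="$2"
    addr=$(printf '%s\n' "$text" | iface_addr) || {
        echo "$iface has no IPv4 address; configure it (or set the address by hand) before loading rules" >&2
        return 1
    }
    printf '%s\n' "$addr"
}

# Usage in a script: stop right here if the address is missing.
# ip_eth0=$(require_addr eth0 "$(ifconfig eth0)") || exit 1
```

In a real script the second argument to require_addr would be the output of "ifconfig eth0" itself; the samples here only let the check be exercised without a live interface. The check does not remove the ordering problem Michael points out, but it turns a silent failure into a loud one.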


