
creating firewalls



Hello,

I have decided on a really cool(TM) way to setup firewall rules on
Linux, so decided to post here to share with the rest of the world.
Comments welcome.

It is specific for iptables, but that is only because I am too lazy to
maintain anything before that. ipchains should work fine too, but
anything before that might cause problems.

I have a script /etc/init.d/firewall that sets up global system
stuff. It is called from my old do-nothing /etc/init.d/network file
(sometime I will have to do something to make this part more elegant
too).

if [ -e /proc/net/ip_tables_names ]
then
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

        iptables -F FORWARD
        iptables -A FORWARD -j ACCEPT -i eth0
        iptables -A FORWARD -j ACCEPT -o eth0
        iptables -A FORWARD -j LOG
fi

/usr/local/sbin/adaptor-add lo localhost
/usr/local/sbin/adaptor-add eth0 localnet

Previously I just hardcoded all the rules here, but I found it was too
inconvenient to alter rules only for particular adaptors, and some
need to be created dynamically, eg PPP rules. PPP rules cannot be
statically created at boot time, unless you can guarantee that only
one PPP connection will be established, or the order which they are
established in.

The script "adaptor-add" adds firewall rules for each adaptor (I need
lo here because of the system default to drop all packets).
adaptor-add takes up to four parameters: interface, user, local address and
remote address. I also have a corresponding ip-down script.

So, instead of hard coding ppp0, for instance, in my boot scripts, I
have a /etc/ppp/ip-up.d/firewall function:

#!/bin/sh
# pppd's ip-up exports PPP_IFACE, PPP_IPPARAM, PPP_LOCAL and PPP_REMOTE;
# quote them so an empty ipparam does not shift the remaining arguments
/usr/local/sbin/adaptor-add "$PPP_IFACE" "$PPP_IPPARAM" "$PPP_LOCAL" "$PPP_REMOTE"

$PPP_IPPARAM is set to user or APANA when pppd is called, with the
ipparam parameter.

I also have a corresponding /etc/ppp/ip-down.d/firewall, for shutting
the PPP connection down:

#!/bin/sh
# same variables as ip-up.d/firewall, quoted for the same reason
/usr/local/sbin/adaptor-del "$PPP_IFACE" "$PPP_IPPARAM" "$PPP_LOCAL" "$PPP_REMOTE"

Now for the juicy bits (but with the juicy stuff deleted because it
represents my private security policy):

/usr/local/sbin/adaptor-add is designed in such a way it can be
manually re-executed without creating duplicate rules or errors:

#!/bin/sh

ADAPTOR="$1"
USER="$2"
LADDRESS="$3"
RADDRESS="$4"

# rules for linux 2.4.x kernels
if [ -e /proc/net/ip_tables_names ]
then
        # create the per-adaptor chains (ignoring "already exists"), then empty them
        iptables -N "$ADAPTOR-in" >/dev/null 2>&1
        iptables -F "$ADAPTOR-in"

        iptables -N "$ADAPTOR-out" >/dev/null 2>&1
        iptables -F "$ADAPTOR-out"

        iptables -t nat -N "$ADAPTOR-post" >/dev/null 2>&1
        iptables -t nat -F "$ADAPTOR-post"

        if [ "$ADAPTOR" = "eth0" ]
        then
                iptables -A "$ADAPTOR-in" [deleted]
                iptables -A "$ADAPTOR-out" [deleted]
        elif [ "$USER" = "apana" ]
        then
                iptables -A "$ADAPTOR-in" [deleted]
                iptables -A "$ADAPTOR-out" [deleted]
                iptables -t nat -A "$ADAPTOR-post" -j MASQUERADE -s 192.168.0.0/16 -d 0.0.0.0/0
        elif [ "$USER" = "user" ]
        then
                iptables -A "$ADAPTOR-in" [deleted]
                iptables -A "$ADAPTOR-out" [deleted]
        fi

        # delete any existing jump before appending it, so re-running never duplicates it
        iptables -D INPUT -i "$ADAPTOR" -j "$ADAPTOR-in" >/dev/null 2>&1
        iptables -A INPUT -i "$ADAPTOR" -j "$ADAPTOR-in"

        iptables -D OUTPUT -o "$ADAPTOR" -j "$ADAPTOR-out" >/dev/null 2>&1
        iptables -A OUTPUT -o "$ADAPTOR" -j "$ADAPTOR-out"

        iptables -t nat -D POSTROUTING -o "$ADAPTOR" -j "$ADAPTOR-post" >/dev/null 2>&1
        iptables -t nat -A POSTROUTING -o "$ADAPTOR" -j "$ADAPTOR-post"
fi


and adaptor-del removes this stuff:

#!/bin/sh

ADAPTOR="$1"
USER="$2"
LADDRESS="$3"
RADDRESS="$4"

# rules for linux 2.4.x kernels
if [ -e /proc/net/ip_tables_names ]
then
        # remove the jump first, then flush and delete the (now unreferenced) chain
        iptables -D INPUT -i "$ADAPTOR" -j "$ADAPTOR-in"
        iptables -F "$ADAPTOR-in"
        iptables -X "$ADAPTOR-in"

        iptables -D OUTPUT -o "$ADAPTOR" -j "$ADAPTOR-out"
        iptables -F "$ADAPTOR-out"
        iptables -X "$ADAPTOR-out"

        iptables -t nat -D POSTROUTING -o "$ADAPTOR" -j "$ADAPTOR-post"
        iptables -t nat -F "$ADAPTOR-post"
        iptables -t nat -X "$ADAPTOR-post"
fi
-- 
Brian May <bam@debian.org>
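An added example, not part of Brian's post: a small audit that reads iptables-save output and checks the invariants the adaptor-add/adaptor-del pair is meant to keep (exactly one jump per adaptor chain, each jump on the matching interface, no leftover chains). The iptables-save excerpt is constructed for the example, and adaptor names are assumed to contain no hyphen.

```shell
# Audit iptables-save output for the per-adaptor chain scheme. Reports:
#   DUP      - the same jump rule appears twice (adaptor-add re-run without its -D step)
#   MISMATCH - a jump's -i/-o interface differs from the chain's adaptor prefix
#   ORPHAN   - an <adaptor>-in/-out/-post chain that nothing jumps to (ip-down never ran)
# Assumes adaptor names contain no '-', so the prefix is everything before the first '-'.
audit_adaptor_chains() {
    awk '
        /^:/ { name = substr($1, 2); if (name ~ /-(in|out|post)$/) chains[name] = 0; next }
        /^-A / {
            target = ""; iface = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-i" || $i == "-o") iface = $(i + 1)
            }
            if (target in chains) {
                chains[target]++
                split(target, p, "-")
                if (iface != "" && iface != p[1]) print "MISMATCH " $0
            }
            if (++seen[$0] == 2) print "DUP " $0
            next
        }
        END { for (c in chains) if (chains[c] == 0) print "ORPHAN " c }
    ' | sort
}

# Constructed iptables-save excerpt (not from a real host): ppp0 was added twice,
# ppp1 lost its jump, and one OUTPUT jump points at the wrong adaptor chain.
SAMPLE_SAVE=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:eth0-in - [0:0]
:eth0-out - [0:0]
:ppp0-in - [0:0]
:ppp0-out - [0:0]
:ppp1-in - [0:0]
-A INPUT -i eth0 -j eth0-in
-A INPUT -i ppp0 -j ppp0-in
-A INPUT -i ppp0 -j ppp0-in
-A OUTPUT -o eth0 -j eth0-out
-A OUTPUT -o ppp1 -j ppp0-out
COMMIT
EOF
)

# On a live host: iptables-save | audit_adaptor_chains
printf '%s\n' "$SAMPLE_SAVE" | audit_adaptor_chains
```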