updated
This commit is contained in:
parent
ec09eeb7b2
commit
35e2b474fe
@ -20,7 +20,7 @@
|
|||
<Abstract>
|
||||
|
||||
<para>
|
||||
v2.00.011303, January 13, 2003
|
||||
v2.00.011703, January 17, 2003
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
@ -1199,7 +1199,7 @@ mirrir</ULink>, or his old
|
|||
<ItemizedList>
|
||||
<listitem>
|
||||
<para>
|
||||
<ULink URL="http://members.tripod.com/~djsf/masq-icq/">Andrew Deryabin's ICQ
|
||||
<ULink URL="http://djsf.narod.ru/masq-icq">Andrew Deryabin's ICQ
|
||||
MASQ module</ULink> for 2.2.x and 2.0.x kernels
|
||||
</para>
|
||||
</listitem>
|
||||
|
@ -1530,7 +1530,7 @@ Masquerade related options.
|
|||
<ItemizedList>
|
||||
<listitem>
|
||||
<para>
|
||||
<ULink URL="http://members.tripod.com/~djsf/masq-icq/">Andrew Deryabin's ICQ
|
||||
<ULink URL="http://djsf.narod.ru/masq-icqf/">Andrew Deryabin's ICQ
|
||||
MASQ module </ULink> for 2.2.x and 2.0.x kernels
|
||||
</para>
|
||||
</listitem>
|
||||
|
@ -3510,7 +3510,7 @@ SIMPLE ruleset:
|
|||
#!/bin/sh
|
||||
#
|
||||
# rc.firewall-2.4
|
||||
FWVER=0.71
|
||||
FWVER=0.72
|
||||
#
|
||||
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
|
||||
# using IPTABLES.
|
||||
|
@ -3523,6 +3523,7 @@ FWVER=0.71
|
|||
#
|
||||
#
|
||||
# Log:
|
||||
# 0.72 - Changed the default block behavior to REJECT not DROP
|
||||
# 0.71 - Added clarification that PPPoE users need to use
|
||||
# "ppp0" instead of "eth0" for their external interface
|
||||
# 0.70 - Added commented option for IRC nat module
|
||||
|
@ -3772,14 +3773,14 @@ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
|
|||
#Clearing any previous configuration
|
||||
#
|
||||
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
|
||||
# The default for FORWARD is DROP
|
||||
# The default for FORWARD is REJECT
|
||||
#
|
||||
echo " clearing any existing rules and setting default policy.."
|
||||
$IPTABLES -P INPUT ACCEPT
|
||||
$IPTABLES -F INPUT
|
||||
$IPTABLES -P OUTPUT ACCEPT
|
||||
$IPTABLES -F OUTPUT
|
||||
$IPTABLES -P FORWARD DROP
|
||||
$IPTABLES -P FORWARD REJECT
|
||||
$IPTABLES -F FORWARD
|
||||
$IPTABLES -t nat -F
|
||||
|
||||
|
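Review bot: `$IPTABLES -P FORWARD REJECT` (the new line replacing `$IPTABLES -P FORWARD DROP`) is not a valid iptables invocation: a built-in chain's policy can only be ACCEPT or DROP, and REJECT is a rule target, so the call fails and FORWARD keeps whatever policy it already had while the `$IPTABLES -F FORWARD` that follows flushes its rules — on a host whose chains were at the ACCEPT default this presumably leaves the chain flushed and open. The same change appears in the -8032 hunk for INPUT, OUTPUT and FORWARD of rc.firewall-2.4-stronger, where it also contradicts the comment kept a few lines below it ("You CANNOT change this to REJECT as it isn't a vaild setting for a policy"). Keep the policy lines as DROP and, where REJECT semantics are wanted, append an explicit rule at the tail of each chain, e.g. `$IPTABLES -A FORWARD -j REJECT` (the stronger ruleset's `drop-and-log-it` chain, which this commit already switches to `-j REJECT`, can carry that role), and reword the updated comment `# The default for FORWARD is REJECT` to describe that tail rule rather than the policy. Because the script runs under `#!/bin/sh` with no exit-status checks, the failed `-P` call only shows up as iptables' own error message on stderr, which is easy to miss when the ruleset is loaded at boot.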
@ -7668,13 +7669,14 @@ Cannot work at present (it makes invalid assumptions about addresses).
|
|||
#
|
||||
# rc.firewall-2.4-stronger
|
||||
#
|
||||
FWVER=0.76s
|
||||
FWVER=0.77s
|
||||
|
||||
# An example of a stronger IPTABLES firewall with IP Masquerade
|
||||
# support for 2.4.x kernels.
|
||||
#
|
||||
# Log:
|
||||
#
|
||||
# 0.77s - Changed the default block behavior to REJECT not DROP
|
||||
# 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
|
||||
# where to put optional PORTFW commands
|
||||
# 0.75s - Added clarification that PPPoE users need to use
|
||||
|
@ -8032,18 +8034,18 @@ echo " ---"
|
|||
|
||||
#Clearing any previous configuration
|
||||
#
|
||||
# Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP.
|
||||
# Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to REJECT
|
||||
#
|
||||
# You CANNOT change this to REJECT as it isn't a vaild setting for a
|
||||
# policy. If you want REJECT, you must explictly REJECT at the end
|
||||
# of a giving INPUT, OUTPUT, or FORWARD chain
|
||||
#
|
||||
echo " Clearing any existing rules and setting default policy to DROP.."
|
||||
$IPTABLES -P INPUT DROP
|
||||
echo " Clearing any existing rules and setting default policy to REJECT.."
|
||||
$IPTABLES -P INPUT REJECT
|
||||
$IPTABLES -F INPUT
|
||||
$IPTABLES -P OUTPUT DROP
|
||||
$IPTABLES -P OUTPUT REJECT
|
||||
$IPTABLES -F OUTPUT
|
||||
$IPTABLES -P FORWARD DROP
|
||||
$IPTABLES -P FORWARD REJECT
|
||||
$IPTABLES -F FORWARD
|
||||
$IPTABLES -F -t nat
|
||||
|
||||
|
@ -8077,7 +8079,7 @@ $IPTABLES -Z
|
|||
echo " Creating a DROP chain.."
|
||||
$IPTABLES -N drop-and-log-it
|
||||
$IPTABLES -A drop-and-log-it -j LOG --log-level info
|
||||
$IPTABLES -A drop-and-log-it -j DROP
|
||||
$IPTABLES -A drop-and-log-it -j REJECT
|
||||
|
||||
echo -e "\n - Loading INPUT rulesets"
|
||||
|
||||
|
@ -8324,9 +8326,11 @@ Lastly, if you are using a STATIC PPP IP address, change the
|
|||
# /etc/rc.d/rc.firewall: An example of a Stronger IPCHAINS firewall
|
||||
# ruleset for 2.2 kernels
|
||||
#
|
||||
FWVER=0.65s
|
||||
FWVER=0.70s
|
||||
#
|
||||
# Log:
|
||||
# 0.70s - Added missing execution variables
|
||||
# - fixed a missing -p tcp for the commented HTTPd section
|
||||
# 0.65s - Added comments HTTPd rules to the INPUT and OUTPUT section
|
||||
# - Added a comment where to insert IPPORTFW commands
|
||||
# 0.60s - Changed the EXTIP command to work on NON-English distros
|
||||
|
@ -8335,6 +8339,27 @@ FWVER=0.65s
|
|||
|
||||
echo -e "\nLoading rc.firewall-2.2-stronger : version $FWVER..\n"
|
||||
|
||||
|
||||
# The location of various iptables and other shell programs
|
||||
#
|
||||
# If your Linux distribution came with a copy of iptables, most
|
||||
# likely it is located in /sbin. If you manually compiled
|
||||
# iptables, the default location is in /usr/local/sbin
|
||||
#
|
||||
# ** Please use the "whereis iptables" command to figure out
|
||||
# ** where your copy is and change the path below to reflect
|
||||
# ** your setup
|
||||
#
|
||||
IPCHAINS=/sbin/ipchains
|
||||
LSMOD=/sbin/lsmod
|
||||
DEPMOD=/sbin/depmod
|
||||
INSMOD=/sbin/insmod
|
||||
MODPROBE=/sbin/modprobe
|
||||
GREP=/bin/grep
|
||||
AWK=/bin/awk
|
||||
SED=/bin/sed
|
||||
IFCONFIG=/sbin/ifconfig
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
|
||||
|
@ -8360,21 +8385,21 @@ INTNET="192.168.0.0/24"
|
|||
|
||||
# Needed to initially load modules
|
||||
#
|
||||
/sbin/depmod -a
|
||||
$DEPMOD -a
|
||||
|
||||
# Supports the proper masquerading of FTP file transfers using the PORT method
|
||||
#
|
||||
/sbin/modprobe ip_masq_ftp
|
||||
$MODPROBE ip_masq_ftp
|
||||
|
||||
# Supports the masquerading of RealAudio over UDP. Without this module,
|
||||
# RealAudio WILL function but in TCP mode. This can cause a reduction
|
||||
# in sound quality
|
||||
#
|
||||
/sbin/modprobe ip_masq_raudio
|
||||
$MODPROBE ip_masq_raudio
|
||||
|
||||
# Supports the masquerading of IRC DCC file transfers
|
||||
#
|
||||
#/sbin/modprobe ip_masq_irc
|
||||
#$MODPROBE ip_masq_irc
|
||||
|
||||
|
||||
# Supports the masquerading of Quake and QuakeWorld by default. These modules are
|
||||
|
@ -8385,19 +8410,19 @@ INTNET="192.168.0.0/24"
|
|||
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
|
||||
#
|
||||
#Quake I / QuakeWorld (ports 26000 and 27000)
|
||||
#/sbin/modprobe ip_masq_quake
|
||||
#$MODPROBE ip_masq_quake
|
||||
#
|
||||
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
|
||||
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
|
||||
#$MODPROBE ip_masq_quake 26000,27000,27910,27960
|
||||
|
||||
|
||||
# Supports the masquerading of the CuSeeme video conferencing software
|
||||
#
|
||||
#/sbin/modprobe ip_masq_cuseeme
|
||||
#$MODPROBE ip_masq_cuseeme
|
||||
|
||||
#Supports the masquerading of the VDO-live video conferencing software
|
||||
#
|
||||
#/sbin/modprobe ip_masq_vdolive
|
||||
#$MODPROBE ip_masq_vdolive
|
||||
|
||||
|
||||
#CRITICAL: Enable IP forwarding since it is disabled by default
|
||||
|
@ -8517,30 +8542,30 @@ EXTIP="`$IFCONFIG $EXTIF | $AWK \
|
|||
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
|
||||
# firewall timeout in ICQ itself)
|
||||
#
|
||||
ipchains -M -S 7200 10 60
|
||||
$IPCHAINS -M -S 7200 10 60
|
||||
|
||||
#############################################################################
|
||||
# Incoming, flush and set default policy of reject. Actually the default policy
|
||||
# is irrelevant because there is a catch all rule with deny and log.
|
||||
#
|
||||
ipchains -F input
|
||||
ipchains -P input REJECT
|
||||
$IPCHAINS -F input
|
||||
$IPCHAINS -P input REJECT
|
||||
|
||||
# local interface, local machines, going anywhere is valid
|
||||
#
|
||||
ipchains -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT
|
||||
$IPCHAINS -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
# remote interface, claiming to be local machines, IP spoofing, get lost
|
||||
#
|
||||
ipchains -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
|
||||
$IPCHAINS -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
# remote interface, any source, going to permanent PPP address is valid
|
||||
#
|
||||
ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
|
||||
$IPCHAINS -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
|
||||
|
||||
# loopback interface is valid.
|
||||
#
|
||||
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
||||
$IPCHAINS -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
|
||||
# ----- Begin OPTIONAL INPUT Section -----
|
||||
|
@ -8550,7 +8575,7 @@ ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
|||
# the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
|
||||
# an internal WWW server
|
||||
#
|
||||
#ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP 80 -j ACCEPT
|
||||
#$IPCHAINS -A input -i $EXTIF -p tcp -s 0.0.0.0/0 -d $EXTIP 80 -j ACCEPT
|
||||
|
||||
#
|
||||
# ----- End OPTIONAL INPUT Section -----
|
||||
|
@ -8559,34 +8584,34 @@ ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
|||
# catch all rule, all other incoming is denied and logged. pity there is no
|
||||
# log option on the policy but this does the job instead.
|
||||
#
|
||||
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
|
||||
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
#############################################################################
|
||||
# Outgoing, flush and set default policy of reject. Actually the default policy
|
||||
# is irrelevant because there is a catch all rule with deny and log.
|
||||
#
|
||||
ipchains -F output
|
||||
ipchains -P output REJECT
|
||||
$IPCHAINS -F output
|
||||
$IPCHAINS -P output REJECT
|
||||
|
||||
# local interface, any source going to local net is valid
|
||||
#
|
||||
ipchains -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT
|
||||
$IPCHAINS -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT
|
||||
|
||||
# outgoing to local net on remote interface, stuffed routing, deny
|
||||
#
|
||||
ipchains -A output -i $EXTIF -s 0.0.0.0/0 -d $INTNET -l -j REJECT
|
||||
$IPCHAINS -A output -i $EXTIF -s 0.0.0.0/0 -d $INTNET -l -j REJECT
|
||||
|
||||
# outgoing from local net on remote interface, stuffed masquerading, deny
|
||||
#
|
||||
ipchains -A output -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
|
||||
$IPCHAINS -A output -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
# anything else outgoing on remote interface is valid
|
||||
#
|
||||
ipchains -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT
|
||||
$IPCHAINS -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
# loopback interface is valid.
|
||||
#
|
||||
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
||||
$IPCHAINS -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
|
||||
# ----- Begin OPTIONAL OUTPUT Section -----
|
||||
|
@ -8596,7 +8621,7 @@ ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
|||
# the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
|
||||
# an internal WWW server
|
||||
#
|
||||
#ipchains -A outut -i $EXTIF -s $EXTIP 80 -d 0.0.0.0/0 -j ACCEPT
|
||||
#$IPCHAINS -A output -i $EXTIF -p tcp -s $EXTIP 80 -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
#
|
||||
# ----- End OPTIONAL OUTPUT Section -----
|
||||
|
@ -8604,14 +8629,14 @@ ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
|
|||
# catch all rule, all other outgoing is denied and logged. pity there is no
|
||||
# log option on the policy but this does the job instead.
|
||||
#
|
||||
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
|
||||
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
#############################################################################
|
||||
# Forwarding, flush and set default policy of deny. Actually the default policy
|
||||
# is irrelevant because there is a catch all rule with deny and log.
|
||||
#
|
||||
ipchains -F forward
|
||||
ipchains -P forward DENY
|
||||
$IPCHAINS -F forward
|
||||
$IPCHAINS -P forward DENY
|
||||
|
||||
|
||||
# ----- Begin OPTIONAL FORWARD Section -----
|
||||
|
@ -8621,12 +8646,12 @@ ipchains -P forward DENY
|
|||
|
||||
# Masquerade from local net on local interface to anywhere.
|
||||
#
|
||||
ipchains -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ
|
||||
$IPCHAINS -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ
|
||||
#
|
||||
# catch all rule, all other forwarding is denied and logged. pity there is no
|
||||
# log option on the policy but this does the job instead.
|
||||
#
|
||||
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
|
||||
$IPCHAINS -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
#End of file.
|
||||
</screen>
|
||||
|
@ -9043,7 +9068,7 @@ ppp_ip="your.static.PPP.address"
|
|||
# is irrelevant because there is a catch all rule with deny and log.
|
||||
#
|
||||
/sbin/ipfwadm -F -f
|
||||
/sbin/ipfwadm -F -p deny
|
||||
/sbin/ipfwadm -F -p reject
|
||||
|
||||
# Masquerade from local net on local interface to anywhere.
|
||||
#
|
||||
|
@ -13924,8 +13949,41 @@ Update the portfw FTP patch
|
|||
<!-- ChangeLOG -->
|
||||
|
||||
<para>
|
||||
Changes from 01/12/03 to 01/13/03
|
||||
Changes from 01/12/03 to 01/17/03
|
||||
<ItemizedList>
|
||||
<listitem>
|
||||
<para>
|
||||
01/17/03: Fixed a major issue where the rc.firewall-2.2-stronger ruleset
|
||||
was referencing missing executable variables. This was taken from the
|
||||
2.4-stronger ruleset but I guess I forgot to finish it off. Fixed.
|
||||
Thanks to Samuel Kim for catching this!
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
01/17/03: Fixed an issue where the rc.firewall-2.2-stronger's commented
|
||||
HTTP section was missing the "-p tcp" option.
|
||||
Thanks to Samuel Kim for catching this!
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
01/16/03: Updated the URL for DJSF's ICQ module
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
01/16/03: Changed the default policy and drop chain from DENY to REJECT
|
||||
on both IPTABLES rulesets and on the advanced IPFWADM rulset.
|
||||
Thanks to Jonathan Hutchins for bringing this to my attention.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
01/16/03: Fixed a typo in the commented out HTTPd OUTPUT section of the
|
||||
rc.firewall-2.2-s ruleset
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
01/13/03: Updated the IPMASQ www site URL from ipmasq.cjb.net to
|
||||
|
|