<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>The Linux Cipe+Masquerading mini-HOWTO: Common Machine Configuration</TITLE>
|
|
<LINK HREF="Cipe+Masq-7.html" REL=next>
|
|
<LINK HREF="Cipe+Masq-5.html" REL=previous>
|
|
<LINK HREF="Cipe+Masq.html#toc6" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Cipe+Masq-7.html">Next</A>
|
|
<A HREF="Cipe+Masq-5.html">Previous</A>
|
|
<A HREF="Cipe+Masq.html#toc6">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s6">6. Common Machine Configuration</A></H2>
|
|
|
|
<H2><A NAME="ss6.1">6.1 /etc/cipe/ip-up</A>
|
|
</H2>
|
|
|
|
<H3>Kernel 2.0, ipfwadm, cipe 1.0.x</H3>
|
|
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<HR>
|
|
<PRE>
|
|
|
|
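#!/bin/bash
# ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
#3/29/1999
#An example ip-up script for the older 1.x 2.x kernels using ipfwadm that
#will setup routes and firewall rules to connect your local class c network
#to a remote class c network.

#The rules are configured to prevent spoofing and stuffed routing between
#the networks. There are also additional security enhancements commented
#out towards the bottom of the script.
#Send questions or comments to acj@home.com.

#--------------------------------------------------------------------------
#Set some script variables. All six are passed by the daemon; me, pid and
#option are only needed by the optional sections further down.
device=$1   # the CIPE interface
me=$2       # our UDP address, ip:port
pid=$3      # the daemon's process ID
ipaddr=$4   # IP address of our CIPE device
ptpaddr=$5  # IP address of the remote CIPE device. Note the name: an
            # earlier revision assigned $5 to "vptpaddr", which left every
            # $ptpaddr below empty, so the route and all remotenet rules
            # were built from an empty address.
option=$6   # argument supplied via options

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

#comment/uncomment to enable/disable kernel logging for all unauthorized
#access attempts. Must be same as ip-down script in order to remove rules.
#$log is deliberately expanded unquoted below: when it is empty it must add
#no argument at all to the ipfwadm command line.
log="-o"

#--------------------------------------------------------------------------
#Helpers

#die <message> - report to stderr and stop with status 1. A rule that
#fails to insert would leave the tunnel partly unfiltered, so the script
#does not carry on past a failed ipfwadm call.
die() {
  printf 'ip-up %s: %s\n' "$device" "$*" >&2
  exit 1
}

#warn <message> - report to stderr and keep going
warn() {
  printf 'ip-up %s: warning: %s\n' "$device" "$*" >&2
}

#fw <ipfwadm arguments> - run ipfwadm and abort the script if it fails
fw() {
  ipfwadm "$@" || die "ipfwadm $* failed"
}

#refuse to run with missing arguments rather than install rules with
#empty source/destination fields
[[ -n "$device" ]] || die "no interface name given"
[[ -n "$ipaddr" ]] || die "no local CIPE address given"
case "$ptpaddr" in
  *.*.*.*) ;;
  *) die "remote CIPE address '$ptpaddr' is not a dotted quad" ;;
esac

#--------------------------------------------------------------------------
umask 022

# just a logging example
#echo "UP $*" >> /var/adm/cipe.log

# many systems like these pid files
#echo "$pid" > "/var/run/$device.pid"

#--------------------------------------------------------------------------

#add route entry for remote cipe network: the class c network is the first
#three octets of the remote address followed by .0
network="${ptpaddr%.*}.0"
route add -net "$network" netmask 255.255.255.0 dev "$device" \
  || warn "route add -net $network failed"

#need to add route entry for host in 2.0 kernels
route add -host "$ptpaddr" dev "$device" \
  || warn "route add -host $ptpaddr failed"

#--------------------------------------------------------------------------
#cipe interface incoming firewall rules
#must be inserted into list in reverse order (-i puts each rule at the
#head of the list, so the last one inserted is the first one checked)

#deny all other incoming packets to cipe interface
fw -I -i deny -W "$device" -S 0/0 -D 0/0 $log

#accept incoming packets from remotenet to localnet on cipe interface
fw -I -i accept -W "$device" -S "$ptpaddr/24" -D "$ipaddr/24"

#accept incoming packets from localnet to remotenet on cipe interface
fw -I -i accept -W "$device" -S "$ipaddr/24" -D "$ptpaddr/24"

#deny incoming packets, cipe interface, claiming to be from localnet; log
fw -I -i deny -W "$device" -S "$ipaddr/24" -D "$ipaddr/24" $log

#--------------------------------------------------------------------------
#cipe interface outgoing firewall rules
#must be inserted into list in reverse order

#deny all other outgoing packets from cipe interface
fw -O -i deny -W "$device" -S 0/0 -D 0/0 $log

#accept outgoing from remotenet to localnet on cipe interface
fw -O -i accept -W "$device" -S "$ptpaddr/24" -D "$ipaddr/24"

#accept outgoing from localnet to remotenet on cipe interface
fw -O -i accept -W "$device" -S "$ipaddr/24" -D "$ptpaddr/24"

#deny outgoing to localnet from localnet, cipe interface, deny; log
fw -O -i deny -W "$device" -S "$ipaddr/24" -D "$ipaddr/24" $log

#--------------------------------------------------------------------------
#The forwarding is configured so machines on your local network do not get
#masqueraded to the remote network. This provides better access control
#between networks. Must be inserted into list in reverse order

#deny all other forwarding through cipe interface; log
fw -F -i deny -W "$device" -S 0/0 -D 0/0 $log

#accept forwarding from remotenet to localnet on cipe interfaces
fw -F -i accept -W "$device" -S "$ptpaddr/24" -D "$ipaddr/24"

#accept forwarding from localnet to remotenet on cipe interfaces
fw -F -i accept -W "$device" -S "$ipaddr/24" -D "$ptpaddr/24"

#--------------------------------------------------------------------------
#Make sure forwarding is enabled in the kernel. The kernel by default may
#have forwarding disabled. A failed write here is reported instead of
#being lost silently.
echo 1 > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"

#--------------------------------------------------------------------------
#Optional security enhancement - set default forward policy to
#DENY or REJECT. If your forwarding default policy is DENY/REJECT
#you will need to add the following rules to your main forward chain. It
#is a good idea to have all default policies set for DENY or
#REJECT.

#define machine interfaces
#localif="eth0"
#staticif="eth1"   # cable modem users
#staticif="ppp0"   # dialup users

#a real sloppy way to get the peer ip address from the options file - a new
#argument with peer ip:port passed to script would be nice.
#both lines need to be uncommented
#peerfile=$(grep -- "$device" /etc/cipe/options.* | cut -f1 -d:)
#peer=$(grep peer "$peerfile" | cut -f1 -d: | awk '{print $2}')

#must log peer ip address for ip-down script
#echo "$peer" > "/var/run/$device.peerip"

#accept forwarding from localnet to remotenet on internal network interface
#fw -F -i accept -W "$localif" -S "$ipaddr/24" -D "$ptpaddr/24"
#accept forwarding from remotenet to localnet on internal network interface
#fw -F -i accept -W "$localif" -S "$ptpaddr/24" -D "$ipaddr/24"
#accept forwarding on staticif from me to peer
#myaddr=${me%%:*}
#fw -F -i accept -W "$staticif" -S "$myaddr" -D "$peer"
#--------------------------------------------------------------------------
#Other optional security enhancement
#block all incoming requests from everywhere to our cipe udp port
#except our peer's udp port

#need to determine udp ports for the cipe interfaces
#get our udp port
#if [[ -z "$option" ]]; then
#  myport=${me##*:}
#else
#  myport=$option
#fi

#get remote udp port -- peerfile variable must be set above
#peerport=$(grep peer "$peerfile" | cut -f2 -d:)

#must log peer udp port for ip-down script
#echo "$peerport" > "/var/run/$device.peerport"

#get our ip address
#myaddr=${me%%:*}

#deny and log all requests to cipe udp port must be inserted first
#fw -I -i deny -P udp -W "$staticif" -S 0/0 -D "$myaddr" "$myport" $log
#accept udp packets from peer at udp cipe port to my udp cipe port
#fw -I -i accept -P udp -W "$staticif" -S "$peer" "$peerport" \
#  -D "$myaddr" "$myport"

exit 0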
|
|
</PRE>
|
|
<HR>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<H3>Kernel 2.1/2.2, ipchains, cipe 1.2.x</H3>
|
|
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<HR>
|
|
<PRE>
|
|
|
|
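#!/bin/bash
# ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
#3/29/1999
#An example ip-up script for the newer 2.1/2.2 kernels using ipchains that
#will setup routes and firewall rules to connect your local class c network
#to a remote class c network. This script creates 3 user defined chains
#-input, output, and forward - for each cipe interface, based on the
#interface name. It will then insert a rule into each of the built-in
#input, output, and forward chains to use the user defined chains. The
#rules are configured to prevent spoofing and stuffed routing between the
#networks. There are also additional security enhancements commented out
#towards the bottom of the script.
#Send questions or comments to acj@home.com.

#--------------------------------------------------------------------------

#Set some script variables. All six are passed by the daemon; me, pid and
#option are only needed by the optional sections further down.
device=$1   # the CIPE interface
me=$2       # our UDP address, ip:port
pid=$3      # the daemon's process ID
ipaddr=$4   # IP address of our CIPE device
ptpaddr=$5  # IP address of the remote CIPE device
option=$6   # argument supplied via options

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

#comment/uncomment to enable/disable kernel logging for all unauthorized
#access attempts. Must be same as ip-down script in order to remove rules.
#$log is deliberately expanded unquoted below: when it is empty it must add
#no argument at all to the ipchains command line.
log="-l"

#--------------------------------------------------------------------------
#Helpers

#die <message> - report to stderr and stop with status 1. A rule that
#fails to insert would leave the tunnel partly unfiltered, so the script
#does not carry on past a failed ipchains call.
die() {
  printf 'ip-up %s: %s\n' "$device" "$*" >&2
  exit 1
}

#warn <message> - report to stderr and keep going
warn() {
  printf 'ip-up %s: warning: %s\n' "$device" "$*" >&2
}

#fw <ipchains arguments> - run ipchains and abort the script if it fails
fw() {
  ipchains "$@" || die "ipchains $* failed"
}

#refuse to run with missing arguments rather than install rules with
#empty source/destination fields
[[ -n "$device" ]] || die "no interface name given"
[[ -n "$ipaddr" ]] || die "no local CIPE address given"
case "$ptpaddr" in
  *.*.*.*) ;;
  *) die "remote CIPE address '$ptpaddr' is not a dotted quad" ;;
esac

#the user defined chains are named after the interface; ip-down removes
#them by the same names
inchain="${device}i"
outchain="${device}o"
fwdchain="${device}f"

#--------------------------------------------------------------------------
umask 022
# just a logging example
#echo "UP $*" >> /var/adm/cipe.log

# many systems like these pid files
#echo "$pid" > "/var/run/$device.pid"

#--------------------------------------------------------------------------
#add route entry for remote cipe network: the class c network is the first
#three octets of the remote address followed by .0
network="${ptpaddr%.*}.0"
route add -net "$network" netmask 255.255.255.0 dev "$device" \
  || warn "route add -net $network failed"

#--------------------------------------------------------------------------
#create new ipchain for cipe interface input rules. A failed -N is not
#fatal (the chain may be left over from a run whose ip-down never ran);
#the flush right after it gives the same clean starting point either way.
ipchains -N "$inchain" || warn "could not create chain $inchain (already exists?)"
#flush all rules in chain (sanity flush)
fw -F "$inchain"
#deny incoming packets, cipe interface, claiming to be from localnet; log
fw -A "$inchain" -j DENY -i "$device" -s "$ipaddr/24" -d "$ipaddr/24" $log
#accept incoming packets from localnet to remotenet on cipe interface
fw -A "$inchain" -j ACCEPT -i "$device" -s "$ipaddr/24" -d "$ptpaddr/24"
#accept incoming packets from remotenet to localnet on cipe interface
fw -A "$inchain" -j ACCEPT -i "$device" -s "$ptpaddr/24" -d "$ipaddr/24"
#deny all other incoming packets
fw -A "$inchain" -j DENY -s 0/0 -d 0/0 $log

#--------------------------------------------------------------------------
#create new ipchain for cipe interface output rules
ipchains -N "$outchain" || warn "could not create chain $outchain (already exists?)"
#flush all rules in chain (sanity flush)
fw -F "$outchain"
#deny outgoing to localnet from localnet, cipe interface, deny; log
fw -A "$outchain" -j DENY -i "$device" -s "$ipaddr/24" -d "$ipaddr/24" $log
#accept outgoing from localnet to remotenet on cipe interface
fw -A "$outchain" -j ACCEPT -i "$device" -s "$ipaddr/24" -d "$ptpaddr/24"
#accept outgoing from remotenet to localnet on cipe interface
fw -A "$outchain" -j ACCEPT -i "$device" -s "$ptpaddr/24" -d "$ipaddr/24"
#deny all other outgoing packets
fw -A "$outchain" -j DENY -s 0/0 -d 0/0 $log

#--------------------------------------------------------------------------
#The forward chain is configured so machines on your local network do not
#get masqueraded to the remote network. This provides better access
#control between networks.

#create new ipchain for cipe interface forward rules
ipchains -N "$fwdchain" || warn "could not create chain $fwdchain (already exists?)"
#flush all rules in chain (sanity flush)
fw -F "$fwdchain"
#accept forwarding from localnet to remotenet on cipe interfaces
fw -A "$fwdchain" -j ACCEPT -i "$device" -s "$ipaddr/24" -d "$ptpaddr/24"
#accept forwarding from remotenet to localnet on cipe interfaces
fw -A "$fwdchain" -j ACCEPT -i "$device" -s "$ptpaddr/24" -d "$ipaddr/24"
#deny all other forwarding; log
fw -A "$fwdchain" -j DENY -s 0/0 -d 0/0 $log

#--------------------------------------------------------------------------
#Make sure forwarding is enabled in the kernel. New kernels by default have
#forwarding disabled. A failed write here is reported instead of being
#lost silently.
echo 1 > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"

#--------------------------------------------------------------------------
#insert rules to main input, output, and forward chains to enable new rules
#for the cipe interface. These go in last, so the user defined chains are
#already complete by the time traffic is sent through them.
fw -I input -i "$device" -j "$inchain"
fw -I output -i "$device" -j "$outchain"
fw -I forward -i "$device" -j "$fwdchain"

#--------------------------------------------------------------------------
#Optional security enhancement - set built-in forward chain policy to
#DENY or REJECT. If your main forward chain default policy is DENY/REJECT
#you will need to add the following rules to your main forward chain. It
#is a good idea to have all built-in chain default policies set for DENY or
#REJECT.

#define machine interfaces
#localif="eth0"
#staticif="eth1"   # cable modem users
#staticif="ppp0"   # dialup users

#a real sloppy way to get the peer ip address from the options file - a new
#argument with peer ip:port passed to script would be nice.
#both lines need to be uncommented
#peerfile=$(grep -- "$device" /etc/cipe/options.* | cut -f1 -d:)
#peer=$(grep peer "$peerfile" | cut -f1 -d: | awk '{print $2}')

#must log peer ip address for ip-down script
#echo "$peer" > "/var/run/$device.peerip"

#accept forwarding from localnet to remotenet on internal network interface
#fw -I forward -j ACCEPT -i "$localif" -s "$ipaddr/24" -d "$ptpaddr/24"
#accept forwarding from remotenet to localnet on internal network interface
#fw -I forward -j ACCEPT -i "$localif" -s "$ptpaddr/24" -d "$ipaddr/24"
#accept forwarding on staticif from me to peer
#myaddr=${me%%:*}
#fw -I forward -j ACCEPT -i "$staticif" -s "$myaddr" -d "$peer"
#--------------------------------------------------------------------------
#Other optional security enhancement
#block all incoming requests from everywhere to our cipe udp port
#except our peer's udp port

#need to determine udp ports for the cipe interfaces
#get our udp port
#if [[ -z "$option" ]]; then
#  myport=${me##*:}
#else
#  myport=$option
#fi

#get remote udp port -- peerfile variable must be set above
#peerport=$(grep peer "$peerfile" | cut -f2 -d:)

#must log peer udp port for ip-down script
#echo "$peerport" > "/var/run/$device.peerport"

#get our ip address
#myaddr=${me%%:*}

#deny and log all requests to cipe udp port must be inserted first
#fw -I input -j DENY -p udp -i "$staticif" -s 0/0 \
#  -d "$myaddr" "$myport" $log
#accept udp packets from peer at udp cipe port to my udp cipe port
#fw -I input -j ACCEPT -p udp -i "$staticif" -s "$peer" "$peerport" \
#  -d "$myaddr" "$myport"

#--------------------------------------------------------------------------
# Set up spoofing protection in kernel as an additional security measure
#--------------------------------------------------------------------------
#Why do I have spoofing protection in the firewall rules in addition to
#this script that sets up spoof protection for each interface in the
#kernel? Guess I'm paranoid.

if [[ -e /proc/sys/net/ipv4/conf/all/rp_filter ]]; then
  printf '%s' "Setting up IP spoofing protection..."
  iface="/proc/sys/net/ipv4/conf/$device/rp_filter"
  #the per-interface file can be missing even when conf/all exists; the
  #old form printed "done." regardless, so check the write explicitly
  echo 1 > "$iface" || die "cannot write $iface"
  printf 'done.\n'
else
  echo "Cannot setup spoof protection in kernel for $device" \
    | mail -s"Security Warning: $device" root
  exit 1
fi

exit 0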
|
|
</PRE>
|
|
<HR>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<H2><A NAME="ss6.2">6.2 /etc/cipe/ip-down</A>
|
|
</H2>
|
|
|
|
<H3>Kernel 2.0, ipfwadm, cipe 1.0.x</H3>
|
|
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<HR>
|
|
<PRE>
|
|
|
|
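#!/bin/bash

# ip-down <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
#3/29/1999
#An example ip-down script for the older 1.x 2.x kernels using ipfwadm that
#will remove firewall rules that were setup to connect your local class c
#network to a remote class c network.

#--------------------------------------------------------------------------
#Set some script variables. All six are passed by the daemon; me, pid and
#option are only needed by the optional sections further down.
device=$1   # the CIPE interface
me=$2       # our UDP address, ip:port
pid=$3      # the daemon's process ID
ipaddr=$4   # IP address of our CIPE device
ptpaddr=$5  # IP address of the remote CIPE device
option=$6   # argument supplied via options

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

#comment/uncomment to enable/disable kernel logging for all unauthorized
#access attempts. Must be same as ip-up script in order to remove rules.
#$log is deliberately expanded unquoted below: when it is empty it must add
#no argument at all to the ipfwadm command line.
log="-o"

#--------------------------------------------------------------------------
#Helpers

#non-zero once any rule could not be removed; reported through the exit
#status so a rule left behind does not go unnoticed
status=0

#die <message> - report to stderr and stop with status 1
die() {
  printf 'ip-down %s: %s\n' "$device" "$*" >&2
  exit 1
}

#warn <message> - report to stderr and keep going
warn() {
  printf 'ip-down %s: warning: %s\n' "$device" "$*" >&2
}

#fw <ipfwadm arguments> - run ipfwadm. Removal is best effort: a rule that
#cannot be deleted is reported and remembered, and the rest are still
#removed.
fw() {
  ipfwadm "$@" || { warn "ipfwadm $* failed"; status=1; }
}

[[ -n "$device" ]] || die "no interface name given"

#--------------------------------------------------------------------------
umask 022

# just a logging example
#echo "DOWN $*" >> /var/adm/cipe.log

# many systems like these pid files
#rm -f "/var/run/$device.pid"

#--------------------------------------------------------------------------
#cipe interface incoming firewall rules

#delete (deny all other incoming packets to cipe interface)
fw -I -d deny -W "$device" -S 0/0 -D 0/0 $log

#delete (accept incoming packets from remotenet to localnet on cipe
#interface)
fw -I -d accept -W "$device" -S "$ptpaddr/24" -D "$ipaddr/24"

#delete (accept incoming packets from localnet to remotenet on cipe
#interface)
fw -I -d accept -W "$device" -S "$ipaddr/24" -D "$ptpaddr/24"

#delete (deny incoming packets, cipe interface, claiming to be from
#localnet and log)
fw -I -d deny -W "$device" -S "$ipaddr/24" -D "$ipaddr/24" $log

#--------------------------------------------------------------------------
#cipe interface outgoing firewall rules

#delete (deny all other outgoing packets from cipe interface)
fw -O -d deny -W "$device" -S 0/0 -D 0/0 $log

#delete (accept outgoing from remotenet to localnet on cipe interface)
fw -O -d accept -W "$device" -S "$ptpaddr/24" -D "$ipaddr/24"

#delete (accept outgoing from localnet to remotenet on cipe interface)
fw -O -d accept -W "$device" -S "$ipaddr/24" -D "$ptpaddr/24"

#delete (deny outgoing to localnet from localnet, cipe interface, deny
#and log)
fw -O -d deny -W "$device" -S "$ipaddr/24" -D "$ipaddr/24" $log

#--------------------------------------------------------------------------
#cipe interface forwarding firewall rules

#delete (deny all other forwarding through cipe interface; log)
fw -F -d deny -W "$device" -S 0/0 -D 0/0 $log

#delete (accept forwarding from remotenet to localnet on cipe interfaces)
fw -F -d accept -W "$device" -S "$ptpaddr/24" -D "$ipaddr/24"

#delete (accept forwarding from localnet to remotenet on cipe interfaces)
fw -F -d accept -W "$device" -S "$ipaddr/24" -D "$ptpaddr/24"

#--------------------------------------------------------------------------
#Optional security enhancement - set default forward policy to
#DENY or REJECT. If your forwarding default policy is DENY/REJECT
#you will need to add the following rules to your main forward chain. It
#is a good idea to have all default policies set for DENY or
#REJECT.

#define machine interfaces
#localif="eth0"
#staticif="eth1"   # cable modem users
#staticif="ppp0"   # dialup users

#a real sloppy way to get the peer ip address from the options file - a new
#argument with peer ip:port passed to script would be nice.
#both lines need to be uncommented
#peerfile=$(grep -- "$device" /etc/cipe/options.* | cut -f1 -d:)
#peer=$(grep peer "$peerfile" | cut -f1 -d: | awk '{print $2}')

#must log peer ip address for ip-down script
#echo "$peer" > "/var/run/$device.peerip"

#delete (accept forwarding from localnet to remotenet on internal network
#interface)   -- note: the two "interface)" lines below used to lack the
#leading "#", which made the whole script a syntax error
#fw -F -d accept -W "$localif" -S "$ipaddr/24" -D "$ptpaddr/24"
#delete (accept forwarding from remotenet to localnet on internal network
#interface)
#fw -F -d accept -W "$localif" -S "$ptpaddr/24" -D "$ipaddr/24"
#delete (accept forwarding on staticif from me to peer)
#myaddr=${me%%:*}
#fw -F -d accept -W "$staticif" -S "$myaddr" -D "$peer"
#--------------------------------------------------------------------------
#Other optional security enhancement
#block all incoming requests from everywhere to our cipe udp port
#except our peer's udp port

#need to determine udp ports for the cipe interfaces
#get our udp port
#if [[ -z "$option" ]]; then
#  myport=${me##*:}
#else
#  myport=$option
#fi

#get remote udp port -- peerfile variable must be set above
#peerport=$(grep peer "$peerfile" | cut -f2 -d:)

#must log peer udp port for ip-down script
#echo "$peerport" > "/var/run/$device.peerport"

#get our ip address
#myaddr=${me%%:*}

#delete (deny and log all requests to cipe udp port must be inserted first)
#fw -I -d deny -P udp -W "$staticif" -S 0/0 -D "$myaddr" "$myport" $log
#delete (accept udp packets from peer at udp cipe port to my udp cipe port)
#fw -I -d accept -P udp -W "$staticif" -S "$peer" "$peerport" \
#  -D "$myaddr" "$myport"

exit "$status"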
|
|
</PRE>
|
|
<HR>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<H3>Kernel 2.1/2.2, ipchains, cipe 1.2.x</H3>
|
|
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<HR>
|
|
<PRE>
|
|
|
|
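#!/bin/sh
# ip-down <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
#3/29/1999
#An example ip-down script for the newer 2.1/2.2 kernels using ipchains
#that will remove firewall rules that were setup to connect your local
#class c network to a remote class c network. Optional security
#enhancement rules removal is also added and commented towards end of
#script.
#Send questions or comments to acj@home.com.
#
#This one runs under /bin/sh, so it sticks to POSIX constructs.

#--------------------------------------------------------------------------
#Set some script variables. All six are passed by the daemon; me, pid and
#option are only needed by the optional sections further down.
device=$1   # the CIPE interface
me=$2       # our UDP address, ip:port
pid=$3      # the daemon's process ID
ipaddr=$4   # IP address of our CIPE device
ptpaddr=$5  # IP address of the remote CIPE device
option=$6   # argument supplied via options
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

#comment/uncomment to enable/disable kernel logging for all unauthorized
#access attempts
#must be same as ip-up script in order to remove rules
#$log is deliberately expanded unquoted below: when it is empty it must add
#no argument at all to the ipchains command line.
log="-l"

#--------------------------------------------------------------------------
#Helpers

#non-zero once anything could not be removed; reported through the exit
#status so a chain or rule left behind does not go unnoticed
status=0

#die <message> - report to stderr and stop with status 1
die() {
  printf 'ip-down %s: %s\n' "$device" "$*" >&2
  exit 1
}

#warn <message> - report to stderr and keep going
warn() {
  printf 'ip-down %s: warning: %s\n' "$device" "$*" >&2
}

#fw <ipchains arguments> - run ipchains. Removal is best effort: a step
#that fails is reported and remembered, and the remaining steps still run.
fw() {
  ipchains "$@" || { warn "ipchains $* failed"; status=1; }
}

[ -n "$device" ] || die "no interface name given"

#the user defined chains are named after the interface, as in ip-up
inchain="${device}i"
outchain="${device}o"
fwdchain="${device}f"

#--------------------------------------------------------------------------
umask 022

# Logging example
#echo "DOWN $*" >> /var/adm/cipe.log

# remove the daemon pid file
#rm -f "/var/run/$device.pid"

#--------------------------------------------------------------------------
#remove rules from main input, output, and forward chains for cipe
#interface. This has to happen before the user defined chains are deleted
#below: a chain that is still referenced cannot be removed.
fw -D input -i "$device" -j "$inchain"
fw -D output -i "$device" -j "$outchain"
fw -D forward -i "$device" -j "$fwdchain"

#--------------------------------------------------------------------------
#flush all rules in cipe interface input chain
fw -F "$inchain"
#remove cipe interface input chain
fw -X "$inchain"

#--------------------------------------------------------------------------
#flush all rules in cipe interface output chain
fw -F "$outchain"
#remove cipe interface output chain
fw -X "$outchain"

#--------------------------------------------------------------------------
#flush all rules in cipe interface forward chain
fw -F "$fwdchain"
#remove cipe interface forward chain
fw -X "$fwdchain"

#--------------------------------------------------------------------------
#Remove optional security enhancement rules

#get peer ip address
#peer=$(cat "/var/run/$device.peerip")

#define machine interfaces
#localif="eth0"
#staticif="eth1"   # cable modem users
#staticif="ppp0"   # dialup users

#get our ip address
#myaddr=${me%%:*}

#delete (accept forwarding from localnet to remotenet on internal network
#interface)
#fw -D forward -j ACCEPT -i "$localif" -s "$ipaddr/24" -d "$ptpaddr/24"
#delete (accept forwarding from remotenet to localnet on internal network
#interface)
#fw -D forward -j ACCEPT -i "$localif" -s "$ptpaddr/24" -d "$ipaddr/24"
#delete (accept forwarding on staticif from me to peer)
#fw -D forward -j ACCEPT -i "$staticif" -s "$myaddr" -d "$peer"

#remove peer ip file
#rm -f "/var/run/$device.peerip"

#--------------------------------------------------------------------------
#Remove other optional security enhancement rules

#get peer udp port
#peerport=$(cat "/var/run/$device.peerport")

#get our udp port
#if [ -z "$option" ]; then
#  myport=${me##*:}
#else
#  myport=$option
#fi

#delete (deny and log all requests to cipe udp port must be inserted first)
#fw -D input -j DENY -p udp -i "$staticif" -s 0/0 \
#  -d "$myaddr" "$myport" $log
#delete (accept udp packets from peer at udp cipe port to my udp cipe port)
#fw -D input -j ACCEPT -p udp -i "$staticif" -s "$peer" "$peerport" \
#  -d "$myaddr" "$myport"

#remove peer port file
#rm -f "/var/run/$device.peerport"

#--------------------------------------------------------------------------

exit "$status"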
|
|
</PRE>
|
|
<HR>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
<P>
|
|
<HR>
|
|
<A HREF="Cipe+Masq-7.html">Next</A>
|
|
<A HREF="Cipe+Masq-5.html">Previous</A>
|
|
<A HREF="Cipe+Masq.html#toc6">Contents</A>
|
|
</BODY>
|
|
</HTML>
|