<HTML>
<HEAD>
<TITLE>Configure script for Example Gateway Server</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">
<LINK REL="HOME" TITLE="Securing and Optimizing Linux" HREF="index.html">
<LINK REL="UP" TITLE="Networking Firewall -Masquerading and Forwarding" HREF="Masq-forward.html">
<LINK REL="PREVIOUS" TITLE="Config /etc/rc.d/init.d/firewall script file -Gateway Server" HREF="chap12sec105.html">
<LINK REL="NEXT" TITLE="Deny access to some address" HREF="chap12sec107.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="chap12sec105.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 12. Networking Firewall - Masquerading and Forwarding</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="chap12sec107.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="AEN6824">12.3. Configure script for Example Gateway Server</A></H1>
<P
>This is the configuration script file for our Gateway Server. By default, this configuration allows unlimited traffic on the Loopback interface, <SPAN CLASS="acronym">ICMP</SPAN>, <SPAN CLASS="acronym">DNS</SPAN> Server and Client (53), <SPAN CLASS="acronym">SSH</SPAN> Server and Client (22), <SPAN CLASS="acronym">HTTP</SPAN> Server and Client (80), <SPAN CLASS="acronym">HTTPS</SPAN> Server and Client (443), <SPAN CLASS="acronym">POP</SPAN> Client (110), <SPAN CLASS="acronym">NNTP</SPAN> NEWS Client (119), <SPAN CLASS="acronym">SMTP</SPAN> Server and Client (25), <SPAN CLASS="acronym">IMAP</SPAN> Server (143), <SPAN CLASS="acronym">IRC</SPAN> Client (6667), <SPAN CLASS="acronym">ICQ</SPAN> Client (4000), <SPAN CLASS="acronym">FTP</SPAN> Client (20, 21), RealAudio / QuickTime Client, and OUTGOING TRACEROUTE requests.
</P>
<P>
If you don't want some of the services that I enable by default in the firewall rules file for the Gateway Server, comment them out with a "#" at the beginning of the line. If you want some other services that I commented out with a "#", remove the "#" at the beginning of their lines. If you have configured Masquerading on your server, don't forget to uncomment the modules necessary to masquerade the services you need, such as <TT CLASS="filename">ip_masq_irc.o</TT>, <TT CLASS="filename">ip_masq_raudio.o</TT>, etc., under the MODULES MASQUERADING section of the firewall script file.
</P>
<P>
Create the firewall script file (<B CLASS="command">touch</B> <TT CLASS="filename">/etc/rc.d/init.d/firewall</TT>) on your Gateway Server and add:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><PRE CLASS="programlisting">#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 04-25-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
#              used to provide Firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up (quoted so an unset NETWORKING does not break the test).
if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

# See how we were called.
case "$1" in
  start)
    echo -n "Starting Firewalling Services: "

    # Some definitions for easy maintenance.

    # ----------------------------------------------------------------------------
    # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

    EXTERNAL_INTERFACE="eth0"              # Internet connected interface
    LOCAL_INTERFACE_1="eth1"               # Internal LAN interface
    LOOPBACK_INTERFACE="lo"                # Your local naming convention
    IPADDR="my.ip.address"                 # Your <SPAN CLASS="acronym">IP</SPAN> address
    LOCALNET_1="192.168.1.0/24"            # Whatever private range you use
    IPSECSG="my.ipsecsg.address"           # Space separated list of remote VPN gateways
    FREESWANVI="ipsec0"                    # Space separated list of virtual interfaces
    ANYWHERE="any/0"                       # Match any <SPAN CLASS="acronym">IP</SPAN> address
    NAMESERVER_1="my.name.server.1"        # Everyone must have at least one
    NAMESERVER_2="my.name.server.2"        # Your secondary name server
    MY_ISP="my.isp.address.range/24"       # ISP <SPAN CLASS="acronym">&</SPAN> NOC address range

    SMTP_SERVER="my.smtp.server"           # Your Mail Hub Server.
    POP_SERVER="my.pop.server"             # External pop server, if any
    NEWS_SERVER="my.news.server"           # External news server, if any
    SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server

    LOOPBACK="127.0.0.0/8"                 # Reserved loopback address range
    CLASS_A="10.0.0.0/8"                   # Class A private networks
    CLASS_B="172.16.0.0/12"                # Class B private networks
    CLASS_C="192.168.0.0/16"               # Class C private networks
    CLASS_D_MULTICAST="224.0.0.0/4"        # Class D multicast addresses
    CLASS_E_RESERVED_NET="240.0.0.0/5"     # Class E reserved addresses
    BROADCAST_SRC="0.0.0.0"                # Broadcast source address
    BROADCAST_DEST="255.255.255.255"       # Broadcast destination address
    PRIVPORTS="0:1023"                     # Well known, privileged port range
    UNPRIVPORTS="1024:65535"               # Unprivileged port range

    # ----------------------------------------------------------------------------

    # <SPAN CLASS="acronym">SSH</SPAN> starts at 1023 and works down to 513 for
    # each additional simultaneous incoming connection.
    SSH_PORTS="1022:1023"                  # range for <SPAN CLASS="acronym">SSH</SPAN> privileged ports

    # traceroute usually uses -S 32769:65535 -D 33434:33523
    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"

    # ----------------------------------------------------------------------------
    # Default policy is DENY
    # Explicitly accept desired INCOMING <SPAN CLASS="acronym">&</SPAN> OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Clearing all current rules and user defined chains
    ipchains -X

    # Set the default policy of the filter to deny.
    # Don't even bother sending an error message back.
    ipchains -P input DENY
    ipchains -P output DENY
    ipchains -P forward DENY

    # set masquerade timeout to 10 hours for tcp connections
    ipchains -M -S 36000 0 0

    # Don't forward fragments. Assemble before forwarding.
    ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY

    # ----------------------------------------------------------------------------
    # MODULES MASQUERADING
    # Uncomment below all the module lines that you need

    # These modules are necessary to masquerade their respective services.
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
    /sbin/modprobe ip_masq_irc
    #/sbin/modprobe ip_masq_vdolive
    #/sbin/modprobe ip_masq_cuseeme
    #/sbin/modprobe ip_masq_quake
    # ----------------------------------------------------------------------------
    # LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

    # ----------------------------------------------------------------------------
    # Network Ghouls
    # Deny access to jerks

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites
    #if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    #    . /etc/rc.d/rc.firewall.blocked
    #fi

    # ----------------------------------------------------------------------------
    # SPOOFING <SPAN CLASS="acronym">&</SPAN> BAD ADDRESSES
    # Refuse spoofed packets.
    # Ignore blatantly illegal source addresses.
    # Protect yourself from sending to bad addresses.

    # Refuse spoofed packets pretending to be from the external address.
    ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

    # Refuse packets claiming to be to or from a Class A private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

    # Refuse packets claiming to be to or from a Class B private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

    # Refuse packets claiming to be to or from a Class C private network
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
    # ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
    # ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
    # ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

    # Refuse packets claiming to be from the loopback interface
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

    # Refuse broadcast address SOURCE packets
    ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

    # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

    # Refuse Class E reserved <SPAN CLASS="acronym">IP</SPAN> addresses
    ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

    # refuse addresses defined as reserved by the IANA
    # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
    # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
    # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
    # (This list reflects the IANA allocation table as of 2000; most of these
    # blocks have since been allocated, so check a current bogon list before
    # reusing it on a live system.)
    ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

    #65: 01000001 - /3 includes 64 - need 65-79 spelled out
    ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

    #80: 01010000 - /4 masks 80-95
    ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

    #96: 01100000 - /4 masks 96-111
    ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

    #126: 01111110 - /3 includes 127 - need 112-126 spelled out
    ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

    #217: 11011001 - /5 includes 216 - need 217-219 spelled out
    ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
    ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

    #223: 11011111 - /6 masks 220-223
    ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

    # ----------------------------------------------------------------------------
    # <SPAN CLASS="acronym">ICMP</SPAN>

    # To prevent denial of service attacks based on <SPAN CLASS="acronym">ICMP</SPAN> bombs, filter
    # incoming Redirect (5) and outgoing Destination Unreachable (3).
    # Note, however, disabling Destination Unreachable (3) is not
    # advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    # Message Types: Echo_Reply (0), Echo_Request (8)
    # To prevent attacks, limit the src addresses to your ISP range.
    #
    # For outgoing traceroute.
    # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    # default UDP base: 33434 to base+nhops-1
    #
    # For incoming traceroute.
    # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    # To block this, deny OUTGOING 3 and 11

    # 0: echo-reply (pong)
    # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    # 4: source-quench
    # 5: redirect
    # 8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $MY_ISP 8 -d $IPADDR -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 0 -d $MY_ISP -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 3 -d $MY_ISP -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 11 -d $MY_ISP -j ACCEPT

    # ----------------------------------------------------------------------------
    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $MY_ISP $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

    # ----------------------------------------------------------------------------
    # <SPAN CLASS="acronym">DNS</SPAN> server
    # ----------

    # <SPAN CLASS="acronym">DNS</SPAN>: full server
    # server/client to server query or response

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 53 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # <SPAN CLASS="acronym">DNS</SPAN> client (53)
    # ---------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

    # TCP client to server requests are allowed by the protocol
    # if UDP requests fail. This is rarely seen. Usually, clients
    # use TCP as a secondary nameserver for zone transfers from
    # their primary nameservers, and as hackers.

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

    # ----------------------------------------------------------------------------
    # TCP accept only on selected ports
    # ---------------------------------
    # ------------------------------------------------------------------

    # <SPAN CLASS="acronym">SSH</SPAN> server (22)
    # ---------------

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 22 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $SSH_PORTS \
             -d $IPADDR 22 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $SSH_PORTS -j ACCEPT

    # <SPAN CLASS="acronym">SSH</SPAN> client (22)
    # ---------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 22 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 22 -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 22 \
             -d $IPADDR $SSH_PORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $SSH_PORTS \
             -d $ANYWHERE 22 -j ACCEPT

    # ------------------------------------------------------------------

    # <SPAN CLASS="acronym">HTTP</SPAN> client (80)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 80 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 80 -j ACCEPT

    # ------------------------------------------------------------------

    # <SPAN CLASS="acronym">HTTPS</SPAN> client (443)
    # ------------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 443 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 443 -j ACCEPT

    # ------------------------------------------------------------------

    # POP client (110)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $POP_SERVER 110 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $POP_SERVER 110 -j ACCEPT

    # ------------------------------------------------------------------

    # NNTP NEWS client (119)
    # ----------------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NEWS_SERVER 119 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NEWS_SERVER 119 -j ACCEPT

    # ------------------------------------------------------------------

    # FINGER client (79)
    # ------------------
    # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    #          -s $ANYWHERE 79 \
    #          -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    #          -s $IPADDR $UNPRIVPORTS \
    #          -d $ANYWHERE 79 -j ACCEPT

    # ------------------------------------------------------------------

    # SYSLOG client (514)
    # -------------------

    # ipchains -A output -i $LOCAL_INTERFACE_1 -p udp \
    #          -s $IPADDR 514 \
    #          -d $SYSLOG_SERVER 514 -j ACCEPT

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE \
             -d $IPADDR 113 -j REJECT

    # AUTH client (113)
    # -----------------
    # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    #          -s $ANYWHERE 113 \
    #          -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    #          -s $IPADDR $UNPRIVPORTS \
    #          -d $ANYWHERE 113 -j ACCEPT

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 25 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 25 -j ACCEPT

    # ------------------------------------------------------------------

    # IRC client (6667)
    # -----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 6667 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 6667 -j ACCEPT

    # ------------------------------------------------------------------

    # ICQ client (4000)
    # -----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 2000:4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 2000:4000 -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 4000 -j ACCEPT

    # ------------------------------------------------------------------

    # FTP client (20, 21)
    # -------------------

    # outgoing request
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 21 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 21 -j ACCEPT

    # NORMAL mode data channel
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE 20 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # NORMAL mode data channel responses
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 20 -j ACCEPT

    # PASSIVE mode data channel creation
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # PASSIVE mode data channel responses
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # RealAudio / QuickTime client
    # ----------------------------

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 554 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 554 -j ACCEPT

    # TCP is a more secure method: 7070:7071

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 7070:7071 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 7070:7071 -j ACCEPT

    # UDP is the preferred method: 6970:6999
    # For LAN machines, UDP requires the RealAudio masquerading module and
    # the ipmasqadm third-party software.

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 6970:6999 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------
    # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    #          -s $ANYWHERE 43 \
    #          -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    #          -s $IPADDR $UNPRIVPORTS \
    #          -d $ANYWHERE 43 -j ACCEPT

    # ------------------------------------------------------------------

    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $TRACEROUTE_SRC_PORTS \
             -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

    # ----------------------------------------------------------------------------
    # Unlimited traffic within the local network.

    # All internal machines have access to the firewall machine.

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

    # ----------------------------------------------------------------------------
    # FreeS/WAN IPSec VPN
    # -------------------

    # If you are using the FreeSWAN IPSec VPN, you will need to fill in the
    # addresses of the gateways in the IPSECSG and the virtual interfaces for
    # FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of
    # this firewall script rules file to set the parameters.

    # IPSECSG is a Space separated list of remote gateways. FREESWANVI is a
    # Space separated list of virtual interfaces for FreeS/Wan IPSEC
    # implementation. Only include those that are actually used.

    # Allow IPSEC protocol from remote gateways on external interface
    # IPSEC uses three main types of packet:
    # IKE uses the UDP protocol and port 500,
    # ESP uses the protocol number 50, and
    # AH uses the protocol number 51

    # ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    #          -s $IPSECSG -j ACCEPT

    # ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    #          -d $IPSECSG -j ACCEPT

    # ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \
    #          -s $IPSECSG -j ACCEPT

    # ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \
    #          -d $IPSECSG -j ACCEPT

    # ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \
    #          -s $IPSECSG -j ACCEPT

    # ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \
    #          -d $IPSECSG -j ACCEPT

    # Allow all traffic to FreeS/WAN Virtual Interface
    # ipchains -A input -i $FREESWANVI \
    #          -s $ANYWHERE \
    #          -d $ANYWHERE -j ACCEPT

    # ipchains -A output -i $FREESWANVI \
    #          -s $ANYWHERE \
    #          -d $ANYWHERE -j ACCEPT

    # Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
    # ipchains -A forward -i $FREESWANVI \
    #          -s $ANYWHERE \
    #          -d $ANYWHERE -j ACCEPT

    # Disable <SPAN CLASS="acronym">IP</SPAN> spoofing protection to allow IPSEC to work properly
    # echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
    # echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

    # ----------------------------------------------------------------------------
    # Masquerade internal traffic.

    # All internal traffic is masqueraded externally.

    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

    # ----------------------------------------------------------------------------
    # Enable logging for selected denied packets

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
             -d $IPADDR -j DENY -l

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -d $IPADDR $PRIVPORTS -j DENY -l

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
             -d $IPADDR $UNPRIVPORTS -j DENY -l

    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 5 -d $IPADDR -j DENY -l

    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

    # ----------------------------------------------------------------------------

    ;;
  stop)
    echo -n "Shutting down Firewalling Services: "

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Delete all user-defined chains belonging to this filter
    ipchains -X

    # Reset the default policy of the filter to accept.
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward ACCEPT

    ;;
  status)
    status firewall
    ;;
  restart|reload)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
esac

exit 0
</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
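The -l flag on the DENY rules in the "Enable logging for selected denied packets" block makes the kernel write a "Packet log:" line to syslog for every packet those rules drop. The Python script below is an added example, not part of the book's firewall script: it parses such lines, sorts each denied packet into the same families the script's logging rules use (TCP to the gateway, UDP to privileged or unprivileged ports, ICMP redirect, ICMP types 13 to 255), and lists sources whose denied SYNs reached several different ports. It assumes the Linux 2.2 ipchains log format and that $PRIVPORTS and $UNPRIVPORTS were defined as 0:1023 and 1024:65535; the log lines embedded in it are constructed samples, not captured from a real host.

```python
"""Triage helper for the syslog lines written by the ``-j DENY -l`` rules
of the gateway firewall script.

Added example, not part of the book's script.  Assumes the Linux 2.2
ipchains "Packet log:" format and that $PRIVPORTS / $UNPRIVPORTS are
0:1023 / 1024:65535.  SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of syslog lines as produced by ipchains ``-l``.
# For ICMP the two "port" fields carry the ICMP type and code.
SAMPLE_LOG = """\
Jan  5 10:01:02 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:41022 192.0.2.1:23 L=60 S=0x00 I=17412 F=0x4000 T=48 SYN (#61)
Jan  5 10:01:03 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:41023 192.0.2.1:22 L=60 S=0x00 I=17413 F=0x4000 T=48 SYN (#61)
Jan  5 10:01:09 deep kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 192.0.2.1:111 L=40 S=0x00 I=2 F=0x0000 T=60 (#62)
Jan  5 10:01:11 deep kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:6000 192.0.2.1:31337 L=40 S=0x00 I=3 F=0x0000 T=60 (#63)
Jan  5 10:01:15 deep kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:5 192.0.2.1:1 L=56 S=0x00 I=4 F=0x0000 T=48 (#64)
Jan  5 10:01:16 deep kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:13 192.0.2.1:0 L=56 S=0x00 I=5 F=0x0000 T=48 (#65)
Jan  5 10:01:17 deep kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.9:1234 192.0.2.1:80 L=60 S=0x00 I=6 F=0x4000 T=60 SYN (#10)
Jan  5 10:01:18 deep kernel: eth0: link is up
"""

# chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [flags] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ "
    r"I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)(?P<rest>.*?)\(#(?P<rule>\d+)\)"
)


def parse_log(text):
    """Return one dict per ipchains log line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("proto", "sport", "dport", "len", "ttl", "rule"):
            rec[key] = int(rec[key])
        rec["flags"] = rec.pop("rest").split()  # e.g. ["SYN"] or []
        records.append(rec)
    return records


def classify(rec):
    """Map a packet onto the rule family of the script's logging block."""
    proto = rec["proto"]
    if proto == 6:
        return "tcp-to-gateway"
    if proto == 17:
        return "udp-privileged" if rec["dport"] < 1024 else "udp-unprivileged"
    if proto == 1:
        icmp_type = rec["sport"]  # ipchains logs type:code in the port fields
        if icmp_type == 5:
            return "icmp-redirect"
        if 13 <= icmp_type <= 255:
            return "icmp-type-13-255"
        return "icmp-other"
    return "other-protocol"


def summarize_denied(text):
    """{source IP: Counter(category -> count)} for DENY entries only."""
    summary = defaultdict(Counter)
    for rec in parse_log(text):
        if rec["target"] == "DENY":
            summary[rec["src"]][classify(rec)] += 1
    return dict(summary)


def syn_scan_suspects(text, min_ports=3):
    """Sources whose denied TCP SYNs hit at least ``min_ports`` distinct ports."""
    ports = defaultdict(set)
    for rec in parse_log(text):
        if rec["target"] == "DENY" and rec["proto"] == 6 and "SYN" in rec["flags"]:
            ports[rec["src"]].add(rec["dport"])
    return sorted(src for src, hit in ports.items() if len(hit) >= min_ports)


if __name__ == "__main__":
    for src, counts in sorted(summarize_denied(SAMPLE_LOG).items()):
        print(src, dict(counts))
    print("possible port probes:", syn_scan_suspects(SAMPLE_LOG, min_ports=2))
```

Feed it the kernel facility output from /var/log/messages instead of SAMPLE_LOG to get a per-source breakdown; the categories line up one-to-one with the five DENY rules, so a category that never appears tells you that rule is not seeing traffic, which is a cheap way to confirm the rules are in place after a restart.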
</P
><P
> Now, make this script executable and change its default permissions:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep] /#<B
CLASS="command"
>chmod</B
> 700 /etc/rc.d/init.d/firewall
[root@deep] /#<B
CLASS="command"
>chown</B
> 0.0 /etc/rc.d/init.d/firewall
</PRE
></TD
></TR
></TABLE
>
</P
><P
> Create the symbolic <TT
CLASS="filename"
>rc.d</TT
> links for your Firewall with the command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep] /#<B
CLASS="command"
>chkconfig</B
> --add firewall
[root@deep] /#<B
CLASS="command"
>chkconfig</B
> --level 345 firewall on
</PRE
></TD
></TR
></TABLE
>
Now your firewall rules are configured to use System <TT
CLASS="literal"
>V</TT
> init (System <TT
CLASS="literal"
>V</TT
> <EM
>init is in charge of starting all the normal processes that need to run at boot time</EM
>), so the firewall will
be started automatically each time your server reboots.
</P
><P
> To manually stop the firewall on your system, use the following command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep] /# /etc/rc.d/init.d/firewall <B
CLASS="command"
>stop</B
>
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
> Shutting Firewalling Services: [ OK ]
</TT
></PRE
></TD
></TR
></TABLE
>
</P
><P
> To manually start the firewall on your system, use the following command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep] /# /etc/rc.d/init.d/firewall <B
CLASS="command"
>start</B
>
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="literallayout"
><TT
CLASS="computeroutput"
> Starting Firewalling Services: [ OK ]
</TT
></PRE
></TD
></TR
></TABLE
>
</P
></DIV
></BODY
></HTML
>