source: genesis/tools/firewall@ 5172

Last change on this file since 5172 was 4317, checked in by dirkx, 20 years ago

Fixing line types

  • Property svn:eol-style set to native
File size: 3.8 KB
RevLine 
[813]1#! /bin/bash
2# -x
3#
4#
5
6if [ "$1" != "-n" ]
7then
8 /bin/bash -n $0 $* || exit 1 # Check op Syntax errors!
9fi
10#echo Syntax $0 OK!
11
12. /etc/wireless.conf.sh
13
14ic='/sbin/ipchains'
15nm='/usr/local/bin/netmask'
16
17echo 0 > /proc/sys/net/ipv4/ip_forward
18
19PATH="/sbin:/usr/sbin:/usr/local/sbin/:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/lib/java/bin:/usr/games/bin:/usr/games:/opt/gnome/bin:/opt/kde/bin:/usr/openwin/bin";
20
21gw=`route -n |grep '^0.0.0.0'|tr -s ' '`
22
23if [ "$gw" != "" ]
24then
25 gw_if=`echo $gw|cut -d ' ' -f 8` # gw. dev.
26 def_gw=`echo $gw|cut -d ' ' -f 2` # def. gw
27else
28 gw_if=eth0
29 def_gw=99.99.99.99
30
31fi
32 gwif_ip=`$nm $gw_if i`
33 good_net=`$nm $gw_if m`
34
35
36wifs=`/sbin/ifconfig|cut -d ' ' -f 1|grep -v '^$'|grep -v $gw_if|grep -v lo`
37wifs_major=`/sbin/ifconfig|cut -d ' ' -f 1|grep -v '^$'|grep -v $gw_if|grep -v lo|grep -v ':'`
38
39wif_ip=`$nm wlan0 i`
40wnet=172.16.0.0/12
41
42tports='22 37 53 80 3128' # ssh,time,domain,http,squid
43uports='53 3130' # domain,squid
44
45modprobe ipchains
46
47
48in="$ic -A input"
49out="$ic -A output"
50fw="$ic -A forward"
51
52#modprobe ip_masq_autofw
53#modprobe ip_masq_cuseeme
54#modprobe ip_masq_ftp
55#modprobe ip_masq_irc
56#modprobe ip_masq_mfw
57#modprobe ip_masq_portfw
58#modprobe ip_masq_quake
59#modprobe ip_masq_raudio
60#modprobe ip_masq_user
61#modprobe ip_masq_vdolive
62
63$ic -F input
64$ic -F output
65$ic -F forward
66
67
68echo Default policy
69
70$ic -P input REJECT
71$ic -P output ACCEPT
72$ic -P forward DENY # pings return
73
74$ic -X
75
76######### Incoming
77
78echo Incoming
79
80$in -i lo -j ACCEPT
81
82$in -s 0.0.0.0/0 bootpc -d 255.255.255.255 bootps -p udp -j ACCEPT # DHCP op broadcast
83$in -s 0.0.0.0/0 bootpc -d 255.255.255.255 bootps -p tcp -j ACCEPT # DHCP op broadcast
84
85$in -d 224.0.0.5 -p 89 -j ACCEPT # OSPF
86$in -d 224.0.0.6 -p 89 -j ACCEPT # OSPF
87$in -d 224.0.0.5 -p 2 -j ACCEPT # OSPF
88$in -d 224.0.0.6 -p 2 -j ACCEPT # OSPF
89
90for if in $wifs_major
91do
92 ip=`$nm $if i`
93 $in -s 0.0.0.0/0 bootpc -d $ip bootps -i $if -p udp -j ACCEPT # DHCP op eigen ip
94 $in -s 0.0.0.0/0 bootpc -d $ip bootps -i $if -p tcp -j ACCEPT # DHCP op eigen ip
95 $in -s ! $wnet -i $if -j DENY -l # Spoofing; alleen wnet ip wifs.
96done
97
98for p in $tports
99do
100 $in -d $gwif_ip $p -p tcp -j ACCEPT # tports op gwif_ip
101 $in -d $wif_ip $p -p tcp -j ACCEPT # tports op wif_ip
102done
103
104for p in $uports
105do
106 $in -d $gwif_ip $p -p udp -j ACCEPT # uports op gwif_ip
107 $in -d $wif_ip $p -p udp -j ACCEPT # uports op wif_ip
108done
109
110
111$in -d $good_net -s $wnet ! -y -p tcp -j ACCEPT # established sessions
112
113$in -d $gwif_ip ! -y -p tcp -j ACCEPT # established sessions
114for if in $wifs
115do
116 ip=`$nm $if i`
117 $in -d $ip -s $wnet ! -y -p tcp -j ACCEPT # established sessions
118done
119
120
121for if in $wifs $gw_if
122do
123 ip=`$nm $if i`
124
125 $in -d $ip 53 -p udp -j ACCEPT # named wel,
126 $in -d $ip --sport 53 -p udp -j ACCEPT # named wel.
127 # Want named source adres wordt door named gekozen afhankelijk van de if.
128
129 $in -d $ip -p icmp -j ACCEPT # icmp wel.
130
131 $in -d $ip -p 89 -j ACCEPT # OSPF
132 $in -d $ip -p 2 -j ACCEPT # OSPF
133
134 $in -d $ip -j REJECT -l # Vangnet
135done
136
137$in -d $wnet -j ACCEPT # dst wireless=okay
138
139if [ "$gw_open" != "open" ]
140then
141 for if in $wifs_major
142 do
143 $in -d ! $good_net -s $wnet -i $if -j ACCEPT # wel naar Internet, niet naar goodnet.
144 done
145fi
146
147#$in --dport 137:139 -j REJECT # Netbios
148$in -j REJECT -l # vangnet
149
150######### Forward
151
152echo forwarding
153
154echo 1 > /proc/sys/net/ipv4/ip_forward
155
156$fw -d $gwif_ip ! -y -p tcp -j ACCEPT # established sessions
157for if in $wifs
158do
159 ip=`$nm $if i`
160 $fw -d $ip -s $wnet ! -y -p tcp -j ACCEPT # established sessions
161done
162
163$fw -s $good_net -d $wnet -j MASQ # dst wireless=okay
164
165if [ "$gw_open" != "open" ]
166then
167 $fw -d ! $good_net -i $gw_if -j MASQ # naar Internet = okay
168fi
169
170$fw -j REJECT -l # vangnet
171
172
173#########
174
175
176#ipchains -nxvL
177
Note: See TracBrowser for help on using the repository browser.