Hello. I'm moving from a very old Fedora Core 1 to CentOS 4.4, what a change!! Three years ago, I wrote a script (network related) and it worked very well. Now, I can put it into init.d by means of chkconfig and I restarted the system, but it always hangs when executing my script (in my new CentOS 4.4). Is there a manual for making scripts for init.d? Is there some new requirement because of which it does not work anymore? Thanks a lot!!!!
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Linux Man Sent: Sunday, December 17, 2006 8:30 PM To: centos@centos.org Subject: [CentOS] creating script for init.d
Are you using the 'su' command in your script?
This happened to me when I moved to RHEL4/CentOS 4. My problem was due to SELinux. I was using the 'su' command. When I changed it to use the 'runuser' command instead, it worked fine. The reason it was hanging for me is that using the su command produces a context question on the console (during password checking) for which I had to press enter. With 'runuser', you don't get the SELinux context question.
Michael
I'm not using "su". I don't know what I can do!
2006/12/18, Michael Velez mikev777@hotmail.com:
Linux Man wrote:
I'm not using "su". I don't know how can I do!
Ah, you're doing fine. No need in telling us the error you get, no need in showing us (at least the part of) the script which doesn't work - Well, that'll sure generate *lots* of help.
Anyone in need of a crystal ball?
Setting up Shoppe,
Ralph
Sorry, I sent the script to a particular address but not to the address that I wanted (the whole CentOS mailing list), again, sorry.
If I execute it in a terminal as root, it works without problem, but if I set it to load at boot time (with chkconfig) there isn't a visual error, it just hangs.
Using "echo" I isolated the problematic part, this is:

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

Why does it hang? Any idea? Thanks a lot
2006/12/19, Ralph Angenendt ra+centos@br-online.de:
Ralph Angenendt......ra@br-online.de | .."Text processing has made it possible Bayerischer Rundfunk...80300 München | ....to right-justify any idea, even one Programmbereich.Bayern 3, Jugend und | .which cannot be justified on any other Multimedia.........Tl:089.5900.16023 | ..........grounds." -- J. Finnegan, USC
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Linux Man Sent: Tuesday, December 19, 2006 11:40 PM To: CentOS mailing list Subject: Re: [CentOS] creating script for init.d
Is there any message that appears in /var/log/messages?
What happens if you just press the <ENTER> key when it hangs?
Michael
If I hit ENTER nothing happens (even with lots of enters). In /var/log/messages it seems to complete the script; I'm really confused (and :( of course). Could it be SELinux? Can I disable it to try? At the terminal everything works smoothly, I don't understand why it hangs at boot time. Thanks a lot guys for your help!!
2006/12/20, Michael Velez mikev777@hotmail.com:
This is what I found in /var/log/messages:

Dec 21 02:02:28 Promaster firewall.light: + /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.15.50 -j SNAT --to-source 192.168.1.5
Dec 21 02:02:28 Promaster firewall.light: + echo ...done
Dec 21 02:02:28 Promaster firewall.light: + echo ''
Dec 21 02:02:28 Promaster firewall.light: + echo '--> IPTABLES firewall loaded/activated <--'
Dec 21 02:02:28 Promaster firewall.light: + exit 0
Dec 21 02:02:28 Promaster rc: Iniciando firewall.light: succeeded
Dec 21 02:02:28 Promaster haldaemon: Iniciación de haldaemon succeeded
Dec 21 02:02:28 Promaster fstab-sync[3722]: removed all generated mount points
Dec 21 02:02:28 Promaster fstab-sync[3739]: added mount point /media/cdrom for /dev/hdc
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22436 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22438 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22440 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK PSH URGP=0

As you can see, it looks like the script executes fine, but the keyboard, monitor, mouse, etc. hang. Nevertheless there's some activity from lo to lo ?¿?¿?¿
2006/12/20, Linux Man linuxman.uru@gmail.com:
2006/12/20, Michael Velez mikev777@hotmail.com:
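An added example, not code from the thread, for reading entries like the ones Linux Man posted: the kernel lines are iptables LOG output carrying the fireparse-style prefix that the posted script sets in its LINVALID chain (fp=INVALID:1 a=DROP), followed by the packet header fields. The script below summarises such lines by prefix, action, input interface and destination, and counts the loopback drops separately, since a packet dropped with IN=lo is the box talking to itself. The sample input is constructed: the three loopback entries from the thread plus one invented eth0 entry (203.0.113.7 is a documentation address, not a real host).

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries of the form the posted script
# produces (prefix "fp=<name>:<n> a=<action> " followed by the packet header).
# Constructed sample input: the three loopback entries from the thread plus one
# invented eth0 entry (203.0.113.7 is a documentation address, not a real host).
FW_LOG_SAMPLE='Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22436 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22438 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 21 02:02:29 Promaster kernel: fp=INVALID:1 a=DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=16436 TOS=0x00 PREC=0x00 TTL=64 ID=22440 DF PROTO=TCP SPT=32768 DPT=6009 WINDOW=8192 RES=0x00 ACK PSH URGP=0
Dec 21 02:03:01 Promaster kernel: fp=TCP:1 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=4444 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read syslog lines on stdin; print "<count> <prefix> <action> <in-if> <proto> <src> <dst>:<dport>"
# for every distinct combination, most frequent first. Lines without a "fp=" LOG
# prefix (other kernel messages, the script's own "+ ..." trace lines) are ignored.
summarize_fw_log() {
    awk '
    / kernel: fp=/ {
        fp = ""; act = ""; inif = ""; src = ""; dst = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue            # flag tokens such as DF, ACK, SYN
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "fp") fp = v
            else if (k == "a") act = v
            else if (k == "IN") inif = v
            else if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        count[fp " " act " " inif " " proto " " src " " dst ":" dpt]++
    }
    END { for (key in count) print count[key], key }' | sort -rn
}

# Number of logged drops whose input interface is lo: traffic from the box to
# itself. A non-zero value right after a firewall (re)load points at rule order
# on the firewall, not at an external source.
loopback_drops() {
    grep -c 'a=DROP IN=lo ' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$FW_LOG_SAMPLE" | summarize_fw_log
printf 'loopback drops: %s\n' "$(printf '%s\n' "$FW_LOG_SAMPLE" | loopback_drops)"
```

On a live box the same functions work on the real file, e.g. `summarize_fw_log < /var/log/messages`; the first column tells you which logging chain fired most, and the IN= column separates local from external traffic.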
On Thu, 2006-12-21 at 01:43 -0300, Linux Man wrote:
---- I suppose I am missing something here but I'll offer a theory though without looking at your code, one could only guess what your problem might be.
iptables is a service already as part of the distribution.
/sbin/service iptables save # saves the current rules to /etc/sysconfig/iptables
you can either edit this file, or change your rulesets in real time and then execute a save at any time per above.
At startup, these rules are automatically loaded...no need to write your own script for init.d where iptables are concerned
Craig
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Linux Man Sent: Wednesday, December 20, 2006 11:44 PM To: CentOS mailing list Subject: Re: [CentOS] creating script for init.d
At this point, I doubt you have the same problem I had (SELinux is not asking a question for you to respond to). What Craig is saying is accurate. CentOS 4.4 already has an iptables script. You should start with that. Then add your customized iptables rules from the command line and once you have verified them, save them to /etc/sysconfig/iptables with 'service iptables save'. Are you using your old Fedora iptables script?
I don't know enough about the iptables script to help you out here. Other experts on the list should know but starting from the base Centos 4.4 script should be better. In any case, I posted your own script below (which you had sent out).
Michael
This is the script that I use, is there something wrong?
#!/bin/bash
#Script configured and optimised for the SunSet server
#
#chkconfig: 35 98 27
#
#Description: Firewall

# Location of the iptables binary and its commands
IPTABLES="/sbin/iptables"

case "$1" in
stop)
    echo "Shutting down firewall..."
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "...done"
    ;;
status)
    echo $"Table: filter"
    $IPTABLES --list
    echo $"Table: nat"
    $IPTABLES -t nat --list
    echo $"Table: mangle"
    $IPTABLES -t mangle --list
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
start)
    echo "Starting Firewall..."
    echo ""
    ##--------------------------Firewall start---------------------------------##

    #----Default interfaces-----#

    ## External interface (to the Internet)
    DEFAULT_EXTIF="eth0"

    ## Internal interface (to the LAN)
    DEFAULT_INTIF="eth1"

    ## Internal interface (to the CAMERA)
    DEFAULT_CAMIF="eth2"

    #----Special variables-----#

    # IP and mask matching every IP (all)
    UNIVERSE="0.0.0.0/0"

    # Specification of the high unprivileged IP ports.
    UNPRIVPORTS="1024:65535"

    # Specification of X Window System (TCP) ports.
    XWINPORTS="6000:6063"

    # Ports for IRC-Connection-Tracking
    IRCPORTS="6665,6666,6667,6668,6669,7000"

    # Cybercafe machines
    A1="192.168.0.3"
    A2="192.168.0.4"
    A3="192.168.0.5"
    A4="192.168.0.6"
    A5="192.168.0.7"
    A6="192.168.0.8"
    A7="192.168.0.9"
    A8="192.168.0.10"
    B1="192.168.0.11"
    B2="192.168.0.12"
    B3="192.168.0.13"
    B4="192.168.0.14"
    B5="192.168.0.15"
    B6="192.168.0.16"
    J1="192.168.0.100"
    J2="192.168.0.101"
    J3="192.168.0.103"
    J4="192.168.0.105"
    J5="192.168.0.104"
    J6="192.168.0.102"
    JEJE="192.168.0.2"

    # Home
    # Store the current IP of the home host in the variable ACTUAL
    ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.208.196.90 | grep address | awk '{ print $4}')
    # If the server did not answer, try ns2
    # (the original tested the lowercase "$actual", which is never set; the checks below use "$ACTUAL")
    if [ "$ACTUAL" = "" ]; then
        ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.249.81 | grep address | awk '{ print $4}')
    fi
    # If the server did not answer, try ns3
    if [ "$ACTUAL" = "" ]; then
        ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 204.13.250.81 | grep address | awk '{ print $4}')
    fi
    # If the server did not answer, try ns4
    if [ "$ACTUAL" = "" ]; then
        ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 213.155.150.205 | grep address | awk '{ print $4}')
    fi
    # If the server did not answer, try ns5
    if [ "$ACTUAL" = "" ]; then
        ACTUAL=$(host -R 2 -W 3 latinloveruy.homelinux.net 63.170.10.81 | grep address | awk '{ print $4}')
    fi

    #-----Port-Forwarding Variables-----#
    #IPs to forward
    #MUNDAKA="172.16.1.191"
    CAMARA="192.168.15.50"

    #----Flood Variables-----#
    # Overall Limit for TCP-SYN-Flood detection
    TCPSYNLIMIT="5/s"
    # Burst Limit for TCP-SYN-Flood detection
    TCPSYNLIMITBURST="10"

    # Overall Limit for Logging in Logging-Chains
    LOGLIMIT="2/s"
    # Burst Limit for Logging in Logging-Chains
    LOGLIMITBURST="10"

    #Overall Limit for Ping-Flood-Detection
    PINGLIMIT="5/s"
    # Burst Limit for Ping-Flood-Detection
    PINGLIMITBURST="10"
    #----Automatic determination of the interface information-----#
    #Lets the interface configuration data be determined automatically, adapting to
    #logical changes of the network without editing the script
    ### External interface (Internet - public IP):
    ## Get the external interface information
    ## If no interface is given, the default DEFAULT_EXTIF is used as EXTIF
    if [ "x$2" != "x" ]; then
        EXTIF=$2
    else
        EXTIF=$DEFAULT_EXTIF
    fi
    echo External Interface: $EXTIF

    ## Determine the external (public) IP
    EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`"
    if [ "$EXTIP" = '' ]; then
        echo "Aborting: Unable to determine the IP-address of $EXTIF !"
        exit 1
    fi
    echo External IP: $EXTIP

    ## Determine the external gateway
    EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
    echo Default GW: $EXTGW
    echo " --- "

    ### Internal interface (LAN - private IP):
    ## Get the internal interface from the command line
    ## If no interface is given, the default $DEFAULT_INTIF is used as INTIF
    if [ "x$3" != "x" ]; then
        INTIF=$3
    else
        INTIF=$DEFAULT_INTIF
    fi
    echo Internal Interface: $INTIF

    ## Determine the internal IP
    INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`"
    if [ "$INTIP" = '' ]; then
        echo "Aborting: Unable to determine the IP-address of $INTIF !"
        exit 1
    fi
    echo Internal IP: $INTIP

    ## Determine the internal netmask
    INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
    echo Internal Netmask: $INTMASK

    ## Determine the internal network
    INTLAN=$INTIP'/'$INTMASK
    echo Internal LAN: $INTLAN
    echo ""

    ###--- Interface towards the CAMERA ---
    CAMIF="eth2"
    CAMIFIP="192.168.15.5"
    CAMMASK="255.255.255.0"

    ##--- Fix routing problems ---
    if [ "$(route | grep 169.254.0.0)" != "" ]; then
        ip route del 169.254.0.0/16
    fi
    #----Loading IPTABLES modules-----#
    #Insert modules- should be done automatically if needed
    #If the IRC-modules are available, uncomment them below
    echo "Loading IPTABLES modules"
    dmesg -n 1 #Kill copyright display on module load
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
    /sbin/modprobe ip_nat_irc ports=$IRCPORTS
    #dmesg -n 6
    echo " --- "

    #----Clear/Reset all chains-----#
    #Clear all IPTABLES-chains
    #Flush everything, start from scratch
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat

    #Set default policies to DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    #----Set network sysctl options-----#
    echo "Setting sysctl options"
    #Enable forwarding in kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #Disabling IP Spoofing attacks.
    echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
    #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #Block source routing
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    #Kill timestamps
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    #Enable SYN Cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #Kill redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    #Enable bad error message protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    #Log martians (packets with impossible addresses)
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    #Set our local port range
    echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
    #Reduce DoS'ing ability by reducing timeouts
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    echo " --- "
    echo "Creating user-chains"

    #----Create logging chains-----#
    ##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
    ##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

    #Invalid packets (not ESTABLISHED,RELATED or NEW)
    $IPTABLES -N LINVALID
    $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level info
    $IPTABLES -A LINVALID -j DROP

    #TCP-Packets with one or more bad flags
    $IPTABLES -N LBADFLAG
    $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level info
    $IPTABLES -A LBADFLAG -j DROP

    #Access to the camera that is not permitted
    $IPTABLES -N LNOCAM
    $IPTABLES -A LNOCAM -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=NOCAM:1 a=DROP "
    $IPTABLES -A LNOCAM -j DROP

    #Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
    $IPTABLES -N LSPECIALPORT
    $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level info
    $IPTABLES -A LSPECIALPORT -j DROP

    #Logging of possible TCP-SYN-Floods
    $IPTABLES -N LSYNFLOOD
    $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level info
    $IPTABLES -A LSYNFLOOD -j DROP

    #Logging of possible Ping-Floods
    $IPTABLES -N LPINGFLOOD
    $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level info
    $IPTABLES -A LPINGFLOOD -j DROP

    #All other dropped packets
    $IPTABLES -N LDROP
    $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level info
    $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level info
    $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level info
    $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level info
    $IPTABLES -A LDROP -j DROP

    #All other rejected packets
    $IPTABLES -N LREJECT
    $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level info
    $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level info
    $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level info
    $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level info
    $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPTABLES -A LREJECT -j REJECT

    #passthrough
    # $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
    # $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
    #----Create Accept-Chains-----#
    #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
    $IPTABLES -N TCPACCEPT
    $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
    $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
    $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

    #----Create special User-Chains-----#
    #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations
    #(Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
    $IPTABLES -N CHECKBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

    #FILTERING FOR SPECIAL PORTS
    #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)
    #SMB-Traffic
    $IPTABLES -N SMB
    $IPTABLES -A SMB -p tcp --dport 137 -j DROP
    $IPTABLES -A SMB -p tcp --dport 138 -j DROP
    $IPTABLES -A SMB -p tcp --dport 139 -j DROP
    $IPTABLES -A SMB -p tcp --dport 445 -j DROP
    $IPTABLES -A SMB -p udp --dport 137 -j DROP
    $IPTABLES -A SMB -p udp --dport 138 -j DROP
    $IPTABLES -A SMB -p udp --dport 139 -j DROP
    $IPTABLES -A SMB -p udp --dport 445 -j DROP
    $IPTABLES -A SMB -p tcp --sport 137 -j DROP
    $IPTABLES -A SMB -p tcp --sport 138 -j DROP
    $IPTABLES -A SMB -p tcp --sport 139 -j DROP
    $IPTABLES -A SMB -p tcp --sport 445 -j DROP
    $IPTABLES -A SMB -p udp --sport 137 -j DROP
    $IPTABLES -A SMB -p udp --sport 138 -j DROP
    $IPTABLES -A SMB -p udp --sport 139 -j DROP
    $IPTABLES -A SMB -p udp --sport 445 -j DROP

    #Inbound Special Ports
    $IPTABLES -N SPECIALPORTS
    #Deepthroat Scan
    $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
    #Subseven Scan
    $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
    #Netbus Scan
    $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
    #Back Orifice scan
    $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
    #X-Win
    $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
    #Hack'a'Tack 2000
    $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
#ICMP/TRACEROUTE FILTERING
#Inbound ICMP/Traceroute $IPTABLES -N ICMPINBOUND #Ping Flood protection. Accept $PINGLIMIT
echo-requests/sec,
rest will be logged/dropped $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
echo-request -m
limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT # $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
echo-request -j
LPINGFLOOD
#Block ICMP-Redirects (Should already be catched by
sysctl-options, if enabled) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-Timestamp (Should already be catched by
sysctl-options, if enabled) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type
timestamp-reply
-j LDROP
#Block ICMP-address-mask (can help to prevent
OS-fingerprinting) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
#Allow all other ICMP in $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT #Outbound ICMP/Traceroute $IPTABLES -N ICMPOUTBOUND #Block ICMP-Redirects (Should already be catched by
sysctl-options, if enabled) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
#Block ICMP-TTL-Expired #MS Traceroute (MS uses ICMP instead of UDp for tracert) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
ttl-zero-during-transit -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
#Block ICMP-Parameter-Problem $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type
parameter-problem -j LDROP
#Block ICMP-Timestamp (Should already be catched by
sysctl-options, if enabled) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
#Block ICMP-address-mask (can help to prevent
OS-fingerprinting) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
##Accept all other ICMP going out $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
# CHAIN FOR SEPARATING TRAFFIC BASED ON THE SOURCE IP OF THE LAN
# (This chain is hooked into mangle/POSTROUTING below, i.e. after the routing decision:
# marks set there can classify traffic for tc/qdiscs but cannot steer fwmark-based
# policy routing, which would need the mark set in mangle/PREROUTING.)
$IPTABLES -t mangle -N SETEAMARCA
$IPTABLES -t mangle -A SETEAMARCA -s $A1 -j MARK --set-mark 1
$IPTABLES -t mangle -A SETEAMARCA -s $A2 -j MARK --set-mark 2
$IPTABLES -t mangle -A SETEAMARCA -s $A3 -j MARK --set-mark 3
$IPTABLES -t mangle -A SETEAMARCA -s $A4 -j MARK --set-mark 4
$IPTABLES -t mangle -A SETEAMARCA -s $A5 -j MARK --set-mark 5
$IPTABLES -t mangle -A SETEAMARCA -s $A6 -j MARK --set-mark 6
$IPTABLES -t mangle -A SETEAMARCA -s $A7 -j MARK --set-mark 7
$IPTABLES -t mangle -A SETEAMARCA -s $A8 -j MARK --set-mark 8
$IPTABLES -t mangle -A SETEAMARCA -s $B1 -j MARK --set-mark 9
$IPTABLES -t mangle -A SETEAMARCA -s $B2 -j MARK --set-mark 10
$IPTABLES -t mangle -A SETEAMARCA -s $B3 -j MARK --set-mark 11
$IPTABLES -t mangle -A SETEAMARCA -s $B4 -j MARK --set-mark 12
$IPTABLES -t mangle -A SETEAMARCA -s $B5 -j MARK --set-mark 13
$IPTABLES -t mangle -A SETEAMARCA -s $B6 -j MARK --set-mark 14
$IPTABLES -t mangle -A SETEAMARCA -s $J1 -j MARK --set-mark 15
$IPTABLES -t mangle -A SETEAMARCA -s $J2 -j MARK --set-mark 16
$IPTABLES -t mangle -A SETEAMARCA -s $J3 -j MARK --set-mark 17
$IPTABLES -t mangle -A SETEAMARCA -s $J4 -j MARK --set-mark 18
$IPTABLES -t mangle -A SETEAMARCA -s $J5 -j MARK --set-mark 19
$IPTABLES -t mangle -A SETEAMARCA -s $J6 -j MARK --set-mark 20
$IPTABLES -t mangle -A SETEAMARCA -s $JEJE -j MARK --set-mark 21
# $IPTABLES -t mangle -A SETEAMARCA -s $CAMARA -j MARK --set-mark 22
#----End User-Chains-----#
echo " --- "
#----Start Ruleset-----#
echo "Implementing firewall rules..."
#################
## INPUT-Chain ##   (everything that is addressed to the firewall itself)
#################
##GENERAL Filtering
# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG
##Packets FROM FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
##Packets FROM INTERNAL NET
##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it
$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should already be caught by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT
$IPTABLES -A INPUT -i $EXTIF -s $INTLAN -j LREJECT
##Packets FROM EXTERNAL NET
##ICMP & Traceroute filtering
#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND
#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP
##Silent Drops/Rejects (Things we don't want in our logs)
#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB
#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
##Public services running ON FIREWALL-BOX (uncomment to activate):
# ftp-data
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT
# ftp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT
# ssh
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
#telnet
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
# smtp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
# webmail
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 26 -j TCPACCEPT
# DNS
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
# http
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
# https
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
# POP-3
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT
# Bnc
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31337 -j TCPACCEPT
##Separate logging of special portscans/connection attempts
$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS
##Allow ESTABLISHED/RELATED connections in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
##Catch all rule
$IPTABLES -A INPUT -j LDROP
##################
## Output-Chain ##   (everything that comes directly from the Firewall-Box)
##################
##Packets TO FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT
##Packets TO INTERNAL NET
#Allow unlimited traffic to internal networks using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -o $CAMIF -d $CAMARA -s $CAMIFIP -j ACCEPT
##Packets TO EXTERNAL NET
##ICMP & Traceroute
$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A OUTPUT -o $EXTIF -j SMB
#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset
##Public services running ON FIREWALL-BOX (uncomment to activate):
# ftp-data
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT
# ftp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT
# ssh
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#telnet
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
# smtp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# webmail
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 88 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
# http
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# https
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# POP-3
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
#Netmeeting
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1720 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 1720 -j ACCEPT
#BNC
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 31337 -j ACCEPT
##Accept all tcp/udp traffic on unprivileged ports going out
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT
##Give packets from the firewall itself their own outbound path
$IPTABLES -t mangle -A OUTPUT -o $EXTIF -s $EXTIP -j MARK --set-mark 23
##Catch all rule
$IPTABLES -A OUTPUT -j LDROP
####################
## FORWARD-Chain ##   (everything that passes the firewall)
####################
##GENERAL Filtering
#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG
##Filtering FROM INTERNAL NET
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB
##Special Drops/Rejects
# - To be done -
##Filter for some Trojans communicating to outside
# - To be done -
##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)
#Forwarding to mundaka
#$IPTABLES -A FORWARD -o $EXTIF -s $SAND2002 -p tcp --sport 25 -j ACCEPT
##Allow all other forwarding (from Ports > 1024) from Internal Nets to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i $CAMIF -o $EXTIF -s $CAMARA -d $ACTUAL -p tcp --sport 9090 -j ACCEPT
##Filtering FROM EXTERNAL NET
##Silent Drops/Rejects (Things we don't want in our logs)
#SMB
$IPTABLES -A FORWARD -i $EXTIF -j SMB
##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT
##Port-Forwarding [inbound] (--> Also see chain PREROUTING)
#Forwarding
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $MUNDAKA --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SAND2002 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $CAMIF -s $ACTUAL -d $CAMARA -p tcp --dport 9090 -j ACCEPT
##Some ip forward
# $IPTABLES -A FORWARD -p tcp -s $MUNDAKA -j ACCEPT
# $IPTABLES -A FORWARD -p tcp -d $MUNDAKA -j ACCEPT
## Forward between the internal networks
$IPTABLES -A FORWARD -s $CAMARA -i $CAMIF -o $INTIF -d $INTLAN -p tcp --sport 9090 -j ACCEPT
$IPTABLES -A FORWARD -d $CAMARA -o $CAMIF -i $INTIF -s $INTLAN -p tcp --dport 9090 -j ACCEPT
## Cut off Cyber-Cam communication (anything going to or coming from the Cam that I did not
## choose to admit above is logged and then dies)
$IPTABLES -A FORWARD -o $CAMIF -j LNOCAM
$IPTABLES -A FORWARD -i $CAMIF -j LNOCAM
##Catch all rule/Deny every other forwarding
$IPTABLES -A FORWARD -j LDROP
################
## PREROUTING ##
################
##Port-Forwarding (--> Also see chain FORWARD)
#Forwarded ports
# $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 25 -j DNAT --to-destination $SAND2002
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -s $ACTUAL -p tcp --dport 9090 -j DNAT --to-destination $CAMARA
#################
## POSTROUTING ##
#################
#Set mark based on the source address
$IPTABLES -t mangle -A POSTROUTING -s $INTLAN -o $EXTIF -j SETEAMARCA
$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -s $CAMARA -j MARK --set-mark 22
#Masquerade from Internal Net to External Net
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $CAMARA -j SNAT --to-source $EXTIP
#$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
#------End Ruleset------#
echo "...done"
echo ""
echo "--> IPTABLES firewall loaded/activated <--"
##--------------------------------End Firewall---------------------------------##
;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac
exit 0
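The SETEAMARCA chain above hand-writes one MARK rule per host. As an added example (not part of the posted script), the snippet below generates those per-source mark rules from a host list, dry-runs them through echo so the resulting ruleset can be reviewed before it is loaded, and checks that no two hosts share a mark; the HOSTS list, its addresses and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original firewall script.  Generates the
# per-source MARK rules of a SETEAMARCA-style chain from a host list.
# With the default below the commands are only printed (dry run);
# set IPTABLES=/sbin/iptables to apply them for real.
IPTABLES=${IPTABLES:-echo iptables}

# Constructed host list, "address mark" per line.  The addresses are
# documentation-range placeholders, not the values behind $A1, $B1 ... in
# the posted script.
HOSTS='
192.0.2.11 1
192.0.2.12 2
192.0.2.21 9
192.0.2.31 15
'

# Emit the mangle-table rules for one chain: create the chain, then one
# "-s <addr> -j MARK --set-mark <mark>" rule per host.  Output is one
# command per line, so the dry run can be diffed against a previous one.
mark_rules() {
    chain=$1
    $IPTABLES -t mangle -N "$chain"
    echo "$HOSTS" | while read -r addr mark; do
        [ -n "$addr" ] || continue
        $IPTABLES -t mangle -A "$chain" -s "$addr" -j MARK --set-mark "$mark"
    done
}

# Sanity check before loading: every mark must be unique, otherwise two
# hosts silently land in the same traffic class.  Returns 0 if consistent.
check_marks() {
    total=$(echo "$HOSTS" | awk 'NF==2' | wc -l | tr -d ' ')
    uniq=$(echo "$HOSTS" | awk 'NF==2 {print $2}' | sort -u | wc -l | tr -d ' ')
    [ "$total" -eq "$uniq" ]
}

check_marks && mark_rules SETEAMARCA
```

Run as-is to see the generated rules; the same check_marks guard applied to the real host table catches a copy-paste error in the mark numbers before the chain is installed.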
Michael Velez wrote:
CentOS 4.4 already has an iptables script. You should start with that. Then add your customized iptables rules from the command line and once you have verified them, save them to /etc/sysconfig/iptables with 'service iptables save'. Are you using your old Fedora iptables script?
I do it differently. I don't trust the "service iptables save" as sometimes adding other services will alter the saved data. The Red Hat scripts will do that for you to be "helpful".
The best solution (for me) is to create a completely standalone iptables configuration script. Then I just hack the default iptables script to run that script instead of loading the saved rules.
This leads to the minimum amount of intrusion into the Red Hat setup and has not given me any problems when upgrading from RH9 via various RHEL, Fedora and now to CentOS4.
Well, I have no choice, I'm "trusting" in service iptables save, but at least my box works! Merry Christmas and Happy New Year. Cheers!
2006/12/21, Morten Torstensen morten@mortent.org:
I know this is a CentOS/Linux list, but I seriously wish they would take a cue from *BSD and start integrating pf with modern Linux distributions.
Peter
On Tue December 26 2006 19:43, Peter Serwe wrote:
I know this is a CentOS/Linux list, but I seriously wish they would take a cue from *BSD and start integrating pf with modern Linux distributions.
What advantages does pf hold over iptables? And please don't start off with "it is more secure" BS.
Quoting Robert Spangler lazydog@zoominternet.net:
What advantages does pf hold over iptables? And please don't start off with "it is more secure" BS.
A transparent bridging firewall sitting in front of an ADSL modem when PPPoE is used. That one can't be implemented using Netfilter.
| modem | <-----> | bridge/fw | <------> | PC / PPPoE endpoint |
Here's why:
- Raw PPPoE packets will not be handed over to Netfilter for inspection.
- Even if they were, you'd need special Netfilter modules and/or hacks to inspect the encapsulated IP packets (inside raw PPPoE packets). Such a module doesn't exist, and might not be trivial or even possible to implement.
When investigating this particular problem with Netfilter, I found a couple of HOWTOs describing how to do this kind of stuff on *BSD.
On Wednesday 27 December 2006 07:51, Robert Spangler wrote:
What advantages does pf hold over iptables? And please don't start off with "it is more secure" BS.
Stateful firewall failover with pfsync?
A rule application program (pfctl) that checks syntax of rules before applying them to make sure there are no errors, and also dynamically re-orders your rules for best performance?
Built in dynamic rules based on SSH logins with authpf?
Packet logging to tcpdump compatible logfiles?
There are a few. Some might have iptables counterparts I don't know of, but these are a few of the benefits I've been enjoying lately on some OpenBSD firewall boxes, and they are all succinctly documented with examples in the man pages (it's a real culture shock using BSD when used to Linux; the man pages actually adequately explain complex programs, and are complete).
I've been meaning to test the firewall failover with the NAT load balancing features to see how well it performs WRT LVS. From what I hear I might expect a bit better performance and/or scalability out of LVS, but the ease of setup and configuration of OpenBSD and pf may trump that if it's not a large gap (and it isn't required to scale too much).
The VPN program they created (isakmpd) works well and allows for stateful failover with sasyncd, and I believe has been successfully ported to Linux (sans sasyncd, I imagine). I would think porting pf would be much harder, but one of its core features (stateful failover) is something that iptables has failed to implement for quite a while now, and the project that was trying to do it (ctsync) was dead in the water last time I checked.