From: Aboubacar Dramé (abodr at xchg.medisys.ca)
Date: Wed May 09 2001 - 09:36:13 CDT
Hi!
I am trying to configure a script to secure a Linux FreeS/WAN on SuSE 7.1 Professional edition. I use the sample script below (written for the Red Hat distribution); I use the script to replace /etc/rc.config.d/firewall.rc.config, but it does not work. What changes can I make to the script to adapt it to SuSE 7.1 so that ipchains works?
Thanks for your help.
Aboubacar Dramé
Montreal, Quebec, Canada
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 10-10-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
#              used to provide Firewall network services.

# Source function library (Red Hat specific; provides the status helper).
. /etc/rc.d/init.d/functions

# Source networking configuration (Red Hat specific; sets NETWORKING).
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]; then
    exit 0
fi

if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

# See how we were called.
case "$1" in
  start)
    echo -n "Starting Firewalling Services: "

    # Some definitions for easy maintenance.
    # ------------------------------------------------------------------------
    # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
    EXTERNAL_INTERFACE="eth0"           # Internet connected interface
    # LOCAL_INTERFACE_1="eth1"          # Internal LAN interface
    # LOOPBACK_INTERFACE="lo"           # Your local naming convention
    IPADDR="my.ip.address"              # Your IP address
    # LOCALNET_1="192.168.1.0/24"       # Whatever private range you use
    IPSECSG="my.ipsecsg.address"        # Space separated list of remote VPN gateways
    FREESWANVI="ipsec0"                 # Space separated list of virtual interfaces
    ANYWHERE="any/0"                    # Match any IP address
    # NAMESERVER_1="my.name.server.1"   # Everyone must have at least one
    # NAMESERVER_2="my.name.server.2"   # Your secondary name server

    # ------------------------------------------------------------------
    # OUTGOING TRACEROUTE
    # -------------------
    # TRACEROUTE_SRC_PORTS and TRACEROUTE_DEST_PORTS are not defined in this
    # excerpt; define them before uncommenting the rule.
    #ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    #         -s $IPADDR $TRACEROUTE_SRC_PORTS \
    #         -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
    # ------------------------------------------------------------------------
    # Unlimited traffic within the local network.
    # All internal machines have access to the firewall machine.
    # ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
    # ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
    # ------------------------------------------------------------------------
    # FreeS/WAN IPSec VPN
    # -------------------
    # If you are using the FreeS/WAN IPSec VPN, you will need to fill in the
    # addresses of the gateways in the IPSECSG and the virtual interfaces for
    # FreeS/WAN IPSEC in the FREESWANVI parameters. Look at the beginning of
    # this firewall script rules file to set the parameters.
    # IPSECSG is a space separated list of remote gateways. FREESWANVI is a
    # space separated list of virtual interfaces for the FreeS/WAN IPSEC
    # implementation. Only include those that are actually used.

    # Allow IPSEC protocol from remote gateways on the external interface.
    # IPSEC uses three main types of packet:
    #   IKE uses the UDP protocol and port 500,
    #   ESP uses the protocol number 50, and
    #   AH uses the protocol number 51.
    # ipchains -i/-s take a single value, so add the rules once per gateway.
    for gw in $IPSECSG; do
        ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -s $gw -j ACCEPT
        ipchains -A output -i $EXTERNAL_INTERFACE -p udp -d $gw -j ACCEPT
        ipchains -A input  -i $EXTERNAL_INTERFACE -p 50  -s $gw -j ACCEPT
        ipchains -A output -i $EXTERNAL_INTERFACE -p 50  -d $gw -j ACCEPT
        ipchains -A input  -i $EXTERNAL_INTERFACE -p 51  -s $gw -j ACCEPT
        ipchains -A output -i $EXTERNAL_INTERFACE -p 51  -d $gw -j ACCEPT
    done

    # Allow all traffic to and from each FreeS/WAN virtual interface, and
    # forward anything arriving from the IPSEC tunnel.
    for vi in $FREESWANVI; do
        ipchains -A input   -i $vi -s $ANYWHERE -d $ANYWHERE -j ACCEPT
        ipchains -A output  -i $vi -s $ANYWHERE -d $ANYWHERE -j ACCEPT
        ipchains -A forward -i $vi -s $ANYWHERE -d $ANYWHERE -j ACCEPT
        # Disable reverse-path (IP spoofing) filtering on the virtual
        # interface so that decrypted packets are not dropped.
        echo 0 > /proc/sys/net/ipv4/conf/$vi/rp_filter
    done
    echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL_INTERFACE/rp_filter
    echo
    # ------------------------------------------------------------------------
    ;;
  stop)
    echo -n "Shutting Firewalling Services: "
    # Remove all existing rules belonging to this filter.
    ipchains -F
    # Delete all user-defined chains of this filter.
    ipchains -X
    # Reset the default policy of the filter to accept.
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward ACCEPT
    echo
    ;;
  status)
    # status comes from /etc/rc.d/init.d/functions.
    status firewall
    ;;
  restart|reload)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
    ;;
esac
exit 0
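The following is an added example, not the poster's script and not FreeS/WAN's or Red Hat's own code. It isolates the only distribution-specific parts of the posted script (the two sourced Red Hat files and the `status` helper; the ipchains rules themselves are plain shell) and rewrites the IPsec pass-through section so it runs without them. It assumes those Red Hat files are absent on the asker's SuSE 7.1 machine, expands the space-separated gateway and interface lists the original comments describe, tightens the IKE rule to UDP port 500 as the original comment states, and prints the commands instead of installing them when `ipchains` is not present or `DRY_RUN=1` is set. The gateway addresses 192.0.2.10 and 192.0.2.20 are constructed samples from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example (not the poster's script and not FreeS/WAN's own code):
# a distribution-neutral version of the IPsec pass-through rules. It does not
# source Red Hat's /etc/rc.d/init.d/functions or /etc/sysconfig/network
# (assumed absent on SuSE 7.1), loops over the space-separated lists the
# original comments describe, and only prints the commands when ipchains is
# not installed or DRY_RUN=1 is set.

EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
IPSECSG="${IPSECSG:-192.0.2.10 192.0.2.20}"   # constructed sample gateways (RFC 5737 range)
FREESWANVI="${FREESWANVI:-ipsec0}"            # FreeS/WAN virtual interface(s)
ANYWHERE="any/0"

# RUN is empty when the rules should really be installed, "echo" otherwise.
if [ -x /sbin/ipchains ] && [ "${DRY_RUN:-0}" = 0 ]; then
    RUN=""
else
    RUN="echo"
fi

# Accept the three IPsec packet types from each remote gateway on the external
# interface: IKE (UDP, restricted here to port 500; the original rule accepted
# all UDP from the gateway), ESP (protocol 50) and AH (protocol 51). Reverse-
# path filtering on the external interface is switched off as in the original.
gateway_rules() {
    for gw in $IPSECSG; do
        $RUN ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp -s "$gw" 500 -j ACCEPT
        $RUN ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp -d "$gw" 500 -j ACCEPT
        for proto in 50 51; do
            $RUN ipchains -A input  -i "$EXTERNAL_INTERFACE" -p "$proto" -s "$gw" -j ACCEPT
            $RUN ipchains -A output -i "$EXTERNAL_INTERFACE" -p "$proto" -d "$gw" -j ACCEPT
        done
    done
    $RUN sh -c "echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL_INTERFACE/rp_filter"
}

# Packets on a virtual interface have already been authenticated and decrypted
# by FreeS/WAN, so accept them in all three chains and switch off reverse-path
# filtering there: with rp_filter on, the kernel drops decapsulated packets
# whose source address is not routable back through the same interface.
vif_rules() {
    for vi in $FREESWANVI; do
        for chain in input output forward; do
            $RUN ipchains -A "$chain" -i "$vi" -s "$ANYWHERE" -d "$ANYWHERE" -j ACCEPT
        done
        $RUN sh -c "echo 0 > /proc/sys/net/ipv4/conf/$vi/rp_filter"
    done
}

# Usage: sh freeswan-rules.sh start    (DRY_RUN=1 sh freeswan-rules.sh start to preview)
case "${1:-}" in
    start) gateway_rules && vif_rules ;;
esac
```

Running it with `DRY_RUN=1` lists every rule it would install, which is a quick way to check the expansion of multi-gateway or multi-interface lists before touching a live ipchains ruleset. Nothing here depends on the init system, so the two functions can be pasted into whichever start-up script a given distribution uses.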