#!/bin/sh
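# Incoming chain: set the default policy to deny *before* flushing.  A flush
# removes the old accept rules but leaves the previous policy in force, so the
# original order (flush, then deny) briefly ran an empty chain under whatever
# policy was set before -- if that was accept, everything was let in while the
# rules below were being rebuilt.  Deny-first fails closed during the rebuild.
# The policy is a backstop only: the last rule appended to this chain is a
# catch-all deny-and-log, so in normal operation the policy is never consulted.
$FW -I -p deny
$FW -I -f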

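# local interface, local machines, going anywhere is valid
#
# Sanity-check the configuration before any rule is appended.  The original
# loop iterated over the expanded *values* ($FW $IP_ETH0 ...), so an unset
# variable simply vanished from the word list and the "unset variable" branch
# could never fire.  Iterate over the variable names and look each one up.
# VERBOSE and LOGGING are legitimately empty (quiet / no logging) and are not
# checked; M3 was in the old list but no rule in this section uses it.
# An empty value would produce a rule such as "-S /" that is either rejected
# or matches more than intended, so abort: the chain has just been put under
# policy deny, so stopping here fails closed rather than open.
for var_name in FW IP_ETH0 M1 M2 M4 M8 M10 M25 HOST_MASK ANY_NET ANY_MASK
do
  eval "var_value=\${$var_name}"   # names are the literals above, not input
  if [ -n "$VERBOSE" ] ; then
    # printf rather than "echo -ne": /bin/sh echo need not understand -n/-e.
    printf '%s=%s\n' "$var_name" "$var_value"
  fi
  if [ -z "$var_value" ] ; then
    printf 'Unset variable: %s\n' "$var_name" >&2
    exit 1
  fi
done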
# LAN hosts allowed out through eth0 to any destination.  One accept rule per
# machine, appended in this order:
#   M1  dmitry (kbg)
#   M2  Jane (klay)
#   M4  Vadim (proxy)
#   M8  Jane_T (guest)
#   M10 Noone (acer(logging))
#   M25 Aleksey (225)
# Each rule matches on the source address and the eth0 interface address only;
# nothing ties an address to a particular machine, so any device on the eth0
# segment that forges one of these sources matches as well.  The same sources
# arriving on another interface do not match here (-V $IP_ETH0) and fall
# through to the anti-spoofing denies and the catch-all below.
for lan_host in "$M1" "$M2" "$M4" "$M8" "$M10" "$M25"
do
  $FW $VERBOSE -I -a accept -V $IP_ETH0 -S $lan_host/$HOST_MASK -D $ANY_NET/$ANY_MASK $LOGGING
done

echo "Done: incoming rules for the LAN."

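# Deny all traffic from this one host, whatever the protocol (-P all), and log.
# The address was hard-coded; it can now be overridden from the environment
# but defaults to the same value, so existing setups behave identically.
# "-i" inserts at the head of the input chain, so this rule is evaluated before
# the LAN accept rules appended above it.  The destination is
# $IP_PPP0/$ANY_MASK, which with a zero ANY_MASK matches any destination, not
# only the ppp0 address -- apparently intentional ("all"); confirm if ANY_MASK
# is ever changed.
BLOCKED_HOST=${BLOCKED_HOST:-195.46.168.168}
$FW $VERBOSE -I -P all -i deny -S $BLOCKED_HOST -D $IP_PPP0/$ANY_MASK -o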


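######################## dialup section begin
# This section was written for 2 modems, hence the possible interfaces are:
#  sl0, sl1, ppp1, ppp2 (ppp0 is reserved for the leased line).
# Only ppp1 and ppp2 get rules: the SLIP interfaces are not configured for
# these clients yet.
echo "Configuring rules for dialup clients.."

# dialup_accept SRC DST DST_MASK LOGFLAG
#   Append one accept rule per dialup interface (ppp1, ppp2) for the dialup
#   client address SRC/$HOST_MASK going to DST/DST_MASK.  LOGFLAG is "-o" to
#   log matches, or "$LOGGING" (possibly empty) to follow the global setting.
#   Binding every rule to a -W dialup interface means the same address
#   arriving on eth0 or ppp0 does not match here and falls through to the
#   anti-spoofing denies that follow this section.
dialup_accept()
{
  dialup_src=$1
  dialup_dst=$2
  dialup_dst_mask=$3
  dialup_log=$4
  for iface in ppp1 ppp2
  do
    $FW $VERBOSE -I -a accept -W $iface -V $IP_ETH0 -S $dialup_src/$HOST_MASK -D $dialup_dst/$dialup_dst_mask $dialup_log
  done
}

#*

# 192.168.4.121 (homeppp): allowed to browse the net freely.
# This entry is for me only.  Logging follows $LOGGING, unlike the others.
echo "adding entries for home ppp ($HOMEPPP)."
dialup_accept "$HOMEPPP" "$ANY_NET" "$ANY_MASK" "$LOGGING"

#*

# 192.168.4.120 (emailonly): may reach this server only (email services), and
# only via ppp -- slip logins are not configured for these clients.
# Earlier variants also matched on -V $IP_PPP0 and -V $IP_LOOPBACK; they were
# commented out in the original and are not reinstated here.
echo "adding entries for email-only ppp ($EMAILONLY)."
dialup_accept "$EMAILONLY" "$IP_ETH0" "$HOST_MASK" -o

#*

# 192.168.4.122 (freeppp): allowed to browse the net almost freely.
echo "adding entries for freeppp ($FREEPPP)."
dialup_accept "$FREEPPP" "$ANY_NET" "$ANY_MASK" -o

#*

# 192.168.4.123 (chief): allowed to browse the net almost freely.
echo "adding entries for chief ($CHIEFPPP)."
dialup_accept "$CHIEFPPP" "$ANY_NET" "$ANY_MASK" -o

# 192.168.4.124 (shared): allowed to browse the net almost freely.
echo "adding entries for shared ppp ($SHARED)."
dialup_accept "$SHARED" "$ANY_NET" "$ANY_MASK" -o

# testppp: may reach this server only.  The rule has the same shape as the
# emailonly one; the copy-pasted comment that claimed "browse the net almost
# freely" was wrong.  The original comment also repeated shared's 192.168.4.124
# for this client -- the real address is whatever $TESTPPP holds; confirm.
# The progress message used to report $SHARED; it now reports $TESTPPP.
echo "adding entries for test ppp ($TESTPPP)."
dialup_accept "$TESTPPP" "$IP_ETH0" "$HOST_MASK" -o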

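# deny any other interfaces claiming dialup addresses
echo "deny any other interfaces claming dialup addresses.."

# Every dialup address must be defined before the deny loop below runs: that
# loop iterates over expanded values, so an unset variable would silently drop
# its anti-spoofing rule (fail open for that address).  The original check
# iterated over the values too and therefore could never notice an unset one;
# look the names up instead and abort if any is empty.  The chain is already
# under policy deny, so aborting fails closed.  HOST_MASK, ANY_NET and
# ANY_MASK are checked as well because the deny rules use them.
for var_name in EMAILONLY HOMEPPP FREEPPP CHIEFPPP SHARED TESTPPP IP_ETH0 IP_PPP0 HOST_MASK ANY_NET ANY_MASK
do
  eval "var_value=\${$var_name}"   # names are the literals above, not input
  if [ -n "$VERBOSE" ] ; then
    printf '%s=%s\n' "$var_name" "$var_value"
  fi
  if [ -z "$var_value" ] ; then
    printf 'Unset variable: %s\n' "$var_name" >&2
    exit 1
  fi
done

# The dialup accept rules above are bound to -W ppp1/ppp2 and were appended
# first, so they match before these.  Anything else carrying a dialup source
# address -- seen via the eth0 address or the ppp0 address -- is spoofed:
# deny and log it.
for dialup in $EMAILONLY $HOMEPPP $FREEPPP $CHIEFPPP $SHARED $TESTPPP
do
  echo "$dialup:"
  $FW $VERBOSE -I -a deny -V $IP_ETH0 -S $dialup/$HOST_MASK -D $ANY_NET/$ANY_MASK -o
  $FW $VERBOSE -I -a deny -V $IP_PPP0 -S $dialup/$HOST_MASK -D $ANY_NET/$ANY_MASK -o
done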

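# deny faked packets from ppp0 (our leased line) claiming addresses that must
# only be used locally (the networks reserved for private use -- not routable
# in the WAN).  Some are already denied above.  Each $RESERVED_n carries its
# own netmask ("net/mask"), hence no /$HOST_MASK here.
echo "deny faked packets from ppp0 (our leased line).."
# Check the three ranges by name first: the loop below iterates over expanded
# values, so an unset RESERVED_n would silently drop its deny rule (fail open
# for that range) instead of failing.  Abort instead -- policy is already deny.
for var_name in RESERVED_1 RESERVED_2 RESERVED_3
do
  eval "var_value=\${$var_name}"   # literal names, safe to eval
  if [ -z "$var_value" ] ; then
    printf 'Unset variable: %s\n' "$var_name" >&2
    exit 1
  fi
done
for locals in $RESERVED_1 $RESERVED_2 $RESERVED_3
do
  $FW $VERBOSE -I -a deny -V $IP_PPP0 -S $locals -D $ANY_NET/$ANY_MASK -o
done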

# Remaining input rules.  They are appended, so the evaluation order is the
# order written here:
#  1. anti-spoofing: local-network sources arriving on the leased line
#  2. anything addressed to the leased-line address itself
#  3. anything on loopback
#  4. catch-all deny and log
#
# add_rule MSG ARGS...
#   Print the progress message MSG, then append one rule to the input chain
#   with ARGS.  Wraps "$FW $VERBOSE -I ..." so each step below is one call.
add_rule()
{
  echo "$1"
  shift
  $FW $VERBOSE -I "$@"
}

# 1. remote interface, claiming to be local machines: IP spoofing, get lost.
add_rule "remote interface, claiming to be local machines, IP spoofing, get lost" \
  -a deny -V $IP_PPP0 -S $LOC_NET/$NETB_MASK -D $ANY_NET/$ANY_MASK -o

# 2. remote interface, any source, going to the permanent PPP address.
# This accepts every protocol and port addressed to the host's own public
# address; the only protection for services listening there is whatever the
# services themselves enforce.  If only a few services are meant to be
# reachable from the leased line, this is the rule to narrow (-P and ports).
add_rule "remote interface, any source, going to permanent PPP address is valid" \
  -a accept -V $IP_PPP0 -S $ANY_NET/$ANY_MASK -D $IP_PPP0/$HOST_MASK $LOGGING

# 3. loopback interface is valid: any source, any destination.
add_rule "loopback interface is valid." \
  -a accept -V $IP_LOOPBACK -S $ANY_NET/$ANY_MASK -D $ANY_NET/$ANY_MASK $LOGGING

# 4. catch all: everything else incoming is denied and logged, whatever the
# interface (no -V/-W).  This rule, not the chain policy, is what normally
# rejects unwanted traffic.
add_rule "catch all rule, all other incoming is denied and logged." \
  -a deny -S $ANY_NET/$ANY_MASK -D $ANY_NET/$ANY_MASK -o

echo "Done: all incoming rules."