diff options
Diffstat (limited to 'ipmasq/rules/I80firewall.def')
-rw-r--r-- | ipmasq/rules/I80firewall.def | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/ipmasq/rules/I80firewall.def b/ipmasq/rules/I80firewall.def new file mode 100644 index 0000000..ee1a507 --- /dev/null +++ b/ipmasq/rules/I80firewall.def @@ -0,0 +1,158 @@ +# You should not edit this file. Instead, create a file with the same +# name as this one, but with a .rul extension instead of .def. The +# .rul file will override this one. +# +# However, any changes you make to this file will be preserved. + +# Packet filter firewall script for ipmasq (GPL) +# By Osamu Aoki <osamu@aokiconsulting.com> +# +# Firewall are set for external network connection ports listed in $EXTERNAL +# Little consideration taken for shared port. +# +echo "# Firewall for incoming packets" +############################################################################### +# QUIET INPUT ADDRESS (Deny for forein packet) RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QADDR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -S $j + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -s $j + ;; + netfilter) + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -s $j + ;; + esac + done + done +fi +############################################################################### +# ALLOW INPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $ATCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp + ;; + ipchains) + $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp + ;; + netfilter) + $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + ;; + esac + done + done +fi + +# ALLOW INPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $AUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp + ;; + ipchains) + $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp + ;; + netfilter) + $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + ;; + esac + done + done +fi + +############################################################################### +# QUIET INPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QTCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp + ;; + netfilter) + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + ;; + esac + done + done +fi + +# QUIET INPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $QUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp + ;; + netfilter) + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + ;; + esac + done + done +fi + +############################################################################### +# DENY INPUT TCP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $DTCPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp -o + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp -l + ;; + netfilter) + $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j + ;; + esac + done + done +fi + +# DENY INPUT UDP RULES +if [ -n "$EXTERNAL" ]; then + for i in $EXTERNAL; do + ipnm_cache $i + for j in $DUDPSVR; do + case $MASQMETHOD in + ipfwadm) + $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp -o + ;; + ipchains) + $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp -l + ;; + netfilter) + $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j + ;; + esac + done + done +fi +echo "#" |