Diffstat (limited to 'ipmasq/rules/O80firewall.def')
-rw-r--r-- | ipmasq/rules/O80firewall.def | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/ipmasq/rules/O80firewall.def b/ipmasq/rules/O80firewall.def
new file mode 100644
index 0000000..d6fe9f8
--- /dev/null
+++ b/ipmasq/rules/O80firewall.def
@@ -0,0 +1,159 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# Packet filter firewall script for ipmasq (GPL)
+# By Osamu Aoki <osamu@aokiconsulting.com>
+#
+# Firewall are set for external network connection ports listed in $EXTERNAL
+# Little consideration taken for shared port.
+#
+echo "# Firewall for outgoing packets"
+###############################################################################
+# QUIET ADDRESS (REJECT for internal request) RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $QADDR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a reject -W ${i%%:*} -D $j
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A output -j REJECT -i ${i%%:*} -d $j
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j REJECT -o ${i%%:*} -d $j
+ ;;
+ esac
+ done
+ done
+fi
+
+###############################################################################
+# ALLOW OUTPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $ATCPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P tcp
+ ;;
+ ipchains)
+ $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p tcp
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p tcp --source-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+# ALLOW OUTPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $AUDPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P udp
+ ;;
+ ipchains)
+ $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p udp
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p udp --source-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+###############################################################################
+# QUIET OUTPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $QTCPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+# QUIET OUTPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $QUDPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+###############################################################################
+# DENY OUTPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $DTCPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp -o
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp -l
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
+ $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+# DENY OUTPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $DUDPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp -o
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp -l
+ ;;
+ netfilter)
+ $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
+ $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
+ ;;
+ esac
+ done
+ done
+fi
+echo "#" |
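Review bot: The netfilter `-j LOG` rules in the two DENY sections log every matching packet unconditionally, with no `-m limit` and no `--log-prefix`, so a remote host probing a TCP port listed in DTCPSVR presumably drives one log line per probe (the SYN/ACK or RST leaves with that source port) and can fill the log at line rate; the ipchains `-l` variants have the same exposure. Rate-limiting and tagging the LOG rule keeps the log usable under a scan, e.g. `$IPTABLES -A OUTPUT -o ${i%%:*} -p tcp --source-port $j -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ipmasq O80 deny: "` and the matching UDP line, which assumes the installed iptables ships the limit match — not verifiable from this patch. The `-s 0.0.0.0/0` on the DROP/DENY lines matches everything and can be removed for readability. The ALLOW rules depend on `ipnm_cache` setting IPOFIF/NMOFIF, which is defined outside this file, so they cannot be checked here.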