# You should not edit this file. Instead, create a file with the same # name as this one, but with a .rul extension instead of .def. The # .rul file will override this one. # # However, any changes you make to this file will be preserved. # Packet filter firewall script for ipmasq (GPL) # By Osamu Aoki # # Firewall are set for external network connection ports listed in $EXTERNAL # Little consideration taken for shared port. # echo "# Firewall for outgoing packets" ############################################################################### # QUIET ADDRESS (REJECT for internal request) RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $QADDR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a reject -W ${i%%:*} -D $j ;; ipchains) $IPCHAINS --no-warnings -A output -j REJECT -i ${i%%:*} -d $j ;; netfilter) $IPTABLES -A OUTPUT -j REJECT -o ${i%%:*} -d $j ;; esac done done fi ############################################################################### # ALLOW OUTPUT TCP RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $ATCPSVR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P tcp ;; ipchains) $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p tcp ;; netfilter) $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p tcp --source-port $j ;; esac done done fi # ALLOW OUTPUT UDP RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $AUDPSVR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P udp ;; ipchains) $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p udp ;; netfilter) $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p udp --source-port $j ;; esac done done fi ############################################################################### # QUIET OUTPUT TCP RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $QTCPSVR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp ;; ipchains) $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp ;; netfilter) $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j ;; esac done done fi # QUIET OUTPUT UDP RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $QUDPSVR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp ;; ipchains) $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp ;; netfilter) $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j ;; esac done done fi ############################################################################### # DENY OUTPUT TCP RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $DTCPSVR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp -o ;; ipchains) $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp -l ;; netfilter) $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j ;; esac done done fi # DENY OUTPUT UDP RULES if [ -n "$EXTERNAL" ]; then for i in $EXTERNAL; do ipnm_cache $i for j in $DUDPSVR; do case $MASQMETHOD in ipfwadm) $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp -o ;; ipchains) $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp -l ;; netfilter) $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j ;; esac done done fi echo "#"