# FireHOL configuration that implements masquerading and firewalling, by Cougar
#
# FireHOL configuration-language version this file is written for; firehol
# aborts when a file declares a version newer than the one it supports.
version 5
################################################################################

#### CONFIGURATION ####

# Absolute paths of the helper binaries used further down. They are pinned on
# purpose instead of being resolved through $PATH: this file is executed by
# firehol (as root), and a PATH lookup is one more thing that could be tampered
# with. Adjust the paths if your distribution installs the tools elsewhere.
GREP=/bin/grep
CUT=/usr/bin/cut
AWK=/usr/bin/awk
SED=/bin/sed
CAT=/bin/cat
IFCONFIG=/sbin/ifconfig

# Which physical interface faces which side.
INTERFACE_LAN=eth0	# internal, trusted network
INTERFACE_WAN=eth1	# external, untrusted network (Internet)

# Where firehol sends its log rules. ULOG requires a running ulogd.
# NOTE(review): the ipt_ULOG kernel target was removed from later kernels in
# favour of NFLOG; on a current kernel this should read "NFLOG" (with ulogd
# configured for NFLOG as well) or logging will silently not happen.
FIREHOL_LOG_MODE=ULOG

# FireHOL "simple custom service" named bt, usable below as `server bt ...`:
# the listening side uses 6881-6889 (TCP and UDP), the peer side any port.
server_bt_ports="tcp/6881:6889 udp/6881:6889"
client_bt_ports=any

#### END CONFIG #### 

################################################################################

#-------------------------------------------------------------------------------
#--- Interface address discovery (informational only; no rule below uses the result)
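echo " "
# Begin network interface IP retrieval
#
# LAN_IP / WAN_IP are only echoed for the operator; no rule in this file depends
# on them, so a failure here is cosmetic but used to be invisible: the old
# `grep "inet addr" | cut` pipeline assumed the net-tools layout
# "inet addr:A.B.C.D" and silently produced an empty string with newer
# ifconfig ("inet A.B.C.D") or when the interface had no address.
#
# cougar_parse_ipv4: read tool output on stdin and print the first IPv4 address
# that follows an "inet" token, accepting all three layouts:
#   ifconfig (old)  inet addr:10.1.3.1  Bcast:...
#   ifconfig (new)  inet 10.1.3.1  netmask ...
#   ip -o addr      2: eth0  inet 10.1.3.1/24 brd ...
# Prints nothing when no IPv4 address is present. Functions are prefixed
# "cougar_" to avoid clashing with names firehol itself defines.
cougar_parse_ipv4() {
	"$AWK" '{
		for (i = 1; i < NF; i++)
			if ($i == "inet") {
				a = $(i + 1)
				sub("^addr:", "", a)
				sub("/.*$", "", a)
				print a
				exit
			}
	}'
}
# cougar_iface_ipv4 DEV: print the first IPv4 address bound to DEV (nothing if
# DEV has none or does not exist). Prefers iproute2 when it is installed, since
# ifconfig is deprecated on current distributions.
cougar_iface_ipv4() {
	local dev="$1"
	if [ -x /sbin/ip ]; then
		/sbin/ip -4 -o addr show dev "$dev" 2>/dev/null | cougar_parse_ipv4
	else
		"$IFCONFIG" "$dev" 2>/dev/null | cougar_parse_ipv4
	fi
}
LAN_IP=$(cougar_iface_ipv4 "$INTERFACE_LAN")
WAN_IP=$(cougar_iface_ipv4 "$INTERFACE_WAN")
# Confirmation
echo "Using $INTERFACE_LAN as LAN network interface with IP address of $LAN_IP"
echo "Using $INTERFACE_WAN as WAN network interface with IP address of $WAN_IP"
# Make an empty result visible instead of printing a blank address.
[ -n "$LAN_IP" ] || echo "WARNING: no IPv4 address found on $INTERFACE_LAN" >&2
[ -n "$WAN_IP" ] || echo "WARNING: no IPv4 address found on $INTERFACE_WAN" >&2
# End network interface IP retrieval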

#-------------------------------------------------------------------------------
#--- Port Forwarding Configuration
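echo -n "Configuring port forwarding: "
	# No DNAT is active: both rules are commented out, so nothing arriving on
	# $INTERFACE_WAN is currently rewritten towards the LAN. When enabling them,
	# remember that a dnat only changes the destination address; the rewritten
	# packet still has to be accepted by the "services" router at the bottom of
	# this file, so keep that router limited to the same host and port range.
	#dnat to 10.1.3.1 inface ${INTERFACE_WAN} proto tcp dport 6881:6999
	#dnat to 10.1.3.1 inface ${INTERFACE_WAN} proto udp dport 6881:6999
# The former `|| echo "FAILED."` was unreachable: it tested echo's own exit
# status, not whether firehol accepted the rules above (firehol reports its own
# errors).
echo "done."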
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
#--- Firewall for traffic hitting mercury from the Internet
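echo -n "Configuring $INTERFACE_WAN: "
interface ${INTERFACE_WAN} world
	# Unmatched packets are answered (ICMP unreachable / TCP RST) rather than
	# silently dropped. On an Internet-facing interface "policy drop" is the more
	# usual choice because it gives port scanners nothing to confirm the host
	# with; kept as the author configured it, but worth reconsidering.
	policy reject
	protection full
	# General declarations
	server ping accept	# answer echo requests from anywhere
	client all accept	# the router itself may open any outbound connection
	# Services on router
	# NOTE(review): ssh is reachable from the entire Internet with no source
	# restriction. If administration happens from known addresses, narrow it,
	# e.g. `server ssh accept src "203.0.113.0/24"`.
	server ssh accept
	# "bt" is the custom service defined in the CONFIGURATION section above.
	server bt accept
# `|| echo "FAILED."` was dropped: it only tested echo's own exit status and
# could never fire; firehol reports rule errors itself.
echo "done."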
#-------------------------------------------------------------------------------

#----------------------------------------------------------------	
#--- Firewall for traffic hitting mercury from the LAN
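echo -n "Configuring $INTERFACE_LAN: "
interface ${INTERFACE_LAN} lan
	policy reject	# LAN hosts get an explicit reject instead of a silent timeout
	protection full
	# Services on router
	server dhcp accept	# DHCP requests from the LAN may reach a server on this box
	server dns accept	# same for DNS queries
	server ssh accept
	server samba accept	# file sharing for LAN hosts; never enable this on $INTERFACE_WAN
	server ntp accept
	# Services router should ignore
	server cups drop	# discarded silently rather than answered by the reject policy
	# General declarations
	server ping accept
	client all accept	# connections from this box into the LAN are unrestricted
# `|| echo "FAILED."` was dropped: it only tested echo's own exit status and
# could never fire; firehol reports rule errors itself.
echo "done."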
#-------------------------------------------------------------------------------
	 
#-------------------------------------------------------------------------------
#--- Router for masquerading traffic from the LAN to the Internet
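echo -n "Configuring router for masquerading traffic from $INTERFACE_LAN to $INTERFACE_WAN: "
router masq inface ${INTERFACE_LAN} outface ${INTERFACE_WAN}
	protection full
	masquerade	# rewrite the source address of LAN traffic to the $INTERFACE_WAN address
	# Every connection initiated from the LAN is allowed out (no egress
	# filtering); firehol's stateful rules let the replies back in, and nothing
	# new from the Internet enters through this router. Replace "all" with a
	# list of services if you want to keep a compromised LAN host from, say,
	# sending mail (smtp) or scanning the Internet for smb directly.
	server all accept
# `|| echo "FAILED."` was dropped: it only tested echo's own exit status and
# could never fire; firehol reports rule errors itself.
echo "done."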
#-------------------------------------------------------------------------------
 
#-------------------------------------------------------------------------------
#--- Router for port-forwarded traffic coming from the Internet
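echo -n "Configuring router for port forwarding traffic from $INTERFACE_WAN: "
router services inface ${INTERFACE_WAN} outface ${INTERFACE_LAN}
	protection full
	# Only the port-forwarded BitTorrent range to 10.1.3.1 may be routed in.
	# The previous `server all accept` was much broader than its comment
	# claimed: a router rule is not limited to DNAT'ed packets, so it forwarded
	# *any* packet arriving on $INTERFACE_WAN that was addressed to a LAN host.
	# Private LAN addresses are not routable from afar, but anyone who can put
	# such a packet on the upstream segment (a neighbour on a shared link, a
	# misconfigured ISP) would have had unfiltered access to every LAN host.
	# Ports and host match the dnat rules in the port-forwarding section; keep
	# the two in step when changing either.
	server custom btfwd "tcp/6881:6999 udp/6881:6999" "any" accept dst 10.1.3.1
# `|| echo "FAILED."` was dropped: it only tested echo's own exit status and
# could never fire; firehol reports rule errors itself.
echo "done."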