[KLUG Members] IPChains problem

Rusty Yonkers members@kalamazoolinux.org
Sat, 8 Jun 2002 19:45:47 -0700 (PDT)


Here is an example of a script that I did for ipchains.  It seems to
work pretty well.  I do want to do some more on the script down the
road but it is a start.  The script came about because I had a person
come into our class to teach us (me included) ipchains and iptables.
So far I like ipchains a little better.  I can see that iptables is
better but I got a good handle on the constructs of ipchains and am
going to get really good on that at first then move to iptables.

Well here is the script.  Don't forget that you need to put the
command line variable in for the section that you want to run. Oh and
keep in mind that I am a little eccentric!

#!/bin/bash

chain=/sbin/ipchains
my_ip=65.113.83.102
all=0.0.0.0/0
allones=255.255.255.255
web=80


case "$1" in

	flameon)

	#clear screen so it can be read easily
	clear

	#flush rules
	echo "Flushing existing rules"
	$chain -F input
	$chain -F output
	$chain -F forward

	#set policy to deny
	echo "Starting policy section"
	$chain -P input DENY
	$chain -P output ACCEPT
	$chain -P forward ACCEPT

	#Rules
	echo "Setting outgoing web request for $my_ip"
	$chain -A input -s $my_ip 1024: -d $all 80 -p tcp -j ACCEPT
	echo "Setting incoming web response for $my_ip"
	#"! -y" matches packets that are NOT connection-opening SYNs,
	#so only replies to our own requests get in on the high ports
	$chain -A input -s $all 80 -d $my_ip 1024: ! -y -p tcp -j ACCEPT
	echo "Opening up DNS lookup"
	#-b installs the rule in both directions (request and reply)
	$chain -A input -b -s $my_ip 1024: -d 65.113.83.100 53 -p udp -j ACCEPT
	echo "setting up ssh from home"
	$chain -A input -b -s 24.247.108.146 1024: -d $my_ip 22 -p tcp -j ACCEPT
	echo "Setting up ssh on own subnet"
	$chain -A input -b -s 65.113.83.96/27 1024: -d 65.113.83.96/27 22 -p tcp -j ACCEPT

	echo "Setting default deny"
	#-l logs every packet this rule denies to the kernel log
	$chain -A input -l -j DENY
	echo
	echo "This is the current state of the firewall"
	echo
	$chain -L

	;;

	stupidity)

	#clear screen so it can be read easily
	clear

	#Flush chains
	echo "Flushing chains"
	$chain -F input
	$chain -F output
	$chain -F forward

	#Clearing input policy
	echo "Setting all policies to full accept"
	$chain -P input ACCEPT
	$chain -P output ACCEPT
	$chain -P forward ACCEPT
	echo
	echo "Well you wanted the stupidity setting."
	echo "Keep in mind that the computer is now fully accessible."
	echo "Here are the settings of ipchains now."
	echo
	$chain -L

	;;

	lockdown)

	#clear screen so it can be read easily
	clear

	#Flush chains
	echo "Flushing all existing chains"
	$chain -F input
	$chain -F output
	$chain -F forward

	#Set policies for deny
	echo "Setting all policies for deny"
	$chain -P input DENY
	$chain -P output DENY
	$chain -P forward DENY
	echo
	echo "I have now completely locked down the computer."
	echo "Here is the listing of current rules for verification."
	echo
	$chain -L

	;;

	*)

	#This is the section for when there is no command line argument
	#or the command line argument is incorrect

	clear
	echo "You have either failed to enter a command line argument"
	echo "or have entered an argument that is invalid."
	echo "There are three valid arguments for this script that you need to choose between."
	echo
	echo "flameon - will set the firewall rules to allow some traffic through"
	echo "but will protect the box from most outsiders."
	echo
	echo "lockdown - will completely shutdown the network conversations."
	echo
	echo "stupidity - will open the network interface up completely."
	echo

	;;

esac


=====
Truth is truth ... no matter what I think...
-----------------------------------------
Department of Redundancy Department
-----------------------------------------
Devoted RedHat fan...

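The post mentions moving from ipchains to iptables later. As an added example (not part of the original message or the author's script), here is the "flameon" mode expressed as an iptables ruleset, using connection tracking in place of the stateless "! -y" and "-b" tricks. The addresses and ports are the ones used in the post; the DRY_RUN switch, the run helper and the function names are assumptions of this example. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: the "flameon" policy from the post, rewritten for iptables
# with stateful matching.  DRY_RUN=1 (default) prints instead of executing.
IPT=${IPT:-/sbin/iptables}
MY_IP=65.113.83.102          # host address from the post
DNS_SERVER=65.113.83.100     # resolver from the post
HOME_IP=24.247.108.146       # ssh source allowed from home (from the post)
SUBNET=65.113.83.96/27       # local subnet allowed to ssh in (from the post)

# run: print the command (dry run) or execute it.  Assumed helper.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

flameon() {
    run "$IPT" -F INPUT
    run "$IPT" -F OUTPUT
    run "$IPT" -F FORWARD

    # Default deny inbound, allow outbound (the post's policy section);
    # FORWARD is dropped here because this host does not route.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -P FORWARD DROP

    # Loopback traffic is always fine.
    run "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to our own web and DNS requests.  This one rule replaces the
    # ipchains "! -y" (non-SYN) web rule and the "-b" DNS rule: conntrack
    # only admits packets belonging to a connection we opened.
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound ssh from home and from the local subnet.
    run "$IPT" -A INPUT -p tcp -s "$HOME_IP" -d "$MY_IP" --dport 22 \
        -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -p tcp -s "$SUBNET" -d "$MY_IP" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Log (rate limited) and drop everything else: the "-l -j DENY" line.
    run "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    run "$IPT" -A INPUT -j DROP
}

# Mirror the post's command-line selection; other modes are left out here.
case "${1:-}" in
    flameon) flameon ;;
esac
```

The DNS_SERVER variable is kept only for documentation: with OUTPUT set to ACCEPT and the ESTABLISHED rule in place, the UDP query goes out and its reply is admitted by connection tracking, so no separate DNS rule is needed. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; both match the same thing.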