After the necessary wandering through mountains of howtos, and having read pretty much everything in the forum, finally a firewall "the way I want it", and easy to configure too!
Since all the examples of fantastic firewalls were probably for version 0.5 and just wouldn't work on 0.6 pre3, it was a case of "searching a bit...."
I'd like to thank Walter, JP and Micheal for the contributions they made to the firewalls in the forum, which just wouldn't work with my 0.6 pre3. Maybe it's wiser to post solutions in the forum that have been shown to work in practice instead of, for instance, posting firewalls that don't work and were copied from a Red Hat distribution site.
OK, in the end it does work, but only after staring hard at the screen while it boots to see where something might go wrong, and wondering why somebody posted this in the forum as a solution when it isn't one at all!
This firewall comes from a number of postings in the forum, namely:
http://www.lintegrate.nl/phorum/read.php?f=1&i=1690&t=1478 with mega thanks to Henk de Jong for the network.ini
http://www.lintegrate.nl/phorum/read.php?f=1&i=1318&t=1318 with mega thanks to Henk de Jong for the config and the firewall.ini
Without these scripts it would never have worked.
They have been adapted for my situation, version 0.6 pre3; how they work with other versions I have no idea.

I have put the changes in bold so the differences can be seen, because otherwise they aren't visible.....
It's certainly educational, but as a Linux layman it can be pretty frustrating.......
It doesn't run entirely error-free yet; at least I see during boot that certain things aren't found, but that has no further effect on how it works....
The error messages are probably in the network.ini, so whoever dares... (I'll keep tinkering with it myself too)
But don't despair, here it is, tested working with various types of servers.

Now you only have to fill in the config; you don't need to edit the firewall.ini, though of course you can to add more servers.
Just change y or n for the service you want to use and fill in the IP address of the server in question.

I haven't done it for all services yet, purely out of laziness and because I can't test these things.



The first part, the "config" file:

# Filename: config
# Configuration for floppyfw
#
# For configuring of modules to use : /modules.lst
# For configuring logging: /syslogd.cfg
# For configuring network interface cards (usually not necessary): /syslinux.cfg
# For configuring firewall rules and incoming traffic: /firewall.ini
#

# If your provider is not xs4all, replace every "xs4all.nl" with the name of your own provider.
# Don't forget "DOMAIN" further down in the script.

# Fill in the login details below.
# Replace with your own settings.
# Remove the "<" and the ">".
# Comments start with #
#
# For Basic-adsl @xs4all-basic-adsl
# For Fast-adsl @xs4all-fast-adsl

USER_IDENT=@xs4all-basic-adsl
USER_PASSWORD=

# Fill in 2 IP addresses below to check the connection.
# ping.xs4all.nl = 194.109.104.104
# www.cisco.com = 198.133.219.25
PING1=194.109.104.104
PING2=198.133.219.25

# Fill in your fixed (static) IP address at NET_IP; the firewall rules
# that use it fail at boot if it is left empty.
# Outside network:
OUTSIDE_IP=PPTP
NET_IP=

# ppp0 (the PPTP link) is the outside device here; eth0 only carries the
# traffic to the modem (see MODEMSIDE_DEV below).
#
OUTSIDE_DEV=ppp0
OUTSIDE_NETMASK=255.255.255.0
OUTSIDE_BROADCAST=10.0.0.255

# Inside network:
#
# This has 192.168.0.* set as default, addresses assigned for internal networks
# according to RFC 1918.
#
# eth1 is the default device for the internal network.
#
# INSIDE_IP is the firewall's own address on the LAN, a single address
# (the posted file had 192.168.0.* here, which ifconfig cannot use).
INSIDE_IP=192.168.0.1
INSIDE_DEV=eth1
INSIDE_NETMASK=255.255.255.0
INSIDE_BROADCAST=192.168.0.255
LOCAL_NET=192.168.0.0/24


# Modem settings:
#
MODEMSIDE_DEV=eth0
MODEMSIDE_IP=10.0.0.150
MODEMSIDE_BROADCAST=10.0.0.255
MODEMSIDE_NETMASK=255.255.255.0
MODEM_IP=10.0.0.138

# Fill in the DNS servers here.
# And optionally the domain name and hostname.
#
NAME_SERVER_IP1=194.109.6.66
NAME_SERVER_IP2=194.109.9.99
DOMAIN=xs4all.nl
HOSTNAME=floppyfw

#
# (y)es or (n)o
#
OPEN_SHELL=y
ONLY_8M=n

# change * to the IP address of the logging machine
USE_SYSLOG=n
SYSLOG_FLAGS="-R 192.168.0.* -O /dev/null"

path_ipchains=ipchains
path_ipmasqadm=ipmasqadm

# class A private networks
class_a="10.0.0.0/8"
# class B private networks
class_b="172.16.0.0/12"
# class C private networks
class_c="192.168.0.0/16"
# class D multicast addresses
class_d="224.0.0.0/4"
# class E reserved addresses
class_e="240.0.0.0/5"

unpriv_ports="1024:65535"

# Open port 67 (bootps) for DHCP server
dhcp=n

# This is all generic protection against spoofing
spoofing_protection=y

# Refusing some common ports
# Especially necessary to set this feature when opening ALL unpriv_ports
# for instance due to ICQ filetransfer.
# Avoid ports subject to protocol & system administration problems.
refuse_common_ports=y

# Refusing some Trojan-ports
# Especially necessary to set this feature when opening ALL unpriv_ports
# for instance due to ICQ filetransfer.
# Trojan-ports: disable incoming connections to common trojan ports
block_trojans=y

# ICMP settings
# Only accept pings from www.watchmyserver.com (195.179.115.45)
# icmp traffic
# 0 = echo-reply needed by ping
# 3 = destination-unreachable needed by any TCP/UDP traffic
# 5 = redirect needed by routing if not running routing daemon
# 8 = echo-request needed by ping
#11 = time-exceeded needed by traceroute
accept_pings=y

# Block IP-numbers from certain file
# path_ip_block_file must point at a file with one IP address or network per line
# (the posted config left it unset, so ip_block=y would fail).
ip_block=n
path_ip_block_file=

# ICQ filetransfer
# Unfortunately ICQ uses the whole unpriv_port range for client to client connections (filetransfer)
# Enabling this feature will open ALL unpriv_ports. Hackers are then able to establish a
# connection to these ports.
icq_filetransfer_all=n
# Restricted ICQ filetransfer based on IP-address
# icq_friends: space-separated list of the IP addresses allowed in (was unset in the posted config)
icq_filetransfer_friends=n
icq_friends=""

# FTP - Server
ftp_active=n
# Sustain establishing data channel for FTP in passive mode
ftp_passive=n
# FTP - Active FTP for client
# Sustain FTP - please note that port 20 (ftp-data) for ACTIVE FTP sessions should NOT use
# SYN-filtering. Because of this, we must specifically allow it in. You'd better not use active FTP,
# but set your FTP-client into passive mode
ftp_client=y
# very important if you want FTP clients to work normally

# SSH server and client traffic
# Any traffic to/from ssh daemon permitted
ssh=n

# Open port 23 (telnet) for Telnet
telnet=n

# Open port 25 (smtp) for SMTP-server
SMTP_IP=
smtp=n

# Open port 53 (domain) for DNS-server
dns=n

# Open port 80 (http) for webserver
# WEB_IP is the IP address of your webserver
WEB_IP=
http=y

# Open port 443 (https) for webserver
HTTPS_IP=
https=n

# Open port 110 (pop3) for POP3-server
POP_IP=
pop3=n

# Open port 995 (pop3s) for POP3-server over SSL
POP3S_IP=
pop3s=n

# Open port 113 (auth/ident) for ident-server
# On some distributions "auth" needs to be replaced by "ident"
auth=n

# NTP: Allow external computers to connect to the Linux server ITSELF for
# NTP (time) updates -----> ntp.xs4all.nl = 194.109.6.65 = ntp_ip
# Open port 123 (ntp) for NTP
# ntp_ip: space-separated list of time servers the rules loop over
# (the posted config set ntp_address instead, which firewall.ini never reads)
ntp_ip=194.109.6.65
ntp_tcp=n
# Open udp-protocol timeserver ...
ntp_udp=n

# Open port 143 (imap) for IMAP-server
imap=n
# Open port 993 (imaps) for IMAP-server over SSL
imaps=n

# Open port 10000 (webmin) for Webmin-server
webmin=n

# open port 5900 for vnc
VNC_IP=
vnc_with_server=n

# open port 5800 for vnc
VNCWEB_IP=
vnc_with_webserver=n
# eof config


The firewall
# Filename: firewall.ini
# Firewall script by Henk de Jong V0.5
# http://www.nu2.nu
# Firewall setup
. /etc/config

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward

# MASQ timeouts
# 20000 sec (about 5.5 hrs) timeout for established TCP sessions
# 60 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 600 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
$path_ipchains -M -S 20000 60 600

# Flush and clear the rules and set the default policies
echo "Flushing and clearing rules ...";
$path_ipchains -F
$path_ipchains -X
$path_ipchains -Z
echo "Setting default policies ...";
$path_ipchains -P input DENY
$path_ipchains -P output DENY
$path_ipchains -P forward DENY

# Loopback settings
#--------------------------
echo "Enabling loopback settings ...";
$path_ipchains -A input -i lo -j ACCEPT
$path_ipchains -A output -i lo -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -d 127.0.0.0/8 -j DENY -l

# Modem traffic
#-------------------
echo "Initializing modemrules ...";
# Refuse spoofing
$path_ipchains -A input -i $OUTSIDE_DEV -s $NET_IP -j DENY -l

# Only traffic between modem and server is welcome
$path_ipchains -A input -i $MODEMSIDE_DEV -s $MODEM_IP -d $MODEMSIDE_IP -j ACCEPT
$path_ipchains -A output -i $MODEMSIDE_DEV -s $MODEMSIDE_IP -d $MODEM_IP -j ACCEPT

# View your modemsettings with your browser via http://10.0.0.138 from every
# computer on your LAN
$path_ipchains -A forward -i $MODEMSIDE_DEV -s $LOCAL_NET -d $MODEM_IP -j MASQ

# Local traffic
#---------------
echo "Enabling local traffic ...";
# Assemble before forwarding
$path_ipchains -A output -f -i $INSIDE_DEV -j DENY

# Refuse spoofing
$path_ipchains -A input -i $OUTSIDE_DEV -s $LOCAL_NET -j DENY -l
$path_ipchains -A input -s $NET_IP -j DENY -l

# Everything else is fine
$path_ipchains -A input -i $INSIDE_DEV -s $LOCAL_NET -j ACCEPT
$path_ipchains -A output -i $INSIDE_DEV -d $LOCAL_NET -j ACCEPT

# Masquerade
#-------------------
echo "Setting masquerading ...";
# Higher ports needed to accept incoming/outgoing calls
# Any traffic from masqueraded machines/server accepted
# Reject any traffic not started by masqueraded machine/server
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP $unpriv_ports ! -y -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP $unpriv_ports -d any/0 -j ACCEPT

# Check if UDP connections are needed
$path_ipchains -A input -p udp -i $OUTSIDE_DEV -s any/0 -d $NET_IP $unpriv_ports -j ACCEPT
$path_ipchains -A output -p udp -i $OUTSIDE_DEV -s $NET_IP $unpriv_ports -d any/0 -j ACCEPT

# All local trafic is masqueraded externally
$path_ipchains -A forward -i $OUTSIDE_DEV -s $LOCAL_NET -j MASQ


# DHCP server communication
#---------------------------
# Open port 67 (bootps) for DHCP server
if [ $dhcp = "y" ]; then
echo "Setup DHCP ...";
$path_ipchains -A input -p udp -i $INSIDE_DEV -s any/0 --sport 68 -d $INSIDE_BROADCAST --dport 67 -j ACCEPT
# the firewall answers from its own LAN address (the posted script used the undefined $local_ip here)
$path_ipchains -A output -p udp -i $INSIDE_DEV -s $INSIDE_IP -d $INSIDE_BROADCAST -j ACCEPT

$path_ipchains -A input -p udp -i $INSIDE_DEV --dport bootps --sport bootpc -j ACCEPT
$path_ipchains -A output -p udp -i $INSIDE_DEV --sport bootps --dport bootpc -j ACCEPT
fi;

# This is all generic protection against spoofing
#-------------------------------------------------
if [ $spoofing_protection = "y" ]; then
echo "Setting up generic protection against spoofing ..."

# Block Packets with Stuffed Routing
$path_ipchains -A input -s 0.0.0.0 -j DENY -l
$path_ipchains -A output -s 0.0.0.0 -j DENY -l
$path_ipchains -A input -s 255.255.255.255 -j DENY -l
$path_ipchains -A output -s 255.255.255.255 -j DENY -l

# Block Fragmented Packets
$path_ipchains -A input -f -j DENY -l

# Block all reserved private IP addresses
$path_ipchains -A input -i $OUTSIDE_DEV -s $class_a -j DENY -l
$path_ipchains -A input -i $OUTSIDE_DEV -s $class_b -j DENY -l
$path_ipchains -A input -i $OUTSIDE_DEV -s $class_c -j DENY -l
$path_ipchains -A input -i $OUTSIDE_DEV -s $class_d -j DENY -l
$path_ipchains -A input -i $OUTSIDE_DEV -s $class_e -j DENY -l

# Block all ip addresses reserved by IANA (for the time being)
# this changes regularly, see http://www.iana.org/assignments/ipv4-address-space
# Updated 25 May 2001
# NOTE: this snapshot is stale; most of these /8s have since been allocated,
# so leaving the list as-is silently blocks legitimate Internet hosts.
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 \
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
197.0.0.0/8 \
219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

for NET in $RESERVED_NET; do
$path_ipchains -A input -s $NET -j DENY -l
done;

fi;

# Refusing some common ports
#------------------------------
# Especially necessary to set this feature when opening ALL unpriv_ports
# for instance due to ICQ filetransfer.
# Avoid ports subject to protocol & system administration problems.
if [ $refuse_common_ports = "y" ]; then
echo "Refuse connection to common known ports ...";

# SOCKS: disable incoming connections on port 1080
# Big-Brother: disable incoming connections on port 1984
# Openwindows: disable incoming connections on port 2000
# NFS: disable incoming connections to port 2049
# SQUID: disable incoming connections on port 3128
# Xwindows: disable incoming connections on ports 6000:6063
# Block IRC on ports 6665:6669
# WEBPROXY: disable incoming connections on port 8080

common_ports_refused="1080 1984 2000 2049 3128 6000:6063 6665:6669 8080"

for common_ports in $common_ports_refused;
do
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV --dport $common_ports -j DENY -l
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV --dport $common_ports -j DENY -l
$path_ipchains -A input -p udp -i $OUTSIDE_DEV --dport $common_ports -j DENY -l
$path_ipchains -A output -p udp -i $OUTSIDE_DEV --dport $common_ports -j DENY -l

done;

fi;

# Refusing some Trojan-ports
#------------------------------
# Especially necessary to set this feature when opening ALL unpriv_ports
# for instance due to ICQ filetransfer.
# Trojan-ports: disable incoming connections to common trojan ports

if [ $block_trojans = "y" ]; then
echo "Block Trojans ...";

# Block Subseven (1.7/1.9) 1243 / 6711:6713
# Block Backdoor-G and Subseven (2.X) 1999 / 6776 / 27374
# Block NetBus 12345:12346
# Block NetBus 2 Pro 20034
# Block Stacheldraht 16660 / 60001 / 65000
# Block Back Orifice, Deep BO 31337:31338
# Block Back Orifice 2K 54320:54321
# Block Trinity v3 33270
# Block Trin00 1524 / 27444 / 27665 / 31335
# Block Cheeseworm 10008

trojan_ports="1243 6711:6713 1999 6776 27374 12345:12346 20034 16660 60001 \
65000 31337:31338 54320:54321 33270 1524 27444 27665 31335 10008"

for trojans in $trojan_ports;
do
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV --dport $trojans -j DENY -l
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV --dport $trojans -j DENY -l
$path_ipchains -A input -p udp -i $OUTSIDE_DEV --dport $trojans -j DENY -l
$path_ipchains -A output -p udp -i $OUTSIDE_DEV --dport $trojans -j DENY -l

done;

fi;

# ICMP settings
#-----------------------
# Only accept pings from www.watchmyserver.com (195.179.115.45)
# icmp traffic
# 0 = echo-reply needed by ping
# 3 = destination-unreachable needed by any TCP/UDP traffic
# 5 = redirect needed by routing if not running routing daemon
# 8 = echo-request needed by ping
#11 = time-exceeded needed by traceroute

if [ $accept_pings = "y" ]; then
echo "Set accept pings ...";
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 0 -s any/0 -d $NET_IP -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 3 -s any/0 -d $NET_IP -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 8 -s any/0 -d $NET_IP -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 11 -s any/0 -d $NET_IP -j ACCEPT

$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 3 -s $NET_IP -d any/0 -j ACCEPT
$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 8 -s $NET_IP -d any/0 -j ACCEPT
$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 0 -s $NET_IP -d any/0 -j ACCEPT
$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 11 -s $NET_IP -d any/0 -j ACCEPT

# Deny redirect icmp-packets: I changed this to a fixed DENY because I don't know why something like that should be open
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 5 -s any/0 -d $NET_IP -j DENY

else
echo "Set no pings accepted ...";
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 0 -s any/0 -d $NET_IP -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 3 -s any/0 -d $NET_IP -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 8 -s 195.179.115.45 -d $NET_IP -j ACCEPT
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 11 -s any/0 -d $NET_IP -j ACCEPT

$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 3 -s $NET_IP -d any/0 -j ACCEPT
$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 8 -s $NET_IP -d any/0 -j ACCEPT
$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 0 -s $NET_IP -d 195.179.115.45 -j ACCEPT
$path_ipchains -A output -i $OUTSIDE_DEV -p icmp --icmp-type 11 -s $NET_IP -d 195.179.115.45 -j ACCEPT

# Deny redirect icmp-packet
$path_ipchains -A input -i $OUTSIDE_DEV -p icmp --icmp-type 5 -s any/0 -d $NET_IP -j DENY -l
fi;

# Block IP-numbers from certain file
#-------------------------------------
if [ $ip_block = "y" ]; then
blockipnumbers=`cat $path_ip_block_file`;
for blockips in $blockipnumbers;
do
$path_ipchains -I input -s $blockips -j DENY -l
$path_ipchains -I output -d $blockips -j DENY -l
$path_ipchains -I forward -d $blockips -j DENY -l
done;
echo "Setting up file with IP-numbers to block ...";
fi;

# ICQ filetransfer
#---------------------
# Unfortunately ICQ uses the whole unpriv_port range for client to client connections (filetransfer)
# Enabling this feature will open ALL unpriv_ports. Hackers are then able to establish a
# connection to these ports.
if [ $icq_filetransfer_all = "y" ]; then
echo "Enabling ICQ filetransfer ... !!! Caution, opens ALL unpriv_ports ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -d $NET_IP --dport $unpriv_ports -y -j ACCEPT
fi;

# Restricted ICQ filetransfer based on IP-address
if [ $icq_filetransfer_friends = "y" ]; then
echo "Enable restricted ICQ filetransfer ...";
for icq_ip in $icq_friends;
do
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $icq_ip --sport $unpriv_ports -d $NET_IP --dport $unpriv_ports -j ACCEPT
done;
fi;

# FTP-server
#-----------------
if [ $ftp_active = "y" -o $ftp_passive = "y" ]; then
# Open port 21 (ftp) for passive FTP-server
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 21 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 21 -d any/0 ! -y -j ACCEPT
fi;

if [ $ftp_active = "y" ]; then
# Open port 20 (ftp-data) for active FTP-server
echo "Sustain active FTP ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 20 ! -y -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 20 -d any/0 -j ACCEPT
fi

if [ $ftp_passive = "y" ]; then
# Sustain establishing data channel for FTP in passive mode
echo "Sustain passive FTP ... !!! Caution, opens ALL unpriv_ports ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport $unpriv_ports -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport $unpriv_ports -d any/0 ! -y -j ACCEPT
fi;

# FTP - Active FTP for client
#------------------------------------
# Sustain FTP - please note that port 20 (ftp-data) for ACTIVE FTP sessions should NOT use
# SYN-filtering. Because of this, we must specifically allow it in. You'd better not use active FTP,
# but set your FTP-client into passive mode
if [ $ftp_client = "y" ]; then
echo "Enable possibility to ftp with a ftp-client ..."
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 --sport ftp-data -d $NET_IP --dport $unpriv_ports -j ACCEPT -l
fi;

# SSH server and client traffic (port 22)
#------------------------------------
# Any traffic to/from ssh daemon permitted
if [ $ssh = "y" ]; then
echo "Enable SSH ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 22 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 22 -d any/0 ! -y -j ACCEPT
fi;

# Telnet
#----------
# Open port 23 (telnet) for Telnet
if [ $telnet = "y" ]; then
echo "Sustain Telnet ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 23 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 23 -d any/0 ! -y -j ACCEPT
fi;

# SMTP-server
#-------------
# Open port 25 (smtp) for SMTP-server
if [ $smtp = "y" ]; then
echo "Opening SMTP for mailserver ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 25 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 25 -d any/0 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 25 -d $SMTP_IP --dport 25 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 25 -R $SMTP_IP 25
fi;

# DNS-server
#-----------------
# Open port 53 (domain) for DNS-server
if [ $dns = "y" ]; then
echo "Enable DNS ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 53 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 53 -d any/0 ! -y -j ACCEPT
$path_ipchains -A input -p udp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 53 -j ACCEPT
$path_ipchains -A output -p udp -i $OUTSIDE_DEV -s $NET_IP --sport 53 -d any/0 -j ACCEPT
fi;

# Apache - webserver
#----------------------------
# Open port 80 (http) for webserver
if [ $http = "y" ]; then
echo "Give access to webserver ..."
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 80 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 80 -d any/0 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 80 -d $WEB_IP --dport 80 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 80 -R $WEB_IP 80
fi;

# Open poort 443 (https) for webserver
if [ $https = "y" ]; then
echo "Setup SSL ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 443 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 443 -d any/0 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 443 -d $HTTPS_IP --dport 443 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 443 -R $HTTPS_IP 443
fi;

# POP3-server
#-------------------
# Open port 110 (pop3) for POP3-server
if [ $pop3 = "y" ]; then
echo "Open POP3 connection ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 110 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 110 -d any/0 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 110 -d $POP_IP --dport 110 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 110 -R $POP_IP 110
fi;

# Open port 995 (pop3s) for POP3-server over SSL
if [ $pop3s = "y" ]; then
echo "Open POP3 over SSL ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 995 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 995 -d any/0 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 995 -d $POP3S_IP --dport 995 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 995 -R $POP3S_IP 995
fi;

# Auth-server (ident)
#-----------------------
# Open port 113 (auth/ident) for ident-server
# On some distributions "auth" needs to be replaced by "ident"
if [ $auth = "y" ]; then
echo "Enable Auth ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 113 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 113 -d any/0 ! -y -j ACCEPT

else
echo "Reject instead of drop Auth requests ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 113 -j REJECT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 113 -d any/0 ! -y -j REJECT
fi;

# NTP: Allow external computers to connect to the Linux server ITSELF for
# NTP (time) updates -----> ntp.xs4all.nl = 194.109.6.65 = ntp_ip
#------------------------------------------------------------------------------
# Open port 123 (ntp) for NTP
if [ $ntp_tcp = "y" ]; then
echo "Open tcp-protocol timeserver ...";
for ntp_address in $ntp_ip; do
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s $ntp_address --sport 123 -d $NET_IP --dport 123 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 123 -d $ntp_address --dport 123 -j ACCEPT
done;
fi;

if [ $ntp_udp = "y" ]; then
echo "Open udp-protocol timeserver ...";
for ntp_address in $ntp_ip; do
$path_ipchains -A input -p udp -i $OUTSIDE_DEV -s $ntp_address --sport 123 -d $NET_IP --dport 123 -j ACCEPT
$path_ipchains -A output -p udp -i $OUTSIDE_DEV -s $NET_IP --sport 123 -d $ntp_address --dport 123 -j ACCEPT
done;
fi;

# IMAP-server
#---------------
# Open port 143 (imap) for IMAP-server
if [ $imap = "y" ]; then
echo "Open IMAP connection ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 143 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 143 -d any/0 ! -y -j ACCEPT
fi;

# Open port 993 (imaps) for IMAP-server over SSL
if [ $imaps = "y" ]; then
echo "Open IMAP over SSL ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 993 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 993 -d any/0 ! -y -j ACCEPT
fi;

# Webmin-server
#---------------
# Open port 10000 (webmin) for Webmin-server
if [ $webmin = "y" ]; then
echo "Enable Webmin ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 10000 -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 10000 -d any/0 ! -y -j ACCEPT

else
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 10000 -j DENY
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 10000 -d any/0 ! -y -j DENY
$path_ipchains -A input -p udp -i $OUTSIDE_DEV -s any/0 -d $NET_IP --dport 10000 -j DENY
$path_ipchains -A output -p udp -i $OUTSIDE_DEV -s $NET_IP --sport 10000 -d any/0 -j DENY
fi;

# VNC-server
#-------------
# It is more secure to establish a VNC-connection with Linux server via a SSH-tunnel
# Establish an unencrypted VNC-connection with Linux server
# Default display :1
if [ $vnc_with_server = "y" ]; then
echo "Setup routing VNC to server ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -d $NET_IP --dport 5900 -y -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 5900 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 5900 -d $VNC_IP --dport 5900 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 5900 -R $VNC_IP 5900

else
echo "Disabling routing VNC to server ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -d $NET_IP --dport 5900 -y -j DENY
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 5900 ! -y -j DENY
fi;

# VNC-webserver
#-------------
# It is more secure to establish a VNC-webconnection with Linux server via a SSH-tunnel
# Establish an unencrypted VNC-webconnection with Linux server
# Default display :1
if [ $vnc_with_webserver = "y" ]; then
echo "Setup routing VNC to webserver ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -d $NET_IP --dport 5800 -y -j ACCEPT
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 5800 ! -y -j ACCEPT
$path_ipchains -A input -p tcp -i $MODEMSIDE_DEV -s $NET_IP 5800 -d $VNCWEB_IP --dport 5800 -l -j ACCEPT
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 5800 -R $VNCWEB_IP 5800

else
echo "Disabling routing VNC to webserver ...";
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -d $NET_IP --dport 5800 -y -j DENY
$path_ipchains -A output -p tcp -i $OUTSIDE_DEV -s $NET_IP --sport 5800 ! -y -j DENY
fi;


# Logging
#----------------
# All other incoming, forwarding and outgoing is denied and logged.
$path_ipchains -A input -i $OUTSIDE_DEV -s any/0 -d any/0 -j DENY -l
$path_ipchains -A output -i $OUTSIDE_DEV -s any/0 -d any/0 -j DENY -l
$path_ipchains -A forward -i $OUTSIDE_DEV -s any/0 -d any/0 -j DENY -l

datum=`date`
echo $datum "Firewall is up!"
echo;
# eof firewall.ini
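The script below is added here as an example; it is not from the original post and not part of floppyfw. It is a POSIX sh check that reads a config and firewall.ini pair without sourcing them and reports (a) every variable firewall.ini references that neither file sets, and (b) services switched to y whose server address, or NET_IP itself, is still empty. The sample config and firewall excerpt it writes to a temporary directory are constructed for the demonstration; the flag-to-address pairs are the ones used in the config above.

```shell
#!/bin/sh
# Sanity check for a floppyfw config / firewall.ini pair. Added example, not
# taken from the post or from floppyfw. Neither file is sourced: both are
# parsed with grep/sed, so a broken config cannot execute anything here.
LC_ALL=C; export LC_ALL

# Print every $name or ${name} that the firewall script references but that
# is set neither in the config nor in the script itself (assignment or
# for-loop variable). Exit status 1 when something is missing, 0 otherwise.
undefined_vars() {
    config="$1"; firewall="$2"; missing=""
    referenced=$( { grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$firewall";
                    grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$firewall"; } \
                  | tr -d '${}' | sort -u)
    defined=$( { sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$config" "$firewall";
                 sed -n 's/^[[:space:]]*for[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]].*/\1/p' "$firewall"; } \
               | sort -u)
    for name in $referenced; do
        printf '%s\n' "$defined" | grep -qxF "$name" || missing="$missing $name"
    done
    [ -n "$missing" ] && printf '%s\n' $missing   # unquoted on purpose: one name per line
    [ -z "$missing" ]
}

# Port-forwarded services: flag -> variable holding the LAN host's address, as
# named in the config above. A flag set to y with its address empty makes the
# ipmasqadm portfw line fail at boot, and an empty NET_IP breaks most rules.
portfw_services="smtp:SMTP_IP http:WEB_IP https:HTTPS_IP pop3:POP_IP pop3s:POP3S_IP vnc_with_server:VNC_IP vnc_with_webserver:VNCWEB_IP"

# config_value FILE NAME -> last value assigned to NAME in FILE, quotes stripped
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Print the address variables that still have to be filled in; exit status 1 if any.
enabled_without_address() {
    config="$1"; bad=""
    [ -n "$(config_value "$config" NET_IP)" ] || bad="NET_IP"
    for pair in $portfw_services; do
        flag=${pair%%:*}; var=${pair#*:}
        if [ "$(config_value "$config" "$flag")" = y ] && [ -z "$(config_value "$config" "$var")" ]; then
            bad="$bad $var"
        fi
    done
    [ -n "$bad" ] && printf '%s\n' $bad
    [ -z "$bad" ]
}

# Constructed sample pair in a temp dir, modelled on the post. The excerpt keeps
# the post's real gaps: NET_IP and WEB_IP empty while http=y, ntp_ip never set
# (the config sets ntp_address instead) and $datum used without a definition.
sample_dir=$(mktemp -d)
cat > "$sample_dir/config" <<'EOF'
path_ipchains=ipchains
path_ipmasqadm=ipmasqadm
OUTSIDE_DEV=ppp0
NET_IP=
unpriv_ports="1024:65535"
ntp_address=194.109.6.65
ntp_udp=y
WEB_IP=
http=y
SMTP_IP=
smtp=n
EOF
cat > "$sample_dir/firewall.ini" <<'EOF'
. /etc/config
$path_ipchains -A input -p tcp -i $OUTSIDE_DEV -s any/0 -d $NET_IP $unpriv_ports ! -y -j ACCEPT
if [ $ntp_udp = "y" ]; then
for ntp_address in $ntp_ip; do
$path_ipchains -A input -p udp -i $OUTSIDE_DEV -s $ntp_address --sport 123 -d $NET_IP --dport 123 -j ACCEPT
done;
fi;
$path_ipmasqadm portfw -a -P tcp -L $NET_IP 80 -R $WEB_IP 80
echo $datum "Firewall is up!"
EOF

echo "== variables firewall.ini uses that nothing sets =="
undefined_vars "$sample_dir/config" "$sample_dir/firewall.ini" || echo "(define these before booting)"
echo "== enabled services with an empty address =="
enabled_without_address "$sample_dir/config" || echo "(fill these in)"
```

Run it against the real files with the two paths substituted for the sample ones; a clean run prints nothing under either heading.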

The network.ini
otherwise it doesn't work at all

#!/bin/sh
# Filename: network.ini V0.5

#
# Remember to set up the network interface card with IRQ and base address
# in syslinux.cfg
#
# Edited by Edo-Martijn Janssen 16-4-2001.
# modified by Henk de Jong http://www.nu2.nu

#
# Grabbing the config.
#
. /etc/config

/bin/ifconfig lo 127.0.0.1

#
# Inside:
#
/bin/ifconfig ${INSIDE_DEV} ${INSIDE_IP} netmask ${INSIDE_NETMASK} broadcast ${INSIDE_BROADCAST}

echo "${INSIDE_IP} ${HOSTNAME}.inside" >> /etc/hosts

#
# Outside
#
# Setting up secrets files in case they're necessary
#
echo "Creating pap-secrets and chap-secrets files"
# The header line must be a comment: pppd parses every non-comment line as a secrets entry.
echo "# This file created by network.ini" > /etc/ppp/pap-secrets
echo "#User #Server #Password #IP " >> /etc/ppp/pap-secrets
echo "${USER_IDENT} * ${USER_PASSWORD} * " >> /etc/ppp/pap-secrets
chmod 600 /etc/ppp/pap-secrets
cp /etc/ppp/pap-secrets /etc/ppp/chap-secrets

#
echo "Creating adsl file."
# the modem address comes from MODEM_IP in the config (was hard-coded as 10.0.0.138)
echo "pty \"/bin/pptp ${MODEM_IP} --nolaunchpppd --phone pc1\" " > /etc/ppp/peers/adsl
echo "idle 0" >> /etc/ppp/peers/adsl
# uncomment for debugging
# echo "debug" >> /etc/ppp/peers/adsl
echo "user \"${USER_IDENT}\" " >> /etc/ppp/peers/adsl
echo "usepeerdns" >> /etc/ppp/peers/adsl
echo "defaultroute" >> /etc/ppp/peers/adsl
echo "persist" >> /etc/ppp/peers/adsl


#
# boot up the appropriate network protocol
#
case "${OUTSIDE_IP}" in
PPTP)
echo "Preparing for PPTP"
# For PPTP we need these modules
if [ ! -e /lib/modules/ppp.o ] ; then
echo "You must have the package ppp.bz2 installed to use PPP."
exit 1
fi
if [ ! -e /bin/pptp ] ; then
echo "You must have the package pptp.bz2 installed to use PPTP."
exit 1
fi
echo "Creating options file."
# edit the ppp 'options' file as necessary
echo "idle 0" > /etc/ppp/options
echo "debug" >> /etc/ppp/options
echo "noauth" >> /etc/ppp/options
echo "user \"${USER_IDENT}\" " >> /etc/ppp/options
echo "usepeerdns" >> /etc/ppp/options
echo "defaultroute" >> /etc/ppp/options
/bin/ifconfig ${MODEMSIDE_DEV} ${MODEMSIDE_IP} netmask ${MODEMSIDE_NETMASK} broadcast ${MODEMSIDE_BROADCAST}
;;
*)
echo " "
echo "This floppy can only use PPTP."
echo "Set PPTP behind OUTSIDE_IP in config file."
;;
esac

echo "Setting up name server (/etc/resolv.conf) "
# overwrite on the first line so a re-run does not pile up duplicate entries
echo "domain ${DOMAIN}" > /etc/resolv.conf
echo "search ${DOMAIN}" >> /etc/resolv.conf
echo "nameserver ${NAME_SERVER_IP1}" >> /etc/resolv.conf
echo "nameserver ${NAME_SERVER_IP2}" >> /etc/resolv.conf


# (syn cookies are enabled in the guarded block below)

# Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
echo "Enabling anti spoofing: "
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo -n " $interface "
echo 1 > $interface
done
fi;

# Disable ICMP Redirect acceptance
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $interface;
done
fi;

# Disable ICMP send_redirect
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $interface;
done
fi;

# Don't accept source routed packets
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $interface;
done
fi;

# Log spoofed packets, source routed packets, redirect packets
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
for interface in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $interface;
done
fi;

# Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi;

# ICMP Broadcasting protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi;

# ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi;

# Enable automatic IP defragmenting
if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
fi;

# Turn on dynamic TCP/IP address hacking ... turn off with echo 0 > ...
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi;

# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
# Turned off by default ... turn on with echo 1 > ...
if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then
echo 0 > /proc/sys/net/ipv4/ip_masq_udp_dloose
fi;
# eof network.ini