summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/monmotha/ChangeLog11
-rw-r--r--net-misc/monmotha/Manifest16
-rw-r--r--net-misc/monmotha/files/digest-monmotha-2.3.81
-rw-r--r--net-misc/monmotha/files/digest-monmotha-2.3.8_pre70
-rw-r--r--net-misc/monmotha/files/rc.firewall-2.3.8-pre71357
-rw-r--r--net-misc/monmotha/monmotha-2.3.8.ebuild (renamed from net-misc/monmotha/monmotha-2.3.8_pre7.ebuild)16
6 files changed, 27 insertions, 1374 deletions
diff --git a/net-misc/monmotha/ChangeLog b/net-misc/monmotha/ChangeLog
index 4dddb52662b5..9773fdfab7b0 100644
--- a/net-misc/monmotha/ChangeLog
+++ b/net-misc/monmotha/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-misc/monmotha
-# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/monmotha/ChangeLog,v 1.5 2004/11/23 21:07:58 sekretarz Exp $
+# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/monmotha/ChangeLog,v 1.6 2005/02/10 13:10:21 dragonheart Exp $
+
+*monmotha-2.3.8 (10 Feb 2005)
+
+ 10 Feb 2005; Daniel Black <dragonheart@gentoo.org>
+ -files/rc.firewall-2.3.8-pre7, +monmotha-2.3.8.ebuild,
+ -monmotha-2.3.8_pre7.ebuild:
+ Version bump as per bug #80946. Thanks to Curtis Magyar <curtm4n@gmail.com>
23 Nov 2004; Karol Wojtaszek <sekretarz@gentoo.org>
monmotha-2.3.8_pre7.ebuild:
diff --git a/net-misc/monmotha/Manifest b/net-misc/monmotha/Manifest
index ace920be5bf9..6677fe0c36cd 100644
--- a/net-misc/monmotha/Manifest
+++ b/net-misc/monmotha/Manifest
@@ -1,15 +1,7 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
+MD5 f9c4b0f9e282a433739c6a93a0554827 ChangeLog 847
+MD5 a50952d1b6569bd8b21821d0625a3ec9 monmotha-2.3.8.ebuild 1362
MD5 9a9f7a607b21cb94eb3b402fcc57ea1e monmotha-2.3.8_pre7.ebuild 1185
-MD5 1d249ebf9a70938427d7999471add0b6 ChangeLog 660
-MD5 5368c139957ecdf3fed36278f89e926e files/rc.firewall-2.3.8-pre7 55183
MD5 d41d8cd98f00b204e9800998ecf8427e files/digest-monmotha-2.3.8_pre7 0
MD5 b3f639c3a99e5294907fec299abfa02c files/monmotha.rc6 937
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.2.6 (GNU/Linux)
-
-iD8DBQFBo6a7Z/iYVBmujdURAgsdAJ9UmK4W7GbZNh3aRXDmpNKQLZXVfgCgu1YK
-Ro/X4k2bDRZIOWP+xqzEDO8=
-=Nmno
------END PGP SIGNATURE-----
+MD5 5368c139957ecdf3fed36278f89e926e files/rc.firewall-2.3.8-pre7 55183
+MD5 f9171b64cd98abf12dd87ce0348f4267 files/digest-monmotha-2.3.8 61
diff --git a/net-misc/monmotha/files/digest-monmotha-2.3.8 b/net-misc/monmotha/files/digest-monmotha-2.3.8
new file mode 100644
index 000000000000..3986b769125e
--- /dev/null
+++ b/net-misc/monmotha/files/digest-monmotha-2.3.8
@@ -0,0 +1 @@
+MD5 b77c845fa2eca44a25dc5e0e7cc234c2 rc.firewall-2.3.8 56204
diff --git a/net-misc/monmotha/files/digest-monmotha-2.3.8_pre7 b/net-misc/monmotha/files/digest-monmotha-2.3.8_pre7
deleted file mode 100644
index e69de29bb2d1..000000000000
--- a/net-misc/monmotha/files/digest-monmotha-2.3.8_pre7
+++ /dev/null
diff --git a/net-misc/monmotha/files/rc.firewall-2.3.8-pre7 b/net-misc/monmotha/files/rc.firewall-2.3.8-pre7
deleted file mode 100644
index 9876ea8af8d2..000000000000
--- a/net-misc/monmotha/files/rc.firewall-2.3.8-pre7
+++ /dev/null
@@ -1,1357 +0,0 @@
-#!/bin/bash
-# ----------------------------------------------------------------------|
-# This is it...MonMotha's Firewall 2.3.8-pre7! |
-# All your h4x0rZ are belong to Linux/Netfilter! |
-# ----------------------------------------------------------------------|
-# 2.3 RELEASE NOTES: This is the 2.2 series with some extra stuff, |
-# including MAC address matching, stateful matching, port forwarding, |
-# per-proto accept behavior, and some other stuff that I might think |
-# about adding later. |
-# ----------------------------------------------------------------------|
-# COMMENTS from MonMotha: |
-# |
-# Please do not email me directly with usage questions. I don't have |
-# the time or resources to keep up. Check the configuration help at |
-# the URL posted below then post to the users list if you have any |
-# further questions. |
-# --MonMotha |
-# |
-# When emailing me or the mailing lists, keep in mind that HTML email |
-# may be silently rejected as an anti-spam measure. Configure your UA |
-# to use plain text for mail. |
-# --MonMotha |
-# |
-# A list of known bugs can be found at: |
-# http://www.mplug.org/phpwiki/index.php?MonMothaKnownBugs |
-# please check this list before reporting bugs. Bugs can be reported |
-# directly to me or to the devel mailing list. Please ask to be CCed |
-# if you mail the devel list and are not a member. |
-# --MonMotha |
-# |
-# Mailing lists are now available. See the distribution website at |
-# <http://monmotha.mplug.org> for more info. |
-# --MonMotha |
-# |
-# Note another change of my email address. New address is: |
-# <monmotha@indy.rr.com>. Hopefully I can keep this one for a while. |
-# --MonMotha |
-# |
-# I will be entering "feature freeze" when 2.3.8 goes final. Please |
-# make sure to have any patches or feature requests in by then. |
-# I expect 2.3.7 to be closing in on deserving the "stable" marking. |
-# --MonMotha |
-# |
-# Please note the change of my e-mail address. The new address is: |
-# obi-wan@starwarsfan.com. The old address (bvmopen@usa.net) will be |
-# discontinued as of July 31, 2001. |
-# --MonMotha |
-# |
-# When e-mailing to report a bug, please check first that it has not |
-# already been fixed in the next prerelease (which can be found at the |
-# distribution site). |
-# --MonMotha |
-# |
-# Before e-mailing me, please check the distribution site (which can be |
-# found at http://freshmeat.net/projects/mothafirewall as it changes |
-# sometimes) for a new version. |
-# --MonMotha |
-# |
-# Please...PLEASE give me feedback on your experiences with this script |
-# I would really like to know what everyone wants, what works, and |
-# about the inevitable bugs present in anything. |
-# |
-# Direct all feedback to: monmotha@indy.rr.com |
-# --MonMotha |
-# |
-# When e-mailing with problems, please include firewall script version, |
-# iptables version, kernel version, and GNU BASH version. If you think |
-# your problem might be related to kernel configuration, please attach |
-# the .config file for your kernel. |
-# --MonMotha |
-# |
-# ----------------------------------------------------------------------|
-# SYSTEM REQUIREMENTS: You must have either compiled the appropriate |
-# iptables support into your 2.4 kernel or have loaded all the |
-# applicable modules BEFORE you run this script. This script will not |
-# load modules for you. |
-# |
-# You will need (at least) the following kernel options to use |
-# this firewall: CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, |
-# CONFIG_IP_NF_FILTER, CONFIG_IP_NF_MATCH_STATE and |
-# CONFIG_IP_NF_TARGET_REJECT. |
-# To use the masquerading you will also need (at least): |
-# CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_NAT, CONFIG_IP_NF_NAT_NEEDED |
-# and CONFIG_IP_NF_TARGET_MASQUERADE. |
-# Additional options may be needed to use other features. |
-# |
-# You need iptables. Get it at "http://netfilter.filewatcher.org". |
-# Some of the features will need patches only present in the CVS |
-# |
-# This script was written (and partially tested) with iptables CVS |
-# and kernel 2.4.x (non testing) in mind. |
-# |
-# Also, this is a BASH shell script...any 2.x version of GNU BASH |
-# should work. |
-# ----------------------------------------------------------------------|
-# |
-# ALL USERS, READ THE FOLLOWING: |
-# |
-# This is distributed under the BSD liscense sans advertising clause: |
-# |
-# Redistribution and use in source and binary forms, with or without |
-# modification, are permitted provided that the following conditions |
-# are met: |
-# |
-# 1.Redistributions of source code must retain the above copyright |
-# notice, this list of conditions and the following disclaimer. |
-# 2.Redistributions in binary form must reproduce the above |
-# copyright notice, this list of conditions and the following |
-# disclaimer in the documentation and/or other materials provided |
-# with the distribution. |
-# 3.The name of the author may not be used to endorse or promote |
-# products derived from this software without specific prior |
-# written permission. |
-# |
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE |
-# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER |
-# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR |
-# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE |
-# |
-# While this may be used freely for commercial use, I do REQUEST that |
-# any commercial users please tell me via e-mail at |
-# monmotha@indy.rr.com that they are using it, why they chose it, |
-# how well it works, etc. |
-# |
-# ----------------------------------------------------------------------|
-# IMPORTANT: This firewall is currently in beta! It may be too |
-# restrictive or insecure. |
-# ----------------------------------------------------------------------|
-# CHANGELOG: (Since 2.3.0-pre1a only) |
-# version 2.3.8-pre7: Fix syntax error in ALLOW_HOSTWISE_PROTO |
-# version 2.3.8-pre7b: More sanity checking |
-# LOCIP option for DENY_HOSTWISE options |
-# LOCIP option for DENY_ALL |
-# version 2.3.8-pre7a: Clarify liscense |
-# Alias TCP_ALLOW and UDP_ALLOW to |
-# ALLOW_HOSTWISE_xxx as they contain |
-# redundant code |
-# Move BAD_ICMP to non-experimental options |
-# Changed exit status; review your scripts |
-# Additional sanity checking |
-# Add ALLOW_HOSTWISE_PROTO option |
-# version 2.3.8-pre6: Fix comment errors |
-# Fix a bug in config checks |
-# Add BRAINDEAD_ISP option |
-# version 2.3.8-pre5: More fixes for multiple LAN interfaces |
-# Fix a syntax error in ALLOW_HOSTWISE_TCP |
-# version 2.3.8-pre5d: Intersubnet Routing should work again |
-# TOS Mangles default to off |
-# version 2.3.8-pre5c: Port forwards apply to all interfaces only |
-# when LOCIP is used |
-# Multiple LAN Interfaces (breaks DMZ) |
-# version 2.3.8-pre5b: Fix missing fi near line 1160 |
-# version 2.3.8-pre5a: Fix BAD_ICMP and echo-request |
-# Fix port forwards |
-# Add checks for limit and REJECT |
-# Local IP options for TCP/UDP allows (and |
-# hostwise allows) |
-# Port forwards now apply to all interfaces |
-# Remove redundant disclaimer |
-# version 2.3.8-pre4: Fix typo in SUPER_EXEMPT |
-# Fix reversal of DMZIN/OUT |
-# Fix reversed logic in port forwards |
-# version 2.3.8-pre3: Fix DHCP server syntax error |
-# Replace ALLOW_ALL with SUPER_EXEMPT |
-# Fix ALLOW_OUT_TCP |
-# Fix SNAT status reporting |
-# Removed some obsoleted code |
-# Move DHCP server to stable options |
-# Add local IP to port forwards |
-# version 2.3.8-pre2: Don't create ULDROP unless used in case |
-# system doesn't have ULOG support |
-# ALLOW_OUT_TCP now allows a destination port |
-# Additional sanity checks |
-# Add ULREJECT and ULTREJECT targets |
-# BLACKHOLEs should now work |
-# Fix status reporting in local traffic rules |
-# DMZ Fixes (Hans Bieshaar) |
-# Flush and delete SYSTEST (Hans) |
-# Syncookies set off if not on (Hans) |
-# Fix REJECT messages for ICMP (Hans) |
-# Explicit denies are now global (Hans) |
-# Remove FORWARD -d $INTERNAL_LAN; it is not |
-# needed for internet and can pose a |
-# security risk (this may break things) |
-# (Hans) |
-# SYNCOOKIES default to off (Hans) |
-# We had a debate on this one, feel free |
-# to email me regarding it. |
-# Config directives for RP_FILTER and |
-# accept strict source routed (Hans) |
-# Add BAD_ICMP directive |
-# version 2.3.8-pre1: Add ULDROP (ULOG and DROP) target |
-# Restructuring to allow the following: |
-# BLACKHOLEs are now global (not just inet) |
-# All explicit denies override TCP/UDP |
-# forwards. |
-# All explicit denies ovrride ALLOW_HOSTWISE |
-# BLACKHOLEs should now work for computers |
-# behind the firewall as well as the |
-# firewall itself. |
-# Fix for iptables 1.2.3 log level info |
-# version 2.3.7: No changes from pre8 |
-# version 2.3.7-pre8: Change email address on liscense |
-# Revert to pre6 behavior of dropping ICMP |
-# echo-request (take global DROP= policy) |
-# Allow everything from interface lo |
-# Correct pre7 changelog |
-# Special rules for DHCP servers |
-# version 2.3.7-pre7: Fix version number in changelog entry below |
-# Fix 127.0.0.1 INPUT handling. |
-# Only enable IP forwarding if it's needed |
-# (INTERNAL_LAN defined) |
-# Tweak flood parameters |
-# Hostwise allows now override explicit, |
-# denies but not blackholes |
-# ICMP echo-request will no longer take the |
-# specified drop policy when it doesn't |
-# comply with limits, straight DROP will |
-# be used instead |
-# Fix REJECT handling in TREJECT and LTREJECT |
-# Add transparent proxy support (Joshua Link) |
-# version 2.3.7-pre6: Fix status reporting on SSR SysCtl loop |
-# Fix the SSR SysCtl loop |
-# Remove stateful match from forward chain |
-# version 2.3.7-pre5: Make the default policy actually be DROP |
-# instead of just saying it is |
-# Add stateful matching to forward chain to |
-# prevent people from routing onto your |
-# internal network (please tell me if |
-# breaks anything). Thanks to Martin |
-# Mosny for noticing this |
-# Block Source Routed Packets to help with |
-# the above problem |
-# Add option for TCP SynCookies on or off |
-# Fix BLACKHOLE directive (was being applied |
-# to INPUT/OUTPUT after the jump for |
-# INETIN/INETOUT so didn't apply for |
-# the internet). Thanks to Gerry Doris |
-# for noticing this |
-# Add DHCP client to default UDP port allows |
-# Note email address change |
-# Changed emphesis in comments |
-# Forwarding of port ranges (Vinny and Eddie) |
-# version 2.3.7-pre4: Line 414, missing subnet match caused all |
-# packets from anywhere to be allowed. |
-# Fixed. |
-# version 2.3.7-pre3: Fix missing fi (fatal syntax error) |
-# Fix logging in TCPACCEPT chain |
-# version 2.3.7-pre2: Add route verification (thanks to Jeremy |
-# Frank) |
-# Add blackhole directive |
-# Updated configuration sanity checks |
-# Ripped out SSH Stuff as it isn't needed |
-# True default DROP on INPUT |
-# Don't run the INTERNAL_LAN loop if no nets |
-# Upped the default SYN limit as large |
-# numbers of small FTP transfers would |
-# overload it quickly |
-# Form cleanups |
-# version 2.3.7-pre1: Maybe the FTP will work now (fixes for the |
-# RELATED state) |
-# Now works with both LAN and DMZ iface null |
-# Moved static NAT to stable options |
-# Change parser to /bin/bash not /bin/sh |
-# version 2.3.6: Add TTL mangling |
-# Added some more EFNet servers to the list |
-# Fix in the DMZOUT chain |
-# Fix FTP stuff |
-# version 2.3.5: Fixes to make port forwarding work again |
-# version 2.3.4: USE_MASQ has been changed to MASQ_LAN in port fw |
-# Fix syntax error in TCP port forwards |
-# General cleanup |
-# Fixes in port forwarding |
-# It's LTREJECT, not TLREJECT |
-# More TOS mangling |
-# version 2.3.3: Fatal syntax error in IP forward detect fix |
-# Don't bail on no IP forward for no LAN |
-# version 2.3.3-pre1: Reject with tcp-reset for TCP option |
-# Removed the huge list of censorship |
-# Moved the port forwards to stable options |
-# Moved the TOS mangling to stable options |
-# Check before enabling IP Forwarding and |
-# IP SynCookies |
-# Don't run censorship loop if no rules |
-# Request low latency TOS on UDP packets for |
-# games on ports 4000-7000 (Diablo II) |
-# Fix bad syntax in the port forwarding loops |
-# Reversed DMZIN and DMZOUT fixed |
-# Various syntax fixes |
-# Stateful inspection on forward chain |
-# Other stateful matching changes |
-# version 2.3.2: Fixed bad syntax in DMZ_IFACE loop |
-# version 2.3.2-pre2: Put a real liscense on it (BSD liscense) |
-# Changed format of ALLOW_HOSTWISE and |
-# DENY_HOSTWISE to be less confusing |
-# (the ":" was changed to ">") |
-# Added LOG_FLOOD option to tweak log limit |
-# Added SYN_FLOOD option to tweak SYN limit |
-# Added PING_FLOOD option to tweak PING limit |
-# version 2.3.2-pre1: Stateful matching on active FTP and SSH |
-# rules (thanks to Len Padilla) |
-# Fixed a minor bug in chain creation order |
-# (thanks to Peter Lindman) |
-# TOS Optimizations (thanks to vesa alatalo) |
-# Begin DMZ Support |
-# Proofread comments and correct |
-# Use BASH builtins instead of sed |
-# (thanks to Craig Ludington) |
-# Fixed "USE_SNAT" bug in port forwarding |
-# (has been changed to "SNAT_LAN") |
-# (thanks to Frédéric Marchand) |
-# Tuned down default TCP allows (remove POP3) |
-# version 2.3.1: Option for 1:1 or subnet:1 static NAT |
-# Internet censorship options |
-# version 2.3.1-pre2: Added option to deny specific ports from |
-# specific hosts |
-# Added limiting to logging chains to prevent |
-# log DoSing |
-# Spiffed up comments |
-# Changed the "AUTH_ALLOW" and "DNS" options |
-# to be more generic and flexible |
-# version 2.3.1-pre1: Updated comments for new kernel version |
-# Removed double drop setting |
-# Updated for iptables-1.2 |
-# Began a kernel option list |
-# version 2.3.0: No changes from pre1g |
-# version 2.3.0-pre1g: Tuned down default TCP allows |
-# Restructure to SSH loop |
-# Status Reporting Fixes (newlines, etc.) |
-# Fix log prefix length on accept loops |
-# version 2.3.0-pre1f: Moved the ICMP echo-request limit to where |
-# it should have been |
-# Allows the rest of the ICMP like it should |
-# Remove the interface matching from ICMP |
-# echo-request (not needed) |
-# version 2.3.0-pre1e: Fixed an issue in the invalid matching |
-# version 2.3.0-pre1d: Spiffed up comments |
-# Port Forwarding |
-# Moved the deny setting to normal options |
-# version 2.3.0-pre1c: Minor fixes that don't (currently) affect |
-# functionality |
-# version 2.3.0-pre1b: Security fix documented in 2.1.13 |
-# Slight logic change in TCP_ALLOW loop |
-# Don't print allow messages if nothign is |
-# allowed by that loop |
-# Changed IPTables download URL |
-# version 2.3.0-pre1a: Initial branch from 2.1.12 |
-# Add stuff in release notes except port fw |
-# ----------------------------------------------------------------------|
-# You NEED to set this! |
-# Configuration follows: |
-# |
-# Notes about configuration: |
-# Some things take more than one option; separate with spaces. |
-# You probably don't want all the ports I have under here open, portscan|
-# yourself to find what you want open. |
-# If you want to used host-based identd allowing, do NOT put 113 in |
-# TCP_ALLOW and DO set ALLOW_TCP_HOSTWISE (using 113 as the port).|
-# Of course, you can also put 113 in TCP_ALLOW to allow anyone. |
-# The same applies to DNS zone transfers (only use port 53 and UDP). |
-# MAC_MASQ is ONLY used for the purposes of masquerading and it will |
-# override the MASQ_LAN setting for masquerading. However, you |
-# must still define MASQ_LAN properly. |
-# INTERNAL_LAN must always be properly defined. |
-# You can use hostnames anywhere, but you'll need to have access to the |
-# DNS server when the script runs and you might not get the expected |
-# results since the DNS lookup is only done once. |
-# You can mix and match hosts with public IPs and masqueraded hosts in |
-# INTERNAL_LAN as long as you define the ones to use NAT later. |
-# DMZ support can currently be considered (at best) PREALPHA. |
-# It should work without a LAN, leave INTERNAL_LAN blank. |
-
-
-# Main configuration, modify to suit your setup. Help can be found at:
-# http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
-
-
-IPTABLES="/usr/sbin/iptables" # set to your iptables location, must be set
-TCP_ALLOW="22" # TCP ports to allow (port<LOCIP)
-UDP_ALLOW="68 6112 6119 4000" # UDP ports to allow (port<LOCIP)
-INET_IFACE="eth1" # the interface your internet's on (one only), must be set
-LAN_IFACE="eth0" # the interface(s) your LAN is on
-INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" # The internal LAN (including DMZs but not censored hosts)
-MASQ_LAN="192.168.0.0/24 192.168.1.0/24" # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
-SNAT_LAN="" # Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
-DROP="TREJECT" # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP), LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset), ULDROP (ULOG and DROP)
-DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all; format is "IP<LOCIP"
-DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP ports; format is "IP>PORT<LOCIP"
-DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP ports; format is "IP>PORT<LOCIP"
-BLACKHOLE="" # People you don't want to have anything to do with (equivlent of my old TK_DROP). This is a bidirectional drop.
-BLACKHOLE_DROP="DROP" # What to do for the blackholes (same options as DROP directive above)
-ALLOW_HOSTWISE_TCP="" # Specific hosts allowed access to specific TCP ports; format is "IP>PORT<LOCIP"
-ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific UDP ports; format is "IP>PORT<LOCIP"
-TCP_FW="" # TCP port forwards, form is "SPORT:DPORT>DESTIP<LOCIP" <LOCIP may be omitted
-UDP_FW="" # UDP port forwards, form is "SPORT:DPORT>DESTIP<LOCIP" <LOCIP may be omitted
-MANGLE_TOS_OPTIMIZE="FALSE" # TOS "optimizations" on or off (TRUE/FALSE toggle)
-DHCP_SERVER="FALSE" # Set to true if you run a DHCP server. DHCP clients do not need this. This allows broadcasts to the server from potential clients on the LAN to succeede.
-BAD_ICMP="5 9 10 15 16 17 18" # ICMP messages to NOT allow in from internet
-ENABLE="N" # Set to 'Y' when it's configured; this is for your own safety
-
-# Flood Params. You will still recieve the packets and the bandwidth will be used, but this will cause floods to be ignored (useful against SYNFLOODS especially)
-LOG_FLOOD="2/s" # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
-SYN_FLOOD="20/s" # GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
-PING_FLOOD="1/s" # GLOBAL limit on ICMP echo-requests to reply to
-
-# Outbound filters
-ALLOW_OUT_TCP="" # Internal hosts allowed to be forwarded out on TCP (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
-PROXY="" # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the proxy is "host:port".
-
-# Below here is experimental (please report your successes/failures)
-MAC_MASQ="" # MAC addresses permitted to use masquerading, leave blank to not use
-MAC_SNAT="" # MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
-TTL_SAFE="" # How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
-USE_SYNCOOKIES="FALSE" # TCP SynCookies on or off (TRUE/FALSE toggle)
-RP_FILTER="TRUE" # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
-ACCEPT_SOURCE_ROUTE="FALSE" # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
-SUPER_EXEMPT="" # Hosts which get to bypass the packet filter entirely (be REALLY careful with these)
-BRAINDEAD_ISP="FALSE" # Force no fragments, useful if your ISP has a broken firewall or if you are on a tunneled connection (like PPPoE DSL)
-ALLOW_HOSTWISE_PROTO="" # Specific hosts allowed access on specific IP protocols; format is "IP>PROTO<LOCIP"
-
-
-# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
-DMZ_IFACE="" # Interface your DMZ is on (leave blank if you don't have one)
-
-
-# ----------------------------------------------------------------------|
-# These control basic script behavior; there should be no need to |
-# change any of these settings for normal use. |
-# ----------------------------------------------------------------------|
-FILTER_CHAINS="INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT"
-UL_FILTER_CHAINS="ULDROP ULREJECT ULTREJECT"
-LOOP_IFACE="lo"
-
-# ----------------------------------------------------------------------|
-# You shouldn't need to modify anything below here |
-# Main Script Starts |
-# ----------------------------------------------------------------------|
-
-# Let's load it!
-echo "Loading iptables firewall:"
-
-# Configuration Sanity Checks
-echo -n "Checking configuration..."
-
-# It's hard to run an iptables script without iptables...
-if ! [ -x $IPTABLES ] ; then
- echo
- echo "ERROR IN CONFIGURATION: ${IPTABLES} doesn't exist or isn't executable!"
- exit 4
-fi
-
-# Basic interface sanity
-for dev in ${LAN_IFACE} ; do
- if [ "$dev" = "${DMZ_IFACE}" ] && [ "$dev" != "" ]; then
- echo
- echo "ERROR IN CONFIGURATION: DMZ_IFACE and LAN_IFACE can't have a duplicate interface!"
- exit 1
- fi
-done
-
-# Create a test chain to work with for system ablilities testing
-${IPTABLES} -N SYSTEST
-if [ "$?" != "0" ] ; then
- echo
- echo "IPTABLES can't create new chains or the script was interrupted previously!"
- echo "Flush IPTABLES rulesets or delete chain SYSTEST and try again."
- exit 4
-fi
-
-# Check for ULOG support
-${IPTABLES} -A SYSTEST -j ULOG > /dev/null 2>&1
-if [ "$?" = "0" ] ; then
- HAVE_ULOG="true"
-else
- HAVE_ULOG="false"
-fi
-
-# Check for LOG support
-${IPTABLES} -A SYSTEST -j LOG > /dev/null 2>&1
-if [ "$?" != "0" ] ; then
- echo
- echo "Your kernel lacks LOG support reqiored by this script. Aborting."
- exit 3
-fi
-
-# Check for stateful matching
-${IPTABLES} -A SYSTEST -m state --state ESTABLISHED -j ACCEPT > /dev/null 2>&1
-if [ "$?" != "0" ] ; then
- echo
- echo "Your kernel lacks stateful matching, this would break this script. Aborting."
- exit 3
-fi
-
-# Check for the limit match
-${IPTABLES} -A SYSTEST -m limit -j ACCEPT > /dev/null 2>&1
-if [ "$?" != "0" ] ; then
- echo
- echo "Support not found for limiting needed by this script. Aborting."
- exit 3
-fi
-
-# Check for REJECT
-${IPTABLES} -A SYSTEST -j REJECT > /dev/null 2>&1
-if [ "$?" != "0" ] ; then
- echo
- echo "Support not found for the REJECT target needed by this script. Aborting."
- exit 3
-fi
-
-# Check DROP sanity
-if [ "$DROP" = "" ] ; then
- echo
- echo "There needs to be a DROP policy (try TREJECT)!"
- exit 1
-fi
-if [ "$DROP" = "ACCEPT" ] ; then
- echo
- echo "The DROP policy is set to ACCEPT; there is no point in loading the firewall as there wouldn't be one."
- exit 2
-fi
-if [ "$DROP" = "ULDROP" ] || [ "$DROP" = "ULREJECT" ] || [ "$DROP" = "ULTREJECT" ] ; then
- if [ "$HAVE_ULOG" != "true" ] ; then
- echo
- echo "You have selected a ULOG policy, but your system lacks ULOG support."
- echo "Please choose a policy that your system has support for."
- exit 5
- fi
-fi
-
-# Problems with blackholes?
-if [ "$BLACKHOLE" != "" ] && [ "$BLACKHOLE_DROP" = "" ] ; then
- echo
- echo "You can't use blackholes and not have a policy for them!"
- exit 1
-fi
-
-# Has it been configured?
-if ! [ "$ENABLE" = "Y" ] ; then
- echo
- echo "You need to *EDIT YOUR CONFIGURATION* and set ENABLE to Y!"
- exit 99
-fi
-
-# Flush and remove the chain SYSTEST
-${IPTABLES} -F SYSTEST
-${IPTABLES} -X SYSTEST
-
-# Seems ok...
-echo "passed"
-
-
-# ===============================================
-# ----------------Preprocessing------------------
-# ===============================================
-
-# Turn TCP_ALLOW and UDP_ALLOW into ALLOW_HOSTWISE
-echo -n "Performing TCP_ALLOW and UDP_ALLOW alias preprocessing..."
-if [ "$TCP_ALLOW" != "" ] ; then
- for rule in ${TCP_ALLOW} ; do
- ALLOW_HOSTWISE_TCP="${ALLOW_HOSTWISE_TCP} 0/0>$rule"
- done
-fi
-if [ "$UDP_ALLOW" != "" ] ; then
- for rule in ${UDP_ALLOW} ; do
- ALLOW_HOSTWISE_UDP="${ALLOW_HOSTWISE_UDP} 0/0>$rule"
- done
-fi
-echo "done"
-
-
-# ===============================================
-# -------Set some Kernel stuff via SysCTL--------
-# ===============================================
-
-# Turn on IP forwarding
-
-if [ "$INTERNAL_LAN" != "" ] ; then
- echo -n "Checking IP Forwarding..."
- if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
- echo 1 > /proc/sys/net/ipv4/ip_forward
- echo "enabled."
- else
- echo "support not found! This will cause problems if you need to do any routing."
- fi
-fi
-
-# Enable TCP Syncookies
-echo -n "Checking IP SynCookies..."
-if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
- if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/tcp_syncookies
- echo "enabled."
- else
- echo 0 > /proc/sys/net/ipv4/tcp_syncookies
- echo "disabled."
- fi
-else
- echo "support not found, but that's OK."
-fi
-
-# Enable Route Verification to prevent martians and other such crud that
-# seems to be commonplace on the internet today
-echo -n "Checking Route Verification..."
-if [ "$INET_IFACE" != "" ] ; then
- if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter ] ; then
- if [ "$RP_FILTER" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter
- echo -n "activated:${INET_IFACE} "
- else
- echo 0 > /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter
- echo -n "disabled:${INET_IFACE} "
- fi
- else
- echo "not found:${INET_IFACE} "
- fi
-fi
-
-if [ "$LAN_IFACE" != "" ] ; then
- for dev in ${LAN_IFACE} ; do
- if [ -e /proc/sys/net/ipv4/conf/$dev/rp_filter ] ; then
- if [ "$RP_FILTER" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- echo -n "activated:$dev "
- else
- echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- echo -n "disabled:$dev "
- fi
- else
- echo "not found:$dev "
- fi
- done
-fi
-
-if [ "$DMZ_IFACE" != "" ] ; then
- if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter ] ; then
- if [ "$RP_FILTER" = "TRUE" ] ; then
- echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
- echo -n "activated:${DMZ_IFACE} "
- else
- echo 0 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
- echo -n "disabled:${DMZ_IFACE} "
- fi
- else
- echo "not found:${DMZ_IFACE} "
- fi
-fi
-echo
-
-# Tell the Kernel to Ignore Source Routed Packets
-echo -n "Refusing SSR Packets via SysCtl..."
-if [ "$INET_IFACE" != "" ] ; then
- if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route ] ; then
- if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
- echo "1" > /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route
- echo -n "disabled:${INET_IFACE} "
- else
- echo "0" > /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route
- echo -n "activated:${INET_IFACE} "
- fi
- else
- echo "not found:${INET_IFACE} "
- fi
-fi
-
-if [ "$LAN_IFACE" != "" ] ; then
- for dev in ${LAN_IFACE} ; do
- if [ -e /proc/sys/net/ipv4/conf/$dev/accept_source_route ] ; then
- if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
- echo "1" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
- echo -n "disabled:$dev "
- else
- echo "0" > /proc/sys/net/ipv4/conf/$dev/accept_source_route
- echo -n "activated:$dev "
- fi
- else
- echo "not found:$dev "
- fi
- done
-fi
-
-if [ "$DMZ_IFACE" != "" ] ; then
- if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route ] ; then
- if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
- echo "1" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
- echo -n "disabled:${DMZ_IFACE} "
- else
- echo "0" > /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
- echo -n "activated:${DMZ_IFACE} "
- fi
- else
- echo "not found:${DMZ_IFACE} "
- fi
-fi
-echo
-
-# ===============================================
-# --------Actual NetFilter Stuff Follows---------
-# ===============================================
-
-# Flush everything
-# If you need compatability, you can comment some or all of these out,
-# but remember, if you re-run it, it'll just add the new rules in, it
-# won't remove the old ones for you then, this is how it removes them.
-echo -n "Flush: "
-${IPTABLES} -t filter -F INPUT
-echo -n "INPUT "
-${IPTABLES} -t filter -F OUTPUT
-echo -n "OUTPUT1 "
-${IPTABLES} -t filter -F FORWARD
-echo -n "FORWARD "
-${IPTABLES} -t nat -F PREROUTING
-echo -n "PREROUTING1 "
-${IPTABLES} -t nat -F OUTPUT
-echo -n "OUTPUT2 "
-${IPTABLES} -t nat -F POSTROUTING
-echo -n "POSTROUTING "
-${IPTABLES} -t mangle -F PREROUTING
-echo -n "PREROUTING2 "
-${IPTABLES} -t mangle -F OUTPUT
-echo -n "OUTPUT3"
-echo
-
-# Create new chains
-# Output to /dev/null in case they don't exist from a previous invocation
-echo -n "Creating chains: "
-for chain in ${FILTER_CHAINS} ; do
- ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -N ${chain}
- echo -n "${chain} "
-done
-if [ ${HAVE_ULOG} = "true" ] ; then
- for chain in ${UL_FILTER_CHAINS} ; do
- ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
- ${IPTABLES} -t filter -N ${chain}
- echo -n "${chain} "
- done
-fi
-echo
-
-# Default Policies
-# INPUT policy is drop as of 2.3.7-pre5
-# Policy can't be reject because of kernel limitations
-echo -n "Default Policies: "
-${IPTABLES} -t filter -P INPUT DROP
-echo -n "INPUT:DROP "
-${IPTABLES} -t filter -P OUTPUT ACCEPT
-echo -n "OUTPUT:ACCEPT "
-${IPTABLES} -t filter -P FORWARD DROP
-echo -n "FORWARD:DROP "
-echo
-
-# ===============================================
-# -------Chain setup before jumping to them------
-# ===============================================
-
-#These logging chains are valid to specify in DROP= above
-#Set up LDROP
-echo -n "Setting up drop chains chains: "
-${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Dropped "
-${IPTABLES} -t filter -A LDROP -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Dropped "
-${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Dropped "
-${IPTABLES} -t filter -A LDROP -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Dropped "
-${IPTABLES} -t filter -A LDROP -j DROP
-echo -n "LDROP "
-
-#And LREJECT too
-${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected "
-${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected "
-${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected "
-${IPTABLES} -t filter -A LREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected "
-${IPTABLES} -t filter -A LREJECT -j REJECT
-echo -n "LREJECT "
-
-#Don't forget TREJECT
-${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
-${IPTABLES} -t filter -A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-${IPTABLES} -t filter -A TREJECT -p icmp -j DROP
-${IPTABLES} -t filter -A TREJECT -j REJECT
-echo -n "TREJECT "
-
-#And LTREJECT
-${IPTABLES} -t filter -A LTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected "
-${IPTABLES} -t filter -A LTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected "
-${IPTABLES} -t filter -A LTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected "
-${IPTABLES} -t filter -A LTREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected "
-${IPTABLES} -t filter -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
-${IPTABLES} -t filter -A LTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-${IPTABLES} -t filter -A LTREJECT -p icmp -j DROP
-${IPTABLES} -t filter -A LTREJECT -j REJECT
-echo -n "LTREJECT "
-
-#And ULOG stuff, same as above but ULOG instead of LOG
-if [ ${HAVE_ULOG} = "true" ] ; then
- ${IPTABLES} -t filter -A ULDROP -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_TCP
- ${IPTABLES} -t filter -A ULDROP -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_UDP
- ${IPTABLES} -t filter -A ULDROP -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_ICMP
- ${IPTABLES} -t filter -A ULDROP -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_FRAG
- ${IPTABLES} -t filter -A ULDROP -j DROP
- echo -n "ULDROP "
-
- ${IPTABLES} -t filter -A ULREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_TCP
- ${IPTABLES} -t filter -A ULREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP
- ${IPTABLES} -t filter -A ULREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP
- ${IPTABLES} -t filter -A ULREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_FRAG
- ${IPTABLES} -t filter -A ULREJECT -j REJECT
- echo -n "LREJECT "
-
- ${IPTABLES} -t filter -A ULTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_TCP
- ${IPTABLES} -t filter -A ULTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_UDP
- ${IPTABLES} -t filter -A ULTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_ICMP
- ${IPTABLES} -t filter -A ULTREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_FRAG
- ${IPTABLES} -t filter -A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
- ${IPTABLES} -t filter -A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
- ${IPTABLES} -t filter -A ULTREJECT -p icmp -j DROP
- ${IPTABLES} -t filter -A ULTREJECT -j REJECT
- echo -n "ULTREJECT "
-fi
-#newline
-echo
-
-
-# Set up the per-proto ACCEPT chains
-echo -n "Setting up per-proto ACCEPT: "
-
-# TCPACCEPT
-# SYN Flood "Protection"
-${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${SYN_FLOOD} -j ACCEPT
-${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Possible SynFlood "
-${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ${DROP}
-${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
-# Log anything that hasn't matched yet and ${DROP} it since it isn't TCP and shouldn't be here
-${IPTABLES} -t filter -A TCPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch in TCPACCEPT "
-${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
-echo -n "TCPACCEPT "
-
-#UDPACCEPT
-${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
-# Log anything not UDP and ${DROP} it since it's not supposed to be here
-${IPTABLES} -t filter -A UDPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch on UDPACCEPT "
-${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
-echo -n "UDPACCEPT "
-
-#Done
-echo
-
-# =================================================
-# -------------------Exemptions--------------------
-# =================================================
-if [ "$SUPER_EXEMPT" != "" ] ; then
- echo -n "Super Exemptions: "
- for host in ${SUPER_EXEMPT} ; do
- ${IPTABLES} -t filter -A INPUT -s ${host} -j ACCEPT
- ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ACCEPT
- ${IPTABLES} -t filter -A FORWARD -s ${host} -j ACCEPT
- ${IPTABLES} -t filter -A FORWARD -d ${host} -j ACCEPT
- echo -n "${host} "
- done
- echo
-fi
-
-
-# =================================================
-# ----------------Explicit Denies------------------
-# =================================================
-
-#Blackholes will not be overridden by hostwise allows
-if [ "$BLACKHOLE" != "" ] ; then
- echo -n "Blackholes: "
- for host in ${BLACKHOLE} ; do
- ${IPTABLES} -t filter -A INPUT -s ${host} -j ${BLACKHOLE_DROP}
- ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ${BLACKHOLE_DROP}
- ${IPTABLES} -t filter -A FORWARD -s ${host} -j ${BLACKHOLE_DROP}
- ${IPTABLES} -t filter -A FORWARD -d ${host} -j ${BLACKHOLE_DROP}
- echo -n "${host} "
- done
- echo
-fi
-
-if [ "$DENY_ALL" != "" ] ; then
- echo -n "Denying hosts: "
- for rule in ${DENY_ALL} ; do
- echo "$rule" | {
- IFS='<' read shost dhost
- if [ "$dhost" == "" ] ; then
- ${IPTABLES} -t filter -A INPUT -s ${shost} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -s ${shost} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -s ${shost} -d ${dhost} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -s ${shost} -d ${dhost} -j ${DROP}
- fi
- }
- echo -n "${rule} "
- done
- echo
-fi
-
-
-
-if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
- echo -n "Hostwise TCP Denies: "
- for rule in ${DENY_HOSTWISE_TCP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} --dport ${port} -j ${DROP}
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
-fi
-
-if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
- echo -n "Hostwise UDP Denies: "
- for rule in ${DENY_HOSTWISE_UDP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} --dport ${port} -j ${DROP}
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
- else
- ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
-fi
-
-
-
-#Invalid packets are always annoying
-echo -n "${DROP}ing invalid packets..."
-${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
-echo "done"
-
-
-# ------------------------------------------------------------------------
-
-# Internet jumps to INET chains and DMZ
-# Set up INET chains
-echo -n "Setting up INET chains: "
-${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
-for dev in ${LAN_IFACE} ; do
- ${IPTABLES} -t filter -A FORWARD -i ${INET_IFACE} -o $dev -j INETIN
-done
-echo -n "INETIN "
-
-${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
-for dev in ${LAN_IFACE} ; do
- ${IPTABLES} -t filter -A FORWARD -o ${INET_IFACE} -i $dev -j INETOUT
-done
-echo -n "INETOUT "
-echo
-
-if [ "$BRAINDEAD_ISP" = "TRUE" ] ; then
- ${IPTABLES} -t filter -A INETOUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-fi
-
-# For now we'll subject the DMZ to the same rules as the internet when going onto the trusted LAN
-# And we'll let it go anywhere on the internet
-if [ "$DMZ_IFACE" != "" ] ; then
- echo -n "Setting up DMZ Chains: "
- ${IPTABLES} -A OUTPUT -o ${DMZ_IFACE} -j DMZOUT
- ${IPTABLES} -A FORWARD -i ${LAN_IFACE} -o ${DMZ_IFACE} -j DMZOUT
- ${IPTABLES} -A FORWARD -i ${INET_IFACE} -o ${DMZ_IFACE} -j ACCEPT
-
- echo -n "DMZOUT "
- echo -n "DMZ for Internet Forwarding to INETOUT..."
- ${IPTABLES} -A DMZOUT -j INETOUT
-
- ${IPTABLES} -A INPUT -i ${DMZ_IFACE} -j DMZIN
-
- echo -n "DMZIN "
- echo
- echo -n "DMZ for LAN and localhost Forwarding to INETIN..."
- ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${LAN_IFACE} -j DMZOUT
- ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${INET_IFACE} -j ACCEPT
- ${IPTABLES} -A DMZOUT -o ${LAN_IFACE} -j INETIN
- echo "done"
- echo -n "done"
-fi
-
-# ------------------------------------------------------------------------
-
-
-# Local traffic to internet or crossing subnets
-# This should cover what we need if we don't use masquerading
-# Unfortunately, MAC address matching isn't bidirectional (for
-# obvious reasons), so IP based matching is done here
-echo -n "Local Traffic Rules: "
-if [ "$INTERNAL_LAN" != "" ] ; then
- for subnet in ${INTERNAL_LAN} ; do
- ${IPTABLES} -t filter -A INPUT -s ${subnet} -j ACCEPT
- ${IPTABLES} -t filter -A FORWARD -s ${subnet} -o ! ${INET_IFACE} -i ! ${INET_IFACE} -j ACCEPT
- echo -n "${subnet}:ACCEPT "
- done
-fi
-
-# 127.0.0.0/8 used to need an entry in INTERNAL_LAN, but routing of that isn't needed
-# so an allow is placed on INPUT so that the computer can talk to itself :)
-${IPTABLES} -t filter -A INPUT -i ${LOOP_IFACE} -j ACCEPT
-echo -n "loopback:ACCEPT "
-
-# DHCP server magic
-# Allow broadcasts from LAN to UDP port 67 (DHCP server)
-if [ "$DHCP_SERVER" = "TRUE" ] ; then
- for dev in ${LAN_IFACE} ; do
- ${IPTABLES} -t filter -A INPUT -i $dev -p udp --dport 67 -j ACCEPT
- done
- echo -n "dhcp:ACCEPT"
-fi
-echo #newline from local traffic rules
-
-
-
-if [ "$PROXY" != "" ] ; then
- echo -n "Setting up Transparent Proxy to ${PROXY}: "
- for subnet in ${INTERNAL_LAN} ; do
- echo "$PROXY" | {
- IFS=':' read host port
- if [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ] ; then
- ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j REDIRECT --to-port ${port}
- echo -n "${subnet}:PROXY "
- else
- ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j DNAT --to ${host}:${port}
- echo -n "${subnet}:PROXY "
- fi
- }
- done
- echo
-fi
-
-if [ "$ALLOW_OUT_TCP" != "" ] ; then
- echo -n "Internet censorship TCP allows: "
- for rule in ${ALLOW_OUT_TCP} ; do
- echo "$rule" | {
- IFS=':' read intip destip dport
- ${IPTABLES} -t filter -A FORWARD -s ${intip} -d ${destip} -p tcp --dport ${dport} -o ${INET_IFACE} -j ACCEPT
- echo -n "${intip}:${destip} "
- }
- done
- echo
-fi
-
-# Set up basic NAT if the user wants it
-if [ "$MASQ_LAN" != "" ] ; then
- echo -n "Setting up masquerading: "
- if [ "$MAC_MASQ" = "" ] ; then
- for subnet in ${MASQ_LAN} ; do
- ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
- echo -n "${subnet}:MASQUERADE "
- done
- else
- for address in ${MAC_MASQ} ; do
- ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
- echo -n "${address}:MASQUERADE "
- done
- fi
- echo
-fi
-if [ "$SNAT_LAN" != "" ] ; then #Static NAT used
- echo -n "Setting up static NAT: "
- if [ "$MAC_SNAT" = "" ] ; then
- for rule in ${SNAT_LAN} ; do
- echo "$rule" | {
- IFS=':' read host destip
- ${IPTABLES} -t nat -A POSTROUTING -s ${host} -o ${INET_IFACE} -j SNAT --to-source ${destip}
- echo -n "${host}:SNAT "
- }
- done
- else
- for rule in ${MAC_SNAT} ; do
- echo "$rule" | {
- IFS=':' read address destip
- ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${destip}
- echo -n "${address}:SNAT "
- }
- done
- fi
- echo
-fi
-
-#TCP Port-Forwards
-if [ "$TCP_FW" != "" ] ; then
- echo -n "TCP Port Forwards: "
- for rule in ${TCP_FW} ; do
- echo "$rule" | {
- IFS=':><' read srcport destport host shost
- echo "$srcport" | {
- IFS='-' read fsp lsp
- if [ "$shost" = "" ] ; then
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- else
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -p tcp -d ${shost} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -p tcp -d ${shost} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
-fi
-
-#UDP Port Forwards
-if [ "$UDP_FW" != "" ] ; then
- echo -n "UDP Port Forwards: "
- for rule in ${UDP_FW} ; do
- echo "$rule" | {
- IFS=':><' read srcport destport host shost
- echo "$srcport" | {
- IFS='-' read fsp lsp
- if [ "$shost" = "" ] ; then
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- else
- if [ "$lsp" != "" ] ; then
- echo "$destport" | {
- IFS='-' read fdp ldp
- ${IPTABLES} -t nat -A PREROUTING -p udp -d ${shost} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
- }
- else
- ${IPTABLES} -t nat -A PREROUTING -p udp -d ${shost} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
-fi
-
-
-
-# =================================================
-# -------------------ICMP rules--------------------
-# =================================================
-
-if [ "$BAD_ICMP" != "" ] ; then
- echo -n "${DROP}ing ICMP messages specified in BAD_ICMP..."
- for message in ${BAD_ICMP} ; do
- ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ${message} -j ${DROP}
- echo -n "${message} "
- done
- echo
-fi
-
-# Flood "security"
-# You'll still respond to these if they comply with the limits (set in config)
-# There is a more elegant way to set this using sysctl, however this has the
-# advantage that the kernel ICMP stack never has to process it, lessening
-# the chance of a very serious flood overloading your kernel.
-# This is just a packet limit, you still get the packets on the interface and
-# still may experience lag if the flood is heavy enough
-echo -n "Flood limiting: "
-# Ping Floods (ICMP echo-request)
-${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit ${PING_FLOOD} -j ACCEPT
-${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -j ${DROP}
-echo -n "ICMP-PING "
-echo
-
-echo -n "Allowing the rest of the ICMP messages in..."
-${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
-echo "done"
-
-
-
-# ================================================================
-# ------------Allow stuff we have chosen to allow in--------------
-# ================================================================
-
-
-# Hostwise allows
-if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
- echo -n "Hostwise TCP Allows: "
- for rule in ${ALLOW_HOSTWISE_TCP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} --dport ${fsp}:${lsp} -j TCPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} --dport ${port} -j TCPACCEPT
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j TCPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} -d ${dhost} --dport ${port} -j TCPACCEPT
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
-fi
-
-if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
- echo -n "Hostwise UDP Allows: "
- for rule in ${ALLOW_HOSTWISE_UDP} ; do
- echo "$rule" | {
- IFS='><' read shost port dhost
- echo "$port" | {
- IFS='-' read fsp lsp
- if [ "$dhost" == "" ] ; then
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} --dport ${fsp}:${lsp} -j UDPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} --dport ${port} -j UDPACCEPT
- fi
- else
- if [ "$lsp" != "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j UDPACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} -d ${dhost} --dport ${port} -j UDPACCEPT
- fi
- fi
- echo -n "${rule} "
- }
- }
- done
- echo
-fi
-
-if [ "$ALLOW_HOSTWISE_PROTO" != "" ] ; then
- echo -n "Hostwise IP Protocol Allows: "
- for rule in ${ALLOW_HOSTWISE_PROTO} ; do
- echo "$rule" | {
- IFS='><' read shost proto dhost
- if [ "$dhost" == "" ] ; then
- ${IPTABLES} -t filter -A INETIN -p ${proto} -s ${shost} -j ACCEPT
- else
- ${IPTABLES} -t filter -A INETIN -p ${proto} -s ${shost} -d ${dhost} -j ACCEPT
- fi
- echo -n "${rule} "
- }
- done
- echo
-fi
-
-echo -n "Allowing established outbound connections back in..."
-${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
-echo "done"
-
-# RELATED on high ports only for security
-echo -n "Allowing related inbound connections..."
-${IPTABLES} -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-${IPTABLES} -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-echo "done"
-
-
-# =================================================
-# ----------------Packet Mangling------------------
-# =================================================
-
-
-# TTL mangling
-# This is probably just for the paranoid, but hey, isn't that what
-# all security guys are? :)
-if [ "$TTL_SAFE" != "" ] ; then
- ${IPTABLES} -t mangle -A PREROUTING -i ${INET_IFACE} -j TTL --ttl-set ${TTL_SAFE}
-fi
-
-# Type of Service mangle optimizations (the ACTIVE FTP one will only work for uploads)
-# Most routers tend to ignore these, it's probably better to use
-# QoS. A packet scheduler like HTB is much more efficient
-# at assuring bandwidth availability at the local end than
-# ToS is.
-if [ "$MANGLE_TOS_OPTIMIZE" = "TRUE" ] ; then
- echo -n "Optimizing traffic: "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
- echo -n "telnet "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
- echo -n "ssh "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
- echo -n "ftp-data "
- ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
- echo -n "ftp-control "
- ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
- echo -n "diablo2 "
- echo
-fi
-
-# What to do on those INET chains when we hit the end
-echo -n "Setting up INET policies: "
-# Drop if we cant find a valid inbound rule.
-${IPTABLES} -t filter -A INETIN -j ${DROP}
-echo -n "INETIN:${DROP} "
-# We can send what we want to the internet
-${IPTABLES} -t filter -A INETOUT -j ACCEPT
-echo -n "INETOUT:ACCEPT "
-echo
-
-# All done!
-echo "Done loading the firewall!"
diff --git a/net-misc/monmotha/monmotha-2.3.8_pre7.ebuild b/net-misc/monmotha/monmotha-2.3.8.ebuild
index 8f7bfb7ef165..5879f20dab0d 100644
--- a/net-misc/monmotha/monmotha-2.3.8_pre7.ebuild
+++ b/net-misc/monmotha/monmotha-2.3.8.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2004 Gentoo Foundation
+# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/monmotha/monmotha-2.3.8_pre7.ebuild,v 1.8 2004/11/23 21:07:58 sekretarz Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/monmotha/monmotha-2.3.8.ebuild,v 1.1 2005/02/10 13:10:21 dragonheart Exp $
DESCRIPTION="MonMotha IPTables-based firewall script."
HOMEPAGE="http://monmotha.mplug.org/firewall/"
@@ -11,11 +11,21 @@ IUSE=""
SLOT="0"
RDEPEND=">=net-firewall/iptables-1.2.5"
+MY_PVP=(${PV//[-\._]/ })
+
+S=${WORKDIR}
+
+SRC_URI="http://monmotha.mplug.org/~monmotha/firewall/firewall/${MY_PVP[0]}.${MY_PVP[1]}/rc.firewall-${PV}"
+
+src_unpack() {
+ cp ${DISTDIR}/${A} ${S}/
+}
+
src_install() {
exeinto /etc/init.d
newexe "${FILESDIR}/monmotha.rc6" monmotha
exeinto /etc/monmotha
- newexe "${FILESDIR}/rc.firewall-${PV/_pre/-pre}" monmotha
+ newexe "${S}/rc.firewall-${PV}" monmotha
}
pkg_postinst () {