#!/bin/sh # # rc.firewall-ipfwadm # # A Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM # FWVER="2.03" # # 2.03 - Added comments on why the default policy is ACCEPT # 2.02 - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface # # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # echo -e "\n\nLoading simple rc.firewall-ipfwadm version $FWVER..\n" #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the NATing will occur and the internal network # should preferably be addressed with a RFC1918 private addressing # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # If you are a PPPoE or analog modem user: # # EXTIF="ppp0" # # ** Please change this to reflect your specific configuration ** # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" # Network Address of the Internal Network # # This example rc.firewall-ipfwadm file uses the 192.168.0.0 network # with a /24 or 255.255.255.0 netmask. # # ** Change this variable to reflect your specific setup ** # INTLAN="192.168.0.0/24" echo -e " Internal Interface: $INTLAN\n" # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current available IP # MASQ modules are shown below but are commented out from loading. echo -en "Loading modules: " # Needed to initially load modules # /sbin/depmod -a # Supports the proper masquerading of FTP file transfers using the PORT method # echo -en "FTP, " /sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality # #echo -en "RealAudio, " #/sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #echo -en "Irc, " #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. These modules # are for multiple users behind the Linux MASQ server. If you are going to # play Quake I, II, and III, use the second example. # # NOTE: If you get ERRORs loading the QUAKE module, you are running an old # ----- kernel that has bugs in it. Please upgrade to the newest kernel. # #echo -en "Quake, " #Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 # Supports the masquerading of the CuSeeme video conferencing software # #echo -en "CuSeeme, " #/sbin/modprobe ip_masq_cuseeme #Supports the masquerading of the VDO-live video conferencing software # #echo -en "VdoLive, " #/sbin/modprobe ip_masq_vdolive echo ". Done loading modules." #CRITICAL: Enable IP forwarding since it is disabled by default # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward #CRITICAL: Enable automatic IP defragmenting since it is disabled by default # # This used to be a compile-time option but the behavior was changed # in 2.2.12. This option is required for both 2.0 and 2.2 kernels. # echo " enabling AlwaysDefrag.." echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Dynamic IP users: # # If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, # enable the following option. This enables dynamic-ip address hacking in # IP MASQ, making the life with DialD, PPPd, and similar programs much easier. # #echo " enabling DynamicAddr.." #echo "1" > /proc/sys/net/ipv4/ip_dynaddr #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is REJECT # # Isn't ACCEPT insecure? To some degree, YES, but this is our testing # phase. Once we know that IPMASQ is working well, I recommend you run # the rc.firewall-*-stronger rulesets which set the defaults to DROP but # also include the critical additional rulesets to still let you connect to # the IPMASQ server, etc. # echo " clearing any existing rules and setting default policy.." /sbin/ipfwadm -I -p accept /sbin/ipfwadm -O -p accept /sbin/ipfwadm -F -p reject /sbin/ipfwadm -I -f /sbin/ipfwadm -O -f /sbin/ipfwadm -F -f # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) # echo " setting default timers.." /sbin/ipfwadm -M -s 7200 10 160 # DHCP: For people who receive their external IP address from either DHCP or # BOOTP such as DSL or Cablemodem users, it is necessary to use the # following before the deny command. # # This example is currently commented out. # # #/sbin/ipfwadm -I -a accept -S 0/0 67 -D 0/0 68 -W $EXTIF -P udp # Enable simple IP forwarding and Masquerading # # NOTE: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on interface eth0. # # ** Please change this network number, subnet mask, and your Internet # ** connection interface name to match your internal LAN setup. # echo " enabling IPMASQ functionality on $EXTIF" /sbin/ipfwadm -F -p deny /sbin/ipfwadm -F -a m -W $EXTIF -S $INTLAN -D 0.0.0.0/0 echo -e "\nDone.\n"