Firewall+Masquerading+Diald+Dynamic IP-HOWTO: The Shell Scripts

3. The Shell Scripts

You should consider the rc.firewall script still as experimental!

3.1 Required Networking Information

For the rc.firewall* scripts to work correctly you need some information about your network configuration and some from your ISP. These are:

The internal network address(es) and the subnet mask (normally any of the private IP address ranges like 192.168.1.0 with subnet mask 255.255.255.0, or more shortly 192.168.1.0/24)
The interfaces to be used for routing between your local network(s) and the internet respectively your ISP (normally these would be eth0 and ppp0 for dial up connection).
The IP addresses of the nameservers of your ISP (may be more than one)

3.2 /etc/rc.d/rc.firewall and /etc/rc.d/rc.firewall.ipchains

/etc/rc.d/rc.firewall is the main script for ipfwadm while /etc/rc.d/rc.firewall.ipchains is the main script for ipchians. Both handle all the firewall rules. There is no need to change anything in there except if you want to add some ip_masq modules which can be found in /lib/modules/2.0.36/ipv4 where 2.0.36 should be replaced with your kernel version number. In this case you can add a line at the beginning of the script.

If you make any changes except those mentioned above they are not supported by me! If you like your changes to become globally available please send them to me and I will publish them if applicable.

The script tries to be very restrictiv to give you the most secure environment it can but is very simple to configure via only one configuration file called /etc/rc.d/rc.firewall.var or /etc/rc.d/rc.firewall.var respectively. But if you allow everything this is not my fault!

Remember to exactly know what to allow and what impact this could have for your environment! There´s no need to allow services which are not used.

The parameters the script expects are:

$1 The name of the interface which is used for connecting the firewall box to the internet independent of how the connection is done, either via dial-up or via a leased line or even via a LAN, e.g. ethernet or token ring.
$2 The IP address or range of the internal used addresses in the form a.b.c.d/nn where a.b.c.d is the IP or the network address and nn is the representation of the subnetmask, e.g nn = 24 for the subnetmask 255.255.255.0. A single IP address is only useful when you have a leased line, or when using diald with the addroute option in /etc/diald.conf. In all other cases a IP range will be the convenient way. Under normal circumstances you won't have to deal with this because the scripts take care for you.

The script is divided into four sections:

Modules and Default Behaviour In this section you can add some ip_masq modules as stated above. Again: This is the only thing to change or add in this script!!!
Output Rules This section defines the rules for traffic from the internal network to the internet.
Input Rules Here the rules for incoming traffic are defined.
Masquerading Rules This section is the easiest one because everything will be masqueraded with no restriction. This can be done because the other rules defined before will do restriction before and after masquerading takes place.

Everything not explicitly allowed before will be denied and logged to syslog.

3.3 /etc/rc.firewall.diald.add and /etc/rc.firewall.ipchains.diald.add

This script is quite simple, it only contains one line:

#!/bin/sh
. /etc/rc.d/rc.firewall "$1" "$3"

or for the ipchains version

#!/bin/sh
. /etc/rc.d/rc.firewall.ipchains "$1" "$3"

It is used by diald, when the connection is up and running, via the addroute /etc/rc.d/rc.firewall.diald.add or addroute /etc/rc.d/rc.firewall.ipchains.diald.add entry in /etc/diald.conf. Diald passes some information to the given script of which only the first and the third parameter is used in rc.firewall or rc.firewall.ipchains. But because rc.firewall and rc.firewall.ipchains only expect two parameters this roundabout way is necessary.

The parameters used are:

Name of the new interface (normally ppp0 for modem connections or ippp0 for ISDN)
The (dynamically) assigned IP address for the interface gotten from the ISP

3.4 /etc/rc.firewall.diald.del and /etc/rc.firewall.ipchains.diald.del

This script again is a very simple one line script:

#!/bin/sh
. /etc/rc.d/rc.firewall sl0 "192.168.0.0/16"

or for the ipchains version

#!/bin/sh
. /etc/rc.d/rc.firewall.ipchains sl0 "192.168.0.0/16"

This one is used when diald has closed the connection when no packets are received anymore going to the internet via the delroute /etc/rc.d/rc.firewall.diald.add or delroute /etc/rc.d/rc.firewall.ipchains.diald.add entry in /etc/diald.conf. In this case we can´t use the parameters diald passes to the script because they are too restrictiv only allowing the linux box new connections to be made. Hence we must put in "better" ones. In this example we pass sl0 as the snoop device for diald because only packets going through diald´s snoop device may be checked in the firewall. Normally there's no need to touch this parameter except if you changed the snoop device to some other value or if you don't have a dial-up connection but a leased line connected to one "hardcoded" interface.

The second parameter is the IP range of the internal used IP addresses where 192.168.0.0/16 means every address beginning with 192.168. The 16 is the short form of the subnet mask and is equivalent to 255.255.0.0. This parameter has to reflect your network IP ranges.

3.5 /etc/rc.d/rc.firewall.var and /etc/rc.d/rc.firewall.var.ipchains

This script holds the variables used by the rc.firewall* scripts. For more information on setting the variables see Configuring /etc/rc.d/rc.firewall.var. These variable files are the same for the ipfwadm and the ipchains version now but may become different in a future version of the ipchains script therefore both files are included.

3.6 /usr/local/bin/fwlist and /usr/local/bin/fwlist.ipchains

With /usr/local/bin/fwlist or /usr/local/bin/fwlist.ipchains you can get a list of your firewall rules. The syntax is:

fwlist [-I] [-O] [-M] [>file] fwlist.ipchains [-I] [-O] [-M] [>file]

With no options all rules will be shown, with the options -I, -O or -M you can restrict the output to the input, output or masquerading rules respectively, or any combination of them.

The output of the script will be sent to the standard output /dev/stdout which can be redirected to a file.

3.7 /usr/local/bin/countRules.pl

This perl script shows the numbering scheme used in debug mode of diald because diald counts the rules and tells syslog only the number. With the script you can get a list of the rules numbered like diald does in the syslog. This perl script should also be bundled with this HOWTO. If not have a look at the main site for this HOWTO.

Don't forget to replace @filter_files = ("/etc/diald/phone.filter"); at the beginning of the script with the right path and ruleset file you use.

Thanks to the diald mailinglist for the script!

Next Previous Contents