Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / etc / firehol / examples / lan-gateway.conf < prev next >

Wrap

Text File | 2005-10-18 | 5.0 KB | 188 lines

# # $Id: lan-gateway.conf,v 1.1 2003/10/12 13:43:42 ktsaou Exp $ # # Configuration file for a LAN router with one ethernet interface (eth0) # for the LAN and a PPP interface for connecting to the Internet. # # The LAN works with private IP addresses. # # This script will also setup a transparent cache for all the PCs on the # local LAN. # ---------------------------------------------------------------------------- # CUSTOM SERVICES # ---------------------------------------------------------------------------- # See the section "Adding Services" in the documentation # Example service x, listening on port TCP/z # > server_x_ports="tcp/z" # > client_x_ports="default" # ---------------------------------------------------------------------------- # NETWORK DEFINITIONS - Normally, only these are to be touched by you. # ---------------------------------------------------------------------------- # You can define anything you like, assuming you are using it later. # --- HOME --- # The definition of our HOME LAN. HOME_MYIP="10.0.0.1" # The IP on our HOME LAN HOME_MYIF="eth0" # The HOME LAN interface HOME_BCAST="10.0.255.255" # The HOME LAN broadcast HOME_LAN="10.0.0.0/16" # The HOME LAN HOME_SERVICES="all" # Do we run a DHCP server on the HOME LAN? HOME_DHCP=1 # Set to 0 to disable # --- PUBLIC --- # The definition of our PUBLIC interface. PUBLIC_MYIP="" # Leave empty for dynamic IP PUBLIC_MYIF="ppp+" # The public interface PUBLIC_SERVICES="smtp http" # Is the PPP interface a DIAL-ON-DEMAND? DIAL_ON_DEMAND=1 # Set to 0 to disable # --- TRUSTED --- # Hosts in the internet I trust for accessing private services # Empty these to disable. TRUSTED_IPS="my-office-pc.example.com" TRUSTED_SERVICES="ssh http" # --- TRANSPARENT CACHE --- # Run a transparent cache? SQUID_PORT="3128" # Leave empty to disable SQUID SQUID_USERS="squid" # Users to be excluded from the cache SQUID_EXCLUDE="" # Web Server IPs to be excluded from the cache # --- BLACKLIST --- # A space-separated list of IPs to be blocked. blacklist="" # ---------------------------------------------------------------------------- # HELPERS # ---------------------------------------------------------------------------- # Block all traffic from/to certain IPs if [ ! -z "${blacklist}" ] then blacklist full "${blacklist}" fi # Setup a transparent squid, only if SQUID_PORT is set. if [ ! -z "${SQUID_PORT}" ] then transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \ inface "${HOME_MYIF}" src "${HOME_LAN}" \ `test ! -z "${SQUID_EXCLUDE}" && echo "dst not '${SQUID_EXCLUDE}'"` fi # ---------------------------------------------------------------------------- # NETWORK ADDRESS TRANSLATION # ---------------------------------------------------------------------------- # Change the source/destination of packets... # Should we do SNAT or MASQUERADE? # If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ. # if [ ! -z "${PUBLIC_MYIP}" ] then snat to "${PUBLIC_MYIP}" \ outface "${PUBLIC_MYIF}" \ src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}" else masquerade "${PUBLIC_MYIF}" fi # To have some public service hit an internal machine, do this: # (the example redirects external port TCP/26 to internal IP 10.0.0.2 port 25) # # > dnat to 10.0.0.2:25 \ # > inface "${PUBLIC_MYIF}" \ # > src not "${HOME_LAN} ${UNROUTABLE_IPS}" \ # > proto tcp dport 26 # # For each such statement, the router at the end has to support it. # ---------------------------------------------------------------------------- # PROTECT SELF # ---------------------------------------------------------------------------- # Protect the firewall host... # --- HOME --- # Protect us from the HOME LAN interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}" policy reject server "${HOME_SERVICES}" accept client all accept # DHCP needs 0.0.0.0/255.255.255.255 access. if [ ${HOME_DHCP} -eq 1 ] then interface "${HOME_MYIF}" dhcp server dhcp accept fi # --- PUBLIC --- # Protect us from the PUBLIC interface "${PUBLIC_MYIF}" internet \ src not "${UNROUTABLE_IPS}" \ `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"` protection strong policy drop # Are there any trusted PCs/services? if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ] then server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}" fi server "${PUBLIC_SERVICES}" accept client all accept # DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined. if [ ${DIAL_ON_DEMAND} -eq 1 ] then interface "${PUBLIC_MYIF}" dialup client all accept fi # ---------------------------------------------------------------------------- # PROTECT ROUTING # ---------------------------------------------------------------------------- # Protect the LAN... # Route traffic for the clients on the LAN router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \ src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}" # route all client traffic client all accept # For the dnat example above, this is needed: # > server smtp accept dst 10.0.0.2