Setup: e-smith 4.1.2. I need to publish an internal web server (IP 192.168.0.22) on the Internet, allowing access to port 80 only. Please help me change my masq file. (Reviewer notes: the header of the file below says it is regenerated from the template under /etc/e-smith/templates, so changes belong in the template, not in this file. Also, an ipchains ACCEPT rule by itself only filters; it cannot redirect traffic arriving on the external address to 192.168.0.22 — on the 2.2 kernels ipchains runs on that is the kernel's port-forwarding facility (ipmasqadm portfw), after which the firewall only needs to accept TCP/80 to the external address, which the `-d $OUTERNET 80 -j ACCEPT` rule in this file already does.)
#!/bin/sh
#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999, 2000 e-smith, inc.
#------------------------------------------------------------
# chkconfig: 345 82 35
# description: Configures IP masquerading.
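case "$1" in
start)
    echo -n "Enabling IP masquerading: "

    # Start from a clean slate: drop every rule and every user-defined chain.
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains --flush forward
    /sbin/ipchains --flush input
    /sbin/ipchains --flush output

    # Fail closed while the rule set is being built.  On the first start
    # after boot the input chain still carries the kernel default policy
    # (ACCEPT) until the policy is set at the end of this branch; setting
    # the policies here means an interrupted or partial build leaves the
    # box closed rather than open.  The LAN is cut off only for the instant
    # until its ACCEPT rule below is added - a restart already behaves that
    # way, because stop) sets DENY before flushing.
    /sbin/ipchains --policy input DENY
    /sbin/ipchains --policy forward DENY

    # Masquerading helpers for protocols that carry addresses or ports in
    # their payload and need the kernel to rewrite them / expect the extra
    # connections they open.
    /sbin/modprobe ip_masq_cuseeme
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_h323
    /sbin/modprobe ip_masq_icq
    /sbin/modprobe ip_masq_ipsec
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_pptp
    /sbin/modprobe ip_masq_quake
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_vdolive

    # LAN-side and Internet-side interfaces.  INTERNALIF binds the
    # "trust the LAN" input rule below to the LAN interface so that packets
    # with a LAN source address arriving from outside do not match it.
    INTERNALIF=eth0
    OUTERIF=eth1

    # External address, read from the e-smith configuration db.  Every
    # ACCEPT rule for a service reachable from the Internet is bound to it.
    # If it is empty (e.g. a dynamic link that is not up yet) those rules
    # are skipped instead of being emitted with a missing argument, so the
    # box stays closed to the outside; the DENY rules below do not depend
    # on it and are always installed.
    OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
    if [ -z "$OUTERNET" ]; then
        echo "masq: ExternalIP is not set in the configuration db; rules for externally reachable services were skipped" >&2
    fi

    # User chains: denylog is the single drop point (logging is hooked in
    # there when enabled); icmpIn/icmpOut whitelist ICMP types.  ICMP is
    # diverted to them before any other input/output rule, loopback included.
    /sbin/ipchains --new-chain denylog
    /sbin/ipchains --new-chain icmpIn
    /sbin/ipchains --append input --protocol icmp --jump icmpIn
    /sbin/ipchains --new-chain icmpOut
    /sbin/ipchains --append output --protocol icmp --jump icmpOut

    # Type Of Service marking (needs CONFIG_IP_ROUTE_TOS in the kernel):
    # interactive/control ports get minimum delay, ftp-data maximum throughput.
    /sbin/ipchains --append output -p tcp -d 0/0 80 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 22 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 23 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 21 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 110 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 25 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 20 -t 0x01 0x08

    # Kernel knobs: cope with the external address changing under
    # masqueraded connections, and enable forwarding at all.
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Masquerade table timeouts: tcp, tcpfin, udp (seconds).
    /sbin/ipchains --masquerading --set 14400 60 600

    # Anti-spoofing: reverse-path filtering on every interface, so a packet
    # whose source address would not be routed back out the interface it
    # arrived on is dropped by the kernel before any rule here sees it.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > "$rpf"
        done
    fi

    # SYN cookies: keep the listen queues usable under a SYN flood.
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    # Loopback is trusted (non-ICMP only - ICMP was diverted above).
    /sbin/ipchains --append input -i lo -j ACCEPT
    /sbin/ipchains --append output -i lo -j ACCEPT

    # Drop (and log, if enabled) anything from the outside involving the
    # "small services" port range 0-19 on either end.
    /sbin/ipchains --append input -p TCP -s 0/0 :19 -i "$OUTERIF" -j denylog
    /sbin/ipchains --append input -p UDP -s 0/0 :19 -i "$OUTERIF" -j denylog
    /sbin/ipchains --append input -p TCP -d 0/0 :19 -i "$OUTERIF" -j denylog
    /sbin/ipchains --append input -p UDP -d 0/0 :19 -i "$OUTERIF" -j denylog

    # No multicast / class E / limited-broadcast traffic in either direction.
    /sbin/ipchains --append input -s 224.0.0.0/3 -j DENY
    /sbin/ipchains --append input -d 224.0.0.0/3 -j DENY
    /sbin/ipchains --append output -s 224.0.0.0/3 -j DENY
    /sbin/ipchains --append output -d 224.0.0.0/3 -j DENY

    # ICMP whitelist.  Anything not listed (redirects, timestamp and address
    # mask requests, ...) falls through to the denylog rule appended to
    # these chains at the end.
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type destination-unreachable --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type source-quench --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type time-exceeded --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type parameter-problem --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type echo-reply --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type source-quench --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type parameter-problem --jump ACCEPT

    # Outgoing ICMP from the LAN (the output chain is diverted to icmpOut
    # for ICMP before this point, so this only matters for what icmpOut
    # lets through).
    /sbin/ipchains --append output -p icmp --source 192.168.0.0/255.255.255.0 --destination 0.0.0.0/0 -j ACCEPT

    # The LAN is trusted: LAN-to-LAN forwarding, anything from a LAN
    # address that actually arrived on the LAN interface, anything towards
    # the LAN.  The interface match is belt-and-braces on top of rp_filter:
    # a packet with a 192.168.0.x source coming in on the external side is
    # never treated as LAN traffic.
    /sbin/ipchains --append forward -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    /sbin/ipchains --append input -i "$INTERNALIF" -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
    /sbin/ipchains --append output -d 192.168.0.0/255.255.255.0 -s 0/0 -j ACCEPT

    # "Established" TCP from the outside: ipchains has no connection
    # tracking, so every TCP segment without SYN set is accepted on the
    # assumption that it belongs to a connection we opened.  This is also
    # what lets ACK/FIN scans reach closed ports (they get RSTs back);
    # ipchains cannot do better than this heuristic.
    /sbin/ipchains --append input ! -y -p tcp -s 0.0.0.0/0 -i "$OUTERIF" -j ACCEPT

    # Masquerade everything the LAN sends towards the Internet.
    /sbin/ipchains --append forward -j MASQ --source 192.168.0.0/255.255.255.0 --destination 0.0.0.0/0

    # Services reachable from the Internet on the external address:
    # ident (113), ftp (20/21), http (80), https (443), ESP (IPsec; AH
    # cannot be masqueraded so it is not handled), GRE (PPTP), smtp (25).
    # The "! -y" output rules accept replies for those services; the output
    # policy is ACCEPT anyway, so they are shortcuts, not restrictions.
    if [ -n "$OUTERNET" ]; then
        /sbin/ipchains -A input -p tcp -s 0/0 -d "$OUTERNET" 113 -j ACCEPT
        /sbin/ipchains -A input -p udp -s 0/0 -d "$OUTERNET" 113 -j ACCEPT
        /sbin/ipchains --append input -p tcp -s 0/0 -d "$OUTERNET" 20 -j ACCEPT
        /sbin/ipchains --append input -p tcp -s 0/0 -d "$OUTERNET" 21 -j ACCEPT
        /sbin/ipchains --append output ! -y -p tcp -d 0/0 -s "$OUTERNET" 20 -j ACCEPT
        /sbin/ipchains --append output ! -y -p tcp -d 0/0 -s "$OUTERNET" 21 -j ACCEPT
        /sbin/ipchains --append input -p tcp -s 0/0 -d "$OUTERNET" 80 -j ACCEPT
        /sbin/ipchains --append output ! -y -p tcp -d 0/0 -s "$OUTERNET" 80 -j ACCEPT
        /sbin/ipchains --append input -p tcp -s 0/0 -d "$OUTERNET" 443 -j ACCEPT
        /sbin/ipchains --append output ! -y -p tcp -d 0/0 -s "$OUTERNET" 443 -j ACCEPT
        /sbin/ipchains --append input -p 50 -s 0/0 -d "$OUTERNET" -j ACCEPT
        /sbin/ipchains --append input -p 47 -s 0/0 -d "$OUTERNET" -j ACCEPT
        /sbin/ipchains --append input -p tcp -s 0/0 -d "$OUTERNET" 25 -j ACCEPT
        /sbin/ipchains --append output ! -y -p tcp -d 0/0 -s "$OUTERNET" 25 -j ACCEPT
    fi

    # Explicit exceptions to the high-port catch-all further down: no new
    # connections from the outside to MySQL (3306) and the proxy (3128).
    # Matched on the incoming interface rather than the external address so
    # they hold for every address the external side carries and do not
    # depend on ExternalIP being set.
    /sbin/ipchains --append input -i "$OUTERIF" -p tcp -y -s 0/0 -d 0/0 3306 -j denylog

    # RIP is ignored - gateways are static or server assigned.  Not logged.
    /sbin/ipchains -A input -i "$OUTERIF" -p udp -d 0/0 520 --jump DENY

    # Random SMB noise from the outside is dropped without logging; it is
    # too common on cable and other shared networks to be worth the log.
    # Set the Logging property of masq to "all" to see it anyway.
    /sbin/ipchains -A input -i "$OUTERIF" -p tcp -d 0/0 137:139 --jump DENY
    /sbin/ipchains -A input -i "$OUTERIF" -p udp -d 0/0 137:139 --jump DENY

    /sbin/ipchains --append input -i "$OUTERIF" -p tcp -y -s 0/0 -d 0/0 3128 -j denylog

    # Active-mode FTP data connections from remote servers (source port 20)
    # to our high ports.
    if [ -n "$OUTERNET" ]; then
        /sbin/ipchains --append input -p tcp -y -s 0/0 20 -d "$OUTERNET" 1024:65535 -j ACCEPT
    fi

    # The broadest hole in this policy: any new TCP connection and any UDP
    # datagram to an unprivileged port (1024-65535) on ANY address, from
    # anywhere, is accepted.  It is what admits traffic such as masqueraded
    # replies and passive-FTP data connections, but it also exposes every
    # daemon that happens to listen on an unprivileged port on the external
    # side; the 3306/3128 denylog rules above exist only to carve
    # exceptions out of it.  Add a denylog rule above this line for any
    # new service that must not be reachable from the Internet.
    /sbin/ipchains --append input -p tcp -s 0/0 -d 0/0 1024:65535 -j ACCEPT
    /sbin/ipchains --append input -p udp -s 0/0 -d 0/0 1024:65535 -j ACCEPT

    # Chain terminators.  Logging is disabled - set the Logging property of
    # the masq service to enable it.
    /sbin/ipchains --append denylog --jump DENY
    /sbin/ipchains --append icmpIn --jump denylog
    /sbin/ipchains --append icmpOut --jump denylog
    /sbin/ipchains --policy forward DENY
    /sbin/ipchains --append forward --jump DENY
    /sbin/ipchains --policy input DENY
    /sbin/ipchains --append input --jump denylog
    /sbin/ipchains --policy output ACCEPT
    /sbin/ipchains --append output --jump ACCEPT
    echo "done"
    ;;
restart)
    "$0" stop
    "$0" start
    ;;
stop)
    echo ""
    echo -n "Shutting down IP masquerade and firewall rules:"
    # Fail closed: policies go to DENY first, then everything is flushed.
    # With no rules left, the input DENY policy drops loopback traffic too,
    # so local services talking to 127.0.0.1 are unreachable until the next
    # start (for a restart that is only the gap between stop and start).
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P input DENY
    /sbin/ipchains -F input
    /sbin/ipchains -F output
    /sbin/ipchains -F forward
    /sbin/ipchains -F
    /sbin/ipchains -X
    echo " Done!"
    echo ""
    ;;
*)
    echo "Usage: masq {start|stop|restart|...}"
    exit 1
    ;;
esac
exit 0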
#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------