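############################rc.iptables.config########################
#
# this is the config file for rc.iptables
# it should be located in /etc/sysconfig/
#
# NB: this file is sourced by the shell, so every line is a shell
# assignment. Inside a double-quoted value a '#' is NOT a comment and a
# trailing backslash only joins the next line onto the value - comment
# out whole lines, never part of a quoted value.
#
######################################################################

#########################general setup################################

IPTABLES=/sbin/iptables

#max connection rate for incoming SYN and ICMP on our filtered interface
#NB: not implemented.. kind of difficult..
MAXCONNRATE="10/s"

#modules needed / that we want to load
#(list each module once; ipt_MASQUERADE used to appear twice)
MODS="ipt_tos ipt_mark ipt_limit ipt_REJECT ipt_MARK ipt_TOS ipt_LOG \
      iptable_mangle ipt_MASQUERADE iptable_filter \
      ipt_state ip_nat_ftp iptable_nat ip_conntrack_ftp "

#internal tables
TABLES="nat mangle filter"

#root table chains
FILTERCH="INPUT OUTPUT FORWARD"
MANGLECH="PREROUTING OUTPUT"
NATCH="PREROUTING POSTROUTING OUTPUT"

########################################################################
#############################network setup##############################

#list of *all* interfaces
INTERFACES="eth0 eth1 eth2 lo ppp+"

#trusted interfaces - no restrictions
IF_TRUSTED="eth0 eth1 lo"

#untrusted interfaces
IF_UNTRUSTED="eth2"

#if's to filter
#NB: keep this in step with IF_UNTRUSTED - an untrusted interface that is
#left out here presumably gets no filtering at all (check rc.iptables)
IF_FILTER="eth2"

#local addresses
#NB: for future use
IP_LOCAL="127.0.0.1 192.168.123.45 192.168.43.21"

#trusted networks, ie internal nets or trusted nets on otherwise
#untrusted interfaces
#NB: for future use
IP_TRUST="10.0.0.0/8"

#internal networks. ie networks on trusted internal interfaces
#NB: for future use
#NB: 224.0.0.0/8 lies inside the multicast range (224.0.0.0/4); it is not
#a private (RFC 1918) block - confirm that is what is intended
IP_INTERNAL="192.168.0.0/16 172.16.0.0/12 224.0.0.0/8"

# do consistency checking on IP_LOCAL
# addressed packets entering/leaving IF_FILTER interfaces?
#NB: not yet implemented
IF_CHECK=false

#####################################################################
##############################filtering##############################

#all the below control what we allow in on our filtered interfaces.

# protocols to unanimously accept...
#NB: *careful*! whole protocols are accepted here, apparently with no
#type or address restriction - keep this list as short as possible
FIL_PROTO="icmp"
# if you use ipv6, you need below+ipv6tables afaict.
#FIL_PROTO="icmp ipv6 ipv6-route ipv6-frag ipv6-crypt ipv6-auth"

#states to accept globally - do not include NEW!
FIL_STATE="RELATED,ESTABLISHED"

#tcp destination ports num/ranges to accept
FIL_TCPDEST="smtp auth ssh http https domain 654:656"

#udp destination port num/ranges to accept
FIL_UDPDEST="domain 1234:1245"

#tcp source port num/ranges to accept
#NB: *dangerous* - the remote peer chooses its own source port, so a
#match here is granted to anyone who sets it
FIL_TCPSRC=""

#udp src port num/ranges to accept
#NB: *dangerous* - same caveat as FIL_TCPSRC
FIL_UDPSRC=""

#source/dst ip/prefix to allow full port access
#NB: *dangerous* trusting on /source/ ip is not good
FIL_IPSRC=""
FIL_IPDST=""

#custom filters
#becomes iptables -A chain <.....> -j ACCEPT
#elements are comma separated
#careful....
#NB: to disable an element delete it from the string. A '#' inside the
#quotes is not a comment - it ends up as a literal element and is passed
#to iptables as an argument, which fails. The udp domain<->domain
#element is kept here, outside the string, as an example:
# -p udp --sport domain --dport domain
FIL_CUST="-p tcp --sport domain --dport domain, \
          -p udp -s 123.45.67.89 --dport 123:456"

#do wish to log packets that matched nothing on our filtering chains, and
#hence we didnt accept?
#NB: generates quite a lot of syslog messages
FIL_LOGEND=false

#################################################################
###########################masquerading################################
#
# interfaces to apply masquerading on
# typically your internet interface, and hence probably
# also an interface listed in IF_FILTER
MASQIF="eth2"

# ip/prefix's to masquerade, if any
MASQ="192.168.0.0/16"

##exceptions
##all below are applied before masquerading is enabled on MASQIF
#
# tcp port nums/ranges we never want to masquerade
# eg port 80 to force people to use the proxy
TCPNOMASQ="80"

# udp ports nums/ranges never to masq
UDPNOMASQ=""

# ip/prefixs never to masq.
# NB: default is not to masq anything not in MASQ. so use of this option
# 'd be probably just to deny more specific prefixes contained within MASQ.
# global udp/tcp masq's will still work for these prefix lengths though
NOMASQ=""

#tcp port nums/ranges to globally masq
TCPMASQ=""

#udp port nums/ranges to globally masq
UDPMASQ=""

###################################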