Jan Rękorajski <[email protected]>
PREAMBLE:
Version 3.0.0 is a complete rewrite of the old firewall-init package. The old-style
config syntax was too painful to maintain and could not cope with all the features
of iptables.
As of version 2.99.0 this package is distributed under the GNU GPL; the BSD
license applies to all previous versions.
firewall-init HOWTO
I. What is it?
Firewall-init provides a SysV-init style start-up script and /etc/sysconfig
control over the available kernel IP packet filter using iptables(8). In other
words, instead of having to write your own script to be run by init for
firewalling or having to shove all of your rules in rc.local you can use the
handy configuration files provided.
II. What does it include?
The base package comes with the following files:
<file> <description>
/etc/rc.d/init.d/firewall -- initscript that starts/stops firewalling.
/etc/sysconfig/firewall -- main control file.
/etc/sysconfig/firewall.d/functions -- shell functions library
/etc/sysconfig/firewall.d/ipv4 -- directory holding 'direction policy' files.
/etc/sysconfig/firewall.d/ipv6 -- directory holding 'direction policy' files.
/usr/share/doc/firewall-init-*/README -- this file.
III. /etc/rc.d/init.d/firewall
This script controls starting and stopping the firewall and must be called with
one option: start or stop. It runs after networking in the start run-levels (so
that rpcinfo (portmap) can be used to detect services that do not use a fixed
port number) and after networking in the stop run-levels. First it checks in
/etc/sysconfig/firewall whether firewalling should be turned on at all and, if
so, sets the default chain policies from that file. It then loads any further
rules found in /etc/sysconfig/firewall.d/$proto/$table/$CHAIN.
IV. /etc/sysconfig/firewall
The format for this file is:
# Controls if firewall should be started
FIREWALL=(yes|no)
# Location of programs/configuration files
FIREWALL_DIR="/etc/sysconfig/firewall.d"
iptables="/usr/sbin/iptables"
ip6tables="/usr/sbin/ip6tables"
# Which tables you want set up for IPv4 (filter, nat, mangle, drop)
ipv4_TABLES="filter"
# Which tables you want set up for IPv6 (filter, mangle)
ipv6_TABLES=
# Connection tracking (defaults to yes as it's VERY useful also on non-NAT boxes)
CONNTRACK="yes"
# Which ports to track (FTP,IRC,Eggdrop) empty = defaults
# May be needed by conntrack and NAT
FTP_PORTS=
IRC_PORTS=
EGGDROP_PORTS=
# FXP (direct FTP-to-FTP transfer) support in conntrack_ftp
FTP_FXP="yes"
# Size (in KB) of hash tables for connection tracking and NAT
# default is 1/16384 of memory
CONNTRACK_HASHSIZE=
NAT_HASHSIZE=
# Policies for chains ($proto_$table_$CHAIN):
# IPv4:
ipv4_filter_INPUT="ACCEPT"
ipv4_filter_OUTPUT="ACCEPT"
ipv4_filter_FORWARD="DROP"
ipv4_nat_OUTPUT="ACCEPT"
ipv4_nat_PREROUTING="ACCEPT"
ipv4_nat_POSTROUTING="ACCEPT"
ipv4_mangle_OUTPUT="ACCEPT"
ipv4_mangle_PREROUTING="ACCEPT"
ipv4_drop_DROPPING="DROP"
# IPv6:
ipv6_filter_INPUT="ACCEPT"
ipv6_filter_OUTPUT="ACCEPT"
ipv6_filter_FORWARD="DROP"
ipv6_mangle_OUTPUT="ACCEPT"
ipv6_mangle_PREROUTING="ACCEPT"
V. Firewalls: /etc/sysconfig/firewall.d/$proto/$table/$CHAIN
NOTE: These files are shell scripts for a POSIX-compliant /bin/sh.
Each of these files must define a function that will be called by the
main code; this function must be named like this:
$proto_$table_$CHAIN_rules()
{
# Your rules here
}
where:
$proto is ipv4 or ipv6
$table is the name of the table (ipv4: filter, nat, mangle, drop;
ipv6: filter, mangle)
$CHAIN is the chain name (depends on table)
So, for example, the function containing the rules for the INPUT chain of the
IPv4 filter table will look like this:
ipv4_filter_INPUT_rules()
{
}
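A filled-in INPUT rules file, added here as an example (it is not part of the original README nor one of the firewall-init distribution's sample files): a stateful host policy that relies on the connection tracking enabled by CONNTRACK="yes" above. The services opened (ssh on 22, http on 80) are assumptions, as is the fallback assignment of $iptables at the top, which exists only so the file can be run by hand; in normal operation the functions library sets $iptables from /etc/sysconfig/firewall before sourcing this file.

```sh
# /etc/sysconfig/firewall.d/ipv4/filter/INPUT   (added example, not the project's own file)
#
# $iptables is normally set by /etc/sysconfig/firewall. The fallback below is an
# assumption for running this file by hand; "iptables=echo" turns it into a dry run.
: "${iptables:=/usr/sbin/iptables}"

ipv4_filter_INPUT_rules()
{
	# Loopback is trusted.
	$iptables -A INPUT -i lo -j ACCEPT

	# Stateful core: packets belonging to a connection conntrack already knows
	# (replies to our own outgoing connections, related ICMP errors, FTP data
	# channels tracked by the conntrack_ftp helper) are accepted. This is what
	# CONNTRACK="yes" buys you on a non-NAT host.
	$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Packets that fit no tracked connection and are not a valid start of one
	# (stray ACKs, malformed headers) are dropped before any service rule.
	$iptables -A INPUT -m state --state INVALID -j DROP

	# New inbound connections: only the services this host should offer.
	# (assumed services; adjust to the host)
	$iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
	$iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

	# ICMP: what PMTU discovery and diagnostics need, echo requests rate-limited.
	$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
	$iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
	$iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

	# Everything else: log (rate-limited so a port scan cannot fill syslog), then
	# drop. ipv4_filter_INPUT in /etc/sysconfig/firewall is "ACCEPT" by default,
	# so this final DROP is what actually makes the chain a closed policy.
	$iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-input: "
	$iptables -A INPUT -j DROP
}
```

Sourcing the file only defines the function; to see the rules without applying them, run `(iptables=echo; . /etc/sysconfig/firewall.d/ipv4/filter/INPUT; ipv4_filter_INPUT_rules)`. Rule order matters: the ESTABLISHED,RELATED rule sits first so that the bulk of the traffic is decided by one conntrack lookup, and the final DROP must stay last.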
VI. Example
The files in /etc/sysconfig/firewall.d/ in the distribution contain commented
out example rules.
VII. Masquerading
Masquerading an internal network through this host is accomplished using the
POSTROUTING chain of the nat table. So in order to masquerade the internal
network 192.168.0.0/24 (one of the private address ranges), the following
lines should be placed in /etc/sysconfig/firewall.d/ipv4/nat/POSTROUTING:
ipv4_nat_POSTROUTING_rules()
{
	# Rewrite the source address of packets from the internal network to the
	# address of the interface they leave through. Once you know the name of
	# the external interface, add "-o <external interface>" so that traffic
	# routed back towards the internal side is not masqueraded as well.
	$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
	# Do not put filtering (e.g. a catch-all "-j DROP") in the nat table: it is
	# consulted only for the first packet of each connection, and a DROP here
	# would also kill the host's own outgoing connections, whose source is not
	# 192.168.0.0/24. Filtering belongs in the filter table's FORWARD chain.
}
Be warned that, unlike in ipchains, masquerading is done NOT in the FORWARD
chain but after the packet has been routed. The forwarded packets still
traverse the filter table's FORWARD chain on the way, so with the default
ipv4_filter_FORWARD="DROP" policy nothing is masqueraded until you explicitly
ACCEPT the internal network's traffic in
/etc/sysconfig/firewall.d/ipv4/filter/FORWARD.
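The FORWARD rules that go with the masquerading example above, added here as an example (not part of the original README or of the firewall-init distribution): the MASQUERADE rule only rewrites source addresses, and this file is where the decision whether a packet may cross the host at all is made. The interface names are assumptions (eth0 facing the Internet, eth1 the 192.168.0.0/24 side), as is the fallback assignment of $iptables, which the functions library normally sets from /etc/sysconfig/firewall.

```sh
# /etc/sysconfig/firewall.d/ipv4/filter/FORWARD   (added example, not the project's own file)
#
# $iptables is normally set by /etc/sysconfig/firewall; the fallback and the
# interface names below are assumptions so the file can be tried by hand.
: "${iptables:=/usr/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"          # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"          # assumed: interface on the masqueraded network
LAN_NET="192.168.0.0/24"

ipv4_filter_FORWARD_rules()
{
	# Replies and related packets of connections conntrack already tracks, in
	# either direction. NAT is undone on the way back by the same conntrack
	# entry, so the reply to a masqueraded connection matches here.
	$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Anti-spoofing: a packet claiming an internal source address but arriving
	# on the external interface is never forwarded.
	$iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP

	# New connections from the internal network to the outside are allowed;
	# they get masqueraded in nat/POSTROUTING once routed.
	$iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT

	# Nothing initiated from the outside reaches the internal network. With the
	# default ipv4_filter_FORWARD="DROP" policy the final DROP is redundant, but
	# spelling it out keeps the file correct if the policy is ever changed.
	$iptables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "fw-forward: "
	$iptables -A FORWARD -j DROP
}
```

The anti-spoofing rule is placed before the ACCEPT for new connections deliberately: with conntrack in the picture, a forged packet that managed to create a connection entry would be matched by the ESTABLISHED,RELATED rule on every later packet, so bogus sources have to be rejected before they ever reach that stage.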
VIII. Logging
Errors from iptables(8) caused by improper rules are logged to syslogd with a
priority of user.notice.