#!/bin/sh
#
# config_ppp
#
# Finish configuring a Red Hat 6.2 system to act as an IP Masquerade
# firewall (ipchains) whose Internet link is a PPP dial-up connection.
#
# Assumes the system was installed as described in:
#   http://www-jerry.oit.duke.edu/linux/HOWTO/AAAfirewall_install_v62.txt
#
#   - uses the dhcp client (pump)
#   - uses pppd, in "demand" mode, to dial an ISP
#   - provides dhcpd service to your LAN
#   - provides a caching nameserver for your LAN
#
# Assumes the machine has one ethernet card (LAN side) and a modem,
# either internal or external.
#
# See AAAWHATNOW (/icb/icb_ppp/WHATNOW) for how to prepare the modem.
#
# Prompts for: ISP account user name and password, ISP phone number,
# DNS nameserver, internal/external modem.
#
# Written by:    Jerry Winegarden, Duke University, 05-30-01
# Last modified: 06/07/01
# Calls:         none
# Called by:     none
# Files:         none - every config file is written directly by this script
# -----------------------------------------------------------------------------
#
# Opening banner (blank line, two lines of text).
cat <<'EOF'

Configure Red Hat Linux 6.2 system to function as an IPMasquerade/Firewall
Connecting to the Internet via PPP dialup.
EOF
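# ---------------------------------------------------------------------------
# List the files that will be touched, collect the ISP account details and
# the modem type, back up every config file, then write resolv.conf,
# hosts.deny and hosts.allow.
# ---------------------------------------------------------------------------
cat <<'EOF'

The following files will be configured:

/etc/
conf.modules dhcpd.conf hosts hosts.allow hosts.deny
inetd.conf named.boot named.conf resolv.conf sysctl.conf
/etc/rc.d/
rc.local rc.firewall
/etc/sysconfig/
network
/etc/sysconfig/network-scripts
ifcfg-eth0 ifcfg-ppp0 chat-ppp0 chatscript
/etc/ppp/
ip-up.local pap-secrets chap-secrets
/var/state/dhcp/
 dhcpd.leases

EOF
printf 'Hit any key to continue: '
read -r yn
echo "*********************************************************************"
echo

# NOTE: USER is normally the login name of the invoking user; this script
# deliberately reuses it for the ISP account name, and every later $USER in
# this file means the ISP account name.
printf 'What is your ISP account USER NAME: '
read -r USER

# Read the password with terminal echo switched off so it is neither shown
# on screen nor left in the terminal scrollback; restore echo even if the
# user interrupts with Ctrl-C.  "read -r" keeps backslashes literal.
printf 'What is your ISP account PASSWORD: '
trap 'stty echo 2>/dev/null; exit 1' INT TERM
stty -echo 2>/dev/null
read -r PASSW
stty echo 2>/dev/null
trap - INT TERM
echo

printf 'What is the ISP phone number: '
read -r PHONENUM
echo
echo "DNS Primary Nameserver information"
echo "If you do not know the IP number for the primary nameserver from your ISP"
echo "then just press (ENTER), else type in the IP number (e.g. 152.3.250.1)"
echo
printf 'What is your ISP primary DNS name server IP number: '
read -r DNS_IP_NUM
echo
echo "Your ISP user name: $USER"
# the password itself is not echoed back; only confirm that one was entered
echo "Your account password: (not shown, ${#PASSW} characters entered)"
echo "The ISP local phone number: $PHONENUM"
echo "The ISP primary DNS Nameserver: $DNS_IP_NUM"
printf 'Hit any key to continue: '
read -r yn

# Ask whether the modem is internal or external; this selects the serial
# port written into ifcfg-ppp0 later (ttyS0 = COM1 external, ttyS3 = COM4
# internal).  Default to the external port rather than leaving modemport
# unset, which would produce an invalid MODEMPORT="/dev/ttyS" entry.
echo
printf 'Is your modem Internal (i) or External (e), (i/e): '
read -r ml
modemport="0"
case "$ml" in
  i|I) modemport="3" ;;
  e|E) modemport="0" ;;
  *)   echo "Unrecognized answer '$ml' - assuming an External modem (/dev/ttyS0)" ;;
esac

echo "*********************************************************************"
echo
echo "Making backup copies of current and original versions of configuration "
echo "files (listed above): *.bak and *.orig"
#
# *.orig is made only once, so it stays the very first version from before
# config_ppp was ever run.  *.bak is overwritten on every run and holds the
# version that was current just before this run.
#
cd /etc || exit 1
for cfg in /etc/conf.modules /etc/dhcpd.conf /etc/hosts /etc/hosts.allow \
           /etc/hosts.deny /etc/inetd.conf /etc/resolv.conf /etc/sysctl.conf \
           /etc/rc.d/rc.local; do
  # create the file if it is missing so the copies below cannot fail
  touch "$cfg"
  if [ ! -r "$cfg.orig" ]; then
    /bin/cp -f "$cfg" "$cfg.orig"
  fi
  /bin/cp -f "$cfg" "$cfg.bak"
done

# create new resolv.conf, hosts.allow, hosts.deny from the info given
echo "Creating /etc/resolv.conf (DNS nameservers list)"
# A resolv.conf entry needs the "nameserver" keyword; a bare IP number is
# not a valid line.  With no ISP server given the file is left empty and the
# resolver falls back to the local (caching) nameserver.
if [ -n "$DNS_IP_NUM" ]; then
  echo "nameserver $DNS_IP_NUM" > /etc/resolv.conf
else
  : > /etc/resolv.conf
fi

echo "Creating /etc/hosts.allow, /etc/hosts.deny "
echo "(allowing access only from machines on your LAN (IP numbers 192.168.1.x)"
echo "ALL:ALL" > /etc/hosts.deny
# Written in one go so the explanatory comments are kept together with the
# rule (writing the rule with ">" afterwards would truncate them away).
# Quoted delimiter: nothing in this block is expanded.
cat > /etc/hosts.allow <<'EOF'
# ALL: means all services
# :LOCAL means localhost (your machine) is granted access
# :..., 192.168.1. means all machines with IP num 192.168.1.x is allowed
# Trailing '.' is significant
# This means you will not be able to telnet or ftp to this router box from
# OUTSIDE your LAN
# But you CAN access it from any machine on the LAN
#
ALL: LOCAL, localhost, 192.168.1.
EOF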
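#
# Create ppp dialup scripts in /etc/ppp, /etc/sysconfig/network-scripts
#
# Unquoted heredoc delimiters below: $PHONENUM, $USER and $PASSW are
# substituted, but the result of the substitution is not re-parsed, so a
# password with shell metacharacters is written verbatim.
echo "Creating /etc/ppp/chatscript"
cat > /etc/ppp/chatscript <<EOF
TIMEOUT 5
"" ATZ
OK ATDT $PHONENUM
ABORT "NO CARRIER"
ABORT BUSY
ABORT "NO DIALTONE"
ABORT WAITING
TIMEOUT 45
CONNECT ""
TIMEOUT 5
"login:" $USER
"sword:" $PASSW
EOF

echo "Creating /etc/ppp/pap-secrets"
cat > /etc/ppp/pap-secrets <<EOF
# Secrets for authentication using PAP
# client server secret IP addresses
$USER * $PASSW
EOF

echo "Creating /etc/ppp/chap-secrets"
cat > /etc/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
$USER * $PASSW
EOF

# All three files hold the ISP password in clear text; a plain ">" leaves
# them with the default (usually world-readable) mode, so restrict them to
# root.
chmod 600 /etc/ppp/chatscript /etc/ppp/pap-secrets /etc/ppp/chap-secrets

echo "Creating files in /etc/sysconfig and /etc/sysconfig/network-scripts"
echo "Modifying /etc/sysconfig/network"
cat > /etc/sysconfig/network <<'EOF'
NETWORKING=yes
HOSTNAME="icb"
GATEWAY=""
GATEWAYDEV=""
FORWARD_IPV4="yes"
EOF

echo "Backing up original"
echo "/etc/sysconfig/network-scripts ifcfg-eth0 as _ifcfg-eth0.orig"
echo "Creating _ifcfg-eth0.manual"
echo "copying _ifcfg-eth0.manual to ifcfg-eth0"
netscripts=/etc/sysconfig/network-scripts
# keep the very first ifcfg-eth0 as _ifcfg-eth0.orig (only once, and only if
# there is one to keep)
if [ -r "$netscripts/ifcfg-eth0" ] && [ ! -r "$netscripts/_ifcfg-eth0.orig" ]; then
  /bin/cp -f "$netscripts/ifcfg-eth0" "$netscripts/_ifcfg-eth0.orig"
fi
cat > "$netscripts/_ifcfg-eth0.manual" <<'EOF'
DEVICE="eth0"
BOOTPROTO=""
IPADDR="192.168.1.1"
NETMASK="255.255.255.0"
ONBOOT="yes"
EOF
#
# (use /bin/cp because .bashrc creates command alias for cp = cp -i
# and cp -f then would = cp -i -f, which is just -i, which prompts)
#
/bin/cp -f "$netscripts/_ifcfg-eth0.manual" "$netscripts/ifcfg-eth0"

#
# Create dhcpd.conf, providing dhcp service with IP numbers in the
# range 192.168.1.2 - 192.168.1.200
# The nameserver will be your caching nameserver (192.168.1.1, which
# is THIS firewall/router box), followed by any DNS's specified above.
# The subnet block is left open here; the domain-name-servers line and the
# closing brace are appended further down in this script.
#
echo "Creating dhcp service configuration file: /etc/dhcpd.conf"
cat > /etc/dhcpd.conf <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.2 192.168.1.200;
 option routers 192.168.1.1;
 default-lease-time 2592000;
 max-lease-time 25920000;
 option broadcast-address 192.168.1.255;
# domain nameservers line(s)
# form will be option domain-nameservers...
# with either 192.168.1.1; or
# 192.168.1.1, ISP_DNS1, ISP_DNS2;
# depending on whether you entered any ISP nameserver numbers above.
EOF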
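# dhcpd.conf: finish the subnet block begun above.  LAN clients are handed
# this box (192.168.1.1, the caching nameserver) first, then the ISP server
# if one was entered.
if [ -z "$DNS_IP_NUM" ]; then
  echo " option domain-name-servers 192.168.1.1;" >> /etc/dhcpd.conf
else
  echo " option domain-name-servers 192.168.1.1, $DNS_IP_NUM;" >> /etc/dhcpd.conf
fi
echo "}" >> /etc/dhcpd.conf
#
# create /var/state/dhcp/dhcpd.leases
echo "Creating dhcpd service leases list file: /var/state/dhcp/dhcpd.leases"
touch /var/state/dhcp/dhcpd.leases
#
# Re-write inetd configuration file: /etc/inetd.conf
# (For security, makes sure that all unnecessary services are not enabled.)
# telnet and ftp go through tcpd, so /etc/hosts.allow limits them to the LAN.
echo "Re-writing /etc/inetd.conf (only allow telnet, ftp, auth)."
cat > /etc/inetd.conf <<'EOF'
# Allow only telnet, ftp, auth to via inetd
#
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
auth stream tcp wait root /usr/sbin/in.identd in.identd -e -o
EOF
#
# Set the system's host name (/etc/HOSTNAME)
echo "Setting the system HOSTNAME to icb"
echo "icb" > /etc/HOSTNAME
#
# Re-write /etc/sysctl.conf: forwarding on, reverse-path filtering on,
# defragment before masquerading, magic-sysrq off.
echo "Re-write /etc/sysctl.conf"
cat > /etc/sysctl.conf <<'EOF'
# 0 Disables packet forwarding
# 1 Enables packet forwarding
net.ipv4.ip_forward = 1
# 1 Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# 0 Disables automatic defragmentation
# 1 Enables automatic defragmentation (needed for IP masqerading, LVS)
net.ipv4.ip_always_defrag = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
EOF
#
# Check on conf.modules and re-write if necessary
#
# Append one line to /etc/conf.modules, telling the user what was added.
#   $1 - the complete line to append
add_conf_modules_line() {
  echo "adding line to /etc/conf.modules: $1"
  echo "$1" >> /etc/conf.modules
}

cat <<'EOF'

******************************************************************
Check on the correct information in /etc/conf.modules
******************************************************************
 Make changes (if necessary) to your Module (driver) 
 configuration file: /etc/conf.modules
******************************************************************
Check below for the following three lines:

alias eth0 3c509 or alias eth0 ne or alias eth0 via-rhine
alias tty-ldisc-3 ppp_deflate
alias char-major-108 ppp_generic

The first line loads the driver for your ethernet card. If you
have a PCI card or an ISA card with Plug-n-Play working, there will
be just one line for eth0: alias eth0 ...
If you have an ISA ethernet card with Plug and Play DISabled, then
you must have manually set the IRQ and I/O address on the card
and there must be an additional 'options' line in conf.modules like this:

alias eth0 ne
options eth0 io=0x300 irq=3
-------------------------------------------------------------------
 CHECK HERE
Current contents of /etc/conf.modules:

EOF
cat /etc/conf.modules
echo
echo "-------------------------------------------------------------------"
printf "Is your ethernet card driver module properly loaded with 'alias eth0 (y/n): "
read -r yn
if [ "$yn" != "y" ]; then
  printf 'What is the correct ethernet card module name (e.g. ne or 3c509): '
  read -r ETHMOD
  add_conf_modules_line "alias eth0 $ETHMOD"
fi
#
echo
printf 'Does your conf.modules file contain: alias tty-ldisc-3 ppp_deflate (y/n): '
read -r yn
if [ "$yn" != "y" ]; then
  add_conf_modules_line "alias tty-ldisc-3 ppp_deflate"
fi
echo
printf 'Does your conf.modules file contain: alias char-major-108 ppp_generic (y/n): '
read -r yn
if [ "$yn" != "y" ]; then
  add_conf_modules_line "alias char-major-108 ppp_generic"
fi
#
# Create /etc/ppp/ip-up.local (Red Hat's /etc/ppp/ip-up runs it once the PPP
# link is up, which is when rc.firewall can read the external address).
echo "Creating /etc/ppp/ip-up.local (to run the rc.firewall script)"
cat > /etc/ppp/ip-up.local <<'EOF'
#!/bin/bash
/etc/rc.d/rc.firewall
EOF
#
echo "making the ip-up.local script executable"
chmod +x /etc/ppp/ip-up.local
#
# Create /etc/sysconfig/network-scripts/chat-ppp0 and ifcfg-ppp0
#
cat > /etc/sysconfig/network-scripts/chat-ppp0 <<EOF
'ABORT' 'BUSY'
'ABORT' 'ERROR'
'ABORT' 'NO CARRIER'
'ABORT' 'NO DIALTONE'
'ABORT' 'Invalid Login'
'ABORT' 'Login incorrect'
'' 'ATZ'
'OK' 'ATDT $PHONENUM'
'CONNECT' ''
'ogin:' '$USER'
'sword:' '$PASSW'
EOF
# chat-ppp0 carries the account password in clear text: root-only.
chmod 600 /etc/sysconfig/network-scripts/chat-ppp0
#
# modemport 0 = External on Com1 (/dev/ttyS0; kudzu will detect)
# modemport 3 = Internal on Com4 (/dev/ttyS3; set IRQ=3, I/O=0x2e8)
# modemport is set by the modem question earlier in this script; fall back
# to the external port if it is somehow unset.
cat > /etc/sysconfig/network-scripts/ifcfg-ppp0 <<EOF
DEVICE="ppp0"
ONBOOT="yes"
USERCTL="no"
MODEMPORT="/dev/ttyS${modemport:-0}"
LINESPEED="115200"
PERSIST="yes"
DEFABORT="yes"
DEBUG="no"
INITSTRING="ATZ"
DEFROUTE="yes"
HARDFLOWCTL="yes"
ESCAPECHARS="no"
PPPOPTIONS="ipcp-accept-local ipcp-accept-remote demand idle 3000"
PAPNAME="$USER"
REMIP="10.0.0.2"
NETMASK=""
IPADDR="10.0.0.1"
MRU=""
MTU=""
DISCONNECTTIMEOUT="60"
RETRYTIMEOUT="5"
BOOTPROTO="dhcp"
PEERDNS="yes"
EOF
#
# Create firewall script, /etc/rc.d/rc.firewall.ppp (header only here; the
# module loading and rule set are appended further down, then the finished
# script is copied to /etc/rc.d/rc.firewall).
#
cat > /etc/rc.d/rc.firewall.ppp <<'EOF'
#!/bin/sh
# /etc/rc.d/rc.firewall - STRONG IP Masquerade setup IPCHAINS (2.2.x kernels)
# from IP-Masquerade-HOWTO, modified by Jerry Winegarden, 11/22/99
# PPP Dialup Internet connection version
EOF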
# rc.firewall.ppp, part 2: PATH and masquerading module loading.
# Quoted heredoc delimiter, so every line below lands in the generated
# script exactly as written (no expansion here).
cat >> /etc/rc.d/rc.firewall.ppp <<'EOF'
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Load all required IP MASQ modules 
#
# Needed to initially load modules
depmod -a
# Supports proper masquerading of FTP's using PORT method
modprobe ip_masq_ftp
# mod loads for Real Audio, Quake, etc
# modprobe ip_masq_raudio
modprobe ip_masq_irc
# modprobe ip_masq_vdolive
#
# RH 6.1 or earlier:
# CRITICAL: Enable IP forwarding (DISabled by default)
#echo "1" > /proc/sys/net/ipv4/ip_forward
# RH 6.2 or later, comment out the above statement.
EOF
# rc.firewall.ppp, part 3: interface variables and the ipchains rule set,
# then install it as rc.firewall.
# Quoted heredoc delimiter: the $vars and backquotes below belong to the
# generated script and are evaluated when rc.firewall runs, not now.  extip
# is read from ppp0 at that time, so rc.firewall is meant to run once the
# link is up (ip-up.local, created above, does that).
cat >> /etc/rc.d/rc.firewall.ppp <<'EOF'
# Use entry in /etc/sysctl.conf instead
# net.ipv4.ip_forward = 1
#
# get external IP num from DHCP for external connection (eth1)
# allow time to get dynamically assigned ip #:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# define variables intint, intnet, extint, extip
# extip for eth1 for dsl/cable modem (uncomment next line, comment ppp0 lines)
#export extip="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
export extip="`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/{print $2}' | sed -e s/addr://`"
export extint="ppp0"
# assign internal IP num (for LAN) to eth0
export intint="eth0"
export intnet="192.168.1.0/24"

# MASQ timeouts 2 hrs (7200 secs) TCP 10 sec TCP/IP "FIN" 160 sec UDP
ipchains -M -S 7200 10 160
#
ipchains -F input
ipchains -P input REJECT
# incoming
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# outgoing
ipchains -F output
ipchains -P output REJECT
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# forwarding
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
EOF

# make /etc/rc.d/rc.firewall.ppp executable
chmod +x /etc/rc.d/rc.firewall.ppp
# copy /etc/rc.d/rc.firewall.ppp to the production script: rc.firewall
/bin/cp -f /etc/rc.d/rc.firewall.ppp /etc/rc.d/rc.firewall
# end of config_ppp
# ***********************************************************************
# use chkconfig to start/stop processes (except for dhcpd,
# which needs to be started with a parameter.)
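# use chkconfig to turn off netfs, portmap, sendmail
/sbin/chkconfig --level 2345 netfs off
/sbin/chkconfig --level 2345 portmap off
/sbin/chkconfig --level 2345 sendmail off
#
# use chkconfig to turn on named
/sbin/chkconfig --level 2345 named on
#
# if not laptop, then turn off pcmcia and apmd
#
printf 'Is this box a laptop (y/n): '
read -r yn
if [ "$yn" != "y" ]; then
  /sbin/chkconfig --level 2345 apmd off
  /sbin/chkconfig --level 2345 pcmcia off
fi
# NOTE: add startup for dhcpd to end of /etc/rc.d/rc.local (dhcpd eth0)
# (instead of using linuxconf to start it up with this parameter)
#
# Only append once: skip if rc.local already mentions dhcpd anywhere.
# (grep -q replaces the earlier "declare -i" + "wc -l" count, which was a
# bashism under #!/bin/sh.)
if ! grep -q dhcpd /etc/rc.d/rc.local; then
  cat >> /etc/rc.d/rc.local <<'EOF'
#
# start up dhcpd with parameter eth0
dhcpd eth0 &
EOF
fi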