| 1 |
On Wed, 2006-11-15 at 20:29 +0000, Mick wrote: |
| 2 |
> Hi All, |
| 3 |
> |
| 4 |
> I have been using Daniel Robbins' basic script for years but now on a laptop I |
| 5 |
> have more than one ways of connecting to the Internet. The script uses the |
| 6 |
> variable UPLINK to define the incoming interface like so: |
| 7 |
> ============================================== |
| 8 |
> #change this to the name of the interface that provides your "uplink" |
| 9 |
> #(connection to the Internet) |
| 10 |
|
| 11 |
you could try modifying the script slightly: |
| 12 |
|
| 13 |
> UPLINK="eth0" |
| 14 |
|
| 15 |
make that |
| 16 |
UPLINK="eth0 ppp0" # space separated |
| 17 |
|
| 18 |
then I was going to say use a |
| 19 |
for i in x; do ...; done |
| 20 |
loop, but I realised that won't work exactly, because of the line |
| 21 |
> iptables -A INPUT -i ! ${UPLINK} -j ACCEPT |
| 22 |
then something strange would happen. |
| 23 |
|
| 24 |
What you're really saying is "for every interface not specified, accept |
| 25 |
incoming packets". This gets a bit tricky, cause you either have to |
| 26 |
parse the output of ifconfig (ugly) or specify the interface that are |
| 27 |
NOT "uplinks" (prone to user error). |
| 28 |
|
| 29 |
You could say: |
| 30 |
|
| 31 |
UPLINK="eth0 wlan0 ppp0" |
| 32 |
|
| 33 |
if [ "$1" = "start" ] |
| 34 |
then |
| 35 |
echo "Starting firewall..." |
| 36 |
iptables -P INPUT DROP |
| 37 |
for IFS in `ifconfig | grep "Link encap:" | awk '{print $1}'`; do |
| 38 |
for UPIFS in ${UPLINK}; do |
| 39 |
# if IFS isn't in UPIFS, then accept all trafic on IFS |
| 40 |
if ... |
| 41 |
|
| 42 |
forget that! too ugly. What are you really trying to do? Make all your |
| 43 |
interface the "uplink", ie. firewalled? |
| 44 |
|
| 45 |
In that case, just say this: |
| 46 |
|
| 47 |
> UPLINK="who cares?" |
| 48 |
> |
| 49 |
> if [ "$1" = "start" ] |
| 50 |
> then |
| 51 |
> echo "Starting firewall..." |
| 52 |
> iptables -P INPUT DROP |
| 53 |
> iptables -A INPUT -i lo -j ACCEPT |
| 54 |
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 55 |
|
| 56 |
done! Now everything is firewalled, and only lo is trusted. |
| 57 |
|
| 58 |
However, I haven't seen the rest of this script, so I don't know if that |
| 59 |
will break things. Maybe you want to post back with some more info if |
| 60 |
that doesn't suit your needs... |
| 61 |
|
| 62 |
cya! |
| 63 |
-- |
| 64 |
Iain Buchanan <iaindb at netspace dot net dot au> |
| 65 |
|
| 66 |
"How many people work here?" |
| 67 |
"Oh, about half." |
| 68 |
|
| 69 |
-- |
| 70 |
gentoo-user@g.o mailing list |
Archives