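#!/bin/bash
# IP Masquerade & Firewall Setup for ipchains
# Author: Brian Bothwell (sysrage@sysrage.net)
#
# Usage: run as root with no arguments. The three values below default to
# the ones this script has always used and can be overridden from the
# environment, e.g.  EXT_IF=eth1 ./firewall.sh
#   EXT_IF   - external (Internet-facing) interface the input rules apply to
#   LAN_NET  - internal network that is masqueraded out through EXT_IF
#   FWD_HOST - internal host that receives the ipmasqadm autofw port ranges

set -u

EXT_IF=${EXT_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
FWD_HOST=${FWD_HOST:-192.168.1.2}

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Every rule change below needs root; without this check a non-root run
# fails on each ipchains call and leaves whatever ruleset was loaded before.
[[ "$EUID" -eq 0 ]] || die "must be run as root"
command -v ipchains >/dev/null || die "ipchains not found"
command -v ipmasqadm >/dev/null || die "ipmasqadm not found"

echo 1 > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"

## Flush all chains
ipchains -F input
ipchains -F output
ipchains -F forward

## Set Default Policies
# input/output stay ACCEPT so lo and the LAN side are unrestricted; the
# external interface is closed by the final log+DENY rule on EXT_IF below.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY

## IPMasq Rule
ipchains -A forward -j MASQ -s "$LAN_NET" -d 0.0.0.0/0

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
ipchains -M -S 7200 10 160

## Allow FTP and SSH + telnet
# 20:23 covers ftp-data, ftp, ssh and telnet; telnet is a cleartext
# protocol, so confirm it is still wanted on the external interface.
ipchains -A input -i "$EXT_IF" --proto tcp --dport 20:23 --jump ACCEPT

## Allow SMTP (and POP3 on 110)
ipchains -A input -i "$EXT_IF" --proto tcp --dport 25 --jump ACCEPT
ipchains -A input -i "$EXT_IF" --proto tcp --dport 110 --jump ACCEPT

## Allow HTTP and HTTPS
ipchains -A input -i "$EXT_IF" --proto tcp --dport 80 --jump ACCEPT
ipchains -A input -i "$EXT_IF" --proto tcp --dport 443 --jump ACCEPT

## Allow Auth
ipchains -A input -i "$EXT_IF" --proto tcp --dport 113 --jump ACCEPT

## This is needed for resolving IPs
ipchains -A input -i "$EXT_IF" --proto tcp --dport 53 --jump ACCEPT
ipchains -A input -i "$EXT_IF" --proto udp --dport 53 --jump ACCEPT
# NOTE(review): 137:138 is NetBIOS name/datagram service, not DNS; accepting
# it from the external interface exposes SMB browsing to the Internet —
# confirm it is needed here rather than only on the LAN side.
ipchains -A input -i "$EXT_IF" --proto tcp --dport 137:138 --jump ACCEPT
ipchains -A input -i "$EXT_IF" --proto udp --dport 137:138 --jump ACCEPT

## Talk ports
ipchains -A input -i "$EXT_IF" --proto udp --dport 517:518 --jump ACCEPT

## Allow all user ports
# NOTE(review): these two rules accept new inbound connections on every port
# above 1018 from EXT_IF, not only replies to outbound traffic; the masqueraded
# return ports and the autofw ranges below rely on this. Restricting the TCP
# rule with "! -y" (non-SYN only) would close that hole but would also block
# the TCP autofw ranges, which would then need their own ACCEPT rules first.
ipchains -A input -i "$EXT_IF" --proto tcp --dport 1019:65535 --jump ACCEPT
ipchains -A input -i "$EXT_IF" --proto udp --dport 1019:65535 --jump ACCEPT

## Allow ICMP replies (Don't log in case of smurf)
ipchains -A input -i "$EXT_IF" --proto icmp --jump ACCEPT

## Deny Everything Else
ipchains -A input -i "$EXT_IF" --log --jump DENY

## Speed up output
# Set the "minimize delay" TOS bit on all outgoing TCP.
ipchains -A output -p tcp -d 0/0 -t 0x01 0x08

## Flush forwarding rules
ipmasqadm autofw -F

### Start forwarding rules
# ICQ
ipmasqadm autofw -A -r udp 4000 4000 -h "$FWD_HOST"
ipmasqadm autofw -A -r tcp 20020 20039 -h "$FWD_HOST"

# Diablo 2
#ipmasqadm autofw -A -r tcp 4000 4000 -h 192.168.1.2
ipmasqadm autofw -A -r tcp 6112 6119 -h "$FWD_HOST"
ipmasqadm autofw -A -r udp 6112 6119 -h "$FWD_HOST"

# The disabled entries below forward to 192.168.0.14, which is outside the
# default LAN_NET (192.168.1.0/24); adjust the host before re-enabling any.

# IParty
# ipmasqadm autofw -A -r tcp 6004 6004 -h 192.168.0.14
# ipmasqadm autofw -A -r udp 6004 6004 -h 192.168.0.14

# Re-Volt + Midtown Madness
#ipmasqadm autofw -A -r tcp 2300 2400 -h 192.168.0.14
#ipmasqadm autofw -A -r tcp 47600 47800 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 2300 2400 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 47600 47800 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 28800 28900 -h 192.168.0.14

# Midtown Madness Only
#ipmasqadm autofw -A -r tcp 1600 1700 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 1600 1700 -h 192.168.0.14
#ipmasqadm autofw -A -r tcp 64700 64900 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 64700 64900 -h 192.168.0.14

# CUSeeMe
#ipmasqadm autofw -A -r tcp 1503 1503 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 24032 24032 -h 192.168.0.14

# Gnutella
#ipmasqadm autofw -A -r tcp 6346 6346 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 6346 6346 -h 192.168.0.14

# Napster
#ipmasqadm autofw -A -r tcp 6699 6699 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 6699 6699 -h 192.168.0.14

# Dialpad
#ipmasqadm autofw -A -r udp 51200 51201 -h 192.168.0.14
#ipmasqadm autofw -A -r tcp 51210 51210 -h 192.168.0.14

# Quake
# ipmasqadm autofw -A -r tcp 26000 28000 -h 192.168.0.14
# ipmasqadm autofw -A -r udp 26000 28000 -h 192.168.0.14

# nox
#ipmasqadm autofw -A -r udp 18590 18599 -h 192.168.0.14

# Kali
#ipmasqadm autofw -A -r udp 2213 2213 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 6666 6666 -h 192.168.0.14

# (This way of forwarding is just an experiment. Use the method shown above.)
# Unreal
#ipmasqadm autofw -A -r tcp 7600 7900 -h 192.168.0.14
#ipmasqadm autofw -A -r udp 7600 7900 -h 192.168.0.14
#export port=7600
# while [ $port -le 7900 ]
# do
#   ipmasqadm portfw -a -P tcp -L 64.30.197.199 $port -R 192.168.0.14 $port
#   export port=$((port+1))
# done
#export port=7600
# while [ $port -le 7900 ]
# do
#   ipmasqadm portfw -a -P udp -L 64.30.197.199 $port -R 192.168.0.14 $port
#   export port=$((port+1))
# done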