7 # Homepage: http://reaim.sourceforge.net/
9 # Copyright: Mark Cooke, March 2002. All Rights Reserved.
11 # License: GNU General Public License, Version 2.
13 # CVS Data: $Id: firewall.sh,v 1.6 2003/03/27 14:39:36 mark-c Exp $
17 # Sample script to configure the necessary firewall rules
18 # for ReAim using iptables. See the source for an ipt/NetBSD example.
22 # No warranty. Patches, bug reports, success stories and other contributions
26 # -------------------------
27 # User configurable section
28 # -------------------------
30 # The user must uncomment the INSIDE_IF and OUTSIDE_IF
31 # lines, and select the appropriate network interfaces
32 # for this script to use to configure networking.
34 # Example ethernet-connected cable / corporate firewall:
38 # Example home LAN with dialup:
42 #--------------------------------------------------------------
43 # SHOULD NOT HAVE TO CHANGE ANYTHING BELOW HERE
44 #--------------------------------------------------------------
49 echo "Usage: newchain {name}"
52 # If chain already exists just flush it, else create it.
53 $IPT $2 -L -n | grep "$1 " > /dev/null
62 # Just in case we don't have the sbin directories in the
63 # path, tag them to the end.
# Make sure the firewall tool directories are searched even when root's PATH
# lacks them.  NOTE(review): they are appended, not prepended, so a same-named
# binary earlier in PATH still takes precedence over /sbin and /usr/sbin.
64 export PATH=$PATH:/sbin:/usr/sbin
66 # Sanity check the user supplied interfaces...
# The leading "X" keeps the test well formed when the variable is empty; the
# value itself is unquoted, so an interface name containing whitespace would
# break the comparison.  The 'then' / 'exit' / 'fi' lines of these conditions
# are not shown in this listing.
68 if [ X${INSIDE_IF} = "X" ];
70 echo "INSIDE_IF was not defined. Please adjust the start of the script."
# NOTE(review): the interface name is used as an unanchored basic regex, so a
# prefix such as "eth" also matches "eth0:" and the check passes for a device
# that does not exist.
73 grep -q "${INSIDE_IF}:" /proc/net/dev
76 echo "INSIDE_IF (${INSIDE_IF}) is not listed as an interface in /proc/net/dev."
81 if [ X${OUTSIDE_IF} = "X" ];
83 echo "OUTSIDE_IF was not defined. Please adjust the start of the script."
# Same unanchored-prefix caveat as the INSIDE_IF check above.
86 grep -q "${OUTSIDE_IF}:" /proc/net/dev
89 echo "OUTSIDE_IF (${OUTSIDE_IF}) is not listed as an interface in /proc/net/dev."
# Both values are unquoted here as well; presumably the earlier checks have
# already exited on an empty value (the exit lines are not shown here).
94 if [ ${INSIDE_IF} = ${OUTSIDE_IF} ];
96 echo "INSIDE_IF and OUTSIDE_IF are not allowed to be the same device!"
100 # Find the iptables tool...
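# Locate the iptables binary.  `command -v` is the portable probe: `which` is
# an external tool that is not present everywhere and, on some systems, prints
# its "not found" message to stdout, which the 2>/dev/null above would not hide
# and which would then be taken as the tool's path.  An empty result is
# reported with a readable error on the lines that follow.
IPT=$(command -v iptables 2>/dev/null)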
# Abort with a readable message when no iptables binary was found (the exit
# itself is on a line not shown here).
103 if [ X${IPT} = "X" ];
105 echo "Unable to locate iptables. Please ensure you have it installed."
109 # Check to see if iptables is available by looking in /proc
111 # This basically ensures that the user's already loaded the iptables
# As the comment above says, the /proc entry is used as evidence that the
# kernel side of iptables is loaded; a missing file means the userspace tool
# could not install rules anyway.
114 if [ ! -f /proc/net/ip_tables_names ];
116 echo "Unable to find iptables information in /proc."
120 # Check we have root privs
# NOTE(review): the privilege test itself sits on a line not shown in this
# listing; only its error message is visible here.
123 echo "iptables requires root privs to run."
# Dry-run banner.  The wording implies IPT_X normally holds a no-op/echo
# command and is only switched to the real tool by hand -- that assignment is
# on a line not shown here, so confirm.  Note the inner quotes around $IPT are
# consumed by the shell: this prints IPT_X=$IPT, not IPT_X="$IPT".
127 echo "--------------------------------------------------------------"
128 echo "WARNING: This script has not been production tested."
129 echo " Uncomment the IPT_X="\$IPT" line if you're brave!"
130 echo " The following is what would be done..."
131 echo "--------------------------------------------------------------"
136 # Create new chains or flush existing ones with these names.
# newchain's second argument selects the table: REAIM_PRE lives in nat because
# it holds the REDIRECT rules below.  (The REAIM_IN chain is presumably
# created on a line not shown here -- confirm.)
139 newchain REAIM_PRE "-t nat"
141 # Add the AIM accept rules to the outside interface...
# Every rule is inserted at position 1, so within each group the last line
# listed ends up first; order is immaterial here because every target is
# ACCEPT.  These rules admit inbound TCP to the listed ports on the external
# interface with no connection-state, source or rate qualifier -- they are only
# as safe as the ReAim listener behind them, so a deployment whose outside
# interface faces the Internet should consider narrowing them.
142 $IPT_X -I REAIM_IN 1 -i ${OUTSIDE_IF} -p tcp --dport 4443 -j ACCEPT
143 $IPT_X -I REAIM_IN 1 -i ${OUTSIDE_IF} -p tcp --dport 5190 -j ACCEPT
144 $IPT_X -I REAIM_IN 1 -i ${OUTSIDE_IF} -p tcp --dport 5566 -j ACCEPT
146 # Add the MSN accept rules to the outside interface...
147 $IPT_X -I REAIM_IN 1 -i ${OUTSIDE_IF} -p tcp --dport 1864 -j ACCEPT
149 # Add the DYNAMIC DCC port range to the outside interface...
# One hundred ports (40000-40099 inclusive) are opened on the outside
# interface for the file-transfer callbacks.
150 $IPT_X -I REAIM_IN 1 -i ${OUTSIDE_IF} -p tcp --dport 40000:40099 -j ACCEPT
152 # Add the AIM port interception rules to the inside interface...
# Transparent interception: TCP arriving on the inside interface for any
# destination's port 5190 (no -d given) is redirected to the local port 5190
# in the nat PREROUTING path via REAIM_PRE.  Only packets entering on
# INSIDE_IF match, so traffic from the outside is never redirected.
153 $IPT_X -I REAIM_PRE 1 -t nat -i ${INSIDE_IF} -p tcp --dport 5190 -j REDIRECT --to-port 5190
154 $IPT_X -I REAIM_IN 1 -i ${INSIDE_IF} -p tcp --dport 4443 -j ACCEPT
155 $IPT_X -I REAIM_IN 1 -i ${INSIDE_IF} -p tcp --dport 5190 -j ACCEPT
156 $IPT_X -I REAIM_IN 1 -i ${INSIDE_IF} -p tcp --dport 5566 -j ACCEPT
158 # Add the MSN port interception rules to the inside interface...
# Same pattern as AIM: inside-originated MSN (1863) is pulled to the local
# daemon; 1863-1864 are then accepted on the inside interface.
159 $IPT_X -I REAIM_PRE 1 -t nat -i ${INSIDE_IF} -p tcp --dport 1863 -j REDIRECT --to-port 1863
160 $IPT_X -I REAIM_IN 1 -i ${INSIDE_IF} -p tcp --dport 1863:1864 -j ACCEPT
163 # Add the REAIM_* chains to the appropriate place, but only if they
164 # didn't already exist.
# Anchored match on the target column of `iptables -L INPUT -n`; the grep
# status is evaluated on a line not shown here.
165 $IPT -L INPUT -n | grep "^REAIM_IN " > /dev/null
# NOTE(review): REAIM_IN is hooked at position 1 of INPUT, ahead of every
# pre-existing rule, and it contains only ACCEPTs -- so the ports above are
# admitted even where a later INPUT rule would otherwise drop or reject them.
168 $IPT_X -I INPUT 1 -j REAIM_IN
171 $IPT -L PREROUTING -t nat -n | grep "^REAIM_PRE " > /dev/null
174 $IPT_X -I PREROUTING 1 -t nat -j REAIM_PRE