From: Iain Buchanan
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
Date: Thu, 16 Nov 2006 09:56:41 +0930
Message-Id: <1163636801.16385.109.camel@orpheus>
In-Reply-To: <200611152029.35737.michaelkintzios@gmail.com>

On Wed, 2006-11-15 at 20:29 +0000, Mick wrote:
> Hi All,
>
> I have been using Daniel Robbins' basic script for years but now on a laptop I
> have more than one way of connecting to the Internet. The script uses the
> variable UPLINK to define the incoming interface like so:
> ==============================================
> #change this to the name of the interface that provides your "uplink"
> #(connection to the Internet)

you could try modifying the script slightly:

> UPLINK="eth0"

make that

UPLINK="eth0 ppp0"    # space separated

then I was going to say use a for i in x; do ...; done loop, but I realised
that won't work exactly, because of the line

> iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

then something strange would happen. What you're really saying is "for every
interface not specified, accept incoming packets". This gets a bit tricky,
'cause you either have to parse the output of ifconfig (ugly) or specify the
interfaces that are NOT "uplinks" (prone to user error). You could say:

UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    for IFS in `ifconfig | grep "Link encap:" | awk '{print $1}'`; do
        for UPIFS in ${UPLINK}; do
            # if IFS isn't in UPIFS, then accept all traffic on IFS
            if ...

forget that! too ugly.

What are you really trying to do? Make all your interfaces the "uplink", ie.
firewalled? In that case, just say this:

> UPLINK="who cares?"
>
> if [ "$1" = "start" ]
> then
>     echo "Starting firewall..."
>     iptables -P INPUT DROP
>     iptables -A INPUT -i lo -j ACCEPT
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

done! Now everything is firewalled, and only lo is trusted.

However, I haven't seen the rest of this script, so I don't know if that will
break things. Maybe you want to post back with some more info if that doesn't
suit your needs...

cya!
-- 
Iain Buchanan

"How many people work here?"
"Oh, about half."
-- 
gentoo-user@gentoo.org mailing list
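The following is an added example, not code from the thread above and not part of Daniel Robbins' script. It does the multi-uplink version of what Mick asked for: every interface listed in UPLINK is firewalled (only established/related traffic gets in), and every other interface is treated as trusted, which is the meaning of the original `-i ! ${UPLINK}` rule. Instead of negation, which current iptables only accepts as `! -i eth0`, it enumerates the interfaces and emits one ACCEPT per non-uplink. The function names (is_uplink, list_ifaces, build_rules, apply_rules) are mine, /sys/class/net is assumed as the interface source on Linux, and the fallback interface list is constructed sample data so the script runs anywhere.

```shell
#!/bin/sh
# Added example: multi-uplink variant of the "accept on everything that is
# not the uplink" rule. Not from the original thread.

# Space-separated list of interfaces that face the Internet (assumption:
# override via the environment, e.g. UPLINK="eth0 ppp0" ./fw.sh start).
UPLINK="${UPLINK:-eth0 wlan0 ppp0}"

# is_uplink IFACE: succeed if IFACE appears in $UPLINK.
# Note: IFS is the shell's field separator, so it must not be reused as an
# ordinary loop variable; plain names are used here.
is_uplink() {
    for u in $UPLINK; do
        if [ "$u" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# list_ifaces: interface names from /sys/class/net; if that directory is
# missing (non-Linux), fall back to a constructed sample list.
list_ifaces() {
    if [ -d /sys/class/net ]; then
        ls /sys/class/net
    else
        printf '%s\n' lo eth0 eth1 wlan0
    fi
}

# build_rules IFACE...: print the iptables commands, one per line, for the
# given interfaces. Order matters: flush, default DROP, loopback, then the
# state rule so existing sessions survive, then one ACCEPT per trusted
# (non-uplink) interface. Uplinks get no ACCEPT and fall through to DROP.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ifc in "$@"; do
        if [ "$ifc" = lo ]; then
            continue                # already handled above
        fi
        if is_uplink "$ifc"; then
            continue                # firewalled: no blanket ACCEPT
        fi
        echo "iptables -A INPUT -i $ifc -j ACCEPT"
    done
}

# apply_rules IFACE...: run the generated commands (needs root).
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

case "${1:-}" in
    start) echo "Starting firewall..."; apply_rules $(list_ifaces) ;;
    show)  build_rules $(list_ifaces) ;;
esac
```

Run `./fw.sh show` first to see the rule set without touching the kernel, then `./fw.sh start` as root. Because trusted interfaces are enumerated at run time, an interface that appears later (a USB NIC plugged in after boot) is not accepted until the script is rerun; that fails closed, which is the safer direction for a laptop that roams between networks. An uplink that appears later (ppp0 dialled up after boot) needs no rerun, since uplinks never get an ACCEPT anyway.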