| HardWall FireWall - Workstation / NAT / Bridge |
| Readme / Help File                             |
------------------------------------------------------------
------------------------------------------------------------
| I would like to thank all the people who contributed |
| and have made this Firewall Script / Package happen. |
| |
| Mandrake, Gorthan, TexNAss, NovaStorm, DeadGuy, Cromd, |
| Warlock, Psycho, TLUG, http://forums.whirlpool.net.au, |
| Taipan, www.netfilter.org & http://freshmeat.net/ipkungfu |
------------------------------------------------------------
| HardWall FireWall is licensed under the General Public License   |
| and may only be (re)distributed under the terms of this GPL.     |
| Please make sure you have read & understood the GPL agreement;   |
| a copy has been provided as reference in this package as GPL.txt |
The script is designed to be placed in '/etc/rc.d/' as 'rc.hwfirewall'. After you have obtained an IP address on an external WAN / Ethernet or PPP interface, it should be launched via something like /etc/ppp/ip-up.local (for DHCP connections you can use '/etc/dhclient-exit-hooks' instead). If you have a static IP address you can specify it via the Main.Config file and just launch it via something like '/etc/rc.local' to start on boot.
Note: the HwFirewall package contains a contrib directory with init & DHCP
client / PPP dynamic scripts to help users start the Firewall on
bootup or when an IP has been obtained / changed from the ISP.
Users should read these files for information on how to use them.
The files listed below in the [] brackets are the files used by HardWall Firewall. You can use these files to set custom rules as well as configure the Firewall for your given situation. These files are intended to be changed only by the user / admin, so that new versions of the FireWall can be installed without too much impact on configuration; the only file that may need to be changed every now and then is the config file named main.config-hwfw. All files for Hw-Fw are created on the first successful run of the script, unless they already exist.
| Your HardWall Firewall Configuration |
| Directory will be and must be in. |
| '/etc/hwfw/' |
-----------------------------------------
Please note that in all of the hwfw.rules files in the config directory you can use the global variable directives from Main.Config and from the main Firewall bash script itself. Below is a list of some of the directives available and what they do, as well as a description of the files in the config directory.
| Configuration Files |
-----------------------
[main.config-hwfw]    ## This is the Main Configuration File for HardWall Firewall
[allowed.hosts]       ## IP addresses of computers / networks requiring access to
                      ## the Internet go in this file.
[deny.hosts]          ## IP addresses of hosts you wish to block access to and from
[forward-hwfw.rules]  ## Set forwarding rules here, this includes any port forwarding
    $IPTABLES -A DOWNNEW -d 192.168.0.1 -p tcp --dport 5000:6000 -j ACCEPT
[nat-hwfw.rules]      ## NAT rules file, used for DNAT (Port Forwarding) & SNAT rules
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 4200:4300 -j DNAT --to 172.16.222.221
[mangle-hwfw.rules]   ## Mangle rules, used for early marking or for dropping packets
    $IPTABLES -t mangle -A FORWARD -i ppp0 -o eth0 -d 192.168.0.1 -j MARK --set-mark 1
    $IPTABLES -t mangle -A FORWARD -i ppp0 -o eth0 -d 192.168.0.2 -j MARK --set-mark 2
[output-hwfw.rules]   ## Allow Local Services to access the Internet if need be
    $IPTABLES -A OUTEXT -p tcp -m multiport --dports 25,80,110,443,465,995 -j ACCEPT
[input-hwfw.rules]    ## Allow the Internet to access these local services ...
    $IPTABLES -A EXTIN -p tcp -m multiport --dports 25,80,110,443,465,995 -j ACCEPT
    $IPTABLES -A EXTIN -p udp --dport 53 -j ACCEPT
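As an added example (not part of the HardWall package), the script below dry-runs a rules file the way the firewall sources it: it sets the documented globals to constructed sample values, points $IPTABLES at a recorder function instead of the real binary, and then checks the expanded rules against a list of chains that exist, so a port-forward whose filter rule names a misspelled chain is caught before the firewall loads it. The helper names, temp files and addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not HardWall's own code. The firewall sources each *-hwfw.rules
# file after exporting its globals, so a rules file can be checked offline by
# making $IPTABLES a shell function that records rules instead of loading them.
# All values below are constructed samples.
EXTIF=ppp0; INTIF=eth0; INTNET=192.168.0.0/24; INTIP=192.168.0.1
EXTIP=203.0.113.5; UNIVERSE=0.0.0.0/0

# Stand-in for the iptables binary: print the fully expanded rule.
record_rule() { printf '%s\n' "$*"; }

# Source a rules file with $IPTABLES pointing at the recorder; output is the
# rule list exactly as the firewall would hand it to iptables.
hwfw_dryrun() {
    IPTABLES=record_rule
    ( . "$1" )
}

# Count rules that append (-A) to a chain not in the space-separated list $2,
# i.e. rules iptables would reject because the chain does not exist.
hwfw_unknown_chains() {
    hwfw_dryrun "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        { for (i = 1; i < NF; i++) if ($i == "-A") { c = $(i+1); if (!(c in ok)) bad++ } }
        END { print bad + 0 }'
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
# Constructed nat-hwfw.rules: DNAT a port range on the WAN address to an inside host.
cat > "$TMPD/nat-hwfw.rules" <<'EOF'
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 4200:4300 -j DNAT --to 192.168.0.10
EOF
# Constructed forward-hwfw.rules: the DOWNNEW rule the DNAT needs, plus one
# rule whose chain name is misspelled and would fail to load.
cat > "$TMPD/forward-hwfw.rules" <<'EOF'
$IPTABLES -A DOWNNEW -d 192.168.0.10 -p tcp --dport 4200:4300 -j ACCEPT
$IPTABLES -A DOWNEW -d 192.168.0.11 -p tcp --dport 22 -j ACCEPT
EOF

hwfw_dryrun "$TMPD/nat-hwfw.rules"
hwfw_unknown_chains "$TMPD/forward-hwfw.rules" "PREROUTING POSTROUTING DOWNNEW EXTIN OUTEXT LOCIN LOCOUT"
```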
| Common Global Variable's |
-----------------------------
[ $EXTIF ]        External Interface
[ $INTIF ]        Internal Interface
[ $INTNET ]       Internal Network
[ $INTIP ]        Internal IP Address
[ $NETCAST ]      Local Broadcast Addr
[ $EXTIP ]        External IP Address
[ $BROADCAST ]    Broadcast Addr
[ $UNIVERSE ]     All Hosts or 0.0.0.0/0
[ $IPTABLES ]     IPTABLES Binary
[ $RESERVED_NET ] List of Blocked Hosts
-------------------------------
| Custom Available Userchains |
-------------------------------
[Table] [Chain] [Usage / Definition]
mangle PRENETCHK Used to Drop all of the $RESERVED_NET Hosts early as possible
mangle DROPNLOG Chain that will Drop & Log for Mangle Table rules.
filter LOCIN Chain for Local INPUT Rules Via Internal Interface
filter LOCOUT Chain for Local OUTPUT Rules Via Internal Interface
filter EXTIN Chain for External Interface INPUT Rules
filter EXTNEW Chain for allowing local services back to the Internet
filter OUTEXT Chain for External Interface OUTPUT Rules
filter DOWNLOAD Chain for Rules Forwarding in the Down Direction
filter DOWNKNOW Used from above to check all the ESTABLISHED,RELATED rules
filter DOWNNEW Chain for Port Forwarding / NEW Related Forwarding Rules
filter DOWNSPAM DoS Prevention & Protection Rules for Down Traffic
filter UPLOAD Chain for Rules Forwarding in the Up Direction
filter UPSPAM DoS Prevention & Protection Rules for Up Traffic
filter UP/DOWN TCP Chain used for TCP Protection & extra rules
filter UP/DOWN UDP Chain used for UDP Inspection & Port Protection
filter ICMPDOWN Chain for Input / Down Based ICMP Rules
filter ICMPUP Chain for Output / Up Based ICMP Rules
filter NEWINVALID Chain to Drop & Log New / Invalid Incoming Packets
filter dandgit Chain that will Drop & Log; can also start to automatically deny
               the packets higher in the rulesets, but only if RECENT=1.
