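# $HeadURL$ $LastChangedRevision$
#
# Settings for the iptables script. This file is read as shell code:
# values may refer to earlier settings with '$' and IPTABLES_CMDS below
# is a bash array. Keep it owned by the account that runs the script
# (root, for iptables) and not writable by anyone else, because anything
# written here is executed with that script's privileges.
#
# Should this software be enabled? (ENABLE)
#
# Set this to 'true' if you want the iptables script to manage iptables
# for you. Otherwise set this to 'false'. There is no default. E.g.:
#
# ENABLE=true
# ENABLE=false
#
# (The point of this is to ensure that if you install this program then
# you automatically get a secure configuration; of course once you start
# modifying this configuration then that may no longer be the case.)
#
ENABLE=true
#
# Should this machine masquerade? (MASQUERADE_FLAG)
#
# Set this to 'true' if you have a home network and your contract with
# your ISP is to connect only *one* machine to the internet (it probably is)
# and it is *this* machine that will connect to the internet. Otherwise
# set it to 'false'. There is no default, so you must set it to one
# or the other. E.g.:
#
# MASQUERADE_FLAG=true
# MASQUERADE_FLAG=false
#
MASQUERADE_FLAG=false
#
# Which interfaces should not be firewalled? (TRUSTED_NICS)
#
# (Can 'firewall' be used as a verb?) Set this to 'lo' if you don't
# trust anybody. Set it to 'lo eth0' if you have a secure home LAN.
# Set it to 'lo wlan0' if you have a secure home WLAN. Set it to
# 'lo eth0 wlan0' if you have both. You almost certainly do *not*
# want to put 'ppp0' in the list. Etc. There is no default.
#
# Traffic arriving on a trusted interface is not filtered at all, so
# only list interfaces whose every peer you trust. A space-separated
# list, quoted when it has more than one entry. E.g.:
#
# TRUSTED_NICS=lo
# TRUSTED_NICS="lo eth0 dummy0"
# TRUSTED_NICS="lo eth0 ath0 dummy0 wlan0 eth1"
#
TRUSTED_NICS="lo vmnet0 dummy0"
#
# Hosts to block in both directions (BLOCK_HOSTS)
#
# This should be a space-separated list of IP addresses optionally
# followed by "/" and a netmask or netmask bit count. E.g. here is
# the entry for www.remoteapproach.com or their network:
#
# BLOCK_HOSTS="65.17.226.156"
# BLOCK_HOSTS="65.17.226.0/255.255.255.0"
#
# (This is the format used by the '-d' and '-s' options of iptables(8).)
# DO NOT PUT HOSTNAMES HERE! THEY WILL PROBABLY NOT BE RESOLVABLE!
#
# This setting is applied on all interfaces not listed in TRUSTED_NICS
# above.
#
BLOCK_HOSTS="65.17.226.0/24"
#
# Do you want to open services not mentioned in /etc/services?
#
# If you do then you can just reference the ports by port number instead
# of port name, but you could also just define some variables here.
# The names of the variables are entirely up to you, but the values
# should be, just as for OPEN_PORTS below, either 'tcp/' or 'udp/' followed
# by the service name (as mentioned in /etc/services) or port number.
# Such settings will only be used if referenced in the value of OPEN_PORTS.
# E.g.:
#
SPEAKFREELY_PORTS="udp/2074 udp/2075"
LOOKWHOSLISTENING_PORTS="tcp/2076"
I2P_PORTS="udp/8887"
MY_HTC_PORTS="tcp/9999"
MY_AZUREUS_PORTS="tcp/6885 udp/6885 tcp/29000 udp/29000"
#
# Do you want to open any services to the internet? (OPEN_PORTS)
#
# List them here. ICMP should be listed as just 'icmp' but TCP and
# UDP services should be listed as either 'tcp/' or 'udp/' followed
# by the service name (as mentioned in /etc/services) or port number,
# or by using a variable name defined above prefixed with '$'. E.g.
# to enable access to your web server, your CVS pserver and your
# speakfreely audio server (whose ports are defined above) use:
#
# OPEN_PORTS="tcp/http tcp/cvspserver $SPEAKFREELY_PORTS"
#
# Everything listed here is reachable from every interface that is not
# in TRUSTED_NICS. Review the list whenever a service is retired; note
# that the active value below exposes udp/syslog, which accepts
# unauthenticated log messages, so make sure that is intended.
#
# OPEN_PORTS="$SPEAKFREELY_PORTS $LOOKWHOSLISTENING_PORTS icmp tcp/http tcp/auth tcp/gnutella-svc tcp/svn tcp/ssh $MY_HTC_PORTS $I2P_PORTS $MY_AZUREUS_PORTS"
OPEN_PORTS="icmp tcp/gnutella-svc udp/syslog tcp/http tcp/ssh tcp/auth $MY_AZUREUS_PORTS"
#
# Do you need any special rules? (IPTABLES_CMDS)
#
# This is an array of calls to iptables (bash array syntax; a plain
# POSIX sh will not accept it). Note it is an array; so you need to
# sequence the array index accordingly. The calls are just like
# normal calls with the following restrictions:
#
# *) don't specify "-i "; this will be added automatically
#
# *) the call must begin "iptables -A ..." or "iptables -I ...";
#    this is because the 'undo' code in the 0iptables program is
#    not intelligent enough to handle anything else.
#
# E.g. Here is a rule to get the XDMCP browser working properly. This
# rule cannot be specified in the OPEN_PORTS definition above because
# it is not the destination port that is fixed, it is the source port!
# Bear in mind that the source port is chosen by the remote end, so a
# rule that matches only on --sport should also be narrowed with -s to
# the hosts you expect to hear from, where that is possible.
#
# IPTABLES_CMDS[0]="iptables -A INPUT --protocol udp --sport xdmcp -j ACCEPT"
#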