Hi ! I am trying to configure a script to securise a Linux FreesWan on SuSE 7.1 Professional edition , I use the sample script below (writed for the Red Hat distribution), I use the script to replace the /etc/rc.config.d/firewall.rc.config, but it does not work, what changes can I do on the script to adapt it for the SuSe 7.1 version to make the ipchains work ? Thanks for your help. Aboubacar Dramé Montreal, Quebec, Canada #!/bin/sh # # ---------------------------------------------------------------------------- # Last modified by Gerhard Mourani: 10-10-2000 # ---------------------------------------------------------------------------- # Copyright (C) 1997, 1998, 1999 Robert L. Ziegler # # Permission to use, copy, modify, and distribute this software and its # documentation for educational, research, private and non-profit purposes, # without fee, and without a written agreement is hereby granted. # This software is provided as an example and basis for individual firewall # development. This software is provided without warranty. # # Any material furnished by Robert L. Ziegler is furnished on an # "as is" basis. He makes no warranties of any kind, either expressed # or implied as to any matter including, but not limited to, warranty # of fitness for a particular purpose, exclusivity or results obtained # from use of the material. # ---------------------------------------------------------------------------- # # Invoked from /etc/rc.d/init.d/firewall. # chkconfig: - 60 95 # description: Starts and stops the IPCHAINS Firewall \ # used to provide Firewall network services. # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. if [ ${NETWORKING} = "no" ] then exit 0 fi if [ ! -x /sbin/ipchains ]; then exit 0 fi # See how we were called. case "$1" in start) echo -n "Starting Firewalling Services: " # Some definitions for easy maintenance. # ---------------------------------------------------------------------------- # EDIT THESE TO SUIT YOUR SYSTEM AND ISP. EXTERNAL_INTERFACE="eth0" # Internet connected interface # LOCAL_INTERFACE_1="eth1" # Internal LAN interface # LOOPBACK_INTERFACE="lo" # Your local naming convention IPADDR="my.ip.address" # Your IP address # LOCALNET_1="192.168.1.0/24" # Whatever private range you use IPSECSG="my.ipsecsg.address" # Space separated list of remote VPN gateways FREESWANVI="ipsec0" # Space separated list of virtual interfaces ANYWHERE="any/0" # Match any IP address # NAMESERVER_1="my.name.server.1" # Everyone must have at least one # NAMESERVER_2="my.name.server.2" # Your secondary name server # ------------------------------------------------------------------ # OUTGOING TRACEROUTE # ------------------- #ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ # -s $IPADDR $TRACEROUTE_SRC_PORTS \ #-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT # ---------------------------------------------------------------------------- # Unlimited traffic within the local network. # All internal machines have access to the firewall machine. # ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT # ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT # ---------------------------------------------------------------------------- # FreeS/WAN IPSec VPN # ------------------- # If you are using the FreeSWAN IPSec VPN, you will need to fill in the # addresses of the gateways in the IPSECSG and the virtual interfaces for # FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of # this firewall script rules file to set the parameters. # IPSECSG is a Space separated list of remote gateways. FREESWANVI is a # Space separated list of virtual interfaces for FreeS/Wan IPSEC # implementation. Only include those that are actually used. # Allow IPSEC protocol from remote gateways on external interface # IPSEC uses three main types of packet: # IKE uses the UDP protocol and port 500, # ESP use the protocol number 50, and # AH use the protocol number 51 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $IPSECSG -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -d $IPSECSG -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \ -s $IPSECSG -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \ -d $IPSECSG -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \ -s $IPSECSG -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \ -d $IPSECSG -j ACCEPT # Allow all traffic to FreeS/WAN Virtual Interface ipchains -A input -i $FREESWANVI \ -s $ANYWHERE \ -d $ANYWHERE -j ACCEPT ipchains -A output -i $FREESWANVI \ -s $ANYWHERE \ -d $ANYWHERE -j ACCEPT # Forward anything from the FreeS/WAN virtual interface IPSEC tunnel ipchains -A forward -i $FREESWANVI \ -s $ANYWHERE \ -d $ANYWHERE -j ACCEPT # Disable IP spoofing protection to allow IPSEC to work properly echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter # ---------------------------------------------------------------------------- ;; stop) echo -n "Shutting Firewalling Services: " # Remove all existing rules belonging to this filter ipchains -F # Delete all user-defined chain to this filter ipchains -X # Reset the default policy of the filter to accept. ipchains -P input ACCEPT ipchains -P output ACCEPT ipchains -P forward ACCEPT ;; status) status firewall ;; restart|reload) $0 stop $0 start ;; *) echo "Usage: firewall {start|stop|status|restart|reload}" exit 1 esac exit 0