##
#
# initialize.fw: setup the default firewall rules
#
# *** NOTE ***
#
# If you want to have local firewall rules in addition to what NoCat
# provides, add them at the bottom of this file.  They will be recreated
# each time gateway is restarted.
#
##

# The current service classes by fwmark are:
#  3: Public
#  4: Free

# Note: your PATH is inherited from the gateway process
#

if [ $(id -u) = 0 ]; then
    # Enable IP forwarding and rp_filter (to kill IP spoof attempts).
    #
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    # Load alllll the kernel modules we need.
    #
    rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.

    for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT  \
        ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
        ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
        ip_nat_irc ipt_mac ipt_state ipt_mark; do

        modprobe $module
    done
fi

# Flush all user-defined chains
#
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -A FORWARD -j NoCat

iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -A PREROUTING -j NoCat_Capture

iptables -t nat -N NoCat_NAT 2>/dev/null

#
# Only nat if we're not routing
#
iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
[ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT

iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -A PREROUTING -j NoCat

fwd="iptables       -t filter -A NoCat"
nat="iptables       -t nat    -A NoCat_NAT"
redirect="iptables  -t nat    -A NoCat_Capture"
mangle="iptables    -t mangle -A NoCat"

for iface in $InternalDevice; do
    for net in $LocalNetwork; do
        $nat -o $ExternalDevice -s $net -j MASQUERADE
    done

    # Set packets from internal devices to fw mark 4, or 'denied', by default.
    $mangle -i $iface -j MARK --set-mark 4
done

for port in 80 443; do
    $redirect -m mark --mark 4 -p tcp --dport $port  -j REDIRECT \
        --to-port $GatewayPort
done

NoCatAllowPolicy (last edited 2007-11-23 18:03:47 by localhost)