Next Previous Contents

6. Common Machine Configuration

6.1 /etc/cipe/ip-up

Kernel 2.0, ipfwadm, cipe 1.0.x




#!/bin/bash 
# ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg> 
#3/29/1999 
#An example ip-up script for the older 1.x 2.x kernels using ipfwadm that 
#will setup routes and firewall rules to connect your local class c network 
#to a remote class c network. 

#The rules are configured to prevent spoofing and stuffed routing between 
#the networks.  There are also additional security enhancements commented 
#out towards the bottom of the script. 
#Send questions or comments to [email protected]. 

#-------------------------------------------------------------------------- 
#Set some script variables 
device=$1               # the CIPE interface 
me=$2                   # our UDP address 
pid=$3                  # the daemon's process ID 
ipaddr=$4               # IP address of our CIPE device 
vptpaddr=$5              # IP address of the remote CIPE device 
option=$6               # argument supplied via options 

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 

#comment/uncomment to enable/disbale kernel logging for all unauthorized 
#access attempts. Must be same as ip-down script in order to remove rules. 
log="-o" 

#-------------------------------------------------------------------------- 
umask 022 

# just a logging example 
#echo "UP   $*" >> /var/adm/cipe.log 

# many systems like these pid files 
#echo $3 > /var/run/$device.pid 

#-------------------------------------------------------------------------- 

#add route entry for remote cipe network 
network=`expr $ptpaddr : '\([0-9]*\.[0-9]*\.[0-9]*\.\)'`0 
route add -net $network netmask 255.255.255.0 dev $device 

#need to add route entry for host in 2.0 kernels 
route add -host $ptpaddr dev $device 

#-------------------------------------------------------------------------- 
#cipe interface incoming firewall rules 
#must be inserted into list in reverse order 

#deny all other incoming packets to cipe interface 
ipfwadm -I -i deny -W $device -S 0/0 -D 0/0 $log 

#accept incoming packets from remotenet to localnet on cipe interface 
ipfwadm -I -i accept -W $device -S $ptpaddr/24 -D $ipaddr/24 

#accept incoming packets from localnet to remotenet on cipe interface 
ipfwadm -I -i accept -W $device -S $ipaddr/24 -D $ptpaddr/24 

#deny incoming packets, cipe interface, claiming to be from localnet; log 
ipfwadm -I -i deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log 

#-------------------------------------------------------------------------- 
#cipe interface outgoing firewall rules 
#must be inserted into list in reverse order 

#deny all other outgoing packets from cipe interface 
ipfwadm -O -i deny -W $device -S 0/0 -D 0/0 $log 

#accept outgoing from remotenet to localnet on cipe interface 
ipfwadm -O -i accept -W $device -S $ptpaddr/24 -D $ipaddr/24 

#accept outgoing from localnet to remotenet on cipe interface 
ipfwadm -O -i accept -W $device -S $ipaddr/24 -D $ptpaddr/24 

#deny outgoing to localnet from localnet, cipe interface, deny; log 
ipfwadm -O -i deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log 

#-------------------------------------------------------------------------- 
#The forwarding is configured so machines on your local network do not get 
#masqueraded to the remote network.  This provides better access control 
#between networks.  Must be inserted into list in reverse order 

#deny all other forwarding through cipe interface; log 
ipfwadm -F -i deny -W $device -S 0/0 -D 0/0 $log 

#accept forwarding from remotenet to localnet on cipe interfaces 
ipfwadm -F -i accept -W $device -S $ptpaddr/24 -D $ipaddr/24 

#accept forwarding from localnet to remotenet on cipe interfaces 
ipfwadm -F -i accept -W $device -S $ipaddr/24 -D $ptpaddr/24 

#-------------------------------------------------------------------------- 
#Make sure forwarding is enabled in the kernel. The kernel by default may 
#have forwarding disabled. 
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward 

#-------------------------------------------------------------------------- 
#Optional security enhancement - set default forward policy to 
#DENY or REJECT.  If your forwarding default policy is DENY/REJECT 
#you will need to add the following rules to your main forward chain.  It 
#is a good idea to have all default policies set for DENY or 
#REJECT. 

#define machine interfaces 
#localif="eth0" 
#staticif="eth1"                ;cable modem users 
#staticif="ppp0"                ;dialup users 

#a real sloppy way to get the peer ip address from the options file - a new 
#argument with peer ip:port passed to script would be nice. 
#both lines need to be uncommented 
#peerfile=`grep $device /etc/cipe/options.* | cut -f1 -d:` 
#peer=`grep peer $peerfile | cut -f1 -d: | awk '{print $2}'` 

#must log peer ip address for ip-down script 
#echo $peer > /var/run/$device.peerip 

#accept forwarding from localnet to remotenet on internal network interface 
#ipfwadm -F -i accept -W $localif -S $ipaddr/24 -D $ptpaddr/24 
#accept forwarding from remotenet to localnet on internal network interface 
#ipfwadm -F -i accept -W $localif -S $ptpaddr/24 -D $ipaddr/24 
#accept forwarding on staticif from me to peer 
#myaddr=`echo $me | cut -f1 -d:` 
#ipfwadm -F -i accept -W $staticif -S $myaddr -D $peer 
#-------------------------------------------------------------------------- 
#Other optional security enhancement 
#block all incoming requests from everywhere to our cipe udp port 
#except our peer's udp port 

#need to determine udp ports for the cipe interfaces 
#get our udp port 
#if [ "$option" = "" ]; then 
#       myport=`echo $me | cut -f2 -d:` 
#else 
#       myport=$option 
#fi 

#get remote udp port -- peerfile variable must be set above 
#peerport=`grep peer $peerfile | cut -f2 -d:` 

#must log peer udp port for ip-down script 
#echo $peerport > /var/run/$device.peerport 

#get our ip address 
#myaddr=`echo $me | cut -f1 -d:` 

#deny and log all requests to cipe udp port must be inserted first 
#ipfwadm -I -i deny -P udp -W $staticif -S 0/0 -D $myaddr $myport $log 
#accept udp packets from peer at udp cipe port to my udp cipe port 
#ipfwadm -I -i accept -P udp -W $staticif -S $peer $peerport \
#-D $myaddr $myport 

exit 0 

Kernel 2.1/2.2, ipchains, cipe 1.2.x




#!/bin/bash 
# ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg> 
#3/29/1999 
#An example ip-up script for the newer 2.1/2.2 kernels using ipchains that 
#will setup routes and firewall rules to connect your local class c network 
#to a remote class c network.  This script creates 3 user defined chains
#-input, output, and forward - for each cipe interface, based on the
#interface name. It will then insert a rule into each of the built-in
#input, output, and forward chains to use the user defined chains. The
#rules are configured to prevent spoofing and stuffed routing between the
#networks. There are also additional security enhancements commented out
#towards the bottom of the script. 
#Send questions or comments to [email protected]. 

#-------------------------------------------------------------------------- 

#Set some script variables 
device=$1               # the CIPE interface 
me=$2                   # our UDP address 
pid=$3                  # the daemon's process ID 
ipaddr=$4               # IP address of our CIPE device 
ptpaddr=$5              # IP address of the remote CIPE device 
option=$6               # argument supplied via options 

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 

#comment/uncomment to enable/disbale kernel logging for all unauthorized 
#access attempts. Must be same as ip-down script in order to remove rules. 
log="-l" 

#-------------------------------------------------------------------------- 
umask 022 
# just a logging example 
#echo "UP   $*" >> /var/adm/cipe.log 

# many systems like these pid files 
#echo $3 > /var/run/$device.pid 

#-------------------------------------------------------------------------- 
#add route entry for remote cipe network 
network=`expr $ptpaddr : '\([0-9]*\.[0-9]*\.[0-9]*\.\)'`0 
route add -net $network netmask 255.255.255.0 dev $device 

#-------------------------------------------------------------------------- 
#create new ipchain for cipe interface input rules 
ipchains -N $device"i" 
#flush all rules in chain (sanity flush) 
ipchains -F $device"i" 
#deny incoming packets, cipe interface, claiming to be from localnet; log 
ipchains -A $device"i" -j DENY -i $device -s $ipaddr/24 -d $ipaddr/24 $log 
#accept incoming packets from localnet to remotenet on cipe interface 
ipchains -A $device"i" -j ACCEPT -i $device -s $ipaddr/24 -d $ptpaddr/24 
#accept incoming packets from remotenet to localnet on cipe interface 
ipchains -A $device"i" -j ACCEPT -i $device -s $ptpaddr/24 -d $ipaddr/24 
#deny all other incoming packets 
ipchains -A $device"i" -j DENY -s 0/0 -d 0/0 $log 

#-------------------------------------------------------------------------- 
#create new ipchain for cipe interface output rules 
ipchains -N $device"o" 
#flush all rules in chain (sanity flush) 
ipchains -F $device"o" 
#deny outgoing to localnet from localnet, cipe interface, deny; log 
ipchains -A $device"o" -j DENY -i $device -s $ipaddr/24 -d $ipaddr/24 $log 
#accept outgoing from localnet to remotenet on cipe interface 
ipchains -A $device"o" -j ACCEPT -i $device -s $ipaddr/24 -d $ptpaddr/24 
#accept outgoing from remotenet to localnet on cipe interface 
ipchains -A $device"o" -j ACCEPT -i $device -s $ptpaddr/24 -d $ipaddr/24 
#deny all other outgoing packets 
ipchains -A $device"o" -j DENY -s 0/0 -d 0/0 $log 

#-------------------------------------------------------------------------- 
#The forward chain is configured so machines on your local network do not 
#get masqueraded to the remote network.  This provides better access
#control between networks. 

#create new ipchain for cipe interface forward rules 
ipchains -N $device"f" 
#flush all rules in chain (sanity flush) 
ipchains -F $device"f" 
#accept forwarding from localnet to remotenet on cipe interfaces 
ipchains -A $device"f" -j ACCEPT -i $device -s $ipaddr/24 -d $ptpaddr/24 
#accept forwarding from remotenet to localnet on cipe interfaces 
ipchains -A $device"f" -j ACCEPT -i $device -s $ptpaddr/24 -d $ipaddr/24 
#deny all other forwarding; log 
ipchains -A $device"f" -j DENY -s 0/0 -d 0/0 $log 

#-------------------------------------------------------------------------- 
#Make sure forwarding is enabled in the kernel. New kernels by default have 
#forwarding disabled. 
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward 

#-------------------------------------------------------------------------- 
#insert rules to main input, output, and forward chains to enable new rules 
#for the cipe interface 
ipchains -I input -i $device -j $device"i" 
ipchains -I output -i $device -j $device"o" 
ipchains -I forward -i $device -j $device"f" 

#-------------------------------------------------------------------------- 
#Optional security enhancement - set built-in forward chain policy to 
#DENY or REJECT.  If your main forward chain default policy is DENY/REJECT 
#you will need to add the following rules to your main forward chain.  It 
#is a good idea to have all built-in chain default policies set for DENY or 
#REJECT. 

#define machine interfaces 
#localif="eth0" 
#staticif="eth1"                ;cable modem users 
#staticif="ppp0"                ;dialup users 

#a real sloppy way to get the peer ip address from the options file - a new 
#argument with peer ip:port passed to script would be nice. 
#both lines need to be uncommented 
#peerfile=`grep $device /etc/cipe/options.* | cut -f1 -d:` 
#peer=`grep peer $peerfile | cut -f1 -d: | awk '{print $2}'` 

#must log peer ip address for ip-down script 
#echo $peer > /var/run/$device.peerip 

#accept forwarding from localnet to remotenet on internal network interface 
#ipchains -I forward -j ACCEPT -i $localif -s $ipaddr/24 -d $ptpaddr/24 
#accept forwarding from remotenet to localnet on internal network interface 
#ipchains -I forward -j ACCEPT -i $localif -s $ptpaddr/24 -d $ipaddr/24 
#accept forwarding on staticif from me to peer 
#myaddr=`echo $me | cut -f1 -d:` 
#ipchains -I forward -j ACCEPT -i $staticif -s $myaddr -d $peer 
#-------------------------------------------------------------------------- 
#Other optional security enhancement 
#block all incoming requests from everywhere to our cipe udp port 
#except our peer's udp port 

#need to determine udp ports for the cipe interfaces 
#get our udp port 
#if [ "$option" = "" ]; then 
#       myport=`echo $me | cut -f2 -d:` 
#else 
#       myport=$option 
#fi 

#get remote udp port -- peerfile variable must be set above 
#peerport=`grep peer $peerfile | cut -f2 -d:` 

#must log peer udp port for ip-down script 
#echo $peerport > /var/run/$device.peerport 

#get our ip address 
#myaddr=`echo $me | cut -f1 -d:` 

#deny and log all requests to cipe udp port must be inserted first 
#ipchains -I input -j DENY -p udp -i $staticif -s 0/0 \
#-d $myaddr $myport $log 
#accept udp packets from peer at udp cipe port to my udp cipe port 
#ipchains -I input -j ACCEPT -p udp -i $staticif -s $peer $peerport \
# -d $myaddr $myport 

#-------------------------------------------------------------------------- 
# Set up spoofing protection in kernel as an additional security measure 
#-------------------------------------------------------------------------- 
#Why do I have spoofing protection in the firewall rules in addition to
#this script that sets up spoof protection for each interface in the
#kernel? Guess I'm paranoid. 

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then 
        echo -n "Setting up IP spoofing protection..." 
        iface="/proc/sys/net/ipv4/conf/$device/rp_filter" 
        echo 1 > $iface 
        echo "done." 
else 
        echo "Cannot setup spoof protection in kernel for $device" \
                | mail -s"Security Warning: $device" root 
        exit 1 
fi 

exit 0 

6.2 /etc/cipe/ip-down

Kernel 2.0, ipfwadm, cipe 1.0.x




#!/bin/bash 

# ip-down <interface> <myaddr> <daemon-pid> <local> <remote> <arg> 
#3/29/1999 
#An example ip-down script for the older 1.x 2.x kernels using ipfwadm that 
#will remove firewall rules that were setup to connect your local class c
#network to a remote class c network. 

#-------------------------------------------------------------------------- 
#Set some script variables 
device=$1               # the CIPE interface 
me=$2                   # our UDP address 
pid=$3                  # the daemon's process ID 
ipaddr=$4               # IP address of our CIPE device 
ptpaddr=$5              # IP address of the remote CIPE device 
option=$6               # argument supplied via options 

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 

#comment/uncomment to enable/disbale kernel logging for all unauthorized 
#access attempts. Must be same as ip-down script in order to remove rules. 
log="-o" 

#-------------------------------------------------------------------------- 
umask 022 

# just a logging example 
#echo "DOWN   $*" >> /var/adm/cipe.log 

# many systems like these pid files 
#rm -f /var/run/$device.pid 

#-------------------------------------------------------------------------- 
#cipe interface incoming firewall rules 

#delete (deny all other incoming packets to cipe interface) 
ipfwadm -I -d deny -W $device -S 0/0 -D 0/0 $log 

#delete (accept incoming packets from remotenet to localnet on cipe 
#interface) 
ipfwadm -I -d accept -W $device -S $ptpaddr/24 -D $ipaddr/24 

#delete (accept incoming packets from localnet to remotenet on cipe
#interface) 
ipfwadm -I -d accept -W $device -S $ipaddr/24 -D $ptpaddr/24 

#delete (deny incoming packets, cipe interface, claiming to be from
#localnet and log) 
ipfwadm -I -d deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log 

#-------------------------------------------------------------------------- 
#cipe interface incoming firewall rules 

#delete (deny all other outgoing packets from cipe interface) 
ipfwadm -O -d deny -W $device -S 0/0 -D 0/0 $log 

#delete (accept outgoing from remotenet to localnet on cipe interface) 
ipfwadm -O -d accept -W $device -S $ptpaddr/24 -D $ipaddr/24 

#delete (accept outgoing from localnet to remotenet on cipe interface) 
ipfwadm -O -d accept -W $device -S $ipaddr/24 -D $ptpaddr/24 

#delete (deny outgoing to localnet from localnet, cipe interface, deny
#and log) 
ipfwadm -O -d deny -W $device -S $ipaddr/24 -D $ipaddr/24 $log 

#-------------------------------------------------------------------------- 
#cipe interface forwarding firewall rules 

#delete (deny all other forwarding through cipe interface; log) 
ipfwadm -F -d deny -W $device -S 0/0 -D 0/0 $log 

#delete (accept forwarding from remotenet to localnet on cipe interfaces) 
ipfwadm -F -d accept -W $device -S $ptpaddr/24 -D $ipaddr/24 

#delete (accept forwarding from localnet to remotenet on cipe interfaces) 
ipfwadm -F -d accept -W $device -S $ipaddr/24 -D $ptpaddr/24 

#-------------------------------------------------------------------------- 
#Optional security enhancement - set default forward policy to 
#DENY or REJECT.  If your forwarding default policy is DENY/REJECT 
#you will need to add the following rules to your main forward chain.  It 
#is a good idea to have all default policies set for DENY or 
#REJECT. 

#define machine interfaces 
#localif="eth0" 
#staticif="eth1"                ;cable modem users 
#staticif="ppp0"                ;dialup users 

#a real sloppy way to get the peer ip address from the options file - a new 
#argument with peer ip:port passed to script would be nice. 
#both lines need to be uncommented 
#peerfile=`grep $device /etc/cipe/options.* | cut -f1 -d:` 
#peer=`grep peer $peerfile | cut -f1 -d: | awk '{print $2}'` 

#must log peer ip address for ip-down script 
#echo $peer > /var/run/$device.peerip 

#delete (accept forwarding from localnet to remotenet on internal network
interface) 
#ipfwadm -F -d accept -W $localif -S $ipaddr/24 -D $ptpaddr/24 
#delete (accept forwarding from remotenet to localnet on internal network
interface) 
#ipfwadm -F -d accept -W $localif -S $ptpaddr/24 -D $ipaddr/24 
#delete (accept forwarding on staticif from me to peer) 
#myaddr=`echo $me | cut -f1 -d:` 
#ipfwadm -F -d accept -W $staticif -S $myaddr -D $peer 
#-------------------------------------------------------------------------- 
#Other optional security enhancement 
#block all incoming requests from everywhere to our cipe udp port 
#except our peer's udp port 

#need to determine udp ports for the cipe interfaces 
#get our udp port 
#if [ "$option" = "" ]; then 
#       myport=`echo $me | cut -f2 -d:` 
#else 
#       myport=$option 
#fi 

#get remote udp port -- peerfile variable must be set above 
#peerport=`grep peer $peerfile | cut -f2 -d:` 

#must log peer udp port for ip-down script 
#echo $peerport > /var/run/$device.peerport 

#get our ip address 
#myaddr=`echo $me | cut -f1 -d:` 

#delete (deny and log all requests to cipe udp port must be inserted first) 
#ipfwadm -I -d deny -P udp -W $staticif -S 0/0 -D $myaddr $myport $log 
#delete (accept udp packets from peer at udp cipe port to my udp cipe port) 
#ipfwadm -I -d accept -P udp -W $staticif -S $peer $peerport \
#-D $myaddr $myport 

exit 0

Kernel 2.1/2.2, ipchains, cipe 1.2.x




#!/bin/sh 
# ip-down <interface> <myaddr> <daemon-pid> <local> <remote> <arg> 
#3/29/1999 
#An example ip-down script for the newer 2.1/2.2 kernels using ipchains
#that will remove firewall rules that were setup to connect your local
#class c network to a remote class c network.  Optional security
#enhancement rules removal is also added and commented towards end of
#script. 
#Send questions or comments to [email protected]. 

#-------------------------------------------------------------------------- 
#Set some script variables 
device=$1               # the CIPE interface 
me=$2                   # our UDP address 
pid=$3                  # the daemon's process ID 
ipaddr=$4               # IP address of our CIPE device 
ptpaddr=$5              # IP address of the remote CIPE device 
option=$6               # argument supplied via options 
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 

#comment/uncomment to enable/disbale kernel logging for all unauthorized 
#access attempts 
#must be same as ip-up script in order to remove rules 
log="-l" 

#-------------------------------------------------------------------------- 
umask 022 

# Logging example 
#echo "DOWN $*" >> /var/adm/cipe.log 

# remove the daemon pid file 
#rm -f /var/run/$device.pid 

#-------------------------------------------------------------------------- 
#remove rules from main input, output, and forward chains for cipe
#interface 
ipchains -D input -i $device -j $device"i" 
ipchains -D output -i $device -j $device"o" 
ipchains -D forward -i $device -j $device"f" 

#-------------------------------------------------------------------------- 
#flush all rules in cipe interface input chain 
ipchains -F $device"i" 
#remove cipe interface input chain 
ipchains -X $device"i" 

#-------------------------------------------------------------------------- 
#flush all rules in cipe interface output chain 
ipchains -F $device"o" 
#remove cipe interface output chain 
ipchains -X $device"o" 

#-------------------------------------------------------------------------- 
#flush all rules in cipe interface forward chain 
ipchains -F $device"f" 
#remove cipe interface forward chain 
ipchains -X $device"f" 

#-------------------------------------------------------------------------- 
#Remove optional security enhancement rules 

#get peer ip address 
#peer=`cat /var/run/$device.peerip` 

#define machine interfaces 
#localif="eth0" 
#staticif="eth1"                ;cable modem users 
#staticif="ppp0"                ;dialup users 

#get our ip address 
#myaddr=`echo $me |cut -f1 -d:` 

#delete (accept forwarding from localnet to remotenet on internal network
#interface) 
#ipchains -D forward -j ACCEPT -i $localif -s $ipaddr/24 -d $ptpaddr/24 
#delete (accept forwarding from remotenet to localnet on internal network
#interface) 
#ipchains -D forward -j ACCEPT -i $localif -s $ptpaddr/24 -d $ipaddr/24 
#delete (accept forwarding on staticif from me to peer) 
#ipchains -D forward -j ACCEPT -i $staticif -s $myaddr -d $peer 

#remove peer ip file 
#rm /var/run/$device.peerip 

#-------------------------------------------------------------------------- 
#Remove other optional security enhancement rules 

#get peer udp port 
#peerport=`cat /var/run/$device.peerport` 

#get our udp port 
#if [ "$option" = "" ]; then 
#        myport=`echo $me | cut -f2 -d:` 
#else 
#        myport=$option 
#fi 

#delete (deny and log all requests to cipe udp port must be inserted first) 
#ipchains -D input -j DENY -p udp -i $staticif -s 0/0 \
#-d $myaddr $myport $log 
#delete (accept udp packets from peer at udp cipe port to my udp cipe port) 
#ipchains -D input -j ACCEPT -p udp -i $staticif -s $peer $peerport \
#-d $myaddr $myport 

#remove peer port file 
#rm /var/run/$device.peerport 

#-------------------------------------------------------------------------- 

exit 0 


Next Previous Contents