General Purpose Firewall and VPN for Linux

    shutdown -h now     shuts down Linux
    shutdown -r now     reboots Linux

The reboot key sequence at one of the text screens shuts down and reboots Linux, but it doesn't work on the graphics screen.

Implemented with Red Hat Linux 7.3.

When installing Linux, choose the GRUB bootloader and turn off the firewall. I tend to install everything even though it takes about 3 GB and is way overkill. Oh well... Just make sure you install bzip, gzip, bzip2, tar, zip, etc.

Red Hat Linux 7.3 took away linuxconf. If you like linuxconf, download the following RPMs (I usually download them to /usr/src):

    ftp://mirror.cs.wisc.edu/pub/mirrors/linux/redhat/7.2/en/os/i386/RedHat/RPMS/gnome-linuxconf-0.67.1-1.i386.rpm
    ftp://mirror.cs.wisc.edu/pub/mirrors/linux/redhat/7.2/en/os/i386/RedHat/RPMS/linuxconf-1.25r7-3.i386.rpm

Then, to install them:

    cd /usr/src
    rpm -ivh linuxconf-1.25r7-3.i386.rpm
    rpm -ivh gnome-linuxconf-0.67.1-1.i386.rpm

If this is going to be primarily a server, I recommend telling the system to come up in text mode by default (it asks whether you want to come up in graphics mode or not as the last question, after all of the files are installed). When you want graphics mode, log in as root (or whoever) and type startx to bring up the graphics screen. Logging out shuts the graphics screen down again. If the system is set to come up in graphics mode and you want it to come up in text mode, edit /etc/inittab and change the line that says id:5:initdefault: to id:3:initdefault: . The next time you reboot, it will come up in text mode.

VPN: see http://www.advancevpn.com/en/download_other.html for general details, though its recommendations are summed up in this document. This has been used with Linux 2.4.18.x.

Notes: All of the following commands are done in a terminal screen as root. "foobar" is a generic term referring to filenames, computer names, or whatever. There is confusion about its origin and it currently isn't an acronym for anything.
If you want to read up on where it came from, search the internet!

File extensions:

    gz  = gzip
    bz  = bzip
    bz2 = bzip2
    tar = tar (Tape Archive)

Most files you get from the internet are tarred and zipped. To unzip and unarchive them, do the following (or the same with bzip, bzip2, etc.):

    gzip -cd foobar.tar.gz | tar -xvf -

(d stands for decompress and c stands for write to standard out. The pipe symbol | sends the output to the next command. In tar, x means unpack, v means verbose (list files while unpacking) and f - means read the archive from standard input.) You can also unzip files using gunzip, bunzip, bunzip2, unzip, etc.; gunzip foobar.tar.gz will turn it into foobar.tar.

Other commands we'll be using:

    ls      list (same as dir in DOS)
    vi      text editor, as described below
    ln      links a new filename to an existing file
    chmod   changes the access rights and can make a file executable
    patch   takes text files with lists of file names and adds the + lines, removes the - lines,
            and uses the other lines to find the location. With a little practice you can even
            sometimes figure out what the patch writer is trying to do.

ls may show colors. If so, green = executable and light blue = link file representing a file in a different location. I use ls -al when I want to list a directory with the chmod security shown, lengthways instead of in columns. If I do ls -al *, the command will descend into subdirectories. To stop that use -d (list the directory name, not its contents): ls -ald *. If you want it to pause like dir /p in DOS, do ls | less. The pipe symbol | sends the output from ls to the less command, which is like the DOS more command only with more features, hence they called it less... I don't know... In SCO Unix the command was called pg. Go figure. Remember the man program for manuals: man ls will tell you all of the list options.

Sub note: the -rwxr-xr-x in the ls -al output is showing you the security.
The first character is d for directory, - for file, l for link to file, and c or b for character or block device (see the /dev directory for those; they are devices represented as files, such as the CD-ROM, network cards, parallel port, hard drive, tape drive, etc.). The first rwx is the user's Read, Write and eXecute rights, the second 3 characters are the group rights, and the third 3 characters are the rights for everybody else. For directories, x indicates whether someone can ls the directory; for files it tells the system that the file is executable.

A rarely used flag is s. It shows up in place of x and means that the program, when running, has access to files as if the owner of the program were logged in and running it. Example:

    -rwsr-xr-x    1 root     root        26216 Mar 24 19:23 /bin/rm

would mean that anyone using rm (the remove command, like del in DOS) would have superuser (Administrator, root, whatever) rights to all files that the program wanted access to. Hence joeblow logs in, does cd / and then rm -rf *, and is able to delete all files on the system. Poof. Cool huh? To enable this wonderful feature use chmod u+s /bin/rm (No, don't really do it! Man, I was only kidding.)

To change the owner of a file use chown joeblow foobar, and to change the group of a file use chgrp joeblow foobar. To recurse use the -R option, because -r would make too much sense. Actually I think -R was chosen because ls uses -r to mean reverse order sorting.

General reference:

    useradd joeblow     add a new user
    passwd joeblow      change a password (it will ask for the new password)
    vi foobar.txt       edit a file with vi (the text based text editor)

In vi you start in "command mode" as opposed to "edit mode":

    A    Append to end of line
    a    Append starting after current character
    i    Insert starting before current character
    I    Insert starting at beginning of line
    c    Wipe out everything from current character to end-of-line and go into append
    R    Replace characters starting at current character (switches to insert mode until you
         get to the end of the line, as opposed to changing the next line)
    r    Replace current character, then go back to command mode
    dd   delete current line
    4dd  delete 4 lines (I think you get the idea here)
    yy   copy current line to buffer
    3yy  copy 3 lines to buffer
    p    paste copy buffer after current line
    J    Join next line to current line
    x    Delete current character
    G    go to end of file
    8G   go to line 8
    1G   go to beginning of file
    :x   save and exit
    :x!  save and exit even though the file is set to read-only
    :q   quit without saving
    :q!  quit without saving even though some things have changed
    /foobar              search for the word foobar
    /                    continue previous search
    :w                   save file but don't exit
    :n                   go to next file (assuming you did vi foobar* to edit several foobar files)
    :g/foobar/s//abcd    replace first occurrence of foobar with abcd in all lines
    :g/foobar/s//abcd/g  replace all occurrences of foobar with abcd on all lines
    :f                   file stats such as name, length, and position of cursor within file

When in edit mode, to get back to command mode, and for the rest of the commands, see man vi. Most Linux commands have on-line manuals. To see the manual use man (example: man tar will show all tar commands and uses).

Download the following (I usually download all Linux operating system stuff, like ppp and pptp, to the /usr/src directory, and all application stuff, like netscape and realplayer, to /usr/local):

Linux OpenSSL support patch, from one of these sites:

    http://www.advancevpn.com/public/linux-2.4.16-openssl-0.9.6b-mppe.patch.gz
    http://www.planetmirror.com/pub/mppe/linux-2.4.16-openssl-0.9.6b-mppe.patch.gz

(This patch works fine on Linux 2.4.18.)

poptop's pptpd program, from one of these sites:

    http://www.advancevpn.com/public/pptpd-1.1.2.tar.gz
    http://www.planetmirror.com/pub/mppe/pptpd-1.1.3.tar.gz

(poptop. These are really version 1.0.1 from www.poptop.org as far as I can tell.)
ppp version 2.4.1, from one of these sites:

    http://www.planetmirror.com/pub/mppe/ppp-2.4.1-3mppe.src.rpm

(The above rpm has all of the patches included. To unpack, type rpm -ivh ppp-2.4.1-3mppe.src.rpm. The unpacked files will be in the /usr/src/redhat/SOURCES directory. You can move them to /usr/src with cd /usr/src/redhat/SOURCES ; mv * /usr/src.)

    http://wlan.informatik.uni-bremen.de/doku/debian/download/sonstiges/ppp-2.4/ppp-2.4.1-mppe.tar.gz

(I assume all of the patches are zipped into here, though I didn't check.)

Patch the kernel (assuming the patch is gzipped):

    gunzip linux-2.4.16-openssl-0.9.6b-mppe.patch.gz
    cd /usr/src/linux-2.4
    patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch

(patch may warn that a part of the patch has already been applied. If so, at the "Assume -R? [n]" prompt choose n, and at the "Apply anyway? [n]" prompt choose n.)

    make menuconfig

Go down to Network device support, set PPP and PPP BSD-Compress to M, then arrow to Exit, Exit again, and at the save prompt choose Yes.

    make dep clean bzImage modules

(This compiles Linux and its modules, where modules are anything set to M as opposed to * in the menuconfig screen. The advantage of modules is that memory and resources are only used once a module is first used; the advantage of * is faster execution and not having to worry about whether the module has loaded. See commands such as lsmod = list loaded modules, insmod = load a specific module, modprobe = load a specific module and all the modules needed to run it. Modules live in the /lib/modules/2.4.18-3custom directory and include things like network cards, video cards, sound cards, ipv4 (TCP/IP, four byte addresses), ipv6 (the new TCP/IP six byte standard that's not yet used), and much much more... order now!)
Assuming no errors:

    make install modules_install

(This installs vmlinuz in the /boot directory, edits the /boot/grub/grub.conf file, creates the /lib/modules/2.4.18-3custom directory and copies all of the modules there. I'll bet you can tell which instruction after make does what.)

When done:

    cd /boot
    ls

The new kernel is probably vmlinuz-2.4.18-3custom. This name comes from the Makefile in /usr/src/linux-2.4: the fourth or so line down says EXTRAVERSION = -3custom. If you want something different, change it or blank it out before running the make dep clean bzImage command.

    mkinitrd initrd-2.4.18-3custom.img 2.4.18-3custom

(Or whatever the new kernel is called; mkinitrd wants the image name and then the kernel version. This makes the initrd-2.4.18-3custom.img file.)

    cd /boot/grub
    vi grub.conf

The file should already have a title Red Hat Linux (2.4.18-3custom) entry in it. If it doesn't, just duplicate everything from title Red Hat Linux (2.4.18-3) through initrd /boot/initrd-2.4.18-3.img, adding custom after the 3 (2.4.18-3custom). If the custom entry is already there, it is probably missing the initrd /boot/initrd-2.4.18-3custom.img line. Arrow down to the kernel /boot/vmlinuz-2.4.18-3custom ro root=/dev/hda1 line, type A (append to end of line), press Enter and type initrd /boot/initrd-2.4.18-3custom.img. Arrow up to default=0 and set it to 0 or 1 depending on whether the custom entry is the first or second entry. To change it in vi, arrow to the 0, press r (replace this character), then 1 (or 0 depending on your choice), then :x (save and exit). My grub.conf file looks as follows:

    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE:  You do not have a /boot partition.  This means that
    #          all kernel and initrd paths are relative to /, eg.
    #          root (hd0,0)
    #          kernel /boot/vmlinuz-version ro root=/dev/hda1
    #          initrd /boot/initrd-version.img
    #boot=/dev/hda
    default=0
    timeout=10
    splashimage=(hd0,0)/boot/grub/splash.xpm.gz
    title Red Hat Linux (2.4.18-3custom)
            root (hd0,0)
            kernel /boot/vmlinuz-2.4.18-3custom ro root=/dev/hda1
            initrd /boot/initrd-2.4.18-3custom.img
    title Red Hat Linux (2.4.18-3)
            root (hd0,0)
            kernel /boot/vmlinuz-2.4.18-3 ro root=/dev/hda1
            initrd /boot/initrd-2.4.18-3.img

The next stuff you can do while the kernel is compiling. In the /usr/src directory:

    gzip -cd ppp-2.4.1.tar.gz | tar -xvf -

gunzip the ppp-2.4.1 patch files if they are gzipped:

    gunzip ppp-2.4.1-MSCHAPv2-fix.patch.gz
    gunzip ppp-2.4.1-openssl-0.9.6b-mppe.patch.gz

(If it's gzipped, ppp-2.4.1-openssl-0.9.6b-mppe.patch might already exist and the zipped one might be ppp-2.4.1-openssl-0.9.6b-patch.gz, with a dash before patch instead of a period.)

    cd ppp-2.4.1
    patch -p1 < ../ppp-2.4.1-make.patch
    patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
    patch -p1 < ../ppp-2.4.1-openssl-0.9.6b-mppe.patch
    patch -p1 < ../ppp-2.4.1-warnings.patch

(We don't do anything with the ppp-2.3 patches or the ppp-2.4.0 patch.)

    make            (compiles ppp)
    make install    (installs ppp)

You can do the next stuff while the above is compiling as well. In the /usr/src directory:

    gunzip -cd pptpd-1.1.2.tar.gz | tar -xvf -    (or pptpd-1.1.3)
    cd pptpd-1.1.2                                 (or pptpd-1.1.3)
    make
    make install

(OK, take a deep breath. We're almost done!)
    cd /etc
    vi modules.conf

Use GA to append to the end of the file, then add:

    alias char-major-108 ppp_generic
    alias tty-ldisc-3 ppp_async
    alias tty-ldisc-14 ppp_synctty
    alias ppp-compress-18 ppp_mppe
    alias ppp-compress-21 bsd_comp
    alias ppp-compress-24 ppp_deflate
    alias ppp-compress-26 ppp_deflate

and :x to save.

    cd /etc/ppp
    vi options.pptp

(This is a new file.) Press i (for insert) and enter:

    debug
    name *
    lock
    mtu 1490
    mru 1490
    proxyarp
    auth
    +chap
    +chapms
    +chapms-v2
    ipcp-accept-local
    ipcp-accept-remote
    lcp-echo-failure 3
    lcp-echo-interval 5
    deflate 0
    mppe-128
    mppe-40
    mppe-stateless

then :x. (If you skip the mppe entries in the above file the VPN won't encrypt the session, though the password can still be encrypted. This makes the connection faster if you don't care so much about complete privacy. It is still harder than normal for a snooper to observe what you are doing.)

    cd /etc
    vi pptpd.conf

(Another new file.) Enter:

    debug
    #The localip is the address used for this side of the pptp route.
    #It should be an available internal ip address. The following
    #example is assuming 192.168.0.0 netmask 255.255.255.0
    #and that 192.168.0.180 through 192.168.0.182 are available
    #for pptpd.conf and ppp/chap-secrets
    localip 192.168.0.180
    option /etc/ppp/options.pptp

then :x.

    cd /etc/ppp

(You could do all of /etc first and then /etc/ppp, but this is more fun!)

    vi chap-secrets

(This is where we create VPN users. We don't have to create users on the Linux system itself.) Append to the end of the file (GA):

    lee          *   xyzzy_password   192.168.0.181
    \lee         *   xyzzy_password   192.168.0.181
    \\lee        *   xyzzy_password   192.168.0.181
    HOWDY\\tom   *   abcd_efg         192.168.0.182

then :x. For most people the first line works fine. Use the \ and \\ examples when the remote computer doesn't belong to a Windows domain but keeps failing the connection. You can enter the person all three times with no problem; the CHAP validation just finds the one that works. The tom example (HOWDY\\tom) is for when someone belongs to a domain.
In Win98, if Network Properties -> Client for Microsoft Networks -> Windows NT domain has anything in it, you need the domain before the person's login name, even when the "Log on to Windows NT domain" box is not checked. The IP addresses will be assigned to those individuals. If they can't ping the network, use winipcfg (Win95 and 98) or ipconfig at a DOS prompt (WinNT, 2000, XP) to find out what address was assigned to the PPP VPN connection. If Windows isn't assigning it correctly then in Windows -> Dialup Networking -> foobarVPN -> Server Types -> TCP/IP Settings choose "Specify an IP address" and set it to the one you want.

While we're talking about the Winxxx VPN settings: turn off the "Use default gateway on remote network" checkbox in the TCP/IP settings and, under Server Types, uncheck the "Log on to network", NetBEUI and IPX/SPX Compatible boxes, and test out checking the "Require encrypted password" and "Require data encryption" boxes (the encryption boxes will let you know if encryption is working). Don't check data encryption if you left the mppe stuff out of the options.pptp file.

Still in the /etc/ppp directory, let's set up the firewall rules for iptables.

    vi ip-up.local

(Probably a new file.) Press i (for insert) and enter:

    #!/bin/sh
    #set ipinternal_network to the internal network address.
    #The 24 represents the mask of 255.255.255.0, since each segment
    #is a byte (8 bits) and 3*8=24 bits for the first three 255's.
    #ipinternal is the internal ip address of this machine;
    #set it to whatever you set the internal network card to.
    #internal is the name of the network card, usually either
    #eth0 or eth1 (check the ifcfg-eth0 and ifcfg-eth1 files in the
    #/etc/sysconfig/network-scripts directory if you don't know;
    #these files are where the system gets the ip addresses from).
    #The same three values must appear in ip-down.local, or its
    #-D deletions will not find the rules added here.
    ipinternal_network="192.168.0.0/24"
    ipinternal="192.168.0.1"
    internal="eth0"
    ppp=$1
    ttyprt=$2
    baudrt=$3
    localip=$4
    remoteip=$5
    #pptpd hands pppd a pty, so only act for /dev/pts/* devices
    case $2 in
    /dev/pts/*)
        echo "$(date): ip-up 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
        /sbin/iptables -P FORWARD DROP
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/iptables -I FORWARD -s $remoteip -d $ipinternal_network -j ACCEPT
        /sbin/iptables -I FORWARD -s $ipinternal_network -d $remoteip -j ACCEPT
        /sbin/iptables -I INPUT -i $ppp -s $ipinternal_network -j ACCEPT
        /sbin/iptables -I OUTPUT -o $ppp -d $ipinternal_network -j ACCEPT
        echo "$(date): ip-up Firewall rules set for $1:$5" >> /var/log/pptpd.log
        ;;
    esac

then :x.

    vi ip-down.local

Press i (for insert mode) and enter:

    #!/bin/sh
    #set ipinternal_network to the internal network address.
    #The 24 represents the mask of 255.255.255.0, since each segment
    #is a byte (8 bits) and 3*8=24 bits for the first three 255's.
    #ipinternal is the internal ip address of this machine;
    #set it to whatever you set the internal network card to.
    #internal is the name of the network card, usually either
    #eth0 or eth1 (check the ifcfg-eth0 and ifcfg-eth1 files in the
    #/etc/sysconfig/network-scripts directory if you don't know;
    #these files are where the system gets the ip addresses from).
    #These values must match ip-up.local exactly: -D only removes a
    #rule that is identical to one that was inserted.
    ipinternal_network="192.168.0.0/24"
    ipinternal="192.168.0.1"
    internal="eth0"
    ppp=$1
    ttyprt=$2
    baudrt=$3
    localip=$4
    remoteip=$5
    case $2 in
    /dev/pts/*)
        echo "$(date): ip-down 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" >> /var/log/pptpd.log
        /sbin/iptables -D FORWARD -s $remoteip -d $ipinternal_network -j ACCEPT
        /sbin/iptables -D FORWARD -s $ipinternal_network -d $remoteip -j ACCEPT
        /sbin/iptables -D INPUT -i $ppp -s $ipinternal_network -j ACCEPT
        /sbin/iptables -D OUTPUT -o $ppp -d $ipinternal_network -j ACCEPT
        echo "$(date): ip-down Firewall rules set for $1:$5" >> /var/log/pptpd.log
        ;;
    esac

then :x.

    chmod a+x ip-up.local ip-down.local

(This command tells Linux that the files are executable as opposed to data files.)

    cd /etc/rc.d/init.d
    vi pptpd.init

(New file.) Press i (insert mode again) and enter:

    #!/bin/sh
    #
    # Startup script for pptpd
    #
    # chkconfig: 345 85 15
    # description: PPTP server
    # processname: pptpd
    # config: /etc/pptpd.conf

    # Source function library.
    . /etc/rc.d/init.d/functions

    # See how we were called.
    case "$1" in
      start)
            echo -n "Starting pptpd: "
            if [ -f /var/lock/subsys/pptpd ] ; then
                    echo
                    exit 1
            fi
            /usr/sbin/pptpd -d
            echo
            touch /var/lock/subsys/pptpd
            ;;
      stop)
            echo -n "Shutting down pptpd: "
            killproc pptpd
            echo
            rm -f /var/lock/subsys/pptpd
            ;;
      status)
            status pptpd
            ;;
      restart)
            $0 stop
            $0 start
            ;;
      *)
            echo "Usage: $0 {start|stop|restart|status}"
            exit 1
            ;;
    esac
    exit 0

then :x.

    chmod a+x pptpd.init

This is used to start and stop the poptop server. Now we're going to set it up to start and stop automatically. This is handled in the rc1.d through rc6.d directories. Anything beginning with K is either not started or is stopped, and anything beginning with S is started. The numbers help control the order in which things start (using normal alphanumeric sorting, I assume).

    cd ../rc1.d
    ln -s ../init.d/pptpd.init K15pptpd.init

(ln is the link command. It creates a representation of the actual file, and most stuff doesn't know that it is just a reference to the actual file.
ls shows links in a different color from normal files. If you do ls -ald K15pptpd.init in the directory it should show that the file is linked: K15pptpd.init -> /etc/rc.d/init.d/pptpd.init. Green means an executable file (chmod a+x stuff), and light blue means a link. In ls -ald, a means all, l means long, and d means show the directory name, if it is a directory, instead of its contents.)

    cd ../rc6.d
    ln -s ../init.d/pptpd.init K15pptpd.init    (use the up arrow to get the command back, then press Enter)
    cd ../rc2.d
    ln -s ../init.d/pptpd.init S80pptpd.init    (in 2 through 5 we are telling pptpd to start unless it's already running)
    cd ../rc3.d
    ln -s ../init.d/pptpd.init S80pptpd.init    (up arrow to the S80pptpd.init command, Enter)
    cd ../rc4.d
    ln -s ../init.d/pptpd.init S80pptpd.init
    cd ../rc5.d
    ln -s ../init.d/pptpd.init S80pptpd.init

    cd /etc/rc.d
    vi rc.local

GA (to append to the end of the file), then add:

    /etc/iptables.rule.src

and :x. This is going to be the name of the firewall rule entries. I chose the name structure back when ipchains was used and you could condense the rules down to a smaller format that I called cmp for compiled. You can name it whatever you want. I'll bet you didn't care, did you.

    cd /etc
    vi iptables.rule.src

(Note this is the same name as in the rc.local file. If you decide on a different name, make sure they match!!!) Press i (for insert mode) and enter:

    #!/bin/sh
    echo 'Turn on anti-spoofing for all interfaces'
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
    #Explicit congestion notification (1 = on, 0 = off)
    echo 1 >/proc/sys/net/ipv4/tcp_ecn
    #echo 'Load Masqing modules'
    #for i in $(/bin/ls -1 /lib/modules/$(/bin/uname -r)/kernel/net/ipv4/ip_masq_*) ; \
    #do
    #echo loading module $i
    #/sbin/insmod $i
    #done
    /sbin/modprobe iptable_nat
    echo 'Setting up firewall rules'
    #Set ipexternal to your external ip address and ipexternalnetwork to
    #your external trunk with mask.
    #In this case 66.240.91.56 is the "0" ip address before the first valid one
    #and 29 out of 32 bits represents 255.255.255.248
    #(32-29 = 3 host bits, values 0 through 7; 255-7 = 248)
    #make sure internal represents the internal network card name and external
    #represents the external network card name
    ipexternal="66.240.91.62"
    ipexternalnetwork="66.240.91.56/29"
    ipinternal="192.168.0.1"
    ipinternalnetwork="192.168.0.0/24"
    #ipinternal_smtp="10.0.0.1"   An example I left in from a client that needed an inside
    #smtp="25"                    smtp server accessible from the outside.
    internal="eth0"
    external="eth1"
    echo 'Flushing old rules'
    iptables --flush
    iptables -t nat --flush
    iptables -X
    echo 'Set policies'
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    echo 'General Rules'
    #NOTE: a "-m limit ... -j ACCEPT" rule accepts whatever fits inside the
    #limit before the rule sets further down are consulted, so the --syn rule
    #below lets the first SYN each second through to ANY tcp port on
    #$ipexternal, not just the ports opened in specific-rule-set. Only the
    #packets over the limit fall through to the later rules.
    echo 'Syn-flood protection'
    iptables -A INPUT -p tcp -d $ipexternal --syn -m limit --limit 1/s -j ACCEPT
    echo 'Furtive port scanner'
    iptables -A INPUT -p tcp -d $ipexternal --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    echo 'Ping of death'
    iptables -A INPUT -p icmp -d $ipexternal --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    echo 'Forwarding and Masqing'
    iptables -t nat -A POSTROUTING -o $external -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 'general rule set'
    #NOTE: the -j LOG entries are what is filling up the screen on linux in text mode
    #If you don't like it rem out the lines with the # sign
    iptables -N general-rule-set
    iptables -A general-rule-set -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A general-rule-set -m state --state NEW -i ! $external -j ACCEPT
    iptables -A general-rule-set -i $external -m limit -j LOG --log-prefix "Bd pckt frm extntwrk"
    iptables -A general-rule-set -i ! $external -m limit -j LOG --log-prefix "Bd pckt frm int ntwrk"
    echo 'specific rule set'
    iptables -N specific-rule-set
    iptables -A specific-rule-set -i $external -p tcp --dport smtp -j ACCEPT
    iptables -A specific-rule-set -i $external -p udp --dport smtp -j ACCEPT
    iptables -A specific-rule-set -i $external -p tcp --dport ssh -j ACCEPT
    iptables -A specific-rule-set -i $external -p udp --dport ssh -j ACCEPT
    iptables -A specific-rule-set -i $external -p tcp --dport www -j ACCEPT
    iptables -A specific-rule-set -i $external -p udp --dport www -j ACCEPT
    #Note: the remmed out line that is next is dangerous because
    #it means you intend to telnet into here from the source address.
    #If someone snoops in on you, they could get your password then
    #use ssh to get in from their computer. ssh is the encrypted telnet
    #port and, as seen above, is allowed from anywhere.
    #If you must have telnet ability note that I have -s and an IP address.
    #This ip address should be set to the address of the computer coming
    #in. If you don't know the ip address because it's dynamic then
    #leave the -s and address out altogether so everybody can try to
    #break in!!!!
    #Also note: ssh allows you to connect as root, unlike telnet.
    #This means someone can run a bruteforce password search against the
    #ssh port until they break in. Either pick a really good password,
    #or use the -s to limit the ip addresses, or rem the line out with #
    #iptables -A specific-rule-set -i $external -p tcp -s 205.145.3.8 --dport telnet -j ACCEPT
    iptables -A specific-rule-set -i $external -p TCP --dport 1723 -j ACCEPT
    iptables -A specific-rule-set -i $external -p UDP --dport 1723 -j ACCEPT
    iptables -A specific-rule-set -i $external -p 47 -j ACCEPT
    iptables -A INPUT -j general-rule-set
    iptables -A FORWARD -j general-rule-set
    iptables -A INPUT -j specific-rule-set
    iptables -A FORWARD -j specific-rule-set
    echo 'NAT external port to internal server'
    #iptables -t nat -A PREROUTING -p tcp -d $ipexternal --dport $smtp -j DNAT --to $ipinternal_smtp:$smtp
    #iptables -t nat -A POSTROUTING -p tcp -d $ipinternal_smtp -j SNAT --to $ipinternal

then :x.

    chmod a+x iptables.rule.src

Well.... I think we are done!!!!

Oh... You can make a VPN connection to the computer from your Windows computer even though you're on the inside trunk. The route won't get used unless you play with the Windows route command, but it's a way to easily test passwords and connections.

Oh...Oh... wait... I forgot... Dang it! No, I remember... To start and stop services such as pptpd and network, use the scripts in the init.d directory:

    /etc/rc.d/init.d/pptpd.init stop
    /etc/rc.d/init.d/pptpd.init start
    /etc/rc.d/init.d/network stop
    /etc/rc.d/init.d/network start
    /etc/rc.d/init.d/network restart

Doing cd /etc/rc.d/init.d and then typing pptpd.init stop won't work, because Linux only runs commands found in the PATH directories or given by an absolute path. You could do ./pptpd.init stop, since ./ means "in the current directory". Linux does this so crackers can't cleverly save a file called, say, ls in the tmp directory containing cd /;rm -rf * instead, and have you cd /tmp, type ls and wipe everything out. Whereas in DOS you could, since DOS always runs files in the current directory over pathed directories.
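The mask arithmetic from the comments in ip-up.local and iptables.rule.src above (/24 is 3*8 set bits, /29 leaves 3 host bits and gives 255.255.255.248), carried out in code as an added example that is not part of the original howto: it builds the dotted mask from the prefix, checks that the addresses the howto uses fall inside the networks its scripts name, and cross-checks the result against Python's standard ipaddress module.

```python
# Added example, not from the original howto: re-derive the netmasks the
# firewall comments describe and test the howto's own addresses against them.
import ipaddress
import socket
import struct


def prefix_to_netmask(prefix):
    """/29 -> '255.255.255.248': the top 29 of 32 bits set, the low 3 clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return socket.inet_ntoa(struct.pack("!I", mask))


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer in network byte order."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def in_network(ip, cidr):
    """True when ip and the network agree on every bit the mask keeps."""
    net, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_netmask(int(prefix)))
    return ip_to_int(ip) & mask == ip_to_int(net) & mask


def usable_hosts(cidr):
    """Host addresses in the block: 2**(32-N) minus network and broadcast."""
    prefix = int(cidr.split("/")[1])
    return max(2 ** (32 - prefix) - 2, 0)


def check_howto_addresses():
    """Sanity checks on the values used in the firewall and pptpd files."""
    external_net = "66.240.91.56/29"   # ipexternalnetwork in iptables.rule.src
    internal_net = "192.168.0.0/24"    # ipinternalnetwork / ipinternal_network
    return {
        "external_mask": prefix_to_netmask(29),          # 255.255.255.248
        "internal_mask": prefix_to_netmask(24),          # 255.255.255.0
        "external_hosts": usable_hosts(external_net),    # 6: .57 through .62
        "ipexternal_ok": in_network("66.240.91.62", external_net),
        # localip in pptpd.conf plus the addresses handed out in chap-secrets
        "ppp_ok": all(in_network("192.168.0.%d" % h, internal_net)
                      for h in (180, 181, 182)),
        # one past the /29: 56 and 64 differ in a bit the mask keeps
        "just_outside": in_network("66.240.91.64", external_net),
        "other_subnet": in_network("192.168.1.5", internal_net),
        "cross_check": (ipaddress.ip_address("66.240.91.62")
                        in ipaddress.ip_network(external_net)),
    }
```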
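A reader for the lines that the ip-up.local and ip-down.local hooks above append to /var/log/pptpd.log, added here as an example and not part of the original howto. It replays the up/down events to show which tunnels (and so which per-tunnel iptables rules) are still in place, flags an ip-down with no matching ip-up (the -D deletions would have failed), and flags remote addresses that chap-secrets never assigns. The log excerpt is constructed, and the example assumes the hook scripts are exactly as written above (remote address in field 5) and that 192.168.0.181 and .182 are the only addresses listed in chap-secrets.

```python
# Added example, not from the original howto: audit /var/log/pptpd.log as
# written by the ip-up.local / ip-down.local hooks above.
import re

# "$(date): ip-up 1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" as echoed by the hooks;
# the "Firewall rules set for" lines are deliberately not matched.
LINE = re.compile(
    r"^(?P<ts>.+?): ip-(?P<ev>up|down) "
    r"1:(?P<ifc>\S*) 2:(?P<tty>\S*) 3:(?P<speed>\S*) "
    r"4:(?P<local>\S*) 5:(?P<remote>\S*) 6:(?P<param>.*)$"
)

# Constructed log excerpt: two tunnels come up, one goes down cleanly, and
# a third ip-down arrives for an address that never came up.
SAMPLE_LOG = """\
Thu Jul 18 09:01:10 PDT 2002: ip-up 1:ppp0 2:/dev/pts/1 3:115200 4:192.168.0.180 5:192.168.0.181 6:
Thu Jul 18 09:01:10 PDT 2002: ip-up Firewall rules set for ppp0:192.168.0.181
Thu Jul 18 09:30:44 PDT 2002: ip-up 1:ppp1 2:/dev/pts/2 3:115200 4:192.168.0.180 5:192.168.0.182 6:
Thu Jul 18 09:30:44 PDT 2002: ip-up Firewall rules set for ppp1:192.168.0.182
Thu Jul 18 11:12:03 PDT 2002: ip-down 1:ppp0 2:/dev/pts/1 3:115200 4:192.168.0.180 5:192.168.0.181 6:
Thu Jul 18 11:12:03 PDT 2002: ip-down Firewall rules set for ppp0:192.168.0.181
Thu Jul 18 11:40:00 PDT 2002: ip-down 1:ppp3 2:/dev/pts/4 3:115200 4:192.168.0.180 5:192.168.0.190 6:
Thu Jul 18 11:40:00 PDT 2002: ip-down Firewall rules set for ppp3:192.168.0.190
"""

# Addresses handed out in the chap-secrets example above (lee and tom).
KNOWN_REMOTES = {"192.168.0.181", "192.168.0.182"}


def parse_events(text):
    """Yield (timestamp, event, interface, remote_ip) for each hook line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m["ts"], m["ev"], m["ifc"], m["remote"]


def audit(text, known=KNOWN_REMOTES):
    """Replay ip-up/ip-down events and report what a defender would check."""
    open_tunnels = {}       # remote_ip -> (interface, time it came up)
    down_without_up = []    # ip-down while no rules were in place for that ip
    unknown_remotes = []    # remote address not assigned in chap-secrets
    for ts, ev, ifc, remote in parse_events(text):
        if remote not in known and remote not in unknown_remotes:
            unknown_remotes.append(remote)
        if ev == "up":
            open_tunnels[remote] = (ifc, ts)
        elif remote in open_tunnels:
            del open_tunnels[remote]
        else:
            down_without_up.append((ifc, remote, ts))
    return {
        "still_open": open_tunnels,
        "down_without_up": down_without_up,
        "unknown_remotes": unknown_remotes,
    }
```

Anything left in still_open after the last line means the FORWARD/INPUT/OUTPUT rules ip-up.local inserted for that address are still in the running ruleset, which is worth comparing against iptables -L -n.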
That's how I broke into the old Novell systems: by putting my version of the login program (that saved all passwords before running the real login program) in c:\ so autoexec.bat would run it instead of the mapped one on the network drive.

Lee Lofgren, 7/18/2002 of the Gregorian calendar.