# my automated firewall script

## epsilon_da

Hi people, a long time ago i write in a post which i was working in a automated firewall script, and it is done in the most important part, at least is better than the iptables script on gentoo, and is a modification of it. So, now i receive a PM asking me for this script, i prefer to post it to any other who casually want it.

Sorry for my english    :Very Happy: 

Let see the files and a little explanation, i hope which you can understand the code.

filename:  /etc/init.d/firewall

usage:

/etc/init.d/firewall build # forces a rebuild of the entire table

/etc/init.d/firewall update # rebuilds the table only if some ip or configuration is changed

```
#!/sbin/runscript

# Copyright 1999-2005 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.2 2005/08/10 23:11:12 vapier Exp $

opts="save reload panic build update open close"

[[ -e $(add_suffix /etc/conf.d/${FIREWALL}) ]] && source "$(add_suffix /etc/conf.d/${FIREWALL})"

iptables_bin="/sbin/${FIREWALL}"

ip_bin="${IPBIN}"

case ${FIREWALL} in

   iptables)  iptables_proc="/proc/net/ip_tables_names"

              iptables_save=${IPTABLES_SAVE};;

   ip6tables) iptables_proc="/proc/net/ip6_tables_names"

              iptables_save=${IP6TABLES_SAVE};;

esac

depend() {

   need net

   use logger

   before iptables ip6tables

}

set_table_policy() {

   local chains table=$1 policy=$2

   case ${table} in

      nat)    chains="PREROUTING POSTROUTING OUTPUT";;

      mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;

      filter) chains="INPUT FORWARD OUTPUT";;

      *)      chains="";;

   esac

   local chain

   for chain in ${chains} ; do

      ${iptables_bin} -t ${table} -P ${chain} ${policy}

   done

}

checkkernel() {

   if [[ ! -e ${iptables_proc} ]] ; then

      eerror "Your kernel lacks ${iptables_name} support, please load"

      eerror "appropriate modules and try again."

      return 1

   fi

   return 0

}

checkconfig() {

   if [[ ! -f ${iptables_save} ]] ; then

      build || return 1

   fi

   return 0

}

start() {

   checkconfig || return 1

   ebegin "Loading ${iptables_name} state and starting firewall"

   ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"

   update || return 1

   eend $?

}

stop() {

   if [[ ${SAVE_ON_STOP} == "yes" ]] ; then

      save || return 1

   fi

   checkkernel || return 1

   ebegin "Stopping firewall"

   for a in $(<${iptables_proc}) ; do

      ${iptables_bin} -F -t $a

      ${iptables_bin} -X -t $a

      set_table_policy $a ACCEPT

   done

   eend $?

}

reload() {

   checkkernel || return 1

   ebegin "Flushing firewall"

   for a in $(<${iptables_proc}) ; do

      ${iptables_bin} -F -t $a

      ${iptables_bin} -X -t $a

   done

   eend $?

   start

}

save() {

   ebegin "Saving ${iptables_name} state"

   touch "${iptables_save}"

   chmod 0600 "${iptables_save}"

   ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"

   eend $?

}

panic() {

   checkkernel || return 1

   [[ -e ${svcdir}/started/${iptables_name} ]] && svc_stop

   ebegin "Dropping all packets"

   for a in $(<${iptables_proc}) ; do

      ${iptables_bin} -F -t $a

      ${iptables_bin} -X -t $a

      set_table_policy $a DROP

   done

   eend $?

}

############################################################################

# CHECK IF THE INTERFACE IS UP AND RETURN 0 IF IT IS

iface_is_up() {

local check="\<UP\>" addr=${2:-false}

${addr} && check="\<addr:.*${check}"

/sbin/ifconfig ${1} 2>/dev/null | grep -v Scope | xargs | grep -Eq "${check}" && return 0

return 1

}

############################################################################

# OBTAIN ALMOST ALL INFORMATION NEEDED ABOUT ONE INTERFACE

define_iface(){

IFACE=$2

if iface_is_up $IFACE ; then

   if iface_is_up $IFACE true ; then

      IFACE=${IFACE}

   elif [[  -e "/var/run/adsl-${IFACE}.pid.pppd"  ]]; then

      for (( i=0 ; i<=10 ; i++ )); do # Who have ppp10?

         if [[ -e /var/run/ppp$i.pid && `cat /var/run/ppp$i.pid` == `cat /var/run/adsl-${IFACE}.pid.pppd` ]]; then

         IFACE=ppp$i

         break

         fi

      done

   else

      eerror "${IFACE} is not up in any supported way."

      eval ${1}_IF="down"

      return 1

   fi

else

   eerror "${IFACE} is not up"

   eval ${1}_IF="down"

   return 1

fi

IFCONFIG="/sbin/ifconfig"

GREP="/bin/grep"

CUT="/bin/cut"

IPBIN="/sbin/ip"

IFACESDIR="/var/tmp/ifaces"

IP="`${IFCONFIG} ${IFACE} | ${GREP} -m1 -o 'inet addr:[^ ]*' | ${CUT} -d: -f2`"

BC="`${IFCONFIG} ${IFACE} | ${GREP} -m1 -o 'Bcast:[^ ]*' | ${CUT} -d: -f2`"

GW="`${IFCONFIG} ${IFACE} | ${GREP} -m1 -o 'P-t-P:[^ ]*' | ${CUT} -d: -f2`"

MSK="`${IFCONFIG} ${IFACE} | ${GREP} -m1 -o 'Mask:[^ ]*' | ${CUT} -d: -f2`"

NET="`${IPBIN} route | grep ${IFACE} | ${GREP} -m1 -o '[^ ]* dev' | ${CUT} -d" " -f1`"

einfo "$IFACE:  IP=$IP  Broadcast/Gateway=${BC:-$GW}   Mask=$MSK   Net=$NET"

[[ -e $(add_suffix $IFACESDIR/${1}) ]] && source "$(add_suffix $IFACESDIR/${1})"

eval "OLD_IF=\$${1}_IF"

eval "OLD_IP=\$${1}_IP"

eval "OLD_BC=\$${1}_BC"

eval "OLD_GW=\$${1}_GW"

eval "OLD_MSK=\$${1}_MSK"

eval "OLD_NET=\$${1}_NET"

if [[ ${IFACE} == $OLD_IF && ${IP} == $OLD_IP && ${GW} == $OLD_GW && ${NET} == $OLD_NET ]]; then

   return 2

else

   [[ -e $(add_suffix $IFACESDIR/${1}) ]] && rm "$(add_suffix $IFACESDIR/${1})"

   IS_UPDATED="yes"

   touch $IFACESDIR/${1}

   echo ${1}_IF=$IFACE >> $IFACESDIR/${1}

   echo ${1}_IP=$IP       >> $IFACESDIR/${1}

   echo ${1}_BC=$BC       >> $IFACESDIR/${1}

   echo ${1}_GW=$GW       >> $IFACESDIR/${1}

   echo ${1}_MSK=$MSK    >> $IFACESDIR/${1}

   echo ${1}_NET=$NET    >> $IFACESDIR/${1}

   if [[ $( type -t ${1}_onupdate ) == "function" ]]; then

      ${1}_onupdate || return 1

   fi

fi

eval ${1}_IF=$IFACE

eval ${1}_IP=$IP

eval ${1}_BC=$BC

eval ${1}_GW=$GW

eval ${1}_MSK=$MSK

eval ${1}_NET=$NET

return 0

}

############################################################################

# FLUSH EVERYTHING ON THE FIREWALL

fflush(){

# Flush all existing chains and erase personal chains

CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`

for i in $CHAINS # Delete all rules in chains or all chains

   do

   eval ${iptables_bin} -t $i -F

   done

for i in $CHAINS # Delete user defined chains

   do

   eval ${iptables_bin} -t $i -X

   done

}

############################################################################

# MAKE and UPDATE

build(){

FORCEBUILD="true"

if [[ $( type -t build_firewall ) == "function" ]]; then

   build_firewall || return 1

else

   eerror "Not starting ${iptables_name}.  First create some rules then run:"

   eerror "Look at /etc/conf.d/firewall and add your commands to build_firewall()"

   eerror "/etc/init.d/${iptables_name} save"

   return 1

fi

return 0

}

update(){

FORCEBUILD="false"

if [[ $( type -t build_firewall ) == "function" ]]; then

   build_firewall || return 1

else

   eerror "Not starting ${iptables_name}.  First create some rules then run:"

   eerror "Look at /etc/conf.d/firewall and add your commands to build_firewall()"

   eerror "/etc/init.d/${iptables_name} save"

   return 1

fi

return 0

}

############################################################################

# IF YOU HAVE MULTIPLE DEFAULT ROUTES (ISPs), YOU HAVE TO CALL THIS FUNCTION TO DO SPLITCONNECTION

enrouteit(){

ebegin "-- Making route and rules tables --"

eindent

eindent

eindent

# First we flush our current defaults gateways

for (( i=1 ; i<=$# ; i++ )); do

   eval ${ip_bin} route flush table $i

   eval ${ip_bin} route flush table 20$i

done

eval ${ip_bin} rule flush

eval ${ip_bin} rule add from all table default priority 32767

eval ${ip_bin} rule add from all table main priority 32766

for (( i=1 ; i<=$# ; i++ )); do

   eval "ALIAS=\$$i"

   eval "${ALIAS}_MARK=${i}"

   eval "TEMP_NET=\$${ALIAS}_NET"

   eval "TEMP_IF=\$${ALIAS}_IF"

   eval "TEMP_IP=\$${ALIAS}_IP"

   einfo "$ALIAS Mark is $i and his route table is $i"

# If the interface is down it will go throught the main table,

# so, if there is some internet connection active on main table

# it will be used as fallback

   if [[ ${TEMP_IF} != "down" ]]; then

     eval ${ip_bin} route add default dev ${TEMP_IF} table 20$i

       eval ${ip_bin} route add ${TEMP_NET} dev ${TEMP_IF} \

         proto kernel scope link src ${TEMP_IP} table 20$i

     eval ${ip_bin} route add default dev ${TEMP_IF} table $i

       eval ${ip_bin} route add ${TEMP_NET} dev ${TEMP_IF} \

         proto kernel scope link src ${TEMP_IP} table $i

   fi

   eval ${ip_bin} route add ${LAN_NET} dev ${LAN_IF} proto kernel scope link src ${LAN_IP} table 20$i

   eval ${ip_bin} route add 127.0.0.0/8 dev lo table 20$i

   eval ${ip_bin} route add ${LAN_NET} dev ${LAN_IF} proto kernel scope link src ${LAN_IP} table $i

   eval ${ip_bin} route add 127.0.0.0/8 dev lo table $i

done

eindent

for (( i=1 ; i<=$# ; i++ )); do

   eval ${ip_bin} rule add from all table 20$i priority 3200$i

   eval ${ip_bin} rule add fwmark $i table $i priority 1000$i

done

eoutdent

# This set of commands makes sure all answers to traffic coming in on a particular

# interface get answered from that interface. So, now you can masquerade with your

# firewall what you want to send for ppp1 and what for ppp0.

eval ${ip_bin} route flush cache

eoutdent

eoutdent

eoutdent

return 0

}

```

filename: /etc/conf.d/firewall

usage:

Edit the ovius main function acording to your needs.

```
#!/bin/bash

# Copyright 2006 Diego Jacobi

# Distributed under the terms of the GNU General Public License v2

#nano /etc/sysctl.conf

# Add/Uncomment the following lines:

#net.ipv4.ip_forward = 1

#net.ipv4.conf.default.rp_filter = 1

###### What kind of firewall your system use

FIREWALL="iptables" # default

#firewall="ip6tables"

IPBIN="/sbin/ip"

##### for IPTABLES or IP6TABLES commands use  #####

# eval ${iptables_bin} --whatever ...

##### You can use any other command as well #####

# like:

# eval ${ipbin} route/rule --whatever ...

############################################################################

# PLACE HERE YOUR FIREWALL RULES, YOU HAVE SOME COMMENTED EXAMPLES HERE

build_firewall() {

# Here we will define the interfaces and the alias for each one

# Our script will obtain all needed information for us

# sufix _IF means InterFace

# sufix _IP means IP address

# sufix _GW means Gateway

# sufix _BC means Broadcast

# sufix _MSK means Mask

# sufix _NET means Network in the form 192.168.1.0/255.255.255.0

# example:

# define_iface eth0 LAN

# define_iface eth1 ISP

# LAN_IP    ,   LAN_IF    ,    ISP_IF    ,     ISP_GW    ,    etc

einfo "Defining interfaces. Obtaining information."

eindent

# YOU MUST PLACE ONLY THE ETHERNET DEVICE. AS CONFIGURED IN /etc/conf.d/net

mkdir /var/tmp/ifaces # this line post a warning "directory already exist"

# LAN Interface

# Traffic comming from this IP will go throught a splitted connection

define_iface LAN eth0

# ISPs Interfaces

# Internet Service provider 1

define_iface ARNET eth1

# Internet Service provider 2

define_iface CIUDAD eth2

eoutdent

# IF YOU HAVE MULTIPLE DEFAULT ROUTES (ISPs), YOU HAVE TO CALL THIS FUNCTION TO DO SPLITCONNECTION

# Build routes from scratch to make load balancing with 2 ISP

# CIUDAD will be the default server for unmatched traffic

enrouteit CIUDAD ARNET

if [[ $FORCEBUILD != "true" && $IS_UPDATED != "yes" ]]; then

   # Interfaces wasn't updated, we dont need to do anything

   # if you change the rules, run /etc/init.d/firewall make

   einfo "There is nothing to update"

   return 1

fi

# be sure to define your smtp correctly, depending on which interface the local SMTP is going out

if [[ ${ARNET_IF} != "down" ]]; then

   echo ':smtp.arnet.com.ar dyn_tomtel dyn55555' > /var/qmail/control/smtproutes

fi

if [[ ${CIUDAD_IF} != "down" ]]; then

   echo ':smtp.ciudad.com.ar dyn_tt dyn55555' > /var/qmail/control/smtproutes

fi

ebegin "-- Making Firewall Rules --"

eindent

eindent

eindent

# First we flush our current rules

einfo "Clearing all firewall tables."

fflush

##########################################################################

#

#   THIS IS A MOST VERY COMMON FIREWALL SETUP

# IT ISN'T THE MOST SECURE, BUT IT HAVE ALMOST ALL WHAT PEOPLE NEED

#

##########################################################################

# Setup default policies to handle unmatched traffic

einfo "Setting Policies. INPUT DROP, OUTPUT ACCEPT, FORWARD DROP"

eval ${iptables_bin} -P INPUT DROP

eval ${iptables_bin} -P OUTPUT ACCEPT

eval ${iptables_bin} -P FORWARD DROP

#eval ${iptables_bin} -t nat -P PREROUTING ACCEPT

#eval ${iptables_bin} -t nat -P POSTROUTING ACCEPT

# this line allows outgoing connections to be answered

eval ${iptables_bin} -I INPUT -m state --state ESTABLISHED -j ACCEPT

# There must be a DNS caching daemon like BIND to let lan clients know the outside world

eval ${iptables_bin} -A FORWARD -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT

eval ${iptables_bin} -A FORWARD -i ${LAN_IF} -d ${LAN_NET} -j DROP

##########################################################################

# IN THE NEXT LINES WE WILL EXPLICITLY TELL TO THE FIREWALL:

# WHAT CONNECTION WE WANT TO GET FROM OUTSIDE (http,http,pop3,smtp,etc)

# WHAT PORTS SHOULD BE BLOCKED (emule, msn, kazaa, games, etc.)

#   Note: Some windows spyware use some ports to comunicate with its autor,

#   with a default policy to ACCEPT you will allow spyware to do what they do,

#   so, you can block the ports (if you know it) or explicitly define 

#   what ports can go outside, which for common people is a lot of work

# WHAT LAN PORTS SHOULD BE FORWARDED (some games need that or a DMZ too)

##########################################################################

############ We lock our services so they only work from the LAN ############

einfo "ACCEPT all connections from LAN and our self"

# (Needed of course) (Default on)

# Operate in localhost without limitations

eval ${iptables_bin} -I INPUT -i lo -j ACCEPT

if [[ ${ARNET_IF} != "down" ]]; then

   # Our ip will have complete access

   eval ${iptables_bin} -I INPUT -s ${ARNET_IP} -j ACCEPT

fi

if [[ ${CIUDAD_IF} != "down" ]]; then

   # Our ip will have complete access

   eval ${iptables_bin} -I INPUT -s ${CIUDAD_IP} -j ACCEPT

fi

# (Default on) If you comment you will not have access to here from the LAN_NETwork

eval ${iptables_bin} -I INPUT -s ${LAN_NET} -j ACCEPT

############ Now we start to filter ############

# (e-Mail server)   (Optional)       (Default on)

einfo "ACCEPT incomming mails from anywhere"

eval ${iptables_bin} -A INPUT -p TCP --dport 25 -j ACCEPT  

eval ${iptables_bin} -A INPUT -p UDP --dport 25 -j ACCEPT

einfo "ACCEPT access to our IMAP/POP3 SSL server from anywhere"

eval ${iptables_bin} -A INPUT -p TCP --dport 993 -j ACCEPT #imap-ssl

eval ${iptables_bin} -A INPUT -p UDP --dport 993 -j ACCEPT #imap-ssl

eval ${iptables_bin} -A INPUT -p TCP --dport 995 -j ACCEPT #pop3-ssl

eval ${iptables_bin} -A INPUT -p UDP --dport 995 -j ACCEPT #pop3-ssl

# Using non ssl imap server for local connections (like a webinterface) and lan

einfo "ACCEPT access to our IMAP/POP3 server from LAN and localhost"

eval ${iptables_bin} -A INPUT -s ${LAN_NET} -p TCP --dport 143 -j ACCEPT

eval ${iptables_bin} -A INPUT -s ${LAN_NET} -p UDP --dport 143 -j ACCEPT

#eval ${iptables_bin} -A INPUT -p TCP --dport 110 -j ACCEPT

#eval ${iptables_bin} -A INPUT -p UDP --dport 110 -j ACCEPT

# (web proxy)   (Optional) (Default off)

einfo "REDIRECTing port 80 on ${LAN_NET} to use squid as a transparent proxy"

iptables -t nat -A PREROUTING -s ${LAN_NET} -p tcp --dport 80 -j REDIRECT --to-port 3128

########## Drop TCP / UDP packets to privileged ports ##########

einfo "DROP privileged ports (1:1024,10000) from anywhere except ${LAN_IF}."

eval ${iptables_bin} -A INPUT -p TCP -s ! ${LAN_NET} --dport 1:1024 -j DROP

eval ${iptables_bin} -A INPUT -p UDP -s ! ${LAN_NET} --dport 1:1024 -j DROP

eval ${iptables_bin} -A INPUT -p TCP -s ! ${LAN_NET} --dport 10000 -j DROP # webmin

eval ${iptables_bin} -A INPUT -p TCP -s ! ${LAN_NET} --dport 3128 -j DROP  # squid

############ Marking packages to split connection ############

# Use this only if you have multiple ISP

einfo "Marking packages to split connection."

# By default all computers and ports on my LAN goes throught the fast connection CIUDAD

eval ${iptables_bin} -A PREROUTING -s ${LAN_NET} -t mangle -j MARK --set-mark ${CIUDAD_MARK}

# OUTGOING CONNECTIONS FROM LOCALHOST

# with the next line squid will get all html pages from CIUDAD ISP

eval ${iptables_bin} -A OUTPUT -t mangle -p TCP --dport 80 -j MARK --set-mark ${CIUDAD_MARK}

eval ${iptables_bin} -A OUTPUT -t mangle -p UDP --dport 80 -j MARK --set-mark ${CIUDAD_MARK}

eval ${iptables_bin} -A OUTPUT -t mangle -p TCP --dport 443 -j MARK --set-mark ${CIUDAD_MARK}

eval ${iptables_bin} -A OUTPUT -t mangle -p UDP --dport 443 -j MARK --set-mark ${CIUDAD_MARK}

eval ${iptables_bin} -A OUTPUT -t mangle -p TCP --dport 8080 -j MARK --set-mark ${CIUDAD_MARK}

eval ${iptables_bin} -A OUTPUT -t mangle -p UDP --dport 8080 -j MARK --set-mark ${CIUDAD_MARK}

# with the next line bind will get all dns from CIUDAD ISP

eval ${iptables_bin} -A OUTPUT -t mangle -p TCP --dport 53 -j MARK --set-mark ${CIUDAD_MARK}

eval ${iptables_bin} -A OUTPUT -t mangle -p UDP --dport 53 -j MARK --set-mark ${CIUDAD_MARK}

# I prefer send heavy connections throught ARNET and fast connections throught CIUDAD

eval ${iptables_bin} -A PREROUTING -s ${LAN_NET} -t mangle -p TCP --dport 20:21 -j MARK --set-mark ${ARNET_MARK}

eval ${iptables_bin} -A PREROUTING -s ${LAN_NET} -t mangle -p UDP --dport 20:21 -j MARK --set-mark ${ARNET_MARK}

# This hosts will have to go throught the heavy connection (sorry for them, but they dont need the faster)

eval ${iptables_bin} -A PREROUTING -s 192.168.1.12 -t mangle -j MARK --set-mark ${ARNET_MARK}

eval ${iptables_bin} -A PREROUTING -s 192.168.1.11 -t mangle -j MARK --set-mark ${ARNET_MARK}

eval ${iptables_bin} -A PREROUTING -s 192.168.1.10 -t mangle -j MARK --set-mark ${ARNET_MARK}

eval ${iptables_bin} -A PREROUTING -s 192.168.1.9 -t mangle -j MARK --set-mark ${ARNET_MARK}

eval ${iptables_bin} -A PREROUTING -s 192.168.1.101 -t mangle -j MARK --set-mark ${ARNET_MARK}

########## Add the rules for NAT ##########

if [[ ${ARNET_IF} != "down" ]]; then

  einfo "Making NAT rules throught ${ARNET_IF} for ${LAN_IF}."

  # Forward back connections from internet

  eval ${iptables_bin} -A FORWARD -i ${ARNET_IF} -d ${LAN_NET} -m state --state ESTABLISHED -j ACCEPT

  # Enables masquerading on this interfaces (NAT) (Network Address Translation)

  # What want to go outside will go with the respective ISP IP address attached to it

  eval ${iptables_bin} -t nat -A POSTROUTING -s ${LAN_NET} -o ${ARNET_IF} -j MASQUERADE

  

fi

if [[ ${CIUDAD_IF} != "down" ]]; then

  einfo "Making NAT rules throught ${CIUDAD_IF} for ${LAN_IF}."

  # Forward back connections from internet

  eval ${iptables_bin} -A FORWARD -i ${CIUDAD_IF} -d ${LAN_NET} -m state --state ESTABLISHED -j ACCEPT

  # Enables masquerading on this interfaces (NAT) (Network Address Translation)

  # What want to go outside will go with the respective ISP IP address attached to it

  eval ${iptables_bin} -t nat -A POSTROUTING -s ${LAN_NET} -o ${CIUDAD_IF} -j MASQUERADE

fi

# Tell the kernel that ip forwarding is OK

echo 1 > /proc/sys/net/ipv4/ip_forward

# if you use split connection or multiple default routes: Disabling rp_filter

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $f ; done

# if you have a normal one default connection:

#for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

eoutdent

eoutdent

eoutdent

einfo "-- Firewall finished --"

einfo "If your have problems, you can debug trying:"

eindent

eindent

eindent

einfo "\"netstat -puta\" to see open and stablished connections."

einfo "\"netstat -puta\" an Accept Policy will allow connections to be stablished when you are debuging."

einfo "\"iptraf\" to see what request are being sended and if it is blocked or not."

eoutdent

eoutdent

eoutdent

do_dinamic_dns_stuff

eend $?

# This is so when we boot we don't have to run the rules by hand

save || return 1

}

############################################################################

# SOME INSTRUCTIONS TO OPEN COMPLETELY THE NETWORK AND BE EXPOSED

open() {

stop

return 0

}

############################################################################

# SOME INSTRUCTIONS TO CLOSE COMPLETELY THE NETWORK AND BE AISLATED

close(){

panic

return 0

}

do_dinamic_dns_stuff(){

einfo "-- Updating dinamic DNS at FreeDNS.Afraid.org --"

eindent

eindent

eindent

textbrowser=/usr/bin/links

url_count=5;

name[0]='mydomain.com.ar'

url[0]='http://freedns.afraid.org/dynamic/update.php?FDSGVFDARmysupernumber'

name[1]='myotherdomain.com.ar'

url[1]='http://freedns.afraid.org/dynamic/update.php?FDSAFWERCVSDAmysupernumber2'

# this can be done in better ways, but i was really tired when i do this (and this isnt the better place to have it)

for (( i=0 ; i<$url_count ; i++ )); do

  einfo "Updating Address $i of $url_count -- Domain: ${name[$i]}"

  $textbrowser -dump ${url[$i]} &>/dev/null

done

eoutdent

eoutdent

eoutdent

return 0

}

#ARNET_onupdate(){

## Just in case you need to log or something, you can place your instructions here

#return 0

#}

#CIUDAD_onupdate(){

## Just in case you need to log or something, you can place your instructions here

#return 0

#}

```

ATENTION.

The script is unfinished but functional and commented for me, as you see and i delete some thing which i dont want to tell to the world

Getting information

it extracts all information needed by a firewall of each declared interface with a nickname or alias

define_iface ALIAS ethx

this function only works for ethernets and ppp connections, so if you have other ways to connect like wifi you will have to do a modification, dont worry, is easy

before define the alias you can access all information you need by appending a _IP or _NET, etc. look at the script for detailed information

routing

before make any tables you will have to route

route are deleted when an interface goes down, at diference of iptables

I made a function to automate the proccess for a dual connection (doing spltconnection and using IPMARK as ALIAS_MARK). It works perfectly but remember to have advanced routing activated when compiling. If you have only one internet interface you can teorically use it, but you need to have advanced routing on the firewall which is not by default (i guess)

my two connections are called ARNET and CIUDAD which are the names of my providers.

making split connections takes me a lot of work, there is nothing more than a bit of information about it on internet, but ones you understand it, is really easy.

making the tables

Only you can do this and i am sure you can find better and simpler examples that my.

If you dont know anything about iptables, i will tell you, it is power, iptables cant be automated with a gui tool without reducing all major features and converting it as a normal windows firewall. DO YOUR OWN SCRIPT, at least copy it to somebody.

If you talk spanish this is the better tutorial which i can found http://www.pello.info/filez/firewall/iptables.html.

Remember to use the variables ${iptables} ${ALIAS_IP} ${ALIAS_NET} ${ALIAS_WHATEVER}

variables will only change if your configuration changes or you loss the connection at some point

thats all. now build

```
/etc/init.d/firewall build
```

you will want to add this to /etc/conf.d/net

```
postup() {

# Restart firewall

/etc/init.d/firewall update

# Add dinamic DNS script here

#...

return 0;

}

postdown() {

# Restart firewall

/etc/init.d/firewall update

# por default de gentoo

if is_net_fs /; then

  eerror "root filesystem is network mounted -- can't stop ${IFACE}"

  return 1

fi

return 0

}
```

and also you will want to cron firewall build hourly becouse i couldnt fix just one thing

when adsl connection changes the ip postup is never called becouse ppp doas the reconnection and not the gentoo scripts.

maybe someone can find a fix.

I wont continue this script this year becouse my vacations are finishing i dont want to have work to do on the rest of this days.

good look

----------

