Home Networking Question
Ben Beeson
beesond001 at hawaii.rr.com
Fri Mar 16 00:04:56 PST 2001
Warren,
I sure can post those script(s), but you'll probably hate me afterwards
;-). I am using the pmfirewall with masquerading enabled. Sorry for the
length of the scripts, but they are automatically generated by the
installer -- also a script... It's a pretty cool basic firewall, I only hope I
didn't screw it up .... If you want to skip ahead, the masquerading part is
towards the bottom, just below the detailed rules. Anyway, here goes...
*****************************************************************
This is the "main" script that starts, stops, etc. It is linked from
/etc/rc.d/init.d to where it really lives.
#!/bin/sh
# pmfirewall
# chkconfig: 2345 50 80
# description: Control script for pmfirewall package.
#
CONFIG_DIR=/usr/local/pmfirewall
# Source function library.
. /etc/rc.d/init.d/functions
## Read Configuration File
. $CONFIG_DIR/pmfirewall.conf
case "$1" in
#####START FIREWALL#####
  start)
    echo -n "Starting PMFirewall:"
    ## Flush rule sets, start from scratch
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    ## Read firewall rules (order matters: ipchains takes the first match)
    . $CONFIG_DIR/pmfirewall.rules.1
    . $CONFIG_DIR/pmfirewall.rules.local
    ## Read Masq Rules
    . $CONFIG_DIR/pmfirewall.rules.masq
    # Allow incoming and outgoing ICMP
    $IPCHAINS -A input -p icmp -s $REMOTENET -d $OUTERNET -j ACCEPT
    $IPCHAINS -A output -p icmp -s $OUTERNET -d $REMOTENET -j ACCEPT
    # These are open to sockets created by connections allowed by ipchains
    $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1023:65535 -j ACCEPT
    $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 1023:65535 -j ACCEPT
    ## Set default policy (anything not matched above is denied and logged)
    $IPCHAINS -A output -j ACCEPT
    $IPCHAINS -A input -j DENY -l
    echo " Done!"
    echo ""
    echo "Internal: $INTERNALIF $INTERNALNET"
    echo "External: $OUTERIF $OUTERNET"
    echo "" ;;
#####STOP FIREWALL####
  stop)
    echo ""
    echo -n "Shutting down PMFirewall:"
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    echo " Done!"
    echo "" ;;
#####START MASQ#####
  masqstart)
    echo ""
    echo -n "Starting IP Masquerading:"
    ## Read Masq Rules
    . $CONFIG_DIR/pmfirewall.rules.masq
    echo " Done!"
    echo ""
    echo "Internal: $INTERNALIF $INTERNALNET"
    echo "External: $OUTERIF $OUTERNET"
    echo "" ;;
#####STOP MASQ#####
  masqstop)
    echo ""
    echo -n "Shutting down IP Masquerading:"
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    echo " Done!"
    echo "" ;;
  restart)
    $0 stop
    $0 start
    ;;
  uninstall)
    $CONFIG_DIR/uninstall
    ;;
  *)
    echo ""
    echo " USAGE: pmfirewall [command] "
    echo ""
    echo " COMMANDS:"
    echo "   start      Enables PMFirewall and Masquerading (if installed)."
    echo "   stop       Disables PMFirewall and Masquerading (if installed)."
    echo "   restart    Flushes and reloads the rules in PMFirewall."
    echo "   masqstart  Enables IP Masquerading only (no firewall)."
    echo "   masqstop   Disables IP Masquerading only (no firewall)."
    echo "   uninstall  Completely removes PMFirewall."
    echo "   help       Displays this list of options."
    echo ""
    exit 1 ;;
esac
exit 0
******************************************
This is the configuration definitions file .....
#!/bin/sh
# pmfirewall.conf - used by pmfirewall package
IPCHAINS=/sbin/ipchains
ATBOOT=1
CONFIG_DIR=/usr/local/pmfirewall
OUTERIF=eth0
REMOTENET=0/0
OUTERIP=`ifconfig $OUTERIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
OUTERMASK=`ifconfig $OUTERIF | grep Mas | cut -d : -f 4`
OUTERNET=$OUTERIP/$OUTERMASK
INTERNALIF=eth1
INTERNALIP=`ifconfig $INTERNALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
INTERNALMASK=`ifconfig $INTERNALIF | grep Mas | cut -d : -f 4`
INTERNALNET=$INTERNALIP/$INTERNALMASK
***********************************************************
The Basic Firewall rules are here
#!/bin/sh
# pmfirewall.rules.1 used by pmfirewall package
#
#### Start Firewall ####
## Allow loopback interface
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
# Allow packets with ack bit set, they are from an established connection.
$IPCHAINS -A input ! -y -p tcp -s $REMOTENET -d $OUTERNET -j ACCEPT
# Block incoming IP Spoofing
# Turn on Source Address Verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > $f
  done
fi
#Turn on SYN COOKIES PROTECTION (Thanks Holger!)
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# Now read pmfirewall.rules.local
**************************************************
More rules here -- my desires reflected in the 'automatically generated... '
part.........
#!/bin/sh
# pmfirewall.rules.local
# ver.PM1 (do not remove this line)
### BEGIN SYSTEM DEFAULTS ###
# Block Nonroutable IP's from entering on the External Interface
$IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF
# - Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.
#
# Back Orifice (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
# NetBus (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
# Trin00 (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 27665 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 27444 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31335 -j DENY -l
# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $REMOTENET -j DENY
$IPCHAINS -A input -s $REMOTENET -d 224.0.0.0/8 -j DENY
### END SYSTEM DEFAULTS ###
#### EXAMPLES ###
### ALLOWED NETWORKS
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.
#$IPCHAINS -A input -s [trusted host/net] -d $OUTERNET <ports> -j ACCEPT
### BLOCKED NETWORKS
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause problems. These packets are logged.
#$IPCHAINS -A input -s [banned host/net] -d $OUTERNET <ports> -j DENY -l
### BLOCK ICMP ATTACKS
#
#$IPCHAINS -A input -b -i $OUTERIF -p icmp -s [host/net] -d $OUTERNET -j DENY -l
#### END OF EXAMPLES ###
### AUTOMATICALLY GENERATED BY THE INSTALL SCRIPT ###
#DHCP CLIENT ALLOW
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 67:68 -i $OUTERIF -j ACCEPT
#SSH
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 22 -j ACCEPT
#IDENTD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 113 -j REJECT
#NTP
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 123 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 123 -j ACCEPT
#NETBIOS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
#RIP
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 520 -i $OUTERIF -j REJECT
#NFS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
#XSERVER
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
****************************************************
Masquerading rules
#!/bin/sh
#pmfirewall.rules.masq - used by pmfirewall package
#
## Masquerading
## Modules to help certain services
/sbin/depmod -a >/dev/null 2>&1
/sbin/modprobe ip_masq_ftp >/dev/null 2>&1
/sbin/modprobe ip_masq_raudio >/dev/null 2>&1
/sbin/modprobe ip_masq_irc >/dev/null 2>&1
/sbin/modprobe ip_masq_icq >/dev/null 2>&1
/sbin/modprobe ip_masq_quake >/dev/null 2>&1
/sbin/modprobe ip_masq_user >/dev/null 2>&1
/sbin/modprobe ip_masq_vdolive >/dev/null 2>&1
## Masquerading firewall timeouts: tcp conns 14400s (4hrs), tcp after fin pkt 60s, udp 600s (10min)
$IPCHAINS -M -S 14400 60 600
## Set up kernel to enable IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
## Set up kernel to handle dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
## Don't Masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
## Don't Masquerade external interface direct
$IPCHAINS -A forward -s $OUTERNET -d $REMOTENET -j ACCEPT
## Masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
## Set default policy on the forward chain to DENY (only the ACCEPT/MASQ rules above pass)
$IPCHAINS -P forward DENY
## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08
# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
*****************************************************
I hope you find this useful. If you want this firewall package to look at,
point your browser to this URL:
http://www.pointman.org/PMFirewall/
Thanks in advance,
Ben
On Thu, 15 Mar 2001, you wrote:
> Can you post your ipchains script?
>
> It sounds like a DNS problem. If NAT is configured properly you should be
> able to configure your Windows clients behind the Linux box with the same
> DNS settings as the Linux box itself. All requests will simply be routed
> through the Linux box. It works seamlessly for me.
>
> ----- Original Message -----
> From: "Ben Beeson" <beesond001 at hawaii.rr.com>
> To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
> Sent: Thursday, March 15, 2001 9:43 PM
> Subject: [luau] Home Networking Question
>
>
> > Aloha all,
> >
> > I am trying to set up a small home LAN. My Linux box is RH6.0 based and
> > has 2 NICs. My Windoze box has Windows ME and 1 NIC. What I want to do is
> > use the Linux box to masquerade the IP for the Windoze box to share the
> > connection for the internet so both computers can use it at the same time.
> > Now the problem.... I can telnet from the windoze box to the linux box, and I
> > can ping by IP both ways. I can ping by name both ways on the LAN. I cannot
> > however, ping from windoze to outside via anything except the IP address.
> > The rest of the networking stuff on the Linux box works great, so I am not too
> > worried... However, I cannot get the balance of the networking stuff to
> > work correctly on the windoze box until this gets resolved. I think I may
> > have either a routing problem, or a DNS problem, but for the life of me, I
> > can't figure it out. If anyone has any words of wisdom, I would be very
> > grateful.
> >
> > Thanks,
> >
> > Ben
> >
> > ---
> > You are currently subscribed to luau as: warren at togami.com
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> >
>
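To see how ipchains' first-match ordering plays out in the input chain built by the scripts posted above, here is a small Python simulator added to this archive page; it is not part of pmfirewall or the poster's scripts. It transcribes a representative subset of the posted rules in the order the init script sources them (rules.1, rules.local, rules.masq, then the init script's own tail), ignores destination addresses since every packet is addressed to the firewall, and uses a constructed 192.168.1.0/24 as a stand-in for $INTERNALNET.

```python
import ipaddress

OUTERIF = "eth0"                # external interface, as in the posted pmfirewall.conf
INTERNALNET = "192.168.1.0/24"  # constructed stand-in for $INTERNALNET

# Abridged 'input' chain in the order the init script builds it: rules.1,
# rules.local, rules.masq, then the rules appended by the init script itself.
# Fields: protocol, source net, (low, high) dest port, interface, syn, target.
# None means "any"; syn=False models ipchains '! -y' (non-SYN TCP only).
INPUT_CHAIN = [
    (None,   "0.0.0.0/0",  None,           "lo",    None,  "ACCEPT"),   # loopback
    ("tcp",  "0.0.0.0/0",  None,           None,    False, "ACCEPT"),   # ! -y
    (None,   "10.0.0.0/8", None,           OUTERIF, None,  "DENY"),     # anti-spoof
    ("udp",  "0.0.0.0/0",  (31337, 31337), None,    None,  "DENY -l"),  # Back Orifice
    ("tcp",  "0.0.0.0/0",  (22, 22),       None,    None,  "ACCEPT"),   # SSH
    ("udp",  "0.0.0.0/0",  (2049, 2049),   OUTERIF, None,  "DENY -l"),  # NFS
    (None,   INTERNALNET,  None,           None,    None,  "ACCEPT"),   # rules.masq
    ("icmp", "0.0.0.0/0",  None,           None,    None,  "ACCEPT"),
    ("tcp",  "0.0.0.0/0",  (1023, 65535),  None,    None,  "ACCEPT"),   # high ports
    ("udp",  "0.0.0.0/0",  (1023, 65535),  None,    None,  "ACCEPT"),
    (None,   "0.0.0.0/0",  None,           None,    None,  "DENY -l"),  # catch-all
]

def matches(rule, pkt):
    """True if the rule matches the packet (destination address is ignored)."""
    proto, src, ports, iface, syn, _ = rule
    if proto and pkt["proto"] != proto:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ports and not ports[0] <= pkt.get("dport", 0) <= ports[1]:
        return False
    if iface and pkt["iface"] != iface:
        return False
    return syn is None or pkt.get("syn", False) == syn

def verdict(pkt, chain=INPUT_CHAIN):
    """Walk the chain top-down and return the target of the first matching rule."""
    for rule in chain:
        if matches(rule, pkt):
            return rule[5]
    return "DENY"  # chain policy; unreachable here because of the catch-all rule

if __name__ == "__main__":
    # Constructed sample packets arriving on the external interface.
    ext = dict(src="203.0.113.9", iface=OUTERIF)
    for name, pkt in [("SYN to 22", dict(ext, proto="tcp", dport=22, syn=True)),
                      ("ACK to 23", dict(ext, proto="tcp", dport=23, syn=False)),
                      ("10/8 SYN to 22", dict(ext, src="10.1.2.3", proto="tcp", dport=22, syn=True)),
                      ("UDP to 5000", dict(ext, proto="udp", dport=5000))]:
        print(f"{name:15s} -> {verdict(pkt)}")
```

The run shows why the anti-spoof DENY must sit above the SSH ACCEPT, and that the trailing 1023:65535 UDP rule accepts any unsolicited UDP datagram to a high port not explicitly denied earlier, while the '! -y' rule accepts any non-SYN TCP segment regardless of port: both are the stateless approximations ipchains relies on, which is worth knowing when reviewing what the log entries from DENY -l can and cannot tell you.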