192.168.10.0 is my internal network. This masquerades everything in that network as my network's external IP, which is dynamic and changes every time my cable modem gets reset. Which I've been meaning to call and change... Anyways, this denies everything on all other network types. DHCP client runs on eth0, and the DHCP server runs on eth1.

As far as my inetd.conf file, everything's commented out... And for services, I actually deleted lines from here. But, this config file works, cuz this is how it was when I started out. Other services weren't added until later! Anyways, those are easy. Go to the bottom for those.

--- begin ---
root@shitbox:/etc/rc.d# cat rc.ipchains
#!/bin/bash
echo "Activating IPv4 packet forwarding..."
# Let the kernel route between eth1 (LAN) and eth0 (cable modem)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start clean: flush the port-forwarding table and all ipchains chains
/usr/sbin/ipmasqadm portfw -f
/sbin/ipchains -F

echo "Activating IPv4 packet MASQ"
# Anything from the LAN that is not bound for the LAN leaves with the external IP
/sbin/ipchains -A forward -s 192.168.10.0/24 -d ! 192.168.10.0/24 -j MASQ
# RFC 1918 addresses never belong on the external interface (-b = both directions)
/sbin/ipchains -A input -b -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DENY
/sbin/ipchains -A input -b -i eth0 -s 172.16.0.0/12 -d 0.0.0.0/0 -j DENY
/sbin/ipchains -A input -b -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0 -j DENY
/sbin/ipchains -A output -b -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DENY
/sbin/ipchains -A output -b -i eth0 -s 172.16.0.0/12 -d 0.0.0.0/0 -j DENY
/sbin/ipchains -A output -b -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0 -j DENY

echo "Activating IPv4 packet filtering"
--- end ---

This goes between the portfw -f and ipchains -F lines:

/usr/sbin/ipmasqadm portfw -a -P tcp -L {ext IP} 80 -R {int IP} 80
/usr/sbin/ipmasqadm portfw -a -P udp -L {ext IP} 80 -R {int IP} 80

Those are purely examples, showing how you redirect tcp and udp protocols. 80 was the first number to come to mind :)

Hope it helps.

Dennis Stout
Denali Computer Systems

----- Original Message -----
From: "Mahen" <mahen@millinux.com.my>
To: <security-discuss@linuxsecurity.com>
Sent: Tuesday, October 23, 2001 19:39 HRS
Subject: Internet sharing with ipchains

> I got a question.
> I have configured a server to serve as a firewall and
> provide MASQ connection to the internet. Now after I have set my default
> input policy to DENY nobody can connect to the internet via any service
> (www, ftp, etc...). But after I allowed input for port 1023:65535 everything
> seems to work fine. Is there something that I have missed, as allowing
> 1023:65535 is making a big hole in the firewall? My intention for the DENY
> as the default input policy is to allow what I permit and DENY everything by
> default.
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
> ------------------------------------------------------------------------
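As an added example (not Dennis's rc.ipchains and not from the list), here is a hypothetical rc script for the same eth0/eth1 layout that keeps Mahen's default DENY input policy but, instead of opening 1023:65535, accepts only reply-shaped traffic on eth0: non-SYN TCP via `! -y`, UDP into the masquerade port range, DNS answers, and the DHCP client's lease replies. The masquerade port range (61000:65095, the 2.2 kernel default) and the `IPCHAINS=echo` dry-run hook are assumptions; ipchains flag syntax is as documented for the 2.2 tool.

```shell
#!/bin/sh
# Hypothetical hardened rc.ipchains (assumed, not Dennis's script): default
# DENY on input, accepting only reply-shaped traffic instead of 1023:65535.
EXT_IF=eth0                            # cable modem side, dynamic IP
INT_IF=eth1                            # LAN side
INT_NET=192.168.10.0/24
MASQ_PORTS=61000:65095                 # assumed 2.2-kernel masquerade port range
IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # IPCHAINS=echo prints the rules instead

apply_rules() {
    # Enable forwarding only on a real run, not a dry run
    [ "$IPCHAINS" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    # Loopback and the LAN interface are trusted
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Anti-spoofing on eth0, as in the original script, but logged (-l)
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPCHAINS -A input -i "$EXT_IF" -s "$net" -j DENY -l
        $IPCHAINS -A output -i "$EXT_IF" -d "$net" -j DENY -l
    done
    # The DHCP client on eth0 needs the server's replies (udp 67 -> 68)
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 67 -d 0.0.0.0/0 68 -j ACCEPT
    # TCP: accept only non-SYN packets (! -y), i.e. replies to connections
    # opened from inside; a fresh inbound SYN still hits the DENY policy
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -d 0.0.0.0/0 1024:65535 -j ACCEPT
    # UDP replies for masqueraded LAN clients arrive in the masquerade range
    $IPCHAINS -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 "$MASQ_PORTS" -j ACCEPT
    # DNS answers for the firewall box itself
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
    # Everything else arriving on eth0 is dropped and logged
    $IPCHAINS -A input -i "$EXT_IF" -j DENY -l
    # LAN -> Internet is masqueraded; the kernel de-masquerades the replies
    $IPCHAINS -A forward -s "$INT_NET" -d ! "$INT_NET" -j MASQ
}

# Run as: sh rc.ipchains start   (dry run: IPCHAINS=echo sh rc.ipchains start)
if [ "${1:-}" = start ]; then apply_rules; fi
```

If the portfw lines from the post are added, the forwarded port also needs its own `-A input -i eth0 -p tcp -d 0.0.0.0/0 80 -j ACCEPT`, since an inbound SYN to port 80 is exactly what the `! -y` rule refuses.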