[fw-wiz] Ipchains Questions!

From: Δημήτρης Δεμίρης (ddemiris@microstore.gr)
Date: 11/01/02


From: "Δημήτρης Δεμίρης" <ddemiris@microstore.gr>
To: <firewall-wizards@honor.icsalabs.com>
Date: Fri Nov  1 08:31:29 2002

Hello,

Here is the problem:

I have a Linux server that acts as a router for a network. It has two
Ethernet cards installed and a permanent connection on one card.
I want to be able to "cut" the internet access on a group of workstations,
e.g. 192.168.1.21 to 192.168.1.30, but still have LAN access... the firewall is
working with ipchains now just fine.

I'm sending you my example /etc/rc.d/init.d/firewall script...

#!/bin/sh
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
extip="192.168.0.1"
extif="eth0"
intif="eth1"
intnet="192.168.1.0/24"
ipchains -M -S 7200 10 60
ipchains -F input
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -F forward
ipchains -P forward DENY
# Setup input policy
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intif -s $intnet -d 0.0.0.0/0 -j ACCEPT
# reject IP spoofing where external computer claims to be a local
ipchains -A input -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT
# allow external access via external interface
ipchains -A input -i $extif -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# Setup output policy
# all outgoing traffic is allowed
ipchains -A output -i $intif -s 0.0.0.0/0 -d $intnet -j ACCEPT
# prevent traffic for local network from using external interface
ipchains -A output -i $extif -s 0.0.0.0/0 -d $intnet -l -j REJECT
# prevent traffic from local network from using external interface
ipchains -A output -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else can go out
ipchains -A output -i $extif -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# Setup forwarding policy
# Masquerade local net traffic to anywhere
ipchains -A forward -i $extif -s $intnet -d 0.0.0.0/0 -j MASQ

Thank you in advance.

-----------------------------------------------------------------
Dimitris P. Demiris -- System Administrator, Microstore SA
K. Kartali 206, 38221 Volos - Greece.
Tel : +30421-78230 / +30421-47802
Fax : +30421-78232 / +30421-49835
GSM Phone : +30932-254990
Email: Dimitris.Demiris@microstore.gr
WWW : http://www.microstore.gr
ICQ Number: 127016024
Fingerprint: 5D8F F443 C09A 768A 88A7 4AF1 DEC3 8353 9F1C C4FD
-----------------------------------------------------------------

-Gorgan Network-
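One way to do what the post asks, as an added example that is not part of the original message or the poster's script: the only traffic those workstations send through the router is what gets forwarded, since LAN-to-LAN traffic on 192.168.1.0/24 never reaches the router and the input rule on the inside interface still lets them talk to the router itself. The poster's forward chain has policy DENY and a single MASQ rule that accepts the whole LAN, so a per-host DENY has to sit in front of it; the script below inserts one logged DENY rule per host at the head of the forward chain. It assumes the interface name (eth0), LAN prefix (192.168.1) and chain layout from the posted script, prints the ipchains commands by default so they can be checked, and applies them only when APPLY=1 is set. ipchains cannot express .21 to .30 as one netmask, which is why it loops over hosts.

```shell
#!/bin/sh
# Added example, not the original poster's script: generate ipchains rules
# that stop forwarding for a contiguous range of LAN hosts while the rest of
# the firewall (input/output chains, MASQ rule) stays as posted.
#
# Assumptions taken from the post: external interface eth0, LAN 192.168.1.0/24,
# forward chain policy DENY with one "-j MASQ" rule for the whole LAN.

extif="eth0"
lanprefix="192.168.1"

# gen_block_rules FIRST LAST
# Emit one DENY rule per host .FIRST through .LAST. "-I forward 1" puts each
# rule at the head of the forward chain, ahead of the MASQ rule, and "-l"
# logs matches so blocked attempts are visible in the kernel log.
gen_block_rules() {
    first=$1
    last=$2
    if [ "$first" -gt "$last" ]; then
        echo "range must be ascending (got $first > $last)" >&2
        return 1
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "ipchains -I forward 1 -i $extif -s $lanprefix.$i/32 -d 0.0.0.0/0 -l -j DENY"
        i=$((i + 1))
    done
}

# gen_unblock_rules FIRST LAST
# The matching "-D" commands that remove exactly the rules added above,
# so access can be restored without flushing the whole forward chain.
gen_unblock_rules() {
    gen_block_rules "$1" "$2" | sed 's/ -I forward 1 / -D forward /'
}

# count_rules FIRST LAST: number of rules that would be generated (one per host).
count_rules() {
    gen_block_rules "$1" "$2" | wc -l | tr -d ' '
}

# Default range is the one from the post (.21 to .30); override with
# positional arguments. Rules are only executed when APPLY=1.
if [ "${APPLY:-0}" = "1" ]; then
    gen_block_rules "${1:-21}" "${2:-30}" | sh
else
    gen_block_rules "${1:-21}" "${2:-30}"
fi
```

Run it once without APPLY to read the ten commands it would issue, then with APPLY=1 to load them; "ipchains -L forward -n" afterwards should show the ten DENY lines above the MASQ line. Because the rules match on source address only, a workstation that changes its IP address steps outside the block, so this is an access-control convenience rather than a hard boundary.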


