ip masquerading not working.

From: Chenome (vanyuan@mweb.co.za)
Date: 09/11/02

Hello all.

I've spent the last 3 days setting up a firewall with iptables. I've
learned quite a lot, and came up with the following firewall... However,
I need to change the default FORWARD policy to DROP. When I do this, the
people on my network can't browse the net. When I change it back (to
accept), it works.

Could anyone please have a look and see what might be wrong. Also, if
anyone can see any "loopholes", let me know.

Thanks a lot.

Derek..

Here follows the script. (Also, I think this script will be useful for
anyone who's running a small network @home or business and only needs
the general ports and so forth enabled... once it's finished and this
last thing has been fixed.)

#!/bin/sh
PATH=/sbin
export PATH
IPT=iptables

# define interfaces
# internal interface
IINT=eth0
# external interface (can be ppp+, eth#, ippp+, etc.)
IEXT=ippp+
# internal network
INTNET=192.168.0.0/24

# First, turn off forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Load appropriate modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Flush all chains and delete user chains
for i in filter nat mangle
do
$IPT -t $i -F
$IPT -t $i -X
done

# Set default policies for chains
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Internal Interfaces
$IPT -A INPUT -i $IINT -j ACCEPT
$IPT -A OUTPUT -o $IINT -j ACCEPT
$IPT -A INPUT -i $IEXT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up ip forwarding and Masquerading for internal network
# POSTROUTING has no incoming interface (-i is rejected there); masquerade
# on the way OUT of the external interface
$IPT -t nat -A POSTROUTING -o $IEXT -j MASQUERADE
# Forward outbound traffic from the LAN ($IINT, not the literal "IINT"), and
# let conntrack pass the replies back; without the second rule a FORWARD
# policy of DROP (the intended setting) blocks all browsing
$IPT -A FORWARD -i $IINT -o $IEXT -j ACCEPT
$IPT -A FORWARD -i $IEXT -o $IINT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP
$IPT -A INPUT -p icmp -j ACCEPT

# ssh Client
$IPT -A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# HTTP Client
$IPT -A INPUT -p tcp -m tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport https --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport webcache --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# DNS Client
$IPT -A INPUT -s 192.168.0.19 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -s 196.2.19.111 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# FTP client (active and passive)
$IPT -A INPUT -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# Email SMTP / pop3
$IPT -A INPUT -p tcp -m tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport pop3 -m state --state ESTABLISHED -j ACCEPT

# A few mangle rules (TOS values: 16 = minimize delay, 8 = maximize
# throughput, 4 = maximize reliability, 2 = minimize cost).
# The multiport match takes --dports/--sports, and -p tcp must precede it.
$IPT -t mangle -A PREROUTING -p tcp -m multiport --dports 80,21,22 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp -m multiport --sports 80,21,22 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos 8
$IPT -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos 8
$IPT -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos 4
$IPT -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos 2

# Re-enable forwarding now that the rules are in place.
# If /etc/sysctl.conf contains "net.ipv4.ip_forward = 1", the sysctl line
# below does it; otherwise comment it out and uncomment the echo line.
/sbin/sysctl -p > /dev/null
# echo 1 > /proc/sys/net/ipv4/ip_forward

#--------------------end----------------------------------

Thanks
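As an added example (not part of the post above or its script), a small shell lint over `iptables-save` output that flags the failure mode Derek describes: a FORWARD policy of DROP with no rule accepting conntrack return traffic, which is what leaves masqueraded LAN clients unable to browse. The two dumps it checks are constructed inline so it runs offline; the interface names eth0 and ippp+ are taken from the post.

```shell
#!/bin/sh
# Lint an iptables-save dump for the fault in the post: FORWARD policy DROP
# with no rule accepting conntrack return traffic, which is exactly what
# stops masqueraded LAN clients from browsing. Usage: iptables-save > d; check_forward d

# check_forward FILE: prints a verdict; returns 0 when replies to forwarded
# connections get through, 1 when FORWARD is DROP and nothing accepts them.
check_forward() {
    dump="$1"
    # Default policy of the FORWARD chain in the *filter table (":FORWARD DROP [0:0]")
    policy=$(awk '/^\*/ { table = $1 }
                  table == "*filter" && $1 == ":FORWARD" { print $2 }' "$dump")
    # Any FORWARD rule in *filter that accepts ESTABLISHED traffic, via the
    # older state match (--state) or the conntrack match (--ctstate)?
    if awk '/^\*/ { table = $1 }
            table == "*filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ &&
            /(--state|--ctstate) [A-Z,]*ESTABLISHED/ { found = 1 }
            END { exit found ? 0 : 1 }' "$dump"; then
        echo "FORWARD policy ${policy:-?}: return traffic accepted explicitly (ok)"
        return 0
    fi
    if [ "$policy" = "ACCEPT" ]; then
        echo "FORWARD policy ACCEPT: works, but forwards everything unfiltered"
        return 0
    fi
    echo "FORWARD policy ${policy:-missing}: no RELATED,ESTABLISHED rule, replies to masqueraded clients are dropped"
    return 1
}

# Constructed sample dumps (not captured from the poster's machine).
BROKEN_DUMP=$(mktemp)   # DROP policy, only the outbound direction accepted
cat > "$BROKEN_DUMP" <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ippp+ -j ACCEPT
COMMIT
EOF
FIXED_DUMP=$(mktemp)    # same, plus the state rule for the reply direction
cat > "$FIXED_DUMP" <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ippp+ -j ACCEPT
-A FORWARD -i ippp+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
check_forward "$BROKEN_DUMP" || echo "-> broken dump flagged, exit status 1"
check_forward "$FIXED_DUMP"
```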
