This is my latest "home project". Partly because I need its functionality
and partly to have the satisfaction of seeing it work and keep the gray
cells in condition.
I've been on this IPchains thing for the last few weeks trying to
understand the automatisms and its functioning. Since my opinion is that
there's no point in re-inventing the wheel - not shared by everybody,
especially not by some HOWTO writers who think that it's good for us to
read incomprehensible articles and not understand anything, thus always
starting from scratch - I tried to find feedback from other people having
been through the same thing. I seem to have found something that gave the
impression of being exactly that: the updated IPchains HOWTO of this
year.
It explains the config procedures of the older 2.0.x kernel and the 2.2.x
ones. I was interested in the latter. The HOWTO included a strong firewall
script which gives the impression of being ready for use minus a few
adjustments concerning one's own network setup.
What I would like to have is your first impression when you see it. Is
there anything that strikes you as bizarre and impossible? Especially
concerning the script actually being so watertight it blocks ALL traffic
to and from the server. So badly that even after deleting all the rules
the access to the server stays blocked and the only solution is to reboot
it!!
What I would like to know, before contacting the writer of the HOWTO, is
whether it's me who is responsible for the mess-up - I have noticed several
times in the past that I was the cause of the error while blaming the
system - or whether it's the HOWTO which is to blame.
<rant>
In the latter case I would like to air some of my frustration and send my
feedback directly to the author, as I think it's inadmissible for this kind
of problem to still find its way through to the Linux community.
I have been going more into the details of understanding the system and had
to extensively use the docs, HOWTOs and manuals. The state some of it is in
is terrible: a lot of it is in bad shape, outdated or not tested prior
to release. With this kind of document it would be better not to
distribute it at all. Most of the time they are a source of problems
rather than the other way around.
</rant>
Looking forward to your feedback!
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/ Zoran GRBIC _/ Linux user & advocate _/
_/ UNIX Sys Analyst _/ Both Micro$oft's clean _/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
Mailed with Linux & Pine...
P.S. The script
#!/bin/bash
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP.
# Without this module, RealAudio WILL function but in TCP mode.
# This can cause a reduction in sound quality.
/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default.
# This module is for multiple users behind the Linux MASQ server.
# If you are going to play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# kernel that has bugs in it. Please upgrade to the newest kernel.
#
# NOTE: Load only ONE of the two lines below. A module can only be loaded
# once, so with both lines active the second modprobe (the one carrying the
# port list) does nothing.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
/sbin/modprobe ip_masq_vdolive
# CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Otherwise specify your Static IP address here.
# If you have a DYNAMIC IP address, you need to make this ruleset understand your
# IP address everytime you get a new IP. To do this, enable the following one-line
# script. (Please note that the different single and double quote characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1,
# etc) on the lines for "ppp-ip" and "extip". It should also be noted that
# the DHCP server can change IP addresses on you. To fix this, users should
# configure their DHCP client to re-run the firewall ruleset every time the
# DHCP lease is renewed.
#
# NOTE #1: Some newer DHCP clients like "pump" do NOT have this ability
#          to run scripts after a lease-renew. Because of this, you need to
#          replace it with something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions use syntax like:
# dhcpcd eth0 /etc/rc.d/rc.firewall
#
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when a PPP
# connection comes up. Because of this, we can make the ruleset go and get the
# new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line after that.
#
# NOTE: there must be NO whitespace around the "=" in a shell assignment.
# The original line read `extip= "...`...`..."`; with that space the shell
# assigns an empty extip and then tries to RUN the address as a command, so
# every rule below that uses $extip matches nothing and the external
# interface ends up with no ACCEPT rule at all.
extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# For PPP users with STATIC IP addresses:
#extip="your.static.PPP.address"
# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
extdev=ppp0
# Assign the internal IP device and network
intdev=eth0
intnet=192.168.168.0/24
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall
# timeout in ICQ itself)
ipchains -M -S 7200 10 60
######################################################################################
# Incoming, flush and set default policy of reject. The catch-all rule at the
# end of the chain does the actual blocking (and logs). The policy is NOT
# irrelevant though: "ipchains -F input" removes the rules but leaves the
# policy, so after a flush the REJECT policy still blocks everything until
# "ipchains -P input ACCEPT" is run.
ipchains -F input
ipchains -P input REJECT
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intdev -s $intnet -d 0.0.0.0/0 -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
ipchains -A input -i $extdev -s $intnet -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to permanent PPP address is valid
ipchains -A input -i $extdev -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid.
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#############################################################################
# Outgoing, flush and set default policy of reject. As with the input chain,
# the catch-all rule does the blocking and logging, but the REJECT policy
# survives a flush; reset it to ACCEPT before flushing when debugging.
ipchains -F output
ipchains -P output REJECT
# local interface, any source going to local net is valid
ipchains -A output -i $intdev -s 0.0.0.0/0 -d $intnet -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#ipchains -A output -i $extdev -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
#ipchains -A output -i $extdev -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else outgoing on remote interface is valid
ipchains -A output -i $extdev -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid.
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#############################################################################
# Forwarding, flush and set default policy of deny. As above, the catch-all
# rule does the blocking and logging, but the DENY policy survives a flush.
ipchains -F forward
ipchains -P forward DENY
# Masquerade from local net, leaving via the external interface, to anywhere.
# (On the forward chain "-i" names the interface the packet goes OUT on.)
ipchains -A forward -i $extdev -s $intnet -d 0.0.0.0/0 -j MASQ
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
### -- End of file.
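Added example, not part of the post above nor of the HOWTO's script: a small POSIX sh helper that shows the two spots in that ruleset where a box takes itself off the network, and how to guard against them. It parses the external address out of `ifconfig`-style output and refuses to build external-interface rules when no valid address was found, and it resets every chain's policy to ACCEPT before flushing, since `ipchains -F` removes rules but not the REJECT/DENY policy. The `ifconfig` sample text is constructed (2.2-era "inet addr:" layout); function names, the `DRY_RUN` switch and the address 192.0.2.17 are this example's own. By default it only prints the `ipchains` commands it would run.

```shell
#!/bin/sh
# Added example (not the HOWTO's rc.firewall): lockout-safe handling of the
# external address for an ipchains ruleset.
#
# Two things in the posted script can take the box off the network:
#   1. `extip= "`...`"` (space after '=') leaves $extip empty, so the ACCEPT
#      rules for the external interface never match anything.
#   2. `ipchains -F` removes rules but not the chain POLICY, so after a flush
#      a REJECT/DENY policy still drops everything.

# Return 0 only for a syntactically valid dotted quad (four octets, 0-255).
dotted_quad_ok() {
    ip=$1
    case $ip in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Extract the first IPv4 address from ifconfig-style text on stdin.
# Assumed input format: a line containing "inet addr:A.B.C.D".
# Fails (exit 1, prints nothing) when there is no valid address.
extract_inet_addr() {
    addr=$(sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    dotted_quad_ok "$addr" || return 1
    printf '%s\n' "$addr"
}

# Print (DRY_RUN=1, the default) or execute (DRY_RUN=0) a command.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Put all three chains back to "accept everything": policy first, then
# flush. This is the state you want while debugging; flushing alone is not.
firewall_open() {
    for chain in input output forward; do
        run ipchains -P "$chain" ACCEPT
        run ipchains -F "$chain"
    done
}

# Build the external-interface rules only when we really have an address;
# otherwise refuse instead of installing rules that can never match.
install_ext_rules() {
    extdev=$1
    extip=$2
    if ! dotted_quad_ok "$extip"; then
        echo "refusing: no valid external IP address for $extdev" >&2
        return 1
    fi
    run ipchains -A input  -i "$extdev" -s 0.0.0.0/0 -d "$extip/32" -j ACCEPT
    run ipchains -A output -i "$extdev" -s "$extip/32" -d 0.0.0.0/0 -j ACCEPT
}

# Constructed sample of 2.2-era `ifconfig ppp0` output, so the example runs
# offline without a ppp0 interface. On a real box: /sbin/ifconfig ppp0.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.17  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

main() {
    extip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_inet_addr) || {
        echo "no external address found, leaving firewall untouched" >&2
        return 1
    }
    firewall_open
    install_ext_rules ppp0 "$extip"
}

main
```

Run it as-is to see the commands it would issue; set `DRY_RUN=0` (and feed it real `ifconfig` output instead of the sample) to execute them. The point of ordering `-P ACCEPT` before `-F` is that a ruleset which later fails half-way leaves a reachable machine, not one that needs a reboot.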