sslug-teknik team mailing list archive

IP masquerading problem, continued


Hi everyone.

A while ago I wrote about a problem with my IP masquerading
setup, which had simply stopped working!

I was told to download the script on SSLUG's homepage and
modify it to fit my connection, but that won't work either. I
now can neither dial up via diald from the Linux box, nor
from the other computers on my LAN. Below is my script:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Activate IP forwarding
echo "1" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP echo-request altogether (see also below for ICMP filtering)
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Set local port range for listeners (ftp ...)
# The range used here is what will be used for the connections
# initiated from the firewall host. If you do masquerading, then
# masqueraded connections will use the range 61000-65096.
# Thus, in the ipchains rules below we will combine these two
# ranges into one: 56000:65096
echo "56000 60999" >/proc/sys/net/ipv4/ip_local_port_range

# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
   # Drop all source-routed packets
   echo "0" >$f/accept_source_route

   # Enable source-address verification (anti spoofing)
   echo "1" >$f/rp_filter
done


######################
# Setup IP firewalling
######################

# Default policies.
# We deny all input and forwarding, then allow specific things further down.
# We allow all outgoing traffic - this could be tightened, but is only
# necessary for very secure installations.
ipchains -P input DENY;  ipchains -F input
ipchains -P forward DENY;  ipchains -F forward
ipchains -P output ACCEPT; ipchains -F output


# Allow anything on trusted interfaces
# ------------------------------------

# Allow anything on the loopback i/f: We trust ourselves.
ipchains -A input -p all -j ACCEPT -i lo

# Allow anything on the local LAN: We trust the local guys.
ipchains -A input -p all -j ACCEPT -i eth0


# Handle incoming TCP traffic
# ---------------------------

# Allow all traffic that does not try to setup a connection (no SYN)
ipchains -A input -p tcp -j ACCEPT \! -y

# Allow ftp-data connections to listener ports (downloads and dir listings).
# Would be better if kernel could setup temporary rules when we start
# an ftp download ("port" command), but this will have to do for now.
# If you don't like this, consider enforcing use of passive-mode ftp only.
ipchains -A input -p tcp -j ACCEPT -s 0/0 ftp-data -d 0/0 56000:65096 -y


# Handle incoming UDP traffic
# ---------------------------

# Allow dns replies to our locally originating requests
# BIND 8 uses the high ports for sending requests; this is good.
# (A name server configured to send queries from port 53 would NOT
# get its replies through this rule.)
ipchains -A input -p udp -j ACCEPT -s 0/0 domain -d 0/0 56000:65096

# Allow ntp communication (uses ntp port for request and reply)
ipchains -A input -p udp -j ACCEPT -s 0/0 ntp -d 0/0 ntp

# Allow Real Audio/Video in best quality (uses udp).
# NB: This is for listening to RealAudio on the firewall only!
# Don't do this if you're paranoid - newer (G2) Real Audio will
# automatically switch to TCP if udp does not work.
#
# By default, you must allow incoming udp to ports 6970:7170,
# but that is WAY too big an area for me. Changing this does
# require some configuration of the Real Player client software.
ipchains -A input -p udp -j ACCEPT -d 0/0 32768:32769


# Handle incoming ICMP
# --------------------

# Allow all, except remote timestamp-, echo- and address-mask requests,
# and ICMP redirects and router-advertisements
# (Denying echo-requests means we cannot be ping'ed).
ipchains -A input -p icmp -s 0/0 timestamp-request    -j DENY --log
ipchains -A input -p icmp -s 0/0 address-mask-request -j DENY --log
ipchains -A input -p icmp -s 0/0 redirect             -j DENY --log
ipchains -A input -p icmp -s 0/0 router-advertisement -j DENY --log
ipchains -A input -p icmp -s 0/0 echo-request         -j DENY --log
ipchains -A input -p icmp -j ACCEPT


# Log what drops through to here. If we catch anything, it
# will be interesting.
ipchains -A input --log



# Now, play some tricks with outgoing packets on the modem link
# Use the TOS field to prioritize different protocols
# -------------------------------------------------------------

# http, telnet and ssh get "minimum delay"
ipchains -A output -p tcp -d 0/0 www    -i ppp+ -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 ssh    -i ppp+ -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 telnet -i ppp+ -t 0x01 0x10

# ftp-data, nntp and pop-3 get "low cost"
ipchains -A output -p tcp -d 0/0 ftp-data -i ppp+ -t 0x01 0x02
ipchains -A output -p tcp -d 0/0 nntp     -i ppp+ -t 0x01 0x02
ipchains -A output -p tcp -d 0/0 pop-3    -i ppp+ -t 0x01 0x02



######################
# Setup Masquerading #
######################

# NB: In the SSLUG original this whole section is disabled by default
#     with "###" comment-markers. They are all removed here, so that
#     the MASQ rules, the protocol helper modules and ip_dynaddr are
#     enabled together (leaving only the rules uncommented means ftp
#     and similar protocols are not tracked through the masquerade).

# Masquerade anything that needs forwarding on the
# external interface (ppp0, usually), except all the Windows
# Netbios chit-chat on ports 137 thru 139.
# Note: "-i" on the forward chain refers to the OUTGOING interface,
#       so packets routed out through any other interface hit the
#       DENY policy of the forward chain.
# Note: "-s 0/0 137:139" matches the SOURCE port.
ipchains -A forward -i ppp0 -p tcp -s 0/0 137:139 -j DENY
ipchains -A forward -i ppp0 -p udp -s 0/0 137:139 -j DENY
ipchains -A forward -i ppp0 -j MASQ

# Load the masquerading protocol-modules
# This loads all of the modules in /lib/modules/2.2.x/ipv4/
for f in /lib/modules/`uname -r`/ipv4/*masq*.o; do
   /sbin/modprobe `basename $f`
done

# Enable a hack in the kernel for dial-on-demand Internet connectivity
# without having a static IP address.
# Without setting this, the first packet that goes out on a dial-on-demand
# connection has the wrong sender IP address, meaning that you will have
# to retransmit at least once.
# (This has nothing to do with security - but it is useful for a home
# network using masquerading).
echo "1" >/proc/sys/net/ipv4/ip_dynaddr

# Enable forwarding (needed for masquerading)
# (already done at the top of this script)
# echo "1" >/proc/sys/net/ipv4/ip_forward

On my little IP MASQ box I also run a DNS server, which
seems to work normally, and the same machine also acts as
the DHCP server.

Thanks in advance for the help
_______________________________
David Sebastian Neumann
neumann@xxxxxxxxxx
2910dn@xxxxxxxxxxx
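The rule set above is easier to reason about when its first-match semantics are made explicit. The following is an added example, not the poster's script or anything from SSLUG: a small evaluator that walks the input and forward chains in the order the script adds them and prints the verdict for a constructed packet, without touching the kernel. Service ports are assumed from /etc/services (ftp-data=20, domain=53, ntp=123); the 61000-65096 masquerade range is the one the script's own comment states for 2.2 kernels. Two points it makes visible: a DNS reply addressed to port 53 (what a name server sending queries from port 53 would receive) falls through to the DENY policy, and the NetBIOS rules match the source port only, so a LAN client connecting out to remote port 139 is still masqueraded. The interface name sl0 in the demo is hypothetical, standing for any non-ppp0 outgoing interface.

```shell
#!/bin/sh
# Constructed first-match evaluator for the script's "input" and "forward"
# chains. Not the original script; it only models rule order so a rule set
# can be checked before it is loaded.

LOCAL_LO=56000; LOCAL_HI=60999   # what the script writes to ip_local_port_range
MASQ_LO=61000;  MASQ_HI=65096    # masquerading range assumed from the script's comment

in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# The port range written into the ipchains rules must cover both the local
# and the masquerade range, and the two must be contiguous; otherwise some
# replies fall through to the DENY policy.
combined_range() {
    if [ $((LOCAL_HI + 1)) -ne "$MASQ_LO" ]; then
        echo "gap between local range and masquerade range" >&2
        return 1
    fi
    echo "${LOCAL_LO}:${MASQ_HI}"
}

# input_verdict IFACE PROTO SPORT DPORT FLAG
#   FLAG is 1 for a TCP SYN, 0 otherwise; for icmp it is the ICMP type name.
# Prints ACCEPT or DENY, walking the rules in the order the script adds them.
input_verdict() {
    iface=$1 proto=$2 sport=$3 dport=$4 flag=$5
    range=$(combined_range) || { echo DENY; return; }
    lo=${range%:*}; hi=${range#*:}
    case $iface in lo|eth0) echo ACCEPT; return ;; esac        # trusted interfaces
    case $proto in
    tcp)
        [ "$flag" = 0 ] && { echo ACCEPT; return; }            # "! -y": not a SYN
        [ "$sport" = 20 ] && in_range "$dport" "$lo" "$hi" && { echo ACCEPT; return; }  # ftp-data
        ;;
    udp)
        [ "$sport" = 53 ] && in_range "$dport" "$lo" "$hi" && { echo ACCEPT; return; }  # DNS reply
        [ "$sport" = 123 ] && [ "$dport" = 123 ] && { echo ACCEPT; return; }          # ntp
        in_range "$dport" 32768 32769 && { echo ACCEPT; return; }                     # RealAudio
        ;;
    icmp)
        case $flag in
        timestamp-request|address-mask-request|redirect|router-advertisement|echo-request)
            echo DENY; return ;;                                # explicitly denied (and logged)
        esac
        echo ACCEPT; return ;;
    esac
    echo DENY                                                   # chain policy
}

# forward_verdict OUT_IFACE PROTO SPORT DPORT
# "-s 0/0 137:139" matches the SOURCE port, so only packets originating from
# NetBIOS ports are refused; the MASQ rule applies to ppp0 as outgoing interface.
forward_verdict() {
    outif=$1 proto=$2 sport=$3
    if [ "$outif" = ppp0 ]; then
        case $proto in tcp|udp) in_range "$sport" 137 139 && { echo DENY; return; } ;; esac
        echo MASQ; return
    fi
    echo DENY                                                   # policy: nothing else is forwarded
}

# Demonstration on constructed packets (iface proto sport dport flag).
for p in "ppp0 tcp 80 61500 0" "ppp0 tcp 40000 22 1" "ppp0 udp 53 58000 0" \
         "ppp0 udp 53 53 0" "ppp0 icmp 0 0 echo-request" "ppp0 icmp 0 0 echo-reply"; do
    set -- $p
    printf 'input   %-30s -> %s\n' "$p" "$(input_verdict "$@")"
done
for p in "ppp0 tcp 1025 139" "ppp0 tcp 139 1025" "sl0 tcp 1025 80"; do
    set -- $p
    printf 'forward %-30s -> %s\n' "$p" "$(forward_verdict "$@")"
done
```

Change LOCAL_HI or MASQ_LO to see combined_range refuse a non-contiguous pair, which is the case where the rules' literal 56000:65096 would silently stop matching part of the traffic.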