
sslug-teknik team mailing list archive

Re: IP masquerading problem fortsat


Sebastian Neumann wrote:

> Hi everyone.
>
> A while ago I wrote about a problem with my IP masquerading
> setup, which had simply stopped working!
>
> I was told to download the script that is on SSLUG's website
> and modify it to match my connection, but that doesn't work
> either. I can now neither dial up via diald from the Linux box
> nor from the other computers on my LAN. Below is my script:
>
> #!/bin/sh
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
>
> # Enable IP forwarding
> echo "1" >/proc/sys/net/ipv4/ip_forward
>
> # Enable syn-cookies (syn-flooding attacks)
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
> # Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
> echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Disable ICMP echo-request altogether (see also below for ICMP filtering)
> # echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
>
> # Set local port range for listeners (ftp ...)
> # The range used here is what will be used for the connections
> # initiated from the firewall host. If you do masquerading, then
> # masqueraded connections will use the range 61000-65096.
> # Thus, in the ipchains rules below we will combine these two
> # ranges into one: 56000:65096
> echo "56000 60999" >/proc/sys/net/ipv4/ip_local_port_range
>
> # It seems that this must be done for all network interfaces
> for f in /proc/sys/net/ipv4/conf/*; do
>    # Drop all source-routed packets
>    echo "0" >$f/accept_source_route
>
>    # Enable source-address verification (anti spoofing)
>    echo "1" >$f/rp_filter
> done
>
> ######################
> # Setup IP firewalling
> ######################
>
> # Default policies.
> # We deny all input and forwarding, then allow specific things further down.
> # We allow all outgoing traffic - this could be tightened, but is only
> # necessary for very secure installations.
> ipchains -P input DENY;  ipchains -F input
> ipchains -P forward DENY;  ipchains -F forward
> ipchains -P output ACCEPT; ipchains -F output
>
> # Allow anything on trusted interfaces
> # ------------------------------------
>
> # Allow anything on the loopback i/f: We trust ourselves.
>  ipchains -A input -p all -j ACCEPT -i lo
>
> # Allow anything on the local LAN: We trust the local guys.
>  ipchains -A input -p all -j ACCEPT -i eth0
>
> # Handle incoming TCP traffic
> # ---------------------------
>
> # Allow all traffic that does not try to setup a connection (no SYN)
>  ipchains -A input -p tcp -j ACCEPT \! -y
>
> # Allow ftp-data connections to listener ports (downloads and dir listings).
> # Would be better if kernel could setup temporary rules when we start
> # an ftp download ("port" command), but this will have to do for now.
> # If you don't like this, consider enforcing use of passive-mode ftp only.
>  ipchains -A input -p tcp -j ACCEPT -s 0/0 ftp-data -d 0/0 56000:65096 -y
>
> # Handle incoming UDP traffic
> # ---------------------------
>
> # Allow dns replies to our locally originating requests
> # BIND 8 uses the high ports for sending requests; this is good.
>  ipchains -A input -p udp -j ACCEPT -s 0/0 domain -d 0/0 56000:65096
>
> # Allow ntp communication (uses ntp port for request and reply)
>  ipchains -A input -p udp -j ACCEPT -s 0/0 ntp -d 0/0 ntp
>
> # Allow Real Audio/Video in best quality (uses udp).
> # NB: This is for listening to RealAudio on the firewall only!
> # Don't do this if you're paranoid - newer (G2) Real Audio will
> # automatically switch to TCP if udp does not work.
> #
> # By default, you must allow incoming udp to ports 6970:7170,
> # but that is WAY too big an area for me. Changing this does
> # require some configuration of the Real Player client software.
>  ipchains -A input -p udp -j ACCEPT -d 0/0 32768:32769
>
> # Handle incoming ICMP
> # --------------------
>
> # Allow all, except remote timestamp-, echo- and address-mask requests,
> # and ICMP redirects and router-advertisements
> # (Denying echo-requests means we cannot be ping'ed).
>   ipchains -A input -p icmp -s 0/0 timestamp-request    -j DENY --log
>   ipchains -A input -p icmp -s 0/0 address-mask-request -j DENY --log
>   ipchains -A input -p icmp -s 0/0 redirect             -j DENY --log
>   ipchains -A input -p icmp -s 0/0 router-advertisement -j DENY --log
>   ipchains -A input -p icmp -s 0/0 echo-request         -j DENY --log
>   ipchains -A input -p icmp -j ACCEPT
>
> # Log what drops through to here. If we catch anything, it
> # will be interesting.
>   ipchains -A input --log
>
> # Now, play some tricks with outgoing packets on the modem link
> # Use the TOS field to prioritize different protocols
> # -------------------------------------------------------------
>
> # http, telnet and ssh get "minimum delay"
> ipchains -A output -p tcp -d 0/0 www    -i ppp+ -t 0x01 0x10
> ipchains -A output -p tcp -d 0/0 ssh    -i ppp+ -t 0x01 0x10
> ipchains -A output -p tcp -d 0/0 telnet -i ppp+ -t 0x01 0x10
>
> # ftp-data, nntp and pop-3 get "low cost"
> ipchains -A output -p tcp -d 0/0 ftp-data -i ppp+ -t 0x01 0x02
> ipchains -A output -p tcp -d 0/0 nntp     -i ppp+ -t 0x01 0x02
> ipchains -A output -p tcp -d 0/0 pop-3    -i ppp+ -t 0x01 0x02
>
> ######################
> # Setup Masquerading #
> ######################
>
> ### NB: This is disabled by default. If you want to use      ###
> ###     masquerading, just remove the "###" comment-markers  ###
> ###     from the lines below.                                ###
>
> # Masquerade anything that needs forwarding on the
> # external interface (ppp0, usually), except all the Windows
> # Netbios chit-chat on ports 137 thru 139.
> # Note: "-i" on the forward chain refers to the OUTGOING interface.
> ipchains -A forward -i ppp0 -p tcp -s 0/0 137:139 -j DENY
> ipchains -A forward -i ppp0 -p udp -s 0/0 137:139 -j DENY
> ipchains -A forward -i ppp0 -j MASQ
>
> # Load the masquerading protocol-modules
> # This loads all of the modules in /lib/modules/2.2.x/ipv4/
> ###for f in /lib/modules/`uname -r`/ipv4/*masq*.o; do
> ###   /sbin/modprobe `basename $f`
> ###done
>
> # Enable a hack in the kernel for dial-on-demand Internet connectivity
> # without having a static IP address.
> # Without setting this, the first packet that goes out on a dial-on-demand
> # connection has the wrong sender IP address, meaning that you will have
> # to retransmit at least once.
> # (This has nothing to do with security - but it is useful for a home
> # network using masquerading).
> ###echo "1" >/proc/sys/net/ipv4/ip_dynaddr
>
> # Enable forwarding (needed for masquerading)
> ###echo "1" >/proc/sys/net/ipv4/ip_forward
>
> On my little IP MASQ box I also run a DNS server, which seems
> to work normally, and this machine is also the DHCP server.
>
> Thanks in advance for the help
> _______________________________
> David Sebastian Neumann
> neumann@xxxxxxxxxx
> 2910dn@xxxxxxxxxxx

Try removing the ###


######################
# Setup Masquerading #
######################

### NB: This is disabled by default. If you want to use      ###
###     masquerading, just remove the "###" comment-markers  ###
###     from the lines below.                                ###
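The reply's point, as an added example that is not part of the thread and not the poster's or SSLUG's script: a small POSIX sh check that reads a firewall script in this style and reports which masquerading prerequisites are still commented out (an active `ip_forward=1`, `ip_dynaddr=1` for a dial-on-demand link without a static address, a `-j MASQ` rule on the forward chain, and the loading of the masq helper modules). The two sample scripts are constructed here to mirror the posted one before and after the "###" markers are removed from the command lines.

```shell
#!/bin/sh
# Added example (not from the thread): report which masquerading prerequisites
# an SSLUG-style ipchains script still has commented out, e.g. behind the
# "###" markers the template ships with.

# Constructed sample mirroring the posted script: ip_forward is set near the
# top and the MASQ rule is active, but the module loading loop and ip_dynaddr
# are still behind "###".
POSTED_SCRIPT=$(cat <<'EOF'
#!/bin/sh
echo "1" >/proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY;  ipchains -F forward
### NB: This is disabled by default. If you want to use      ###
###     masquerading, just remove the "###" comment-markers  ###
ipchains -A forward -i ppp0 -p tcp -s 0/0 137:139 -j DENY
ipchains -A forward -i ppp0 -j MASQ
###for f in /lib/modules/`uname -r`/ipv4/*masq*.o; do
###   /sbin/modprobe `basename $f`
###done
###echo "1" >/proc/sys/net/ipv4/ip_dynaddr
###echo "1" >/proc/sys/net/ipv4/ip_forward
EOF
)

# Constructed sample of the same script after the "###" markers have been
# removed from the command lines (the NB banner stays a comment).
FIXED_SCRIPT=$(cat <<'EOF'
#!/bin/sh
echo "1" >/proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY;  ipchains -F forward
### NB: This is disabled by default. If you want to use      ###
###     masquerading, just remove the "###" comment-markers  ###
ipchains -A forward -i ppp0 -p tcp -s 0/0 137:139 -j DENY
ipchains -A forward -i ppp0 -j MASQ
for f in /lib/modules/`uname -r`/ipv4/*masq*.o; do
   /sbin/modprobe `basename $f`
done
echo "1" >/proc/sys/net/ipv4/ip_dynaddr
echo "1" >/proc/sys/net/ipv4/ip_forward
EOF
)

# Succeed if the script text in $1 has an active (uncommented) line matching
# the extended regex in $2. Any line whose first non-blank character is '#'
# is a comment, which covers the "###" markers too.
has_active_line() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Eq -- "$2"
}

# Print "OK", or "MISSING:" followed by the prerequisites that are not
# active in the script text given as $1.
masq_prereq_report() {
    missing=""
    has_active_line "$1" 'echo "?1"? *>/proc/sys/net/ipv4/ip_forward' \
        || missing="$missing ip_forward"
    # ip_dynaddr is what a dial-on-demand (diald) link without a static
    # address needs so the first outgoing packet carries the right source.
    has_active_line "$1" 'echo "?1"? *>/proc/sys/net/ipv4/ip_dynaddr' \
        || missing="$missing ip_dynaddr"
    has_active_line "$1" 'ipchains -A forward .*-j MASQ' \
        || missing="$missing MASQ-rule"
    has_active_line "$1" 'modprobe' \
        || missing="$missing masq-modules"
    if [ -z "$missing" ]; then
        echo "OK"
    else
        echo "MISSING:$missing"
    fi
}

masq_prereq_report "$POSTED_SCRIPT"
masq_prereq_report "$FIXED_SCRIPT"
```

Run against the first sample it reports `MISSING: ip_dynaddr masq-modules`, which is exactly what the "###" markers in the posted script still hide; the second sample reports `OK`. Note that the check only reads the script text; it says nothing about whether the running kernel actually has the settings or modules, which would have to be read back from /proc and lsmod on the box itself.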
