Please wrap your lines to 72 characters...
On Fri, 5 May 2000, Stefan Srdic wrote:
>
> I've recently attempted to write my own IP routing script (IPchains and
> IPmasquerading). I have some minor problems with my initial script and
> need some help from an experienced Linux user.
>
> First off, I have a cable modem for a receiving internet connection with
> an IP address that is provided via DHCP, second, I want my machine to
> serve as an outgoing DHCP server for the other machines on my network.
> The client machines will be using a class "C" network address and the
> DHCP server will only allow a fixed amount of clients to exist on the
> network for security reasons!
For DHCP, try adding ...
# Configuration line for DHCP configured server: accept DHCP traffic
# from server port 67 to client port 68 arriving on eth0
/sbin/ipchains -A input -i eth0 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
> I wrote a script using several resources on the web, I have yet to read
> the IPMasquerading HOW-TO and the IPChains HOW-TO but plan to in the
> near future. Currently I am trying to figure out how in the hell to
> enable the outgoing DHCP server on my computer! I have tested out this
> script with no success! What should I add or change in order to make it
> work? IP port forwarding is enabled in the kernel and this script is
> executed at boot up.
>
> Here is my script: rc.firewall
>
> #!/bin/sh
> # rc.firewall - IPChains and IPMasquerading, internet firewall/routing script
> #
> echo -n "Setting IP Chains..."
add...
# Load all required IP MASQ modules
# Note: only load required modules that you need
#
# Needed to initially load modules
/sbin/depmod -a
> # modules for IPMasquerading
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_raudio
change to...
# Supports the masquerading of RealAudio over UDP. Without this module,
# Real Audio WILL function but in TCP mode. This can cause
# a reduction in sound quality.
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
> /sbin/modprobe ip_masq_irc
> /sbin/modprobe ip_masq_vdolive
disable irc and vdolive (video conferencing) if you don't use them.
> # execute IP Forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
> # enable host DHCP
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
Use this...
# ----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# ----------------------------------------------------------------------------
> # IPChains routing information
> /sbin/ipchains -M -S 7200 10 160
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.0.1/24 -d 192.168.0.1/24 -j ACCEPT
> /sbin/ipchains -A forward -s 192.168.0.1/24 -d 192.168.0.2/32 -j MASQ
> /sbin/ipchains -A forward -s 192.168.0.1/24 -d 192.168.0.3/32 -j MASQ
or simply use this for local network...
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ # local network
and then I add lines here to start PortSentry upon bootup (http://www.psionic.com)
> echo "Done!"
>
>
> BTW, I did not write any firewall rules as of yet, I know basically how
> to and which ports to block secure and I will do so once the
> Masquerading issue is solved!
Hope that helps.
Thanks... Dan.
Keep in touch with http://mandrakeforum.com:
Subscribe the "[EMAIL PROTECTED]" mailing list.
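The following script is an added example and is not code from either
message above. It puts the pieces of the reply together (default-deny
forward chain, one MASQ rule for the whole local network, the DHCP
accept rule on the cable modem side) in a form that can be reviewed
before it is applied: with DRY_RUN=1 (the default) it only prints the
ipchains commands. It also checks that the LAN prefix is a real network
address, because the quoted script used 192.168.0.1/24, which has host
bits set; ipchains masks those silently, so the rule does not say what
it looks like it says. The interface names eth0/eth1, the 192.168.1.0/24
network, the DRY_RUN convention and the LAN-side DHCP server rule
(client port 68 to server port 67 on the inside interface) are
assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example, not part of the original thread: build the ipchains
# rules discussed above as a reviewable script. Interface names, the
# LAN network and the DRY_RUN convention are assumptions of this example.

EXTIF="${EXTIF:-eth0}"                 # cable modem side (assumed)
INTIF="${INTIF:-eth1}"                 # LAN side (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # local network, must be a network address
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print rules, 0 = apply them (as root)

# run CMD ARGS...: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# cidr_is_network A.B.C.D/N: succeed only if the argument is a well-formed
# prefix with no host bits set. 192.168.0.1/24 (as in the quoted script)
# fails; 192.168.0.0/24 passes. ipchains masks host bits silently, so
# this check makes the intended network explicit.
cidr_is_network() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"
    bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    hostmask=$(( (1 << (32 - bits)) - 1 ))
    [ $(( ip & hostmask )) -eq 0 ]
}

# firewall_rules: default-deny forward chain, masquerade only LAN traffic
# leaving via the external interface (in the ipchains forward chain, -i
# names the outgoing interface), and admit the DHCP traffic the box needs.
firewall_rules() {
    if ! cidr_is_network "$LAN_NET"; then
        echo "LAN_NET=$LAN_NET is not a network address (host bits set?)" >&2
        return 1
    fi
    run "$IPCHAINS" -P forward DENY
    run "$IPCHAINS" -A forward -i "$EXTIF" -s "$LAN_NET" -j MASQ
    # DHCP replies for this box's own lease on the cable modem side
    # (server port 67 -> client port 68), the rule suggested in the reply
    run "$IPCHAINS" -A input -i "$EXTIF" -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
    # DHCP requests from LAN clients to the DHCP server on this box
    # (client port 68 -> server port 67); assumed LAN interface
    run "$IPCHAINS" -A input -i "$INTIF" -p udp -s 0/0 68 -d 0/0 67 -j ACCEPT
}

# Review the printed rules first (DRY_RUN=1 is the default); re-run as
# root with DRY_RUN=0 to apply them.
firewall_rules
```

Running it as `sh rc.firewall.sh` prints the four ipchains commands; with
`LAN_NET=192.168.0.1/24` it refuses to continue and reports the host
bits, which is the mistake the quoted script would otherwise have hidden.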