At 03:11 PM 3/15/2002, Luke Scharf wrote:
>I've searched http://groups.google.com and the web for a quick
>recipe. I've also scanned the general documentation, but I haven't
>figured out exactly how to do this yet.
>
>I have a machine that's running Debian Potato as a web server and an
>ipmasq. The machine has an "internal" and "external" network card. The
>internal network runs on 10.0.0.0/24 and the external network has a
>static IP address.
>
>I've apt-get install'd the ipmasq package and the IPMasq functionality
>works great. What I'd like to do now is to use ipchains to do the
>following:
>1. On the external interface, I would like to only accept traffic from
>port 22 and port 80.
>2. The internal interface should be wide open - on the internal network we
>trust the users who are physically in the room not to be malicious.
>
>Can you all point me to a recipe on how to do this? Is there any
>documentation that applies to this specific situation?
Here's a (really really super) basic recipe. In this example, eth0 is
external and eth1 is internal.

======================================
#!/bin/sh
echo " - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > "$file"
done

echo " - Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 10 60
/sbin/modprobe ip_masq_ftp

ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

# Loopback must stay open or local daemons (and the resolver) break.
ipchains -A input -i lo -j ACCEPT

# External: only new TCP connections to ssh and http.
# (ipchains needs -p tcp/udp before it will accept a port specification.)
ipchains -A input -i eth0 -p tcp -d 0/0 22 -j ACCEPT
ipchains -A input -i eth0 -p tcp -d 0/0 80 -j ACCEPT

# Replies to connections the gateway or the LAN started: the input chain
# runs before demasquerading, so without these the MASQ below cannot work.
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
ipchains -A input -i eth0 -p udp -d 0/0 61000:65096 -j ACCEPT

# Internal: wide open, and masquerade the LAN out through eth0.
ipchains -A input -i eth1 -j ACCEPT
ipchains -A forward -s 10.0.0.0/24 -j MASQ
======================================

No port forwarding, really basic.... (this script has no warranty that it
will work... but it *is* a highly condensed simple version of what we run
here. So, I rate the chances as pretty good that it'll work)

One question though... while you trust your users not to be malicious, do
you trust your users not to accidentally open a malicious email attachment,
accidentally browse a malicious website with a vulnerable browser, or other
mistakes? If not, you might want to tighten down outbound traffic as well.

Jer
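Jer's closing point about tightening outbound traffic, as an added example that is not part of the original thread: the blanket MASQ rule is replaced by per-service masquerading plus a logged deny. It assumes the thread's eth0/eth1/10.0.0.0/24 layout, the service lists are constructed placeholders, and IPCHAINS can be pointed at echo for a dry run on a machine without ipchains.

```shell
#!/bin/sh
# Egress filtering for the masquerading gateway in the thread: instead of a
# blanket "forward -s 10.0.0.0/24 -j MASQ", masquerade only the outbound
# services the LAN needs and log-and-deny everything else, so a compromised
# internal host cannot reach arbitrary ports and its attempts show up in
# the kernel log.
# Assumed from the thread: eth0 external, eth1 internal, LAN 10.0.0.0/24.
# Override IPCHAINS (e.g. IPCHAINS=echo) for a dry run on a box without
# ipchains; the service lists are a constructed example, not a recommendation.

LAN=${LAN:-10.0.0.0/24}
EXT_IF=${EXT_IF:-eth0}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
TCP_OUT=${TCP_OUT:-"22 25 80 443"}   # ssh, smtp, http, https
UDP_OUT=${UDP_OUT:-"53 123"}         # dns, ntp

apply_egress_rules() {
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    # In the forward chain, -i names the interface the packet leaves on.
    for p in $TCP_OUT; do
        $IPCHAINS -A forward -i "$EXT_IF" -p tcp -s "$LAN" -d 0/0 "$p" -j MASQ
    done
    for p in $UDP_OUT; do
        $IPCHAINS -A forward -i "$EXT_IF" -p udp -s "$LAN" -d 0/0 "$p" -j MASQ
    done
    # -l logs the packet header via the kernel log before it is dropped.
    $IPCHAINS -A forward -s "$LAN" -l -j DENY
}

# Only touch the live ruleset when invoked as "sh egress.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply_egress_rules
fi
```

Demasqueraded replies never enter the forward chain, so the catch-all deny only affects connections the LAN itself originates.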

