So after wasting/playing 4 hours trying to understand
ipchains and correct it to secure it, I've run into a
problem. I have set ipchains to forward MASQ 192.168.1.0
and deny everything else... (/etc/rc.d/rc.firewall)
==== start ====
#!/bin/sh
# Needed to initially load modules
/sbin/depmod -a
# Supports the proper masquerading of FTP transfers (active and passive)
/sbin/modprobe ip_masq_ftp
#
# ----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification (on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f"
done
# ----------------------------------------------------------------------------
#
# MASQ timeouts (TCP, TCP FIN, UDP, in seconds)
/sbin/ipchains -M -S 7200 10 160
# Configuration line for DHCP configured server (allow DHCP replies in on eth0)
/sbin/ipchains -A input -i eth0 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
# Simple IP forwarding and Masquerading: deny by default, masquerade the LAN
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ # local network
# /sbin/ipchains -A forward -s 10.10.10.10 -j MASQ # VPN
==== end ====
This used to work for the local network (NT and win98).
It seems to work fine for the LM7.1 firewall and web server.
The firewall can ping all local machines by name or number,
and can ping the outside world and telnet to my campus account.
The win98 machine can ping local IP names/numbers but not
the outside world.
The NT machine was upgraded to NT-SP6a from SP5 because of
lousy "SureThing labeler" freezing up. I was able to use
and access the internet after the upgrade, until I rebooted
my Linux box... and then nothing. NT can ping local numbers
only and the Linux box (ISP DHCP number) but not by name
(except itself), and nothing outside the firewall.
I uninstalled VPN software which was set to use 10.10.10.10
and re-installed latest VMWare, but no changes.
I have done 'ipchains -F' and reloaded the rc.firewall script
or simply rebooted (many times). Since all win machines are
no longer working (and they were before), I don't think I
can blame them (or M$). The win machines have a static
192.168.1.x address and gateway set to the Linux machine 192.168.1.1
and DNS set to outside ISP values.
What did I screw up? Did I miss a file to clear out?
Thanks... Dan.
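Since the script sets a dozen sysctl values and the symptoms began after a reboot, the first thing worth confirming is that those values actually stuck. The following is an added example, not part of Dan's post or his rc.firewall: a small POSIX sh checker that reads each /proc/sys/net/ipv4 value back and reports every one that differs from what the script intends. The root directory is a parameter (defaulting to /proc/sys/net/ipv4) so it can be exercised against a constructed directory tree without root; the function names are assumptions of this example. ip_always_defrag is deliberately left out because that sysctl was removed in later kernels, so its absence is not by itself a misconfiguration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the hardening
# values the rc.firewall script writes are really in effect.
# ROOT defaults to /proc/sys/net/ipv4; tests pass a constructed tree instead.

# read_value FILE -> prints the first token of FILE, or "missing"
read_value() {
    if [ -r "$1" ]; then
        v=""
        read -r v < "$1" || true
        printf '%s\n' "${v:-missing}"
    else
        echo missing
    fi
}

# expect_global ROOT NAME WANT -> 0 if ROOT/NAME holds WANT, else 1 (with a message on stderr)
expect_global() {
    got=$(read_value "$1/$2")
    if [ "$got" = "$3" ]; then
        return 0
    fi
    echo "MISMATCH $2: want $3, got $got" >&2
    return 1
}

# expect_per_iface ROOT NAME WANT -> 0 only if every ROOT/conf/*/NAME holds WANT
# (the script loops over every interface, so one stray interface is a failure)
expect_per_iface() {
    rc=0
    seen=0
    for f in "$1"/conf/*/"$2"; do
        [ -e "$f" ] || continue
        seen=1
        got=$(read_value "$f")
        if [ "$got" != "$3" ]; then
            echo "MISMATCH $f: want $3, got $got" >&2
            rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "MISMATCH conf/*/$2: no interface entries found" >&2
        rc=1
    fi
    return $rc
}

# check_hardening [ROOT] -> exit status is the number of failed checks
# (0 means every value matches what rc.firewall writes)
check_hardening() {
    root=${1:-/proc/sys/net/ipv4}
    fails=0
    expect_global "$root" ip_forward 1 || fails=$((fails + 1))
    expect_global "$root" tcp_syncookies 1 || fails=$((fails + 1))
    expect_global "$root" icmp_echo_ignore_broadcasts 1 || fails=$((fails + 1))
    expect_global "$root" icmp_ignore_bogus_error_responses 1 || fails=$((fails + 1))
    expect_per_iface "$root" rp_filter 1 || fails=$((fails + 1))
    expect_per_iface "$root" accept_redirects 0 || fails=$((fails + 1))
    expect_per_iface "$root" accept_source_route 0 || fails=$((fails + 1))
    expect_per_iface "$root" log_martians 1 || fails=$((fails + 1))
    return $fails
}
```

On the gateway itself, source the file and run `check_hardening` (with no argument) after rc.firewall has been executed; a non-zero exit status with MISMATCH lines on stderr points at the exact value that did not survive the reboot, which narrows the search before looking at the ipchains rules or the Windows clients.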