I am resending this message because I did not see it posted after
*12 hours*.  My updated message is at the bottom.

> So after wasting/playing 4 hours trying to understand
> ipchains and correct it to secure it, I've run into a
> problem.  I have set ipchains to forward MASQ 192.168.1.0
> and deny everything else... (/etc/rc.d/rc.firewall)
> 
> ==== start ====
> # Needed to initially load modules
> /sbin/depmod -a
> # Supports the proper masquerading of FTP transfers (active and passive)
> /sbin/modprobe ip_masq_ftp
> #
> # ----------------------------------------------------------------------------
>     # Enable IP Forwarding, if it isn't already
>     echo 1 > /proc/sys/net/ipv4/ip_forward
> 
>     # Enable TCP SYN Cookie Protection
>     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
>     # Enable always defragging Protection
>     echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> 
>     # Enable broadcast echo  Protection
>     echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
>     # Enable bad error message  Protection
>     echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
>     # Enable IP spoofing protection
>     # turn on Source Address Verification
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 1 > $f
>     done
> 
>     # Disable ICMP Redirect Acceptance
>     for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>         echo 0 > $f
>     done
> 
>     # Disable Source Routed Packets
>     for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>         echo 0 > $f
>     done
> 
>     # Log Spoofed Packets, Source Routed Packets, Redirect Packets
>     for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>         echo 1 > $f
>     done
> # ----------------------------------------------------------------------------
> #
> # MASQ timeouts
>     /sbin/ipchains -M -S 7200 10 160
> 
> # Configuration line for DHCP configured server
>     /sbin/ipchains -A input -i eth0 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
> 
> # Simple IP forwarding and Masquerading
>     /sbin/ipchains -P forward DENY
>     /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ     # local network
> #   /sbin/ipchains -A forward -s 10.10.10.10 -j MASQ        # VPN
> 
> ==== end ====
> 
> This used to work for the local network (NT and win98).
> It seems to work fine for the LM7.1 firewall and web server.
> The firewall can ping all local machines by name or number,
> and can ping outside world and telnet campus account.
> 
> The win98 machine can ping local IP names/numbers but not
> to the outside world.
> 
> The NT machine was upgraded to NT-SP6a from SP5 because of
> lousy "SureThing labeler" freezing up.  I was able to use
> and access the internet after the upgrade, until I rebooted
> my Linux box... and then nothing.  NT can ping local numbers
> only and the linux box (ISP DHCP number) but not by name
> (except itself), and nothing outside the firewall.
> I uninstalled VPN software which was set to use 10.10.10.10
> and re-installed latest VMWare, but no changes.
> 
> I have done 'ipchains -F' and reloaded the rc.firewall script
> or simply rebooted (many times).  Since all win machines are
> no longer working (and they were before), I don't think I
> can blame them (or M$).  The win machines have a static
> 192.168.1.x address and gateway set to linux machine 192.168.1.1
> and DNS set to outside ISP values.
> 
> What did I screw up?  Did I miss a file to clear out?
> 
> Thanks... Dan.

Were the above questions/problems too vague or too difficult
for any answer?  I have exhausted all testing that I can think
of, including leaving the firewall wide open.  I checked all those
"echo 1 >..." for values without the firewall and the only one
still set to 1 was "echo 1 > /proc/sys/net/ipv4/tcp_syncookies".
Since the LAN machines can ping numbers on LAN but not names,
I thought it was DNS but the server can access internet.
So it leads me to believe that some file is set somewhere that
still has MASQ rules, even if I 'ipchains -F' and reboot with
no firewall.  I need to do work support from within my LAN's
NT machine. I was planning to be working from home this week.
Please help me to solve this annoying problem.

Thanks... Dan.

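A small audit script, added here and not part of Dan's post or his rc.firewall, that compares a snapshot of the /proc/sys/net/ipv4 settings the script writes and a snapshot of the forward chain against what the script intends (ip_forward on, policy DENY, MASQ rule for 192.168.1.0/24). Snapshots are passed in as text so it runs offline; the `ipchains -L forward -n` column layout and the use of conf/all in place of the conf/*/ loops are assumptions. The sample snapshots are constructed to mirror what Dan reports with no firewall loaded.

```shell
# Key / expected value, exactly what rc.firewall echoes into /proc/sys/net/ipv4
# (conf/all stands in for the conf/*/ loops in the script; an assumption).
EXPECTED_SYSCTLS='ip_forward 1
tcp_syncookies 1
ip_always_defrag 1
icmp_echo_ignore_broadcasts 1
icmp_ignore_bogus_error_responses 1
conf/all/rp_filter 1
conf/all/accept_redirects 0
conf/all/accept_source_route 0
conf/all/log_martians 1'
# audit_sysctls SNAPSHOT: SNAPSHOT is "key value" lines relative to
# /proc/sys/net/ipv4.  Prints one "key want=X got=Y" line per mismatch.
audit_sysctls() {
    snap=$1
    while read -r key want; do
        got=$(printf '%s\n' "$snap" | awk -v k="$key" '$1 == k { print $2 }')
        [ -n "$got" ] || got=missing
        [ "$got" = "$want" ] || echo "$key want=$want got=$got"
    done <<EOF
$EXPECTED_SYSCTLS
EOF
}
# audit_forward SNAPSHOT LAN: SNAPSHOT is `ipchains -L forward -n` output (assumed
# layout: "Chain forward (policy X):" header, then rules with target in column 1
# and source in column 4).  Reports a non-DENY policy and a missing MASQ rule.
audit_forward() {
    snap=$1 lan=$2
    printf '%s\n' "$snap" | grep -q '^Chain forward (policy DENY)' \
        || echo "forward policy is not DENY"
    printf '%s\n' "$snap" \
        | awk -v lan="$lan" '$1 == "MASQ" && $4 == lan { f = 1 } END { exit !f }' \
        || echo "no MASQ rule for $lan in forward chain"
}
# Constructed snapshots: only tcp_syncookies still 1, and an empty forward chain.
NO_FIREWALL='ip_forward 0
tcp_syncookies 1
ip_always_defrag 0
icmp_echo_ignore_broadcasts 0
icmp_ignore_bogus_error_responses 0
conf/all/rp_filter 0
conf/all/accept_redirects 1
conf/all/accept_source_route 1
conf/all/log_martians 0'
EMPTY_FORWARD='Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports'

audit_sysctls "$NO_FIREWALL"
audit_forward "$EMPTY_FORWARD" 192.168.1.0/24
```

On a live box the first snapshot can be built by reading the listed files under /proc/sys/net/ipv4 and the second from `ipchains -L forward -n`; an ip_forward mismatch alone is enough to stop the LAN reaching the outside.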