Daniel Woods wrote:
>
> > So after wasting/playing 4 hours trying to understand
> > ipchains and correct it to secure it, I've run into a
> > problem. I have set ipchains to forward MASQ 192.168.1.0
> > and deny everything else... (/etc/rc.d/rc.firewall)
> >
> > ==== start ====
> > # Needed to initially load modules
> > /sbin/depmod -a
> > # Supports the proper masquerading of FTP transfers (active and passive)
> > /sbin/modprobe ip_masq_ftp
> > #
> > # ----------------------------------------------------------------------------
> > # Enable IP Forwarding, if it isn't already
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > # Enable TCP SYN Cookie Protection
> > echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> >
> > # Enable always defragging Protection
> > echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> >
> > # Enable broadcast echo Protection
> > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> >
> > # Enable bad error message Protection
> > echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> >
> > # Enable IP spoofing protection
> > # turn on Source Address Verification
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> > echo 1 > $f
> > done
> >
> > # Disable ICMP Redirect Acceptance
> > for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> > echo 0 > $f
> > done
> >
> > # Disable Source Routed Packets
> > for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> > echo 0 > $f
> > done
> >
> > # Log Spoofed Packets, Source Routed Packets, Redirect Packets
> > for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> > echo 1 > $f
> > done
> > # ----------------------------------------------------------------------------
> > #
> > # MASQ timeouts
> > /sbin/ipchains -M -S 7200 10 160
> >
> > # Configuration line for DHCP configured server
> > /sbin/ipchains -A input -i eth0 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
> >
> > # Simple IP forwarding and Masquerading
> > /sbin/ipchains -P forward DENY
> > /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ # local network
> > # /sbin/ipchains -A forward -s 10.10.10.10 -j MASQ # VPN
> >
> > ==== end ====
> >
> > This used to work for the local network (NT and win98).
> > It seems to work fine for the LM7.1 firewall and web server.
> > The firewall can ping all local machines by name or number,
> > and can ping the outside world and telnet to a campus account.
> >
> > The win98 machine can ping local IP names/numbers but not
> > to the outside world.
> >
> > The NT machine was upgraded to NT-SP6a from SP5 because of
> > lousy "SureThing labeler" freezing up. I was able to use
> > and access the internet after the upgrade, until I rebooted
> > my Linux box... and then nothing. NT can ping local numbers
> > only and the linux box (ISP DHCP number) but not by name
> > (except itself), and nothing outside the firewall.
> > I uninstalled VPN software which was set to use 10.10.10.10
> > and re-installed latest VMWare, but no changes.
> >
> > I have done 'ipchains -F' and reloaded the rc.firewall script
> > or simply rebooted (many times). Since all win machines are
> > no longer working (and they were before), I don't think I
> > can blame them (or M$). The win machines have a static
> > 192.168.1.x address and gateway set to linux machine 192.168.1.1
> > and DNS set to outside ISP values.
> >
> > What did I screw up ? Did I miss a file to clear out ?
> >
> > Thanks... Dan.
>
> Were the above questions/problems too vague or too difficult
> for any answer ? I have exhausted all testing that I can think
> of, including leaving firewall wide open. I checked all those
> "echo 1 >..." for values without the firewall and the only one
> still set to 1 was "echo 1 > /proc/sys/net/ipv4/tcp_syncookies".
> Since the LAN machines can ping numbers on LAN but not names,
> I thought it was DNS but the server can access internet.
> So it leads me to believe that some file is set somewhere that
> still has MASQ rules, even if I 'ipchains -F' and reboot with
> no firewall. I need to do work support from within my LAN's
> NT machine. I was planning to be working from home this week.
> Please help me to solve this annoying problem.
>
> Thanks... Dan.
Well, I am having difficulty visualizing the topology. And in
this case it is important.
How is this net configured--where are the connects and
hubs/switches, and the i/f to the outside world?
...
And you can find any other references to ipchains with rgrep, if
that's what you think it is....
# rgrep -r -F -l "ipchains" /etc
should tell you nearly everything--small chance of /usr/sbin
Take care
Civileme
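The "echo 1 > ..." read-back that Dan describes, written out as an added example (this is not code from the thread or from the rc.firewall posted above): a small POSIX sh script that audits the /proc/sys/net/ipv4 knobs the posted script writes and can re-apply them. The knob names and values are copied from that script; the ROOT argument, the function names and the fake-tree builder are assumptions added here so the check can be exercised against a constructed tree instead of the live kernel. Two caveats the posted script itself supports: those echo writes are not persistent, so a reboot without rc.firewall leaves the knobs at whatever the kernel and init scripts set (which is consistent with only tcp_syncookies still reading 1 on Dan's box), and the script only sets a policy on the forward chain, so the input and output chains keep the ipchains default of ACCEPT; "deny everything else" covers forwarded traffic only. For the rgrep line above, GNU grep's equivalent is `grep -rlF ipchains /etc`.

```shell
#!/bin/sh
# Added example, not from the thread: verify and re-apply the
# /proc/sys/net/ipv4 settings that the posted rc.firewall writes.
# Knob names/values come from that script; the ROOT argument is an
# assumption added here so the functions can run on a constructed tree.

GLOBAL_KNOBS="ip_forward=1 tcp_syncookies=1 ip_always_defrag=1"
GLOBAL_KNOBS="$GLOBAL_KNOBS icmp_echo_ignore_broadcasts=1 icmp_ignore_bogus_error_responses=1"
IFACE_KNOBS="rp_filter=1 accept_redirects=0 accept_source_route=0 log_martians=1"

# report_knob PATH WANT LABEL: print "LABEL expected WANT got HAVE" and
# return 1 when the file is missing or holds a different value.
report_knob() {
    if [ -r "$1" ]; then have=$(cat "$1"); else have=missing; fi
    [ "$have" = "$2" ] && return 0
    echo "$3 expected $2 got $have"
    return 1
}

# check_ipv4_knobs [ROOT]: one line per mismatch, status 1 if any.
check_ipv4_knobs() {
    base="${1:-}/proc/sys/net/ipv4"
    bad=0
    for kv in $GLOBAL_KNOBS; do
        report_knob "$base/${kv%%=*}" "${kv#*=}" "${kv%%=*}" || bad=1
    done
    for kv in $IFACE_KNOBS; do
        for f in "$base"/conf/*/"${kv%%=*}"; do   # same glob as the script
            [ -e "$f" ] || continue              # glob matched nothing
            report_knob "$f" "${kv#*=}" "${f#$base/}" || bad=1
        done
    done
    return "$bad"
}

# apply_ipv4_knobs [ROOT]: the same writes rc.firewall performs.
apply_ipv4_knobs() {
    base="${1:-}/proc/sys/net/ipv4"
    for kv in $GLOBAL_KNOBS; do
        echo "${kv#*=}" > "$base/${kv%%=*}"
    done
    for kv in $IFACE_KNOBS; do
        for f in "$base"/conf/*/"${kv%%=*}"; do
            [ -e "$f" ] || continue
            echo "${kv#*=}" > "$f"
        done
    done
}

# make_fake_proc ROOT: constructed tree (assumption, not a real box) with
# every knob except tcp_syncookies set to the opposite of what the script
# wants, i.e. the state Dan described after rebooting without rc.firewall.
make_fake_proc() {
    base="$1/proc/sys/net/ipv4"
    mkdir -p "$base/conf/all" "$base/conf/eth0"
    for k in ip_forward ip_always_defrag icmp_echo_ignore_broadcasts \
             icmp_ignore_bogus_error_responses; do
        echo 0 > "$base/$k"
    done
    echo 1 > "$base/tcp_syncookies"
    for i in all eth0; do
        echo 0 > "$base/conf/$i/rp_filter"
        echo 1 > "$base/conf/$i/accept_redirects"
        echo 1 > "$base/conf/$i/accept_source_route"
        echo 0 > "$base/conf/$i/log_martians"
    done
}

# Demo against the fake tree: sh check_knobs.sh --demo
# On the live box (as root): . ./check_knobs.sh; check_ipv4_knobs
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fake_proc "$tmp"
    check_ipv4_knobs "$tmp" || echo "-- mismatches found, re-applying"
    apply_ipv4_knobs "$tmp"
    check_ipv4_knobs "$tmp" && echo "-- all knobs now match rc.firewall"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the twelve mismatches the fake tree produces and the clean second pass after re-applying; sourcing it and calling `check_ipv4_knobs` with no argument audits the real /proc. Because the check compares against the values hard-coded in the posted script, an empty report after a reboot means the script actually ran at boot, and a non-empty one points at the init ordering rather than at ipchains.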