richard <[EMAIL PROTECTED]> wrote:
> ...
> Telnet seems to be disabled.
> Any attempt to telnet to port 23 is refused, but I can ftp to it.
>
> I checked in /usr/sbin and in.telnetd was missing; I've tried replacing the
> missing daemon with one from a Redhat distro,
> but still no telnet function.
add:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to your /etc/inetd.conf (you may be able to just uncomment it
from there; it's probably already in, just commented out). Then
kill -HUP the inetd process ('ps ax|egrep inetd', get the PID,
'kill -HUP thePID') to get it to re-read the config file.
> I also need to be able to disable the firewall so I can run my own firewall
> scripts for ipchains.
Huh? ipchains -f doesn't do the job? (or is that 'ipchains -F' - hmm, well,
whichever).
> The immediate thing that must be got functional is routing and masq from the
> LAN which has a 44.0.0.0 domain through to the internet.
A couple of good references are:
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-3.html
http://ipmasq.cjb.net/
The short answer is: hack up my firewall scripts below - but beware
that ALL warranties are null and void, including fitness for any purpose
at all. You get cracked, it ain't my fault!
> Or do I have, like with Suse, to disable the dhcp daemon and just use the client
> after the first ethernet port is set up, so that the second port eth1 can be
> used with a fixed ip address..
Um, are you asking how to have dhcpcd only listen to the first ethernet port
(the cable modem one)? Depends upon your dhcpcd - if it's ISC's, there's an
'interfaces' line (I believe) in the config file that lets you tell it
where to listen.
rc
Any firewall gurus want to comment on my firewall rules?
Here's what I call rc.firewall (in /etc/rc.d/init.d):
#!/bin/bash
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.1/2.x kernels using IPchains
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All currently available IP MASQ modules
# are shown below but are commented out from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
#
# This used to be a compile-time option but the behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable
# the following option. This enables dynamic-ip address hacking in IP MASQ, making
# life with DialD, PPPd, and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# set up ip addresses and such
extip="fixed ip address goes here" # note - you MUST go see the web pages
# I mentioned above if you are using dynamic IP!!!!!!!!!
extint="ppp0"
intint="eth0"
intnet="10.40.0.0/15" # I'm using 10.40.0.0 netmask 255.255.0.0
# flush all the chains.
ipchains -F forward
ipchains -F output
ipchains -F input
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall
# timeout in ICQ itself)
#
ipchains -M -S 7200 10 60 -v
# internal net to internal net, no problem with anything (for now!)
# (-i takes an interface name, hence $intint rather than $intnet)
ipchains -A input -v -i $intint -s $intnet -d $intnet -j ACCEPT
ipchains -A input -v -i lo -s $intnet -d $intnet -j ACCEPT
# I don't think I want microsloth names service over the net! ESPECIALLY
# outbound!
ipchains -A input -v -i $intint -s $intnet 137 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 137 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 138 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 138 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 139 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 139 -p udp -d 0.0.0.0/0 -j REJECT
# other things I don't want going out (one rule each for tcp and udp):
ipchains -A input -v -i $intint -s $intnet 67 -p tcp -d 0.0.0.0/0 -j REJECT # bootp
ipchains -A input -v -i $intint -s $intnet 67 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 68 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 68 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 201 -p tcp -d 0.0.0.0/0 -j REJECT # appletalk
ipchains -A input -v -i $intint -s $intnet 201 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 202 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 202 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 204 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 204 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 206 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 206 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 213 -p tcp -d 0.0.0.0/0 -j REJECT # ipx
ipchains -A input -v -i $intint -s $intnet 213 -p udp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 389 -p tcp -d 0.0.0.0/0 -j REJECT # ldap
ipchains -A input -v -i $intint -s $intnet 389 -p udp -d 0.0.0.0/0 -j REJECT
# accept anything else from local interface going outbound:
ipchains -A input -v -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# local to local is ok
ipchains -A input -v -i lo -d 0.0.0.0/0 -j ACCEPT
# reject anything on ppp saying it's inside
ipchains -A input -v -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# reject anything outside trying to use pop3
ipchains -A input -v -i $extint -p tcp -d 0.0.0.0/0 110 -l -j REJECT
ipchains -A input -v -i $extint -p udp -d 0.0.0.0/0 110 -l -j REJECT
# accept anything already connected.
ipchains -A input -v -i $extint -p TCP ! -y -d 0.0.0.0/0 -j ACCEPT
# accept any outside packets to SSH and SMTP (on both udp and tcp)
ipchains -A input -v -i $extint -p tcp -d $extip/32 22 -j ACCEPT
# real soon now we will remove these 2:
ipchains -A input -v -i $extint -p tcp -d $extip/32 25 -j ACCEPT
ipchains -A input -v -i $extint -p udp -d $extip/32 25 -j ACCEPT
# allow dns REPLIES
# note the direction here!
ipchains -A input -v -i $extint -p tcp -s 0.0.0.0/0 53 -d $extip/32 -j ACCEPT
ipchains -A input -v -i $extint -p udp -s 0.0.0.0/0 53 -d $extip/32 -j ACCEPT
# disallow icmp redirect (type 5 - for ICMP the type goes in the source "port" slot)
ipchains -A input -i $extint -p ICMP -s 0.0.0.0/0 5 -l -j REJECT
# but allow other ICMP thingys
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -p ICMP -j ACCEPT
# disallow all others and log.
/sbin/ipchains -A input -v -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# here's the masq stuff, if that's all you care about:
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -s $intnet -d 0.0.0.0/0 -j MASQ
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
exit 0
---that's the end of rc.firewall----
Here is /etc/rc.d/init.d/firewall, which is linked to as follows:
lrwxrwxrwx 1 root root 18 Oct 14 13:13 rc2.d/S01.firewall -> ../init.d/firewall*
lrwxrwxrwx 1 root root 18 Oct 14 13:13 rc5.d/S01.firewall -> ../init.d/firewall*
(Beware - those may not be right for you!)
Here's the file:
#!/bin/bash
#
# Source function library.
. /etc/rc.d/init.d/functions
# See how we were called.
case "$1" in
start)
action "Setting firewall rules:" /etc/rc.d/init.d/rc.firewall
echo
;;
stop)
action "Sorry but I cannot stop the firewall." /etc/rc.d/init.d/fail
;;
status)
;;
restart)
$0 stop
$0 start
;;
reload)
$0 start
;;
*)
echo "Usage: firewall {start|stop|restart|reload|status}"
exit 1
esac
exit 0
Rusty Carruth Email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Voice: (480) 345-3621 SnailMail: Schlumberger ATE
FAX: (480) 345-8793 7855 S. River Parkway, Suite 116
Ham: N7IKQ @ 146.82+,pl 162.2 Tempe, AZ 85284-1825
ICBM: 33 20' 44"N 111 53' 47"W
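A small rule linter for scripts in the shape of the rc.firewall above, added here as an example and not part of Rusty's post. It assumes a constructed sample rule set (embedded below) and takes the external interface and internal network as parameters; it flags an -i given a network instead of an interface name, rules repeated verbatim, an ICMP type written into the -s address slot, and an anti-spoof REJECT on the external interface that only comes after an ACCEPT there.

```python
import re
# Constructed sample (not the real rc.firewall) with four deliberate slips described above.
SAMPLE = """\
extint="ppp0"
intint="eth0"
intnet="10.40.0.0/15" # internal LAN
ipchains -A input -v -i $intnet -s $intnet 137 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 68 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -v -i $intint -s $intnet 68 -p tcp -d 0.0.0.0/0 -j REJECT
ipchains -A input -i $extint -p ICMP -s 5 -l -j REJECT
ipchains -A input -v -i $extint -p TCP ! -y -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -v -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
"""
IPISH = re.compile(r"^\d+\.\d+\.\d+\.\d+(/\d+)?$")

def parse_rules(text):
    """Collect (lineno, tokens) for every 'ipchains -A' line, expanding $vars."""
    env, rules = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                 # drop comments
        m = re.fullmatch(r'(\w+)="?([^"]*)"?', line)        # simple var="value"
        if m:
            env[m.group(1)] = m.group(2)
            continue
        toks = line.split()
        if toks and toks[0].endswith("ipchains") and "-A" in toks:
            expand = lambda t: re.sub(r"\$(\w+)", lambda v: env.get(v.group(1), v.group(0)), t)
            rules.append((n, [expand(t) for t in toks[1:]]))
    return rules

def arg(toks, flag):  # value following a flag such as '-i', or None if absent
    return next((toks[i + 1] for i in range(len(toks) - 1) if toks[i] == flag), None)

def check_rules(rules, extint, intnet):
    """Return (lineno, finding) tuples for the slips a reviewer looks for."""
    findings, seen, ext_accept_seen = [], set(), False
    for n, t in rules:
        chain, iface, src, target = t[t.index("-A") + 1], arg(t, "-i"), arg(t, "-s"), arg(t, "-j")
        if iface and IPISH.match(iface):                    # -i wants an interface name
            findings.append((n, "iface-is-network"))
        if tuple(t) in seen:                                # exact repeat of an earlier rule
            findings.append((n, "duplicate"))
        seen.add(tuple(t))
        if (arg(t, "-p") or "").lower() == "icmp" and src and src.isdigit():
            findings.append((n, "icmp-type-as-source"))      # should be -s 0.0.0.0/0 <type>
        if chain == "input" and iface == extint:
            if target == "ACCEPT":
                ext_accept_seen = True
            elif src == intnet and target in ("REJECT", "DENY") and ext_accept_seen:
                findings.append((n, "antispoof-after-accept"))  # spoofed LAN source already let in
    return findings
```

Run it as check_rules(parse_rules(open("rc.firewall").read()), "ppp0", "10.40.0.0/15") against your own script; an empty list means none of the four slips was found.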