Hello all,

Well, I was all ready to send the message below when I discovered what the real problem is... the gateway was set wrong in the unreachable box... so it couldn't route the packets back to the client.

I include the following as an example of some working settings; though they are not the safest, they can be tightened. I'm sure there are others on the list who can critique them. My next step will be to ensure the only packets into the system are destined for the appropriate boxes rather than to anywhere, i.e.

  EXTERN_TCP_PORT0="0/0_www_231.123.123.242"
  EXTERN_TCP_PORT1="<my_static_IP>_ssh_231.123.123.242"

instead of

  EXTERN_TCP_PORTS="0/0_ssh 0/0_www 0/0_ftp 0/0_20"

There are more, but you get the idea. Personally, I found this list to be a wealth of configuration info, and it helped me learn the DCD/LRP. So I submit this to the archives ;-)

___________________ begin original message ___________________

Hello again,

It's been a long learning curve, but I feel I have most everything pulled together. I still have a problem that when installed, the router will only let me SSH into one of two servers, the .243 box. None of the forwarded services to .242 respond at all. The .244 box (part distraction, part sacrificial lamb & 100% MacOS) is not online, so I can't say if that is working as yet.

I took the approach of simplifying all the settings and therefore offering the least security but also the least obscuring to protocols. I can refine after it works, but at present that is not the case. But I guess that's blatantly obvious ;-!

So, below you will find some grep'd files removing comments and altering the _insignificant_ IP numbers. The subnet and the last octal are real, only the names have been changed to protect... oops, pop-culture strikes again.
Well, this net is certainly becoming a 'Drag' so I suppose that slip was appropriate =8@

_________________________ begin network.conf

#cat /etc/network.conf
IF_AUTO="eth0 eth1 eth2"

eth0_IPADDR=231.123.123.241
eth0_MASKLEN=29
eth0_BROADCAST=+
eth0_DEFAULT_GW=231.123.123.246
eth0_IP_EXTRA_ADDRS="231.123.123.242 231.123.123.243 231.123.123.244"
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO

eth1_IPADDR=192.168.70.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

eth2_IPADDR=192.168.71.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

IPFILTER_SWITCH=firewall

EXTERN_IF="eth0"
EXTERN_DHCP=NO
EXTERN_DYNADDR=NO
EXTERN_UDP_PORTS="0/0_domain"
EXTERN_TCP_PORTS="0/0_ssh 0/0_www 0/0_ftp 0/0_20"

INTERN_IF="eth1"
INTERN_NET=192.168.70.0/24
INTERN_IP=192.168.70.254
MASQ_SWITCH=YES
INTERN_SERVERS="tcp_231.123.123.244_20_192.168.71.244_20 tcp_231.123.123.244_ftp_192.168.71.244_ftp tcp_231.123.123.242_www_192.168.71.242_www tcp_231.123.123.243_ssh_192.168.71.243_ssh tcp_231.123.123.242_ssh_192.168.71.242_ssh"

DMZ_SWITCH=YES
DMZ_IF="eth2"
DMZ_NET=192.168.71.0/24
DMZ_SRC=231.123.123.240/29
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
DMZ_OPEN_DEST="udp_${DMZ_NET}_domain tcp_${DMZ_NET}_domain icmp_${DMZ_NET}_: tcp_231.123.123.242_www tcp_231.123.123.242_ssh tcp_231.123.123.244_20 tcp_231.123.123.244_ftp tcp_231.123.123.243_ssh"
DMZ_OUTBOUND_ALL=YES

___________________ end settings _____________________________

#ipchains -L -n -v
#*** only TCP and ALL are shown. UDP etc. have been stripped!
Chain input (policy ACCEPT: 0 packets, 0 bytes):
target  prot ifname source     destination ports
ACCEPT  tcp  eth0   0.0.0.0/0  0.0.0.0/0   * -> 22
ACCEPT  tcp  eth0   0.0.0.0/0  0.0.0.0/0   * -> 80
ACCEPT  tcp  eth0   0.0.0.0/0  0.0.0.0/0   * -> 21
ACCEPT  tcp  eth0   0.0.0.0/0  0.0.0.0/0   * -> 20
REJECT  tcp  eth0   0.0.0.0/0  0.0.0.0/0   * -> 113
ACCEPT  tcp  eth0   0.0.0.0/0  0.0.0.0/0   * -> 1024:65535
DENY    all  eth0   0.0.0.0/0  0.0.0.0/0   n/a
ACCEPT  all  *      0.0.0.0/0  0.0.0.0/0   n/a

Chain forward (policy DENY: 0 packets, 0 bytes):
target  prot ifname mark outsize source          destination      ports
MASQ    tcp  *                   192.168.71.244  0.0.0.0/0        20 -> *
MASQ    tcp  *                   192.168.71.244  0.0.0.0/0        21 -> *
MASQ    tcp  *                   192.168.71.242  0.0.0.0/0        80 -> *
MASQ    tcp  *                   192.168.71.243  0.0.0.0/0        22 -> *
MASQ    tcp  *                   192.168.71.242  0.0.0.0/0        22 -> *
MASQ    all  eth2                192.168.70.0/24 192.168.71.0/24  n/a
REJECT  tcp  eth2                0.0.0.0/0       192.168.71.0/24  * -> 6000:6004
REJECT  tcp  eth2                0.0.0.0/0       192.168.71.0/24  * -> 7100
ACCEPT  tcp  eth2                0.0.0.0/0       192.168.71.0/24  * -> 53
ACCEPT  tcp  eth2                0.0.0.0/0       231.123.123.242  * -> 80
ACCEPT  tcp  eth2                0.0.0.0/0       231.123.123.242  * -> 22
ACCEPT  tcp  eth2                0.0.0.0/0       231.123.123.244  * -> 20
ACCEPT  tcp  eth2                0.0.0.0/0       231.123.123.244  * -> 21
ACCEPT  tcp  eth2                0.0.0.0/0       231.123.123.243  * -> 22
ACCEPT  tcp  !y eth2             0.0.0.0/0       192.168.71.0/24  * -> 1024:65535
ACCEPT  tcp  eth0                192.168.71.0/24 0.0.0.0/0        * -> *
MASQ    all  eth0                192.168.70.0/24 0.0.0.0/0        n/a
DENY    all  eth2                0.0.0.0/0       192.168.71.0/24  n/a
DENY    all  *                   0.0.0.0/0       0.0.0.0/0        n/a

Chain output (policy ACCEPT: 0 packets, 0 bytes):
target  prot ifname mark outsize source     destination ports
ACCEPT  all  *                   0.0.0.0/0  0.0.0.0/0   n/a

Chain fairq (0 references):
target  prot ifname mark outsize source     destination ports
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   * -> 179
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   179 -> *
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   * -> 53
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   53 -> *
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   * -> 23
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   23 -> *
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   * -> 22
RETURN  tcp  *                   0.0.0.0/0  0.0.0.0/0   22 -> *

#ipmasqadm portfw -ln
prot localaddr       rediraddr       lport rport pcnt pref
TCP  231.123.123.242 192.168.71.242  22    22    9    10
TCP  231.123.123.243 192.168.71.243  22    22    6    10
TCP  231.123.123.242 192.168.71.242  80    80    8    10
TCP  231.123.123.244 192.168.71.244  21    21    8    10
TCP  231.123.123.244 192.168.71.244  20    20    10   10

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
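As an added example (not code from the original post or from the LRP/DCD project), the following Python model of the EXTERN_TCP_PORTS entry syntax shows what the tightening proposed at the top of the message actually buys: it parses the loose `0/0_ssh 0/0_www 0/0_ftp 0/0_20` setting and the per-host `<src>_<service>_<dst>` form side by side, and lists which (external address, port) pairs are reachable from anywhere under each. The entry forms, the service-name table, the list of external addresses (.241 plus the three extra addresses from network.conf) and the `203.0.113.7` stand-in for `<my_static_IP>` are all assumptions or constructed values taken from, or chosen to match, the message above.

```python
"""Model of the LRP/DCD EXTERN_TCP_PORTS entry syntax seen in the post.

Added example, not code from the original message or the LRP/DCD project.
Entry forms assumed from the post:
    "<src>_<service>"         e.g. "0/0_ssh"   (any source, any local address)
    "<src>_<service>_<dst>"   e.g. "0/0_www_231.123.123.242"
<src> is an address or CIDR ("0/0" meaning anywhere), <service> is a port
number or a service name, <dst> is an optional external address to restrict to.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal service-name table (a real box would consult /etc/services).
SERVICES = {"ssh": 22, "www": 80, "ftp": 21, "domain": 53}

# Constructed from network.conf: the primary address plus eth0_IP_EXTRA_ADDRS.
EXTERNAL_ADDRS = ["231.123.123.241", "231.123.123.242",
                  "231.123.123.243", "231.123.123.244"]
# Constructed placeholder for the post's "<my_static_IP>" (documentation range).
MY_STATIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    port: int
    dst: Optional[ipaddress.IPv4Address]  # None = any local address


def parse_entry(entry: str) -> Rule:
    """Turn one "<src>_<service>[_<dst>]" token into a Rule."""
    parts = entry.split("_")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad EXTERN_TCP_PORTS entry: {entry!r}")
    src, svc = parts[0], parts[1]
    dst = parts[2] if len(parts) == 3 else None
    # "0/0" is the config shorthand for 0.0.0.0/0; a bare address becomes a /32.
    src_net = ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)
    port = SERVICES[svc] if svc in SERVICES else int(svc)
    return Rule(src_net, port, ipaddress.ip_address(dst) if dst else None)


def parse_ports(value: str) -> List[Rule]:
    """Parse a whole space-separated EXTERN_TCP_PORTS value."""
    return [parse_entry(e) for e in value.split()]


def allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Would a new TCP connection from src to dst:port be accepted by the input chain?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and r.port == port and (r.dst is None or r.dst == d)
               for r in rules)


def world_reachable(rules: List[Rule], ext_addrs=EXTERNAL_ADDRS) -> List[Tuple[str, int]]:
    """(address, port) pairs that any host on the Internet is allowed to reach.

    A rule without a <dst> applies to every address the router holds, which is
    why the loose setting exposes each port on all four addresses.
    """
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    out = set()
    for r in rules:
        if r.src != anywhere:
            continue
        targets = [str(r.dst)] if r.dst is not None else list(ext_addrs)
        for a in targets:
            out.add((a, r.port))
    return sorted(out)


# The setting from the poster's network.conf, and the tightened form they proposed.
LOOSE = parse_ports("0/0_ssh 0/0_www 0/0_ftp 0/0_20")
TIGHT = parse_ports(f"0/0_www_231.123.123.242 {MY_STATIC_IP}_ssh_231.123.123.242")

if __name__ == "__main__":
    print(len(world_reachable(LOOSE)), "world-reachable (addr, port) pairs with the loose setting")
    print(world_reachable(TIGHT), "with the tightened setting")
```

The model only covers the allowance in the input chain, not whether a service actually listens or is port-forwarded; it is enough to see that the loose setting accepts SSH to every one of the four addresses (the router's own .241 included) from anywhere, while the tightened form admits SSH only from the one source address and only to the .242 box.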