> is there an easy way ("easy" in the way that I won't have to make too many
> changes from the default setup, avoiding drifting away too much from the
> default settings) to make a Dachstein CD (1.0.2) firewall block all
> _outgoing_ traffic, except for one host (which runs the proxy servers)?
> Obviously, it's not a terribly big deal to insert the rules to do that, but
> maybe I'm missing something obvious that would make it even easier (and,
> should I need help from the list one day, easier to explain what my ipchains
> rules look like, without having to wade through all the extra rules that
> I've inserted).
>
> It's a _very_ simple setup, nothing is port-forwarded to the internal net,
> no DMZ, no external open ports, nothing. Just a masquerading firewall, that
> should block all traffic, except for request packets from (and obviously,
> response packets to) the _one_ proxy server.
>
> Before you ask, yes, I'm paranoid - I don't want _any_ connections to be
> able to be initiated from the internal network, except for HTTP, HTTPS and
> FTP (which are handled by a Squid server, running on the internal net). All
> IPs (internal and external) are static, if that matters.

There are two basic ways to do this, and both should be implemented by creating custom rules in /etc/ipchains.forward (that's what it's for).

WARNING: All ipchains rules are off the top of my head...they may not be exactly correct.

NOTE: /etc/ipchains.forward is sourced *AFTER* the rule that masquerades the internal network to the world. If you want to change this behavior, you will need to insert packets into the forward chain using the -I switch.

The first solution is to create your own masquerade rules allowing the desired traffic, then deny everything else. Something like:

  # -I with no rule number inserts at the head of the chain, so insert the
  # DENY rule first and then put the proxy's MASQ rule in front of it
  $IPCH -I forward -j DENY -s $INTERN_NET -i $EXTERN_IF
  $IPCH -I forward -j MASQ -p all -s <proxy-ip> -i $EXTERN_IF

This will allow only the proxy machine to access the internet. If necessary, you can make the initial masquerade rule more specific (e.g. allowing only traffic destined to appropriate ports by adding the -d switch, and switching from -p all to -p tcp or -p udp), but you'll have a hard time getting FTP working properly, and you won't be able to ping, traceroute, etc. unless you also build specific rules for ICMP traffic. If you do go the specific route, make sure you also create rules for DNS traffic, which you probably want to work, although you didn't explicitly say so...

The other solution would be to create your own rule-chain, and send your forwarded traffic through the new rules. You would RETURN if packets were OK, and they would then be masqueraded by the existing default masquerade rules. The last rule in your new chain would DENY any packets that were not specifically allowed.

  # flush and delete any old copy of the chain (qt silences errors), then rebuild it
  qt $IPCH -F myFilter && qt $IPCH -X myFilter
  $IPCH -N myFilter
  # proxy traffic returns to the forward chain and hits the default MASQ rule
  $IPCH -A myFilter -j RETURN -p all -s <proxy-ip>
  # everything else from the internal net is dropped here
  $IPCH -A myFilter -j DENY
  # hook the chain in ahead of the default rules
  $IPCH -I forward -j myFilter -s $INTERN_NET -i $EXTERN_IF

The first option is easier to set up, while the latter is likely to have fewer potentially nasty side effects (since you're not trying to replace any of the existing ruleset functionality, you're just adding a bit of extra filtering).

As always, use the verbose output of ipchains, specifically the byte and packet counters, to debug...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
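As an added example (not part of the reply above), here is the custom-chain variant written as a script that can be dry-run away from the firewall, together with a check of the packet counters from "ipchains -L myFilter -n -v" that the reply suggests using to debug. IPCH, INTERN_NET and EXTERN_IF are the reply's own variable names; PROXY_IP, the addresses and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original message: a dry-run installer for the
# custom-chain variant the reply describes, plus a check of the counters that
# "ipchains -L myFilter -n -v" prints. IPCH, INTERN_NET and EXTERN_IF are the
# reply's variable names; PROXY_IP and every address below are constructed.
IPCH=${IPCH:-"echo ipchains"}       # on the firewall: IPCH=ipchains to apply
EXTERN_IF=${EXTERN_IF:-eth0}
INTERN_NET=${INTERN_NET:-192.168.1.0/24}
PROXY_IP=${PROXY_IP:-192.168.1.10}   # constructed: the Squid host

# Build the myFilter chain (RETURN for the proxy, DENY everything else) and
# hook it into forward with -I so it runs before the default MASQ rule.
install_filter() {
    $IPCH -F myFilter 2>/dev/null
    $IPCH -X myFilter 2>/dev/null
    $IPCH -N myFilter
    $IPCH -A myFilter -j RETURN -p all -s "$PROXY_IP"
    $IPCH -A myFilter -j DENY
    $IPCH -I forward -j myFilter -s "$INTERN_NET" -i "$EXTERN_IF"
}

# Read an "ipchains -L <chain> -n -v" listing on stdin (pkts, bytes and target
# are the first three columns). Fails unless the last rule is the DENY
# catch-all; otherwise prints that rule's packet counter, which only grows
# when a host other than the proxy tries to leave the internal net.
check_filter() {
    awk 'NR > 2 && NF { pkts = $1; target = $3 }
         END { if (target != "DENY") exit 1; print pkts + 0 }'
}

# Constructed listing approximating the verbose output after some traffic.
SAMPLE_LISTING='Chain myFilter (1 references):
 pkts bytes target  prot opt    tosa tosx  ifname  mark outsize  source        destination  ports
  120  9600 RETURN  all  ------ 0xFF 0x00  *                     192.168.1.10  0.0.0.0/0    n/a
    5   300 DENY    all  ------ 0xFF 0x00  *                     0.0.0.0/0     0.0.0.0/0    n/a'

denied_pkts() { printf '%s\n' "$SAMPLE_LISTING" | check_filter; }

install_filter
echo "packets dropped by myFilter so far: $(denied_pkts)"   # prints 5
```

Run it as-is to see the exact ipchains commands it would issue; a non-zero DENY counter on the real firewall means some internal host other than the proxy is trying to reach the outside directly.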
