Hi Charles, 

> There are two basic ways to do this, and both should be implemented by
> creating custom rules in /etc/ipchains.forward (that's what it's for).
> 
> WARNING:  All ipchains rules are off the top of my head...they may not be
> exactly correct.
> 
> NOTE:  /etc/ipchains.forward is sourced *AFTER* the rule that masquerades
> the internal network to the world.  If you want to change this behavior, you
> will need to insert packets into the forward chain using the -I switch.
> 
> The first solution is to create your own masquerade rules allowing the
> desired traffic, then deny everything else.  Something like:
> 
> $IPCH -I forward -j MASQ -p all -s <proxy-ip> -i $EXTERN_IF
> $IPCH -I forward 2 -j DENY -s $INTERN_NET -i $EXTERN_IF
> 
> This will allow only the proxy machine to access the internet.  If
> necessary, you can make the initial masquerade rule more specific (eg
> allowing only traffic destined to appropriate ports by adding the -d switch,
> and switching from -p all to -p tcp or -p udp), but you'll have a hard time
> getting FTP working properly, and you won't be able to ping, traceroute,
> etc. unless you also build specific rules for ICMP traffic.  If you do go
> the specific route, make sure you also create rules for DNS traffic, which
> you probably want to work, although you didn't explicitly say so...
Thanks, sounds _exactly_ like what I'm looking for. My first shot was to
"simply" edit all rules on the input and forward chain, but as you can
imagine, things got rather messy in no time (and again, I don't really care,
if in the end, the rules do what I'd want them to, but I don't want to move
off too far from the default setup). Sorry about forgetting to mention DNS,
that part is still untouched (DNSCache is doing a good job on the
router/firewall, even though resolving an address is much slower than it was
with bind using my provider's DNS servers - but that may well be just for
now, until that cache gets "filled"). 

> The other solution would be to create your own rule-chain, and send your
> forwarded traffic through the new rules.  You would RETURN if packets were
> OK, and they would then be masqueraded by the existing default masquerade
> rules.  The last rule in your new chain would DENY any packets that were not
> specifically allowed.
Sounds like that would be the way to go, if I wanted to put the existing
ruleset without having to mess too much with the scripts. But I think I'd
rather go with your first suggestion, since that sounds like I'll stay
closer to the original setup (I still have 4 IPs left, and I don't want to
rule out the possibility that I'll play with those DMZ capabilities you put
into Dachstein - remember, I'm still working on a heavily modified
Matterhorn setup at home (the setup we're talking about for the additional
ipchains rules is in my office, which is why it's so paranoid...), so I'm
quite excited about all those new features you put in). 

> The first option is easier to setup, while the latter is likely to have fewer
> potentially nasty side effects (since you're not trying to replace any of
> the existing ruleset functionality, you're just adding a bit of extra
> filtering).
Can you explain the "nasty side effects"? If it's just that some applications
won't work, that's fine with me - I'll resolve those. But obviously, if that
means additional vulnerabilities, that's a whole different matter. I'll nmap
the server (obviously from somewhere on the net) to be sure, but hey, even
nmap can miss something... 

Thanks for the feedback, I'll try it first thing in the morning (CET) 

Martin

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
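An added, dry-run example of both approaches discussed above (not code from the original mail or from the Dachstein/Matterhorn scripts). The variable names $IPCH, $EXTERN_IF and $INTERN_NET are taken from the quoted rules; PROXY_IP, the chain name "proxyonly", the placeholder addresses and the dry-run default are assumptions made here. The point it demonstrates is the ordering trap with `-I`: without an explicit rule number, every `ipchains -I forward` lands at position 1, so issuing the MASQ rule and then the DENY rule leaves DENY on top and cuts the proxy off too. The script prints the commands by default; set IPCH=ipchains to run them for real.

```shell
#!/bin/sh
# Added example (not from the original mail): restrict masquerading to a
# single proxy host with ipchains. Dry run unless IPCH=ipchains is exported.
# Assumed names/values: PROXY_IP, chain "proxyonly", placeholder addresses.
IPCH="${IPCH:-echo ipchains}"
EXTERN_IF="${EXTERN_IF:-eth0}"            # assumption: outgoing interface
INTERN_NET="${INTERN_NET:-192.168.1.0/24}" # assumption: internal network
PROXY_IP="${PROXY_IP:-192.168.1.2}"        # assumption: the proxy host

# Approach 1: rules inserted directly into the forward chain.
# "-I forward" with no rule number inserts at position 1 every time, so the
# DENY must be issued FIRST; the MASQ rule issued afterwards then sits above
# it and is evaluated first. Issuing them in the opposite order blocks the
# proxy as well. Both rules use -I so they run before the default MASQ rule.
build_inline_rules() {
    $IPCH -I forward -j DENY -s "$INTERN_NET" -i "$EXTERN_IF" -l
    $IPCH -I forward -j MASQ -p all -s "$PROXY_IP" -i "$EXTERN_IF"
}

# Approach 2: a separate chain that RETURNs allowed traffic to the existing
# default masquerade rule and DENYs everything else from the internal net.
# The existing ruleset is untouched; only one jump is inserted at the head of
# forward, so the default MASQ rule is still the one doing the masquerading.
build_proxy_chain() {
    $IPCH -N proxyonly
    # Proxy traffic falls back to the default rules (which masquerade it).
    $IPCH -A proxyonly -p all -s "$PROXY_IP" -i "$EXTERN_IF" -j RETURN
    # Anything else from the internal net headed out is dropped and logged.
    $IPCH -A proxyonly -s "$INTERN_NET" -i "$EXTERN_IF" -j DENY -l
    # Rule number 1: the jump must precede the default MASQ rule.
    $IPCH -I forward 1 -s "$INTERN_NET" -i "$EXTERN_IF" -j proxyonly
}

# Show both variants; pick one when applying for real.
build_inline_rules
build_proxy_chain
```

To narrow approach 2 further, replace the `-p all` RETURN with one rule per needed protocol/port (e.g. `-p tcp -d 0/0 80`), remembering, as the quoted mail notes, ICMP for ping/traceroute and DNS if the proxy resolves names itself.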