Re: [linux-delhi] ipchains

Sat, 01 Jul 2000 08:19:54 -0700 

Hi

Similar problem, I am facing. I have 1 server from which I am doing proxy
and mailserver both. I have 2 network cards 1 connected to my ISP thru
leased line and the other to LAN. But my problem is that proxy is working
fine but I am not able to
download all the mails to this server and redistribute them to the users who
are having windows nodes and want to access their mails using Outlook
express etc.
I have configured POP accounts for them but it is unable to find the socket.
I think
I have messed up something in configuration between two lan cards.
Can this problem be tackled by IPCHAINS if yes pls tell me .

Sanjay Gupta

kapil sharma wrote:

> Hi,
>  i have 2 server. Server1 is acting as a squid proxy and firewall
> server.  The server 2 is handing emails and it's default gateway is
> server1. I want server2 to use the gateway of server 1 and send /get
> mails through server1.
>  Now what ipchains rule should i make to forward all request( DNS, smtp
> and pop3 ) to forward to internet. I am attaching my ipchains rules
> files. Please help!!!!!!!!!!!!
>
>  Thank you
>  kapil
>
> --
> Kapil Sharma
> Senior System Administrator
> DSF Internet Services
> Email: [EMAIL PROTECTED]
>        [EMAIL PROTECTED]
> Web  : http://www.dsfinternet.com
>
> #!/bin/sh
> #
> # IPCHAINS-FIREWALL V1.6-MASQUERADE
> # Local Interface developed by kapil sharma
> # This is the interface that is your link to the world
>
> LOCALIF="ppp0"
>
> # Internal Interface
> # This is the interface for your local network
> # NOTE: INTERNALNET is a *network* address. All host bits should be 0
>
> INTERNALNET="192.168.1.0/24"
>
> # ------------------------------------------------------- Variable
> definition -
> #
> # Set the location of ipchains.
>
> IPCHAINS="/sbin/ipchains"
>
> # You shouldn't need to change anything in the rest of this section
>
> LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
>
> LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
> LOCALNET="$LOCALIP/$LOCALMASK"
>
> echo "Internal: $INTERNALNET"
> echo "External: $LOCALNET"
>
> REMOTENET="0/0"
>
> # -------------------------------------- Flush everything, start from
> scratch -
>
> echo -n "Flushing rulesets.."
>
> # Incoming packets from the outside network
> $IPCHAINS -F input
> echo -n "."
>
> # Outgoing packets from the internal network
>
> $IPCHAINS -F output
> echo -n "."
>
> # Forwarding/masquerading
> $IPCHAINS -F forward
> echo -n "."
>
> echo "Done!"
>
> # ---------------------------------- Allow all connections within the
> network -
>
> echo -n "Internal.."
>
> $IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
> $IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
> echo -n ".."
>
> echo "Done!"
>
> # -------------------------------------------------- Allow loopback
> interface -
>
> echo -n "Loopback.."
>
> $IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
> $IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
> echo -n ".."
>
> echo "Done!"
>
> # --------------------------------------------------------------
> Masquerading -
>
> echo -n "Masquerading.."
>
> # don't masquerade internal-internal traffic
> $IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
> echo -n "."
>
> # don't Masquerade external interface direct
> $IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
> echo -n "."
>
> # masquerade all internal IP's going outside
> $IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
> echo -n "."
>
> # set Default rule on MASQ chain to Deny
> $IPCHAINS -P forward DENY
> echo -n "."
>
> # --------------------- Allow all connections from the network to the
> outside -
>
> #$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
> #$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
> #Allow telnet connection from the internal network to remote network
> $IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 telnet -j ACCEPT
> $IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 ftp -j ACCEPT
> $IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 smtp -j ACCEPT
> $IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 pop-3 -j ACCEPT
> $IPCHAINS -A input -p udp -s 192.168.1.0/24 -d 192.168.1.5 -j ACCEPT
> # enable transparent proxy
> /sbin/ipchains -A input -p tcp -d 127.0.0.1/24 www -j ACCEPT
> /sbin/ipchains -A input -p tcp -d 192.168.1.5/24 www -j ACCEPT
> /sbin/ipchains -A input -p tcp -d 0/0 www -j REDIRECT 8080
>
> # --------------------Block the sites for local users.
>
> #Block xdrive
> $IPCHAINS -A output -d 208.48.218.0/24 -j REJECT
> $IPCHAINS -A input -d 208.48.218.0/24 -j REJECT
>
> echo -n ".."
>
> echo "Done!"
>
> # ----------------------------------Set telnet, www and FTP for minimum
> delay -
> # This section manipulates the Type Of Service (TOS) bits of the
> # packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
> # in your kernel
>
> echo -n "TOS flags.."
>
> #$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
> echo -n "..."
>
> # Set ftp-data for maximum throughput
> $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
> echo -n "."
>
> echo "Done!"
>
> # ---------------------------------------------------------- Trusted
> Networks -
> # Add in any rules to specifically allow connections from hosts/nets
> that
> # would otherwise be blocked.
>
> # echo -n "Trusted Networks.."
>
> # $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j
> ACCEPT
> # echo -n "."
>
> # echo "Done!"
>
> # ----------------------------------------------------------- Banned
> Networks -
> # Add in any rules to specifically block connections from hosts/nets
> that
> # have been known to cause you problems. These packets are logged.
>
> # echo -n "Banned Networks.."
>
> # This one is generic
> # $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j
> DENY
> # echo -n "."
>
> # This one blocks ICMP attacks
> # $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d
> $LOCALNET -j DENY
> # echo -n "."
>
> # echo "Done!"
>
> # ------------------------------------------------------ @home-specific
> rules -
> # This @home stuff is pretty specific to me (terminus).  I get massive
> port
> # scans from my neighbors and from pokey admins at @home, so I just got
> harsh
> # and blocked all their stuff, with a few exceptions, listed below.
> #
> # If someone out there finds out the ip ranges of JUST tci@home, let me
> know
> # so i don't end up blocking ALL cablemodems like it's doing now.
>
> echo -n "Cable Modem Nets.."
>
> # so we can check mail, use the proxy server, hit @home's webpage.
> # you will want to set these to your local servers, and uncomment them
>
> # $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET
> 1023:65535 -j ACCEPT
> # $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET
> 1023:65535 -j ACCEPT
> # $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET
> 1023:65355 -j ACCEPT
> # $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET
> 1023:65535  -j ACCEPT
> # echo -n "...."
>
> # so we can resolve the above hostnames, allow dns queries back to us
> # $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j
> ACCEPT
> # $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j
> ACCEPT
> # $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j
> ACCEPT
> # $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j
> ACCEPT
> # echo -n ".."
>
> # linux ipchains building script page (I think)
> # $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j
> ACCEPT
> # echo -n "."
>
> # Non-@home users may want to leave this uncommented, just to block all
> # the wannabe crackers. Add any @home hosts you want to allow BEFORE
> this line.
>
> # Blast all other @home connections into infinity and log them.
> $IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
> echo -n "."
>
> echo "Done!"
>
> # ---------------------------- Specific port blocks on the external
> interface -
> # This section blocks off ports/services to the outside that have
> # vulnerabilities. This will not affect the ability to use these
> services
> # within your network.
>
> echo -n "Port Blocks.."
>
> # NetBEUI/Samba
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
> echo -n "."
>
> # Microsoft SQL
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
> echo -n "."
>
> # Postgres SQL
>
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
> echo -n "."
>
> # Network File System
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY
> echo -n "."
>
> # X Displays :0-:2-
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
> echo -n "."
>
> # X Font Server :0-:2-
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
> echo -n "."
>
> # Back Orifice (logged)
> $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
> $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
> echo -n "."
>
> # NetBus (logged)
> $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j
> DENY
> $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j
> DENY
> echo -n "."
>
> echo "Done!"
>
> # --------------------------------------------------- High Unprivileged
> ports -
> # These are opened up to allow sockets created by connections allowed by
>
> # ipchains
>
> echo -n "High Ports.."
>
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j
> ACCEPT
> $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j
> ACCEPT
> echo -n "."
>
> echo "Done!"
>
> # ------------------------------------------------------------ Basic
> Services -
>
> echo -n "Services.."
>
> # ftp-data (20) and ftp (21)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
> # echo -n ".."
>
> # ssh (22)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
> # echo -n "."
>
> # telnet (23)
>  #$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
>  #echo -n "."
>
> # smtp (25)
>  $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
>  echo -n "."
>
> # DNS (53)
> #$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
> #$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
> #echo -n ".."
>
> # DHCP on LAN side (to make @Home DHCP work) (67/68)
> # $IPCHAINS -A input -i $INTERNALIF -p udp -s $REMOTENET -d
> 255.255.255.255/24 67 -j ACCEPT
> # $IPCHAINS -A output -i $INTERNALIF -p udp -s $REMOTENET -d
> 255.255.255.255/24 68 -j ACCEPT
> # echo -n ".."
>
> # http (80)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
> # echo -n "."
>
> # webmin (10001)
>  #$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 10001 -j ACCEPT
>  #echo -n "."
>
> # POP-3 (110)
>  $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
>  echo -n "."
>
> # identd (113)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
> # echo -n "."
>
> # nntp (119)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
> # echo -n "."
>
> # https (443)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
> # echo -n "."
>
> # ICQ Services (it's a server service) (4000)
> # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
> # echo -n "."
>
> echo "Done!"
>
> # ----------------------------------------------------------------------
> ICMP -
>
> echo -n "ICMP Rules.."
>
> # Use this to deny ICMP attacks from specific addresses
> # $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j
> DENY
> # echo -n "."
>
> # Allow incoming ICMP
> $IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
> $IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
> echo -n ".."
>
> # Allow outgoing ICMP
> $IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
> $IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
> $IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
> $IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
> echo -n "...."
>
> echo "Done!"
>
> #-------------------------------------------------------- setdefault
> policy -
> $IPCHAINS -A input -j DENY
> $IPCHAINS -A output -j ACCEPT
>
> echo ""
> echo "Finished Establishing Firewall."
>
> The mailing list archives are available at
> http://lists.linux-india.org/cgi-bin/wilma/linux-delhi/


The mailing list archives are available at 
http://lists.linux-india.org/cgi-bin/wilma/linux-delhi/

Reply via email to