Hi,
i have 2 server. Server1 is acting as a squid proxy and firewall
server. The server 2 is handing emails and it's default gateway is
server1. I want server2 to use the gateway of server 1 and send /get
mails through server1.
Now what ipchains rule should i make to forward all request( DNS, smtp
and pop3 ) to forward to internet. I am attaching my ipchains rules
files. Please help!!!!!!!!!!!!
Thank you
kapil
--
Kapil Sharma
Senior System Administrator
DSF Internet Services
Email: [EMAIL PROTECTED]
[EMAIL PROTECTED]
Web : http://www.dsfinternet.com
#!/bin/sh
#
# IPCHAINS-FIREWALL V1.6-MASQUERADE
# Local Interface developed by kapil sharma
# This is the interface that is your link to the world
LOCALIF="ppp0"
# Internal Interface
# This is the interface for your local network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0
INTERNALNET="192.168.1.0/24"
# ------------------------------------------------------- Variable
definition -
#
# Set the location of ipchains.
IPCHAINS="/sbin/ipchains"
# You shouldn't need to change anything in the rest of this section
LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"
echo "Internal: $INTERNALNET"
echo "External: $LOCALNET"
REMOTENET="0/0"
# -------------------------------------- Flush everything, start from
scratch -
echo -n "Flushing rulesets.."
# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."
# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."
# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."
echo "Done!"
# ---------------------------------- Allow all connections within the
network -
echo -n "Internal.."
$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."
echo "Done!"
# -------------------------------------------------- Allow loopback
interface -
echo -n "Loopback.."
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."
echo "Done!"
# --------------------------------------------------------------
Masquerading -
echo -n "Masquerading.."
# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."
# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "."
# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."
# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY
echo -n "."
# --------------------- Allow all connections from the network to the
outside -
#$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
#$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
#Allow telnet connection from the internal network to remote network
$IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 telnet -j ACCEPT
$IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 ftp -j ACCEPT
$IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 smtp -j ACCEPT
$IPCHAINS -A input -p tcp -s $INTERNALNET -d 0/0 pop-3 -j ACCEPT
$IPCHAINS -A input -p udp -s 192.168.1.0/24 -d 192.168.1.5 -j ACCEPT
# enable transparent proxy
/sbin/ipchains -A input -p tcp -d 127.0.0.1/24 www -j ACCEPT
/sbin/ipchains -A input -p tcp -d 192.168.1.5/24 www -j ACCEPT
/sbin/ipchains -A input -p tcp -d 0/0 www -j REDIRECT 8080
# --------------------Block the sites for local users.
#Block xdrive
$IPCHAINS -A output -d 208.48.218.0/24 -j REJECT
$IPCHAINS -A input -d 208.48.218.0/24 -j REJECT
echo -n ".."
echo "Done!"
# ----------------------------------Set telnet, www and FTP for minimum
delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "TOS flags.."
#$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
echo -n "..."
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
echo -n "."
echo "Done!"
# ---------------------------------------------------------- Trusted
Networks -
# Add in any rules to specifically allow connections from hosts/nets
that
# would otherwise be blocked.
# echo -n "Trusted Networks.."
# $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j
ACCEPT
# echo -n "."
# echo "Done!"
# ----------------------------------------------------------- Banned
Networks -
# Add in any rules to specifically block connections from hosts/nets
that
# have been known to cause you problems. These packets are logged.
# echo -n "Banned Networks.."
# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j
DENY
# echo -n "."
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d
$LOCALNET -j DENY
# echo -n "."
# echo "Done!"
# ------------------------------------------------------ @home-specific
rules -
# This @home stuff is pretty specific to me (terminus). I get massive
port
# scans from my neighbors and from pokey admins at @home, so I just got
harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
# If someone out there finds out the ip ranges of JUST tci@home, let me
know
# so i don't end up blocking ALL cablemodems like it's doing now.
echo -n "Cable Modem Nets.."
# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them
# $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET
1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET
1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET
1023:65355 -j ACCEPT
# $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET
1023:65535 -j ACCEPT
# echo -n "...."
# so we can resolve the above hostnames, allow dns queries back to us
# $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j
ACCEPT
# $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j
ACCEPT
# $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j
ACCEPT
# $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j
ACCEPT
# echo -n ".."
# linux ipchains building script page (I think)
# $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j
ACCEPT
# echo -n "."
# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE
this line.
# Blast all other @home connections into infinity and log them.
$IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
echo -n "."
echo "Done!"
# ---------------------------- Specific port blocks on the external
interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these
services
# within your network.
echo -n "Port Blocks.."
# NetBEUI/Samba
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
echo -n "."
# Microsoft SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
echo -n "."
# Postgres SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
echo -n "."
# Network File System
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY
echo -n "."
# X Displays :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
echo -n "."
# X Font Server :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
echo -n "."
# Back Orifice (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
echo -n "."
# NetBus (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j
DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j
DENY
echo -n "."
echo "Done!"
# --------------------------------------------------- High Unprivileged
ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains
echo -n "High Ports.."
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j
ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j
ACCEPT
echo -n "."
echo "Done!"
# ------------------------------------------------------------ Basic
Services -
echo -n "Services.."
# ftp-data (20) and ftp (21)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
# echo -n ".."
# ssh (22)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
# echo -n "."
# telnet (23)
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
#echo -n "."
# smtp (25)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
echo -n "."
# DNS (53)
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
#echo -n ".."
# DHCP on LAN side (to make @Home DHCP work) (67/68)
# $IPCHAINS -A input -i $INTERNALIF -p udp -s $REMOTENET -d
255.255.255.255/24 67 -j ACCEPT
# $IPCHAINS -A output -i $INTERNALIF -p udp -s $REMOTENET -d
255.255.255.255/24 68 -j ACCEPT
# echo -n ".."
# http (80)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# echo -n "."
# webmin (10001)
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 10001 -j ACCEPT
#echo -n "."
# POP-3 (110)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
echo -n "."
# identd (113)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
# echo -n "."
# nntp (119)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
# echo -n "."
# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."
# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."
echo "Done!"
# ----------------------------------------------------------------------
ICMP -
echo -n "ICMP Rules.."
# Use this to deny ICMP attacks from specific addresses
# $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j
DENY
# echo -n "."
# Allow incoming ICMP
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."
# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n "...."
echo "Done!"
#-------------------------------------------------------- setdefault
policy -
$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT
echo ""
echo "Finished Establishing Firewall."
The mailing list archives are available at
http://lists.linux-india.org/cgi-bin/wilma/linux-delhi/
