> I'm starting to fiddle with ipchains. I'm masquarading > router --- [x.x.199.193]FIREWALL[10.1.1.1] --- private network > A few things aren't working. For example, I can't ftp out of the private > clients. The connection is made but the server complains about port > numbers. I guess there's something screwy in the masquerading setup. > Telnet and browsing work fine. Http downloads work fine. insmod ip_masq_ftp also might be "(maxwell) smart" to load other modules. ------ ip_masq_irc 1232 0 (unused) ip_masq_user 2276 0 (unused) ip_masq_cuseeme 776 0 (unused) ip_masq_quake 1008 0 (unused) ip_masq_raudio 2624 0 ip_masq_vdolive 1000 0 (unused) ------ > I've got > ipchains -A forward -j MASQ > added, but just that for now. I have attached script "masquerade" to this mail and it is imo very well documented script that creates some nice rules for ipchains. I use something bit like that myself also. > In addition, I'd like to have internal web/ftp/ssh servers. How can I > forward requests to x.x.199.194 on a given port, say 23, to go to > 10.1.1.Y:23? load modules ip_masq_portfw 2140 0 (unused) ip_masq_autofw 2128 0 (unused) ip_masq_mfw 2792 9 get program named 'ipmasqadm' (version 0.4.2 or more recent) and read the manuals!!! (man ipmasqadm) with following script one forwards all connections from host $* to internal host 10.0.0.10. You'd probably want to rather use ip_masq_portfw or something. -- #!/bin/sh /sbin/ipchains -I forward -d $*/32 -s 10.0.0.10/32 -j MASQ /sbin/ipchains -I input -s $*/32 -m3 /usr/sbin/ipmasqadm mfw -I -m 3 -r 10.0.0.10 -- this is what I use to play games from win machine behind firewall. I'm sure there is more beautiful solution (tm) for this but since this has worked I havent (yet) bothered to find out. -- #fubar echo [EMAIL PROTECTED] | tr acefhiklnptu utpnlkihfeca
#!/bin/sh # # IPCHAINS-FIREWALL V1.6-MASQUERADE # # ----------------------------------------- Ipchains Firewall and MASQ Script - # # Original script by Ian Hall-Beyer ([EMAIL PROTECTED]) # # Contributors: # terminus ([EMAIL PROTECTED]) (ICQ & DHCP, @home testing) # ---------------------------------------------------------------- Interfaces - # Local Interface # This is the interface that is your link to the world LOCALIF="eth0" # Internal Interface # This is the interface for your local network # NOTE: INTERNALNET is a *network* address. All host bits should be 0 INTERNALNET="10.0.0.0/8" # ------------------------------------------------------- Variable definition - # # Set the location of ipchains. IPCHAINS="/sbin/ipchains" # You shouldn't need to change anything in the rest of this section LOCALIP=`/sbin/ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1` LOCALMASK=`/sbin/ifconfig $LOCALIF | grep Mask | cut -d : -f 4` LOCALNET="$LOCALIP/$LOCALMASK" echo "Internal: $INTERNALNET" echo "External: $LOCALNET" REMOTENET="0/0" # -------------------------------------- Flush everything, start from scratch - echo -n "Flushing rulesets.." # Incoming packets from the outside network $IPCHAINS -F input echo -n "." # Outgoing packets from the internal network $IPCHAINS -F output echo -n "." # Forwarding/masquerading $IPCHAINS -F forward echo -n "." echo "Done!" # ---------------------------------- Allow all connections within the network - echo -n "Internal.." #$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT #$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT echo -n ".." echo "Done!" # -------------------------------------------------- Allow loopback interface - echo -n "Loopback.." $IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT $IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT echo -n ".." echo "Done!" # -------------------------------------------------------------- Masquerading - echo -n "Masquerading.." # don't masquerade internal-internal traffic $IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT echo -n "." # don't Masquerade external interface direct $IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT echo -n "." #$IPCHAINS -A forward -s 130.233.26.60 -d 10.0.0.10 -j MASQ # masquerade all internal IP's going outside $IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ echo -n "." # set Default rule on MASQ chain to Deny #$IPCHAINS -P forward DENY $IPCHAINS -P forward ACCEPT echo -n "." # --------------------- Allow all connections from the network to the outside - $IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT $IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT echo -n ".." echo "Done!" # ----------------------------------Set telnet, www and FTP for minimum delay - # This section manipulates the Type Of Service (TOS) bits of the # packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled # in your kernel echo -n "TOS flags.." $IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10 $IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10 $IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10 echo -n "..." # Set ftp-data for maximum throughput $IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08 echo -n "." echo "Done!" # ---------------------------------------------------------- Trusted Networks - # Add in any rules to specifically allow connections from hosts/nets that # would otherwise be blocked. # echo -n "Trusted Networks.." # $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j ACCEPT # echo -n "." # echo "Done!" # ----------------------------------------------------------- Banned Networks - # Add in any rules to specifically block connections from hosts/nets that # have been known to cause you problems. These packets are logged. # echo -n "Banned Networks.." # This one is generic # $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j DENY # echo -n "." # This one blocks ICMP attacks # $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY # echo -n "." # echo "Done!" # ------------------------------------------------------ @home-specific rules - # This @home stuff is pretty specific to me (terminus). I get massive port # scans from my neighbors and from pokey admins at @home, so I just got harsh # and blocked all their stuff, with a few exceptions, listed below. # # If someone out there finds out the ip ranges of JUST tci@home, let me know # so i don't end up blocking ALL cablemodems like it's doing now. echo -n "Cable Modem Nets.." # so we can check mail, use the proxy server, hit @home's webpage. # you will want to set these to your local servers, and uncomment them # $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65355 -j ACCEPT # $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT # echo -n "...." # so we can resolve the above hostnames, allow dns queries back to us # $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT # $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT # echo -n ".." # linux ipchains building script page (I think) # $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j ACCEPT # echo -n "." # Non-@home users may want to leave this uncommented, just to block all # the wannabe crackers. Add any @home hosts you want to allow BEFORE this line. # Blast all other @home connections into infinity and log them. $IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY echo -n "." echo "Done!" # ---------------------------- Specific port blocks on the external interface - # This section blocks off ports/services to the outside that have # vulnerabilities. This will not affect the ability to use these services # within your network. echo -n "Port Blocks.." # NetBEUI/Samba #$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY #$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY #echo -n "." # Microsoft SQL $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY echo -n "." # Postgres SQL $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY echo -n "." # Network File System $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY echo -n "." # X Displays :0-:2- $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY echo -n "." # X Font Server :0-:2- $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY echo -n "." # Back Orifice (logged) $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY echo -n "." # NetBus (logged) $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY echo -n "." echo "Done!" # --------------------------------------------------- High Unprivileged ports - # These are opened up to allow sockets created by connections allowed by # ipchains echo -n "High Ports.." $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT echo -n "." echo "Done!" # ------------------------------------------------------------ Basic Services - echo -n "Services.." # ftp-data (20) and ftp (21) # these will enable ftp connection to mindless from outside $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT echo -n ".." # ssh (22) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT echo -n "." # telnet (23) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT # echo -n "." # smtp (25) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT # echo -n "." # DNS (53) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT echo -n ".." # DHCP on LAN side (to make @Home DHCP work) (67/68) # $IPCHAINS -A input -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 67 -j ACCEPT # $IPCHAINS -A output -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 68 -j ACCEPT # echo -n ".." # http (80) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT echo -n "." # POP-3 (110) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT # echo -n "." # identd (113) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT # echo -n "." # nntp (119) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT # echo -n "." # ntp (123) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 123 -j ACCEPT $IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 123 -j ACCEPT echo -n ".." # https (443) $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT echo -n "." # ICQ Services (it's a server service) (4000) # $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT # echo -n "." echo "Done!" # ---------------------------------------------------------------------- ICMP - echo -n "ICMP Rules.." # Use this to deny ICMP attacks from specific addresses # $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DENY # echo -n "." # Allow incoming ICMP $IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT $IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT echo -n ".." # Allow outgoing ICMP $IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT $IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT $IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT $IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT echo -n "...." echo "Done!" # -------------------------------------------------------- set default policy - $IPCHAINS -A input -j DENY $IPCHAINS -A output -j ACCEPT echo "" echo "Finished Establishing Firewall."
