Hi,

% *** MISSON Didier wrote: ***
% 
% Firewall/MASQ with H.323 support works well here: outbound calls and
% inbound calls. A bit more detail:
% 
%  - outbound call: 2 (or more) hosts on the same LAN can "invite"
%    different outside correspondents simultaneously.
%  
%  - inbound call: an outside correspondent can "invite" only a
%    SINGLE host on the LAN via port forwarding.
%    I am going to try installing an H.323 proxy to handle multiple
%    inbound calls for several hosts on the LAN.
% 
% 
% Didier> very interesting.
% Can you tell us more about this firewall?
% What is it? A Linux PC? A specific distro?
% And is it based on kernel 2.4 and iptables?
% 

It's a Linux PC (Pentium 100 MHz, 16 MB of RAM) based on GNU/Linux Debian Woody
with a 2.4.18 kernel and iptables v1.2.6a.

On a somewhat more powerful machine, I used a clean 2.4.18 kernel source and
then downloaded the Newnat patches (the one I use is Newnat-13) via cvs from
the netfilter.samba.org server:

  http://netfilter.samba.org/downloads.html#cvs

Then patch the kernel source with netfilter-cvs.
One remark here: don't include the patches that require recompiling the
iptables binary (for example tftp: not a very friendly patch). Thanks to
Benoît Joseph, who helped me debug iptables with the nat_h323*.o modules.


and build the kernel the Debian way (or with the normal method, but be
careful not to erase the old modules after a "make modules_install"):
  
   make menuconfig 
   make-kpkg --revision=h323.01 kernel-image

After a successful build (yes, I failed several times) I transfer the
kernel-image-h323.01*.deb package to the small Linux firewall PC,
install it and then apply the firewall rules for iptables.

You can find the small script (attached to this email) containing the
simple rules for a home LAN.

A few remarks:

  - the module loading order matters!

  - the nat helper recognises an H.323 communication and dynamically opens
    the dynamic UDP ports (only for the Netmeeting client; for Gnomemeeting
    it's fairly clean with UDP/5000-5001), and once the session is over the
    helper closes those dynamic ports. So there is no need to keep the
    unprivileged ports (UDP/1024 --> 65535) open permanently.

% For now I have CoyoteLinux with a 2.2 kernel.
% There is an H323 module, but I don't think it does all of that...

Yes, there is an h323 patch for kernel 2.2.16 or later, but you need to
use ipchains and ipmasqadm. A bit long-winded for the firewall rules with
those two tools, for me.


Kind regards,

-- 
---------------------------
  Truong <[EMAIL PROTECTED]>  
---------------------------

#!/bin/sh

# Firewall setup.
#
# Setting up iptables
#

# ----------------------
# check if needed iptables modules are loaded
  /sbin/modprobe ipt_MARK
  /sbin/modprobe ipt_TOS
  /sbin/modprobe ipt_LOG
  /sbin/modprobe ip_conntrack
  /sbin/modprobe ip_conntrack_ftp
  
  /sbin/modprobe ip_conntrack_h323
  /sbin/modprobe ip_conntrack_talk
  /sbin/modprobe ip_conntrack_irc
  
  /sbin/modprobe iptable_mangle
  /sbin/modprobe ip_nat_ftp
  
  /sbin/modprobe ip_nat_h323
  /sbin/modprobe ip_nat_talk
  /sbin/modprobe ip_nat_irc
  
  /sbin/modprobe ipt_MIRROR
  /sbin/modprobe ipt_REDIRECT
  /sbin/modprobe ipt_TCPMSS
  /sbin/modprobe ipt_length
  /sbin/modprobe ipt_limit
  /sbin/modprobe ipt_mac
  /sbin/modprobe ipt_mark
  /sbin/modprobe ipt_owner
  /sbin/modprobe ipt_tcpmss
  /sbin/modprobe ipt_tos
  /sbin/modprobe ipt_ttl
  
  /sbin/modprobe ip_tables
  /sbin/modprobe ip_queue
  /sbin/modprobe iptable_filter
  /sbin/modprobe iptable_nat
  /sbin/modprobe ipt_helper
  /sbin/modprobe ipt_MASQUERADE
  /sbin/modprobe ipt_multiport
  /sbin/modprobe ipt_REJECT
  /sbin/modprobe ipt_state
  /sbin/modprobe ipt_unclean
  
# ----------------------

# eth0 default device.
#
# OUTSIDE_DEV=eth0
# OUTSIDE_IP=
# OUTSIDE_NETMASK=
# OUTSIDE_NETWORK=
# OUTSIDE_BROADCAST=
# OUTSIDE_GATEWAY=

# I need to get my current IP address 
   OUTSIDE_DEV=eth0

# if OUTSIDE_IP is not static
   OUTSIDE_IP="" 

# get OUTSIDE_IP if it's given by dhcp 
 if [ ${OUTSIDE_IP}x = "x" ]; then
   OUTSIDE_IP=`/sbin/ifconfig $OUTSIDE_DEV | grep 'inet addr:' | \
      awk '{print $2}' | sed -e 's/addr://'`
 fi  

# be careful here: 'Mask' in English, and 'Masque' in French 
# OUTSIDE_NETMASK=130.104.21.128
   OUTSIDE_NETMASK=`/sbin/ifconfig $OUTSIDE_DEV | grep 'Mask:' | \
      awk '{print $4}' | sed -e 's/Mask://'`
   
# OUTSIDE_NETWORK=130.104.21.0
   OUTSIDE_NETWORK=`echo $OUTSIDE_IP | /bin/sed  -e 's/\.[0-9]*$/.0/'`

# find my BROADCAST address (X.X.X.127 for this /25; adjust for another netmask).
   OUTSIDE_BROADCAST=`echo $OUTSIDE_IP | /bin/sed  -e 's/\.[0-9]*$/.127/'`

# gateway on OUTSIDE_DEV : need to use 'route -n'
   OUTSIDE_GATEWAY=130.104.21.1


# 
# Your inside network, 192.168.1.* here: these are addresses reserved
# for internal networks according to RFC 1918.
#
# eth1 is the default device for the internal network.
#
INSIDE_IP=192.168.1.3
INSIDE_DEV=eth1
INSIDE_NETWORK=192.168.1.0
INSIDE_NETMASK=255.255.255.0
INSIDE_BROADCAST=192.168.1.255

#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
# Remember: INSIDE_IP=192.168.1.3 is on this floppyfw-host
#
SERVER_FTP_IP=192.168.1.10
SERVER_SSH_IP=192.168.1.10
SERVER_WEB_IP=192.168.1.10
SERVER_WEB_SSL_IP=192.168.1.10

# NM = Netmeeting 3.0 on Windows
# CLIENT_H323_IP=192.168.1.30

# SERVER_FONE_IP=192.168.1.20

#
# Stopping forwarding (this script may be run during normal uptime, e.g.
# for a DHCP re-lease or demand dialing / PPPoE).
#
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
echo "Starting firewall with the following config:"
echo
echo "                Inside                     Outside"
echo "   Network:  ${INSIDE_NETWORK}            ${OUTSIDE_NETWORK}"
echo "    Device:  ${INSIDE_DEV}                        ${OUTSIDE_DEV}"
echo "IP Address:  ${INSIDE_IP}         ${OUTSIDE_IP}"
echo "   Netmask:  ${INSIDE_NETMASK}            ${OUTSIDE_NETMASK}"
echo " Broadcast:  ${INSIDE_BROADCAST}          ${OUTSIDE_BROADCAST}"
echo "   Gateway:  [None Set]                   ${OUTSIDE_GATEWAY}"
echo

#
# Flushing the chains.
#

iptables -F
iptables -t nat -F
iptables -X
iptables -Z   # zero all counters


#
# Policy for chains DROP everything
#

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


#
# Do not allow private network (according by IANA) on $OUTSIDE_DEV (eth0)
#


iptables -t nat -A PREROUTING -i $OUTSIDE_DEV  -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $OUTSIDE_DEV  -s 10.0.0.0/8     -j DROP
iptables -t nat -A PREROUTING -i $OUTSIDE_DEV  -s 172.16.0.0/12  -j DROP
iptables -t nat -A PREROUTING -i $OUTSIDE_DEV  -s 224.0.0.0/4    -j DROP
iptables -t nat -A PREROUTING -i $OUTSIDE_DEV  -s 240.0.0.0/5    -j DROP
iptables -t nat -A PREROUTING -i $OUTSIDE_DEV  -d 127.0.0.0/8    -j DROP

#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -o  ${OUTSIDE_DEV} -j MASQUERADE

#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
#

##########################################
### FTP (21) --> ${SERVER_FTP_IP}:21 ###
##########################################

# iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_FTP_IP}:21

#iptables -A FORWARD -p tcp -d ${SERVER_FTP_IP} --dport 21 -o ${INSIDE_DEV} -j ACCEPT


##########################################
### SSH (22) --> ${SERVER_SSH_IP}:22 ###
##########################################
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_SSH_IP}:22

iptables -A FORWARD -p tcp -d ${SERVER_SSH_IP} --dport 22 -o ${INSIDE_DEV} -j ACCEPT


################
### WEB (80) ###
################
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_WEB_IP}:80

#iptables -A FORWARD -p tcp -d ${SERVER_WEB_IP} --dport 80 -o ${INSIDE_DEV} -j ACCEPT


##########################
### Speakfreely (2074) ###
##########################
# iptables -A PREROUTING -t nat -p udp -d ${OUTSIDE_IP} --dport 2074 -j DNAT --to ${SERVER_FONE_IP}:2074

# iptables -A FORWARD -p udp -d ${SERVER_FONE_IP} --dport 2074 -o ${INSIDE_DEV} -j ACCEPT


################################################
### H.323 : GnomeMeeting or Netmeeting :     ###
################################################
#
# Information from http://www.soti.org/~soggie/linux/gm/
#
# protocol  dport     description                  strategy
# 
#   TCP      389       ILS (LDAP)            outbound: TCP Masquerading
#                                            inbound: N/A
# 
#   TCP      522     UserLocalServer          Deprecated in favour of ILS
#  
#   TCP     1503         T.120                Not supported or used by GM
#   
#   TCP     1720         H.323                outbound: TCP MASQ
#                    (H.225 call setup)       inbound: redirect to port 1720 
#                    (H.245 call control)     of the internal GM client
#                                           
# 
#   TCP     1731     MS audio call control     Not supported or used by GM
# 
#   TCP   1024:65536 H.245 call control        Use a H.323 NAT helper 
#   
#   UDP   1024:65536 H.225 RTCP/RTP streaming  Use a H.323 NAT helper 
#
###################

echo " "
echo " About NAT/MASQ for H323 "
echo " "

CLIENT_H323_IP=192.168.1.30
# CLIENT_H323_IP=192.168.1.20

### just for a test ###
### accept outbound for Internet_Locator_Server/LDAP (TCP/389)
#iptables -A FORWARD -p tcp -d ${CLIENT_H323_IP} --dport 389 -o ${INSIDE_DEV} -j ACCEPT

### accept outbound for H.323 protocol (TCP/1720)
#iptables -A FORWARD -p tcp -d ${CLIENT_H323_IP} --dport 1720 -o ${INSIDE_DEV} -j ACCEPT

### end of just for a test ###

# GM_PORTS="5000:5001"               # GNOME_MEETING_PORTS
# HIGH_PORTS="1024:65535"              # Netmeeting dynamique ports

# ---- TCP Port ----

TCP_PORTS="389 522 1503 1720 1731"

for PORT in $TCP_PORTS ; do

   iptables -t nat -A PREROUTING -p tcp -i ${OUTSIDE_DEV} -d ${OUTSIDE_IP} \
        --dport $PORT -j DNAT --to ${CLIENT_H323_IP}:$PORT

   iptables -A FORWARD -p tcp -d ${CLIENT_H323_IP} \
       --dport $PORT -o ${INSIDE_DEV} -j ACCEPT
done


#echo " "

# ---- UDP Port ----

iptables -t nat -A PREROUTING -p udp -d ${OUTSIDE_IP} --dport 631 \
         -j DNAT --to ${CLIENT_H323_IP}:631


#echo " About UDP HIGH_PORTS but no need "
#iptables -t nat -A PREROUTING -p udp -d ${OUTSIDE_IP} --dport $HIGH_PORTS \
#         -j DNAT --to ${CLIENT_H323_IP}:1024:65535

        
echo " "

### END H.323 ###

#
# Keep state.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEV} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEV} -j DROP

#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# We don't like the NetBIOS and Samba leaking..
#
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEV} --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEV} --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEV} --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEV} --dport 445 -j DROP

#
# We would like to ask for names (DNS) from our floppyfw box
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT  -p icmp -j ACCEPT 

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEV} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEV} -j ACCEPT

#
# If the user wants to have the fake identd running, the identd has to
# be able to answer.
#
if [ -n "${FAKEIDENT}" ]
then
  iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEV} -j ACCEPT
fi

#
# And, some attempt to get interactive sessions a bit more interactive
# under load:
#
iptables -A PREROUTING -t mangle -p tcp --sport ssh  -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput


#
# Finally, list what we have
#
iptables -L

# If broken DNS:
#iptables -L -n

#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# Rules set, we can enable forwarding in the kernel.
#
echo " "

echo "Enabling IP forwarding."

echo " "
echo "1" > /proc/sys/net/ipv4/ip_forward

### EOF ###
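As an added example (not part of Truong's mail or the attached script), here is the network/broadcast derivation that the script does with a sed substitution of the last octet, redone in POSIX sh arithmetic so it holds for any netmask, plus a check for the RFC 1918 ranges the script drops on the outside interface; the function names and sample addresses are my own.

```shell
#!/bin/sh
# Added example: compute network and broadcast addresses from an IP and a
# netmask in plain POSIX sh, instead of rewriting the last octet to ".0" /
# ".127", which is only right for one particular /25. Also tests whether an
# address falls in an RFC 1918 block (the ranges the firewall script drops
# when they arrive on OUTSIDE_DEV).

ip_to_int() {
    # dotted quad -> unsigned 32-bit integer (sh arithmetic is 64-bit wide)
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # unsigned 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

net_addr() {
    # usage: net_addr IP NETMASK   -> network address
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

bcast_addr() {
    # usage: bcast_addr IP NETMASK -> directed broadcast address
    # (~mask is masked back to 32 bits because the arithmetic is wider)
    int_to_ip $(( ( $(ip_to_int "$1") & $(ip_to_int "$2") ) | ( ~$(ip_to_int "$2") & 4294967295 ) ))
}

in_net() {
    # usage: in_net IP NETWORK NETMASK ; true when IP lies inside NETWORK/NETMASK
    [ "$(net_addr "$1" "$3")" = "$(net_addr "$2" "$3")" ]
}

is_rfc1918() {
    # true for 10/8, 172.16/12 and 192.168/16
    in_net "$1" 10.0.0.0 255.0.0.0 || in_net "$1" 172.16.0.0 255.240.0.0 \
        || in_net "$1" 192.168.0.0 255.255.0.0
}

# Constructed sample: the script's outside net as a /25 (netmask
# 255.255.255.128). An address in the upper half has a different network
# and broadcast than the ".0" / ".127" substitution would give.
echo "network:   $(net_addr 130.104.21.200 255.255.255.128)"
echo "broadcast: $(bcast_addr 130.104.21.200 255.255.255.128)"
```

Sourcing the file into the firewall script would let `OUTSIDE_NETWORK` and `OUTSIDE_BROADCAST` be derived from `OUTSIDE_IP` and `OUTSIDE_NETMASK` directly.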
