[Masq] Lotus Notes Problem

Cristian A. Tarazona N. Fri, 28 Jul 2000 12:30:15 -0700
/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Hi


I am traing to filter a Lotus Notes server using "ipchains" and
"ipmasqadm portfw" and at the end of this message is my configuration
file, the NAT for port 80 www works but the  NAT for the lotus notes
server in port 1352 does not work
i don4t understand why?

I did wath Michael Waisberg said in TMS services

" Added the following line to inetd.conf: 1352 stream tcp nowait root
/usr/sbin/tcpd redir --inetd --syslog --name notes www.xxx.yyy.zzz 1352"

please help me

thanks

Cris

#
# Grabbing the config.
#
. /etc/config

#
----------------------------------------------------------------------------

#  /etc/rc.d/rc.firewall
#  Invoked from /etc/rc.d/rc.local.

echo "Starting firewalling... "

#
----------------------------------------------------------------------------

#Permanent Variables that don't need changed.

 ANYWHERE="any/0"
 EXTERNAL_INTERFACE="eth0"
 LOCAL_INTERFACE_1="eth1"
 LOOPBACK_INTERFACE="lo"
 LOOPBACK="127.0.0.0/8"
 NAT_IP="200.15.238.39"              # NAT IP address
 OUTSIDE_IP="200.15.238.39"  # External interface used for NAT to lotus
 NOTES_SERVER=192.255.255.240  # Internel  Lotus Notes server
 LOCALNET_1="192.255.255.0/24"       # Internal Network
 CLASS_A="10.0.0.0/8"
 CLASS_B="172.16.0.0/12"
 CLASS_C="192.168.0.0/16"
 MULTICAST="240.0.0.0/3"
 BROADCAST_0="0.0.0.0"
 BROADCAST_1="255.255.255.255"
 PRIVPORTS="0:1023"
 UNPRIVPORTS="1024:65535"
 RESTRICTED_PORTS="2049"    # (TCP/UDP) NFS
 RESTRICTED_OPENWINDOWS="2000"   # (TCP) openwindows
 RESTRICTED_XWINDOWS="6000:6001"  # (TCP) X windows
 SSH_PORTS="1022:1023"    # range for SSH privileged ports


echo "Starting firewalling... "

# Remove all existing rules belonging to this filter

 ipchains -F

# Set the default policy of the filter to deny.

 ipchains -P input  DENY
 ipchains -P output ACCEPT
 ipchains -P forward DENY

#Crear nuevas cadenas

 ipchains -N icmp-acc
 ipchains -N spoofing
#
----------------------------------------------------------------------------

    # Enable IP Forwarding, if it isn't already
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Enable always defragging Protection
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

    # Enable broadcast echo  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done


    # These modules are necessary to masquerade their respective
services.
    /sbin/modprobe ip_masq_ftp
 insmod ip_masq_irc
 insmod ip_masq_raudio
 insmod ip_masq_portfw




# ICMP

 ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j
ACCEPT
 ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
 ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
 ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT


#
----------------------------------------------------------------------------

# Disallow certain outgoing traffic to protect yourself from mistakes.

 # openwindows: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
 -s $OUTSIDE_IP -d $ANYWHERE $RESTRICTED_OPENWINDOWS -j
REJECT

 # Xwindows: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
 -s $OUTSIDE_IP -d $ANYWHERE $RESTRICTED_XWINDOWS -j REJECT

 # SOCKS: establishing a connection
 ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
 -s $OUTSIDE_IP -d $ANYWHERE 1080 -j REJECT

#
----------------------------------------------------------------------------

# LOOPBACK

 # Unlimited traffic on the loopback interface.
 ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT

# Avoid ports subject to protocol & system administration problems.

 # Deny access to the NFS, openwindows and X windows unpriveleged ports
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
 -d $OUTSIDE_IP $RESTRICTED_PORTS -l -j DENY

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
 -d $OUTSIDE_IP $RESTRICTED_OPENWINDOWS -l -j DENY

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
 -d $OUTSIDE_IP $RESTRICTED_XWINDOWS -l -j DENY

 # SOCKS: incoming connection
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
 -s $ANYWHERE -d $OUTSIDE_IP 1080  -j DENY

#
----------------------------------------------------------------------------

# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 -d $OUTSIDE_IP $RESTRICTED_PORTS -l -j DENY

 # UDP INCOMING TRACEROUTE
 # traceroute usually uses -S 32769:65535 -D 33434:33523

 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 -s $ANYWHERE 32769:65535 \
 -d $OUTSIDE_IP 33434:33523 -l -j DENY

#
----------------------------------------------------------------------------

    # DNS client (53)
    # ---------------
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
 -s $ANYWHERE 53 -d $OUTSIDE_IP $UNPRIVPORTS  -j ACCEPT

 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 -s $ANYWHERE 53 -d $OUTSIDE_IP $UNPRIVPORTS  -j ACCEPT

#
----------------------------------------------------------------------------

 # HTTP server (80)
 # ----------------

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $NAT_IP 80  -j ACCEPT


# ------------------------------------------------------------------
 # HTTP server (443)
 # ----------------

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $NAT_IP 443  -j ACCEPT


# ------------------------------------------------------------------

 # POP server (110)
 # ----------------

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $NAT_IP 110  -j ACCEPT

# ------------------------------------------------------------------
 # NNTP NEWS client (119)
 # ----------------------
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 -s $ANYWHERE 119 \
 -d $OUTSIDE_IP $UNPRIVPORTS  -j ACCEPT

# ------------------------------------------------------------------
 # FINGER client (79)
 # ------------------
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 -s $ANYWHERE 79 \
 -d $OUTSIDE_IP $UNPRIVPORTS  -j ACCEPT

# ------------------------------------------------------------------
 # AUTH client (113)
 # -----------------
 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 -s $ANYWHERE 113 \
 -d $OUTSIDE_IP $UNPRIVPORTS  -j ACCEPT

# ------------------------------------------------------------------
 # SMTP server (25)
 # ----------------

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $NAT_IP 25  -j ACCEPT


# ------------------------------------------------------------------
 # IMAP server (143)
 # -----------------

 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $NAT_IP 143  -j ACCEPT

#
----------------------------------------------------------------------------

# Unlimited traffic within the local network.

 # All internal machines have access to the fireall machine.

 ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1  -j ACCEPT
 ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1  -j
ACCEPT

#
----------------------------------------------------------------------------

# Masquerade internal traffic.
# All internal traffic is masqueraded externally.

 ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j
MASQ

#
----------------------------------------------------------------------------

#Forward Services to Internal Server
 echo "Forwarding Needed Services"

 ipmasqadm portfw -f

 ipmasqadm portfw -a -P tcp -L $NAT_IP 25 -R $NOTES_SERVER 25
 ipmasqadm portfw -a -P tcp -L $NAT_IP 80 -R $NOTES_SERVER 80
 ipmasqadm portfw -a -P tcp -L $NAT_IP 443 -R $NOTES_SERVER 443
 ipmasqadm portfw -a -P tcp -L $NAT_IP 110 -R $NOTES_SERVER 110
      ipmasqadm portfw -a -P tcp -L $NAT_IP 1352 -R $NOTES_SERVER 1352

#
----------------------------------------------------------------------------

# Enable logging for selected denied packets
# Basically anything that makes it through all the above rules without
getting accepted
# will be denied and logged by the rules below.

 echo "logging enabled"
 ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -d $OUTSIDE_IP -l -j
DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP
$PRIVPORTS -l -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP
$UNPRIVPORTS -l -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 5 -d
$OUTSIDE_IP -l -j DENY
 ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE
13:18 -d $OUTSIDE_IP -l -j DENY

#
----------------------------------------------------------------------------

echo "forwarding enabled"

echo "Firewall Enabled!"

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
[Masq] Lotus Notes Problem

Reply via email to
