/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */


Fred Brown wrote:

> I have a client with a 2.0.x Kernel-based Linux f/w with MASQ. Whoever set
> it up for him put in the basic rules and has effectively set it up as a
> router. I need to make it more secure for him and have found much of what I
> need from the various FAQs, etc., but I'm stuck on one minor problem.
> 
> He needs to allow anyone to connect via SMTP into a mail server behind the
> firewall but limit access to port 799 (Remotely Possible), port 21 (FTP) and
> port 1433 (SQL Server) to a particular class-C address space.
> 
> Currently his rc.firewall has the following lines:
> 
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
> 
> /usr/local/sbin/ipportfw -C
> /usr/local/sbin/ipportfw -A -t207.102.179.130/21 -R 192.168.0.60/21
> /usr/local/sbin/ipportfw -A -t207.102.179.130/25 -R 192.168.0.62/25
> /usr/local/sbin/ipportfw -A -t207.102.179.130/799 -R 192.168.0.60/799
> /usr/local/sbin/ipportfw -A -t207.102.179.130/1433 -R 192.168.0.60/1433
> 
> If I want to limit access to ports 21, 799 and 1433 to say the Class-C
> address space 209.53.1.0/24 (not the actual address space), how do I set
> this up using IPPORTFW or IPFWADM? As far as I can tell, IPPORTFW doesn't
> allow for an input address range. Can I do this with some "-I" rules to
> IPFWADM?

I don't know about ipportfw and ipfwadm, but with ipchains and ipmasqadm
you'd have to use ipchains to restrict incoming packets to just those
from the required address space and use ipmasqadm portfw to forward the
packets that get through, e.g.:

  # accept incoming packets on ports 21, 799, 1433 for a single address space
  ipchains -A input -s 209.53.1.0/24 -d $extip 21 -j ACCEPT
  ipchains -A input -s 209.53.1.0/24 -d $extip 799 -j ACCEPT
  ipchains -A input -s 209.53.1.0/24 -d $extip 1433 -j ACCEPT
  # exclude packets to those ports from all other sources
  ipchains -A input -d $extip 21 -j DENY
  ipchains -A input -d $extip 799 -j DENY
  ipchains -A input -d $extip 1433 -j DENY

  # set up masquerading (necessary for portfw)
  ipchains -P forward DENY
  ipchains -A forward -s $intnet -j MASQ

  # forward ports 21, 799, 1433 to an internal host
  ipmasqadm portfw -f
  ipmasqadm portfw -a -P tcp -L $extip 21 -R $inthost 21
  ipmasqadm portfw -a -P tcp -L $extip 799 -R $inthost 799
  ipmasqadm portfw -a -P tcp -L $extip 1433 -R $inthost 1433

Note: the above probably isn't sufficient for FTP, but it's a start.

Hopefully you can translate these commands into ipfwadm/ipportfw commands.

> Also, the SQL Server port number of 1433 is in the dynamic range of
> 1023-65535 (thanks to Microsoft), and I've read that this can end up being
> accepted because of the way that MASQ works. Any help here would be
> appreciated.

Don't worry. Masquerading uses ports 61000-65096 for masqueraded packets,
so it won't interfere with port 1433.

raf
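The rule pattern above, as an added example that is not part of raf's post: a POSIX sh script that generates the ipchains/ipmasqadm ruleset for any list of ports and prints it for review instead of running it, so the first-match ordering (source-restricted ACCEPT before the catch-all DENY) is produced mechanically. It assumes that ipchains wants `-p tcp` alongside a port match (added here) and uses the constructed addresses from the thread as sample values.

```shell
#!/bin/sh
# Added example, not code from the list post: emit the ipchains/ipmasqadm
# ruleset sketched above for an arbitrary list of ports. Commands are
# printed, not executed; review them, then pipe to sh on the firewall.
# Assumptions: "-p tcp" is required for a port match (added here), and the
# addresses used below are constructed sample values.

# gen_rules ALLOWED_NET EXTIP INTHOST INTNET PORT...
gen_rules() {
  net=$1 ext=$2 host=$3 intnet=$4
  shift 4
  # ipchains is first-match: the ACCEPT restricted to the allowed network
  # must be appended before the DENY for the same port.
  for port in "$@"; do
    printf 'ipchains -A input -p tcp -s %s -d %s %s -j ACCEPT\n' "$net" "$ext" "$port"
    printf 'ipchains -A input -p tcp -d %s %s -j DENY\n' "$ext" "$port"
  done
  # masquerading for the internal network (required for portfw)
  printf 'ipchains -P forward DENY\n'
  printf 'ipchains -A forward -s %s -j MASQ\n' "$intnet"
  # flush old portfw entries, then forward each port to the internal host
  printf 'ipmasqadm portfw -f\n'
  for port in "$@"; do
    printf 'ipmasqadm portfw -a -P tcp -L %s %s -R %s %s\n' "$ext" "$port" "$host" "$port"
  done
}

# accept_before_deny PORT RULES: succeeds only if the ACCEPT rule for PORT
# appears before its DENY rule in RULES (the ordering that makes it work).
accept_before_deny() {
  port=$1 rules=$2
  a=$(printf '%s\n' "$rules" | grep -n " $port -j ACCEPT\$" | head -1 | cut -d: -f1)
  d=$(printf '%s\n' "$rules" | grep -n " $port -j DENY\$" | head -1 | cut -d: -f1)
  [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# sample run with the constructed addresses from the thread
RULES=$(gen_rules 209.53.1.0/24 207.102.179.130 192.168.0.60 192.168.0.0/24 21 799 1433)
printf '%s\n' "$RULES"
```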

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.