/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
I've had the toughest time getting IP masquerading to work with my 2.4.6 kernel using
the iptables command. I finally got it working, but I think my method of doing
so is rather convoluted. Here's my attempt at a "strong" ruleset (this has been
boiled down from the HOWTO and from Bastille-Linux's stuff):
**Begin File**
#!/bin/sh
#
# rc.firewall - v1.00
#
# Initial Strong IP Masquerade for 2.4.x kernels
# using IPTABLES
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# printf instead of 'echo -e': not every /bin/sh understands the -e flag.
printf "\n\nIPMASQ Chris's Strong rc.firewall ruleset - v1.00\n\n"
# The location of the 'iptables' program
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables
# Your internal ip, internal network, internal interface, and
# external interface
INTERNAL_IP=192.168.0.5
INTERNAL_NET=192.168.0.0/24
INTERNAL_DEV=eth1
EXTERNAL_DEV=eth0
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " - Enabling dynamic addressing measures"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Flush all tables
$IPTABLES -F
$IPTABLES -t nat -F
# Set default policies
#
# NOTE: the nat table is not meant for filtering and its chains should
# stay at ACCEPT. A DROP policy on nat POSTROUTING discards the first
# packet of every new connection that does not hit a nat rule, including
# this host's own connections to the LAN. Filtering belongs in the
# filter table's FORWARD chain.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
# Kill spoofed packets (kernel reverse-path filter on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Anything coming from our internal network should have only our address!
# (Negation is written '! -s'; the '-s !' spelling is the old, deprecated
# form.)
$IPTABLES -A FORWARD -i $INTERNAL_DEV ! -s $INTERNAL_NET -j DROP
# Anything coming from the Internet should have a real Internet address.
# Note: there are a few more "reserved" networks, but these are the
# classical (RFC 1918) ones; 10/8 is left commented out here.
$IPTABLES -A FORWARD -i $EXTERNAL_DEV -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i $EXTERNAL_DEV -s 172.16.0.0/12 -j DROP
#$IPTABLES -A FORWARD -i $EXTERNAL_DEV -s 10.0.0.0/8 -j DROP
# Anything coming from the Internet should be destined for an internal
# address (so we don't provide masquerading services to the world).
$IPTABLES -A FORWARD -i $EXTERNAL_DEV ! -d $INTERNAL_NET -j DROP
# Block incoming syslog (514/udp), lpr (515/tcp), rsh (514/tcp) and
# rexec (512/tcp) from the Internet. Numeric ports avoid a dependency
# on /etc/services.
$IPTABLES -A FORWARD -i $EXTERNAL_DEV -p udp --dport 514 -j DROP
$IPTABLES -A FORWARD -i $EXTERNAL_DEV -p tcp --dport 515 -j DROP
$IPTABLES -A FORWARD -i $EXTERNAL_DEV -p tcp --dport 514 -j DROP
$IPTABLES -A FORWARD -i $EXTERNAL_DEV -p tcp --dport 512 -j DROP
# Enable IPMasquerading
echo " - Enabling SNAT (IPMASQ) functionality on $EXTERNAL_DEV"
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_DEV -j MASQUERADE
# CRITICAL: Enable IP forwarding, since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " - Enabling packet forwarding in the kernel"
echo "1" > /proc/sys/net/ipv4/ip_forward
printf "\nDone.\n\n"
**End File**
The thing I'm worried about here specifically is that if I set the default policy on
the FORWARD chain to deny, IP masquerading does not work, contrary to what I've read
in the HOWTO and elsewhere. Any ideas why? Also, if anyone who knows iptables well
could take a look at this and tell me if it's reasonably secure, it would be much
appreciated!
Thanks.
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
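Added example (not part of the original post or its script): the FORWARD chain built the way the poster attempted, with a DROP default policy, plus the explicit ACCEPT rules the posted script lacks. Every forwarded packet passes through the filter table's FORWARD chain before it reaches nat POSTROUTING, where the MASQUERADE target sits, so a DROP policy with nothing accepted in FORWARD discards the traffic before NAT ever sees it, which is the symptom described above. The interface names and network are the poster's; the IPTABLES default path, the DRY_RUN switch and the helper functions are this example's own assumptions, and 10.0.0.0/8 is blocked here although the posted script leaves it commented out.

```shell
#!/bin/sh
# Added example, not from the original post: a FORWARD chain whose default
# policy is DROP but which still passes masqueraded traffic. Interface and
# network names follow the poster's script; IPTABLES and DRY_RUN are this
# example's assumptions. With DRY_RUN=1 (the default) the commands are
# printed instead of executed, so the rule set can be reviewed without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERNAL_NET=192.168.0.0/24
INTERNAL_DEV=eth1
EXTERNAL_DEV=eth0
DRY_RUN="${DRY_RUN:-1}"

# Print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Every forwarded packet traverses the filter table's FORWARD chain before it
# reaches the nat table's POSTROUTING chain, where MASQUERADE lives. A DROP
# policy with no ACCEPT rules therefore discards every packet before NAT ever
# sees it; the cure is explicit ACCEPT rules, not a different NAT setup.
forward_rules() {
    run -F FORWARD
    run -t nat -F POSTROUTING
    run -P FORWARD DROP
    # nat chains are not for filtering; keep their policy at ACCEPT.
    run -t nat -P POSTROUTING ACCEPT

    # Anti-spoofing: LAN traffic must carry a LAN source address, and nothing
    # arriving from the Internet may claim an RFC 1918 source.
    run -A FORWARD -i "$INTERNAL_DEV" ! -s "$INTERNAL_NET" -j DROP
    run -A FORWARD -i "$EXTERNAL_DEV" -s 10.0.0.0/8 -j DROP
    run -A FORWARD -i "$EXTERNAL_DEV" -s 172.16.0.0/12 -j DROP
    run -A FORWARD -i "$EXTERNAL_DEV" -s 192.168.0.0/16 -j DROP

    # Packets the connection tracker cannot classify are dropped outright.
    run -A FORWARD -m state --state INVALID -j DROP

    # New connections may only originate on the LAN and leave through the
    # external interface; their later packets match here as well.
    run -A FORWARD -i "$INTERNAL_DEV" -o "$EXTERNAL_DEV" -s "$INTERNAL_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Replies from the Internet have already been de-NATted in nat PREROUTING
    # by the time they reach FORWARD, so they are accepted only when conntrack
    # already knows the connection. Nothing NEW is accepted in this direction.
    run -A FORWARD -i "$EXTERNAL_DEV" -o "$INTERNAL_DEV" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else falls through to the DROP policy. Now enable NAT.
    run -t nat -A POSTROUTING -o "$EXTERNAL_DEV" -j MASQUERADE
}

# Number of ACCEPT rules the rule set installs (a sanity check: exactly two,
# one per direction, and none of them accepts NEW from the outside).
count_accept_rules() {
    forward_rules | grep -c -- '-j ACCEPT'
}

forward_rules
```

With DRY_RUN=1 the script only prints the iptables commands it would run, so the rule set can be reviewed before anything touches the kernel; run it as root with DRY_RUN=0 to install it. `-m state` is the 2.4-era match used here; on current kernels `-m conntrack --ctstate` takes the same state names.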