Brandon Yu wrote:
> 
> I am new to Linux and IP Masquerade, please bear with me,  your help is
> greatly appreciated. My problem is that I can't connect to my news server
> but can surf web, download/sendmail and ftp. I read over man pages and HOW
> TO's on how to modify firewall and have tried numerous things but nothing
> seems to work. If you could look over this setup, I welcome your pointers.
> Also, what setting should I have on my client PC for pointing to the correct
> news server, the internal linux box or the external news server?.
> 
> Here is my current script for firewall. If you have a script that works, I
> would welcome email as well.
> 
> Thanks for your help on this.
> Brandon Yu
> 
> /sbin/ipfwadm -F -p deny
> 
> # 3 following commands flush system
> /sbin/ipfwadm -F -f
> /sbin/ipfwadm -I -f
> /sbin/ipfwadm -O -f
> 
> # forward internal traffic
> /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
> 
> # Forward DNS traffic
> /sbin/ipfwadm -F -a masquerate -b -P udp -S 0.0.0.0/0 53 -D 192.168.1.0/24
> 
> # Forward News
> /sbin/ipfwadm -F -a accept -b -P tcp -S 192.168.1.0/24 1024:65535 -D 0.0.0.0/0 119
> /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 119 -D 192.168.1.0/0 1024:65535
>

Why not just do this:
/sbin/ipfwadm -F -
/sbin/ipfwadm -F -a masquerade -S $LOCAL_NET -D $ANYWHERE

If you want to limit anything in or out of your network do it with the
-I and -O options.
Is this your complete script? If it is you might want to do something
like this:

#!/bin/sh
# simple IP-masquerading and forwarding
# Change these variables to match your setup
MASQ_DEVICE=ppp0
ETHERNET_DEVICE=eth0
LOCAL_NETWORK=192.168.1.0/24
ANYWHERE=0.0.0.0/0
#
# we are all paranoid aren't we?
# set all default policies to deny
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -O -p deny
/sbin/ipfwadm -F -p deny
# flush all rules
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
# input default policy stays deny: only the explicit accepts below get in
/sbin/ipfwadm -I -p deny
# local network is ok (only when it arrives on the ethernet side)
/sbin/ipfwadm -I -a accept -W $ETHERNET_DEVICE -S $LOCAL_NETWORK -D $ANYWHERE
# loopback is ok
/sbin/ipfwadm -I -a accept -W lo
# No ip spoofing and log it: a local-network source address must never
# arrive on the outside link
/sbin/ipfwadm -I -a deny -W $MASQ_DEVICE -S $LOCAL_NETWORK -D $ANYWHERE -o
# Deny everything else and log
/sbin/ipfwadm -I -a deny -S $ANYWHERE -D $ANYWHERE -o
# set output rules default policy to accept everything
/sbin/ipfwadm -O -p accept

# if it comes from the local network to MASQ_DEVICE then forward it.
/sbin/ipfwadm -F -a masquerade -W $MASQ_DEVICE -S $LOCAL_NETWORK -D $ANYWHERE
# deny everything else and log (not really needed with the deny policy above)
/sbin/ipfwadm -F -a deny -S $ANYWHERE -D $ANYWHERE -o
#


You can add rules to the -I and -O to allow stuff in or out of your
network. Mine is much more complex and I am still working out a few bugs.

Ronald Austin
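An added illustration, not part of Ronald's or Brandon's posts: a small Python model of first-match evaluation for the -I chain in the script above, showing why the anti-spoofing rule must stay ahead of any later accept rule (ipfwadm -a appends, -i inserts at the head). The SMTP rule and the sample packets are constructed for this example; the interface names and networks are the ones the posted script uses.

```python
# Model of ipfwadm first-match evaluation for the input (-I) chain.
# This is an illustration written for this thread, not an ipfwadm call.
from ipaddress import ip_address, ip_network

MASQ_DEVICE = "ppp0"          # values taken from the posted script
ETHERNET_DEVICE = "eth0"
LOCAL_NETWORK = ip_network("192.168.1.0/24")
ANYWHERE = ip_network("0.0.0.0/0")

# One rule = (action, interface or None for any, src net, dst net,
#             dst port or None for any, log flag as with -o)
BASE_INPUT_RULES = [
    ("accept", ETHERNET_DEVICE, LOCAL_NETWORK, ANYWHERE, None, False),
    ("accept", "lo", ANYWHERE, ANYWHERE, None, False),
    ("deny", MASQ_DEVICE, LOCAL_NETWORK, ANYWHERE, None, True),  # anti-spoof
]
CATCH_ALL = ("deny", None, ANYWHERE, ANYWHERE, None, True)
# Hypothetical later addition of the kind Ronald mentions: outside SMTP in.
ALLOW_SMTP = ("accept", MASQ_DEVICE, ANYWHERE, ANYWHERE, 25, False)


def first_match(rules, iface, src, dst, dport):
    """Return (action, logged) from the first matching rule, else the
    -p deny default policy without logging."""
    s, d = ip_address(src), ip_address(dst)
    for action, want_iface, src_net, dst_net, want_port, log in rules:
        if want_iface is not None and want_iface != iface:
            continue
        if want_port is not None and want_port != dport:
            continue
        if s in src_net and d in dst_net:
            return action, log
    return "deny", False


def spoofed_smtp_result(spoof_rule_first):
    """Same spoofed packet (LAN source address arriving on ppp0, port 25)
    against the chain with the SMTP rule appended after the anti-spoof
    rule (-a) or wrongly inserted ahead of it (-i)."""
    if spoof_rule_first:
        rules = BASE_INPUT_RULES + [ALLOW_SMTP, CATCH_ALL]
    else:
        rules = [ALLOW_SMTP] + BASE_INPUT_RULES + [CATCH_ALL]
    return first_match(rules, MASQ_DEVICE, "192.168.1.10", "192.168.1.1", 25)


if __name__ == "__main__":
    print("SMTP rule appended:", spoofed_smtp_result(True))   # ('deny', True)
    print("SMTP rule inserted:", spoofed_smtp_result(False))  # ('accept', False)
```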