<quote who="Crossfire">
> A minimum Masquerading ipchains ruleset can be built using:
>
> ipchains -F forward
> ipchains -P forward DENY
> ipchains -A forward -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ
What Crossfire didn't mention was the 'ipmasq' package in Debian, which does
this, and a whole lot more for you. As NEAT-O things go in Debian, this one
is pretty cool.
Not only does the package come with a good set of basic rules (cutting out
spoofing, etc), but it's set up for 'drop in rules' of your own. Check this
out - tres cool. [1]
Plus, it will load the extra kernel modules you specify - they're sitting
there ready to uncomment.
Also, I strongly recommend you install 'snort', a great little packet
sniffer that is set up to detect network intrusions. It'll send you emails
reporting all the Chinese hackers portscanning Australia. ;)
For connection setup, 'pppconfig', which uses 'wvdial'. Very simple, does
everything like on demand, yada yada yada.
Great thing is, all these packages are set up and ready to roll, and it's
only personal preferences or esoterics that'll have you diving into
configuration files.
My little gateway is a 486, set up with all these things (plus a bit of other
stuff like OpenLDAP), and df -h looks like this:
Filesystem   Size  Used Avail Use% Mounted on
/dev/hda3    560M  112M  420M  21% /
/dev/hda1    9.0M  1.3M  7.2M  15% /boot
Sweet. :)
- Jeff
[1] Ah, bugger it. Here's what ipmasq does, no sweat, by default,
autodetecting everything, no human intervention required, YYY:
kylie:/etc/ipmasq# ipmasq --display
Interfaces found:
ppp0 x.x.x.x/255.255.255.255
eth0 10.0.0.32/255.255.0.0
eth1 10.1.0.32/255.255.0.0
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -A forward -j ACCEPT -s 10.1.0.32/255.255.0.0 -d 10.0.0.32/255.255.0.0
/sbin/ipchains -A forward -j ACCEPT -s 10.0.0.32/255.255.0.0 -d 10.1.0.32/255.255.0.0
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A input -j DENY -i !lo -s 127.0.0.1/255.0.0.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.32/255.255.0.0
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 10.1.0.32/255.255.0.0
/sbin/ipchains -A input -j DENY -i ppp0 -s 10.0.0.32/255.255.0.0 -l
/sbin/ipchains -A input -j DENY -i ppp0 -s 10.1.0.32/255.255.0.0 -l
/sbin/ipchains -A input -j ACCEPT -i ppp0 -d x.x.x.x/32
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 10.0.0.32/255.255.0.0
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 10.1.0.32/255.255.0.0
/sbin/ipchains -A output -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 10.0.0.32/255.255.0.0
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 224.0.0.0/240.0.0.0 -p ! tcp
/sbin/ipchains -A output -j ACCEPT -i eth1 -d 10.1.0.32/255.255.0.0
/sbin/ipchains -A output -j ACCEPT -i eth1 -d 224.0.0.0/240.0.0.0 -p ! tcp
/sbin/ipchains -A output -j DENY -i ppp0 -d 10.0.0.32/255.255.0.0 -l
/sbin/ipchains -A output -j DENY -i ppp0 -d 10.1.0.32/255.255.0.0 -l
/sbin/ipchains -A output -j ACCEPT -i ppp0 -s x.x.x.x/32
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
(plus the ip_masq modules)
-- [EMAIL PROTECTED] ------------------------------- http://linux.conf.au/ --
The Unix Way: Everything is a file.
The Linux Way: Everything is a filesystem.
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
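As an added example (not from Jeff's post or the ipmasq package), here is a small Python checker that parses ipchains lines in the form `ipmasq --display` prints them and verifies the properties the post highlights: DENY default policies, a logged anti-spoofing DENY for each internal network arriving on the external interface, a MASQ rule per internal network, and a logged catch-all DENY in every chain. The external interface name and the internal networks are passed in by the caller; the sample ruleset is constructed from the post's output, and the parser assumes every option other than -l and -P takes exactly one argument.

```python
import shlex

# Constructed sample: the ipmasq --display rules from the post, minus the per-LAN ACCEPT lines.
RULESET = """\
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -A input -j DENY -i ppp0 -s 10.0.0.32/255.255.0.0 -l
/sbin/ipchains -A input -j DENY -i ppp0 -s 10.1.0.32/255.255.0.0 -l
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 10.0.0.32/255.255.0.0
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 10.1.0.32/255.255.0.0
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
"""

def parse(text):  # each -A/-P ipchains call becomes a dict keyed by option (-A, -j, -i, -s ...)
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or not toks[0].endswith("ipchains") or toks[1] not in ("-A", "-P"):
            continue                              # skips -F, -M and the echo line
        rule, i = {}, 1
        while i < len(toks):
            flag = toks[i]
            if flag == "-l":                      # logging flag, takes no argument
                rule["-l"], i = True, i + 1
            elif flag == "-P":                    # -P CHAIN POLICY, two arguments
                rule["-P"], rule["policy"], i = toks[i + 1], toks[i + 2], i + 3
            elif toks[i + 1] == "!":              # "-p ! tcp" style negation
                rule[flag], i = "!" + toks[i + 2], i + 3
            else:
                rule[flag], i = toks[i + 1], i + 2
        rules.append(rule)
    return rules

def audit(rules, ext_if, internal_nets):  # returns a list of problems; empty means all checks passed
    def has(want):                                # is there a rule matching every key in want?
        return any(all(r.get(k) == v for k, v in want.items()) for r in rules)
    problems = []
    for chain in ("input", "output", "forward"):
        if not has({"-P": chain, "policy": "DENY"}):
            problems.append(f"{chain}: default policy is not DENY")
        if not has({"-A": chain, "-j": "DENY", "-s": "0.0.0.0/0", "-l": True}):
            problems.append(f"{chain}: no logged catch-all DENY rule")
    for net in internal_nets:
        if not has({"-A": "input", "-j": "DENY", "-i": ext_if, "-s": net, "-l": True}):
            problems.append(f"{net}: spoofed packets arriving on {ext_if} not denied")
        if not has({"-A": "forward", "-j": "MASQ", "-i": ext_if, "-s": net}):
            problems.append(f"{net}: no MASQ rule out {ext_if}")
    return problems
```

The checker only tests for the presence of each rule, not their order, so a catch-all DENY placed above the ACCEPT rules would still pass.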