I'm a relative newbie to using ipchains (as well as ipfwadm) for setting up masquerading and forwarding of packets from an internal network, via a gateway, to the internet in general.
To be specific, while I have gotten ipfwadm (and the associated rules) set up so that I can at least ftp to external sites, I have not had any luck in converting the ipfwadm commands/instructions to the ipchains format. As I do not wish to use the ipfwadm-convert script, I am trying to rewrite what few rules I have so that they conform to ipchains requirements.

My internal network is simple, consisting of three systems, one of which is the gateway connecting the other two, via a cable-modem, to the internet. My distribution is Debian, with a combination of HAMM and SLINK installed. My setup is shown below.

                    /|\
                     |
                24.1.zz.ww    <--- external gateway to internet
                    /|\
                     |
                24.1.xx.yy    <--- external NIC
                     |
                     |          gateway system (GS)
                     |
                192.168.52.1  <--- internal NIC
                    /|\
                    / \
                   /   \
                  /     \
                 /       \
        192.168.52.2   192.168.52.3
       internal sys #1 internal sys #2
            (IS1)           (IS2)

The ipfwadm rules on the GS system are:
---------------------------------------
(With the exceptions as noted, everything listed below was automatically set up when I originally installed and configured the networking system)

    # deny incoming packets pretending to be from 127.0.0.1
    ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
    ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
    ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
    ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 >/dev/null

    # deny incoming packets pretending to be from our own system.
    # set your own IP address below (or use `hostname -i` to set it).
    my_ip=24.1.xx.yy                                      (Changed to reflect my actual IP)
    ipfwadm -I -d deny -o -P all -S $my_ip -W eth0 -D 0/0 2>/dev/null || true
    ipfwadm -I -d deny -o -P all -S $my_ip -W eth1 -D 0/0 2>/dev/null || true
    ipfwadm -I -a deny -o -P all -S $my_ip -W eth0 -D 0/0 >/dev/null
    ipfwadm -I -a deny -o -P all -S $my_ip -W eth1 -D 0/0 >/dev/null

    ipfwadm -F -a accept -m -P tcp -S 192.168.52.0/24     (user added)
    ipfwadm -F -a accept -m -P udp -S 192.168.52.0/24     (user added)

On each of the internal systems, the ipfwadm rules are:
-------------------------------------------------------

    # deny incoming packets pretending to be from 127.0.0.1
    ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
    ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
    ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
    ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 >/dev/null

==============================================================================

The corresponding ipchains rules, which I have set up so far, are given below:

On the GS system, they are:
---------------------------

    echo -n "Setting up IP spoofing protection..."
    ipchains -D input -j DENY -l -s 127.0.0.0/8 -i ! lo 2>/dev/null || true
    ipchains -A input -j DENY -l -s 127.0.0.0/8 -i ! lo

    # deny incoming packets pretending to be from our own system.
    # set your own IP address below (or use `hostname -i` to set it).
    my_ip=192.168.52.zz                                   (changed to reflect my actual internal IP's)
    ipchains -D input -j DENY -l -s $my_ip -i ! lo 2>/dev/null || true
    ipchains -A input -j DENY -l -s $my_ip -i ! lo

    ipchains -A forward -p TCP -j MASQ -s 192.168.52.0/24 -d 0.0.0.0/0   (user added)
    ipchains -A forward -p UDP -j MASQ -s 192.168.52.0/24 -d 0.0.0.0/0   (user added)

=====================

On the internal systems, the ipchains rules are:

    # deny incoming packets pretending to be from our own system.
    # set your own IP address below (or use `hostname -i` to set it).
    my_ip=24.1.xx.yy
    ipchains -D input -j DENY -l -s $my_ip -i ! lo 2>/dev/null || true
    ipchains -A input -j DENY -l -s $my_ip -i ! lo
    ipchains -D input -j DENY -l -s 127.0.0.0/8 -i ! lo 2>/dev/null || true
    ipchains -A input -j DENY -l -s 127.0.0.0/8 -i ! lo

only.

'ipchains -L' on the GS shows:

    Chain input (policy ACCEPT):
    Chain forward (policy ACCEPT):
    target     prot opt     source                destination           ports
    MASQ       tcp  ------  johari.com/24         anywhere              any ->   any
    MASQ       udp  ------  johari.com/24         anywhere              any ->   any

'ipchains -L' on both of the internal systems shows:

    Chain input (policy ACCEPT):
    Chain forward (policy ACCEPT):
    Chain output (policy ACCEPT):

==============================

The setup, despite the fact that I only have three systems (one of which is the gateway system), seems to be very complicated - especially for someone who is just starting to learn how to use masquerading and forwarding.

My questions are:

1. Am I on the correct track for the rules on the gateway system?
2. Do I need rules forwarding packets from the internal NIC to the external NIC?
3. On the internal systems, do I need to specify where the packets are to be forwarded (using ipchains rules)? If so, what form do they take?
4. When using ipfwadm (on 2.0.xx kernels), I have the GS as an internal gateway for the other two internal systems. Is this necessary for ipchains?

Any help with this would be greatly appreciated.

Thanks,
Taren
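Added example, not from Taren's post or the Debian scripts it quotes: a gateway-side ipchains ruleset for the topology above, written as a shell script that defaults to a dry run (it prints the rules rather than applying them). EXT_IF, INT_IF, INT_NET, EXT_IP, run and gateway_rules are names I chose, and EXT_IP is a placeholder for the real external address.

```shell
#!/bin/sh
# Gateway (GS) ruleset for the three-host setup: eth0 faces the cable modem,
# eth1 faces the LAN. Names below are assumed, not the poster's; EXT_IP is a placeholder.
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.52.0/24
EXT_IP=24.1.xx.yy        # placeholder, substitute the real external address

# run: execute the command, or only print it when DRY_RUN=1 (the default)
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # Empty the chains and deny forwarding unless a rule explicitly allows it
    run ipchains -F
    run ipchains -P input ACCEPT
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Anti-spoofing keyed on the interface a packet arrives on: from the outside,
    # drop and log anything claiming loopback, our own address, or the LAN range
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s "$EXT_IP" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # and from the inside, drop anything that is not a LAN address
    run ipchains -A input -i "$INT_IF" -s ! "$INT_NET" -j DENY -l

    # In the forward chain -i names the OUTGOING interface: masquerade LAN traffic
    # leaving via the cable modem, for every protocol (so ICMP/ping works, not just TCP/UDP)
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ

    # The rules do nothing until the kernel is told to forward at all
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

gateway_rules
```

Forwarding from the internal NIC to the external one is covered by the single forward-chain MASQ rule plus ip_forward; the internal hosts need only a default route to 192.168.52.1, not forward or MASQ rules of their own.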