Please wrap your lines to 72 characters...

On Fri, 5 May 2000, Stefan Srdic wrote:

> I've recently attempted to write my own IP routing script (IPchains and
> IPmasquerading). I have some minor problems with my initial script and
> need some help from an experienced Linux user.
>
> First off, I have a cable modem for receiving my internet connection,
> with an IP address that is provided via DHCP; second, I want my machine
> to serve as an outgoing DHCP server for the other machines on my
> network. The client machines will be using a class "C" network address
> and the DHCP server will only allow a fixed amount of clients to exist
> on the network for security reasons!

For DHCP, try adding ...

# Configuration line for DHCP configured server
/sbin/ipchains -A input -i eth0 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

> I wrote a script using several resources on the web. I have yet to read
> the IPMasquerading HOW-TO and the IPChains HOW-TO but plan to in the
> near future. Currently I am trying to figure out how in the hell to
> enable the outgoing DHCP server on my computer! I have tested out this
> script with no success! What should I add or change in order to make it
> work? IP port forwarding is enabled in the kernel and this script is
> executed at boot up.
>
> Here is my script: rc.firewall
>
> #!/bin/sh
> # rc.firewall - IPChains and IPMasquerading, internet firewall/routing script
> #
> echo -n "Setting IP Chains..."

add...

# Load all required IP MASQ modules
# Note: only load required modules that you need
#
# Needed to initially load modules
/sbin/depmod -a

> # modules for IPMasquerading
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_raudio

change to...

# Supports the masquerading of RealAudio over UDP. Without this module,
# Real Audio WILL function but in TCP mode. This can cause
# a reduction in sound quality.
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971

> /sbin/modprobe ip_masq_irc
> # the VDOLive masquerading module is named ip_masq_vdolive
> /sbin/modprobe ip_masq_vdolive

disable irc and vdolive (video conferencing) if you don't use them.

> # execute IP Forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
> # ip_dynaddr is the dial-on-demand dynamic address hack; it does not
> # enable a DHCP server
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr

Use this...

# ----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done
# ----------------------------------------------------------------------------

> # IPChains routing information
> /sbin/ipchains -M -S 7200 10 160
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.0.1/24 -d 192.168.0.1/24 -j ACCEPT
> /sbin/ipchains -A forward -s 192.168.0.1/24 -d 192.168.0.2/32 -j MASQ
> /sbin/ipchains -A forward -s 192.168.0.1/24 -d 192.168.0.3/32 -j MASQ

or simply use this for local network...

/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ    # local network

and then I add lines here to start PortSentry upon bootup
(http://www.psionic.com)

> echo "Done!"
>
> BTW, I did not write any firewall rules as of yet, I know basically how
> to and which ports to block to be secure, and I will do so once the
> Masquerading issue is solved!

Hope that helps.

Thanks...

Dan.
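As an added example (not Stefan's script and not part of Dan's reply), here is a complete rc.firewall in the same style that puts the pieces above together for a box that is a DHCP client on the cable side and a DHCP server on the LAN side. The interface names eth0/eth1, the 192.168.0.0/24 subnet and the RC_FIREWALL_APPLY variable are assumptions for the example. The point it makes beyond the thread: the rule given above (UDP 67 to 68 on eth0) covers the cable-modem side, where the box is itself a DHCP client; serving DHCP to the LAN needs the opposite direction (UDP 68 to 67) on the LAN interface, and no ipchains rule starts dhcpd, which has to be run separately.

```shell
#!/bin/sh
# rc.firewall (added example): ipchains masquerading gateway that also
# serves DHCP to the LAN.  Interface names, subnet and the dry-run
# variable are assumptions for this example; adjust them for your box.
#
# ipchains rules do not start a DHCP server.  dhcpd must be installed
# and running on the LAN interface; these rules only let its traffic
# through once the input/output policies are tightened.

EXT_IF=${EXT_IF:-eth0}          # cable modem side, address from ISP DHCP
INT_IF=${INT_IF:-eth1}          # LAN side, where our dhcpd answers
LAN=${LAN:-192.168.0.0/24}      # network address, not a host address
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Emit the rule set as shell commands, one per line.  Kept separate from
# applying it so the rules can be reviewed (or tested) without root.
generate_rules() {
    # Start from a clean slate and deny forwarding by default
    echo "$IPCHAINS -F"
    echo "$IPCHAINS -P forward DENY"
    # Masquerade timeouts: TCP, TCP FIN wait, UDP (seconds)
    echo "$IPCHAINS -M -S 7200 10 160"

    # DHCP client on the cable side: ISP server (67) answers our client (68)
    echo "$IPCHAINS -A input -i $EXT_IF -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT"

    # DHCP server on the LAN side: clients (68) send DISCOVER/REQUEST to
    # us (67) from 0.0.0.0 to 255.255.255.255, so match any address.
    echo "$IPCHAINS -A input -i $INT_IF -p udp -s 0/0 68 -d 0/0 67 -j ACCEPT"
    # Our replies to clients (67 -> 68), for when the output chain is restricted
    echo "$IPCHAINS -A output -i $INT_IF -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT"

    # Never accept packets claiming a LAN source address from the internet
    # (spoofing); -l logs the matches
    echo "$IPCHAINS -A input -i $EXT_IF -s $LAN -j DENY -l"

    # LAN-to-LAN traffic is routed plainly; everything else from the LAN
    # is masqueraded behind the cable-side address
    echo "$IPCHAINS -A forward -s $LAN -d $LAN -j ACCEPT"
    echo "$IPCHAINS -A forward -s $LAN -j MASQ"
}

# Count the generated rules that mention a given interface (self-check).
count_rules_for() {
    generate_rules | grep -c -- "-i $1"
}

# Enable forwarding and load the rules.  Only runs when the (assumed)
# RC_FIREWALL_APPLY variable is set, so the file can be read or sourced
# without changing the running kernel.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    generate_rules | sh -e
}

if [ "${RC_FIREWALL_APPLY:-0}" = 1 ]; then
    apply_rules
else
    generate_rules
fi
```

Run it as-is to print the rules it would load; run it as root with RC_FIREWALL_APPLY=1 to apply them. Note the subnet in the MASQ rule must be the one the LAN machines actually use (192.168.0.x in the script quoted above, not 192.168.1.0/24), or their traffic is dropped by the DENY forward policy.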
Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.