Hi again everybody,
To refresh your memory I'll explain once again my situation.
I have a dahstein cd box with 3 ethernet cards (eth0,eth1,eth2) in it.
for now as I'm still doing experiment, eth0 will only be bound with 2 legal
ip#, but if I succeed, I expect to bound many more ip# in eth0.
right now each legal ip# in eth0 is open only for 3 services which are 25,80
and 110.
I want to do port forwarding for those services to my servers in DMZ network
(eth2).
eth1 will be used as gateway by my internal network to communicate with the
outside world.
the folling is my network.conf file, please correct me if i'm doing wrong
with it. and thank you in advance.
############################################################################
###
# Extended firewall configruation scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
############################################################################
###
# Brief instructions for this file
############################################################################
###
#
# VERBOSE=(YES/NO) Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int) Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entires)
# Setting this value too high will decrease the speed of the configuation
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# Enable IP forwarding in the kernel. FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO) Default: NO
# Enable IP Global defragmentation in the kernel.
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets.
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm. DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCes. This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transperent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a usful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO) Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO) Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO) Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST Default: "$IF_AUTO"
# A space seperated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO Default: "eth0"
# A space seperated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall) Default: "none"
# Selects the basic IP filtering/firewalling setup of the router. "None"
# is used for a straight through router, "router" for a filtering router
with
# IP spoof protection and Martian protection and "firewall" for a basic IP
# masquerading/NAT firewall. The basic filter types are provided in
# /etc/ipfilter.conf. If you want more than what is provided read the man
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
############################################################################
###
# General Settings
############################################################################
###
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES
############################################################################
###
# Interfaces
############################################################################
###
# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
IF_AUTO="eth0 eth1 eth2"
# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES
# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""
############################################################################
###
eth0_IPADDR=202.149.81.61
eth0_MASKLEN=28
eth0_BROADCAST=202.149.81.63
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running
these.
eth0_DEFAULT_GW=202.149.81.49
# Secondary IP addresses/networks on same wire - add them here
eth0_IP_EXTRA_ADDRS="202.149.81.55/28"
# Additional routes for this interface, if any
# Space seperated list: <PREFIX>[_<more ip route options>]
#eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy
ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit # Device bandwidth
#eth0_HNDL=2 # Queue Handle - must be unique
#eth0_IABURST=100 # Interactive Burst
#eth0_IARATE=1Mbit # Interactive Rate
#eth0_PXMTU=1514 # Physical MTU - includes Link Layer header
############################################################################
###
eth1_IPADDR=192.168.1.250
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO
############################################################################
###
eth2_IPADDR=192.168.15.5
eth2_MASKLEN=24
eth2_BROADCAST=+
#eth2_ROUTES=
#eth2_IP_SPOOF=YES
#eth2_IP_KRNL_LOGMARTIANS=YES
#eth2_IP_SHARED_MEDIA=NO
#eth2_BRIDGE=NO
#eth2_PROXY_ARP=
#eth2_FAIRQ=NO
############################################################################
###
# NAT 'virtual' interface (optional: required only for static-NAT DMZ
systems)
############################################################################
###
# Configured as an interface to allow flexible handling of bringing the
# routing rules up/down in conjunction with the physical interfaces
# interface spec is an indexed list of IP address pairs and a base priority
# number for ip rule creation
nat0_BASE_PRI=100 # Unique base value for ip rules
# Indexed list: <public IP> <private DMZ IP>
nat0_PAIR0="202.149.81.61 192.168.15.16"
nat0_PAIR1="202.149.81.61 192.168.15.25"
nat0_PAIR2="202.149.81.55 192.168.15.200"
# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit # Usually you set this to the CIR
#fr498_BULKBURST=50 # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface
#fr498_IABURST=512 # No of Interactive Burst packets
#fr498_IARATE=640Kbit # Burst capicity bandwith between
# BURST and CIR
#fr498_HNDL=2 # The queue handle - must be unique Dialup PPP is 1000+
#fr498_PXMTU=1508 # The Physical MTU of the interface (data + MAC header)
# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
#ppp_BNDWIDTH=30Kbit
#ppp_FAIRQ=YES
#ppp_TXQLEN=30
#ppp_IABURST=20
#ppp_IARATE=10Kbit
#ppp_PXMTU=1500
############################################################################
###
# IP Filter setup - can pull in settings from above
############################################################################
###
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall
# This set of variables is used with both sets of filters
SNMP_BLOCK=YES # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
#SNMP_MANAGER_IPS="10.100.1.2"
# Fair Queuing support
# List of Mark values
MRK_CRIT=1 # Critical traffic, routing, DNS
MRK_IA=2 # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain
${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
# port forwarding when EXTERN_DYNADDR is on because some security
# leaks will result. You may also want to limit the external open
# ports to domain (UDP) for DNS. Anyhow, these features are not that
# usable unless you have a static external address
#
EXTERN_IF="eth0" # External Interface
# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interfaceB
EXTERN_DHCP=NO # YES/NO
# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF
# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if
you
# are using DHCP
EXTERN_DYNADDR=NO # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
# Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the
# interface, but you arn't using DHCP (ie PPPoE and dialup users)
#EXTERN_IP=DYNAMIC
# If external interface IP is dynamic, read the configured IP address
# This should probably be moved to the init.d network script, but I put it
# here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" -o \
"$EXTERN_DHCP" = "Yes" -o \
"$EXTERN_DHCP" = "yes" -o \
"$EXTERN_IP" = "DYNAMIC" ] ; then
# This computes the IP address of $EXTERN_IF
EXTERN_IP=`ip addr list label $EXTERN_IF | \
grep inet | sed '1!d' | \
sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
# If the external address is not configured, use a bogus address for the
# external interface to prevent a bunch of (harmless) errors that spit out
# when the IPCHAINS script is called.
if [ x$EXTERN_IP = x ]; then
EXTERN_IP=192.168.254.254
fi
fi
# Traffic to completely ignore...define here to prevent filling your logs
# Space seperated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"
# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extentions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output
# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"
## UDP Services open to outside world
# Space seperated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
#EXTERN_UDP_PORTS="0/0_domain"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"
# TCP services open to outside world
# Space seperated list: srcip/mask_dstport
EXTERN_TCP_PORTS="202.149.81.55/28_25 202.149.81.55/28_www
202.149.81.55/28_110 202.149.81.61/28_25 202.149.81.61/28_www
202.149.81.61/28_110"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
# Generic Services open to outside world
# Space seperated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"
# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
############################################################################
###
# Internal Interface
############################################################################
###
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1" # Internal Interface
INTERN_NET=192.168.1.0/24 # One (or more) Internal network(s)
INTERN_IP=192.168.1.250 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES # Masquerade internal network to outside
# world - YES/NO
# These services are not masqueraded from int to ext/DMZ, preventing access
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST="tcp_0/0_ssh"
# Override for above...only the listed dest IP's can be accessed
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
############################################################################
###
# Port Forwarding
############################################################################
###
# Remember to open appropriate holes in the firewall rules, above
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
INTERN_SERVERS="tcp_202.149.81.61_80_192.168.15.25_80
tcp_202.149.81.61_smtp_192.168.15.16_smtp
tcp_202.149.81.61_110_192.168.15.16_110
tcp_202.149.81.55_80_192.168.15.200_80
tcp_202.149.81.55_smtp_192.168.15.200_smtp
tcp_202.149.81.55_110_192.168.15.200_110"
# These lines use the primary external IP address...if you need to
port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.15.200 # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.15.200 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.15.200 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access
# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW1=""
############################################################################
###
# DMZ setup (optional)
############################################################################
###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=YES
DMZ_IF="eth2"
DMZ_NET=192.168.15.0/24
# DMZ switches for all flavors except PRIVATE
############################################################################
###
# For NAT DMZ's:
# DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the
# public IP range being NAT'd to DMZ_NET. Any systems
DMZ_SRC=202.149.81.48/28
# For Proxy-Arp or NAT DMZ's only:
# For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT)
# specification, above, that are NOT remote systems reached via DMZ_IF must
# be listed here. This potentially includes IP's of this LRP system, your
# gateway, and systems connected to your external interface.
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP 202.149.81.48/28"
## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!
# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: (or a smaller range)
# as the dest port range in DMZ_OPEN_DEST (RECOMMENDED)
DMZ_HIGH_TCP_CONNECT=NO
## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
DMZ_OPEN_DEST="tcp_${DMZ_NET}_www
tcp_${DMZ_NET}_smtp
icmp_${DMZ_NET}_:
tcp_${DMZ_NET}_110"
# PRIVATE DMZ switches
############################################################################
###
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
DMZ_SERVER0="tcp 202.149.81.55 www 192.168.15.200 www"
DMZ_SERVER1="tcp 202.149.81.55 110 192.168.15.200 110"
DMZ_SERVER2="tcp 202.149.81.55_IP 25 192.168.15.200 25"
DMZ_SERVER3="tcp 202.149.81.61 smtp 192.168.15.16 smtp"
DMZ_SERVER4="tcp 202.149.81.61 www 192.168.15.25 www"
DMZ_SERVER5="tcp 202.149.81.61 110 192.168.15.16 110"
# Allow all outbound traffic from DMZ (YES)
# or just traffic from port-forwarded servers (NO)
DMZ_OUTBOUND_ALL=NO
############################################################################
###
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
############################################################################
###
echo_rtepfx () {
------ cut------
regards,
Gregor
+Gregor Gede W.
+CENTER FOR INFORMATION SYSTEM
+ATMA JAYA YOGYAKARTA UNIVERSITY
[EMAIL PROTECTED]
+62 81 2271 0583
+62 81 7467 518
WATCHOUT! 3RD INTERNATIONAL SEMINAR ON SUSTAINABLE ENVIRONTMENTAL
ARCHITECTURE + DIGITAL ARCHITECTURE, 9-10 MARCH 2002, YOGYAKARTA
http://senvar.virtue.nu or http://senvar.uajy.web.id
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
