> > ipchains -F forward
> > ipchains -A forward -s 192.168.100.0/24 -i eth0 -d x.x.x.x/x -j ACCEPT
> > ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ
> > ipchains -A forward -j DENY -l
> > where x.x.x.x/x is the registered network.

> I've done something like this once, and I forgot to let the packets from
> x.x.x.x/x back through, like I think you did here. Or am I still under
> influence from the party last night? :)

Excuse my ignorance, but don't you just need:

ipchains -A forward -s 192.168.100.0/24 -i eth0 -d x.x.x.x/x -j ACCEPT
ipchains -P forward DENY

Default policy is DENY; any packets coming from the
192.168.100 subnet and going to <destination> will be masq'd. You don't
need to accept packets and then masq them in a separate rule. I didn't
catch the full thread, but maybe my firewall script will help. I'm very
interested in firewalling; I'm just learning, but mail me if you get stuck.

Andy
-----------------------------------
#!/bin/bash

# Flush All Existing Rules and Create Default Policies
ipchains -F input
ipchains -P input DENY
ipchains -F output
ipchains -P output DENY
ipchains -F forward
ipchains -P forward DENY

# Prevent *any* data coming over the ppp connection claiming a local IP
ipchains -A input -j DENY -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -l
ipchains -A input -j DENY -i ppp0 -s 172.16.0.0/12 -d 0.0.0.0/0 -l
ipchains -A input -j DENY -i ppp0 -s 192.168.0.0/16 -d 0.0.0.0/0 -l

# Open up *valid* ports to remote connection: echo (7), discard (9),
# daytime (13), FTP (20/21), DNS (53), HTTP (80), ntalk (518/udp)
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 7
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 9
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 13
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 20
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 21
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 53
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 80
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 7
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 9
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 13
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 20
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 21
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 53
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 80
ipchains -A input -j ACCEPT -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 518

# Open up SMTP port only to ISP's Mail Punts
ipchains -A input -j ACCEPT -p tcp -i ppp0 -s 194.217.242.0/24 -d 0.0.0.0/0 25

# Deny any remote source from using unauthorised ports
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 8080 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 8081 -l
ipchains -A input -j DENY -p tcp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 901 -l
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 1:1023 -l
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -l
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 8080 -l
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 8081 -l
ipchains -A input -j DENY -p udp -i ppp0 -s 0.0.0.0/0 -d 0.0.0.0/0 901 -l

# Allow any remote connections to the PPP address
ipchains -A input -j ACCEPT -i ppp0 -s 0.0.0.0/0 -d 194.222.168.226

# Stop Outbound packets from PPP going to Local Net (Routing Problems)
ipchains -A output -j DENY -i ppp0 -s 0.0.0.0/0 -d 192.168.0.0/16 -l

# Stop Outbound packets from Local Net going across PPP (Masquerading Problems)
ipchains -A output -j DENY -i ppp0 -s 192.168.0.0/16 -d 0.0.0.0/0 -l

# Stop Outbound packets going to Banner Sites
ipchains -A output -j DENY -i ppp0 -s 0.0.0.0/0 -d 206.253.217.6 -l

# All other outbound traffic is fine
ipchains -A output -j ACCEPT -i ppp0 -s 194.222.168.226 -d 0.0.0.0/0

# All local to local traffic is fine (Two network card setup, YMMV)
ipchains -A input -j ACCEPT -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0
ipchains -A output -j ACCEPT -i eth0 -s 0.0.0.0/0 -d 192.168.0.0/16
ipchains -A input -j ACCEPT -i eth1 -s 192.168.0.0/16 -d 0.0.0.0/0
ipchains -A output -j ACCEPT -i eth1 -s 0.0.0.0/0 -d 192.168.0.0/16

# All loopback traffic is fine
ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0

# Stop netbios traffic from bringing up dial-on-demand 
# (Win9x Client browsing SAMBA shares)
ipchains -A forward -j DENY -p tcp -s 0.0.0.0/0 137:139
ipchains -A forward -j DENY -p udp -s 0.0.0.0/0 137:139

# No Masquerading between local computers
ipchains -A forward -j ACCEPT -s 192.168.0.0/16 -d 192.168.0.0/16
ipchains -A forward -j MASQ -s 192.168.0.0/16 -d 0.0.0.0/0

# Safety Net for all other rules, catch them and log them
ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l

# Local Stuff for Testing
# Note: ipchains is first-match, and this rule is appended after the
# catch-all output DENY above, so it is never reached unless moved earlier
ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 224.0.0.0/0 -l

# By Andrew Taylor ([EMAIL PROTECTED]). 1999
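The point the two replies above disagree on is easy to check by modelling how ipchains walks a chain: the first rule that matches decides the packet, and the chain policy (-P) only applies when no rule matched. The following is an added example, not code from this thread or from ipchains itself. It models -s/-d CIDR matching, -p, the ACCEPT/DENY/MASQ targets and the chain policy, and nothing else: it ignores ports and the -i option (on the forward chain, ipchains' -i names the interface the packet is about to leave on, which is worth checking against rules like the quoted ones), and it does not model the kernel de-masquerading replies to MASQ'd connections, which skip the forward chain altogether. The 192.168.100.0/24 LAN is from the thread; the registered network x.x.x.x/x is stood in for by the constructed placeholder 198.51.100.0/24, and the sample packets and the "internet" host 203.0.113.5 are constructed too.

```python
"""Model of ipchains first-match evaluation for auditing a forward chain.

Added example, not code from the thread. It models -s/-d CIDR matching,
-p, the ACCEPT/DENY/MASQ targets and the chain policy (-P) only; -i and
ports are not modelled, and replies to MASQ'd connections (which the
kernel de-masquerades and routes past the forward chain) are not either.
The routed, non-MASQ path between the LAN and the registered network is
what this audit is for.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The thread's LAN, and a constructed TEST-NET-2 placeholder standing in
# for the "registered network" written as x.x.x.x/x in the thread.
LAN = "192.168.100.0/24"
REGISTERED = "198.51.100.0/24"


@dataclass
class Rule:
    target: str                    # ACCEPT, DENY, REJECT or MASQ
    src: str = "0.0.0.0/0"         # -s
    dst: str = "0.0.0.0/0"         # -d
    proto: Optional[str] = None    # -p; None matches any protocol
    log: bool = False              # -l (recorded, not acted on here)

    def matches(self, pkt: Dict[str, str]) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"]))


@dataclass
class Chain:
    policy: str = "ACCEPT"         # ipchains' built-in default policy
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Dict[str, str]) -> str:
        """First matching rule wins; the chain policy applies otherwise."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def original_ruleset() -> Chain:
    """The quoted poster's forward chain: ACCEPT to the registered net,
    MASQ everything else from the LAN, DENY (and log) the rest."""
    return Chain(rules=[
        Rule("ACCEPT", LAN, REGISTERED),
        Rule("MASQ", LAN),
        Rule("DENY", log=True),
    ])


def accept_only_ruleset() -> Chain:
    """Andy's suggestion: a single ACCEPT rule plus '-P forward DENY'."""
    return Chain(policy="DENY", rules=[Rule("ACCEPT", LAN, REGISTERED)])


def with_reply_rule() -> Chain:
    """Original ruleset plus the rule the first reply says is missing:
    let routed packets from the registered network back to the LAN."""
    chain = original_ruleset()
    chain.rules.insert(1, Rule("ACCEPT", REGISTERED, LAN))
    return chain


# Constructed sample packets (203.0.113.5 is a TEST-NET-3 "internet" host).
PACKETS = {
    "lan_to_internet": {"src": "192.168.100.10", "dst": "203.0.113.5", "proto": "tcp"},
    "lan_to_registered": {"src": "192.168.100.10", "dst": "198.51.100.7", "proto": "tcp"},
    "registered_reply": {"src": "198.51.100.7", "dst": "192.168.100.10", "proto": "tcp"},
}


def audit(chain: Chain) -> Dict[str, str]:
    """Verdict for each sample packet under the given forward chain."""
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in [("original", original_ruleset()),
                         ("accept-only + policy DENY", accept_only_ruleset()),
                         ("original + reply rule", with_reply_rule())]:
        print(label, audit(chain))
```

Running it shows the two things the thread is circling: with only an ACCEPT rule and a DENY policy, LAN traffic to the internet is denied rather than masqueraded, because a policy never masquerades anything and the MASQ rule is still needed; and with the original three rules, a routed packet coming back from the registered network to the LAN hits the trailing DENY, which is the gap the first reply pointed out and the extra ACCEPT rule closes.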

