Jeremy Sudderth wrote:

> Agreed,
>
> That is what I was striving for anyway.  So how would you set it all up?  I
> have access to any and everything needed, I just need some suggestions on the
> best configuration.
>
> Thanks,
>
> Jeremy
>

I don't have any experience with proxying, but I can give you advice on SMB
(Windows file serving), IP Masquerade, packet filtering with the 2.2.x kernel (the
2.4 kernel has a completely revised system that I haven't used yet), and DHCP.

One route is to find scripts and GUIs to do these tasks for you.  Mandrake
already has a GUI to help you out with almost all of these tasks.  Also there
are scripts like pmfirewall to help out with setting up your firewall
configuration.

The fun way is to put things together by hand.  For IP Masquerade and packet
filtering look into IPChains.  For DHCP look into DHCPd.  For SMB look into
Samba.

Here is an example script if you are looking into building a packet filtering
masq box (look for the x's and substitute):

#!/bin/bash

# This script is by Jason Snyder
# This is meant to be a semi generic Packet Filtering and IP Masquerading script.
# This is designed to run under Linux on a 2.2.x kernel.
# Tested under RedHat 6.0 and Mandrake 6.1.

# Declare environment variables
REALIP=x.x.x.x
FAKEIP=x.x.x.x
FAKESUBNET=x.x.x.0/24
FAKENETWORK=x.x.0.0/16
IDEV=eth1 #Device connected to the Internet
LDEV=eth0 #Device connected to the Local Network

#load all necessary patches to allow ip masq support
/sbin/depmod -a
/sbin/modprobe /lib/modules/2.2.x/ipv4/ip_masq_portfw.o
/sbin/modprobe /lib/modules/2.2.x/ipv4/ip_masq_autofw.o
/sbin/modprobe /lib/modules/2.2.x/ipv4/ip_masq_ftp.o ports=21
/sbin/modprobe /lib/modules/2.2.x/ipv4/ip_masq_irc.o ports=6667,6668,6669,700,1024,1025,1026,1027,1028,1029

# Flush all ipchains
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output

# Default to DENY
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY

# Allow from intranet to internet for tcp and udp
/sbin/ipchains -A input -p tcp -i $LDEV -j ACCEPT
/sbin/ipchains -A input -p udp -i $LDEV -j ACCEPT

# Allow all local connections
/sbin/ipchains -A input -s 127.0.0.1/32 -d 0/0 -j ACCEPT

# Allow return connections from internet to intranet on high port numbers
# exclude 6000-6010 - these may be used for X
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 1024:5999 -j ACCEPT
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 6011:65535 -j ACCEPT
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 1024:5999 -j ACCEPT
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 6011:65535 -j ACCEPT

# Limit ICMP traffic
/sbin/ipchains -A input -s $FAKENETWORK -i $LDEV -p icmp -j ACCEPT
/sbin/ipchains -A input -i $IDEV -p icmp -s 0/0 0 -d $REALIP -j ACCEPT
/sbin/ipchains -A input -i $IDEV -p icmp -s 0/0 3 -d $REALIP -j ACCEPT
/sbin/ipchains -A input -i $IDEV -p icmp -s 0/0 11 -d $REALIP -j ACCEPT
/sbin/ipchains -A input -i $IDEV -p icmp -d 0/0 -j DENY

# Limit all Internet TCP/UDP traffic to certain ports. The DENY rules below
# carve ranges out of 1:1023; the final ACCEPT rule lets the gaps through.
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 1:20 -j DENY
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 1:20 -j DENY
# Leave 21 (ftp) and 22 (ssh2) open, deny 23-52
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 23:52 -j DENY
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 23:52 -j DENY
# Leave 53 (DNS) open, deny 54-79
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 54:79 -j DENY
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 54:79 -j DENY
# Leave 80 (http) open, deny 81-112
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 81:112 -j DENY
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 81:112 -j DENY
# Leave 113 (IDENT) open, deny 114
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 114 -j DENY
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 114 -j DENY
# Leave 115 (sftp, secure ftp) open, deny 116-1023
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 116:1023 -j DENY
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 116:1023 -j DENY
# If none of the DENY rules matched, allow what is left of 1:1023
/sbin/ipchains -A input -p tcp -i $IDEV -d 0/0 1:1023 -j ACCEPT
/sbin/ipchains -A input -p udp -i $IDEV -d 0/0 1:1023 -j ACCEPT

# Turn on IP Masquerading for intranet to internet
# Put in an extra Line in the hopes of catching Spoof attacks
/sbin/ipchains -A forward -i $LDEV -s $FAKESUBNET -l -j DENY
/sbin/ipchains -A forward -i $IDEV -s $FAKESUBNET -j MASQ

echo Done Here
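ipchains evaluates a chain top to bottom and the first matching rule decides; a packet that matches nothing falls through to the chain policy. The DENY-then-ACCEPT pattern in the script above depends on that, and it is easy to misread which ports actually end up open. The following simulator is an added example, not part of the original mail: it replays the script's TCP/UDP input-chain rules (loopback and ICMP rules are left out) with the script's own eth0/eth1 names and reports the ports that are accepted from the Internet side.

```python
"""First-match simulator for the TCP/UDP rules of the ipchains input chain above.
Added example; it models rule order and the DENY policy, nothing kernel-side."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDEV = "eth1"  # Internet-facing device, as in the script
LDEV = "eth0"  # LAN-facing device, as in the script
POLICY = "DENY"  # /sbin/ipchains -P input DENY


@dataclass(frozen=True)
class Rule:
    proto: str                          # "tcp" or "udp"
    iface: str                          # interface named by -i
    dports: Optional[Tuple[int, int]]   # inclusive destination port range, None = any
    target: str                         # "ACCEPT" or "DENY"


def _r(proto: str, iface: str, target: str,
       lo: Optional[int] = None, hi: Optional[int] = None) -> Rule:
    """Build one rule; a single port is given as lo with hi omitted."""
    if lo is None:
        return Rule(proto, iface, None, target)
    return Rule(proto, iface, (lo, lo if hi is None else hi), target)


# The script's input-chain rules for TCP and UDP, in the order they are appended.
INPUT_CHAIN: List[Rule] = []
for p in ("tcp", "udp"):
    INPUT_CHAIN.append(_r(p, LDEV, "ACCEPT"))                 # anything arriving from the LAN
for p in ("tcp", "udp"):
    INPUT_CHAIN += [_r(p, IDEV, "ACCEPT", 1024, 5999),        # "return" traffic on high ports,
                    _r(p, IDEV, "ACCEPT", 6011, 65535)]       # skipping 6000-6010 (X11)
for lo, hi in ((1, 20), (23, 52), (54, 79), (81, 112), (114, 114), (116, 1023)):
    for p in ("tcp", "udp"):
        INPUT_CHAIN.append(_r(p, IDEV, "DENY", lo, hi))       # carve-outs from 1:1023
for p in ("tcp", "udp"):
    INPUT_CHAIN.append(_r(p, IDEV, "ACCEPT", 1, 1023))        # whatever the carve-outs left


def verdict(proto: str, iface: str, dport: int, chain: List[Rule] = INPUT_CHAIN) -> str:
    """Target of the first matching rule, or the chain policy if none matches."""
    for rule in chain:
        if rule.proto != proto or rule.iface != iface:
            continue
        if rule.dports is not None and not (rule.dports[0] <= dport <= rule.dports[1]):
            continue
        return rule.target
    return POLICY


def accepted_ranges(proto: str, iface: str) -> List[Tuple[int, int]]:
    """Collapse per-port verdicts into inclusive ranges of ACCEPTed destination ports."""
    ranges: List[Tuple[int, int]] = []
    for port in range(1, 65536):
        if verdict(proto, iface, port) != "ACCEPT":
            continue
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1] = (ranges[-1][0], port)   # extend the current run
        else:
            ranges.append((port, port))          # start a new run
    return ranges


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(f"{proto} accepted from {IDEV}:", accepted_ranges(proto, IDEV))
```

Running it shows the low ports that stay open from the Internet are exactly 21-22, 53, 80, 113 and 115, plus 1024-5999 and 6011-65535. One caveat worth keeping in mind: ipchains has no connection tracking, so those two high-port ACCEPT rules admit any unsolicited packet to 1024+ on the masq box itself, not only replies to outbound connections. Any service the box runs on a high port should therefore be bound to the LAN address only, or given its own DENY rule ahead of them.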

Here are a few pointers if you manually put together /etc/smb.conf on a
machine with two NICs:
1. Specify the interface to attach to.  (ex. interfaces = x.x.x.0/24)
2. Specify the IP address range(s) that can access the server (ex. hosts allow = x.x.x.)
3. Use encrypted passwords.
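The [global] section that those three pointers translate into, as an added illustration rather than text from the original mail (addresses are placeholders to substitute, as in the rest of the mail). `bind interfaces only` is included because `interfaces` alone tells Samba which networks it serves but does not stop smbd from listening on the Internet-facing NIC; `hosts deny = ALL` makes the allow list the only way in.

```ini
[global]
   ; LAN subnet only; the Internet-facing NIC is not listed
   interfaces = x.x.x.0/24 127.0.0.1/8
   ; actually bind sockets only to the interfaces above
   bind interfaces only = yes
   ; LAN prefix plus loopback may connect; everything else is refused
   hosts allow = x.x.x. 127.
   hosts deny = ALL
   encrypt passwords = yes
```

Samba treats `#` and `;` as comment markers only at the start of a line, so keep comments on their own lines rather than after a value.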

With Samba you should be able to hook into NT domains if you wish, but I have
not done that yet.  Most of my experience is with using user level permissions
on a lone Linux box.

Here is an example dhcpd.conf file on a machine with two interfaces (one
internet, one intranet):
option subnet-mask 255.255.255.0;
option broadcast-address x.x.x.255;
option routers x.x.x.1;
option domain-name-servers x.x.x.x, x.x.x.x;
option domain-name "mydomain";

#Example of static assignment of IP address
host myHost {
  hardware ethernet xx:xx:xx:xx:xx:xx;
  fixed-address x.x.x.x;
}

#Example of dynamic assignment of IP address range
subnet x.x.x.0 netmask 255.255.255.0 {
   range x.x.x.101 x.x.x.254;
}

subnet x.x.x.0 netmask 255.255.255.0 {
}

I hope this helps.