Re: activating ipchains & ip masqurading ...
Jamin W. Collins wrote:
> On Tue, 28 May 2002 15:30:04 +0200
> "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
>
> > Jamin W. Collins wrote:
> > > On Tue, 28 May 2002 15:02:24 +0200
> > > "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
> > > > wotan:~ # cat masquerading
> > > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > >
> > > I trust you understand just how insecure that script is, right?
> >
> > I think for a home LAN, say a trusted LAN, it's OK, and I've understood
> > that the question was for such a LAN to connect to the internet.
> > If I got something wrong, one way or the other, please correct me.
>
> I believe you understood both questions, and the posted script will
> provide the basic functionality. However, the insecurities that I'm
> referring to are not concerning how the script behaves with your internal
> (aka trusted) segment so much as the external (aka untrusted) segment.
>
> With the above script, you've left all policies at their defaults of
> "ACCEPT". Thus, the NAT'ing box is fully exposed to the internet. Unless
> you've taken other steps to limit/eliminate unused services, this box is
> most likely open in one way or another. Don't get me wrong, I'm aware
> that a box without a firewall at all can be just as secure (possibly even
> more so) than one with one. However, if you are already using the
> firewall tool to provide NAT'ing for your network, you might want to
> consider using its other features to add another layer of protection to
> your network.

Ah, now I understand what you mean. Well, the box connected to the
internet has only the SMTP and SSH ports open, so I think it's pretty
secure. The MTA is qmail, without relaying or the like activated. Sure,
it would be more secure to accept only ssh connections from the LAN to the
box, but sometimes I want friends to be able to connect to the box via ssh
over the internet. For these reasons I don't have a firewall running.
Allowing only some IPs to connect to ssh won't work; my friends have no
static IP.

--
There are only two ways to live your life. One is as though nothing is a
miracle. The other is as though everything is. [Albert Einstein]

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of
"unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: activating ipchains & ip masqurading ...
On Tue, 28 May 2002 15:30:04 +0200
"Marcus Przyklink" <[EMAIL PROTECTED]> wrote:

> Jamin W. Collins wrote:
> > On Tue, 28 May 2002 15:02:24 +0200
> > "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
> > > wotan:~ # cat masquerading
> > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > echo 1 >/proc/sys/net/ipv4/ip_forward
> >
> > I trust you understand just how insecure that script is, right?
>
> I think for a home LAN, say a trusted LAN, it's OK, and I've understood
> that the question was for such a LAN to connect to the internet.
> If I got something wrong, one way or the other, please correct me.

I believe you understood both questions, and the posted script will
provide the basic functionality. However, the insecurities that I'm
referring to are not concerning how the script behaves with your internal
(aka trusted) segment so much as the external (aka untrusted) segment.

With the above script, you've left all policies at their defaults of
"ACCEPT". Thus, the NAT'ing box is fully exposed to the internet. Unless
you've taken other steps to limit/eliminate unused services, this box is
most likely open in one way or another. Don't get me wrong, I'm aware
that a box without a firewall at all can be just as secure (possibly even
more so) than one with one. However, if you are already using the
firewall tool to provide NAT'ing for your network, you might want to
consider using its other features to add another layer of protection to
your network.

--
Jamin W. Collins
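Jamin's point in working form, as an added example that is not part of the thread and not anyone's posted script: the two-line masquerading script is kept as it is, and the INPUT and FORWARD chains get a DROP policy so that from the ppp0 side only the two services Marcus says the box offers (SSH on 22, SMTP on 25) are reachable, while the LAN side stays trusted. The LAN interface name eth0, the prefix 192.168.1.0/24 and the helper function names are assumptions for illustration; the `-m state` match is the iptables syntax of the 2.4 kernels discussed in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: the thread's masquerading script plus
# default-DROP policies on INPUT and FORWARD, so the NAT box itself answers
# on the untrusted side only on the ports it deliberately offers (SSH and
# SMTP, as described in the thread). Interface names and the LAN prefix
# below are assumptions for illustration.
WAN_IF="${WAN_IF:-ppp0}"              # untrusted side (the dial-up link in the thread)
LAN_IF="${LAN_IF:-eth0}"              # trusted side (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # trusted LAN prefix (assumed)

# Print the rule set, one command per line, so it can be reviewed before it
# is applied. Order matters: loopback and established traffic first, then
# the trusted LAN, then the two public services, everything else hits DROP.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Default policy the generated rule set assigns to a chain (INPUT, FORWARD, OUTPUT).
policy_of() {
    build_rules | awk -v chain="$1" '$2 == "-P" && $3 == chain { print $4 }'
}

# TCP ports on which the untrusted interface accepts NEW connections,
# space-separated in rule order; anything not listed falls through to DROP.
wan_open_ports() {
    build_rules | awk -v wan="$WAN_IF" '
        $2 == "-A" && $3 == "INPUT" && $4 == "-i" && $5 == wan {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") { printf "%s%s", sep, $(i + 1); sep = " " }
        }'
}

# Install the rule set and enable forwarding; needs root and iptables present.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "apply_rules: iptables not found" >&2; return 1; }
    build_rules | sh -e || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: ./masquerade.sh        -> print the rules for review
#        ./masquerade.sh apply  -> install them (as root)
case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run without arguments it only prints the rules, which is the form to check before installing anything on a box that is reachable over a dial-up link: the `policy_of` and `wan_open_ports` helpers answer the two questions Jamin raises (what the default policy is, and which ports the untrusted side can reach) without touching the kernel.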
Re: activating ipchains & ip masqurading ...
Jamin W. Collins wrote:
> On Tue, 28 May 2002 15:02:24 +0200
> "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
>
> > Well, seems that he wants just ip-masquerading, then I would recommend
> > installing a newer kernel (2.4.x) and doing it with iptables. I have a
> > simple script to activate ip-masquerading and let the LAN connect to the
> > internet:
> >
> > wotan:~ # cat masquerading
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > echo 1 >/proc/sys/net/ipv4/ip_forward
>
> I trust you understand just how insecure that script is, right?

I think for a home LAN, say a trusted LAN, it's OK, and I've understood
that the question was for such a LAN to connect to the internet.
If I got something wrong, one way or the other, please correct me.

--
There are only two ways to live your life. One is as though nothing is a
miracle. The other is as though everything is. [Albert Einstein]
Re: activating ipchains & ip masqurading ...
On 2002.05.28 09:02 Marcus Przyklink wrote:
> Cam Ellison wrote:
> > * faisal gillani ([EMAIL PROTECTED]) wrote:
> > > I have installed Debian 2.2 on my server; now I want to
> > > activate ipchains & IP masquerading on it ...
> > > how should I do this?
> >
> > In a phrase, RTFM. Want more detail? Firewall HOWTO:
> > /usr/share/doc/HOWTO/en-html/Firewall-HOWTO.html
>
> Well, seems that he wants just ip-masquerading, then I would recommend
> installing a newer kernel (2.4.x) and doing it with iptables. I have a
> simple script to activate ip-masquerading and let the LAN connect to the
> internet:

The IP Masquerade HOWTO[1] contains information for setting up IP
Masquerading under 2.0, 2.2 and 2.4 kernels. The Linux IP Masquerade
Resource Web site[2] contains even more information.

HTH,
Ian

1. http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
2. http://ipmasq.cjb.net
Re: activating ipchains & ip masqurading ...
On Tue, 28 May 2002 15:02:24 +0200
"Marcus Przyklink" <[EMAIL PROTECTED]> wrote:

> Well, seems that he wants just ip-masquerading, then I would recommend
> installing a newer kernel (2.4.x) and doing it with iptables. I have a
> simple script to activate ip-masquerading and let the LAN connect to the
> internet:
>
> wotan:~ # cat masquerading
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> echo 1 >/proc/sys/net/ipv4/ip_forward

I trust you understand just how insecure that script is, right?

--
Jamin W. Collins
Re: activating ipchains & ip masqurading ...
Cam Ellison wrote:
> * faisal gillani ([EMAIL PROTECTED]) wrote:
> > I have installed Debian 2.2 on my server; now I want to
> > activate ipchains & IP masquerading on it ...
> > how should I do this?
>
> In a phrase, RTFM. Want more detail? Firewall HOWTO:
> /usr/share/doc/HOWTO/en-html/Firewall-HOWTO.html

Well, seems that he wants just ip-masquerading, then I would recommend
installing a newer kernel (2.4.x) and doing it with iptables. I have a
simple script to activate ip-masquerading and let the LAN connect to the
internet:

wotan:~ # cat masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward

If I misunderstood him and he wants more than just IP masquerading, then
the Firewall HOWTO should be helpful.

--
Many think they are free because they can do what they want, and yet do
not notice that they carry their dictatorship within themselves.
[Ernesto Cardenal]
Re: activating ipchains & ip masqurading ...
Hi,

first of all you must have enabled IP masquerading within the kernel. If
you have done this, your next step is to generate a script with all your
ipchains rules. For detailed information take a look in /usr/share/doc or
the manpages for ipchains. To activate masquerading you also have to put
the following line into your script:

echo 1 > /proc/sys/net/ipv4/ip_forward

chmod your script executable and make a softlink in /etc/rc2.d/ to bring
the script up automatically at every boot.

That's the way I did it.

Frank

--
$ Hello World!
$ I am [Ff]rank ;)
1024D/EC4CE5CC 2002-05-14 Frank Brodbeck <[EMAIL PROTECTED]>
fingerprint = 193D 62EC 03A5 1066 A951 4DA3 947A D578 EC4C E5CC
Re: activating ipchains & ip masqurading ...
Isn't it just a simple 'apt-get install ipmasq'? It's been a while since I
did this on Debian 2.2, but I thought that was a lot easier than following
the HOWTOs. One of those wonderful 'just works' packages.

--
James Cameron ([EMAIL PROTECTED])
http://quozl.linux.org.au/ (or) http://quozl.netrek.org/
RE: activating ipchains & ip masqurading ...
> I have installed Debian 2.2 on my server; now I want to
> activate ipchains & IP masquerading on it ...
> how should I do this?

Personally I would install shorewall.
Re: activating ipchains & ip masqurading ...
* faisal gillani ([EMAIL PROTECTED]) wrote:
> I have installed Debian 2.2 on my server; now I want to
> activate ipchains & IP masquerading on it ...
> how should I do this?

In a phrase, RTFM. Want more detail? Firewall HOWTO:
/usr/share/doc/HOWTO/en-html/Firewall-HOWTO.html

Cam

--
Cam Ellison Ph.D. R.Psych.
From Roberts Creek on B.C.'s incomparable Sunshine Coast
[EMAIL PROTECTED]
[EMAIL PROTECTED]