On Tue, 24 Jul 2001, int27h wrote:
> Dear Experts,
>
> Here is my testing lab
>
> [192.168.0.147]
> |
> |
> [192.168.0.8]
> [192.168.1.1]
> |
> |
> [192.168.1.10]
>
>
> I installed my RH71 for firewall study. I installed it as Server security
> High. As the first installation, Fresh without any changes..just startup IP
> configuration.
>
> I try to block the ping from 192.168.1.10 to 192.168.0.8. I tried to do it
> by using
> echo "0" > /proc/sys/net/ipv4/ip_forward
> but it seems I'm still able to do the ping command
>
> the second one is I try to fwd the ping command from 192.168.1.10 to
> 192.168.147 but the message is Request timed out (though I set ip_forward
> to "1")
>
> hhhhh this is the second day I got frustrated :-)
>
> Could you guys, the firewall expert help me out from this dungeon...God
> knows me coz I'm dumb :-(
>
> Muchas Gratias
I need to mess with your diagram a bit:
192.168.0.147 ('protected' behind firewall)
|
|
192.168.0.8 (eth1)
192.168.1.1 (eth0)
|
|
192.168.1.10 (simulated evil dude)
You should never be able to ping the 'protected' machine from outside. To
allow the protected machine to ping the 'evil dude' do this:
echo "1" > /proc/sys/net/ipv4/ip_forward
(or edit /etc/sysctl.conf and change it there)
and change/add these lines to /etc/sysconfig/ipchains:
:forward DENY (policy, deny all forwarding)
-A input -i eth1 -j ACCEPT (trust all traffic entering eth1)
-A forward -i eth0 -j MASQ (masquerade traffic out to eth0)
And then issue the command: service ipchains restart
Before I get flamed for explaining ipchains rules, he mentioned he is
using the lokkit firewall built into the installer, and it uses ipchains.
I haven't mastered iptables yet myself, but I know it is a matter of time
until I have to.
--
Chris Kloiber, RHCE
Enterprise Support - Red Hat, Inc.
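As an added illustration (not part of Chris's reply or of Red Hat's tooling): a small Python model of the forward-chain decisions in the setup above, using the lab's own addresses. It assumes the routes implied by the diagram (192.168.0.0/24 behind eth1, 192.168.1.0/24 behind eth0) and models only ip_forward and the forward chain, not lokkit's input-chain rules, which are not shown in the thread.

```python
import ipaddress

# Constructed model of the lab in the thread: the firewall owns both addresses,
# 192.168.0.0/24 sits behind eth1 and 192.168.1.0/24 behind eth0 (assumed routes).
LOCAL_ADDRS = {"192.168.0.8", "192.168.1.1"}
ROUTES = {ipaddress.ip_network("192.168.0.0/24"): "eth1",
          ipaddress.ip_network("192.168.1.0/24"): "eth0"}

# The forward chain from the reply: policy DENY plus one rule. In ipchains the
# "-i" of a forward-chain rule names the interface the packet will LEAVE on.
FORWARD_POLICY = "DENY"
FORWARD_RULES = [{"out_iface": "eth0", "target": "MASQ"}]


def out_iface(dst):
    """Routing decision: which interface a destination is reached through."""
    for net, iface in ROUTES.items():
        if ipaddress.ip_address(dst) in net:
            return iface
    return None


def forward_verdict(src, dst, ip_forward=1):
    """What the firewall does with a packet src -> dst arriving from a neighbour."""
    if dst in LOCAL_ADDRS:
        # Addressed to the box itself: delivered locally via the input chain,
        # so ip_forward=0 does not stop it (the poster's first puzzle).
        return "LOCAL"
    if not ip_forward:
        # Transit packets are dropped by the kernel before any chain is consulted.
        return "NOT_FORWARDED"
    iface = out_iface(dst)
    for rule in FORWARD_RULES:
        if rule["out_iface"] == iface:
            return rule["target"]
    return FORWARD_POLICY


if __name__ == "__main__":
    cases = [("192.168.1.10", "192.168.0.8", 0),
             ("192.168.1.10", "192.168.0.147", 1),
             ("192.168.0.147", "192.168.1.10", 1)]
    for src, dst, fwd in cases:
        print(f"{src} -> {dst} (ip_forward={fwd}): {forward_verdict(src, dst, fwd)}")
```

Running it shows the evil dude's ping to the protected host hitting the DENY policy while the protected host's ping is masqueraded out eth0, and why pinging 192.168.0.8 was never a forwarding question at all.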
_______________________________________________
Seawolf-list mailing list
https://listman.redhat.com/mailman/listinfo/seawolf-list