--- Reply to a message --- By: Jools Smyth ->: a Mail :>: [voyager] Re: Genesis setting.
> WinRoute is kinda good also, but commercial. Redhat does it for free with this script #!/bin/sh # # Configure safe networking practices for Linux 2.4 # # chkconfig: - 06 90 # description: Setup firewalling and network security # This assumes your Internet is on a PPP connection # and the local (trusted) LAN is eth0. # # To install this on a Red Hat 6.x system, save this script as # /etc/rc.d/init.d/securenet, then run the commands # # chmod 755 /etc/rc.d/init.d/securenet # /sbin/chkconfig --add securenet # /sbin/chkconfig --level 2345 securenet on # # The "iptables" command is available from http://netfilter.kernelnotes.org/ # An rpm-package is available from Red Hat's contrib-section # # Henrik St�rner, [EMAIL PROTECTED] # PATH=/bin:/sbin:/usr/bin:/usr/sbin ######################################### # First setup some of the kernel features ######################################### # Disable forwarding - this is for a standalone system. # (For masquerading, see below). echo "0" >/proc/sys/net/ipv4/ip_forward # Enable syn-cookies (syn-flooding attacks) echo "1" >/proc/sys/net/ipv4/tcp_syncookies # Disable ICMP echo-request to broadcast addresses (Smurf amplifier) echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Shut off source-routing and enable IP spoof detection # It seems that this must be done for all network interfaces for f in /proc/sys/net/ipv4/conf/*; do # Drop all source-routed packets echo "0" >$f/accept_source_route # Enable source-address verification (anti spoofing). # The value 2 means use Ingress filtering as per RFC 1812. # Overhead is a little more than the simple routing check # (enabled with 1) but it negligible for most home users. echo "2" >$f/rp_filter done ###################### # Setup IP firewalling ###################### # Default policies iptables -P INPUT DROP # iptables -P INPUT ACCEPT iptables -P FORWARD DROP # iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT # flush them iptables -F INPUT iptables -F FORWARD iptables -F OUTPUT # Create a common chain for the INPUT and FORWARD handling # iptables -N block # iptables -F block # Allow traffic on established connections # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow new connections if not from the outside # iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT # Allow new connections to our public http service # For home users there are normally none # # How to do this depends on whether the service is running on the # firewall host itself, or on another system "behind" the firewall # (on the internal LAN, or a separate network segment - so called DMZ). # # The following command is needed in both cases: # iptables -A block -m state --protocol tcp --state NEW --destination-port http -j ACCEPT # If the service is running on another host (here: 192.168.11.22), you must # do "port forwarding" like this (no need for ipmasqadm anymore): # iptables -t nat -A PREROUTING --protocol tcp --destination-port http -j DNAT --to 192.168.11.22 # iptables -t nat -A PREROUTING --protocol tcp --destination-port ircd -j DNAT --to 192.168.1.2 # Block anything else # iptables -A block -j LOG # Activate the new chain # iptables -A INPUT -j block # iptables -A FORWARD -j block #################### # Setup Masquerading #################### # Setup NAT for outgoing connections from the local network ### NB: This is disabled by default. If you want to use ### ### masquerading, just remove the "###" comment-markers ### ### from the lines below. ### iptables -t nat -F POSTROUTING iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # enable hacks modprobe ip_conntrack_ftp modprobe ip_conntrack_irc modprobe ip_nat_ftp modprobe ip_nat_irc # now irc and ftp works :-) # # NB: On Red Hat systems, forwarding is controlled in /etc/sysctl.conf ! # You need to set net.ipv4.ip_forward=1 in this file, or the # command below will have no effect. # echo "1" >/proc/sys/net/ipv4/ip_forward -- Benny Pedersen http://xpoint.ldnet.dk/ icq:36248146 � Have a happy Christmas ! 8) ...Injustice anywhere is a threat to justice everywhere. _____________________________________________________________________ Voyager Mailing List - http://v3.vapor.com/ Voyager FAQ....: http://faq.vapor.com/voyager/ Listserver Help: mailto:[EMAIL PROTECTED]?Subject=HELP Unsubscribe....: mailto:[EMAIL PROTECTED]?Subject=UNSUBSCRIBE
