1.0 Overview
Basic description of article scope - target audience, who this is for, what IP Masquerading is not
2.0 Deployment
Description of the solution to be implemented in this article - one Linux router, one Windows 95 client
2.1 Linux Router Box Specification
2.2 Windows 95 Masquerading Client Box Specification
3.0 How Your Network Should Look
This section is intended to give the reader an idea of how their network should currently look to be able to benefit from IP Masquerading.
4.0 Linux Router Configuration
This section describes the configuration of the Linux router to allow it to act as an IP Masquerading firewall.
4.1 Assigning an IP Address to the Linux Network Interface Card
4.1.1 A Word on IP Addressing and Private Address Ranges
4.2 Assigning the IP Address to the Network Card At Boot Time
4.3 Configuring the PPP/Modem Dialup Connection
4.4 Configuring Which Nameserver The Router Should Use
4.4.1 What Is A Domain Name Server Anyway?
4.4.2 Configuring The Linux Router To Use DNS
4.5 Installing The Masquerading Firewall
4.5.1 What Is A Masquerading Firewall Anyway?
4.5.2 What Is IPCHAINS?
4.5.3 Checking To See If IPCHAINS Is Installed
4.5.4 Installing IPCHAINS
4.5.5 Installing and Configuring The 'rc.firemasq' Script
4.5.6 Setting Up The 'rc.firemasq' Script
4.5.7 Running The Script
5.0 Configuring the Windows 95 Masquerading Client
This section describes the configuration of the Win95 machine to allow it to connect to the internet via the Linux router.
5.1 Installing TCP/IP On The Windows 95 Machine
5.2 Assigning A Static IP Address Of 192.168.0.10 To The Windows 95 Machine
5.3 Configuring The Masqueraded Windows 95 Machine To Use The Linux Router As A Gateway
5.4 Configuring The Masqueraded Windows 95 Machine To Use The External DNS Server
6.0 Testing the IP Masquerading Setup
6.1 Bring Up The PPP Internet Connection On The Linux Router
6.2 Testing Connectivity From The Linux Router To The External Network/Internet
6.3 Test Connectivity From The Windows 95 Masqueraded Client To The Linux Router
6.4 Test Connectivity From The Windows 95 Masqueraded Client To The External Network/Internet
7.0 Checking The Firemasq Logs
7.1 Configuring The Destination Of 'ipchains' Log Output
7.2 A Note On Creating Rules That Log When Matched
7.3 Viewing 'ipchains' Logs
7.4 A Tip On Monitoring Log Files
8.0 Conclusion
Closing remarks and a note on getting help.
Appendix A: Reference Section
A list of references used in this document and recommended reading.
Appendix B: Original 'firemasq' Script
1.0 Overview
This text is aimed at the home LAN user who wants to use a single internet connection to allow more than one machine access to the internet at the same time. This is commonly called 'IP Masquerading'. We will deploy a Linux masquerading firewall solution using ipchains to allow the internet connection from the Linux router to be shared with one other machine on the Local Area Network (LAN).
Important
IP Masquerading is not IP spoofing, i.e. forging one's IP address in order to deceive a target host or to become anonymous. IP Masquerading simply allows more than one machine to share the same IP address - the machines which are not allocated the single IP address are the masqueraded clients; they use masqueraded IP addresses to communicate with the external network or internet.
2.0 Deployment
The method of deployment we shall describe is as follows:
2.1 Linux Router Specification
One P166 32MB 1.6GB HDD, configured as a Linux router with support for Firewalling and IP Masquerading:
This machine will be built using Linux Mandrake release 7.1 (helium), kernel 2.2.15-4mdk. Support for firewalling and IP masquerading will be implemented using the 'ipchains' TCP/IP packet filter. The router will be connected to the internet via a Point-to-Point Protocol (PPP) connection using a US Robotics 56k modem. In turn the router will be connected to the Windows 95 client via an Ethernet connection using a Compaq Netelligent 10/100 Network Interface Card (NIC). The NIC will be assigned an IP address of 192.168.0.1 (the connection to the Win95 client) and the external/PPP interface will be assigned an IP address dynamically on each successful 'dialup' to the ISP.
Note: Any Linux distribution will suffice - provided that the kernel has built in support for IP Masquerading.
2.2 Windows 95 Masquerading Client Specification
One P166 48MB 20GB HDD, configured as a Windows 95 Masqueraded Client:
This machine will be built simply with Windows 95 OSR2. This machine will be the masqueraded client, the machine which will share the connection to the internet with the Linux machine. The client will be connected to the router via an Ethernet interface using a 3Com 3c509 NIC. The client will be assigned a static IP address of 192.168.0.10.
3.0 How Your Network Should Look
Please take the time to have a quick look at the following ASCII art diagram. It shows a very basic network structure: one machine connected to the other by a network cable (ETH0 in the diagram below) and one machine connected to the internet via a modem (PPP0 in the diagram below).
                      ___________________________________________
                     |  __________     LAN      _______________  |
   _/\__/\_          | |          |            |               | |
  /        \         | | Firewall |            |  Masqueraded  | |
 / Internet \--(PPP0)--|  System  |---(ETH0)---| Workstation/s | |
 \_ _ _ _ _/         | |__________|            |_______________| |
   \/ \/ \/          |___________________________________________|
This is how the network should look from a basic connectivity point of view. The firewall/router machine has the connection to the internet (via PPP) and the masqueraded client(s) are connected on a LAN to the firewall/router using TCP/IP. In the following sections we will discuss the configuration of the network in more depth - for now you should be happy if your network resembles the diagram above!
4.0 Linux Router Configuration
Important
For the configuration of the Linux router you should be logged in as uid 0 (i.e. a login with root privileges - logging in as root works best;).
Our diagram at the end of the last section showed the status of our network so far:
                      ___________________________________________
                     |  __________     LAN      _______________  |
   _/\__/\_          | |          |            |               | |
  /        \         | | Firewall |            |  Masqueraded  | |
 / Internet \--(PPP0)--|  System  |---(ETH0)---| Workstation/s | |
 \_ _ _ _ _/         | |__________|            |_______________| |
   \/ \/ \/          |___________________________________________|
We will now concentrate on configuring the Linux/Firewall routing machine. The following diagram shows in more detail how the Linux router's network interfaces will be configured:
                     __________
   (ppp0, dyn. IP)  |          |  (eth0, 192.168.0.1)
                   \| Firewall |/
   to internet <----|  System  |----> to win95 box
                    |__________|
We see in the diagram that the NIC connecting the Linux router to the masqueraded client (eth0) will be assigned the address '192.168.0.1' and the PPP/dialup interface connecting the Linux router to the internet (ppp0), will be assigned an IP address dynamically.
This section covers the following:
- 4.1 - Assigning an IP address to the Linux Network Interface Card
- 4.2 - Assigning that IP address to the network card at boot time
- 4.3 - Configuring the PPP/modem dialup connection
- 4.4 - Configuring which nameserver the router should use
- 4.5 - Installing the firewall / packet filter 'ipchains' and a script 'rc.firemasq' which will create the ipchains rule-set allowing us to use the machine as a masquerading firewall router
4.1 Assigning an IP Address to the Linux Network Interface Card
One of the stock tools used in configuring networking under Linux is 'ifconfig'. 'ifconfig' is short for 'Network Interface Configuration'. A network interface in Linux is a device which allows network communication through it.
For example, the first network card/interface is named eth0, the second NIC eth1 and so on. Similarly, the first PPP or dialup interface is named ppp0 etc. A very useful interface in Linux is the Loopback Interface, named lo in Linux - the 'lo' interface allows us to test servers/daemons which we may have running by connecting to our own machine using the 'lo' interface.
By assigning an IP address to the network interface, we give the machine an address on the local network, an address which will allow the masqueraded client (the win95 machine) to connect to the router for the purposes of sharing the internet connection.
4.1.1 A Word on IP Addressing and Private Address Ranges
We will use the private address range 192.168.0.0 to 192.168.0.255 (or 192.168.0.0/24) for our LAN; all addresses within this range are private and cannot be assigned to machines for communication on the internet - hence it is perfectly fine for LAN machines to be assigned addresses from this range (for more information see RFC1918: Address Allocation for Private Internets).
Important
If you already have an IP address assigned to your Network Interface Card and are happy with your setup, please feel free to use it - obviously however you will need to substitute your address range/IP addresses for those used here (192.168.0.0/24).
We will assign the address '192.168.0.1' to the network interface card, eth0; this should be the network card that connects your Linux machine to the Windows 95 client - if not, replace 'eth0' with the device which connects your Linux machine to the Win95 machine.
To do so we need to use ifconfig, issuing the command 'ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up' at the bash command line:
[root@localhost /root]# ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up
eepro100.c: $Revision: 1.20.2.3 $ 2000/03/02 Modified by Andrey V. Savochkin and others
This configures the first NIC to use the address 192.168.0.1 with a network mask of 255.255.255.0 and brings the interface up (ignore the netmask and up parts if you like - for a 192.168.x.x address ifconfig defaults to a netmask of 255.255.255.0, and it brings the interface up when you assign an address even if you don't specify 'up' as an argument).
Important
Note the line:
eepro100.c: $Revision: 1.20.2.3 $ 2000/03/02 Modified by Andrey V. Savochkin and others
This means that Linux is using the driver/module 'eepro100.c' for my network card - you must ensure the correct modules are installed for your network card - see the 'Net3-HOWTO' for further details.
We can check that the Network Card eth0 has been assigned the address correctly now using ifconfig without any arguments:
[root@localhost /root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:08:C7:BB:75:79
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x6000
The important part here is that pertaining to 'eth0', of course. We see the address 192.168.0.1 has been assigned correctly, along with various other very useful details (which aren't actually useful to us here!=). If you have trouble assigning the address to eth0 at this point, I suggest you read the NET-HOWTO and Ethernet-HOWTO - see the Reference section for further details.
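The two checks just made by eye (does ifconfig report an address on the LAN interface, and is that address in a private range as section 4.1.1 requires?) can be scripted. The following is an added example, not part of the original article: a POSIX shell function that extracts the 'inet addr' from old-style ifconfig output, and a second one that verifies the address lies in one of the RFC1918 ranges (all three of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which is broader than the single 192.168.0.0/24 block used in this article). The sample ifconfig text is a constructed copy of the output above plus an unconfigured interface; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): script the checks section 4.1 makes
# by eye. Function names and sample data below are constructed for this example.

# Print the IPv4 address from old-style ifconfig output read on stdin.
# Fails (exit 1) when no 'inet addr:' line is present, e.g. an interface
# that has not been configured, instead of silently yielding an empty string.
inet_addr_from_ifconfig() {
    addr=$(sed -n 's/^.*inet addr:\([0-9][0-9.]*\).*$/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Return 0 if the dotted-quad argument lies in 10/8, 172.16/12 or 192.168/16
# (the RFC1918 private ranges), 1 otherwise.
is_rfc1918() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case "$1" in
        10)  return 0 ;;
        172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
        192) if [ "$2" -eq 168 ]; then return 0; fi ;;
    esac
    return 1
}

# Combined check on ifconfig output from stdin: prints the LAN address and
# returns 0 only when an address is present and it is private.
check_lan_addr() {
    addr=$(inet_addr_from_ifconfig) || { echo "no IPv4 address on interface" >&2; return 1; }
    if is_rfc1918 "$addr"; then
        printf '%s\n' "$addr"
        return 0
    fi
    echo "$addr is not an RFC1918 address" >&2
    return 2
}

# Constructed samples: the eth0 block shown in the article, and a NIC that
# has never been given an address.
SAMPLE_ETH0='eth0      Link encap:Ethernet  HWaddr 00:08:C7:BB:75:79
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_DOWN='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# Stand-alone demo; on a live box the call is: ifconfig eth0 | check_lan_addr
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ETH0" | check_lan_addr
    printf '%s\n' "$SAMPLE_DOWN" | check_lan_addr || echo "unconfigured interface rejected"
fi
```

Run it as 'sh check_lan.sh --demo' to see both cases. The extraction deliberately fails when there is no 'inet addr:' line; the LOCALIP line of the rc.firemasq script later in this article uses grep and cut instead and would quietly produce an empty value for an interface that is down, so that the forward rule built from it is malformed.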
4.2 Assigning the IP Address to the Network Card At Boot Time
To assign the IP address to the network card at boot, you will need to use the 'netconf' utility (Linux Mandrake, though there should be a similar configuration tool for most other Linux distributions;). 'netconf' basically modifies various startup scripts located within '/etc/rc.d' and its subdirectories so that each time the machine is booted, the IP address you specify for eth0 in 'netconf' is allocated to eth0.
'netconf' is pretty straightforward under Linux Mandrake, so I won't go into massive detail here - a brief overview:
- Run 'netconf' from the command line.
- Select 'Basic Host Information'.
- Under 'Adaptor 1', change 'IP Address' to '192.168.0.1' and change 'Net device' to 'eth0' (providing your network card's kernel modules have been installed, the correct kernel module should be selected for you).
- Select 'Accept' and when prompted to activate the changes, do so. (Check to see what modifications have been made if you like;-).
If all is well, when issuing the command 'ifconfig' you should see the interface 'eth0' assigned the address '192.168.0.1' and after rebooting the eth0 interface should automatically be assigned the address.
4.3 Configuring the PPP/Modem Dialup Connection.
The Point-to-Point Protocol connection can be tricky to set up for the uninitiated user - my advice is to set aside a good few hours, get a bucket of coffee, print out the 'PPP-HOWTO' and read, play, read, play, etc...
We will use 'netconf' again to set up and configure our PPP connection. 'netconf' really does take the work out of setting up your network, although I highly recommend you attempt to understand fully what files netconf modifies and the way in which your network is initiated - again please read the relevant HOWTOs mentioned in this article.
- Run 'netconf' from the command line.
- Select 'PPP/SLIP/PLIP' from the netconf menu.
- Select 'Add' to add a PPP device.
- When prompted to select a type of interface, choose 'PPP' and then 'Accept'.
- Complete the details 'Phone Number', 'Login Name' and 'Password' for your login to your ISP's server. Also make sure you select the correct modem port, 'ttyS0' being the DOS equivalent of 'COM1', 'ttyS1'==COM2, etc... Unless you know you use PAP to authenticate, leave the PAP checkbox alone - you can always come back later and change it. When you're done, select 'Accept'.
- Select 'Quit' to exit the PPP configuration box.
- Select 'Quit' to exit 'netconf'.
That's it! Your PPP connection should now be configured correctly. If all is well you should be able to connect to the internet now via your modem by issuing 'ifup ppp0' from the command line. If you are unable to connect from the linux router to the internet at this point, you should consult the PPP-HOWTO for full details on initiating a PPP connection. Please see the References section for full details on obtaining help before contacting me or others for help;-).
4.4 Configuring Which Nameserver The Router Should Use.
4.4.1 What Is A Domain Name Server Anyway?
Currently we should be able to make a connection to the internet okay, but we will be unable to do anything productive. For example, attempting to view a website 'www.asite.com' on the internet will result in failure - this is because our machine has no way of finding out where exactly 'www.asite.com' is located on the internet; our machine has no way of resolving 'www.asite.com' (the fully qualified domain name or FQDN) into its associated IP address (of the form 'w.x.y.z', i.e. 213.1.23.233).
To be able to correctly resolve FQDN's to their corresponding IP addresses, our machine must use a DNS Nameserver.
You should be able to obtain the IP address of your nearest DNS nameserver from your ISP. If this isn't feasible for whatever reason, there are various ways of determining what DNS server you should use. We will cover one method here involving the use of an internet connected windows machine:
- Using a Win95 machine, dialup to the internet.
- After connecting and authenticating, run the command 'winipcfg.exe' from the 'Run' item on the 'Start' menu. 'winipcfg.exe' is a very simple but useful tool installed as part of Microsoft's implementation of the TCP/IP protocol suite (other useful tools installed with MS TCP/IP include 'netstat.exe', 'ping.exe', 'arp.exe', 'route.exe', 'telnet.exe', 'snmp.exe' and 'ftp.exe').
- Click on the 'More Info' button in the 'winipcfg' dialog box.
- The DNS server allocated to you by your ISP should be listed in the 'DNS Server' section! Make a note of this address for further reference.
4.4.2 Configuring The Linux Router To Use DNS
Now we have the IP address of the DNS server, we will move on to discuss configuring our Linux router to use that DNS server for name resolution:
- Run 'netconf' from the command-line.
- Select 'Nameserver specification (DNS)'.
- Check the checkbox next to 'DNS is required for normal operation'.
- For 'default domain', just put in the top level domain of your ISP (ie 'lineone.net' for me, 'rr.com', 'aol.com', 'microshoft.com' etc).
- For 'IP of nameserver 1' you need to put the IP address of a nameserver that's authoritative for your ISP (as located above).
- Leave the rest, unless you wish to add another nameserver for the sake of redundancy (just in case the first nameserver falls down!).
Just out of interest, the above procedure simply adds a couple of lines to the file /etc/resolv.conf:
domain lineone.net
nameserver 194.72.6.51
Note, this is my name server and at a pinch anyone could use it, anywhere in the world! However it's not advisable since if you live in Australia a great deal of time would be wasted using the same NS as me, halfway around the world!
If you have any problems with the configuration of either of the interfaces eth0 or ppp0, or your LAN in general, you must consult the relevant HOWTO's before mailing me or asking others for help. People don't mind helping, as long as you're in a position to understand what it is you need help with.
I highly recommend reading all the relevant HOWTOs before asking for help - namely the Ethernet-HOWTO (for finding out if your Ethernet network card is supported and what the relevant kernel modules are), the NET3-HOWTO (for information on setting up your LAN) and the PPP-HOWTO (for information on setting up PPP, surprise surprise;-). See the Reference Section at the end of this article for full details.
4.5 Installing The Masquerading Firewall
4.5.1 What Is A Masquerading Firewall Anyway?
A masquerading firewall is simply an application/kernel modification that acts as a go-between for the masqueraded machines (the winbox in our case) and the internet. It receives requests from the masqueraded client(s) and forwards those requests on to the internet address of the target machine. In this way, a masquerading firewall is a packet filter - it filters network traffic based on information contained in the headers of network packets.
4.5.2 What Is IPCHAINS?
'ipchains' is a network packet filter as described above. It works closely with the Linux kernel to handle all network traffic arriving and departing from a given network interface (or interfaces).
'ipchains' is initialized with just three rules or 'chains': input, output and forward. When a packet arrives at a network interface its fate is determined by the input chain; if the packet is accepted by the input chain, the kernel forwards the packet according to the destination address. If the destination address is another machine on the LAN, then the forward and output chains determine the fate of the packet, and if the packet is acceptable to these chains it is routed to the destination machine.
Each of these input, output and forward 'chains' is simply a set of one or more rules which can be built up - one rule at a time. Each rule examines the header information of the packet, and if the information matches the rule, the rule jumps to accept, reject or deny the packet. If the packet doesn't match the rule, then the next rule in the chain is checked in the same way. Finally, if no rules are relevant to the packet, a default action (the chain's policy) would usually be set by the sysadmin to deny or reject the packet on the grounds that no rules exist to determine the packet's fate (otherwise potentially harmful packets would be allowed through).
For a masquerading firewall, it makes sense to create three sets of custom chains: one for packets arriving from the internet/external network, one for packets departing to the internet/external network and one for packets which are to be forwarded from the router to the masqueraded clients. This is the approach that we will take, using an incoming chain (inet-in), an outgoing chain (inet-out) and the built in forwarding chain set (forward).
4.5.3 Checking To See If IPCHAINS Is Installed
It's likely that 'ipchains' is already installed on your system (although having said that my 'vanilla' install of mandrake 7.1 doesn't include ipchains;-).
To check whether or not you have ipchains installed, issue 'whereis ipchains' at the command line:
[root@munkbox /etc/rc.d/init.d]# whereis ipchains ipchains:
We see on my box that ipchains is not installed (if it were we would see something like: ipchains: /usr/bin/ipchains <some path to man pages>:=).
If ipchains is installed on your machine, please feel free to skip ahead to section 4.5.5.
4.5.4 Installing IPCHAINS
Right, let's install it (this assumes installing from the Mandrake installation CD-ROM using the 'rpm' installer - for other distributions installation should be straightforward).
From the command line, issue the command 'rpm -i /mnt/cdrom/Mandrake/RPMS/ipchain*' (modifying the location as required for your system).
We can confirm the installation of ipchains by issuing the command 'whereis ipchains' again:
[root@munkbox /etc/rc.d/init.d]# whereis ipchains ipchains: /sbin/ipchains /usr/man/man8/ipchains.8.bz2
The fact that the whereis utility has located the ipchains binary and its man page lets us know that ipchains was installed successfully.
4.5.5 Installing and Configuring the 'rc.firemasq' Script
Time for the fun part! We have the physical network setup and configured; now all that remains is to create a set of rules which will allow the Linux router to forward network traffic to/from the win95 machine and the external network/internet. Rather than create each rule one by one at the command-line (which we could do each time), we will place all the commands for bringing up the firewall into one single script, rc.firemasq.
Essentially the rc.firemasq script works as follows:
- ipchains is initialised by first flushing any existing chains/rules
- we create new chains for incoming, outgoing and forwarding packets
- we assign rules to these chains dictating how packets will be handled
- we have the script execute every time a new connection to the internet is made by the linux router
Rather than reinvent the wheel, we will use a script created by Dr. Teeth aptly called 'firemasq'.
In the following section, we will cover the action of each line of the script - in this way you will be able to modify the script to cater for your own LAN requirements, understanding (hopefully;^=) how the script works.
I'll paste the full script at the end of this article in its entirety - there are some very useful comments made by Dr. Teeth within the original version of the script - many thanks go to Dr. Teeth.
4.5.6 Setting up the 'rc.firemasq' script
We now create a script that will bring the firewall up every time a connection is made to the internet by the linux router.
Paste everything that follows (from ###### START OF SCRIPT to ###### END OF SCRIPT) into a file called '/etc/rc.d/rc.firemasq' (make sure you understand the script first!). The '/etc/rc.d' directory is the standard location on Linux systems for custom scripts created after installation intended for bringing services up after booting.
Set the file permissions on '/etc/rc.d/rc.firemasq' to make the file executable - 'chmod +x /etc/rc.d/rc.firemasq' will do the trick.
####### START OF SCRIPT!
#!/bin/sh
# Change IPCHAINS to the correct path for your system
IPCHAINS=/sbin/ipchains
# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections. Most cable modem users
# will probably want eth0 or possibly eth1. When in doubt look at the command
# 'ifconfig'.
INETDEV="ppp0"
# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients
LAN="192.168.0.0/24"
# Change LANDEV to the network device connected to your LAN
LANDEV="eth0"
# There should be no need to change this, though you may need to play with it a little.
# If you have problems, try the command on the command-line, substituting $LANDEV
# for 'eth0' (or 'eth1', etc if you're a cable user).
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d B -f 1`
echo ""
echo "FireMasq version 0.7 by Dr. Teeth (2000)"
echo "Rehashed(!) by munk (2001) for http://black.box.sk"
echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""
echo "========================================================="
echo " IMPORTANT!"
echo "========================================================="
echo "= If you get an error regarding IP Forwarding not being"
echo "= enabled, please check your documentation for details"
echo "= "
echo "= On some distributions you will be required to issue"
echo "= the command:"
echo "="
echo "=     echo \"1\" > /proc/sys/net/ipv4/ip_forward"
echo "= to enable ip forwarding (ie redhat/mandrake),"
echo "= whilst on others a flag may need setting in "
echo "= 'etc/rc.d/rc.config' (SuSe I think). On other systems"
echo "= the process for enabling forwarding may be different"
echo "= yet again. Please check the documentation"
echo "= for your distribution."
echo "========================================================="
echo ""
#Set default chain policy
echo -n "Setting default chain policies..."
$IPCHAINS -P input DENY
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
echo " Done!"
#Flush all chains: start fresh
echo -n "Flushing chains..."
$IPCHAINS -F
$IPCHAINS -X
echo " Done!"
#Add custom chains
echo -n "Adding custom chains..."
$IPCHAINS -N inet-in # incoming from internet
$IPCHAINS -N inet-out # outgoing onto internet
echo " Done!"
#Set input rules
echo -n "Setting rules for input chain..."
#Any LAN address to any other LAN address is ok:
$IPCHAINS -A input -s $LAN -d $LAN -j ACCEPT
#Loopback interface comms all ok:
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
#Any LAN address to anywhere (including internet) is ok:
$IPCHAINS -A input -s $LAN -d 0.0.0.0/0 -j ACCEPT
#Any comms on the internet interface should be handled by the 'inet-in' chain:
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-in
echo " Done!"
#Set forward rules
echo -n "Setting rules for forward chain..."
#Forwarding LAN TO LAN ok:
$IPCHAINS -A forward -s $LAN -d $LAN -j ACCEPT
#Forwarding LAN to internet ok:
$IPCHAINS -A forward -s $LOCALIP -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
#Activate masquerade
echo -n "Activating masquerade..."
$IPCHAINS -A forward -s $LAN -d 0.0.0.0/0 -j MASQ
#If you have trouble with timeouts, change this line:
$IPCHAINS -M -S 7200 10 60
echo " Done!"
#Set output rules
echo -n "Setting rules for output chain..."
$IPCHAINS -A output -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPCHAINS -A output -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-out
echo " Done!"
#Set inet-in rules
echo "Setting rules for internet device incoming chain:"
echo -n " Setup port blocking on vulnerable ports..."
#These ports don't have to be blocked, but as they are
#these rules let you know when you're being attacked on
#the corresponding ports by logging the attack to /var/log/messages
#(or wherever your ipchains logging is done).
#Block NFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
#Block postgres
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
#Block X
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
#Block XFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
#Block Back Orifice
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
#Block netbus
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
echo " Done!"
echo -n " Allowing ssh, dns, and icmp (ping/traceroute) traffic..."
#Vital for basic communications
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 ssh -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 auth -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
echo -n " Setting default input to DENY..."
#This is a 'catchall' rule. If ipchains finds an incoming packet
#NOT covered by the above rules, it will stop the packet and log it
$IPCHAINS -A inet-in -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY -l
echo " Done!"
#Set inet-out rules
echo "Setting rules for internet device outgoing chain:"
echo -n " Setting TOS flags for www, telnet, ssh, and ftp..."
#TOS flags affect how ipchains prioritizes packets:
#From the IPCHAINS-HOWTO:
#  TOS Name               Value       Typical Uses
#  "Minimum Delay"        0x01 0x10   www, ftp, telnet, ssh
#  "Maximum Throughput"   0x01 0x08   ftp-data
#  "Maximum Reliability"  0x01 0x04   snmp
#  "Minimum Cost"         0x01 0x02   nntp
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 www -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 telnet -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ftp -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ftp-data -t 0x01 0x08
echo " Done!"
####### END OF SCRIPT!
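Section 4.5.2 describes each chain as an ordered list of rules where the first match decides and the policy applies only when nothing matches. As an added example (not part of the firemasq script or of the original article), here is a small POSIX shell simulator of the 'inet-in' chain above, so the rule order can be reasoned about without ipchains installed. The rule table is a constructed transcription of the script's inet-in rules in the script's order, with service names resolved as ssh=22, auth=113 and postgres=5432 (an assumption; check /etc/services on your box), and with the single source-port rule ('-s 0.0.0.0/0 ssh') omitted because the simulator matches on protocol and destination port only. Function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the article: first-match simulation of the
# rc.firemasq 'inet-in' chain (packets arriving on $INETDEV).
# Columns: proto  dport-or-range  target, in the script's order.
# Service names resolved by assumption: ssh=22, auth=113, postgres=5432.
# The '-l' logging flag is not modelled; in the real script every DENY
# in this chain carries it, so each denied packet is logged.
INET_IN_RULES='
# proto dport        target
tcp     2049         DENY
udp     2049         DENY
tcp     5432         DENY
udp     5432         DENY
tcp     5999:6003    DENY
udp     5999:6003    DENY
tcp     7100         DENY
udp     7100         DENY
tcp     31337        DENY
udp     31337        DENY
tcp     12345:12346  DENY
udp     12345:12346  DENY
tcp     22           ACCEPT
tcp     113          ACCEPT
tcp     1023:65535   ACCEPT
udp     1023:65535   ACCEPT
icmp    0:65535      ACCEPT
any     0:65535      DENY
'

# inet_in_verdict PROTO DPORT -> prints the target of the first matching rule.
# PROTO is tcp, udp or icmp; for icmp pass 0 as DPORT.
inet_in_verdict() {
    proto=$1
    dport=$2
    while read rproto range target; do
        case "$rproto" in ""|"#"*) continue ;; esac            # blank or comment
        [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
        case "$range" in *:*) ;; *) range="$range:$range" ;; esac  # single port
        lo=${range%:*}
        hi=${range#*:}
        if [ "$dport" -ge "$lo" ] && [ "$dport" -le "$hi" ]; then
            printf '%s\n' "$target"
            return 0
        fi
    done <<EOF
$INET_IN_RULES
EOF
    # Nothing matched: a user-defined chain returns to 'input', whose policy
    # in rc.firemasq is DENY. The catch-all rule above makes this unreachable.
    printf '%s\n' DENY
}

# Stand-alone demo of a few probes.
if [ "${1:-}" = "--demo" ]; then
    for probe in "tcp 31337" "tcp 40000" "udp 53" "udp 1025" "tcp 22" "tcp 80" "icmp 0"; do
        set -- $probe
        printf '%-5s %-6s -> %s\n' "$1" "$2" "$(inet_in_verdict "$1" "$2")"
    done
fi
```

Running it with '--demo' shows why the order in the script matters: tcp/31337 is denied even though 1023:65535 is accepted further down, and DNS works without any port-53 rule because the replies to the router's own queries arrive on a high destination port (udp/1025 is accepted) while an unsolicited packet to udp/53 falls through to the logged catch-all DENY, as does a new connection to tcp/80.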
4.5.7 Running the script
By now you should have saved the script to a file called '/etc/rc.d/rc.firemasq' and made it executable by issuing 'chmod +x /etc/rc.d/rc.firemasq'. You now need to ensure that the script is run every time your PPP interface is brought up.
The method you use to bring up the firewall every time your machine attaches to the internet will differ from distribution to distribution. Ideally, on systems that use the 'pppd' PPP daemon for initiating a PPP connection, the best place to execute code every time a PPP connection is made is the file '/etc/ppp/ip-up'. Place the line '/etc/rc.d/rc.firemasq&' on a line by itself in the file '/etc/ppp/ip-up', preferably near the top of the ip-up script; here is a snippet from my '/etc/ppp/ip-up' file:
#!/bin/bash
LOGDEVICE=$6
REALDEVICE=$1
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
#Bring up the firemasq in background:
/etc/rc.d/rc.firemasq&
Important
Make sure that you run '/etc/rc.d/rc.firemasq' in the background, otherwise the execution of other commands in '/etc/ppp/ip-up' may not occur!
5.0 Configuring the Windows 95 Masquerading Client
In this section we will install and configure TCP/IP on the Windows 95 machine. The following sections assume you do not already have TCP/IP installed on the Windows 95 machine; if you already have TCP/IP installed on your machine, check to make sure that it is configured as specified here.
This section is broken down as follows:
- 5.1 Installing TCP/IP on the Windows 95 machine
- 5.2 Assigning a static IP address of 192.168.0.10 to the Windows 95 machine
- 5.3 Configuring the masqueraded Windows 95 machine to use the Linux router as a gateway (specifying '192.168.0.1' as a Gateway), and
- 5.4 Configuring the masqueraded Windows 95 machine to use the external DNS server (as covered above)
5.1 Installing TCP/IP On The Windows 95 Masqueraded Client
- In Control Panel, open the 'Network' applet.
- Ensure your network interface card drivers have been installed correctly (if so they will likely be bound to the NetBEUI and IPX/SPX protocols) - if not, install drivers as required.
- Click 'Add' and in the following dialog box, select to add the Microsoft TCP/IP Protocol.
- Check to make sure that TCP/IP has been bound to the Network Interface card - you can do this by checking the 'Bindings' tab of the properties for the network card.
- Remove all other protocols and services which are not necessary - for the purposes of this article, the only protocol required is TCP/IP - no services are required.
- You should now see only two items in the Network dialog box, one for your Network Interface Card, and the other for TCP/IP.
5.2 Assigning A Static IP Address To The Windows 95 Masqueraded Client
- Open the properties dialog for the TCP/IP Protocol.
- Select the 'IP Address' tab.
- Select the radio button 'Specify an IP address'.
- Enter a static IP address of '192.168.0.10'.
- Enter '255.255.255.0' as the subnet mask.
5.3 Configuring The Win95 Machine To Use The Linux Router As A Gateway
- Select the 'Gateway' tab in the TCP/IP properties dialog.
- Enter '192.168.0.1' as the new gateway and click 'Add' so that it appears in the list of installed gateways.
5.4 Configuring The Win95 Machine To Use The External DNS Server
- Select the 'DNS Configuration' tab and select 'Enable DNS'.
- Enter a host name for the Windows 95 machine (any name will do) and, under 'DNS Server Search Order', enter the IP address of your DNS server and click 'Add'.
Finally, apply the changes to the TCP/IP protocol settings by clicking 'OK' in the TCP/IP properties dialog, then apply the new network settings by clicking 'OK' in the Network applet; Windows 95 will prompt you to restart the machine before the new settings take effect.
In this section we will test the configuration of the masqueraded network.
This section covers:
- 6.1 Bring Up The PPP Internet Connection On The Linux Router
- 6.2 Testing Connectivity From The Linux Router To The External Network/Internet
- 6.3 Test Connectivity From The Windows 95 Masqueraded Client To The Linux Router
- 6.4 Test Connectivity From The Windows 95 Masqueraded Client To The External Network/Internet
6.1 Bringing Up the PPP Internet Connection on the Linux Router
Using the preferred method for your distribution, bring up the PPP interface on the Linux router. Under Linux Mandrake we use
ifup ppp0
from the command-line, or perhaps run 'kppp' from X windows. As mentioned above, bringing up PPP is worthy of an article in itself; please see the References section for details (the PPP-HOWTO).
From the command-line, run
ifconfig
In the output you should see something similar to this:
ppp0      Link encap:Point-Point Protocol
          inet addr:10.144.153.104  P-t-P:10.144.153.51  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:552  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
          TX packets:0 errors:0 dropped:0 overruns:0
If you are unable to get to this point, you should consult the 'PPP-HOWTO'.
6.2 Testing Connectivity From The Linux Router To The External Network/Internet
To test connectivity from the Linux router to the external network/internet, issue
'ping -c 4 <IP ADDRESS OF DNS SERVER>'
replacing <IP ADDRESS OF DNS SERVER> with the address of the DNS server you placed in '/etc/resolv.conf'. The '-c 4' switch simply tells the ping command to send 4 ping requests and then exit. If all is well, you should see something like the following output:
[root@gateway /etc]# ping -c 4 194.72.6.57
PING 194.72.6.57 (194.72.6.57): 56 octets data
64 octets from 194.72.6.57: icmp_seq=0 ttl=128 time=0.9 ms
64 octets from 194.72.6.57: icmp_seq=1 ttl=128 time=0.8 ms
64 octets from 194.72.6.57: icmp_seq=2 ttl=128 time=0.8 ms
64 octets from 194.72.6.57: icmp_seq=3 ttl=128 time=0.8 ms
Pinging by IP address does not involve name resolution, so timeouts here mean that the Linux router cannot reach the external network at all, even though the PPP link appears to be up: check that 'ppp0' is listed by 'ifconfig' and that 'route -n' shows a default route via it, and consult the 'PPP-HOWTO'. If pinging by address works but pinging a host by name fails with 'unknown host', the problem is name resolution: check your
'/etc/resolv.conf'
file to ensure that the Linux router is using the DNS server it should be. See the 'Networking-HOWTO' for full details.
6.3 Testing Connectivity From The Win95 Client To The Linux Router
On the Windows 95 masqueraded client, open a DOS box and issue the command 'ping 192.168.0.1'. If all is well you should see something like the following output:
C:\WINDOWS\DESKTOP>ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
Reply from 192.168.0.1: bytes=32 time<10ms TTL=255
Reply from 192.168.0.1: bytes=32 time<10ms TTL=255
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
If you have trouble at this point, you should check the network card and TCP/IP settings on the Windows 95 machine, ensuring the network card is installed correctly (using 'Device Manager') and ensuring TCP/IP has been installed and configured correctly (see above).
6.4 Testing Connectivity From The Win95 Client To The External Network/Internet
On the Windows 95 masqueraded client, open a DOS box and issue the command 'ping <IP ADDRESS OF DNS SERVER>', replacing <IP ADDRESS OF DNS SERVER> with the IP address of your DNS server. If all is well, similar to the above, you should see something like the following output:
C:\WINDOWS\DESKTOP>ping 194.72.6.57
Pinging 194.72.6.57 with 32 bytes of data:
Reply from 194.72.6.57: bytes=32 time=1ms TTL=255
Reply from 194.72.6.57: bytes=32 time=1ms TTL=255
Reply from 194.72.6.57: bytes=32 time<10ms TTL=255
Reply from 194.72.6.57: bytes=32 time<10ms TTL=255
Ping statistics for 194.72.6.57:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
If you have trouble at this point then you should check the TCP/IP settings on the Windows 95 machine, particularly ensuring that the default gateway is correctly set to '192.168.0.1' (see above). If the client can ping the router but not the outside world, while the router itself can (6.2), the problem lies in the router's forwarding: check that 'cat /proc/sys/net/ipv4/ip_forward' prints '1' and that 'ipchains -L forward -n' lists the MASQ rule for '192.168.0.0/24', i.e. that 'rc.firemasq' has run since the PPP link came up.
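As an added example (not from the original article), here is a small shell script for the Linux router that performs the checks of this section in order, together with the two router-side prerequisites the ping tests cannot see, so that a failure is pinned to one layer: the PPP link, IP forwarding, the MASQ rule, the Internet path, or the resolver. The interface name, the DNS server address and the test host name at the top are assumptions; the 'classify_ping' function tells a resolver failure ('unknown host') apart from a link or routing failure (timeouts or 'unreachable') in both the Linux and the Windows ping output formats.

```shell
#!/bin/sh
# Added example, not part of the original article: run on the Linux router, it checks
# the stages behind section 6 in order and stops at the first failure, so the fault is
# pinned to one layer (PPP link, IP forwarding, MASQ rule, Internet path, resolver).
# Assumptions, change to suit: Internet interface ppp0; DNS_SERVER is the address you
# put in /etc/resolv.conf (the article's 194.72.6.57 is only a placeholder here);
# TEST_HOST is any host name the resolver should be able to look up.
INETDEV="${INETDEV:-ppp0}"
DNS_SERVER="${DNS_SERVER:-194.72.6.57}"
TEST_HOST="${TEST_HOST:-www.linuxdoc.org}"

# classify_ping: read ping output on stdin (Linux or Windows format) and print one word:
#   ok            every echo request was answered
#   unknown-host  the name could not be resolved: a resolver problem, see /etc/resolv.conf
#   unreachable   the kernel or a router said "unreachable": a link or routing problem
#   loss          some or all requests timed out: also link or routing, never DNS
classify_ping() {
  awk '
    tolower($0) ~ /unknown host|bad ip address|cannot resolve|name or service not known|could not find host/ {
      r = "unknown-host"; exit
    }
    tolower($0) ~ /unreachable/              { r = "unreachable" }
    /[ (]0% packet loss/ || /[ (]0% loss/    { if (r == "") r = "ok" }
    /100% packet loss/   || /100% loss/      { if (r == "") r = "loss" }
    END { print (r == "" ? "loss" : r) }'
}

# iface_up IFACE: true if ifconfig shows the UP flag (old "UP POINTOPOINT" or new "<UP,...>" layout).
iface_up() { ifconfig "$1" 2>/dev/null | grep -Eq '(^|[ <,])UP([ ,>]|$)'; }

# ip_forwarding_on: the kernel switch behind FORWARD_IPV4=true in /etc/sysconfig/network.
ip_forwarding_on() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; }

# masq_rule_present: true if the forward chain carries a MASQ target, i.e. rc.firemasq has run.
masq_rule_present() { ipchains -L forward -n 2>/dev/null | grep -q MASQ; }

# stage LABEL COMMAND...: run one check and report it; returns the check's status.
stage() {
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; return 1; fi
}

# ping_stage LABEL TARGET: like stage, but reports why a ping failed.
ping_stage() {
  result=$(ping -c 4 "$2" 2>&1 | classify_ping)
  if [ "$result" = ok ]; then echo "ok    $1"; else echo "FAIL  $1 ($result)"; return 1; fi
}

run_checks() {
  stage      "$INETDEV is up (6.1; see the PPP-HOWTO if not)"           iface_up "$INETDEV" &&
  stage      "IP forwarding enabled (FORWARD_IPV4=true)"                ip_forwarding_on    &&
  stage      "MASQ rule present in the forward chain (rc.firemasq ran)" masq_rule_present   &&
  ping_stage "router reaches $DNS_SERVER by address (6.2)"              "$DNS_SERVER"       &&
  ping_stage "router resolves and reaches $TEST_HOST (resolv.conf)"     "$TEST_HOST"
}

# Only run the live checks when asked ("sh check-masq.sh run"), so the functions above
# can be sourced and exercised offline on saved ping output.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as 'sh check-masq.sh run' on the router after bringing up PPP; the first 'FAIL' line names the layer to look at, and for the ping stages the word in brackets says whether it was the link or the resolver.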
In this section we will look briefly at the logging functionality of 'ipchains'. This section will cover the following:
- 7.1 Configuring The Destination Of 'ipchains' Log Output
- 7.2 A Note On Creating Rules That Log When Matched
- 7.3 Viewing 'ipchains' Logs
- 7.4 A Tip On Monitoring Log Files
7.1 Configuring The Destination Of 'ipchains' Log Output
Straight from the '
IPCHAINS-HOWTO
':
On standard Linux systems, this kernel output is captured by klogd
(the kernel logging daemon) which hands it to syslogd (the system
logging daemon). The `/etc/syslog.conf' controls the behaviour of
syslogd, by specifying a destination for each `facility' (in our case,
the facility is "kernel") and `level' (for ipchains, the level used is
"info").

For example, my (Debian) /etc/syslog.conf contains two lines which
match `kern.info':

kern.* -/var/log/kern.log
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

These mean that the messages are duplicated in `/var/log/kern.log' and
`/var/log/messages'. For more details, see `man syslog.conf'.
The upshot of this is that the output from ipchains rules which are set to log when they are matched is usually sent to '/var/log/messages' by the syslogd system logging daemon, but check '/etc/syslog.conf' to make sure.
7.2 A Note On Creating Rules That Log When Matched
To create rules that log details when they are matched, add the '-l' switch at the end of the rule. If you look at the '/etc/rc.d/rc.firemasq' you created earlier, you will find various rules which utilise the logging functionality of ipchains:
#Block Back Orifice
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
Here we see a pair of rules which deny all TCP and UDP packets arriving on the internet interface with a destination port of '31337', the port used by the 'Back Orifice' trojan horse server to communicate with remote clients. Because the '-l' switch is specified at the end of each rule, every packet they deny is also logged by the kernel.
Note: logging attempts to connect to ports used by trojan horses may seem odd, since trojan horses such as Back Orifice do not apply to Linux; even if a masquerading client did have the Back Orifice server on it, a remote BO client would be unable to connect to it through the firewall, as the forward chain's default policy is DENY and an unsolicited inbound packet matches no masquerade table entry, so it is never passed on to a LAN client. However, it is sometimes nice to have a record of such attempts, and since ipchains logging comes with very little overhead, it might as well be used for traffic which can be deemed 'offensive' (such as a probe for a trojan server).
7.3 Viewing 'ipchains' Logs
Presuming that you have checked your '/etc/syslog.conf' file and know that 'ipchains' is logging to '/var/log/messages', viewing the log file is as simple as using your favourite pager or editor to view '/var/log/messages', i.e. issuing 'less /var/log/messages' at the command-line. You will need to scroll to the end of the log file to find the most recent details logged by ipchains. With this in mind, the following tip can be very useful in monitoring ipchains rule matching.
7.4 A Tip On Monitoring Log Files
Rather than open up '/var/log/messages' and then scroll to the end of the file to see the most recent ipchains logging output, a nice way of constantly monitoring the default log file is to 'tail' the output from '/var/log/messages' with the '-f' switch:
[root@gateway ~]# tail -f /var/log/messages
Feb 28 20:10:00 gateway CROND[961]: (root) CMD ( /sbin/rmmod -as)
Feb 28 20:17:39 gateway PAM_unix[768]: (system-auth) session opened for user
munk by LOGIN(uid=0)
Feb 28 20:17:39 gateway -- munk[768]: LOGIN ON tty2 BY munk
Feb 28 20:18:29 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=17
207.71.92.221:137 62.6.89.183:137 L=78 S=0x00 I=37898 F=0x0000 T=112 (#19)
Feb 28 20:18:30 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=17
207.71.92.221:137 62.6.89.183:137 L=78 S=0x00 I=38143 F=0x0000 T=112 (#19)
The '-f' switch causes 'tail' to follow the file: as soon as syslogd appends a new message, from any process, to '/var/log/messages', it is printed to the screen. For the extremely security conscious, and the paranoid in general(!), a good idea is to dedicate a virtual console to 'tail -f /var/log/messages'.
The two 'Packet log:' lines above show what a logged match looks like: the chain and target ('inet-in DENY'), the interface ('ppp0'), the protocol number ('PROTO=17' is UDP, 6 is TCP, 1 is ICMP), the source address:port and destination address:port, then the packet length (L=), type of service (S=), IP id (I=), fragment field (F=) and TTL (T=), and finally the number of the rule in the chain that matched ('#19' is the catch-all DENY at the end of 'inet-in'). Port 137 is the NetBIOS name service; unsolicited packets to it from other dial-up hosts are common background noise, which is exactly why having them logged is useful for telling noise from a deliberate probe of the ports blocked higher up the chain.
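Watching 'tail -f' is fine for a quick look, but a day's worth of 'Packet log:' lines is easier to judge in aggregate. The following shell script is an added example (not from the original article or the firemasq script): it parses the 2.2-kernel log format shown above, counts denied packets per source, protocol, destination port and matching rule, and flags any source that has touched several distinct ports. The sample log lines embedded in it are constructed; the first two are the article's own, the rest are invented to show one remote host probing several of the ports the script denies, and the rule numbers follow the order of the 'inet-in' rules in 'rc.firemasq'.

```shell
#!/bin/sh
# Added example, not part of the original article or the firemasq script: summarise the
# ipchains "Packet log:" lines (section 7) instead of reading them one at a time.
# Format written by 2.2 kernels, as shown in the article:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. (#<rule>)
# For PROTO=1 (ICMP) the two "port" fields carry the ICMP type and code instead.
# Usage on the router:  summarize_packet_log < /var/log/messages
#                       scan_sources 3       < /var/log/messages

# Constructed sample (first two lines are the article's; the rest are invented for the demo).
SAMPLE_LOG='Feb 28 20:18:29 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=17 207.71.92.221:137 62.6.89.183:137 L=78 S=0x00 I=37898 F=0x0000 T=112 (#19)
Feb 28 20:18:30 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=17 207.71.92.221:137 62.6.89.183:137 L=78 S=0x00 I=38143 F=0x0000 T=112 (#19)
Feb 28 20:21:02 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=6 10.9.8.7:4444 62.6.89.183:31337 L=60 S=0x00 I=1 F=0x4000 T=50 (#9)
Feb 28 20:21:03 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=6 10.9.8.7:4445 62.6.89.183:12345 L=60 S=0x00 I=2 F=0x4000 T=50 (#11)
Feb 28 20:21:04 gateway kernel: Packet log: inet-in DENY ppp0 PROTO=6 10.9.8.7:4446 62.6.89.183:2049 L=60 S=0x00 I=3 F=0x4000 T=50 (#1)
Feb 28 20:22:00 gateway CROND[961]: (root) CMD ( /sbin/rmmod -as)'

# parse_packet_log: one record per logged packet, fields:
#   chain action iface proto src sport dst dport rule
parse_packet_log() {
  awk '
    /Packet log:/ {
      for (i = 1; i <= NF; i++) if ($i == "log:") break   # fields after "log:" are the record
      proto = $(i+4); sub(/^PROTO=/, "", proto)
      rule  = $NF;    gsub(/[()#]/, "", rule)             # "(#19)" -> "19"
      split($(i+5), s, ":"); split($(i+6), d, ":")
      print $(i+1), $(i+2), $(i+3), proto, s[1], s[2], d[1], d[2], rule
    }'
}

# summarize_packet_log: packet count per (action, protocol, source, destination port, rule),
# most frequent first, so repeated probes stand out from one-off noise.
summarize_packet_log() {
  parse_packet_log | awk '
    function pname(p) { return p == 6 ? "tcp" : (p == 17 ? "udp" : (p == 1 ? "icmp" : ("proto" p))) }
    { c[$2 " " pname($4) " " $5 " " $8 " " $9]++ }
    END { for (k in c) print c[k], k }' | sort -k1,1nr -k2
}

# scan_sources MIN: source addresses seen against at least MIN distinct destination ports,
# a simple port-scan indicator.
scan_sources() {
  parse_packet_log | awk -v min="$1" '
    { k = $5 "," $8; if (!(k in seen)) { seen[k] = 1; n[$5]++ } }
    END { for (s in n) if (n[s] >= min) print s, n[s] }' | sort
}

# Demo on the constructed sample; on the router, feed /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_packet_log
printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
```

On the sample, the summary puts the two NetBIOS packets from 207.71.92.221 first and lists 10.9.8.7 once per port it touched; 'scan_sources 3' then reports '10.9.8.7 3', since it hit three distinct denied ports, while the single-port NetBIOS noise is not reported.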
Congratulations! If you have managed to get this far then you should now be able to share the single internet connection between your two (or more) machines, with every packet the firewall denies at the internet interface being logged. The script we have used to set up the masquerading firewall is not overly strict and should only be used as a foundation for building your own personalised script, one which caters better for your own LAN needs. In particular, bear in mind that ipchains filters packet by packet with no notion of connection state: the 'inet-in' rules accept any TCP packet whose source port is 22 (ssh) and any TCP or UDP packet to destination ports 1023 to 65535, so every service on the router listening above port 1023, other than those explicitly denied earlier in the chain, is reachable from the internet, and a remote host that chooses 22 as its source port can reach any port not explicitly denied. Tighten these rules before running anything beyond masquerading itself on the router.
I hope you have found the information in this article useful and concise. Please feel free to send me comments on the article (abuse>/dev/null please!) and let me know how you got on. On this note, PLEASE make sure you read the following first!!!
Trouble-shooting most linux system configurations can at best be difficult and at worst a nightmare, but in terms of reliability and security there is no alternative. I have attempted to make the steps required in configuring your network for IP Masquerading as concise as possible, however it is inevitable that problems will need to be overcome before your setup is complete and fully functioning.
Approximately(!) 100% of Linux problems are resolvable by the user, you and me, given the time and, more importantly, the patience! There is no substitute for reading. Reading gives rise to knowledge and, as we all know, knowledge is power; hence it follows that reading empowers the reader. This is undoubtedly true with Linux.
The knowledge I pass on to you in this document has come courtesy of almost innumerable sources, coffee being second only to documentation. Many thanks to all the authors of the excellent Linux HOWTOs out there, not to mention good friends, man pages, books, internet material, and so on and so forth.
The following Reference section should cover just about every area discussed in this article. Before attempting to get help from anyone else, please do read the relevant documents below.
Linux HOWTOS
First off, check to see if you have the Linux HOWTOs installed on your system by issuing the command 'find / -iname "*howto*"' at the command-line. Check the output and hopefully you'll find that the HOWTOs are already installed on your system. If the HOWTOs are not installed on your system you have two options: either you can view the HOWTOs online or you can download them and install them on your system. The latter option is preferable! You can find the Linux HOWTOs at the Linux Documentation Project (LDP) website, http://www.linuxdoc.org.
The HOWTO's specific to this document are:
Networking-Overview-HOWTO - a good document for beginners to networking using linux.
The Linux Network Administrator's Guide (NAG) - not really a HOWTO, but located at the LDP site; another excellent introduction to networking on linux for beginners and intermediate users.
Net-HOWTO - the reference for setting up your network under linux.
Ethernet-HOWTO - lists ethernet cards supported by linux and their associated drivers; useful if you have problems setting up your network card(s).
Firewall-HOWTO - provides advice for various firewalling scenarios.
IP-Masquerade-HOWTO - specific to masquerading firewalls.
IPCHAINS-HOWTO - by the creator of the ipchains packet filter; good for obtaining deeper knowledge of how chains and rules work.
ISP-Hookup-HOWTO - step by step guide to dialling up to your ISP; good if you have trouble connecting to the internet.
PPP-HOWTO - essential reading if you have problems connecting to the internet via PPP.
Online Linux Firewall / Security Sites
There are numerous sources of help for setting up your firewall under linux, whether for masquerading or otherwise.
The Original Firemasq Site - the home of the original 'firemasq' script used in this article.
The Linux IP Masquerade Resource - the home of IP Masquerading on the internet!
FAQ: Firewall Forensics (What am I seeing?) - a good site on interpreting your firewall logs.
Linux Security Administrator's Guide - similar to the NAG, but with emphasis on general security - worth a skim read at least.
Total Simplicity Security Scan - test your firewall setup with this online scanner.
Here is the original 'firemasq' script in its entirety:
#!/bin/sh
# Masquerading Firewall
# Script for IPChains on Linux 2.2.14 kernel
# Released under the GNU GPL (http://www.fsf.org/copyleft/gpl.html)
# Copyleft 2000 by Dr. Teeth (this is open source, hack away...)
# drteeth@northernlights.bizland.com
# Check http://northernlights.bizland.com for new versions of this program
# and for other computer security related tools and information.
# This is a script for any box running ipchains on a Linux 2.2.x kernel
# (RedHat 6.x, Mandrake 7.x, etc). In particular, this script is for a box
# with a dial-up internet connection; it will turn the box into a firewall
# with masquerading services. All clients that connect to the firewall
# via a local network can simultaneously connect to the Internet, or any
# other network segment the firewall is connected to. This script can also
# be used for today's "high speed internet access" enabled machines, for
# example machines connected to cable modems and dsl routers.
# If you do not need masquerading services, but you still want to setup a
# firewall for a dial-up, dsl, cable modem, or ethernet connection on a
# single computer, you can download the script "firedog" from the Northern
# Lights Group's site at http://northernlights.bizland.com.
# All denied packets are logged via the kernel's packet logging facilities.
# Check '/var/log/messages' on most systems for a log of denied traffic...
# Any clients using masquerading will "borrow" the IP address of the firewall
# router, so outside machines will always see the firewall, not any of the
# clients on the LAN. This is actually a nice side effect of masquerading, as
# outsiders can't easily get a picture of what's on the inside of the firewall
# if they never see the LAN clients' IP addresses.
# Remember that most dial-up connections have a unique IP address with every
# connection. While you could manually start and stop the firewall, I
# would highly suggest storing this executable in '/sbin' and then starting
# it by adding the line '/sbin/firemasq' to the end of '/etc/ppp/ip-up' (at
# the next-to-last line, before the line 'exit 0'). This will automatically
# start the firewall with the correct IP on every connection, even when the
# connection is lost and it redials.
# Copy the script 'firemasq.down' to '/sbin' as well, then you can deactivate
# the firewall with a simple 'firemasq.down' command if needed.
# This script sets up more than adequate protection for a dial-up connection.
# Most services are blocked from the outside but not from the inside. For
# example, you can still telnet, ftp, etc. the firewall from the LAN, but hosts
# on the Internet cannot. You may want to add more sections to block the known
# cable modem nets in your area (think script kiddie protection).
# There is a further layer of protection for LAN clients who use IP's from the
# "private" ranges '10.x.x.x', '172.16.x.x - 172.31.x.x', and
# '192.168.0.x - 192.168.255.x'. These clients are in the Internet's
# "blackhole", and routers are not capable of directing traffic to these
# "private" hosts.
# You will need to edit settings for your network, changing the network
# addresses and devices if needed. The path for ipchains is probably okay,
# but you can change it if necessary. You only have to change this information
# in the beginning of the script (below). The script will take care of the
# rest.
# You can stop a certain line or section from executing by adding a pound '#'
# character to the beginning of the line...
# Advanced users already know they can add lines with '$IPCHAINS [options]'.
# run 'man ipchains' for more info...
# Change IPCHAINS to the correct path for your system
IPCHAINS=/sbin/ipchains
# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections. Most cable modem users
# will probably want eth0 or possibly eth1. When in doubt look at the command
# 'ifconfig'.
INETDEV="ppp0"
# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients
LAN="192.168.0.0/24"
# Change LANDEV to the network device connected to your LAN
LANDEV="eth0"
# There should be no need to change this
#LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d B -f 1`
echo ""
echo "FireMasq version 0.7 by Dr. Teeth (2000)"
echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""
echo "========================================================="
echo "= IMPORTANT! ="
echo "========================================================="
echo "= Make sure that IP Forwarding is on for your network ="
echo "= by checking the file '/etc/sysconfig/network' for ="
echo "= 'FORWARD_IPV4=true' ="
echo "= ="
echo "= This script will not work otherwise! ="
echo "========================================================="
echo ""
#Set default chain policy
echo -n "Setting default chain policies..."
$IPCHAINS -P input DENY
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
echo " Done!"
#Flush all chains
echo -n "Flushing chains..."
$IPCHAINS -F
$IPCHAINS -X
echo " Done!"
#Add custom chains
echo -n "Adding custom chains..."
$IPCHAINS -N inet-in
$IPCHAINS -N inet-out
echo " Done!"
#Set input rules
echo -n "Setting rules for input chain..."
$IPCHAINS -A input -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPCHAINS -A input -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-in
echo " Done!"
#Set forward rules
echo -n "Setting rules for forward chain..."
$IPCHAINS -A forward -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A forward -s $LOCALIP -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
#Activate masquerade
echo -n "Activating masquerade..."
$IPCHAINS -A forward -s $LAN -d 0.0.0.0/0 -j MASQ
$IPCHAINS -M -S 7200 10 60
echo " Done!"
#Set output rules
echo -n "Setting rules for output chain..."
$IPCHAINS -A output -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPCHAINS -A output -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-out
echo " Done!"
#Set inet-in rules
echo "Setting rules for internet device incoming chain:"
echo -n " Setup port blocking on vulnerable ports..."
#Block NFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
#Block postgres
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
#Block X
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
#Block XFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
#Block Back Orifice
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
#Block netbus
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
echo " Done!"
echo -n " Allowing ssh, dns, and icmp (ping/traceroute) traffic..."
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 ssh -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 auth -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
echo -n " Setting default input to DENY..."
$IPCHAINS -A inet-in -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY -l
echo " Done!"
#Set inet-out rules
echo "Setting rules for internet device outgoing chain:"
echo -n " Setting TOS flags for www, telnet, ssh, and ftp..."
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 www -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 telnet -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ftp -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ftp-data -t 0x01 0x08
echo " Done!"