From: Alex Boag-Munroe (ajbm@ntlworld.com)
Date: Fri Nov 24 2000 - 09:14:02 PST
To check if your kernel has IP Masqing enabled, go to
/usr/src/linux
Type make xconfig and hit enter (You will need make and the kernel sources
installed)
Then click on Networking Options and just have a look to see if it is enabled.
Once enabled, do a recompile.
Thanks
Alex
On Thursday 23 November 2000 18:11, you wrote:
> Alex Boag-Munroe wrote:
> > Hold on a minute...
> >
> > No distribution of Linux is designed to be one thing or another, it's all
> > Linux! If Red Hat isn't supposed to be a server, then how come CNN use
> > it as such?
> >
> > Katpete: Send us your pmfirewall configs.
>
> OK, here they are:
>
> #!/bin/sh
> # pmfirewall.conf - used by pmfirewall package
> IPCHAINS=/sbin/ipchains
> ATBOOT=1
> CONFIG_DIR=/usr/local/pmfirewall
> OUTERIF=eth0
> REMOTENET=0/0
> OUTERIP=`ifconfig $OUTERIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
> OUTERMASK=`ifconfig $OUTERIF | grep Mas | cut -d : -f 4`
> OUTERNET=$OUTERIP/$OUTERMASK
> INTERNALIF=eth1
> INTERNALIP=`ifconfig $INTERNALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
> INTERNALMASK=`ifconfig $INTERNALIF | grep Mas | cut -d : -f 4`
> INTERNALNET=$INTERNALIP/$INTERNALMASK
>
>
>
> #!/bin/sh
> # pmfirewall.rules.1 used by pmfirewall package
> #
> #### Start Firewall ####
>
> ## Allow loopback interface
> $IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
> $IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
>
> # Allow packets with ack bit set, they are from an established connection.
> $IPCHAINS -A input ! -y -p tcp -s $REMOTENET -d $OUTERNET -j ACCEPT
>
> # Block incoming IP Spoofing
>
> # Turn on Source Address Verification
>
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> then
> for f in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 1 > $f
> done
> fi
>
> #Turn on SYN COOKIES PROTECTION (Thanks Holger!)
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
> then
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> fi
>
> # Now read pmfirewall.rules.local
>
>
> #!/bin/sh
> # pmfirewall.rules.local
> # ver.PM1 (do not remove this line)
>
> ### BEGIN SYSTEM DEFAULTS ###
>
> # Block Nonroutable IP's from entering on the External Interface
> $IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
> $IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
> $IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
> $IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF
>
>
> # - Specific port blocks on the external interface -
> # This section blocks off ports/services to the outside that have
> # vulnerabilities. This will not affect the ability to use these services
> # within your network.
> #
>
> # Back Orifice (logged)
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
> $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
>
> # NetBus (logged)
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
> $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
>
> # Trin00 (logged)
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY -l
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 27665 -j DENY -l
> $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 27444 -j DENY -l
> $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31335 -j DENY -l
>
> # Multicast
> $IPCHAINS -A input -s 224.0.0.0/8 -d $REMOTENET -j DENY
> $IPCHAINS -A input -s $REMOTENET -d 224.0.0.0/8 -j DENY
>
>
> ### END SYSTEM DEFAULTS ###
>
>
> #### EXAMPLES ###
>
>
> ### ALLOWED NETWORKS
> # Add in any rules to specifically allow connections from hosts/nets that
> # would otherwise be blocked.
> #$IPCHAINS -A input -s [trusted host/net] -d $OUTERNET <ports> -j ACCEPT
>
> ### BLOCKED NETWORKS
> # Add in any rules to specifically block connections from hosts/nets that
> # have been known to cause problems. These packets are logged.
> #$IPCHAINS -A input -s [banned host/net] -d $OUTERNET <ports> -j DENY -l
>
> ### BLOCK ICMP ATTACKS
> #
> #$IPCHAINS -A input -b -i $OUTERIF -p icmp -s [host/net] -d $OUTERNET -j DENY -l
>
>
>
> #### END OF EXAMPLES ###
>
>
>
> ### AUTOMATICALLY GENERATED BY THE INSTALL SCRIPT ###
>
> #UNRESTRICTED ACCESS
> $IPCHAINS -A input -s 192.168.1.1/24 -d $REMOTENET -j ACCEPT
> #DHCP CLIENT ALLOW
> $IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 67:68 -i $OUTERIF -j ACCEPT
> #FTP
> $IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 20 -j ACCEPT
> $IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 21 -j ACCEPT
> #SSH
> $IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 22 -j ACCEPT
> #TELNET
> $IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $OUTERNET 23 -j ACCEPT
> #HTTPD
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
> #IDENTD
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
> $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 113 -j REJECT
> #NETBIOS
> $IPCHAINS -A input -p tcp -s 192.168.1.1/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
> $IPCHAINS -A input -p udp -s 192.168.1.1/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
> #SSL
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 443 -j ACCEPT
> #RIP
> $IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 520 -i $OUTERIF -j REJECT
> #NFS
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
> $IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
> #XSERVER
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
> $IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
> #DHCP SERVER
> $IPCHAINS -A input -p udp -s $REMOTENET 67 -i $INTERNALIF -j ACCEPT
> $IPCHAINS -A input -p udp -s $REMOTENET 68 -i $INTERNALIF -j ACCEPT
>
>
> #!/bin/sh
> #pmfirewall.rules.masq - used by pmfirewall package
> #
>
> ## Masquerading
>
> ## Modules to help certain services
>
> /sbin/depmod -a >/dev/null 2>&1
> /sbin/modprobe ip_masq_ftp >/dev/null 2>&1
> /sbin/modprobe ip_masq_raudio >/dev/null 2>&1
> /sbin/modprobe ip_masq_irc >/dev/null 2>&1
> /sbin/modprobe ip_masq_icq >/dev/null 2>&1
> /sbin/modprobe ip_masq_quake >/dev/null 2>&1
> /sbin/modprobe ip_masq_user >/dev/null 2>&1
> /sbin/modprobe ip_masq_vdolive >/dev/null 2>&1
>
> ## Masquerading firewall timeouts: tcp conns 4hrs (14400s), tcp after fin pkt 60s, udp 10min
> $IPCHAINS -M -S 14400 60 600
>
> ## Set up kernel to enable IP masquerading
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ## Set up kernel to handle dynamic IP masquerading
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
>
> ## Don't Masquerade internal-internal traffic
> $IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
>
> ## Don't Masquerade external interface direct
> $IPCHAINS -A forward -s $OUTERNET -d $REMOTENET -j ACCEPT
>
> ## Masquerade all internal IP's going outside
> $IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
>
> ## Set Default rule on MASQ chain to Deny
> $IPCHAINS -P forward DENY
>
> ## Allow all connections from the network to the outside
> $IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
> $IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
>
> # This section manipulates the Type Of Service (TOS) bits of the
> # packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
> # in your kernel
>
> # Set telnet, www, smtp, pop3 and FTP for minimum delay
> $IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
> $IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10
>
> # Set ftp-data for maximum throughput
> $IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08
>
> # Allow outgoing ICMP
> $IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
>
> > Also, make sure you have IPMasquerading enabled in your kernel (For info
> > on recompiling the kernel, see the Kernel Howto on www.linuxdoc.org ).
>
> I thought that redhat 6.2 has ipmasq'ing in the kernel. Is there any way
> to tell if there is something wrong with my kernel, or do I just have to
> recompile it?
>
> > Then ensure that IPChains is installed. To do this:
> >
> > As root type rpm -qa | grep -i ipchain
>
> The response is:
> ipchains-1.3.9-5
>
> > And hit return.
> >
> > HTH
> >
> > Alex
>
> Thanks,
>
> Pete
>
>
> ***************************************************************************
> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> * in the message body to majordomo@pointman.org. Please direct other
> * questions, comments, or problems to pmfirewall-owner@pointman.org.
> *
> * Need answers fast? Check the list archive located at:
> * http://www.pointman.org/PMFirewall/list-archive/
> *
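Added example (editor's note, not code from the pmfirewall package or from either poster): the thread's question, "is masquerading in my kernel, and is it switched on", can be answered without opening make xconfig by reading the kernel's .config and the /proc/sys/net/ipv4 knobs that rules.1 and rules.masq write to. The script below assumes the 2.2-series option names CONFIG_IP_FIREWALL, CONFIG_IP_MASQUERADE and CONFIG_SYN_COOKIES and the usual .config format ("CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set"). Paths are parameters, so on the firewall you would point it at /usr/src/linux/.config (what make xconfig writes) and /proc/sys/net/ipv4; the config files and /proc tree it builds here are constructed sample data for the demonstration only.

```shell
#!/bin/sh
# Added example, not part of pmfirewall: check kernel support for the
# masquerading setup discussed in this thread without running make xconfig.
# Assumptions: 2.2-era option names (CONFIG_IP_FIREWALL, CONFIG_IP_MASQUERADE,
# CONFIG_SYN_COOKIES) and a .config in "CONFIG_X=y|m" / "# CONFIG_X is not set"
# form. CONFIGFILE and PROCDIR are arguments so the same functions run against
# /usr/src/linux/.config and /proc/sys/net/ipv4, or against the sample tree below.

# kernel_option NAME CONFIGFILE -> y (built in), m (module) or n (absent or unset)
kernel_option() {
    if grep -q "^$1=y" "$2" 2>/dev/null; then echo y
    elif grep -q "^$1=m" "$2" 2>/dev/null; then echo m
    else echo n
    fi
}

# sysctl_value KNOB PROCDIR -> contents of PROCDIR/KNOB, or "missing" if the
# kernel does not expose it (the same test rules.1 does with [ -e ... ])
sysctl_value() {
    if [ -r "$2/$1" ]; then cat "$2/$1"; else echo missing; fi
}

# masq_ready CONFIGFILE PROCDIR -> exit 0 when the compile-time options the
# masq rules need are present; prints one line per problem, and a note for
# options whose absence only degrades the ruleset
masq_ready() {
    cfg=$1; rc=0
    for opt in CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE; do
        if [ "$(kernel_option "$opt" "$cfg")" = n ]; then
            echo "$opt is not set: enable it under Networking Options and rebuild"
            rc=1
        fi
    done
    if [ "$(kernel_option CONFIG_SYN_COOKIES "$cfg")" = n ]; then
        echo "note: CONFIG_SYN_COOKIES not set; the tcp_syncookies echo in rules.1 is skipped"
    fi
    if [ "$(kernel_option CONFIG_IP_ROUTE_TOS "$cfg")" = n ]; then
        echo "note: CONFIG_IP_ROUTE_TOS not set; the -t TOS rules in rules.masq have no effect"
    fi
    return $rc
}

# masq_active PROCDIR -> exit 0 once the runtime knobs rules.1 and rules.masq
# write (ip_forward, tcp_syncookies, rp_filter) all read 1
masq_active() {
    rc=0
    for knob in ip_forward tcp_syncookies conf/all/rp_filter; do
        v=$(sysctl_value "$knob" "$1")
        if [ "$v" != 1 ]; then echo "$knob = $v (expected 1)"; rc=1; fi
    done
    return $rc
}

# write_demo_tree DIR: constructed sample data (not a real kernel or /proc):
# one config with masquerading, one without, and a /proc tree where the
# firewall script has set ip_forward and tcp_syncookies but not rp_filter
write_demo_tree() {
    mkdir -p "$1/proc/conf/all"
    cat > "$1/config-masq" <<'EOF'
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_SYN_COOKIES=y
# CONFIG_IP_ROUTE_TOS is not set
EOF
    cat > "$1/config-nomasq" <<'EOF'
CONFIG_IP_FIREWALL=y
# CONFIG_IP_MASQUERADE is not set
EOF
    echo 1 > "$1/proc/ip_forward"
    echo 1 > "$1/proc/tcp_syncookies"
    echo 0 > "$1/proc/conf/all/rp_filter"
}

demo=$(mktemp -d)
write_demo_tree "$demo"
masq_ready "$demo/config-masq" "$demo/proc" && echo "config-masq: kernel can masquerade"
masq_ready "$demo/config-nomasq" "$demo/proc" || echo "config-nomasq: rebuild needed"
masq_active "$demo/proc" || echo "runtime: not every knob is on yet"
rm -rf "$demo"
```

Run masq_ready against the .config before rebuilding, and masq_active only after pmfirewall has started: ip_forward is set to 1 by rules.masq itself, so a 0 there before the firewall script has run is expected, not a kernel problem.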
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:38:02 PDT