From: Franki (franki@gshop.com.au)
Date: Mon May 21 2001 - 20:33:12 PDT
Hi all,
I have an unusual situation in that I need to use ipchains to make port 80
of an internal machine appear to be port 80 on the gateway machine (the
internal machine is a Win2000 server (shudder)).
Is this possible???
Or do I need to use some form of routing?? (The internal server has a
private IP address, so I am guessing port forwarding is the way to go.)
Is this difficult with ipchains?
Can someone give me an example chain rule?
Any help would be most seriously appreciated...
Kindest regards
Frank
-----Original Message-----
From: owner-pmfirewall@pointman.org
[mailto:owner-pmfirewall@pointman.org]On Behalf Of Greg Stewart
Sent: Tuesday, 22 May 2001 11:04 AM
To: pmfirewall@pointman.org
Subject: Re: [pmfirewall] Problem with SSH AND SAMBA when using
pmfirewall
Do you have Masquerading setup and working? If so, ssh should be working on
the inside network without a problem.
Your ssh rule has a conflict with your networks: 192.168.x.x is already
blocked by the script's standard rules, and is not even a valid $OUTERNET
address. Typically OUTERNET & REMOTENET can be considered either 0.0.0.0/0
or your ISP's network (where your external address exists). The following is
how your external rule should look to allow ssh connections:
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 22 -j ACCEPT
Samba (port 137) should be blocked from the outside world entirely with a
similar DENY rule.
Somewhere in your masq'ing ruleset must be where the block on your
$INTERNALNET addresses is. When masquerading is configured correctly,
pmfirewall.conf should assign the internal IP to its local variables, and
pmfirewall.rules.masq will use these to set up your rules to accept internal
traffic.
Are there other services/connections that are not working when you activate
the firewall rules?
--Greg
----- Original Message -----
From: "Subzero" <subzero123_80@yahoo.com>
>
> I am trying to allow access to ssh and samba inside the network. I want
> to block the external net from getting in. I may want to allow ssh to
> anybody but I am not sure. Here is my line from rules.local. Another
> question: what is this line doing? $IPCHAINS -A output -p tcp -d 0/0 22 -t
> 0x01 0x10 telnet. Thanks for the help.
> #SSH
> $IPCHAINS -A input -p tcp -s 192.168.1.2 -d $OUTERNET 22 -j ACCEPT
> #NETBIOS
> $IPCHAINS -A input -p tcp -s 192.168.1.0/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
> $IPCHAINS -A input -p udp -s 192.168.1.0/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
> ****************************************************************************
> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> * in the message body to majordomo@pointman.org. Please direct other
> * questions, comments, or problems to pmfirewall-owner@pointman.org.
> *
> * Need answers fast? Check the list archive located at:
> * http://www.pointman.org/PMFirewall/list-archive/
> *
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:41:38 PDT
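The following script works Frank's question (make port 80 of an internal host appear as port 80 on the gateway, under ipchains) together with the points Greg makes in his reply: the external ssh rule takes $REMOTENET as source and the gateway's own address as destination, a 192.168.x.x source never legitimately shows up on the outer interface, and NetBIOS must be denied from outside. It is an added example, not pmfirewall's own code and not anything posted in the thread. The interface name, the addresses (203.0.113.10 for the gateway, 192.168.1.10 for the Win2000 server) and the use of ipmasqadm are assumptions: under 2.2-era ipchains, port forwarding is not done by ipchains itself but by the masquerade port-forwarding support in the kernel driven by ipmasqadm, and masquerading for the internal network must already be in place so the server's replies go back out through the MASQ rule.

```shell
#!/bin/sh
# Added example, not pmfirewall's code: ipchains-era port forwarding of
# TCP/80 on the gateway to an internal web server, plus the anti-spoof,
# NetBIOS and ssh rules discussed in the thread.  Every address and the
# interface name below is an assumption; adjust before use.
OUTERIF=${OUTERIF:-eth0}                  # interface carrying the public address
OUTER_IP=${OUTER_IP:-203.0.113.10}        # gateway's public address (assumed)
WEB_SERVER=${WEB_SERVER:-192.168.1.10}    # internal Win2000 server (assumed)
INTERNALNET=${INTERNALNET:-192.168.1.0/24}
REMOTENET=0.0.0.0/0                       # "anywhere", as Greg suggests
DRY_RUN=${DRY_RUN:-1}                     # 1 = print the commands, 0 = run them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Succeed when the address lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit (or apply) the rules.  Assumes the masquerade rule for INTERNALNET
# (ipchains -A forward -s $INTERNALNET -i $OUTERIF -j MASQ) already exists.
portfw_rules() {
    if ! is_rfc1918 "$WEB_SERVER"; then
        echo "refusing: WEB_SERVER $WEB_SERVER is not a private address" >&2
        return 1
    fi
    if is_rfc1918 "$OUTER_IP"; then
        echo "refusing: OUTER_IP $OUTER_IP is private; forwarding needs the public address" >&2
        return 1
    fi

    run sysctl -w net.ipv4.ip_forward=1

    # Private source addresses never legitimately arrive on the outer
    # interface, so a rule such as "-s 192.168.1.2 -d $OUTERNET" on it only
    # ever matches spoofed packets.  Deny and log them first (ipchains is
    # first-match, so order matters).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run ipchains -A input -i "$OUTERIF" -s "$net" -j DENY -l
    done

    # NetBIOS/SMB (137-139, TCP and UDP) must not be reachable from outside.
    run ipchains -A input -i "$OUTERIF" -p tcp -s "$REMOTENET" -d "$OUTER_IP" 137:139 -j DENY -l
    run ipchains -A input -i "$OUTERIF" -p udp -s "$REMOTENET" -d "$OUTER_IP" 137:139 -j DENY -l

    # ssh to the gateway from anywhere: the rule shape Greg gives.
    run ipchains -A input -i "$OUTERIF" -p tcp -s "$REMOTENET" -d "$OUTER_IP" 22 -j ACCEPT

    # Port 80: accept the packet on the input chain, then hand it to the
    # masquerade port forwarder, which rewrites it to the internal server.
    # "portfw -f" clears any earlier portfw entries before adding ours.
    run ipchains -A input -i "$OUTERIF" -p tcp -s "$REMOTENET" -d "$OUTER_IP" 80 -j ACCEPT
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$OUTER_IP" 80 -R "$WEB_SERVER" 80
}

portfw_rules
```

Run it as-is to see the rules it would apply; set DRY_RUN=0 as root to apply them. The two sanity checks up front catch the two configuration mistakes that make port forwarding silently fail: forwarding to an address that is not on the private network, and using a private address as the gateway's "public" side.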