Gowator Posted May 11, 2004
Yep, it's not easy but.... There's an LDP HOWTO... Masquerading Made Simple HOWTO... 8 pages... including the basic text for it. Anyway it will make the rules, then the webmin module reads 'em, and once they are in place they look a bit easier to understand.....
phunni Posted May 11, 2004 (edited)
OK - using the iptables tutorial mentioned elsewhere and another firewall script I found, I have put together the following:

#!/bin/sh
#
# /etc/rc.d/firewall: start/stop firewall
#
IPTABLES='/usr/sbin/iptables'
EXTIF='eth0'
INTIF='eth1'

if [ "$1" = "start" ]; then
    $IPTABLES -F
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    # only accept traffic on the internet interface that belongs to a connection we started
    $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # forward LAN traffic from $INTIF to internet interface $EXTIF
    # (chain names are case-sensitive: FORWARD, not forward)
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
    # and let the replies back in, otherwise forwarded connections never complete
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # enable ip forwarding
    /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
    # enable masquerading
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
elif [ "$1" = "stop" ]; then
    # flush rules and delete chains
    $IPTABLES -F
    $IPTABLES -X
    # reset the default policies as well; a flushed table with DROP policies still blocks everything
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
else
    echo "usage: $0 start|stop"
fi
# End of file

Can anyone confirm that it will work how I expect it to? i.e. 100% trusting anything from eth1 and doing ip forwarding, masquerading etc... but only allowing "solicited" connections to eth0? I'd like someone to check my script before I use it as my firewalling script...

Edit: also - is any of the above script redundant?
Edited May 11, 2004 by phunni
phunni Posted May 12, 2004
No iptables gurus out there who can help me...?
Gowator Posted May 12, 2004
Sorry phunni, I use webmin and I started from the simple quick start.... If you run your script and start up, then open webmin, it should read what you did..... Then it kinda makes a bit more sense.
phunni Posted May 12, 2004
OK - I just tried my script, and it doesn't do what I want - eth1 is not trusted enough. I couldn't log in via ssh anymore. I didn't check to see if I still had internet access, but not being able to log in is already too strict...
Gowator Posted May 12, 2004
Can you use webmin??? Will it let you? Honestly I'll try when I get home, but all I'll do is look it up in Linux firewall. You can actually clear the iptables.... with a single command if things get hairy.
phunni Posted May 12, 2004
I can't install webmin - I tried but it doesn't like Arch...
Gowator Posted May 12, 2004 (edited)
All from HOWTO (Masq made simple). Assuming the external internet card is eth0, the external IP is 123.12.23.43 and the internal network card is eth1, then:

$> modprobe ipt_MASQUERADE   # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Then to secure it:

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
$> iptables -P INPUT DROP   # only if the first two are successful
$> iptables -A FORWARD -i eth0 -o eth0 -j REJECT

And that's it! To view the rules do "iptables -t nat -L"

Edit: except the vertical line is MEANT to be a minus!!!!!
Edited May 12, 2004 by Gowator
phunni Posted May 12, 2004
OK - that looks pretty good. Can you explain some of the lines in the second bit of code so I can see exactly what I'm doing?
phunni Posted May 12, 2004
OK, never mind - I tried it and it seems to work almost perfectly. I appear to now have a very secure system :D I had my system tested by using this and it gave me a perfect pass! The only problem now is that certain things are painfully slow - most notably picking up any email. How do I specify that certain hosts are trusted?
jlc Posted May 12, 2004
Your Internet port 139 does not appear to exist! One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion. Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Hum, wonder why that is
Gowator Posted May 12, 2004
Sorry phunni, work lost internet access for a few hours LOL
phunni Posted May 12, 2004
Come on - just one line... How do I specify a trusted host that can connect to me so that I can pick up my mail without having to wait for a minute for each account...?
jlc Posted May 12, 2004
Check these out phunni: Iptables Part I, Iptables Part II. Part II will have what you are looking for.
phunni Posted May 12, 2004 (edited)
AAARRRGGHHH! This is sooo frustrating! I tried to use some of the script in that tutorial and just got loads of errors (too many to try and figure out what was going on). So I then reverted back to my original script - only this time it doesn't work, I don't know why though... So I am now right back to the script that anon recommended - which is OK, but it does return pings. I don't really get much of the iptables syntax at all. I'm getting more and more confused and less and less secure - all I want is a simple firewall which trusts my internal network and blocks anything I didn't ask for - but allows things like email etc. through without having to wait an age for it. It seems to me like, unless you can figure out iptables (which I can't - and now I feel stupid to cap it all off), it's just about impossible to get a simple but effective firewall going in Linux, unless you are happy to use a GUI - which I'm not, as I don't want X running on my server.

Edit: actually - despite a couple of unexplained errors - my firewall script does still seem to work, so I'm back to figuring out how to allow a host to be trusted so I can pick up my mail in reasonable time...
Edited May 12, 2004 by phunni
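The two questions that run through this thread (trust the LAN side completely while only letting solicited traffic in from the internet, and let a named mail host through so mail pickup stops stalling) can be answered in one script. The following is an added example written for this thread; it is not phunni's script, Gowator's HOWTO excerpt, or anything from the Masquerading HOWTO itself. It assumes eth0 is the internet side and eth1 the LAN, as in the thread; the trusted host 192.0.2.25 is a constructed placeholder; and the IPTABLES and IP_FORWARD variables exist so the script can be dry-run with IPTABLES=echo before it is loaded for real. One common cause of the "a minute per mail account" symptom with a DROP policy is the remote mail server probing ident (TCP 113) and waiting for a timeout, so the script answers that port with a reset instead of silence:

```shell
#!/bin/sh
# Added example (not the thread's own script): NAT firewall that trusts the LAN
# interface, masquerades it, accepts only reply traffic from the internet, and
# lets explicitly trusted hosts open new connections to this box.
# Interface names and the trusted address are assumptions for illustration.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # set IPTABLES=echo for a dry run
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
EXTIF="${EXTIF:-eth0}"    # internet-facing interface
INTIF="${INTIF:-eth1}"    # LAN interface, fully trusted
# Internet hosts allowed to open NEW connections to this box
# (constructed placeholder; replace with the real mail server address).
TRUSTED_HOSTS="${TRUSTED_HOSTS:-192.0.2.25}"

fw_flush() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
}

fw_start() {
    fw_flush
    # Default policies: nothing in or forwarded unless a rule allows it.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback and the LAN side may reach local services (ssh, etc.).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -j ACCEPT

    # Replies to connections this box started.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Explicitly trusted internet hosts may open new connections.
    for host in $TRUSTED_HOSTS; do
        $IPTABLES -A INPUT -i "$EXTIF" -s "$host" -m state --state NEW -j ACCEPT
    done

    # Mail servers often probe ident (TCP 113) before accepting a message;
    # a silent DROP makes them wait for a timeout, a reset answers at once.
    $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Forwarding: LAN out to the internet, replies back in, nothing else.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade LAN traffic leaving on the external interface.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    echo 1 > "$IP_FORWARD"
}

fw_stop() {
    fw_flush
    # Reset the policies too; a flushed table with DROP policies blocks everything.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    echo 0 > "$IP_FORWARD"
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    "")    ;;   # no argument: only define the functions (used when sourcing)
    *)     echo "usage: $0 start|stop" >&2; exit 1 ;;
esac
```

Run it as `IPTABLES=echo sh firewall.sh start` first to see every rule it would load, then as root with `sh firewall.sh start`; `iptables -L -n -v` and `iptables -t nat -L -n -v` show the loaded rules with packet counters, which is the quickest way to tell whether the trusted-host rule is actually matching mail traffic.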