Solved

NAT and FireWall samples

Posted on 2000-03-22
17
521 Views
Last Modified: 2010-03-18
I want some help with setting up my RedHat 6.1 server, so it does NAT and firewall.
0
Comment
Question by:rdno
  • 9
  • 4
  • 2
  • +2
17 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 200 total points
ID: 2646758
Have you looked at the howto docs? There's pretty good documentation on what you can do and how to do it in http://www.redhat.com/mirrors/LDP/HOWTO/IP-Masquerade-HOWTO.html and http://www.redhat.com/mirrors/LDP/HOWTO/IPCHAINS-HOWTO.html. Examples are fine but you really need to understand the basics to be able to adapt an example to your needs.
0
 
LVL 2

Expert Comment

by:mzehner
ID: 2647583
What do you want to do?  You could be looking to do one of the following 3 things.
1.  Are you asking to do IP masquerading so multiple computers behind your firewall can access an external network or the internet using one IP address?
2.  If you're talking about something beyond that and really doing NAT, you are probably looking into Virtual Private Networking (VPN) between two computers on a wide area network or across the internet.
3.  Are you looking into setting up a router with firewall rules set using ipchains.

If you want to do IP masquerading, here are some instructions.
1.  You first need IP Masquerading support in your kernel, which normally is in Redhat 6.1, but if you have a problem, check your kernel support.
2.  Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will load your needed modules into your kernel and set up your basic firewall rules. If you copy the file from this page, be sure to remove carriage returns when you get it into Linux or it may not work properly.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#  RealAudio WILL function but in TCP mode.  This can cause a reduction
#  in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This modules is
#   for for multiple users behind the Linux MASQ server.  If you are going to play
#   Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
# /sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
# Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
#     FORWARD_IPV4=false
#            to
#     FORWARD_IPV4=true
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
#       with DialD, PPPd, and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# DHCP:  For people who receive their external IP address from either DHCP or BOOTP
#        such as ADSL or Cablemodem users, it is necessary to use the following
#        before the deny command.  The "bootp_client_net_if_name" should be replaced
#        the name of the link that the DHCP/BOOTP server will put an address on to?
#        This will be something like "eth0", "eth1", etc.
#
#        This example is currently commented out.
#
#
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
#         network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ

Place the file in /etc/rc.d and call it rc.firewall.  Add the following line to the "/etc/rc.d/rc.local" file:
/etc/rc.d/rc.firewall.  Other than that it's a matter of setting any further ipchains rules you want.


0
 

Author Comment

by:rdno
ID: 2648645
can this sample do dynamic NAT?
And I have another problem, my dhcpd deamon runs, but no computer in my network get an IP....
I've been busy with the server for a week and if one thing works the other doesn't...
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2648911
By dynamic NAT are you referring to the case where you've got an outside pool of IP addresses and clients get assigned a unique outside IP for the lifetime of their connection? If so, then no, that example doesn't because it uses ipchains and ipchains can't do NAT. It does NPAT which is a many-to-one form of NAT. All of the inside computers use the same outside IP address.

If you need to do dynamic NAT to an outside pool of addresses you need ipfilters instead of ipchains. See http://cheops.anu.edu.au/~avalon/ip-filter.html for more information.

You may have a configuration error in you dhcp setup. Kill the dhcpd daemon and run it in debug mode from a shell (dhcpd -d) and you can see what it's doing.
0
 

Author Comment

by:rdno
ID: 2650471
can this sample do dynamic NAT?
And I have another problem, my dhcpd deamon runs, but no computer in my network get an IP....
I've been busy with the server for a week and if one thing works the other doesn't...
0
 
LVL 2

Expert Comment

by:mzehner
ID: 2651738
jlevie is correct.  IP masquerading translates the internal addresses of many computers to one address (it acts as an agent for the internal computers to communicate to the outside).
As far as your dhcp not working, check to be sure your server is receiving the dhcp requests.  Also there may be some information in your log files (/var/log) to indicate if your dhcp requests are being received.  Check your dhcp documentation to see what information is sent to the system logger.
0
 

Author Comment

by:rdno
ID: 2651854
Well the server gets the requests, when requesting an ip the leds on the switch indicate that a connection is made, it is a very strange problem cuz it'sa not consistent, once it gives an IP and 10 mins later it won't ....
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2651905
If you run dhcpd in debug mode it'll log every request and what it decided to to with the request to the screen. If it works sometimes and not others, you really need to see the debug trace to find out why.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:rdno
ID: 2652768
Well ran it in debug mode... the windows client requests came through and the RedHat server sent an ip back, but the client didn't reconize it as a given IP to him.... the clue is mentioned in the dhcp mini howto.
the last problem I have is that I have a rc.firewall, but when I run that script no traffic is possible inward and outward. the next message are the IP-Chains outputs:
0
 

Author Comment

by:rdno
ID: 2653006
Well I got the server to work, finally... It's not really the way I wanted, but till there's no real NAT support for linux I have to do it this way

tnx for your help!!!
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2653121
But there is real NAT support for Linux, just not with ipchains. If you use ipfilter you can do almost everything that a Ciso PIX firewall can do with respect NAT.
0
 
LVL 2

Expert Comment

by:mapc
ID: 2654807
jlevie: linux 2.2.x cannot use ipfilter. Just linux 2.0.x which most of people don't use anymore.
if you need real nat and you shall go with FreeBSD/NetBSD/OpenBSD/Solaris
0
 

Author Comment

by:rdno
ID: 2657970
Damn.....
The firewall seemed to work..... when I start the network everything is ok, I've written th rc.firewall script, with support for everything is needed, but after a while the network is going totally down, so at that point the linux computer isn't accessible at all, not from LAN or Internet, when I tell my linux server to restart network everything is doing 'OK' again, but after an hour it's the same problem, when I choose not to start firewall the linux computer keeps accesible.... tonight when I'm back home I'll post my rc.firewall here and maybe someone can tell me what's wrong with it, or maybe someone know's some diagnostic tools for my firewall...

tnx in regard of ANY answer...

Raymond
0
 

Author Comment

by:rdno
ID: 2659166
#!/bin/sh
#
#  /etc/rc.d/rc.firewall
#  Invoked from /etc/sysconfig/network-scripts/pump-done, or
#  from /etc/dhcpc/dhcpcd-eth0.exe, or
#  from /etc/sysconfig/network-scripts/ifdhcpc-done, or
#  from /etc/rc.d/rc.local.

echo "Starting firewalling... "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"            # whichever you use
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"            # whichever you use

IPADDR="my.ip.address"
LOCALNET_1="local_IP/24"            # whatever private range you use

ANYWHERE="any/0"

DHCP_SERVER="Cablemodem_DHCP"
NAMESERVER_1="1st_ISP_DNS"
NAMESERVER_2="2nd_ISP_DNS"

SMTP_SERVER="smtp.anywhere.com/0"      # Your external server.  Your relay.
POP_SERVER="pop.brabant.chello.nl"      # Your external server.
POP_SERVER2=""      # Your 2ns external server.
POP_SERVER3=""            # Your 3rd external server.
NEWS_SERVER="news.anywhere.com"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------

# nameservers are originally from /etc/dhcpc/resolv.conf.
# The example ifdhcpc-done script updates these automatically and
# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.

#  The IP address, $IPADDR, is defined by dhcpc

if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
    . /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
    . /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
elif [ -f /etc/dhcpc/pump.info ]; then
    . /etc/dhcpc/pump.info
else
    echo "rc.firewall:  dhcp is not configured."
    ipchains -F
    ipchains -P input  DENY
    ipchains -P output DENY
    ipchains -P forward DENY
    ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A input  -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
    exit 1
fi

# If using the example ifdhcpc-done script, the above NAMESERVER
# definitions will be overridden correctly here.

DHCP_SERVER=$DHCPSIADDR

# ----------------------------------------------------------------------------

NFS_PORT="2049"                        # (TCP/UDP) NFS
SOCKS_PORT="1080"                  # (TCP) Socks
OPENWINDOWS_PORT="2000"                  # (TCP) openwindows

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000"                  # (TCP) X windows

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1000:1023"                  # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Set the default policy of the filter to deny.
    ipchains -P input  ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward ACCEPT

    # set masquerade timeout to 10 hours for tcp connections
    ipchains -M -S 36000 0 0

    # Don't forward fragments. Assemble before forwarding.
    ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY

# ----------------------------------------------------------------------------

    # Enable TCP SYN Cookie Protection
    echo 1 >/proc/sys/net/ipv4/tcp_syncookies

    # Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done

    # These modules are necessary to masquerade their respective services.
    /sbin/modprobe ip_masq_ftp.o
    #/sbin/modprobe ip_masq_raudio.o ports=554,7070,7071,6970,6971
    #/sbin/modprobe ip_masq_irc.o
    #/sbin/modprobe/ip_masq_vdolive.o
    #/sbin/modprobe/ip_masq_cuseeme.o
    #/sbin/modprobe/ip_masq_quake.o

# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        . /etc/rc.d/rc.firewall.blocked
    fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse spoofed packets pretending to be from the external address.
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

    # Refuse packets claiming to be to or from a Class A private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

    # Refuse packets claiming to be to or from a Class B private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

    # Refuse packets claiming to be to or from a Class C private network
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

    # Refuse packets claiming to be from the loopback interface
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

    # Refuse broadcast address SOURCE packets
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

    # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

    # Refuse Class E reserved IP  addresses
    ipchains -A input  -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

    # refuse addresses defined as reserved by the IANA
    # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
    # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
    # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

    #65: 01000001    - /3 includes 64 - need 65-79 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

    #80: 01010000   - /4 masks 80-95
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

    # 96: 01100000    - /4 makses 96-111
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

    #126: 01111110    - /3 includes 127 - need 112-126 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

    #217: 11011001    - /5 includes 216 - need 217-219 spelled out
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

    #223: 11011111    - /6 masks 220-223
    ipchains -A input  -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------
# ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).
    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    #
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    #
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 8 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 12 -d $IPADDR -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 0 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 3 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 11 -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 12 -d $ANYWHERE -j ACCEPT

# ----------------------------------------------------------------------------
# Disallow certain outgoing traffic to protect yourself from mistakes.

    # openwindows: establishing a connection
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $IPADDR \
             -d $ANYWHERE $OPENWINDOWS_PORT -j REJECT

    # Xwindows: establishing a connection
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $IPADDR \
             -d $ANYWHERE $XWINDOW_PORTS -j REJECT

    # SOCKS: establishing a connection
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $IPADDR \
             -d $ANYWHERE $SOCKS_PORT -j REJECT

# ----------------------------------------------------------------------------
# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    # Deny access to the NFS, openwindows and X windows unpriveleged ports
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -d $IPADDR $NFS_PORT -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -d $IPADDR $OPENWINDOWS_PORT -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -d $IPADDR $XWINDOW_PORTS -j DENY -l

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -d $IPADDR $NFS_PORT -j DENY -l

# ----------------------------------------------------------------------------
    # DNS server
    # ----------

    # DNS forwarding, caching only nameserver (53)
    # --------------------------------------------

    # server to server query or response
    # Caching only name server only requires UDP, not TCP

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 53 \
             -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 53 \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_2 53 \
             -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 53 \
             -d $NAMESERVER_2 53 -j ACCEPT

    # DNS client (53)
    # ---------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

# ----------------------------------------------------------------------------
    # TCP accept only on selected ports
    # ---------------------------------
    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 22 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $SSH_PORTS \
             -d $IPADDR 22 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 22 \
             -d $ANYWHERE $SSH_PORTS -j ACCEPT

    # SSH client (22)
    # ---------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 22 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 22 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 22 \
             -d $IPADDR $SSH_PORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $SSH_PORTS \
             -d $ANYWHERE 22 -j ACCEPT

    # ------------------------------------------------------------------

    # TELNET server (23)
    # ------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 23 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 23 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # TELNET client (23)
    # ------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 23 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 23 -j ACCEPT

    # ------------------------------------------------------------------

    # HTTP server (80)
    # ----------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 80 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 80 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # HTTP client (80)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 80 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 80 -j ACCEPT

    # ------------------------------------------------------------------

    # HTTPS client (443)
    # ------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 443 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 443 -j ACCEPT

    # ------------------------------------------------------------------

    # POP client (110)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $POP_SERVER 110 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $POP_SERVER 110 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $POP_SERVER2 110 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $POP_SERVER2 110 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $POP_SERVER3 110 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $POP_SERVER3 110 -j ACCEPT

    # ------------------------------------------------------------------

    # NNTP NEWS client (119)
    # ----------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NEWS_SERVER 119 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NEWS_SERVER 119 -j ACCEPT

    # ------------------------------------------------------------------

    # FINGER client (79)
    # ------------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 79 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 79 -j ACCEPT

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Accept incoming connections to identd but disable in.identd in inetd.conf.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 113 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 113 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # AUTH client (113)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 113 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 113 -j ACCEPT

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $SMTP_SERVER 25 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $SMTP_SERVER 25 -j ACCEPT

    # ------------------------------------------------------------------

    # SOCKS5 server (1080)
    # --------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s martijn $UNPRIVPORTS \
             -d $IPADDR 1080 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 1080 \
             -d martijn $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # IRC client (6667)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 6667 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 6667 -j ACCEPT

    # ------------------------------------------------------------------

    # ICQ client (4000)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 2000:4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 2000:4000 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 4000 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 4000 -j ACCEPT

    # ------------------------------------------------------------------

    # FTP server (20, 21)
    # -------------------

    # incoming request

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 21 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 21 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # PORT MODE data channel responses
    #
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR 20 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR 20 \
            -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # PASSIVE MODE data channel responses

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # FTP client (20, 21)
    # -------------------

    # outgoing request
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 21 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 21 -j ACCEPT

    # NORMAL mode data channel
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
            -s $ANYWHERE 20 \
            -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # NORMAL mode data channel responses
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE 20 -j ACCEPT

    # PASSIVE mode data channel creation
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # PASSIVE mode data channel responses
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # RealAudio / QuickTime client
    # ----------------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 554 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 554 -j ACCEPT


    # TCP is a more secure method:  7070:7071

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 7070:7071 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 7070:7071 -j ACCEPT


    # UDP is the preferred method:  6970:6999
    # For LAN machines, UDP requires the RealAudio masquerading module and
    # the ipmasqadm third-party software.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 6970:6999 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 43 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 43 -j ACCEPT

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------

    # DHCP client (67, 68)
    # --------------------

    # allow dhcp server (67) to connect to dhcp client (68)
    # Note: the DHCP server is the only externel source of broadcast
    #       messages we should see, ever.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $DHCP_SERVER 67 \
             -d $IPADDR 68 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 68 \
             -d $DHCP_SERVER 67 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $DHCP_SERVER 67 \
             -d $BROADCAST_DEST 68 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $BROADCAST_SRC 68 \
             -d $DHCP_SERVER 67 -j ACCEPT

    # Getting renumbered
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $BROADCAST_SRC 67 \
             -d $BROADCAST_DEST 68 -j ACCEPT

    # REBINDING: Lease time expired. Fall back to INIT.
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $BROADCAST_SRC 68 \
             -d $BROADCAST_DEST 67 -j ACCEPT

    # As a result of the above, we're supposed to change our IP address with
    # this message, which is addressed to our new address before the dhcp
    # client has received the update.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $DHCP_SERVER 67 \
             -d $ANYWHERE 68 -j ACCEPT

    # log any other dhcp server (67) to connect to dhcp client (68)
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 67 \
             -d $IPADDR 68 -j DENY

    # ------------------------------------------------------------------

    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $TRACEROUTE_SRC_PORTS \
             -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

    # All internal machines have access to the fireall machine.

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

    # All internal traffic is masqueraded externally.

    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ


# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -j DENY -l

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -j DENY -l


    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 5 -d $IPADDR -j DENY -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

echo "done"

exit 0
0
 

Expert Comment

by:lugnut1221
ID: 2662243
ok first use linuxconf and under routing and default gateways .check the enable routing option.  

Next in the rc.local file add the following two lines


/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s XX.XX.XX.XX/ZZ -j MASQ

XX.XX.XX.XX should be the ips you want to forward. for example if you iped your pc 10.10.10.1, 10.10.10.2, 10.10.10.3 ........you would use XX.XX.XX.XX= 10.10.10.0 and ZZ=24

Just make the default gateway for the internal computers the ip of the Linux box (internal address not the ips address)  just also make sure the linux box can reach the outside and you should be fine
0
 

Author Comment

by:rdno
ID: 2681967
This is an answer with the information mentioned above.... the things you say to do are already in the script, and default gateway is set by dhcpd (running). I can't accept this way of easy earning points by stealing data out of the comments
0
 

Author Comment

by:rdno
ID: 2681981
I think this is the most useable info. jlevie has helped me most so I think he earns the points.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now