[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IP Masq and Cable Modem: I Got It!

To: "INTERNET:members@xxxxxxxxxxxxxxxxxx" <members@xxxxxxxxxxxxxxxxxx>
Subject: IP Masq and Cable Modem: I Got It!
From: Daniel Szalay <DSzalay@xxxxxxxxxxxxxx>
Date: Fri, 1 Dec 2000 00:01:12 -0500
Sender: Daniel Szalay <DSzalay@xxxxxxxxxxxxxx>

I found an error in the script that was preventing IP Masq from
functioning. It now works great! Thanks to all who offered suggestions.

I'm posting my rc.firewall script for all to scrutinize. I'm looking for
suggestions on how to lockdown my server. This basic script was copied from
the IP MASQ HOWTO. After reading that and the IPCHAINS HOWTO, I see there
are a lot of options available which can (if not used properly) leave a lot
of holes in a firewall. So I'm looking for suggestions from anyone who is
knowledgeable in IPCHAINS and IP MASQ. I'm really nervous about leaving my
server connected 24/7. I'm just surfing the net, so I won't have any
inbound traffic. Here it is...


#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x
kernels 
#               using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
modules
#          are shown below but are commented out from loading.


# Needed to initially load modules
#
/sbin/depmod -a


# Supports the proper masquerading of FTP file transfers using the PORT
method
#
/sbin/modprobe ip_masq_ftp


# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reductio
#       in sound quality
#
/sbin/modprobe ip_masq_raudio


# Supports the masquerading of IRC DCC file transfer
#
#/sbin/modprobe ip_masq_irc


# Supports the masquerading of Quake and QuakeWorld by default.  This
modules is
#   for for multiple users behind the Linux MASQ server.  If you are going
to 
#   play Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an
old
#   -----  kernel that has bugs in it.  Please upgrade to the newest
kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme


#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive


#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in 
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by
default 
#           in 2.2.x kernels.  This used to be a compile-time option but
the 
#           behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
this #   following option.  This enables dynamic-ip address hacking in IP
MASQ, 
#   making the life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ
box,
#  and you have set it up to the best of your ability without it working,
try
#  enabling this option (delete the "#" character).  This option is
disabled
#  by default due to possible internal machine UDP port scanning 
#  vunerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) 
#
/sbin/ipchains -M -S 7200 10 160


# DHCP:  For people who receive their external IP address from either DHCP
or 
#        BOOTP such as ADSL or Cablemodem users, it is necessary to use the

#        following before the deny command.  The "bootp_client_net_if_name"

#        should be replaced the name of the link that the DHCP/BOOTP server

#        will put an address on to?  This will be something like "eth0", 
#        "eth1", etc.
#
#        This example is currently commented out.
#
#
/sbin/ipchains -F input
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the 
#         192.168.0.x network with a 255.255.255.0 or a "24" bit subnet
mask
#         connecting to the Internet on interface eth0.
#
#         ** Please change this network number, subnet mask, and your
Internet
#         ** connection interface name to match your internal LAN setup
#
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ


Thanks in advance!!!
Dan

Prev by Date: KLUG Meeting Notes - 11/28/2000
Next by Date: Hotmail scripts
Prev by thread: KLUG Meeting Notes - 11/28/2000
Next by thread: Hotmail scripts
Index(es):
- Date
- Thread