gferg 2003-11-09 22:43:56 +00:00
parent 3024fefa1c
commit 01553d771d
3 changed files with 211 additions and 57 deletions

View File

@ -1913,7 +1913,7 @@ chains software for Linux, and some ideas on how you might use them. </Para>
IP-Masquerade-HOWTO</ULink>,
<CiteTitle>Linux IP Masquerade HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Jun 2003</CiteTitle>.
<CiteTitle>Updated: Nov 2003</CiteTitle>.
How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
</ListItem>

View File

@ -965,7 +965,7 @@ A beginning document for using Portslave with the Linux router. </Para>
IP-Masquerade-HOWTO</ULink>,
<CiteTitle>Linux IP Masquerade HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: Jun 2003</CiteTitle>.
<CiteTitle>Updated: Nov 2003</CiteTitle>.
How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
</ListItem>

View File

@ -16,13 +16,9 @@
</AUTHOR>
<pubdate>
v2.00.062203, June 22, 2003
v2.00.110903, 2003-11-09
</pubdate>
<Abstract>
<para>
v2.00.062203, June 22, 2003
</para>
<para>
This document describes how to enable the Linux IP Masquerade feature on a
given Linux host. IP Masquerade is a form of Network Address Translation or
@ -30,7 +26,6 @@ NAT which NAT allows internally connected computers that do not have one or more
registered Internet IP addresses to communicate to the Internet via the Linux
server's Internet IP address.
</para>
</Abstract>
</BookInfo>
@ -490,7 +485,7 @@ The second system (which does not need to be Linux) connects into the
Linux #1 box and starts its network traffic to the Internet. This second
machine does NOT have a publicly assigned IP address from the Internet, so it
uses an
<ULink URL="http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1918.html">
<ULink URL="http://www.ietf.org/rfc/rfc1918.txt?number=1918">
RFC1918 private address</ULink>, say 192.168.0.100. (see below for more info)
</para>
@ -717,7 +712,7 @@ Please also keep in mind that there might be several benefits in performing a
full ruleset re-write to take advantage of the newer IPTABLES features like
stateful tracking, etc. but that is dependant upon how much time you have to
migrate your old rulesets. Please see <XRef LinkEnd="ipchains-on-2.4.x"> for
addutional details.
additional details.
</para>
</listitem>
</ItemizedList>
@ -3652,7 +3647,7 @@ SIMPLE ruleset:
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.74
FWVER=0.75
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
@ -3665,6 +3660,7 @@ FWVER=0.74
#
#
# Log:
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
@ -3824,7 +3820,7 @@ $MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
@ -3833,11 +3829,22 @@ $MODPROBE ip_nat_ftp
echo "----------------------------------------------------------------------"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
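Review bot: the new iptable_mangle entry calls it "this target", but iptable_mangle is the mangle table (what `-t mangle` loads), not a target; the target that rewrites MSS is TCPMSS (ipt_TCPMSS), which needs the mangle table to be present. The neighbouring ipt_mark entry has the same mix-up in the other direction: ipt_mark is the `mark` match, ipt_MARK is the MARK target, and loading the match does not pull in the target. Suggest "# iptable_mangle - the mangle table, needed by packet-altering targets such as TCPMSS and MARK" and "# ipt_mark - the mark match; ipt_MARK is the target that sets the mark".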
@ -3868,8 +3875,6 @@ echo "----------------------------------------------------------------------"
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.
echo -e " Done loading modules.\n"
@ -6407,7 +6412,7 @@ running properly:
<Title>Loading up the rc.firewall ruleset</Title>
<para>
Ok, run the command "/etc/rc.d/rc.firewall".
Step One: run the command "/etc/rc.d/rc.firewall".
</para>
<para>
@ -6500,7 +6505,7 @@ invalid IO or IRQ parameters
<ItemizedList>
<listitem>
<para>
<Emphasis role="strong">Step One: Testing internal MASQ client PC connectivity
<Emphasis role="strong">Step Two: Testing internal MASQ client PC connectivity
</Emphasis>
</para>
@ -6547,7 +6552,7 @@ round-trip min/avg/max = 0.4/0.5/0.8 ms
<listitem>
<para>
<Emphasis role="strong">Step Two: Testing internal MASQ client to MASQ server
<Emphasis role="strong">Step Three: Testing internal MASQ client to MASQ server
connectivity</Emphasis>
</para>
@ -6613,7 +6618,7 @@ caused them all kinds of grief.
<listitem>
<para>
<Emphasis role="strong">Step Three: Testing internal MASQ server connectivity
<Emphasis role="strong">Step Four: Testing internal MASQ server connectivity
</Emphasis>
</para>
@ -6660,7 +6665,7 @@ round-trip min/avg/max = 0.4/0.5/0.8 ms
<listitem>
<para>
<Emphasis role="strong">Step Four: Testing internal MASQ server to MASQ client
<Emphasis role="strong">Step Five: Testing internal MASQ server to MASQ client
connectivity</Emphasis>
</para>
@ -6701,13 +6706,13 @@ round-trip min/avg/max = 0.4/0.5/0.8 ms
<Sect1 id="testing-masq-server-external">
<Title>Testing External Internet connectivity</Title>
<Title>Testing External MASQ server Internet connectivity</Title>
<ItemizedList>
<listitem>
<para>
<Emphasis role="strong">Step Five: Testing External MASQ server Intenret Linux
<Emphasis role="strong">Step Six: Testing external MASQ server to Internet
connectivity</Emphasis
</para>
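Review bot: the unchanged line `connectivity</Emphasis` is missing the closing `>` of its end tag, so the Step Six heading's Emphasis element is left open; since this heading is being edited anyway, terminate it as `connectivity</Emphasis>` the way every other step heading does.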
@ -6820,7 +6825,7 @@ your
<listitem>
<para>
<Emphasis role="strong">Step Six: Testing internal MASQ client to external MASQ
<Emphasis role="strong">Step Seven: Testing internal MASQ client to external MASQ
server connectivity</Emphasis>
</para>
@ -6956,7 +6961,7 @@ ACCEPT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
<listitem>
<para>
<Emphasis role="strong">Step Seven: Testing external MASQ ICMP forwarding</Emphasis>
<Emphasis role="strong">Step Eight: Testing external MASQ ICMP forwarding</Emphasis>
</para>
<para>
@ -7016,7 +7021,7 @@ like "eth0".
<listitem>
<para>
<Emphasis role="strong">Step Eight: Testing MASQ functionality without DNS</Emphasis>
<Emphasis role="strong">Step Nine: Testing MASQ functionality without DNS</Emphasis>
</para>
<para>
@ -7066,7 +7071,7 @@ login: Connection closed by foreign host.
<ItemizedList>
<listitem>
<para>
<Emphasis role="strong">Step Nine: Testing MASQ functionality with DNS
<Emphasis role="strong">Step Ten: Testing MASQ functionality with DNS
resolution
</Emphasis>
</para>
@ -7124,7 +7129,7 @@ servers but this is beyond the scope of this HOWTO.
<listitem>
<para>
<Emphasis role="strong">Step Ten: Testing more MASQ functionality with DNS</Emphasis>
<Emphasis role="strong">Step Eleven: Testing more MASQ functionality with DNS</Emphasis>
</para>
<para>
@ -7167,7 +7172,7 @@ a given IP MASQ module).
<ItemizedList>
<listitem>
<para>
<Emphasis role="strong">Step Eleven: Any remaining functional, performance,
<Emphasis role="strong">Step Twelve: Any remaining functional, performance,
etc. issues...</Emphasis>
</para>
@ -7822,13 +7827,16 @@ Cannot work at present (it makes invalid assumptions about addresses).
#
# rc.firewall-2.4-stronger
#
FWVER=0.79s
FWVER=0.80s
# An example of a stronger IPTABLES firewall with IP Masquerade
# support for 2.4.x kernels.
#
# Log:
#
# 0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
# default of the ip_conntrack_irc to NOT load by default, and
# added additional kernel module comments
# 0.79s - ruleset now uses modprobe instead of insmod
# 0.78s - REJECT is not a legal policy yet; back to DROP
# 0.77s - Changed the default block behavior to REJECT not DROP
@ -8067,15 +8075,15 @@ fi
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
# Disabled by default -- insert a "#" on the next few lines to activate
#
echo -en " ip_conntrack_irc, "
# echo -en " ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_irc
fi
# if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
# $MODPROBE ip_conntrack_irc
# fi
#Load the general IPTABLES NAT code - "iptable_nat"
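Review bot: the new instruction "Disabled by default -- insert a "#" on the next few lines to activate" is inverted: the lines that follow are already commented out, so the reader must remove the "#" to activate the module. Use the same wording as the ip_nat_irc block later in this ruleset: "Disabled by default -- delete the "#" on the next few lines to activate". It is also worth saying in the comment that ip_nat_irc depends on this module, so anyone who wants DCC NAT has to uncomment both blocks.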
@ -8105,13 +8113,38 @@ if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi
#Loads the IRC NAT functionality (for DCC) into the core IPTABLES code
#
# DISABLED by default -- delete the "#" on the next few lines to activate
#
# echo -e "ip_nat_irc"
#
#Verify the module isn't loaded. If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
# $MODPROBE ip_nat_irc
# fi
echo " ---"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
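Review bot: `# echo -e "ip_nat_irc"` breaks the convention the surrounding module blocks use (`echo -en "name, "`) to keep all loaded module names on one line ahead of `echo " ---"`; once uncommented, `-e` without `-n` ends the line early, so it should read `# echo -en "ip_nat_irc, "`. The activation comment should also state that ip_nat_irc requires ip_conntrack_irc, which this same patch turns off by default; modprobe will load the dependency silently, but the script's progress output will not show it. Separately, the rewritten comment block again calls iptable_mangle "this target": it is the mangle table, not a target, and it is what packet-altering targets such as TCPMSS and MARK operate in.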
@ -8141,9 +8174,6 @@ echo " ---"
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.
#CRITICAL: Enable IP forwarding since it is disabled by default since
@ -10703,6 +10733,12 @@ Debian v2.2 : YES - 2.2.15 based
</para>
</listitem>
<listitem>
<para>
Debian v3.0 : YES - 2.4.18 based
</para>
</listitem>
<listitem>
<para>
DLX Linux v? : ? - ?
@ -11726,10 +11762,10 @@ nasty MTU problem:
<para>
You can find more info about this topic on the web. Specifically, here is
good presentaion on the topic:
<ULink URL="http://www.trust-factory.com/mss-talk.pdf">mss-talk presentation
<ULink URL="http://www.phildev.net/mss/mss-talk.pdf">mss-talk presentation
(PDF)</ULink>. Here is the entire
<ULink URL=" http://www.trust-factory.com/van_den_berg-lisa02.pdf">Write
up (PDF)</ULink>
<ULink URL="http://www.phildev.net/mss/lisa.html">Write
up and other good info</ULink>
</para>
<para>
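Review bot: while these URLs are being updated, the unchanged lead-in "here is good presentaion on the topic" should read "here is a good presentation on the topic", and the rewritten link text "Write up and other good info" drops the sentence's final period.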
@ -12516,20 +12552,20 @@ There is probably a few common things that you are going to see:
<ItemizedList>
<listitem>
<para>
<Emphasis role="strong">MASQ: Failed TCP Checksum error:</Emphasis> You will
see this error when a packet coming from the Internet gets corrupt in the data
section of the packet but the rest of it "seems" ok. When the Linux box
receives this packet, it will calculate the CRC of the packet and determine
that its corrupt. On most machines running OSes like Microsoft Windows, they
just silently drop the packets but Linux IP MASQ reports it. If you get a LOT
of them over your PPP link, first follow the FAQ entry above for "(Performance)
- Masq seems is slow".
<Emphasis role="strong">MASQ: Failed TCP Checksum error:</Emphasis> You
might see this error when a packet coming from the Internet gets corrupt in
the data section of the packet but the rest of it "seems" ok. When the Linux
box receives this packet, it will calculate the CRC of the packet and
determine that its corrupt. On most machines running OSes like Microsoft
Windows, they just silently drop the packets but Linux IP MASQ reports it. If
you get a LOT of them over your PPP link, first follow the FAQ entry above for
"(Performance) - Masq seems is slow".
</para>
<para>
If the (Performance) FAQ tips don't help and you run PPP over dialup or PPPoE,
you might try adding the line "-vj" to your /etc/ppp/options file and restart
the PPPd connection.
you might try adding the line "-vj" (disabled VanJacobson header compression) to
your /etc/ppp/options file and restart the PPPd connection.
</para>
</listitem>
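Review bot: "-vj" (disabled VanJacobson header compression)" should read "-vj" (disables Van Jacobson TCP/IP header compression)": this is pppd's switch for turning VJ compression off, so the parenthetical should say what the option does, not its state. Since this paragraph is being reflowed anyway, it still says the Linux box "will calculate the CRC of the packet and determine that its corrupt"; TCP carries a one's-complement checksum, not a CRC, and the log message itself says Checksum, so "verify the TCP checksum and determine that it's corrupt" is more accurate.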
@ -12539,13 +12575,17 @@ the PPPd connection.
Internet with a decent firewall, you will be surprised with the number of users
trying to penetrate your Linux box! So what do all these firewall logs mean?
</para>
<para>
More so, if they are filling your logs, see the next FAQ entry on thoughts
<Emphasis>how to reduce</Emphasis> all these log entries.
</para>
</listitem>
<listitem>
<para>
From the
The following details are from the
<ULink URL="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#TrinityOS">TrinityOS - Section 10</ULink>
doc:
documentation I also wrote:
</para>
<para>
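Review bot: the new sentence "see the next FAQ entry on thoughts how to reduce all these log entries" is missing a preposition ("for ideas on how to reduce"), and since this patch adds a Sect1 with id "reducing-masq-logs", the reference should be an <XRef LinkEnd="reducing-masq-logs"> as the document does elsewhere rather than "the next FAQ entry", which silently breaks if an entry is later inserted between them.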
@ -12815,6 +12855,79 @@ read this.
</Sect1>
<Sect1 id="reducing-masq-logs">
<Title>( Log Reduction ) - My logs are filling up with packet hits due to the
new "stronger" rulesets. How can I fix this? </Title>
<para>
So your realizing that a good firewall is catching a LOT of bad Internet
traffic. That's a good thing but it's also filling up your logs to the point
that you won't read them; that's bad.
What to do?
</para>
<para>
What you need to figure out is what traffic you DON"T want to log, explicitly
match those packets in the firewall, and NOT log the packets when you drop
them.
</para>
<para>
For example, the TrinityOS firewall ruleset in section 10.7 (this would be a
"strongest" ruleset in IPMASQ speak) gives some ideas:
<ULink
URL="http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-10.html">
TrinityOS - Section 10.7</Ulink>
</para>
<para>
Things I recommend to filter:
<ItemizedList>
<listitem>
<para>All RFC1918 address space (TCP/IP address ranges: 10.x.y.z/8,
172.16-31.y.z/12, and 192.168.y.x/16). You should /never/ receive these
packets from an Internet connection. If you do, they are most likely spoofed
packets</para>
</listitem>
<listitem>
<para>Windows File and Print Sharing (Samba or CIFS): ports 137, 138, 139,
and 445. Windows machines like to talk a lot though most computers don't care
what they're saying.</para>
</listitem>
<listitem>
<para>Class-D Multicast addresses (if you don't use Multicast): 224.0.0.0/4
</para>
</listitem>
<listitem>
<para>Class-E and F "future" addresses: 240.0.0.0/5 and 248.0.0.0/5
</para>
</listitem>
</ItemizedList>
</para>
<para>
To a much lesser extent, you might want to filter other packets. I recommend
that you verify that you are receiving these specific packet types before
you filter them out.
<ItemizedList>
<listitem>
<para>RIP (the routing protocol): port 520</para>
</listitem>
<listitem>
<para>Some specific forms of ICMP packets - NOT all of them (that will
break your machine and IPMASQ in general)</para>
</listitem>
</ItemizedList>
</para>
<para>
Finally, you'll probably find that some individual TCP/IP address out on the
Internet always seem to attack your IP. So, in addition to filtering various
PORTS like above, you might want to also filter by specific SOURCE IP address
too. After all, it is *YOUR* firewall.
</para>
</Sect1>
<Sect1 id="masq-host-security">
<Title>( MASQ Security ) - Can I configure IP MASQ to allow Internet users to
directly contact internal MASQed servers?</Title>
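Review bot: a few problems in the new Sect1. Wording: DON"T uses a double quote for an apostrophe, "So your realizing" should be "you're", and the end tag </Ulink> does not match the <ULink> spelling used for every other link in the document. Content: there is no class F; 240.0.0.0/5 plus 248.0.0.0/5 is just 240.0.0.0/4, the reserved Class E block, so list that single range. "Samba or CIFS" mixes an implementation with a protocol; "SMB/CIFS (Windows file and print sharing, also served by Samba)" is clearer. Two caveats a reader will want: the RFC1918 drop rule must be bound to the external interface only, or the 192.168.x.x MASQ clients this HOWTO sets up will be silently dropped; and the quiet DROP rules have to sit before the final log-and-drop rule, otherwise they never match and the logs stay just as full.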
@ -14738,6 +14851,47 @@ Update the portfw FTP patch
<!-- Blah -->
<!-- ChangeLOG -->
<para>
Changes from 06/22/03 to 11/09/03
<ItemizedList>
<listitem>
<para>
10/25/03: Fixed a dead RFC1918 URL in section 3.3. Thanks to Mark Sobell for the report.
</para>
</listitem>
<listitem>
<para>
07/07/03: Added the "reducing-masq-log" FAQ entry to help people reduce the
size of their firewall logs.
</para>
</listitem>
<listitem>
<para>
06/27/03: Updated the rc.firewall-2.4-stronger ruleset to 0.80s. Added a
DISABLED ip_nat_irc kernel module section, changed the default of the
ip_conntrack_irc to NOT load by default, and added additional kernel module
comments.
</para>
</listitem
<listitem>
<para>
06/27/03: Updated the rc.firewall-2.4 ruleset to 0.75. Added additional
iptables kernel module comments.
</para>
</listitem
<listitem>
<para>
06/24/03: Added Debian 3.0 to the supported distro list
</para>
</listitem
<listitem>
<para>
06/23/03: Change the PMTU URLs to point to Phil's primary www site
</para>
</listitem
</ItemizedList
</para
<para>
Changes from 05/26/03 to 06/22/03
<ItemizedList>
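Review bot: the changelog markup is malformed: four `</listitem` end tags plus `</ItemizedList` and `</para` are missing their closing `>`, which an SGML parser may recover from but which will not survive a DocBook XML conversion. The 07/07/03 entry names the new FAQ entry "reducing-masq-log", while the Sect1 this patch adds uses id="reducing-masq-logs"; quote the actual id. Minor: "06/23/03: Change the PMTU URLs" should be "Changed", matching the tense of the other entries.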