updated

2003-01-17 14:04:33 +00:00 · 2003-01-17 14:04:33 +00:00 · 35e2b474fe
parent ec09eeb7b2
commit 35e2b474fe
1 changed files with 104 additions and 46 deletions
--- a/LDP/howto/docbook/IP-Masquerade-HOWTO.sgml
+++ b/LDP/howto/docbook/IP-Masquerade-HOWTO.sgml
@ -20,7 +20,7 @@
 <Abstract>

 <para>
-v2.00.011303, January 13, 2003
+v2.00.011703, January 17, 2003
 </para>

 <para>
@ -1199,7 +1199,7 @@ mirrir</ULink>, or his old
    <ItemizedList>
     <listitem>
      <para>
-      <ULink URL="http://members.tripod.com/~djsf/masq-icq/">Andrew Deryabin's ICQ 
+      <ULink URL="http://djsf.narod.ru/masq-icq">Andrew Deryabin's ICQ 
 MASQ module</ULink> for 2.2.x and 2.0.x kernels
      </para>
     </listitem>
@ -1530,7 +1530,7 @@ Masquerade related options.
   <ItemizedList>
    <listitem>
     <para>
-     <ULink URL="http://members.tripod.com/~djsf/masq-icq/">Andrew Deryabin's ICQ 
+     <ULink URL="http://djsf.narod.ru/masq-icqf/">Andrew Deryabin's ICQ 
     MASQ module </ULink> for 2.2.x and 2.0.x kernels
     </para>
    </listitem>
@ -3510,7 +3510,7 @@ SIMPLE ruleset:
 #!/bin/sh
 #
 # rc.firewall-2.4
-FWVER=0.71
+FWVER=0.72
 #
 #               Initial SIMPLE IP Masquerade test for 2.4.x kernels
 #               using IPTABLES.  
@ -3523,6 +3523,7 @@ FWVER=0.71
 #
 #
 # Log:
+#       0.72 - Changed the default block behavior to REJECT not DROP
 #       0.71 - Added clarification that PPPoE users need to use
 #              "ppp0" instead of "eth0" for their external interface
 #       0.70 - Added commented option for IRC nat module
@ -3772,14 +3773,14 @@ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
 #Clearing any previous configuration
 #
 #  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
-#    The default for FORWARD is DROP
+#    The default for FORWARD is REJECT
 #
 echo "   clearing any existing rules and setting default policy.."
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -F INPUT 
 $IPTABLES -P OUTPUT ACCEPT
 $IPTABLES -F OUTPUT 
-$IPTABLES -P FORWARD DROP
+$IPTABLES -P FORWARD REJECT
 $IPTABLES -F FORWARD 
 $IPTABLES -t nat -F

@ -7668,13 +7669,14 @@ Cannot work at present (it makes invalid assumptions about addresses).
 #
 # rc.firewall-2.4-stronger
 #
-FWVER=0.76s
+FWVER=0.77s

 #          An example of a stronger IPTABLES firewall with IP Masquerade 
 #          support for 2.4.x kernels.  
 #
 # Log:
 #
+#   0.77s - Changed the default block behavior to REJECT not DROP
 #   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
 #           where to put optional PORTFW commands
 #   0.75s - Added clarification that PPPoE users need to use
@ -8032,18 +8034,18 @@ echo "  ---"

 #Clearing any previous configuration
 #
-#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP.
+#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to REJECT
 #
 #    You CANNOT change this to REJECT as it isn't a vaild setting for a
 #    policy.  If you want REJECT, you must explictly REJECT at the end
 #    of a giving INPUT, OUTPUT, or FORWARD chain
 #
-echo "  Clearing any existing rules and setting default policy to DROP.."
-$IPTABLES -P INPUT DROP  
+echo "  Clearing any existing rules and setting default policy to REJECT.."
+$IPTABLES -P INPUT REJECT
 $IPTABLES -F INPUT 
-$IPTABLES -P OUTPUT DROP  
+$IPTABLES -P OUTPUT REJECT
 $IPTABLES -F OUTPUT 
-$IPTABLES -P FORWARD DROP  
+$IPTABLES -P FORWARD REJECT
 $IPTABLES -F FORWARD 
 $IPTABLES -F -t nat

@ -8077,7 +8079,7 @@ $IPTABLES -Z
 echo "  Creating a DROP chain.."
 $IPTABLES -N drop-and-log-it
 $IPTABLES -A drop-and-log-it -j LOG --log-level info 
-$IPTABLES -A drop-and-log-it -j DROP
+$IPTABLES -A drop-and-log-it -j REJECT

 echo -e "\n   - Loading INPUT rulesets"

@ -8324,9 +8326,11 @@ Lastly, if you are using a STATIC PPP IP address, change the
 # /etc/rc.d/rc.firewall: An example of a Stronger IPCHAINS firewall 
 #                        ruleset for 2.2 kernels
 #
-FWVER=0.65s
+FWVER=0.70s
 #
 # Log:
+#  0.70s - Added missing execution variables
+#        - fixed a missing -p tcp for the commented HTTPd section
 #  0.65s - Added comments HTTPd rules to the INPUT and OUTPUT section
 #        - Added a comment where to insert IPPORTFW commands
 #  0.60s - Changed the EXTIP command to work on NON-English distros
@ -8335,6 +8339,27 @@ FWVER=0.65s

 echo -e "\nLoading rc.firewall-2.2-stronger : version $FWVER..\n"

+
+# The location of various iptables and other shell programs
+#
+#   If your Linux distribution came with a copy of iptables, most
+#   likely it is located in /sbin.  If you manually compiled 
+#   iptables, the default location is in /usr/local/sbin
+#
+# ** Please use the "whereis iptables" command to figure out 
+# ** where your copy is and change the path below to reflect 
+# ** your setup
+#
+IPCHAINS=/sbin/ipchains
+LSMOD=/sbin/lsmod
+DEPMOD=/sbin/depmod
+INSMOD=/sbin/insmod
+MODPROBE=/sbin/modprobe
+GREP=/bin/grep
+AWK=/bin/awk
+SED=/bin/sed
+IFCONFIG=/sbin/ifconfig
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin


@ -8360,21 +8385,21 @@ INTNET="192.168.0.0/24"

 # Needed to initially load modules
 #
-/sbin/depmod -a
+$DEPMOD -a

 # Supports the proper masquerading of FTP file transfers using the PORT method
 #
-/sbin/modprobe ip_masq_ftp
+$MODPROBE ip_masq_ftp

 # Supports the masquerading of RealAudio over UDP.  Without this module,
 #       RealAudio WILL function but in TCP mode.  This can cause a reduction
 #       in sound quality
 #
-/sbin/modprobe ip_masq_raudio
+$MODPROBE ip_masq_raudio

 # Supports the masquerading of IRC DCC file transfers
 #
-#/sbin/modprobe ip_masq_irc
+#$MODPROBE ip_masq_irc


 # Supports the masquerading of Quake and QuakeWorld by default.  These modules are
@ -8385,19 +8410,19 @@ INTNET="192.168.0.0/24"
 #   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
 #
 #Quake I / QuakeWorld (ports 26000 and 27000)
-#/sbin/modprobe ip_masq_quake
+#$MODPROBE ip_masq_quake
 #
 #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
-#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
+#$MODPROBE ip_masq_quake 26000,27000,27910,27960


 # Supports the masquerading of the CuSeeme video conferencing software
 #
-#/sbin/modprobe ip_masq_cuseeme
+#$MODPROBE ip_masq_cuseeme

 #Supports the masquerading of the VDO-live video conferencing software
 #
-#/sbin/modprobe ip_masq_vdolive
+#$MODPROBE ip_masq_vdolive


 #CRITICAL:  Enable IP forwarding since it is disabled by default
@ -8517,30 +8542,30 @@ EXTIP="`$IFCONFIG $EXTIF | $AWK \
 #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec 
 #     firewall timeout in ICQ itself)
 #
-ipchains -M -S 7200 10 60
+$IPCHAINS -M -S 7200 10 60

 #############################################################################
 # Incoming, flush and set default policy of reject. Actually the default policy
 # is irrelevant because there is a catch all rule with deny and log.
 #
-ipchains -F input
-ipchains -P input REJECT
+$IPCHAINS -F input
+$IPCHAINS -P input REJECT

 # local interface, local machines, going anywhere is valid
 #
-ipchains -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT
+$IPCHAINS -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT

 # remote interface, claiming to be local machines, IP spoofing, get lost
 #
-ipchains -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
+$IPCHAINS -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT

 # remote interface, any source, going to permanent PPP address is valid
 #
-ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
+$IPCHAINS -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT

 # loopback interface is valid.
 #
-ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
+$IPCHAINS -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT


 # ----- Begin OPTIONAL INPUT Section -----
@ -8550,7 +8575,7 @@ ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
 #         the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
 #         an internal WWW server
 #
-#ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP 80 -j ACCEPT
+#$IPCHAINS -A input -i $EXTIF -p tcp -s 0.0.0.0/0 -d $EXTIP 80 -j ACCEPT

 #
 # ----- End OPTIONAL INPUT Section -----
@ -8559,34 +8584,34 @@ ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
 # catch all rule, all other incoming is denied and logged. pity there is no
 # log option on the policy but this does the job instead.
 #
-ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
+$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

 #############################################################################
 # Outgoing, flush and set default policy of reject. Actually the default policy
 # is irrelevant because there is a catch all rule with deny and log.
 #
-ipchains -F output
-ipchains -P output REJECT
+$IPCHAINS -F output
+$IPCHAINS -P output REJECT

 # local interface, any source going to local net is valid
 #
-ipchains -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT
+$IPCHAINS -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT

 # outgoing to local net on remote interface, stuffed routing, deny
 #
-ipchains -A output -i $EXTIF -s 0.0.0.0/0 -d $INTNET -l -j REJECT
+$IPCHAINS -A output -i $EXTIF -s 0.0.0.0/0 -d $INTNET -l -j REJECT

 # outgoing from local net on remote interface, stuffed masquerading, deny
 #
-ipchains -A output -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
+$IPCHAINS -A output -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT

 # anything else outgoing on remote interface is valid
 #
-ipchains -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT
+$IPCHAINS -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT

 # loopback interface is valid.
 #
-ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
+$IPCHAINS -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT


 # ----- Begin OPTIONAL OUTPUT Section -----
@ -8596,7 +8621,7 @@ ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
 #         the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
 #         an internal WWW server
 #
-#ipchains -A outut -i $EXTIF -s $EXTIP 80 -d 0.0.0.0/0 -j ACCEPT
+#$IPCHAINS -A output -i $EXTIF -p tcp -s $EXTIP 80 -d 0.0.0.0/0 -j ACCEPT

 #
 # ----- End OPTIONAL OUTPUT Section -----
@ -8604,14 +8629,14 @@ ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
 # catch all rule, all other outgoing is denied and logged. pity there is no
 # log option on the policy but this does the job instead.
 #
-ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
+$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

 #############################################################################
 # Forwarding, flush and set default policy of deny. Actually the default policy
 # is irrelevant because there is a catch all rule with deny and log.
 #
-ipchains -F forward
-ipchains -P forward DENY
+$IPCHAINS -F forward
+$IPCHAINS -P forward DENY


 # ----- Begin OPTIONAL FORWARD Section -----
@ -8621,12 +8646,12 @@ ipchains -P forward DENY

 # Masquerade from local net on local interface to anywhere.
 #
-ipchains -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ
+$IPCHAINS -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ
 #
 # catch all rule, all other forwarding is denied and logged. pity there is no
 # log option on the policy but this does the job instead.
 #
-ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
+$IPCHAINS -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

 #End of file.
 </screen>
@ -9043,7 +9068,7 @@ ppp_ip="your.static.PPP.address"
 # is irrelevant because there is a catch all rule with deny and log.
 #
 /sbin/ipfwadm -F -f
-/sbin/ipfwadm -F -p deny
+/sbin/ipfwadm -F -p reject

 # Masquerade from local net on local interface to anywhere.
 #
@ -13924,8 +13949,41 @@ Update the portfw FTP patch
 <!-- ChangeLOG -->

 <para>
-Changes from 01/12/03 to 01/13/03
+Changes from 01/12/03 to 01/17/03
 <ItemizedList>
+ <listitem>
+  <para>
+  01/17/03: Fixed a major issue where the rc.firewall-2.2-stronger ruleset
+  was referencing missing executable variables.  This was taken from the
+  2.4-stronger ruleset but I guess I forgot to finish it off.  Fixed.
+  Thanks to Samuel Kim for catching this!
+  </para>
+ </listitem>
+ <listitem>
+  <para>
+  01/17/03: Fixed an issue where the rc.firewall-2.2-stronger's commented 
+  HTTP section was missing the "-p tcp" option.
+  Thanks to Samuel Kim for catching this!
+  </para>
+ </listitem>
+ <listitem>
+  <para>
+  01/16/03: Updated the URL for DJSF's ICQ module
+  </para>
+ </listitem>
+ <listitem>
+  <para>
+  01/16/03: Changed the default policy and drop chain from DENY to REJECT
+  on both IPTABLES rulesets and on the advanced IPFWADM rulset. 
+  Thanks to Jonathan Hutchins for bringing this to my attention.
+  </para>
+ </listitem>
+ <listitem>
+  <para>
+  01/16/03: Fixed a typo in the commented out HTTPd OUTPUT section of the 
+  rc.firewall-2.2-s ruleset 
+  </para>
+ </listitem>
 <listitem>
  <para>
  01/13/03: Updated the IPMASQ www site URL from ipmasq.cjb.net to