diff --git a/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml b/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml index 7a60e8dc..5be99fef 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml @@ -1937,7 +1937,7 @@ chains software for Linux, and some ideas on how you might use them. IP-Masquerade-HOWTO, Linux IP Masquerade HOWTO -Updated: Nov 2003. +Updated: Apr 2005. How to enable the Linux IP Masquerade feature on a given Linux host. diff --git a/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml b/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml index ffcc6871..70603e7c 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml @@ -984,7 +984,7 @@ A beginning document for using Portslave with the Linux router. IP-Masquerade-HOWTO, Linux IP Masquerade HOWTO -Updated: Nov 2003. +Updated: Apr 2005. How to enable the Linux IP Masquerade feature on a given Linux host. diff --git a/LDP/howto/docbook/IP-Masquerade-HOWTO.sgml b/LDP/howto/docbook/IP-Masquerade-HOWTO.sgml index 065f5407..e720ae39 100644 --- a/LDP/howto/docbook/IP-Masquerade-HOWTO.sgml +++ b/LDP/howto/docbook/IP-Masquerade-HOWTO.sgml @@ -16,9 +16,13 @@ -v2.00.110903, 2003-11-09 +April 30, 2005 + +April 30, 2005 + + This document describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masquerade is a form of Network Address Translation or @@ -26,6 +30,7 @@ NAT which NAT allows internally connected computers that do not have one or more registered Internet IP addresses to communicate to the Internet via the Linux server's Internet IP address. + @@ -1187,9 +1192,8 @@ Masquerade related options. - IP PortForwarding (IPMASQADM) -- RECOMMENDED, IPMASQADM -mirror. + IP PortForwarding (IPMASQADM) +- RECOMMENDED - mirror 
@@ -1549,9 +1553,9 @@ someone from the Internet to possibly get into your internal network. Once you have IP MASQ functioning, it is HIGHLY recommended for the user to implement a STRONG IPFWADM/IPCHAINS firewall ruleset. Please see - , - and - located below for more details. + , + and + located below for more details. @@ -3592,10 +3596,10 @@ bare minimum firewall ruleset to get IP Masquerading working. Once IP MASQ has been successfully tested (as described later in this HOWTO), please refer to the Stronger IPTABLES ruleset for 2.4.x kernels in -, the Stronger IPCHAINS ruleset -for 2.2.x kernels in , and +, the Stronger IPCHAINS ruleset +for 2.2.x kernels in , and the Stronger IPFWADM ruleset for 2.0.x kernels in -. Please note that these +. Please note that these stronger firewall rulesets are more of a template than anythingelse. For truly secure firewall rulesets, check out the the requirements section of the HOWTO ( 2.4.x - , 2.2.x - @@ -3613,13 +3617,13 @@ URL="http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/rc.firewall-exam download an archive of all of these rc.firewall files. - -Configuring IP Masquerade on Linux 2.4.x Kernels + +Configuring IP Masquerade on Linux 2.6.x and 2.4.x Kernels Please note that IPCHAINS is no longer the primary -firewall configuration tool for the 2.4.x kernels. The new -kernels now use the IPTABLES toolkit though the new 2.4.x kernels CAN +firewall configuration tool for the 2.6.x and 2.4.x kernels. The +new kernels now use the IPTABLES toolkit though the new 2.4.x kernels CAN still run most old IPCHAINS or IPFWADM rulesets via a compatiblity module. It should be noted that when in this mode, NO IPTABLES modules can be loaded. It should also be noted that none of the 2.2.x IPMASQ 
@@ -3636,20 +3640,20 @@ file would contain very secure firewall rulesets as well. -Anyway, create the file /etc/rc.d/rc.firewall-2.4 with the following initial -SIMPLE ruleset: +Anyway, create the file /etc/rc.d/rc.firewall-iptables with the following +initial SIMPLE ruleset: -<rc.firewall-2.4 START> +<rc.firewall-iptables START> #!/bin/sh # -# rc.firewall-2.4 -FWVER=0.75 +# rc.firewall-iptables +FWVER=0.76 # -# Initial SIMPLE IP Masquerade test for 2.4.x kernels +# Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels # using IPTABLES. # # Once IP Masquerading has been tested, with this simple @@ -3660,6 +3664,7 @@ FWVER=0.75 # # # Log: +# 0.76 - Added comments on why the default policy is ACCEPT # 0.75 - Added more kernel modules to the comments section # 0.74 - the ruleset now uses modprobe vs. insmod # 0.73 - REJECT is not a legal policy yet; back to DROP @@ -3924,6 +3929,12 @@ echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP (REJECT is not a valid policy) # +# Isn't ACCEPT insecure? To some degree, YES, but this is our testing +# phase. Once we know that IPMASQ is working well, I recommend you run +# the rc.firewall-*-stronger rulesets which set the defaults to DROP but +# also include the critical additional rulesets to still let you connect to +# the IPMASQ server, etc. +# echo " Clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT 
@@ -3941,15 +3952,15 @@ $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE -echo -e "\nrc.firewall-2.4 v$FWVER done.\n" +echo -e "\nrc.firewall-iptables v$FWVER done.\n" -<rc.firewall-2.4 STOP> +<rc.firewall-iptables STOP> Once you are finished with editing the /etc/rc.d/rc.firewall ruleset, make it -executable by typing in chmod 700 /etc/rc.d/rc.firewall-2.4 +executable by typing in chmod 700 /etc/rc.d/rc.firewall-iptables @@ -3973,7 +3984,7 @@ you have to do is add the line: echo "Loading the rc.firewall ruleset.. " -/etc/rc.d/rc.firewall-2.4 +/etc/rc.d/rc.firewall-iptables @@ -3990,17 +4001,17 @@ copy the following file into the /etc/rc.d/init.d directory: -<firewall-2.4 START> +<firewall-iptables START> #!/bin/sh # # chkconfig: 2345 11 89 # -# description: Loads the rc.firewall-2.4 ruleset. +# description: Loads the rc.firewall-iptables ruleset. # -# processname: firewall-2.4 +# processname: firewall-iptables # pidfile: /var/run/firewall.pid -# config: /etc/rc.d/rc.firewall-2.4 +# config: /etc/rc.d/rc.firewall-iptables # probe: true # ---------------------------------------------------------------------------- @@ -4044,7 +4055,7 @@ IPTABLES=/usr/local/sbin/iptables # See how we were called. case "$1" in start) - /etc/rc.d/rc.firewall-2.4 + /etc/rc.d/rc.firewall-iptables ;; stop) 
@@ -4078,21 +4089,41 @@ case "$1" in ;; *) - echo "Usage: firewall-2.4 {start|stop|status|mlist}" + echo "Usage: firewall-iptables {start|stop|status|mlist}" exit 1 esac exit 0 -<firewall-2.4 STOP> +<firewall-iptables STOP> -With this script in place, run the command: +With this script in place, all you need to do now is make it executable and +then make it load upon reboot. First, make it executable by running: -chkconfig --level=345 firewall-2.4 on +#Redhat-style +# +chmod 700 /etc/rc.d/init.d/firewall-iptables + +Now, make the ruleset load upon reboot: + +#Redhat style +# +chkconfig --level=345 firewall-iptables on + +That's it! Now upon boot, the firewall will be loaded automatically. Just +to make sure, run the command to see that the firewall should start upon +reboot by running the command: + +#Redhat style +# +chkconfig --list firewall-iptables + +#The output should look like: +# +firewall-iptables 0:off 1:off 2:off 3:on 4:on 5:on 6:off -That's it! Now upon boot, the firewall will be loaded automatically. @@ -4116,7 +4147,7 @@ to do is add the line: echo "Loading the rc.firewall ruleset.." -/etc/rc.d/rc.firewall-2.4 +/etc/rc.d/rc.firewall-iptables @@ -4145,7 +4176,7 @@ Internet and NOT any of the other internal machines. I would change the in the #!/bin/sh # -# Partial 2.4.x config to enable simple IP forwarding and Masquerading +# Partial IPTABLES config to enable simple IP forwarding and Masquerading # v0.61 # # NOTE: The following is an example to allow only IP Masquerading for the @@ -4201,7 +4232,7 @@ need IP Masquerade. -Please see for a detailed guide on +Please see for a detailed guide on a strong IPTABLES ruleset example. For additional details on IPTABLES usage, please refer to http://www.netfilter.org/ for the primary IPTABLES site. @@ -4211,7 +4242,7 @@ http://www.netfilter.org/ for the primary IPTABLES site. - + Configuring IP Masquerade on Linux 2.2.x Kernels 
@@ -4222,16 +4253,16 @@ detailed reason for this change, please see . -Create the file /etc/rc.d/rc.firewall-2.2 with the following initial SIMPLE +Create the file /etc/rc.d/rc.firewall-ipchains with the following initial SIMPLE ruleset: -<rc.firewall-2.2 START> +<rc.firewall-ipchains START> #!/bin/sh # -# rc.firewall-2.2 +# rc.firewall-ipchains # # - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels # using IPCHAINS. @@ -4241,8 +4272,9 @@ ruleset: # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. -FWVER="1.22" +FWVER="1.23" # +# 1.23 - Added comments on why the default policy is ACCEPT # 1.22 - ruleset now uses modprobe instead of insmod # 1.21 - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface @@ -4250,7 +4282,7 @@ FWVER="1.22" # 1.01 - Original version -echo -e "\n\nLoading simple rc.firewall-2.2 : version $FWVER..\n" +echo -e "\n\nLoading simple rc.firewall-ipchains : version $FWVER..\n" # The location of the ipchains and kernel module programs @@ -4413,6 +4445,12 @@ echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is REJECT # +# Isn't ACCEPT insecure? To some degree, YES, but this is our testing +# phase. Once we know that IPMASQ is working well, I recommend you run +# the rc.firewall-*-stronger rulesets which set the defaults to DROP but +# also include the critical additional rulesets to still let you connect to +# the IPMASQ server, etc. +# echo " clearing any existing rules and setting default policy.." $IPCHAINS -P input ACCEPT $IPCHAINS -P output ACCEPT 
@@ -4454,15 +4492,15 @@ echo " enabling IPMASQ functionality on $EXTIF" $IPCHAINS -P forward DENY $IPCHAINS -A forward -i $EXTIF -s $INTLAN -j MASQ -echo -e "\nrc.firewall-2.2 v$FWVER done.\n" +echo -e "\nrc.firewall-ipchains v$FWVER done.\n" -<rc.firewall-2.2 STOP> +<rc.firewall-ipchains STOP> Once you are finished with editing the /etc/rc.d/rc.firewall ruleset, make it -executable by typing in chmod 700 /etc/rc.d/rc.firewall +executable by typing in chmod 700 /etc/rc.d/rc.firewall-ipchains @@ -4486,7 +4524,7 @@ you have to do is add the line: echo "Loading the rc.firewall ruleset.." -/etc/rc.d/rc.firewall-2.2 +/etc/rc.d/rc.firewall-ipchains @@ -4502,17 +4540,17 @@ copy the following file into the /etc/rc.d/init.d directory: -<firewall-2.2 START> +<firewall-ipchains START> #!/bin/sh # # chkconfig: 2345 11 89 # -# description: Loads the rc.firewall-2.2 ruleset. +# description: Loads the rc.firewall-ipchains ruleset. # -# processname: firewall-2.2 +# processname: firewall-ipchains # pidfile: /var/run/firewall.pid -# config: /etc/rc.d/rc.firewall-2.2 +# config: /etc/rc.d/rc.firewall-ipchains # probe: true # ---------------------------------------------------------------------------- @@ -4558,7 +4596,7 @@ IPCHAINS=/sbin/ipchains # See how we were called. case "$1" in start) - /etc/rc.d/rc.firewall-2.2 + /etc/rc.d/rc.firewall-ipchains ;; stop) 
@@ -4587,23 +4625,42 @@ case "$1" in ;; *) - echo "Usage: firewall-2.2 {start|stop|status|mlist}" + echo "Usage: firewall-ipchains {start|stop|status|mlist}" exit 1 esac exit 0 -<firewall-2.2 STOP> +<firewall-ipchains STOP> -With this script in place, run the command: +With this script in place, all you need to do now is make it executable and +then make it load upon reboot. First, make it executable by running: -chkconfig --level=345 firewall-2.2 on +#Redhat-style +# +chmod 700 /etc/rc.d/init.d/firewall-ipchains -That's it! Now upon boot, the firewall will be loaded automatically. - +Now, make the ruleset load upon reboot: + +#Redhat style +# +chkconfig --level=345 firewall-ipchains on + +That's it! Now upon boot, the firewall will be loaded automatically. Just +to make sure, run the command to see that the firewall should start upon +reboot by running the command: + +#Redhat style +# +chkconfig --list firewall-ipchains +#The output should look like: +# +firewall-ipchains 0:off 1:off 2:off 3:on 4:on 5:on 6:off + + @@ -4625,7 +4682,7 @@ to do is add the line: echo "Loading the rc.firewall ruleset.." -/etc/rc.d/rc.firewall-2.2 +/etc/rc.d/rc.firewall-ipchains @@ -4709,7 +4766,7 @@ need IP Masquerade. -Please see for a detailed guide on +Please see for a detailed guide on IPCHAINS and a strong IPCHAINS ruleset example. For additional details on IPCHAINS usage, please refer to @@ -4721,23 +4778,24 @@ Linux IP CHAINS HOWTO Backup site - + Configuring IP Masquerade on Linux 2.0.x Kernels Create the file /etc/rc.d/rc.firewall with the following initial SIMPLE ruleset: -<rc.firewall-2.0 START> +<rc.firewall-ipfwadm START> #!/bin/sh # -# rc.firewall-2.0 +# rc.firewall-ipfwadm # # A Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM # -FWVER="2.02" +FWVER="2.03" # +# 2.03 - Added comments on why the default policy is ACCEPT # 2.02 - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface # 
@@ -4878,6 +4936,12 @@ echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is REJECT # +# Isn't ACCEPT insecure? To some degree, YES, but this is our testing +# phase. Once we know that IPMASQ is working well, I recommend you run +# the rc.firewall-*-stronger rulesets which set the defaults to DROP but +# also include the critical additional rulesets to still let you connect to +# the IPMASQ server, etc. +# echo " clearing any existing rules and setting default policy.." /sbin/ipfwadm -I -p accept /sbin/ipfwadm -O -p accept @@ -4920,9 +4984,9 @@ echo " enabling IPMASQ functionality on $EXTIF" /sbin/ipfwadm -F -p deny /sbin/ipfwadm -F -a m -W $EXTIF -S $INTLAN -D 0.0.0.0/0 -echo -e "\nrc.firewall-2.0 v$FWVER done.\n" +echo -e "\nrc.firewall-ipfwadm v$FWVER done.\n" -<rc.firewall-2.0 STOP> +<rc.firewall-ipfwadm STOP> @@ -4965,17 +5029,17 @@ copy the following file into the /etc/rc.d/init.d directory: -<firewall-2.0 START> +<firewall-ipfwadm START> #!/bin/sh # # chkconfig: 2345 11 89 # -# description: Loads the rc.firewall-2.0 ruleset. +# description: Loads the rc.firewall-ipfwadm ruleset. # -# processname: firewall-2.0 +# processname: firewall-ipfwadm # pidfile: /var/run/firewall.pid -# config: /etc/rc.d/rc.firewall-2.0 +# config: /etc/rc.d/rc.firewall-ipfwadm # probe: true # ---------------------------------------------------------------------------- @@ -5021,7 +5085,7 @@ IPFWADM=/sbin/ipfwadm # See how we were called. case "$1" in start) - /etc/rc.d/rc.firewall-2.0 + /etc/rc.d/rc.firewall-ipfwadm ;; stop) 
@@ -5050,21 +5114,41 @@ case "$1" in ;; *) - echo "Usage: firewall-2.0 {start|stop|status|mlist}" + echo "Usage: firewall-ipfwadm {start|stop|status|mlist}" exit 1 esac exit 0 -<firewall-2.0 STOP> +<firewall-ipfwadm STOP> -With this script in place, run the command: +With this script in place, all you need to do now is make it executable and +then make it load upon reboot. First, make it executable by running: -chkconfig --level=345 firewall-2.0 on +#Redhat-style +# +chmod 700 /etc/rc.d/init.d/firewall-ipfwadm + +Now, make the ruleset load upon reboot: + +#Redhat style +# +chkconfig --level=345 firewall-ipfwadm on + +That's it! Now upon boot, the firewall will be loaded automatically. Just +to make sure, run the command to see that the firewall should start upon +reboot by running the command: + +#Redhat style +# +chkconfig --list firewall-ipfwadm + +#The output should look like: +# +firewall-ipfwadm 0:off 1:off 2:off 3:on 4:on 5:on 6:off -That's it! Now upon boot, the firewall will be loaded automatically. @@ -5088,7 +5172,7 @@ is the easiest. All you have to do is add the line: echo "Loading the rc.firewall ruleset.." -/etc/rc.d/rc.firewall-2.0 +/etc/rc.d/rc.firewall-ipfwadm @@ -5168,8 +5252,8 @@ every time you need IP Masquerade. -Please see and -for a detailed guide and stronger +Please see and +for a detailed guide and stronger examples of IPCHAINS and IPFWADM ruleset examples. @@ -6967,7 +7051,7 @@ ACCEPT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a From an internal MASQed computer, ping a static TCP/IP address (NOT a machine by DNS name) out on the Internet (i.e. ping -152.2.210.81 (this technically the DNS name "metalab.unc.edu" which +152.2.210.80 (this technically the DNS name "metalab.unc.edu" which is home of MetaLabs' Linux Archive). If this works, it should look something like the result below and this ultimately shows that ICMP Masquerading is working properly. (hit Control-C to abort the ping): 
@@ -6976,16 +7060,16 @@ working properly. (hit Control-C to abort the ping): ------------------------------------- -masq-client# ping 152.2.210.81 +masq-client# ping 152.2.210.80 -PING 12.13.14.15 (152.2.210.81): 56 data bytes -64 bytes from 152.2.210.81: icmp_seq=0 ttl=255 time=133.4 ms -64 bytes from 152.2.210.81: icmp_seq=1 ttl=255 time=132.5 ms -64 bytes from 152.2.210.81: icmp_seq=2 ttl=255 time=128.8 ms -64 bytes from 152.2.210.81: icmp_seq=3 ttl=255 time=132.2 ms +PING 12.13.14.15 (152.2.210.80): 56 data bytes +64 bytes from 152.2.210.80: icmp_seq=0 ttl=255 time=133.4 ms +64 bytes from 152.2.210.80: icmp_seq=1 ttl=255 time=132.5 ms +64 bytes from 152.2.210.80: icmp_seq=2 ttl=255 time=128.8 ms +64 bytes from 152.2.210.80: icmp_seq=3 ttl=255 time=132.2 ms ^C ---- 152.2.210.81 ping statistics --- +--- 152.2.210.80 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 128.8/131.7/133.4 ms ------------------------------------- @@ -7037,9 +7121,9 @@ the TELNET): -------------------------------- -masq-client# telnet 152.2.210.81 -Trying 152.2.210.81... -Connected to 152.2.210.81. +masq-client# telnet 152.2.210.80 +Trying 152.2.210.80... +Connected to 152.2.210.80. Escape character is '^]'. @@ -7086,8 +7170,8 @@ this shows that UDP-based DNS is working fine. -------------------------------- masq-client# telnet MetaLab.unc.edu -Trying 152.2.210.81... -Connected to 152.2.210.81. +Trying 152.2.210.80... +Connected to 152.2.210.80. Escape character is '^]'. @@ -7241,7 +7325,7 @@ Masquerade Resource. - + Supported Client Software and Other Setup Notes @@ -7677,7 +7761,7 @@ Works right out of the box but requires the one Quake I/II/III player behind a MASQ box. Also, this module only supports Quake I and QuakeWorld by default. If you need to support Quake II or non-default server ports, please see the module install section of - and + and rulesets. 
@@ -7817,23 +7901,36 @@ Cannot work at present (it makes invalid assumptions about addresses). Stronger firewall rulesets to run after initial testing - + Stronger IP Firewall (IPTABLES) rulesets -<rc.firewall-2.4-stronger START> +<rc.firewall-iptables-stronger START> #!/bin/sh # -# rc.firewall-2.4-stronger +# rc.firewall-iptables-stronger # -FWVER=0.80s +FWVER=0.85s # An example of a stronger IPTABLES firewall with IP Masquerade # support for 2.4.x kernels. # # Log: # +# 0.85s - renamed from rc.firewall-2.4-stronger to rc.firewall-iptables- +# stronger to reflect this script works for all IPTABLES enabled +# platforms including 2.6.x kernels +# - fixed an incorrect /24 netmask for the INTIP variable +# - removed the unneeded SED variable +# 0.84s - Changed the defaults from 192.168.1.0 to 192.168.0.x to align +# with the rest of the IPMASQ howto +# 0.83s - Added additional comments to make PORTFW configs more obvious +# 0.82s - Added a special ICMP filter to work around a Netfilter security +# issue +# - renamed the drop-and-log-it rule to reject-and-log-it +# 0.81s - Added an additional comment in the INPUT section for NOT +# allowing all traffic in, but only select traffic # 0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the # default of the ip_conntrack_irc to NOT load by default, and # added additional kernel module comments @@ -7877,7 +7974,6 @@ DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe GREP=/bin/grep AWK=/bin/awk -SED=/bin/sed IFCONFIG=/sbin/ifconfig @@ -7980,8 +8076,8 @@ echo " ---" # Assign the internal TCP/IP network and IP address -INTNET="192.168.1.0/24" -INTIP="192.168.1.1/24" +INTNET="192.168.0.0/24" +INTIP="192.168.0.1/32" echo " Internal Network: $INTNET" echo " Internal IP: $INTIP" echo " ---" 
@@ -8207,14 +8303,13 @@ echo " ---" # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the -# 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet +# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet # mask connecting to the Internet on external interface "eth0". # This example will MASQ internal traffic out to the Internet # but not allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your -# *** Internet connection interface name to match your setup # #Clearing any previous configuration @@ -8262,9 +8357,9 @@ $IPTABLES -Z # pain. # echo " Creating a DROP chain.." -$IPTABLES -N drop-and-log-it -$IPTABLES -A drop-and-log-it -j LOG --log-level info -$IPTABLES -A drop-and-log-it -j REJECT +$IPTABLES -N reject-and-log-it +$IPTABLES -A reject-and-log-it -j LOG --log-level info +$IPTABLES -A reject-and-log-it -j REJECT echo -e "\n - Loading INPUT rulesets" @@ -8286,7 +8381,7 @@ $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT # remote interface, claiming to be local machines, IP spoofing, get lost # -$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it +$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j reject-and-log-it # external interface, from any source, for ICMP traffic is valid 
@@ -8297,12 +8392,23 @@ $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it #$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT -# remote interface, any source, going to permanent PPP address is valid +# remote interface, any source, going to the MASQ servers IP address is valid +# +# ENABLE this line if you want ALL Internet traffic to connect to your +# the various servers running on the MASQ server. This includes +# web servers, ssh servers, dns servers, etc. +# +# I DON'T recommend you enable this rule. Instead, only enable specific +# access to select server ports under the "OPTIONAL INPUT Section". +# An example of enabling HTTP (WWW) has been given below: +# # #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT -# Allow any related traffic coming back to the MASQ server in +# Allow any related traffic coming back to the MASQ server in. +# +# STATEFULLY TRACKED # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ ESTABLISHED,RELATED -j ACCEPT @@ -8329,12 +8435,14 @@ $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ # ----- End OPTIONAL INPUT Section ----- - # Catch all rule, all other incoming is denied and logged. # -$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it +$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it + +; --------------------------------------------------------------------- + echo -e " - Loading OUTPUT rulesets" ####################################################################### @@ -8342,6 +8450,11 @@ echo -e " - Loading OUTPUT rulesets" # already flushed and set to a default policy of DROP. # +# Workaround bug in netfilter +# See http://www.netfilter.org/security/2002-04-02-icmp-dnat.html +# +$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP + # loopback interface is valid. # $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT 
@@ -8352,14 +8465,14 @@ $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT -# local interface, any source going to local net is valid +# local interface, MASQ server source going to the local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny # -$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it +$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j reject-and-log-it # anything else outgoing on remote interface is valid @@ -8384,7 +8497,7 @@ $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT # Catch all rule, all other outgoing is denied and logged. # -$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it +$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it echo -e " - Loading FORWARD rulesets" @@ -8395,6 +8508,8 @@ echo -e " - Loading FORWARD rulesets" # ----- Begin OPTIONAL FORWARD Section ----- # +# Put PORTFW commands here +# # ----- End OPTIONAL FORWARD Section ----- @@ -8405,7 +8520,7 @@ $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # Catch all rule, all other forwarding is denied and logged. # -$IPTABLES -A FORWARD -j drop-and-log-it +$IPTABLES -A FORWARD -j reject-and-log-it echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF" 
@@ -8418,21 +8533,21 @@ $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP ####################################################################### -echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" +echo -e "\nrc.firewall-iptables-stronger $FWVER done.\n" -<rc.firewall-2.4-stronger STOP> +<rc.firewall-iptables-stronger STOP> To automatically start this stronger firewall ruleset at the proper time, -please see the end of the section for -full details. Please make sure you make the correct "rc.firewall-2.4" to -"rc.firewall-2.4-stronger" substitutions!! +please see the end of the section for +full details. Please make sure you make the correct "rc.firewall-iptables" to +"rc.firewall-iptables-stronger" substitutions!! - + Stronger IP Firewall (IPCHAINS) rulesets @@ -8504,16 +8619,27 @@ Lastly, if you are using a STATIC PPP IP address, change the -<rc.firewall-2.2-stronger START> +<rc.firewall-ipchains-stronger START> #!/bin/sh # # /etc/rc.d/rc.firewall: An example of a Stronger IPCHAINS firewall # ruleset for 2.2 kernels # -FWVER=0.71s +FWVER=0.74s # # Log: +# 0.74s - renamed from rc.firewall-2.2-stronger to +# rc.firewall-ipchains-stronger to better reflect that this ruleset can +# can run on different major kernel versions +# - removed unused SED variable +# 0.73s - Added additional comments to make PORTFW configs more obvious +# 0.72s - #ed out the rule that would allow all traffic destined for the +# MASQ server itself to be accepted. Use the OPTIONAL INPUT +# section to only allow explicit services. +# - Fixed an INTLAN rule that was allowing traffic from ANY IP address +# instead of the proper INTIP IP address only. This aligns the +# IPCHAINS ruleset with the IPTABLES and IPFWADM ruleset examples # 0.71s - ruleset now uses modprobe instead of insmod # 0.70s - Added missing execution variables # - fixed a missing -p tcp for the commented HTTPd section 
@@ -8523,7 +8649,7 @@ FWVER=0.71s # - Updated the CASE of some of the script variables # -echo -e "\nLoading rc.firewall-2.2-stronger : version $FWVER..\n" +echo -e "\nLoading rc.firewall-ipchains-stronger : version $FWVER..\n" # The location of various iptables and other shell programs @@ -8542,7 +8668,6 @@ DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe GREP=/bin/grep AWK=/bin/awk -SED=/bin/sed IFCONFIG=/sbin/ifconfig PATH=/sbin:/bin:/usr/sbin:/usr/bin @@ -8559,7 +8684,10 @@ INTIF="eth0" # The INTERNAL IP address # +INTIP="192.168.0.1/32" INTNET="192.168.0.0/24" +echo " Internal IP: $INTIP" +echo " Internal Network: $INTNET" @@ -8744,9 +8872,20 @@ $IPCHAINS -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT # $IPCHAINS -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT -# remote interface, any source, going to permanent PPP address is valid + +# remote interface, any source, going to the MASQ servers IP address is valid # -$IPCHAINS -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT +# ENABLE this line if you want ALL Internet traffic to connect to your +# the various servers running on the MASQ server. This includes +# web servers, ssh servers, dns servers, etc. +# +# I DON'T recommend you enable this rule. Instead, only enable specific +# access to select server ports under the "OPTIONAL INPUT Section". +# An example of enabling HTTP (WWW) has been given below: +# +# +#$IPCHAINS -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT + # loopback interface is valid. # @@ -8778,9 +8917,9 @@ $IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT $IPCHAINS -F output $IPCHAINS -P output REJECT -# local interface, any source going to local net is valid +# local interface, MASQ server source going to the local net is valid # -$IPCHAINS -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT +$IPCHAINS -A output -i $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny # 
@@ -8826,6 +8965,8 @@ $IPCHAINS -P forward DENY # ----- Begin OPTIONAL FORWARD Section ----- # +# Put PORTFW commands here +# # ----- End OPTIONAL FORWARD Section ----- @@ -8840,14 +8981,14 @@ $IPCHAINS -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT #End of file. -<rc.firewall-2.2-stronger STOP> +<rc.firewall-ipchains-stronger STOP> To automatically start this stronger firewall ruleset at the proper time, -please see the end of the section for -full details. Please make sure you make the correct "rc.firewall-2.2" to -"rc.firewall-2.2-stronger" substitutions!! +please see the end of the section for +full details. Please make sure you make the correct "rc.firewall-ipchains" to +"rc.firewall-ipchains-stronger" substitutions!! @@ -8956,7 +9097,7 @@ interface name and "-V" for the interface's IP address. - + Stronger IP Firewall (IPFWADM) Rulesets @@ -9014,12 +9155,23 @@ Lastly, if you are using a STATIC PPP IP address, change the -<rc.firewall-2.0-stronger START> +<rc.firewall-ipfwadm-stronger START> #!/bin/sh # # /etc/rc.d/rc.firewall: An example of a semi-STRONG IPFWADM firewall ruleset +# for 2.0 kernels # +FWVER=0.73s +# +# Log: +# 0.73s - renamed from rc.firewall-2.0-stronger to +# rc.firewall-ipfwadm-stronger +# +# 0.72s - #ed out the rule that would allow all traffic destined for the +# MASQ server itself to be accepted. Use the OPTIONAL INPUT +# section to only allow explicit services. + PATH=/sbin:/bin:/usr/sbin:/usr/bin 
@@ -9201,14 +9353,26 @@ ppp_ip="your.static.PPP.address" # /sbin/ipfwadm -I -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o -# remote interface, any source, going to permanent PPP address is valid + +# remote interface, any source, going to the MASQ servers IP address is valid # -/sbin/ipfwadm -I -a accept -V $ppp_ip -S 0.0.0.0/0 -D $ppp_ip/32 +# ENABLE this line if you want ALL Internet traffic to connect to your +# the various servers running on the MASQ server. This includes +# web servers, ssh servers, dns servers, etc. +# +# I DON'T recommend you enable this rule. Instead, only enable specific +# access to select server ports under the "OPTIONAL INPUT Section". +# An example of enabling HTTP (WWW) has been given below: +# +# +#/sbin/ipfwadm -I -a accept -V $ppp_ip -S 0.0.0.0/0 -D $ppp_ip/32 + # loopback interface is valid. # /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 + # catch all rule, all other incoming is denied and logged. pity there is no # log option on the policy but this does the job instead. # @@ -9222,7 +9386,7 @@ ppp_ip="your.static.PPP.address" /sbin/ipfwadm -O -f /sbin/ipfwadm -O -p reject -# local interface, any source going to local net is valid +# local interface, MASQ server source going to the local net is valid # /sbin/ipfwadm -O -a accept -V 192.168.0.1 -S 0.0.0.0/0 -D 192.168.0.0/24 @@ -9270,14 +9434,14 @@ ppp_ip="your.static.PPP.address" #End of file. -<rc.firewall-2.0-stronger STOP> +<rc.firewall-ipfwadm-stronger STOP> To automatically start this stronger firewall ruleset at the proper time, -please see the end of the section for -full details. Please make sure you make the correct "rc.firewall-2.0" to -"rc.firewall-2.0-stronger" substitutions!! +please see the end of the section for +full details. Please make sure you make the correct "rc.firewall-ipfwadm" to +"rc.firewall-ipfwadm-stronger" substitutions!! 
@@ -9394,18 +9558,45 @@ interfaces and to be MASQed to the Internet. Next, you need to enable Masquerading on the INTERNAL interfaces. This -example uses a total of THREE interfaces: eth0 is the EXTERNAL connection to -the Internet, eth1 is the 192.168.0.0 network, and eth2 is the 192.168.1.0 -network. Both eth1 and eth2 will be MASQed out of interface eth0. In your -rc.firewall ruleset next to the existing MASQ enable line, add the following: +example uses a total of THREE interfaces: EXTIF stands for the eth0 interface +which is the EXTERNAL connection to the Internet. INTIF stands for the eth1 interface +and is the 192.168.0.0 network. Finally, INTIF2 stands for the eth2 interface and +is the 192.168.1.0 network. Both INTIF and INTIF2 will be MASQed out of +interface eth0 or EXTIF. In your rc.firewall ruleset next to the existing MASQ +at the very end of the ruleset, add the following: - + +iptables support for multiple internal lans - - - - + + + + +2.6.x and 2.4.x kernels with IPTABLES + #Enable internal interfaces to communication between each other + + $IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED \ + -j ACCEPT + $IPTABLES -A FORWARD -i $INTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED \ + -j ACCEPT + $IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state ESTABLISHED,RELATED \ + -j ACCEPT + + $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP + + + + + + + +ipchains support for multiple internal lans + + + + + 2.2.x kernels with IPCHAINS #Enable internal interfaces to communication between each other $IPCHAINS -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT 
@@ -9414,13 +9605,19 @@ rc.firewall ruleset next to the existing MASQ enable line, add the following: #Enable internal interfaces to MASQ out to the Internet $IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 $IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 - - - + + + + + - - - + +ipfwadm support for multiple internal lans + + + + + 2.0.x kernels with IPFWADM #Enable internal interfaces to communication between each other /sbin/ipfwadm -F -a accept -V 192.168.0.1 -D 192.168.1.0/24 @@ -9429,20 +9626,18 @@ rc.firewall ruleset next to the existing MASQ enable line, add the following: #Enable internal interfaces to MASQ out to the Internet /sbin/ipfwadm -F -a masq -W eth0 -S 192.168.0.0/24 -D 0.0.0.0/0 /sbin/ipfwadm -F -a masq -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0 - - - - - - - + + + + -Please note that it is CORRECT to have "eth0" specified multiple times for the -exmples shown above. The reason for this is the Linux kernel needs to know -which interface is used for OUTGOING traffic. Since eth0 in the above examples +Please note that it is CORRECT to have "eth0" specified multiple times for the +exmples shown above. The reason for this is the Linux kernel needs to know +which interface is used for OUTGOING traffic. Since eth0 in the above examples is the Internet connection, it is listed for each internal interface. - + + @@ -9500,7 +9695,6 @@ kernel option to help with this initial setup. - 
@@ -9615,42 +9809,44 @@ resource if you so wish. With this said, it's important to have a strong firewall ruleset. Please see -, -, - and for more details on getting +, +, + and for more details on getting strong rulesets. - - - + + + 2.4.x kernels users should be ready to go for PORTFW functionality. 2.2.x and 2.0.x kernel kernel users will need to re-compile the Linux kernel to support PORTFW. It should be noted that some Linux distribution kernels might have this already done for you. - - + + - - + + Modern 2.2.x kernel users will already have the PORTFW kernel option available to them via the normal kernel "make" procedures. - - + + - - + + 2.0.x users will need to apply a simple kernel option patch to have access to then enable this via the normal kernel "make" procedures. - - + + - + + 2.4.x PORTFWD'ing: Using IPTABLE's PREROUTING option for 2.4.x kernels + Unlike ALL previous Linux kernels, the 2.4.x series now allows for full PORTFW, PORTFW FTP, and PORTFW REDIR functionality within the "iptables" @@ -9670,7 +9866,7 @@ To enable port forwarding on a 2.4.x kernel: - Edit the /etc/rc.d/rc.firewall-2.4 ruleset and place the lines + Edit the /etc/rc.d/rc.firewall-iptables ruleset and place the lines shown below just ABOVE the "FWD: Allow all connections OUT and only existing and related ones IN" line (in the "Optional FORWARD section"). Please 
@@ -9682,25 +9878,27 @@ To enable port forwarding on a 2.4.x kernel: NOTE: Unlike the 2.2.x and 2.0.x kernels, PORTFWed traffic does *not* traverse the INPUT or OUTPUT rules. It only traverses the FORWARD rule. - + - + + NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see - from above or + from above or TrinityOS - Section 10 for more details on strong rulesets and Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users. - - + + + + - /etc/rc.d/rc.firewall #echo "Enabling PORTFW Redirection on the external LAN.." @@ -9714,11 +9912,11 @@ IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users. PORTFWIP="192.168.0.10" -# NOTE: If you are using the basic rc.firewall-2.4 ruleset, you +# NOTE: If you are using the basic rc.firewall-iptables ruleset, you # will need to enable the following EXTIP option. Users of the -# rc.firewall-2.4-stronger ruleset already have this defined. +# rc.firewall-iptables-stronger ruleset already have this defined. # -# *PLEASE* look over the rc.firewall-2.4-stronger ruleset for more +# *PLEASE* look over the rc.firewall-iptables-stronger ruleset for more # specific issues regarding dynamic vs. static IP addresses # # @@ -9744,13 +9942,12 @@ $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \ # $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \ -j DNAT --to $PORTFWIP:80 - -That's it! Just re-run your /etc/rc.d/rc.firewall-2.4 ruleset and test it out! +That's it! Just re-run your /etc/rc.d/rc.firewall-iptables ruleset and test it out! 
@@ -9758,7 +9955,7 @@ That's it! Just re-run your /etc/rc.d/rc.firewall-2.4 ruleset and test it out! -Running the rc.firewall-2.4-stronger ruleset? Good for you! To get PORTFW +Running the rc.firewall-iptables-stronger ruleset? Good for you! To get PORTFW running with this ruleset, it's very easy. The following example is for HTTP (WWW) traffic to be PORTFWed to the IP address indicated by the $PORTFWIP variable: @@ -9780,7 +9977,7 @@ variable: PORTFW FTP: If you have the "ip_conntrack_ftp" and "ip_nat_ftp" kernel modules loaded into kernel space -(as already done in the rc.firewall-2.4 script), the simple PREROUTING command +(as already done in the rc.firewall-iptables script), the simple PREROUTING command like the one shown above changed for for port "21" should do the trick. This is much easier than the configuration for the old 2.2.x / 2.0.x kernels! @@ -9803,8 +10000,8 @@ something like this: PORTFW Redirection of Internal requests: - + In the past, if users PORTFWed port 80 on their EXTERNAL IP address to some internal machine, only machines out on the Internet would properly reach @@ -9912,14 +10109,13 @@ Anyway, to enable port forwarding for HTTPd: NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see - from above or + from above or TrinityOS - Section 10 for more details on strong rulesets and Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users. - /etc/rc.d/rc.firewall #echo "Enabling IPPORTFW Redirection on the external LAN.." @@ -10037,7 +10233,6 @@ not present. Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux directory - cp /usr/src/subs-patch-1.37.gz /usr/src/linux 
@@ -10045,7 +10240,6 @@ Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux directory Next, apply the kernel patch to create the IPPORTFW kernel option: - cd /usr/src/linux zcat subs-patch-1.3x.gz | patch -p1 @@ -10062,7 +10256,6 @@ complete and you have rebooted, return to this section. Now with a newly compiled kernel, please compile and install the actual "IPPORTFW" program - cd /usr/src gcc ipportfw.c -o ipportfw @@ -10098,7 +10291,7 @@ replace the word "$extip" with your Internet IP address. NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see -from above or +from above or TrinityOS - Section 10 for more details on strong rulesets and Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users. @@ -10157,51 +10350,48 @@ So, to get the 2.0.x patch working, you need to: - - - - + + + FIRST, apply the IPPORTFW kernel patch as shown earlier in this section. - - + + - - + + Download the "msqsrv-patch-36" from Fred Viles's FTP server in and put it into /usr/src/linux. - - + + - - + + Patch the kernel with this new code by running "cat msqsrv-patch-36 | patch -p1" - - + + - - + + Next, replace the original "ip_masq_ftp.c" kernel module with the new one - + - + mv /usr/src/linux/net/ipv4/ip_masq_ftp.c /usr/src/linux/net/ipv4/ip_masq_ftp.c.orig - + - + mv /usr/src/linux/ip_masq_ftp.c /usr/src/linux/net/ipv4/ip_masq_ftp.c - - + + - - + + Lastly, build and install the kernel with this new code in place. - - - - - + + + 
@@ -10478,8 +10668,9 @@ done seconds BUT many users have found that ICQ becomes unreliable. It has been found that ICQ is more reliable with its stock timeout setting (don't enable that ICQ option) and simply change MASQ's timeout to 160 seconds. - You can see how to change this timeout in - and rulesets. Finally, click on Next + You can see how to change this timeout in + and rulesets. Finally, click on Next and configure ICQ to "Use the following TCP listen ports.." from "2000" to "2020". Now click done. @@ -10619,8 +10810,8 @@ In the /etc/rc.d/rc.firewall script, goto the BOTTOM of the file and find the LooseUDP section. Change the "0" in the line: echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose to a "1" and re-run the rc.firewall ruleset. An example of this is given in -both example and - example. +both example and + example. @@ -10933,6 +11124,12 @@ Redhat v8.0 : YES - 2.4.18? based + + +Redhat v9.0 : YES - 2.4.20 based + + + Slackware v3.0 : ? - ? @@ -11431,7 +11628,7 @@ have any thoughts on which ones are good/bad/ugly, please email David. -John Hardin's IPFWADM Dot +John Hardin's IPFWADM Dot file generator - a IPCHAINS version is in the works @@ -11749,7 +11946,7 @@ nasty MTU problem: For those users who use PPPoE clients for (DSL / Cablemodem) or PPP (Dialup), - you're Internet connection is NOT "eth0" (for example) but usually "ppp0". + your Internet connection is NOT "eth0" (for example) but usually "ppp0". In addition to this, your Internet link's MTU or Maximum Transmission Unit (largest packet you can transmit over the Internet) isn't 1500 bytes but 1492. The 1492 byte MTU comes from the link size of Ethernet (1518 bytes) - 
@@ -11790,10 +11987,10 @@ nasty MTU problem: As mentioned above for PPPoE users, some ISPs and WWW sites filter critical ICMP packets like MTU Path Discovery. Because of this, many users might find - mosr Internet sites work but others hang or work poorly. Fortunately, + more Internet sites work but others hang or work poorly. Fortunately, recent IPTABLES have added PMTU Clamping support which should help you. If your using IPTABLES and think you're hitting this issue, try adding the - following line to the end of your rc.firewall-2.4 ruleset. It should be noted + following line to the end of your rc.firewall-iptables ruleset. It should be noted that there is no PMTU clamping support in IPCHAINS. @@ -11803,7 +12000,7 @@ nasty MTU problem: - If this line causes an error when you re-run the rc.firewall-2.4* firewall + If this line causes an error when you re-run the rc.firewall-iptables* firewall rulesets, you might need to upgrade your version of IPTABLES which includes the "TCPMSS" IPTABLES module. @@ -12469,10 +12666,10 @@ This is a common problem which is explained in in Basically, say your domain, acme.com, has an external IP address is 1.2.3.4 and you are PORTFWing all WWW traffic to an internal machine, say, -192.168.1.20. Then as an /internal/ user, you are trying to contact +192.168.0.20. Then as an /internal/ user, you are trying to contact to http://www.acme.com and expect things to work. Well, that isn't correct. Basically, http://www.acme.com is being resolved to the IP of http://1.2.3.4. -What you really should doing is contacting http://192.168.1.20. +What you really should doing is contacting http://192.168.0.20. 
@@ -12482,10 +12679,10 @@ See the difference? The proper solution to this is to setup a SPLIT DNS server. Internal users would be configured to use the /internal/ DNS server which would reply with -the 192.168.1.20 address when asked for www.acme.com. All external users +the 192.168.0.20 address when asked for www.acme.com. All external users will get a reply from the /external/ server resolving to the the 1.2.3.4 IP address. From there, IPTABLES/IPCHAINS/IPFWADM would then PORTFW the traffic -to the 192.168.1.20 server like normal. +to the 192.168.0.20 server like normal. @@ -12496,7 +12693,7 @@ That entry would basically look like: -www.acme.com 192.168.1.20 +www.acme.com 192.168.0.20 @@ -12524,7 +12721,7 @@ the use of REDIR. If you need help with REDIR, send me an email. # server # # $INTLAN - this is the network of your internal MASQed -# network. e.g. 192.168.1.0/24 +# network. e.g. 192.168.0.0/24 # # $INTIP - this is the internal IP address of the # MASQ server @@ -13611,12 +13808,12 @@ Internal LAN ----------> official IP LAN #1 External IP #1 -192.168.1.x --> 123.123.123.11 +192.168.0.x --> 123.123.123.11 LAN #2 External IP #2 -192.168.2.x --> 123.123.123.12 +192.168.1.x --> 123.123.123.12 @@ -13639,8 +13836,8 @@ IPFWADM/IPCHAINS and/or Masq features. Anyways, for the example case shown above, you will need to persuade the routing -system to direct packets from 192.168.1.x via 123.123.1233.11 and packets from -192.168.2.x via 123.123.123.12. That is the hardest part and adding Masq on +system to direct packets from 192.168.0.x via 123.123.1233.11 and packets from +192.168.1.x via 123.123.123.12. That is the hardest part and adding Masq on top of correct routing is easy. 
@@ -13664,12 +13861,12 @@ help. This function has NOTHING to do with IP Masquerading. - The following would be integrated into the END of your rc.firewall-2.4 ruleset + The following would be integrated into the END of your rc.firewall-iptables ruleset EXTIF="eth0" - INTNET1="192.168.1.0/24" - INTNET2="192.168.2.0/24" + INTNET1="192.168.0.0/24" + INTNET2="192.168.1.0/24" EXTIP1="123.123.123.11" EXTIP2="123.123.123.12" @@ -14316,10 +14513,8 @@ Will have all the current information for setting up IP Masquerade on 2.0.x, -Juan Jose Ciarlante's WWW site -who is one of the current Linux IP Masquerade maintainers. A mirror can be -fount at -ipmasq.webhop.net/juanjox +Juan Jose Ciarlante's WWW site +(mirror) who is one of the current Linux IP Masquerade maintainers. 
@@ -14851,6 +15046,141 @@ Update the portfw FTP patch + +Changes from 03/19/04 to 04/17/05 + + + + 04/30/05 - Updated the IP address for unc.metalab.org and published the +HOWTO to the web. + + + + + + 12/18/04 - Added some comments in the IPTABLES, IPCHAINS, and IPFWADM +rulesets why the default policy is ACCEPT and not something like DROP. + + + + + + 07/24/04: Renamed the rc.firewall-2.4/2.2/2.0-* rulesets to +rc.firewall-iptables/ipchains/ipfwadm-*. This change better reflects that +these rulesets can run on different kernel versions (such as 2.6.x). Updated +the rc.firewall-iptables-stronger ruleset to 0.85s to fix an improper /24 +netmask for the INTIP variable. + + + + + + 04/10/04: Updated the rc.firewall-2.4-stronger ruleset to use the 192.16.0.x +network instead of 192.168.1.x network to better align with the rest of the +HOWTO + + + + + + 04/04/04: Added that Redhat9 supports IPMASQ + + + + + + +Changes from 11/10/03 to 03/18/04 + + + + 03/18/04: Added a sub-section for supporting multiple internal networks for +IPTABLES + + + + + + 02/02/04: Updated some old jhardin rubyriver to impsec.org URLs + + + + + + 01/10/04: Updated the rc.firewall-2.4-stronger and 2.2 rulesets to make +placement of PORTFW configs more obvious + + + + + + 01/01/04: Some systems require that the /etc/rc.d/init.d/firewall-2.* files +be executable. Fixed. Thanks to Chris Carter and others for the nudge. + + + + + + 01/01/04: Some systems require that the /etc/rc.d/init.d/firewall-2.* files +be executable. Fixed. Thanks to Chris Carter and others for the nudge. + + + + + + 01/01/04: Added an additional chkconfig check on Redhat systems to make sure +that the firewall will load upon init level change. Thanks to Chris Carter +for the idea. + + + + + + 12/19/03: Updated the rc.firewall-2.4-stronger ruleset to 0.82. This +new ruleset has a special ICMP filter to work around a Netfilter bug. 
+Also, the drop-and-log-it chain has been renamed to reject-and-log-it +since that's actually what it's doing. Thanks to Bart Martens for the +recommendations. + + + + + + 12/13/03: Fixed some minor grammar issues. Thanks to Lawrence Berlinsk +for pointing them out. + + + + + + 11/30/03: Updated the rc.firewall-2.4-stronger ruleset to 0.81s, the +rc-firewall-2.2-stronger ruleset to 0.72s, and updated the +rc.firewall-2.0-stronger ruleset to 0.72s (never had a version # before). +These changes reflect either the ruleset not having strong enough comments +or allowing all traffic destined to the MASQ server itself from being +protected. It's recommend that if you want to enable access to servers running +on the MASQ server itself (http, ssh, etc.), selectively enable them under the +OPTIONAL INPUT section. + + + + + + 11/03/03: Updated the rc.firewall-2.2-stronger ruleset where an INTLAN rule +that was allowing traffic from ANY IP address instead of the proper INTIP IP +address only. This aligns the IPCHAINS ruleset with the IPTABLES and IPFWADM +ruleset examples + + + + + + 11/10/03: Deleted all kernelnotes.org URLS (juanjox URLs) + + + + + Changes from 06/22/03 to 11/09/03
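Review bot: In hunk @@ -9201,14 +9353,26 @@, disabling `/sbin/ipfwadm -I -a accept -V $ppp_ip -S 0.0.0.0/0 -D $ppp_ip/32` also cuts off reply packets to connections the MASQ server itself originates (its own DNS lookups, downloads, NTP), because ipfwadm on 2.0.x kernels has no connection tracking and those replies now fall through to the catch-all deny-and-log rule unless the OPTIONAL INPUT section admits them; the new comment block should say so, since an admin who only opens service ports will see the server's own outbound traffic break. The comment text also needs cleanup: "going to the MASQ servers IP address" should be "MASQ server's", "connect to your the various servers" drops a word, and "An example of enabling HTTP (WWW) has been given below" points at nothing in this block; say "in the OPTIONAL INPUT section" instead.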
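Review bot: In hunk @@ -9222,7 +9386,7 @@ the rewritten comment "local interface, MASQ server source going to the local net is valid" no longer describes the rule under it, which still matches any source: `/sbin/ipfwadm -O -a accept -V 192.168.0.1 -S 0.0.0.0/0 -D 192.168.0.0/24`. Either the rule's `-S` should be tightened to the MASQ server's own address, as the 11/03/03 changelog entry says was done for the IPCHAINS ruleset, or the comment should keep describing the actual match; before tightening, confirm that de-masqueraded replies to internal hosts, whose source addresses are Internet addresses, are not expected to pass through this output rule.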
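Review bot: In hunk @@ -9394,18 +9558,45 @@ the new IPTABLES rules do not deliver what the comment "Enable internal interfaces to communication between each other" promises: all three FORWARD rules match only `--state ESTABLISHED,RELATED`, so no NEW connection can be opened from $INTIF2 to the Internet, nor between $INTIF and $INTIF2 in either direction, and nothing will ever reach the ESTABLISHED state. An accept for new connections is needed, for example `$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT` plus the matching $INTIF/$INTIF2 pair, mirroring the existing "FWD: Allow all connections OUT" rule. The added `$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP` also duplicates the MASQ enable line the prose says already exists in the ruleset, and the rewritten sentence "next to the existing MASQ at the very end of the ruleset" lost the words "enable line".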
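Review bot: In hunk @@ -9429,20 +9626,18 @@ the re-wrapped paragraph still carries the typo "exmples", and its claim that "eth0" is listed for each internal interface is now only true of the IPCHAINS and IPFWADM examples, since the IPTABLES example uses $EXTIF and $INTIF2; reword to "eth0 (or $EXTIF)" or similar. The comment "Enable internal interfaces to communication between each other", repeated in the three example blocks, should read "to communicate with each other".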
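Review bot: In hunk @@ -9615,42 +9809,44 @@ the new heading "2.4.x PORTFWD'ing: Using IPTABLE's PREROUTING option for 2.4.x kernels" and the sentence "2.4.x kernels users should be ready to go for PORTFW functionality" still name 2.4.x only, although the 07/24/04 changelog entry in this same patch says the rulesets were renamed to rc.firewall-iptables-* precisely because they run on 2.6.x as well; "2.6.x and 2.4.x" would match the rename. The retained line "2.2.x and 2.0.x kernel kernel users" also doubles a word.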
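Review bot: In hunk @@ -9682,25 +9878,27 @@ the sentence "If you use get a DYNAMIC TCP/IP address from your ISP" is left as is while the lines around it are touched; "If you get a DYNAMIC TCP/IP address" is meant, and the same sentence recurs unchanged in hunks @@ -9912,14 +10109,13 @@ and @@ -10098,7 +10291,7 @@, so fix all three together.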
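Review bot: In hunk @@ -11790,10 +11987,10 @@ the typo fix goes the wrong way: "many users might find mosr Internet sites work but others hang or work poorly" is clearly "most Internet sites work but others hang", and the corrected line "more Internet sites work but others hang" does not read. The retained "If your using IPTABLES" in the same hunk should be "you're".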
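Review bot: In hunk @@ -13639,8 +13836,8 @@ the renumbered line keeps "via 123.123.1233.11", an invalid address with a four-digit octet; since the line is rewritten anyway, correct it to 123.123.123.11 so it matches "External IP #1" in hunk @@ -13611,12 +13808,12 @@ and EXTIP1 in hunk @@ -13664,12 +13861,12 @@.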
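Review bot: In hunk @@ -14851,6 +15046,141 @@ the changelog has several consistency problems: the "04/10/04" entry says "192.16.0.x network" where 192.168.0.x is meant; the "01/01/04: Some systems require that the /etc/rc.d/init.d/firewall-2.* files be executable" entry is pasted twice; the heading "Changes from 03/19/04 to 04/17/05" does not cover its own first entry dated 04/30/05; and the "11/03/03" entry is filed under "Changes from 11/10/03 to 03/18/04", out of date order and before that range begins, so it belongs in "Changes from 06/22/03 to 11/09/03". In the 11/30/03 entry, "It's recommend that" should be "It's recommended that", and "or allowing all traffic destined to the MASQ server itself from being protected" is garbled. The 12/18/04 entry says the rulesets now explain why the default policy is ACCEPT rather than DROP but not what the explanation is; whatever it says should note that a ruleset relying on a trailing catch-all reject (such as `$IPCHAINS -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT` in hunk @@ -8840,14 +8981,14 @@) runs with the permissive policy if the script aborts before reaching that last rule.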