mirror of https://github.com/tLDP/LDP
updated
parent 44d8e1cb5f
commit e996394ce3
@ -1211,7 +1211,7 @@ that will improve the I/O performance of your Linux operating system. </Para>
|
|||
IP-Masquerade-HOWTO</ULink>,
|
||||
<CiteTitle>Linux IP Masquerade HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: April 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: October 2002</CiteTitle>.
|
||||
How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
|
||||
</ListItem>
|
||||
|
||||
|
@ -2033,7 +2033,7 @@ Linux, using GNU CC and nlmconv(1) from GNU binutils. </Para>
|
|||
Online-Troubleshooting-HOWTO</ULink>,
|
||||
<CiteTitle>Online Troubleshooting Resources HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: March 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: October 2002</CiteTitle>.
|
||||
Directs Linux users to resources available on the Internet that
|
||||
provide access to a vast amount of Linux-related information useful
|
||||
in troubleshooting problems. </Para>
|
||||
|
|
|
@ -213,7 +213,7 @@ and need help. </Para>
|
|||
Online-Troubleshooting-HOWTO</ULink>,
|
||||
<CiteTitle>Online Troubleshooting Resources HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: March 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: October 2002</CiteTitle>.
|
||||
Directs Linux users to resources available on the Internet that
|
||||
provide access to a vast amount of Linux-related information useful
|
||||
in troubleshooting problems. </Para>
|
||||
|
|
|
@ -916,7 +916,7 @@ A beginning document for using Portslave with the Linux router. </Para>
|
|||
IP-Masquerade-HOWTO</ULink>,
|
||||
<CiteTitle>Linux IP Masquerade HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: April 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: October 2002</CiteTitle>.
|
||||
How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
|
||||
</ListItem>
|
||||
|
||||
|
|
|
@ -17,11 +17,12 @@
|
|||
</affiliation>
|
||||
</AUTHOR>
|
||||
|
||||
<pubdate>
|
||||
v2.00.041902, April 19, 2002
|
||||
</pubdate>
|
||||
|
||||
<Abstract>
|
||||
|
||||
<para>
|
||||
v2.00.102002, October 20, 2002
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This document describes how to enable the Linux IP Masquerade feature on a
|
||||
given Linux host. IP Masquerade is a form of Network Address Translation or
|
||||
|
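Review bot: as this hunk renders, the replacement date string `v2.00.102002, October 20, 2002` appears inside `<Abstract>` wrapped in its own `<para>`, while the value being removed was the body of `<pubdate>`. If that is really what the new file contains, the date belongs back inside `<pubdate>` so the DocBook metadata stays correct and the abstract opens with the actual description; the extra `<para>`/`</para>` pair around the date can then go. If it is only an artefact of how the diff is displayed, no change is needed.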
@ -29,6 +30,7 @@ NAT which NAT allows internally connected computers that do not have one or more
|
|||
registered Internet IP addresses to communicate to the Internet via the Linux
|
||||
server's Internet IP address.
|
||||
</para>
|
||||
|
||||
</Abstract>
|
||||
|
||||
</BookInfo>
|
||||
|
@ -691,9 +693,9 @@ The new IPTABLES system is far more powerful (combines several functions into
|
|||
one place like true NAT functionality), offers better security (stateful
|
||||
inspection), and better performance with the new 2.4.x TCP/IP stack. But this
|
||||
new suite of tools can be a bit complicated in comparison to older generation
|
||||
kernels. Hopefully if you carefully follow along with this HOWTO it won't be
|
||||
too bad. If you find anything unclear, downright wrong, etc. please email
|
||||
David about it.
|
||||
kernels. Hopefully, if you follow along with this HOWTO carefully, setting up
|
||||
IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc.
|
||||
please email David about it.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
@ -701,10 +703,16 @@ David about it.
|
|||
IPFWADM, the new NetFilter tool has kernel modules that can actually
|
||||
support older IPCHAINS and IPFWADM rulesets with minimal changes. So
|
||||
re-writing your old MASQ or firewall ruleset scripts is not longer required.
|
||||
Please keep in mind that there might be several benefits in performing a full
|
||||
ruleset re-write to take advantage of the newer IPTABLES features like
|
||||
stateful tracking, etc. but that is dependant upon how much time you have
|
||||
to migrate your old rulesets.
|
||||
<Emphasis role="strong">BUT..</Emphasis> with the 2.4.x kernels, you cannot
|
||||
use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc.
|
||||
<Emphasis role="strong">AND<</Emphasis> IPCHAINS is incompatible with the
|
||||
new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean?
|
||||
It basically means that if you want to use IPMASQ under a 2.4.x kernel,
|
||||
you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also keep
|
||||
in mind that there might be several benefits in performing a full ruleset
|
||||
re-write to take advantage of the newer IPTABLES features like stateful
|
||||
tracking, etc. but that is dependant upon how much time you have to migrate
|
||||
your old rulesets.
|
||||
</para>
|
||||
</listitem>
|
||||
</ItemizedList>
|
||||
|
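Review bot: `<Emphasis role="strong">AND<</Emphasis>` carries a stray `<` that will either break the SGML parse or render as a literal angle bracket; it should read `<Emphasis role="strong">AND</Emphasis>`. While on these lines: "is not longer required" should be "is no longer required" and "dependant" should be "dependent" (it occurs twice). The substantive addition is correct and worth stating more directly: the 2.2 `ip_masq_*` helpers are not available on 2.4, and the ipchains compatibility layer cannot be combined with the `ip_conntrack_*`/`ip_nat_*` helpers, so anyone who needs FTP or IRC through MASQ on 2.4 has to move to an iptables ruleset rather than keep the old ipchains script.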
@ -865,7 +873,7 @@ NotPorted ICQ Used for Instant messaging
|
|||
|
||||
NotPorted Quake Used for online Quake games
|
||||
|
||||
Beta Avail PPTP Allow for multiple clients to the same server
|
||||
Ported PPTP Allow for multiple clients to the same server
|
||||
|
||||
NotPorted Real Audio Used for Streaming video / audio
|
||||
|
||||
|
@ -874,8 +882,8 @@ NotPorted VDO Live Used for Streaming audio?
|
|||
|
||||
<para>
|
||||
Documentation on how to perform MASQ module porting is available at
|
||||
<ULink URL="http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO-5.html">
|
||||
http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO-5.html
|
||||
<ULink URL="http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html">
|
||||
http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html
|
||||
</ULink>
|
||||
<ULink URL="http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/index.html">
|
||||
(mirror at Samba.org)</ULink>,
|
||||
|
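Review bot: only the primary link is moved to www.netfilter.org; the "(mirror at Samba.org)" link two lines below still points at `netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/index.html`, the same stale path that was just replaced. Either update the mirror to the matching netfilter.org documentation path or drop the mirror link, otherwise readers get one working and one dead link for the same document.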
@ -891,16 +899,16 @@ appreciated in porting these modules.
|
|||
|
||||
<para>
|
||||
If you'd like to read up more on NetFilter and IPTables, please see:
|
||||
<ULink URL="http://netfilter.filewatcher.org/unreliable-guides">
|
||||
http://netfilter.filewatcher.org/unreliable-guides</ULink>
|
||||
<ULink URL="http://www.netfilter.org/documentation/index.html#HOWTO">
|
||||
http://www.netfilter.org/documentation/index.html#HOWTO</ULink>
|
||||
<ULink
|
||||
URL="http://netfilter.samba.org/unreliable-guides/">
|
||||
(mirror at Samba.org)</ULink>,
|
||||
|
||||
and more
|
||||
specifically <ULink
|
||||
URL="http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html">
|
||||
http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html</ULink>
|
||||
URL="http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html">
|
||||
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html</ULink>
|
||||
</para>
|
||||
|
||||
|
||||
|
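Review bot: the NAT-HOWTO URL contains a doubled slash (`documentation/HOWTO//NAT-HOWTO.html`); most servers tolerate it, but it should be `documentation/HOWTO/NAT-HOWTO.html` in both the URL attribute and the visible link text. As in the previous hunk, the "(mirror at Samba.org)" link is left pointing at the old unreliable-guides path while the primary link moves to netfilter.org; update or remove it so the two links do not disagree.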
@ -936,8 +944,8 @@ http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html</ULink>
|
|||
<listitem>
|
||||
<para>
|
||||
The program "iptables" version 1.2.4 or newer archive available from
|
||||
<ULink URL="http://netfilter.filewatcher.org/">
|
||||
http://netfilter.filewatcher.org/</ULink>
|
||||
<ULink URL="http://www.netfilter.org/">
|
||||
http://www.netfilter.org/</ULink>
|
||||
<ULink URL="http://netfilter.samba.org">
|
||||
(mirror at Samba.org)</ULink>,.
|
||||
|
||||
|
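Review bot: the sentence ends with `(mirror at Samba.org)</ULink>,.` and the stray `,.` is carried over unchanged; since the primary link now points at www.netfilter.org, the Samba mirror reference is also of doubtful value. Suggest `(mirror at Samba.org)</ULink>.` at minimum.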
@ -962,7 +970,7 @@ http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html</ULink>
|
|||
makes use of additional MASQ modules like the FTP and IRC modules. Additional
|
||||
information on version requirements for the newest IPTABLES howto, etc. is
|
||||
located at the
|
||||
<ULink URL="http://netfilter.filewatcher.org/">Unreliable IPTABLES HOWTOs</Ulink>
|
||||
<ULink URL="http://www.netfilter.org/">Unreliable IPTABLES HOWTOs</Ulink>
|
||||
page <ULink URL="http://netfilter.samba.org/"> (mirror at Samba.org)</ULink>.
|
||||
</para>
|
||||
</listitem>
|
||||
|
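Review bot: the link text still says "Unreliable IPTABLES HOWTOs" but the URL now points at the netfilter.org front page rather than the unreliable-guides collection; the label should follow the target (for example "the netfilter.org documentation page"). The closing tag is also spelled `</Ulink>` on both the old and the new line while the opener is `<ULink`; SGML DocBook tolerates the case mismatch, an XML toolchain will not, so normalise it to `</ULink>` while the line is being touched.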
@ -1137,13 +1145,13 @@ http://www.linuxdoc.org/HOWTO/DSL-HOWTO/index.html</ULink>
|
|||
<listitem>
|
||||
<para>
|
||||
IP Chains 1.3.10 or newer are available from
|
||||
<ULink URL="http://netfilter.filewatcher.org/ipchains/">
|
||||
http://netfilter.filewatcher.org/ipchains/</ULink>
|
||||
<ULink URL="http://www.netfilter.org/ipchains/">
|
||||
http://www.netfilter.org/ipchains/</ULink>
|
||||
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>.
|
||||
Additional information on
|
||||
version requirements for the newest IPCHAINS HOWTO, etc is located at the
|
||||
<ULink URL="http://netfilter.filewatcher.org/ipchains/"> Linux IP Chains
|
||||
page</ULink> <ULink URL="http://netfilter.samba.org/ipchains"> (mirror at
|
||||
<ULink URL="http://www.netfilter.org/ipchains/"> Linux IP Chains
|
||||
page</ULink> <ULink URL="http://www.netfilter.org/ipchains"> (mirror at
|
||||
Samba.org)</ULink>
|
||||
</para>
|
||||
</listitem>
|
||||
|
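Review bot: the second updated link keeps the text "(mirror at Samba.org)" but now points at `http://www.netfilter.org/ipchains`, which is the primary site, not a Samba mirror; the line above it already links the same place as "Linux IP Chains page", so this is a duplicate link with a misleading label. Either keep the `netfilter.samba.org` URL for the mirror, as the first mirror link in this hunk still does, or drop the mirror reference.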
@ -1543,7 +1551,7 @@ patches and more information:
|
|||
</para>
|
||||
|
||||
<para>
|
||||
<ULink URL="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
|
||||
<ULink URL="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">
|
||||
John Hardin's VPN Masquerade forwarders</ULink> or the old patch for just
|
||||
<ULink URL="http://ipmasq.cjb.net/ip_masq_pptp.patch.gz">PPTP Support</ULink>.
|
||||
</para>
|
||||
|
@ -3486,7 +3494,7 @@ SIMPLE ruleset:
|
|||
#!/bin/sh
|
||||
#
|
||||
# rc.firewall-2.4
|
||||
FWVER=0.63
|
||||
FWVER=0.70
|
||||
#
|
||||
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
|
||||
# using IPTABLES.
|
||||
|
@ -3499,6 +3507,9 @@ FWVER=0.63
|
|||
#
|
||||
#
|
||||
# Log:
|
||||
# 0.70 - Added commented option for IRC nat module
|
||||
# - Added additional use of environment variables
|
||||
# - Added additional formatting
|
||||
# 0.63 - Added support for the IRC IPTABLES module
|
||||
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
|
||||
# instead of $EXTIF
|
||||
|
@ -3514,11 +3525,12 @@ FWVER=0.63
|
|||
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
|
||||
|
||||
|
||||
# The location of the 'iptables' program
|
||||
# The location of the iptables and kernel module programs
|
||||
#
|
||||
# If your Linux distribution came with a copy of iptables, most
|
||||
# likely it is located in /sbin. If you manually compiled
|
||||
# iptables, the default location is in /usr/local/sbin
|
||||
# If your Linux distribution came with a copy of iptables,
|
||||
# most likely all the programs will be located in /sbin. If
|
||||
# you manually compiled iptables, the default location will
|
||||
# be in /usr/local/sbin
|
||||
#
|
||||
# ** Please use the "whereis iptables" command to figure out
|
||||
# ** where your copy is and change the path below to reflect
|
||||
|
@ -3526,6 +3538,8 @@ echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
|
|||
#
|
||||
#IPTABLES=/sbin/iptables
|
||||
IPTABLES=/usr/local/sbin/iptables
|
||||
DEPMOD=/sbin/depmod
|
||||
INSMOD=/sbin/insmod
|
||||
|
||||
|
||||
#Setting the EXTERNAL and INTERNAL interfaces for the network
|
||||
|
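Review bot: the default leaves `IPTABLES=/usr/local/sbin/iptables` active while the comment above says distribution copies live in /sbin; a reader who does not edit the path gets every `$IPTABLES` call failing with "command not found" and a host with no ruleset, which the script never detects. Suggest a guard right after these assignments, e.g. `[ -x "$IPTABLES" ] || { echo "iptables not found at $IPTABLES"; exit 1; }`, and the same for `DEPMOD` and `INSMOD`, so a wrong path stops the script instead of silently leaving the box unfiltered.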
@ -3560,7 +3574,7 @@ echo -en " loading modules: "
|
|||
# Need to verify that all modules have all required dependencies
|
||||
#
|
||||
echo " - Verifying that all kernel modules are ok"
|
||||
/sbin/depmod -a
|
||||
$DEPMOD -a
|
||||
|
||||
# With the new IPTABLES code, the core MASQ functionality is now either
|
||||
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
|
||||
|
@ -3580,13 +3594,15 @@ echo " - Verifying that all kernel modules are ok"
|
|||
# modules are shown below but are commented out from loading.
|
||||
# ===============================================================
|
||||
|
||||
echo "----------------------------------------------------------------------"
|
||||
|
||||
#Load the main body of the IPTABLES module - "iptable"
|
||||
# - Loaded automatically when the "iptables" command is invoked
|
||||
#
|
||||
# - Loaded manually to clean up kernel auto-loading timing issues
|
||||
#
|
||||
echo -en "ip_tables, "
|
||||
/sbin/insmod ip_tables
|
||||
$INSMOD ip_tables
|
||||
|
||||
|
||||
#Load the IPTABLES filtering module - "iptable_filter"
|
||||
|
@ -3605,7 +3621,7 @@ echo -en "ip_tables, "
|
|||
# - Loaded manually to clean up kernel auto-loading timing issues
|
||||
#
|
||||
echo -en "ip_conntrack, "
|
||||
/sbin/insmod ip_conntrack
|
||||
$INSMOD ip_conntrack
|
||||
|
||||
|
||||
#Load the FTP tracking mechanism for full FTP tracking
|
||||
|
@ -3613,7 +3629,7 @@ echo -en "ip_conntrack, "
|
|||
# Enabled by default -- insert a "#" on the next line to deactivate
|
||||
#
|
||||
echo -en "ip_conntrack_ftp, "
|
||||
/sbin/insmod ip_conntrack_ftp
|
||||
$INSMOD ip_conntrack_ftp
|
||||
|
||||
|
||||
#Load the IRC tracking mechanism for full IRC tracking
|
||||
|
@ -3621,7 +3637,7 @@ echo -en "ip_conntrack_ftp, "
|
|||
# Enabled by default -- insert a "#" on the next line to deactivate
|
||||
#
|
||||
echo -en "ip_conntrack_irc, "
|
||||
/sbin/insmod ip_conntrack_irc
|
||||
$INSMOD ip_conntrack_irc
|
||||
|
||||
|
||||
#Load the general IPTABLES NAT code - "iptable_nat"
|
||||
|
@ -3630,7 +3646,7 @@ echo -en "ip_conntrack_irc, "
|
|||
# - Loaded manually to clean up kernel auto-loading timing issues
|
||||
#
|
||||
echo -en "iptable_nat, "
|
||||
/sbin/insmod iptable_nat
|
||||
$INSMOD iptable_nat
|
||||
|
||||
|
||||
#Loads the FTP NAT functionality into the core IPTABLES code
|
||||
|
@ -3639,9 +3655,19 @@ echo -en "iptable_nat, "
|
|||
# Enabled by default -- insert a "#" on the next line to deactivate
|
||||
#
|
||||
echo -en "ip_nat_ftp, "
|
||||
/sbin/insmod ip_nat_ftp
|
||||
$INSMOD ip_nat_ftp
|
||||
|
||||
|
||||
#Loads the IRC NAT functionality into the core IPTABLES code
|
||||
# Require to support NAT of IRC DCC requests
|
||||
#
|
||||
# Disabled by default -- remove the "#" on the next line to activate
|
||||
#
|
||||
#echo -e "ip_nat_irc"
|
||||
#$INSMOD ip_nat_irc
|
||||
|
||||
echo "----------------------------------------------------------------------"
|
||||
|
||||
# Just to be complete, here is a list of the remaining kernel modules
|
||||
# and their function. Please note that several modules should be only
|
||||
# loaded by the correct master kernel module for proper operation.
|
||||
|
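Review bot: the new commented IRC NAT line uses `#echo -e "ip_nat_irc"` while every other module line uses `echo -en "name, "`; once uncommented it prints a newline in the middle of the one-line module list. Make it `#echo -en "ip_nat_irc, "`. Note also the asymmetry this creates: `ip_conntrack_irc` is loaded unconditionally a few hunks above, but `ip_nat_irc` is off by default, so DCC gets tracked without the matching NAT rewrite. Either load both (needed for DCC through MASQ) or comment both, since each conntrack helper is extra parsing of untrusted traffic in the kernel and should only be loaded when it is actually used.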
@ -4009,8 +4035,8 @@ need IP Masquerade.
|
|||
<para>
|
||||
Please see <XRef LinkEnd="rc.firewall-2.4.x-stronger"> for a detailed guide on
|
||||
a strong IPTABLES ruleset example. For additional details on IPTABLES usage,
|
||||
please refer to <ULink URL="http://netfilter.filewatcher.org/">
|
||||
http://netfilter.filewatcher.org/</ULink>
|
||||
please refer to <ULink URL="http://www.netfilter.org/">
|
||||
http://www.netfilter.org/</ULink>
|
||||
<ULink URL="http://netfilter.samba.org/"> (mirror at Samba.org)</ULink>
|
||||
for the primary IPTABLES site.
|
||||
</para>
|
||||
|
@ -4040,7 +4066,6 @@ ruleset:
|
|||
#!/bin/sh
|
||||
#
|
||||
# rc.firewall-2.2
|
||||
FWVER="1.01"
|
||||
#
|
||||
# - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
|
||||
# using IPCHAINS.
|
||||
|
@ -4049,8 +4074,32 @@ FWVER="1.01"
|
|||
# ruleset, it is highly recommended to use a stronger
|
||||
# IPTABLES ruleset either given later in this HOWTO or
|
||||
# from another reputable resource.
|
||||
|
||||
FWVER="1.20"
|
||||
#
|
||||
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
|
||||
# 1.20 - Updated the script to use environment vars
|
||||
# 1.01 - Original version
|
||||
|
||||
|
||||
echo -e "\n\nLoading simple rc.firewall-2.2 : version $FWVER..\n"
|
||||
|
||||
|
||||
# The location of the ipchains and kernel module programs
|
||||
#
|
||||
# If your Linux distribution came with a copy of ipchains,
|
||||
# most likely all the programs will be located in /sbin. If
|
||||
# you manually compiled ipchains, the default location will
|
||||
# be in /usr/local/sbin
|
||||
#
|
||||
# ** Please use the "whereis ipchains" command to figure out
|
||||
# ** where your copy is and change the path below to reflect
|
||||
# ** your setup
|
||||
#
|
||||
IPCHAINS=/sbin/ipchains
|
||||
#IPTABLES=/usr/local/sbin/ipchains
|
||||
DEPMOD=/sbin/depmod
|
||||
INSMOD=/sbin/insmod
|
||||
MODPROBE=/sbin/modprobe
|
||||
|
||||
|
||||
#Setting the EXTERNAL and INTERNAL interfaces for the network
|
||||
|
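Review bot: the commented alternative path is named `#IPTABLES=/usr/local/sbin/ipchains`, but the variable this script uses is `IPCHAINS`; anyone who uncomments it to point at a /usr/local build still runs /sbin/ipchains. It should be `#IPCHAINS=/usr/local/sbin/ipchains`. As with the 2.4 script, a `[ -x "$IPCHAINS" ] || exit 1` check after the assignment would stop the script instead of leaving the host without rules when the path is wrong.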
@ -4098,26 +4147,26 @@ echo " loading required IPMASQ kernel modules.."
|
|||
|
||||
# Needed to initially load modules
|
||||
#
|
||||
/sbin/depmod -a
|
||||
$DEPMOD -a
|
||||
|
||||
echo -en " Loading modules: "
|
||||
|
||||
# Supports the proper masquerading of FTP file transfers using the PORT method
|
||||
#
|
||||
echo -en "FTP, "
|
||||
/sbin/modprobe ip_masq_ftp
|
||||
$MODPROBE ip_masq_ftp
|
||||
|
||||
# Supports the masquerading of RealAudio over UDP. Without this module,
|
||||
# RealAudio WILL function but in TCP mode. This can cause a reduction
|
||||
# in sound quality
|
||||
#
|
||||
#echo -en "RealAudio, "
|
||||
#/sbin/modprobe ip_masq_raudio
|
||||
$MODPROBE ip_masq_raudio
|
||||
|
||||
# Supports the masquerading of IRC DCC file transfers
|
||||
#
|
||||
#echo -en "Irc, "
|
||||
#/sbin/modprobe ip_masq_irc
|
||||
#$MODPROBE ip_masq_irc
|
||||
|
||||
|
||||
# Supports the masquerading of Quake and QuakeWorld by default. This modules is
|
||||
|
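Review bot: the RealAudio block is meant to stay disabled (its `echo -en "RealAudio, "` line is still commented), but the substitution turned `#/sbin/modprobe ip_masq_raudio` into an active `$MODPROBE ip_masq_raudio`, so the script now loads that module unconditionally. Restore the leading `#` (`#$MODPROBE ip_masq_raudio`) to match the comment above it and the pattern used for the IRC block immediately after.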
@ -4129,21 +4178,21 @@ echo -en "FTP, "
|
|||
#
|
||||
#echo -en "Quake, "
|
||||
#Quake I / QuakeWorld (ports 26000 and 27000)
|
||||
#/sbin/modprobe ip_masq_quake
|
||||
#$MODPROBE ip_masq_quake
|
||||
#
|
||||
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
|
||||
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
|
||||
#$MODPROBE ip_masq_quake 26000,27000,27910,27960
|
||||
|
||||
|
||||
# Supports the masquerading of the CuSeeme video conferencing software
|
||||
#
|
||||
#echo -en "CuSeeme, "
|
||||
#/sbin/modprobe ip_masq_cuseeme
|
||||
#$MODPROBE ip_masq_cuseeme
|
||||
|
||||
#Supports the masquerading of the VDO-live video conferencing software
|
||||
#
|
||||
#echo -en "VdoLive "
|
||||
#/sbin/modprobe ip_masq_vdolive
|
||||
#$MODPROBE ip_masq_vdolive
|
||||
|
||||
echo ". Done loading modules."
|
||||
|
||||
|
@ -4197,12 +4246,12 @@ echo "1" > /proc/sys/net/ipv4/ip_always_defrag
|
|||
# The default for FORWARD is REJECT
|
||||
#
|
||||
echo " clearing any existing rules and setting default policy.."
|
||||
/sbin/ipchains -P input ACCEPT
|
||||
/sbin/ipchains -P output ACCEPT
|
||||
/sbin/ipchains -P forward REJECT
|
||||
/sbin/ipchains -F input
|
||||
/sbin/ipchains -F output
|
||||
/sbin/ipchains -F forward
|
||||
$IPCHAINS -P input ACCEPT
|
||||
$IPCHAINS -P output ACCEPT
|
||||
$IPCHAINS -P forward REJECT
|
||||
$IPCHAINS -F input
|
||||
$IPCHAINS -F output
|
||||
$IPCHAINS -F forward
|
||||
|
||||
|
||||
# MASQ timeouts
|
||||
|
@ -4212,7 +4261,7 @@ echo " clearing any existing rules and setting default policy.."
|
|||
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
|
||||
#
|
||||
echo " setting default timers.."
|
||||
/sbin/ipchains -M -S 7200 10 160
|
||||
$IPCHAINS -M -S 7200 10 160
|
||||
|
||||
|
||||
# DHCP: For people who receive their external IP address from either DHCP or
|
||||
|
@ -4222,7 +4271,7 @@ echo " setting default timers.."
|
|||
# This example is currently commented out.
|
||||
#
|
||||
#
|
||||
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp
|
||||
#$IPCHAINS -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp
|
||||
|
||||
# Enable simple IP forwarding and Masquerading
|
||||
#
|
||||
|
@ -4234,8 +4283,8 @@ echo " setting default timers.."
|
|||
# ** connection interface name to match your internal LAN setup
|
||||
#
|
||||
echo " enabling IPMASQ functionality on $EXTIF"
|
||||
/sbin/ipchains -P forward DENY
|
||||
/sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ
|
||||
$IPCHAINS -P forward DENY
|
||||
$IPCHAINS -A forward -i $EXTIF -s $INTLAN -j MASQ
|
||||
|
||||
echo -e "\nrc.firewall-2.2 v$FWVER done.\n"
|
||||
</Screen>
|
||||
|
@ -4299,7 +4348,7 @@ copy the following file into the /etc/rc.d/init.d directory:
|
|||
# probe: true
|
||||
|
||||
# ----------------------------------------------------------------------------
|
||||
# v02/09/02
|
||||
# v08/29/02
|
||||
#
|
||||
# Part of the copyrighted and trademarked TrinityOS document.
|
||||
# http://www.ecst.csuchico.edu/~dranch
|
||||
|
@ -4341,7 +4390,7 @@ IPCHAINS=/sbin/ipchains
|
|||
# See how we were called.
|
||||
case "$1" in
|
||||
start)
|
||||
/etc/rc.d/rc.firewall-2.4
|
||||
/etc/rc.d/rc.firewall-2.2
|
||||
;;
|
||||
|
||||
stop)
|
||||
|
@ -4457,9 +4506,9 @@ the /etc/rc.d/rc.firewall ruleset.
|
|||
# ** Please change the network number, subnet mask, and the Internet
|
||||
# ** connection interface name to match your internal LAN setup
|
||||
#
|
||||
/sbin/ipchains -P forward DENY
|
||||
/sbin/ipchains -A forward -i $EXTIF -s 192.168.0.2/32 -j MASQ
|
||||
/sbin/ipchains -A forward -i $EXTIF -s 192.168.0.8/32 -j MASQ
|
||||
$IPCHAINS -P forward DENY
|
||||
$IPCHAINS -A forward -i $EXTIF -s 192.168.0.2/32 -j MASQ
|
||||
$IPCHAINS -A forward -i $EXTIF -s 192.168.0.8/32 -j MASQ
|
||||
</Screen>
|
||||
</para>
|
||||
|
||||
|
@ -4474,7 +4523,7 @@ first command:
|
|||
|
||||
<para>
|
||||
<screen>
|
||||
/sbin/ipchains -P forward masquerade
|
||||
$IPCHAINS -P forward masquerade
|
||||
</screen>
|
||||
</para>
|
||||
|
||||
|
@ -4495,8 +4544,8 @@ need IP Masquerade.
|
|||
Please see <XRef LinkEnd="rc.firewall-2.2.x-stronger"> for a detailed guide on
|
||||
IPCHAINS and a strong IPCHAINS ruleset example. For additional details on
|
||||
IPCHAINS usage, please refer to
|
||||
<ULink URL="http://netfilter.filewatcher.org/ipchains/">
|
||||
http://netfilter.filewatcher.org/ipchains/</ULink>
|
||||
<ULink URL="http://www.netfilter.org/ipchains/">
|
||||
http://www.netfilter.org/ipchains/</ULink>
|
||||
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>
|
||||
for the primary IPCHAINS site or the
|
||||
<ULink URL="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html">
|
||||
|
@ -6695,7 +6744,7 @@ ACCEPT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
|
|||
<para>
|
||||
From an internal MASQed computer, now ping a static TCP/IP address (NOT a
|
||||
machine by DNS name) out on the Internet (i.e. <Emphasis role="strong">ping
|
||||
152.19.254.81</Emphasis> (this technically the DNS name "metalab.unc.edu" which
|
||||
152.2.210.81</Emphasis> (this technically the DNS name "metalab.unc.edu" which
|
||||
is home of MetaLabs' Linux Archive). If this works, it should look something
|
||||
like the result below and this ultimately shows that ICMP Masquerading is
|
||||
working properly. (hit Control-C to abort the ping):
|
||||
|
@ -6704,15 +6753,15 @@ working properly. (hit Control-C to abort the ping):
|
|||
<para>
|
||||
<ProgramListing>
|
||||
-------------------------------------
|
||||
masq-client# ping 152.2.254.81
|
||||
PING 12.13.14.15 (152.2.254.81): 56 data bytes
|
||||
64 bytes from 152.2.254.81: icmp_seq=0 ttl=255 time=133.4 ms
|
||||
64 bytes from 152.2.254.81: icmp_seq=1 ttl=255 time=132.5 ms
|
||||
64 bytes from 152.2.254.81: icmp_seq=2 ttl=255 time=128.8 ms
|
||||
64 bytes from 152.2.254.81: icmp_seq=3 ttl=255 time=132.2 ms
|
||||
masq-client# ping 152.2.210.81
|
||||
PING 12.13.14.15 (152.2.210.81): 56 data bytes
|
||||
64 bytes from 152.2.210.81: icmp_seq=0 ttl=255 time=133.4 ms
|
||||
64 bytes from 152.2.210.81: icmp_seq=1 ttl=255 time=132.5 ms
|
||||
64 bytes from 152.2.210.81: icmp_seq=2 ttl=255 time=128.8 ms
|
||||
64 bytes from 152.2.210.81: icmp_seq=3 ttl=255 time=132.2 ms
|
||||
^C
|
||||
|
||||
--- 152.2.254.81 ping statistics ---
|
||||
--- 152.2.210.81 ping statistics ---
|
||||
4 packets transmitted, 4 packets received, 0% packet loss
|
||||
round-trip min/avg/max = 128.8/131.7/133.4 ms
|
||||
-------------------------------------
|
||||
|
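Review bot: the sample output still reads `PING 12.13.14.15 (152.2.210.81)` on its second line; the address in parentheses was updated but the `12.13.14.15` placeholder in front of it was not, so the example no longer matches real ping output, which shows the same address (or the hostname) in both places. Change it to `PING 152.2.210.81 (152.2.210.81): 56 data bytes`. More generally, hard-coding a third party's address in the test is why this hunk exists at all; telling readers to use any address they already know answers ICMP would avoid the next change of metalab's IP.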
@ -6749,7 +6798,7 @@ interface.
|
|||
|
||||
<para>
|
||||
Now try TELNETing to a remote IP address (i.e. <Emphasis role="strong">telnet
|
||||
152.2.254.81</Emphasis> ( this is technically the DNS name "metalab.unc.edu").
|
||||
152.2.210.81</Emphasis> ( this is technically the DNS name "metalab.unc.edu").
|
||||
It might take a few seconds to get a login prompt since this is a VERY busy
|
||||
server. Did you get a login prompt like shown below? If so, it means that
|
||||
TCP Masquerading is running OK. If not, try TELNETing to some other hosts you
|
||||
|
@ -6760,9 +6809,9 @@ the TELNET):
|
|||
|
||||
<ProgramListing>
|
||||
--------------------------------
|
||||
masq-client# telnet 152.2.254.81
|
||||
Trying 152.2.254.81...
|
||||
Connected to 152.2.254.81.
|
||||
masq-client# telnet 152.2.210.81
|
||||
Trying 152.2.210.81...
|
||||
Connected to 152.2.210.81.
|
||||
Escape character is '^]'.
|
||||
|
||||
|
||||
|
@ -6801,7 +6850,7 @@ resolution
|
|||
|
||||
<para>
|
||||
Now try TELNETing to a remote machine by DNS name (i.e. <Emphasis
|
||||
role="strong">"telnet metalab.unc.edu"</Emphasis> (IP address 152.2.254.81).
|
||||
role="strong">"telnet metalab.unc.edu"</Emphasis> (IP address 152.2.210.81).
|
||||
If this works, the output should look like something below. With this test,
|
||||
this shows that UDP-based DNS is working fine.
|
||||
</para>
|
||||
|
@ -6809,8 +6858,8 @@ this shows that UDP-based DNS is working fine.
|
|||
<ProgramListing>
|
||||
--------------------------------
|
||||
masq-client# telnet MetaLab.unc.edu
|
||||
Trying 152.2.254.81...
|
||||
Connected to 152.2.254.81.
|
||||
Trying 152.2.210.81...
|
||||
Connected to 152.2.210.81.
|
||||
Escape character is '^]'.
|
||||
|
||||
|
||||
|
@ -7549,12 +7598,14 @@ Cannot work at present (it makes invalid assumptions about addresses).
|
|||
#!/bin/sh
|
||||
#
|
||||
# rc.firewall-2.4-stronger
|
||||
FWVER=0.73s
|
||||
#
|
||||
FWVER=0.74s-4
|
||||
|
||||
# An example of a stronger IPTABLES firewall with IP Masquerade
|
||||
# support for 2.4.x kernels.
|
||||
#
|
||||
# Log:
|
||||
# 0.74s - Changed the EXTIP command to work on NON-English distros
|
||||
# 0.73s - Added comments in the output section that DHCPd is optional
|
||||
# and changed the default settings to disabled
|
||||
# 0.72s - Changed the filter from the INTNET to the INTIP to be
|
||||
|
@ -7672,8 +7723,13 @@ echo " ---"
|
|||
# Determine the external IP automatically:
|
||||
# ----------------------------------------
|
||||
#
|
||||
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \
|
||||
$SED -e 's/.*://'`"
|
||||
# The following line will determine your external IP address. This
|
||||
# line is somewhat complex and confusing but it will also work for
|
||||
# all NON-English Linux distributions:
|
||||
#
|
||||
EXTIP="`$IFCONFIG $EXTIF | $AWK \
|
||||
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
|
||||
|
||||
|
||||
# For users who wish to use STATIC IP addresses:
|
||||
#
|
||||
|
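Review bot: the new `EXTIP=` pipeline never checks that it produced an address. The awk skips the line naming `$EXTIF` and then prints the first colon-separated field of the following line; on an interface that is up but has no IPv4 address yet (ppp0 before the link comes up, a DHCP interface before a lease) that line is the flags/MTU line and EXTIP ends up as something like `1500`, after which every rule using `-d $EXTIP` or `-s $EXTIP` fails to load and the ruleset is only partially applied. Suggest a guard immediately after the assignment, e.g. `case "$EXTIP" in [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;; *) echo "Cannot determine external IP on $EXTIF"; exit 1;; esac`. Also, `$GREP` and `$SED` are no longer used by this command; if nothing else in the script references them their definitions can go.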
@ -7988,7 +8044,7 @@ $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
|
|||
# Allow any related traffic coming back to the MASQ server in
|
||||
#
|
||||
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
|
||||
ESTABLISHED,RELATED -j ACCEPT
|
||||
ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
|
||||
# ----- Begin OPTIONAL Section -----
|
||||
|
@ -8003,7 +8059,7 @@ ESTABLISHED,RELATED -j ACCEPT
|
|||
#
|
||||
#echo -e " - Allowing EXTERNAL access to the WWW server"
|
||||
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
|
||||
#-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
|
||||
# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
|
||||
|
||||
#
|
||||
# ----- End OPTIONAL Section -----
|
||||
|
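Review bot: this commented rule spans two lines joined by a backslash, and the reformatting only changes the spacing after the `#` on the continuation, leaving the trap unmentioned: a reader who uncomments the first line only gets `$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED # -p tcp ...`, where the shell treats the joined remainder as a comment, so the rule is inserted without `-p tcp`, `--dport 80` or `-j ACCEPT`: a targetless match that silently does nothing. Either put the rule on one line or add the same "remove BOTH #s" warning the DHCPd section gives.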
@ -8051,11 +8107,12 @@ $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
|
|||
#
|
||||
|
||||
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
|
||||
# - Remove BOTH #s all the #s if you need this functionality.
|
||||
#
|
||||
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
|
||||
-d 255.255.255.255 --dport 68 -j ACCEPT
|
||||
# -d 255.255.255.255 --dport 68 -j ACCEPT
|
||||
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
|
||||
-d 255.255.255.255 --dport 68 -j ACCEPT
|
||||
# -d 255.255.255.255 --dport 68 -j ACCEPT
|
||||
|
||||
#
|
||||
# ----- End OPTIONAL Section -----
|
||||
|
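Review bot: `# - Remove BOTH #s all the #s if you need this functionality.` is garbled; it should say "Remove ALL the #s (both lines of each rule)". On the rules themselves, DHCP/BOOTP runs over UDP only, so the `-p tcp --sport 67 ... --dport 68` rule never matches anything and just adds a rule to audit; keep only the udp line. The two-line layout with the backslash continuation is what makes the BOTH-#s warning necessary in the first place; a single-line rule would remove the foot-gun.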
@ -8073,7 +8130,7 @@ echo -e " - Loading FORWARD rulesets"
|
|||
|
||||
echo " - FWD: Allow all connections OUT and only existing/related IN"
|
||||
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
|
||||
-j ACCEPT
|
||||
-j ACCEPT
|
||||
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
|
||||
|
||||
# Catch all rule, all other forwarding is denied and logged.
|
||||
|
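Review bot: `$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT` forwards anything arriving on the internal interface regardless of source address, so a LAN host can push packets with forged sources through the router. Add `-s $INTNET` to the rule (the INPUT chain already filters on `$INTNET` for anti-spoofing) so only the internal network is forwarded, and keep the drop-and-log catch-all that follows.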
@ -8169,7 +8226,7 @@ details.</Emphasis>
|
|||
|
||||
<para>
|
||||
Lastly, if you are using a STATIC PPP IP address, change the
|
||||
"ppp_ip="your.static.PPP.address"" line to reflect your address.
|
||||
"EXTIF="your.static.PPP.address"" line to reflect your address.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
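Review bot: the new sentence tells static-PPP users to change an `EXTIF="your.static.PPP.address"` line, but EXTIF holds the interface name (`ppp0`), not an address, and the rewritten 2.2 stronger script no longer has a static-address line at all; it derives EXTIP from `$EXTIF` with ifconfig. Either drop this paragraph or reword it: static users only need to set EXTIF to their PPP interface and the address is picked up automatically.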
@ -8181,11 +8238,36 @@ Lastly, if you are using a STATIC PPP IP address, change the
|
|||
<screen>
|
||||
#!/bin/sh
|
||||
#
|
||||
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
|
||||
# /etc/rc.d/rc.firewall: An example of a Stronger IPCHAINS firewall
|
||||
# ruleset for 2.2 kernels
|
||||
#
|
||||
FWVER=0.60s
|
||||
#
|
||||
# Log:
|
||||
# 0.60s - Changed the EXTIP command to work on NON-English distros
|
||||
# - Updated the CASE of some of the script variables
|
||||
#
|
||||
|
||||
echo -e "\nLoading rc.firewall-2.2-stronger : version $FWVER..\n"
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
|
||||
# Global variables
|
||||
# ----------------
|
||||
|
||||
# ALL PPP and DHCP users must set this for the correct EXTERNAL and
|
||||
# INTERNAL interfaces names. Examples: eth0, ppp0, ippp0, etc.
|
||||
#
|
||||
EXTIF="ppp0"
|
||||
INTIF="eth0"
|
||||
|
||||
# The INTERNAL IP address
|
||||
#
|
||||
INTNET="192.168.0.0/24"
|
||||
|
||||
|
||||
|
||||
# Load all required IP MASQ modules
|
||||
#
|
||||
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
|
||||
|
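Review bot: the comment `# The INTERNAL IP address` above `INTNET="192.168.0.0/24"` describes a network, not an address; say "The INTERNAL network (CIDR)". Also, the globals introduced here are PATH, EXTIF, INTIF and INTNET only, while the EXTIP line later in this file expands `$IFCONFIG` and `$AWK`; define them alongside the other globals (e.g. `IFCONFIG=/sbin/ifconfig`, `AWK=/usr/bin/awk`) or call the commands by name since PATH is set, otherwise the detection pipeline runs with empty command names.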
@ -8289,7 +8371,7 @@ echo "1" > /proc/sys/net/ipv4/ip_always_defrag
|
|||
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
|
||||
# #ed out command below underneath the PPP section AND replace the word
|
||||
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
|
||||
# on the lines for "ppp-ip" and "extip". You should note that the
|
||||
# on the lines for "ppp-ip" and "EXTIP". You should note that the
|
||||
# DHCP server can change IP addresses on you. To fix this, users should
|
||||
# configure their DHCP client to re-run the firewall ruleset everytime the
|
||||
# DHCP lease is renewed.
|
||||
|
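Review bot: the DHCP comment still tells readers to replace "ppp0" on the lines for "ppp-ip" and "EXTIP", but there is no `ppp-ip` line in the rewritten script and EXTIP is now computed from `$EXTIF`, so the only thing a DHCP user has to change is `EXTIF="ppp0"` to their interface. Rewrite the comment to say that, and keep the advice about re-running the ruleset on lease renewal, which is still correct.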
@ -8328,22 +8410,19 @@ echo "1" > /proc/sys/net/ipv4/ip_always_defrag
|
|||
# * You then want to enable the #ed out shell command below *
|
||||
#
|
||||
#
|
||||
# PPP and DHCP Users:
|
||||
# -------------------
|
||||
# Remove the # on the line below and place a # in front of the line after that.
|
||||
# Determine the external IP automatically:
|
||||
# ----------------------------------------
|
||||
#
|
||||
#extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
|
||||
|
||||
# For PPP users with STATIC IP addresses:
|
||||
# The following line will determine your external IP address. This
|
||||
# line is somewhat complex and confusing but it will also work for
|
||||
# all NON-English Linux distributions.
|
||||
#
|
||||
extip="your.static.PPP.address"
|
||||
# Make sure the EXTIF variable above is set to reflect the name
|
||||
# of your Internet connection
|
||||
#
|
||||
EXTIP="`$IFCONFIG $EXTIF | $AWK \
|
||||
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
|
||||
|
||||
# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
|
||||
extint="ppp0"
|
||||
|
||||
# Assign the internal IP
|
||||
intint="eth0"
|
||||
intnet="192.168.0.0/24"
|
||||
|
||||
|
||||
# MASQ timeouts
|
||||
|
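Review bot: the new `EXTIP="\`$IFCONFIG $EXTIF | $AWK ...\`"` assignment is never checked, so if $EXTIF is down or misnamed when the script runs, EXTIP is empty and every later `-d $EXTIP/32` and `-s $EXTIP/32` rule is malformed while the chains sit at REJECT policy; abort immediately after the assignment, for example `[ -z "$EXTIP" ] && { echo "rc.firewall: cannot determine EXTIP on $EXTIF" >&2; exit 1; }`, rather than continuing with a half-loaded ruleset. The removed lines also documented two things the new block drops without replacement: the static-address option (`extip="your.static.PPP.address"`) and the reason the awk form is locale-safe, namely that `/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'` skips the interface line and splits the next line on ":" instead of matching the English string "inet addr"; a one-line comment to that effect would make the admittedly opaque expression maintainable. Finally, `IFCONFIG` and `AWK` are used here but only `EXTIF` is said to be set "above"; confirm all three are defined in the variable block before this point.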
@ -8364,15 +8443,15 @@ ipchains -P input REJECT
|
|||
|
||||
# local interface, local machines, going anywhere is valid
|
||||
#
|
||||
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
|
||||
ipchains -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
# remote interface, claiming to be local machines, IP spoofing, get lost
|
||||
#
|
||||
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
|
||||
ipchains -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
# remote interface, any source, going to permanent PPP address is valid
|
||||
#
|
||||
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
|
||||
ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
|
||||
|
||||
# loopback interface is valid.
|
||||
#
|
||||
|
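Review bot: the anti-spoofing rule `ipchains -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT` should drop rather than reject: a packet arriving on the external interface with an internal source address is forged by definition, and REJECT makes the kernel emit an ICMP error toward that forged internal address, which is traffic you do not want generated on the router's behalf; `-l -j DENY` logs the same event and discards silently. Since this hunk renames `$intint`/`$intnet`/`$extint`/`$extip` to the upper-case forms, also grep the rest of the script for any leftover lower-case reference, because a stale one expands to an empty string and makes that ipchains call fail outright.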
@ -8392,19 +8471,19 @@ ipchains -P output REJECT
|
|||
|
||||
# local interface, any source going to local net is valid
|
||||
#
|
||||
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
|
||||
ipchains -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT
|
||||
|
||||
# outgoing to local net on remote interface, stuffed routing, deny
|
||||
#
|
||||
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
|
||||
ipchains -A output -i $EXTIF -s 0.0.0.0/0 -d $INTNET -l -j REJECT
|
||||
|
||||
# outgoing from local net on remote interface, stuffed masquerading, deny
|
||||
#
|
||||
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
|
||||
ipchains -A output -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
|
||||
|
||||
# anything else outgoing on remote interface is valid
|
||||
#
|
||||
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
|
||||
ipchains -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT
|
||||
|
||||
# loopback interface is valid.
|
||||
#
|
||||
|
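Review bot: the comment `# anything else outgoing on remote interface is valid` overstates the rule under it, `ipchains -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT`, which only accepts packets sourced from the router's own external address; anything leaving $EXTIF with another source address falls through to `ipchains -P output REJECT`. Reword it to "outgoing from our own external address is valid" so a reader does not expect non-masqueraded internal traffic to be passed here. Keeping `-l` on the two "stuffed routing" / "stuffed masquerading" REJECTs is right, since a hit on either means the MASQ rule is not covering some internal source and the log line is how you would find out.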
@ -8424,7 +8503,7 @@ ipchains -P forward DENY
|
|||
|
||||
# Masquerade from local net on local interface to anywhere.
|
||||
#
|
||||
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
|
||||
ipchains -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ
|
||||
#
|
||||
# catch all rule, all other forwarding is denied and logged. pity there is no
|
||||
# log option on the policy but this does the job instead.
|
||||
|
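Review bot: the comment `# Masquerade from local net on local interface to anywhere.` contradicts the rule it describes, `ipchains -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ`: in the ipchains forward chain `-i` names the interface the packet will leave on, so this masquerades internal traffic as it exits the external interface, which is the correct behaviour. Reword the comment (for example "Masquerade from local net going out the external interface to anywhere") so nobody "fixes" the interface to $INTIF and breaks masquerading. Note for multi-LAN setups that any inter-LAN ACCEPT rules, such as the eth1/eth2 example later in this file, must precede this line and the catch-all denial that follows it.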
@ -8997,12 +9076,12 @@ rc.firewall ruleset next to the existing MASQ enable line, add the following:
|
|||
<screen>
|
||||
2.2.x kernels with IPCHAINS
|
||||
#Enable internal interfaces to communication between each other
|
||||
/sbin/ipchains -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT
|
||||
/sbin/ipchains -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT
|
||||
$IPCHAINS -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT
|
||||
$IPCHAINS -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT
|
||||
|
||||
#Enable internal interfaces to MASQ out to the Internet
|
||||
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
|
||||
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
|
||||
$IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
|
||||
$IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
|
||||
</screen>
|
||||
</para>
|
||||
</listitem>
|
||||
|
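Review bot: the inter-LAN rules `$IPCHAINS -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT` and `$IPCHAINS -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT` carry no `-s`, so they accept forwarding into each private net from any source that reaches the forward chain and rely on the input chain having filtered Internet-sourced packets first; add `-s 192.168.1.0/24` to the eth1 rule and `-s 192.168.0.0/24` to the eth2 rule so they match only the LAN-to-LAN traffic they are meant for. The switch from `/sbin/ipchains` to `$IPCHAINS` is consistent with the rest of the ruleset, but this `<screen>` is presented as a standalone snippet to add, so say that `$IPCHAINS` comes from the rc.firewall variable block; a reader who pastes only these lines into a shell gets an empty command. Style: "to communication between each other" should read "to communicate with each other".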
@ -9283,10 +9362,10 @@ IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users.
|
|||
PORTFWIP="192.168.0.10"
|
||||
|
||||
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
|
||||
--state NEW,ESTABLISHED,RELATED -j ACCEPT
|
||||
--state NEW,ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
|
||||
-j DNAT --to $PORTFWIP:80
|
||||
-j DNAT --to $PORTFWIP:80
|
||||
|
||||
</Screen>
|
||||
|
||||
|
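Review bot: `$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` has no `-d $PORTFWIP`, so it admits NEW inbound TCP/80 from the Internet toward any internal host, not just the one the `PREROUTING ... -j DNAT --to $PORTFWIP:80` rule targets; add `-d $PORTFWIP` so the FORWARD accept is exactly as wide as the DNAT. The reindentation of the `\` continuation lines is fine and matches the 06/12/02 changelog entry about making line continuations clearer.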
@ -9300,35 +9379,38 @@ That's it! Just re-run your /etc/rc.d/rc.firewall-2.4 ruleset and test it out!
|
|||
PORTFW FTP: If you have the "ip_conntrack_ftp" and "ip_nat_ftp" kernel
|
||||
modules loaded into kernel space (as already done in the rc.firewall-2.4
|
||||
script), the simple PREROUTING command like the one shown above changed for
|
||||
for port "21" should do the trick. Much easier than the old 2.2.x / 2.0.x
|
||||
ways!
|
||||
for port "21" should do the trick. This is much easier than the configuration
|
||||
for the old 2.2.x / 2.0.x kernels!
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Please note, if you PORTFW to an internal FTP server that is running on,
|
||||
say port 8021 and NOT running on port 21, you MUST tell the
|
||||
"ip_conntrack_ftp" module about the new port. To do this, edit your
|
||||
rc.firewall file and change the loading of the FTP module to look something
|
||||
like this:
|
||||
Please note, if you setup PORTFW to an internal FTP server that is running
|
||||
on a NON-standard FTP port, say port 8021, you MUST tell the
|
||||
"ip_conntrack_ftp" module about the new FTP port. The reason for this is
|
||||
that FTP is not a NAT-friendly protocol. By telling the NAT module about this
|
||||
new non-standard FTP port, the NAT module and do it's job again. To do this,
|
||||
edit your rc.firewall file and change the loading of the FTP module to look
|
||||
something like this:
|
||||
<Screen>
|
||||
/sbin/insmod ip_conntrack_ftp ports=21,8021
|
||||
</Screen>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In the past, if users PORTFWed port 80 on their EXTERNAL IP to some internal
|
||||
machine, only machines on the Internet would work properly. If you tried to
|
||||
do this from an internal machine, it would fail. Fortunately, there is a
|
||||
workaround for 2.2.x and 2.0.x kernels using the REDIR tool. Fortunately,
|
||||
this is NOT required anymore for the 2.4.x kernels. To fix this, add
|
||||
a line like the following ABOVE the "Catch all" FORWARDing rule in the
|
||||
rc.firewall file. This example will REDIRECT internal WWW traffic to the
|
||||
192.168.0.2 internal machine (please change this IP address to reflect your
|
||||
configuration):
|
||||
In the past, if users PORTFWed port 80 on their EXTERNAL IP address to some
|
||||
internal machine, only machines out on the Internet would properly reach
|
||||
this internal WWW server. If you tried to contact this internal WWW server
|
||||
via the EXTERNAL address, it would fail. Fortunately, there is a workaround
|
||||
for 2.2.x and 2.0.x kernels using the REDIR tool. Even better, the use of
|
||||
the REDIR tool is NOT required for the 2.4.x kernels. To support redirection
|
||||
like this from an internal host, add a line like the following ABOVE the
|
||||
"Catch all" FORWARDing rule in the rc.firewall file. This example will
|
||||
REDIRECT internal WWW traffic to the 192.168.0.2 internal machine (please
|
||||
change the IP address to reflect your configuration):
|
||||
|
||||
<Screen>
|
||||
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 \
|
||||
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2
|
||||
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2
|
||||
</Screen>
|
||||
</para>
|
||||
|
||||
|
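Review bot: the internal-client example `$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2` is not sufficient on its own for a client on the internal LAN: after the DNAT the server at 192.168.0.2 answers the client directly on the same subnet, the client expects the reply from $EXTIP, and the connection stalls. The usual companion is a POSTROUTING SNAT or MASQUERADE for traffic from the internal net to 192.168.0.2 port 80 so that replies return through the router; either add it to the example or state that it is needed. The `-m state --state NEW,ESTABLISHED,RELATED` match contributes nothing in the nat table, which only sees the first packet of a connection, and can be dropped. In the prose, "the NAT module and do it's job again" should read "the NAT module can do its job again", and since the text says both `ip_conntrack_ftp` and `ip_nat_ftp` are loaded, check whether `ip_nat_ftp` needs the same `ports=21,8021` argument that the `insmod ip_conntrack_ftp ports=21,8021` example passes.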
@ -10327,6 +10409,11 @@ Redhat v7.0 : YES - 2.2.16 based
|
|||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Redhat v7.2 : YES - 2.4.7 based
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Slackware v3.0 : ? - ?
|
||||
|
@ -12280,13 +12367,13 @@ will also notice that once the listed ICMP masquerade entries timeout,
|
|||
IPSEC (Linux SWAN) tunnels running through IP MASQ </Title>
|
||||
|
||||
<para>
|
||||
This IS possible for specific modes. Specifically, both the 2.0.x and 2.2.x
|
||||
kernels support patches to allow for both ONE or MULTIPLE PPTP users behind a
|
||||
IPMASQ server to connect to the -same- PPTP server. The 2.4.x kernels
|
||||
currently have a BETA version of a PPTP module available on the IPMASQ WWW
|
||||
site. Please check out John
|
||||
Hardin's
|
||||
<ULink URL="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">PPTP Masq</ULink>
|
||||
This IS possible for specific modes. Specifically, all of the kernel versions
|
||||
(2.4.x, 2.2.x, and 2.0.x) support patches to allow for both ONE or MULTIPLE
|
||||
PPTP users behind a IPMASQ server to connect to the -same- PPTP server. The
|
||||
2.4.x kernels currently have a PPTP module now in the newest versions of
|
||||
the IPTABLES program and there is another version available on the IPMASQ WWW
|
||||
site. Please check out John Hardin's
|
||||
<ULink URL="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">PPTP Masq</ULink>
|
||||
page for details.
|
||||
</para>
|
||||
|
||||
|
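Review bot: the section title kept as context, `IPSEC (Linux SWAN) tunnels running through IP MASQ`, does not match the paragraph, which is entirely about PPTP; either the paragraph belongs under a PPTP heading or the IPSEC section is missing its own text. In the new wording, "a PPTP module now in the newest versions of the IPTABLES program" should name the iptables version that first shipped it so readers can check what they have, and "behind a IPMASQ server" should be "behind an IPMASQ server". Replacing the ftp://ftp.rubyriver.com link with the http://www.impsec.org/linux/masquerade/ip_masq_vpn.html page is consistent with the to-do item removed later in this diff.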
@ -12573,7 +12660,7 @@ HOWTO.
|
|||
|
||||
<listitem>
|
||||
<para>
|
||||
You should use <ULink URL="http://netfilter.filewatcher.org/ipchains/">ipchains</ULink>
|
||||
You should use <ULink URL="http://www.netfilter.org/ipchains/">ipchains</ULink>
|
||||
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>
|
||||
to manipulate IP Masq and firewalling rules.
|
||||
</para>
|
||||
|
@ -13069,8 +13156,8 @@ FAQ</ULink> has some general information
|
|||
|
||||
<listitem>
|
||||
<para>
|
||||
Paul Russel's <ULink URL="http://netfilter.filewatcher.org/ipchains/">
|
||||
http://netfilter.filewatcher.org/ipchains/</ULink>
|
||||
Paul Russel's <ULink URL="http://www.netfilter.org/ipchains/">
|
||||
http://www.netfilter.org/ipchains/</ULink>
|
||||
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>
|
||||
doc and its possibly older backup at
|
||||
<ULink URL="http://www.linuxdocs.org/IPCHAINS-HOWTO.html">Linux IPCHAINS
|
||||
|
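Review bot: "Paul Russel's" on the new line misspells the surname; the ipchains author is Paul Russell ("Rusty"). The URL change from netfilter.filewatcher.org to www.netfilter.org matches the 07/06/02 changelog entry in this same diff.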
@ -13528,13 +13615,6 @@ TO DO - WWW page:
|
|||
|
||||
<ItemizedList>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Update all PPTP urls from lowrent to
|
||||
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Update the PPTP patch on the masq site
|
||||
|
@ -13555,8 +13635,90 @@ Update the portfw FTP patch
|
|||
|
||||
<!-- ChangeLOG -->
|
||||
|
||||
|
||||
|
||||
<para>
|
||||
Changes from 01/05/02 to 02/09/02
|
||||
Changes from 04/19/02 to 10/20/02
|
||||
<ItemizedList>
|
||||
<listitem>
|
||||
<para>
|
||||
09/29/02: Fixed a stray incorrect IP address pointing to metalab.unc.edu
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
08/29/02: Fixed a typo in the firewall-2.2 startup script which
|
||||
was starting the 2.4 firewall and not the 2.2. version.
|
||||
Thanks to Jean-Marc Vanel for catching this.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
08/25/02: Updated the rc.firewall-2.2-stronger and rc.firewall-2.2
|
||||
scripts to use shell environment variables.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
07/09/02: Updated the FTP PORTFW section to be more readible
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
07/06/02: Replaced all the filewatcher.org URLs with netfilter.org
|
||||
URLs
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
06/12/02: Changed some of the formatting to try and help newbies
|
||||
better understand that the "\" character is used as a continuation
|
||||
of the previous line.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
06/12/02: Updated the IP address of metalab.unc.edu in Section 5.
|
||||
Thanks to Pete Trachy for bringing this to my attention but please note
|
||||
that even major sites like Metalab change their IPs, subnets, or even
|
||||
ISPs from time to time.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
06/02/02: Updated the rc.firewall-2.4 ruleset to include a commented
|
||||
option for NATing IRC DCCs, added the use of more environment vars, and
|
||||
added additional formatting.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
05/18/02: Added some extra # lines the commented section of the the
|
||||
rc.firewall-2.4-stronger ruleset to better serve Cut and Paste users.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
05/04/02: - Updated the various PPTP MASQ links to point to a valid URL.
|
||||
Also updated the HOWTO to reflect that PPTP is now supported on the 2.4.x
|
||||
kernels.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
05/03/02: - Updated the 2.4.x kernel requirements section to point out
|
||||
that IPCHAINS compatibility under 2.4.x kernels isn't very good. If you
|
||||
want to use IPMASQ under a 2.4.x kernel, you should use IPTABLES rules only.
|
||||
</para>
|
||||
</listitem>
|
||||
</ItemizedList>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Changes from 01/05/02 to 04/19/02 - v2.00.041902 pubsished to the LDP
|
||||
<ItemizedList>
|
||||
<listitem>
|
||||
<para>
|
||||
|
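Review bot: typos in the added changelog entries: "readible" in the 07/09/02 entry should be "readable", "the the" in the 05/18/02 entry should be "the", and "pubsished" in the `Changes from 01/05/02 to 04/19/02 - v2.00.041902 pubsished to the LDP` header should be "published". The 08/25/02 entry says the rc.firewall-2.2 and rc.firewall-2.2-stronger scripts now use shell environment variables; the ipchains hunks earlier in this diff use `$IFCONFIG`, `$AWK` and `$EXTIF` with only a comment that EXTIF is set "above", so confirm the variable block that defines all three was committed alongside them.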
@ -14398,7 +14560,7 @@ section to why this senario doesn't work properly.
|
|||
<listitem>
|
||||
<para>
|
||||
Updated all of the IPCHAINS URLs to point to Paul Rusty's new site at
|
||||
http://netfilter.filewatcher.org/ipchains/
|
||||
http://www.netfilter.org/ipchains/
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
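Review bot: this edits a historical changelog entry in place (`http://netfilter.filewatcher.org/ipchains/` becomes `http://www.netfilter.org/ipchains/`), so the old entry no longer records what was actually done at the time; leave past entries as written and let the 07/06/02 entry added in this diff document the URL move. "Paul Rusty's" should read "Paul 'Rusty' Russell's".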