This commit is contained in:
gferg 2002-10-21 13:00:52 +00:00
parent 44d8e1cb5f
commit e996394ce3
4 changed files with 323 additions and 161 deletions

View File

@ -1211,7 +1211,7 @@ that will improve the I/O performance of your Linux operating system. </Para>
IP-Masquerade-HOWTO</ULink>,
<CiteTitle>Linux IP Masquerade HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: April 2002</CiteTitle>.
<CiteTitle>Updated: October 2002</CiteTitle>.
How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
</ListItem>
@ -2033,7 +2033,7 @@ Linux, using GNU CC and nlmconv(1) from GNU binutils. </Para>
Online-Troubleshooting-HOWTO</ULink>,
<CiteTitle>Online Troubleshooting Resources HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: March 2002</CiteTitle>.
<CiteTitle>Updated: October 2002</CiteTitle>.
Directs Linux users to resources available on the Internet that
provide access to a vast amount of Linux-related information useful
in troubleshooting problems. </Para>

View File

@ -213,7 +213,7 @@ and need help. </Para>
Online-Troubleshooting-HOWTO</ULink>,
<CiteTitle>Online Troubleshooting Resources HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: March 2002</CiteTitle>.
<CiteTitle>Updated: October 2002</CiteTitle>.
Directs Linux users to resources available on the Internet that
provide access to a vast amount of Linux-related information useful
in troubleshooting problems. </Para>

View File

@ -916,7 +916,7 @@ A beginning document for using Portslave with the Linux router. </Para>
IP-Masquerade-HOWTO</ULink>,
<CiteTitle>Linux IP Masquerade HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: April 2002</CiteTitle>.
<CiteTitle>Updated: October 2002</CiteTitle>.
How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
</ListItem>

View File

@ -17,11 +17,12 @@
</affiliation>
</AUTHOR>
<pubdate>
v2.00.041902, April 19, 2002
</pubdate>
<Abstract>
<para>
v2.00.102002, October 20, 2002
</para>
<para>
This document describes how to enable the Linux IP Masquerade feature on a
given Linux host. IP Masquerade is a form of Network Address Translation or
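Review bot: Dropping the `<pubdate>` element loses the structured publication date from `<BookInfo>`; the version string now sits inside an `<Abstract>` paragraph, where index and rendering tools that read metadata will not find it. Suggest keeping `<pubdate>v2.00.102002, October 20, 2002</pubdate>` in place and, if the version is also wanted in the abstract, adding it there in addition rather than instead.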
@ -29,6 +30,7 @@ NAT which NAT allows internally connected computers that do not have one or more
registered Internet IP addresses to communicate to the Internet via the Linux
server's Internet IP address.
</para>
</Abstract>
</BookInfo>
@ -691,9 +693,9 @@ The new IPTABLES system is far more powerful (combines several functions into
one place like true NAT functionality), offers better security (stateful
inspection), and better performance with the new 2.4.x TCP/IP stack. But this
new suite of tools can be a bit complicated in comparison to older generation
kernels. Hopefully if you carefully follow along with this HOWTO it won't be
too bad. If you find anything unclear, downright wrong, etc. please email
David about it.
kernels. Hopefully, if you follow along with this HOWTO carefully, setting up
IPMASQ won't be too bad. If you find anything unclear, downright wrong, etc.
please email David about it.
</para>
<para>
@ -701,10 +703,16 @@ David about it.
IPFWADM, the new NetFilter tool has kernel modules that can actually
support older IPCHAINS and IPFWADM rulesets with minimal changes. So
re-writing your old MASQ or firewall ruleset scripts is not longer required.
Please keep in mind that there might be several benefits in performing a full
ruleset re-write to take advantage of the newer IPTABLES features like
stateful tracking, etc. but that is dependant upon how much time you have
to migrate your old rulesets.
<Emphasis role="strong">BUT..</Emphasis> with the 2.4.x kernels, you cannot
use the old 2.2.x MASQ modules like ip_masq_ftp, ip_masq_irc, etc.
<Emphasis role="strong">AND<</Emphasis> IPCHAINS is incompatible with the
new IPTABLES modules like ip_conntrack_ftp, etc. So, what does this mean?
It basically means that if you want to use IPMASQ under a 2.4.x kernel,
you shouldn't use IPCHAINS rules but IPTABLES ones instead. Please also keep
in mind that there might be several benefits in performing a full ruleset
re-write to take advantage of the newer IPTABLES features like stateful
tracking, etc. but that is dependant upon how much time you have to migrate
your old rulesets.
</para>
</listitem>
</ItemizedList>
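Review bot: The added `<Emphasis role="strong">AND<</Emphasis>` contains a stray `<` before the closing tag, which will break SGML processing; it should read `<Emphasis role="strong">AND</Emphasis>`. The new text also says that under 2.4.x you "shouldn't use IPCHAINS rules but IPTABLES ones instead", while the unchanged sentence just above still says re-writing old rulesets is "not longer required"; the two should be reconciled (for example: not required while you stay on the ipchains compatibility module, but required once the iptables modules are loaded, since the two cannot coexist). Minor wording in the same hunk: "not longer required" should be "no longer required" and "dependant" should be "dependent".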
@ -865,7 +873,7 @@ NotPorted ICQ Used for Instant messaging
NotPorted Quake Used for online Quake games
Beta Avail PPTP Allow for multiple clients to the same server
Ported PPTP Allow for multiple clients to the same server
NotPorted Real Audio Used for Streaming video / audio
@ -874,8 +882,8 @@ NotPorted VDO Live Used for Streaming audio?
<para>
Documentation on how to perform MASQ module porting is available at
<ULink URL="http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO-5.html">
http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO-5.html
<ULink URL="http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html">
http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html
</ULink>
<ULink URL="http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO/index.html">
(mirror at Samba.org)</ULink>,
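Review bot: The primary link is moved from netfilter.filewatcher.org to www.netfilter.org/documentation, but the "(mirror at Samba.org)" link on the following lines still points at the old unreliable-guides path on netfilter.samba.org; either verify that the mirror path is still valid or update it to the same documentation path so the two links lead to the same document.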
@ -891,16 +899,16 @@ appreciated in porting these modules.
<para>
If you'd like to read up more on NetFilter and IPTables, please see:
<ULink URL="http://netfilter.filewatcher.org/unreliable-guides">
http://netfilter.filewatcher.org/unreliable-guides</ULink>
<ULink URL="http://www.netfilter.org/documentation/index.html#HOWTO">
http://www.netfilter.org/documentation/index.html#HOWTO</ULink>
<ULink
URL="http://netfilter.samba.org/unreliable-guides/">
(mirror at Samba.org)</ULink>,
and more
specifically <ULink
URL="http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html">
http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html</ULink>
URL="http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html">
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html</ULink>
</para>
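Review bot: The new NAT-HOWTO URL contains a doubled slash (`http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html`), appearing both in the `URL` attribute and in the visible link text; it should be `.../documentation/HOWTO/NAT-HOWTO.html`. As in the previous hunk, the Samba.org mirror link is left on the old unreliable-guides path while the primary link moved.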
@ -936,8 +944,8 @@ http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html</ULink>
<listitem>
<para>
The program "iptables" version 1.2.4 or newer archive available from
<ULink URL="http://netfilter.filewatcher.org/">
http://netfilter.filewatcher.org/</ULink>
<ULink URL="http://www.netfilter.org/">
http://www.netfilter.org/</ULink>
<ULink URL="http://netfilter.samba.org">
(mirror at Samba.org)</ULink>,.
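Review bot: The unchanged context line after the updated link still ends with `</ULink>,.`, a stray comma before the full stop; since this sentence is being touched anyway, the punctuation should be fixed here.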
@ -962,7 +970,7 @@ http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html</ULink>
makes use of additional MASQ modules like the FTP and IRC modules. Additional
information on version requirements for the newest IPTABLES howto, etc. is
located at the
<ULink URL="http://netfilter.filewatcher.org/">Unreliable IPTABLES HOWTOs</Ulink>
<ULink URL="http://www.netfilter.org/">Unreliable IPTABLES HOWTOs</Ulink>
page <ULink URL="http://netfilter.samba.org/"> (mirror at Samba.org)</ULink>.
</para>
</listitem>
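Review bot: The link text "Unreliable IPTABLES HOWTOs" no longer describes its target now that the URL is the netfilter home page (`http://www.netfilter.org/`); rename the link text (for example "netfilter/iptables home page") or point it at the documentation index used elsewhere in this patch. The closing tag `</Ulink>` also differs in case from the opening `<ULink>`; SGML tolerates that, but it will fail once this document is converted to XML DocBook, so `</ULink>` is safer.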
@ -1137,13 +1145,13 @@ http://www.linuxdoc.org/HOWTO/DSL-HOWTO/index.html</ULink>
<listitem>
<para>
IP Chains 1.3.10 or newer are available from
<ULink URL="http://netfilter.filewatcher.org/ipchains/">
http://netfilter.filewatcher.org/ipchains/</ULink>
<ULink URL="http://www.netfilter.org/ipchains/">
http://www.netfilter.org/ipchains/</ULink>
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>.
Additional information on
version requirements for the newest IPCHAINS HOWTO, etc is located at the
<ULink URL="http://netfilter.filewatcher.org/ipchains/"> Linux IP Chains
page</ULink> <ULink URL="http://netfilter.samba.org/ipchains"> (mirror at
<ULink URL="http://www.netfilter.org/ipchains/"> Linux IP Chains
page</ULink> <ULink URL="http://www.netfilter.org/ipchains"> (mirror at
Samba.org)</ULink>
</para>
</listitem>
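Review bot: The second link in this item is changed to `http://www.netfilter.org/ipchains` but its visible text still reads "(mirror at Samba.org)", so the label is now wrong; three lines earlier the same mirror is still `http://netfilter.samba.org/ipchains`. Either keep the samba.org URL for the mirror link or drop the mirror link altogether, but the two occurrences should be consistent.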
@ -1543,7 +1551,7 @@ patches and more information:
</para>
<para>
<ULink URL="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
<ULink URL="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">
John Hardin's VPN Masquerade forwarders</ULink> or the old patch for just
<ULink URL="http://ipmasq.cjb.net/ip_masq_pptp.patch.gz">PPTP Support</ULink>.
</para>
@ -3486,7 +3494,7 @@ SIMPLE ruleset:
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.63
FWVER=0.70
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
@ -3499,6 +3507,9 @@ FWVER=0.63
#
#
# Log:
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
@ -3514,11 +3525,12 @@ FWVER=0.63
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the 'iptables' program
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
@ -3526,6 +3538,8 @@ echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
#Setting the EXTERNAL and INTERNAL interfaces for the network
@ -3560,7 +3574,7 @@ echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
@ -3580,13 +3594,15 @@ echo " - Verifying that all kernel modules are ok"
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
/sbin/insmod ip_tables
$INSMOD ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
@ -3605,7 +3621,7 @@ echo -en "ip_tables, "
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
$INSMOD ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
@ -3613,7 +3629,7 @@ echo -en "ip_conntrack, "
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
$INSMOD ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
@ -3621,7 +3637,7 @@ echo -en "ip_conntrack_ftp, "
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
$INSMOD ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
@ -3630,7 +3646,7 @@ echo -en "ip_conntrack_irc, "
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
$INSMOD iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
@ -3639,9 +3655,19 @@ echo -en "iptable_nat, "
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
$INSMOD ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$INSMOD ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
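Review bot: The new commented-out IRC NAT block uses `#echo -e "ip_nat_irc"` whereas every other module in this section uses `echo -en "<module>, "`; when a user uncomments it the module list printed on one line will be broken by a newline and the missing comma. Also "Require to support NAT of IRC DCC requests" should read "Required to support ...".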
@ -4009,8 +4035,8 @@ need IP Masquerade.
<para>
Please see <XRef LinkEnd="rc.firewall-2.4.x-stronger"> for a detailed guide on
a strong IPTABLES ruleset example. For additional details on IPTABLES usage,
please refer to <ULink URL="http://netfilter.filewatcher.org/">
http://netfilter.filewatcher.org/</ULink>
please refer to <ULink URL="http://www.netfilter.org/">
http://www.netfilter.org/</ULink>
<ULink URL="http://netfilter.samba.org/"> (mirror at Samba.org)</ULink>
for the primary IPTABLES site.
</para>
@ -4040,7 +4066,6 @@ ruleset:
#!/bin/sh
#
# rc.firewall-2.2
FWVER="1.01"
#
# - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
# using IPCHAINS.
@ -4049,8 +4074,32 @@ FWVER="1.01"
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
FWVER="1.20"
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# 1.20 - Updated the script to use environment vars
# 1.01 - Original version
echo -e "\n\nLoading simple rc.firewall-2.2 : version $FWVER..\n"
# The location of the ipchains and kernel module programs
#
# If your Linux distribution came with a copy of ipchains,
# most likely all the programs will be located in /sbin. If
# you manually compiled ipchains, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis ipchains" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPCHAINS=/sbin/ipchains
#IPTABLES=/usr/local/sbin/ipchains
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
MODPROBE=/sbin/modprobe
#Setting the EXTERNAL and INTERNAL interfaces for the network
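Review bot: The alternative path line is misnamed: `#IPTABLES=/usr/local/sbin/ipchains` should be `#IPCHAINS=/usr/local/sbin/ipchains`, otherwise a user who uncomments it ends up with `$IPCHAINS` still pointing at /sbin. `INSMOD` is also defined here although this 2.2 script only ever calls `$MODPROBE` in the following hunks; either drop the unused variable or leave a comment saying why it is kept.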
@ -4098,26 +4147,26 @@ echo " loading required IPMASQ kernel modules.."
# Needed to initially load modules
#
/sbin/depmod -a
$DEPMOD -a
echo -en " Loading modules: "
# Supports the proper masquerading of FTP file transfers using the PORT method
#
echo -en "FTP, "
/sbin/modprobe ip_masq_ftp
$MODPROBE ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#echo -en "RealAudio, "
#/sbin/modprobe ip_masq_raudio
$MODPROBE ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#echo -en "Irc, "
#/sbin/modprobe ip_masq_irc
#$MODPROBE ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This modules is
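Review bot: The RealAudio line loses its leading `#`: `#/sbin/modprobe ip_masq_raudio` becomes `$MODPROBE ip_masq_raudio`, so the module is now loaded unconditionally even though the preceding `#echo -en "RealAudio, "` stays commented out and the comment block describes it as optional. This looks like a dropped character; it should be `#$MODPROBE ip_masq_raudio`, matching the IRC, Quake, CuSeeme and VdoLive lines in the same hunk.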
@ -4129,21 +4178,21 @@ echo -en "FTP, "
#
#echo -en "Quake, "
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#$MODPROBE ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
#$MODPROBE ip_masq_quake 26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#echo -en "CuSeeme, "
#/sbin/modprobe ip_masq_cuseeme
#$MODPROBE ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#echo -en "VdoLive "
#/sbin/modprobe ip_masq_vdolive
#$MODPROBE ip_masq_vdolive
echo ". Done loading modules."
@ -4197,12 +4246,12 @@ echo "1" &#62; /proc/sys/net/ipv4/ip_always_defrag
# The default for FORWARD is REJECT
#
echo " clearing any existing rules and setting default policy.."
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
$IPCHAINS -P input ACCEPT
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward REJECT
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward
# MASQ timeouts
@ -4212,7 +4261,7 @@ echo " clearing any existing rules and setting default policy.."
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
echo " setting default timers.."
/sbin/ipchains -M -S 7200 10 160
$IPCHAINS -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or
@ -4222,7 +4271,7 @@ echo " setting default timers.."
# This example is currently commented out.
#
#
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp
#$IPCHAINS -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp
# Enable simple IP forwarding and Masquerading
#
@ -4234,8 +4283,8 @@ echo " setting default timers.."
# ** connection interface name to match your internal LAN setup
#
echo " enabling IPMASQ functionality on $EXTIF"
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ
$IPCHAINS -P forward DENY
$IPCHAINS -A forward -i $EXTIF -s $INTLAN -j MASQ
echo -e "\nrc.firewall-2.2 v$FWVER done.\n"
</Screen>
@ -4299,7 +4348,7 @@ copy the following file into the /etc/rc.d/init.d directory:
# probe: true
# ----------------------------------------------------------------------------
# v02/09/02
# v08/29/02
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
@ -4341,7 +4390,7 @@ IPCHAINS=/sbin/ipchains
# See how we were called.
case "$1" in
start)
/etc/rc.d/rc.firewall-2.4
/etc/rc.d/rc.firewall-2.2
;;
stop)
@ -4457,9 +4506,9 @@ the /etc/rc.d/rc.firewall ruleset.
# ** Please change the network number, subnet mask, and the Internet
# ** connection interface name to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTIF -s 192.168.0.2/32 -j MASQ
/sbin/ipchains -A forward -i $EXTIF -s 192.168.0.8/32 -j MASQ
$IPCHAINS -P forward DENY
$IPCHAINS -A forward -i $EXTIF -s 192.168.0.2/32 -j MASQ
$IPCHAINS -A forward -i $EXTIF -s 192.168.0.8/32 -j MASQ
</Screen>
</para>
@ -4474,7 +4523,7 @@ first command:
<para>
<screen>
/sbin/ipchains -P forward masquerade
$IPCHAINS -P forward masquerade
</screen>
</para>
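Review bot: Everywhere else in the patch the masquerading target is written `MASQ` (`-j MASQ`), while this line sets the policy to lowercase `masquerade`; confirm that ipchains accepts that spelling, or change it to `$IPCHAINS -P forward MASQ` for consistency with the ruleset it is meant to replace.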
@ -4495,8 +4544,8 @@ need IP Masquerade.
Please see <XRef LinkEnd="rc.firewall-2.2.x-stronger"> for a detailed guide on
IPCHAINS and a strong IPCHAINS ruleset example. For additional details on
IPCHAINS usage, please refer to
<ULink URL="http://netfilter.filewatcher.org/ipchains/">
http://netfilter.filewatcher.org/ipchains/</ULink>
<ULink URL="http://www.netfilter.org/ipchains/">
http://www.netfilter.org/ipchains/</ULink>
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>
for the primary IPCHAINS site or the
<ULink URL="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html">
@ -6695,7 +6744,7 @@ ACCEPT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
<para>
From an internal MASQed computer, now ping a static TCP/IP address (NOT a
machine by DNS name) out on the Internet (i.e. <Emphasis role="strong">ping
152.19.254.81</Emphasis> (this technically the DNS name "metalab.unc.edu" which
152.2.210.81</Emphasis> (this technically the DNS name "metalab.unc.edu" which
is home of MetaLabs' Linux Archive). If this works, it should look something
like the result below and this ultimately shows that ICMP Masquerading is
working properly. (hit Control-C to abort the ping):
@ -6704,15 +6753,15 @@ working properly. (hit Control-C to abort the ping):
<para>
<ProgramListing>
-------------------------------------
masq-client# ping 152.2.254.81
PING 12.13.14.15 (152.2.254.81): 56 data bytes
64 bytes from 152.2.254.81: icmp_seq=0 ttl=255 time=133.4 ms
64 bytes from 152.2.254.81: icmp_seq=1 ttl=255 time=132.5 ms
64 bytes from 152.2.254.81: icmp_seq=2 ttl=255 time=128.8 ms
64 bytes from 152.2.254.81: icmp_seq=3 ttl=255 time=132.2 ms
masq-client# ping 152.2.210.81
PING 12.13.14.15 (152.2.210.81): 56 data bytes
64 bytes from 152.2.210.81: icmp_seq=0 ttl=255 time=133.4 ms
64 bytes from 152.2.210.81: icmp_seq=1 ttl=255 time=132.5 ms
64 bytes from 152.2.210.81: icmp_seq=2 ttl=255 time=128.8 ms
64 bytes from 152.2.210.81: icmp_seq=3 ttl=255 time=132.2 ms
^C
--- 152.2.254.81 ping statistics ---
--- 152.2.210.81 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 128.8/131.7/133.4 ms
-------------------------------------
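Review bot: The second line of the sample output still reads `PING 12.13.14.15 (152.2.210.81)`, which is inconsistent with the command `ping 152.2.210.81` above it; ping echoes the argument it was given, so this should be `PING 152.2.210.81 (152.2.210.81): 56 data bytes`. Since this is the second time the example address has been changed (the prose used 152.19.254.81 while the listing used 152.2.254.81), it may be worth a sentence telling readers to confirm the current address of metalab.unc.edu before relying on it.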
@ -6749,7 +6798,7 @@ interface.
<para>
Now try TELNETing to a remote IP address (i.e. <Emphasis role="strong">telnet
152.2.254.81</Emphasis> ( this is technically the DNS name "metalab.unc.edu").
152.2.210.81</Emphasis> ( this is technically the DNS name "metalab.unc.edu").
It might take a few seconds to get a login prompt since this is a VERY busy
server. Did you get a login prompt like shown below? If so, it means that
TCP Masquerading is running OK. If not, try TELNETing to some other hosts you
@ -6760,9 +6809,9 @@ the TELNET):
<ProgramListing>
--------------------------------
masq-client# telnet 152.2.254.81
Trying 152.2.254.81...
Connected to 152.2.254.81.
masq-client# telnet 152.2.210.81
Trying 152.2.210.81...
Connected to 152.2.210.81.
Escape character is '^]'.
@ -6801,7 +6850,7 @@ resolution
<para>
Now try TELNETing to a remote machine by DNS name (i.e. <Emphasis
role="strong">"telnet metalab.unc.edu"</Emphasis> (IP address 152.2.254.81).
role="strong">"telnet metalab.unc.edu"</Emphasis> (IP address 152.2.210.81).
If this works, the output should look like something below. With this test,
this shows that UDP-based DNS is working fine.
</para>
@ -6809,8 +6858,8 @@ this shows that UDP-based DNS is working fine.
<ProgramListing>
--------------------------------
masq-client# telnet MetaLab.unc.edu
Trying 152.2.254.81...
Connected to 152.2.254.81.
Trying 152.2.210.81...
Connected to 152.2.210.81.
Escape character is '^]'.
@ -7549,12 +7598,14 @@ Cannot work at present (it makes invalid assumptions about addresses).
#!/bin/sh
#
# rc.firewall-2.4-stronger
FWVER=0.73s
#
FWVER=0.74s-4
# An example of a stronger IPTABLES firewall with IP Masquerade
# support for 2.4.x kernels.
#
# Log:
# 0.74s - Changed the EXTIP command to work on NON-English distros
# 0.73s - Added comments in the output section that DHCPd is optional
# and changed the default settings to disabled
# 0.72s - Changed the filter from the INTNET to the INTIP to be
@ -7672,8 +7723,13 @@ echo " ---"
# Determine the external IP automatically:
# ----------------------------------------
#
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \
$SED -e 's/.*://'`"
# The following line will determine your external IP address. This
# line is somewhat complex and confusing but it will also work for
# all NON-English Linux distributions:
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
# For users who wish to use STATIC IP addresses:
#
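Review bot: The new awk pipeline is fragile in two ways that the old `grep 'inet addr'` version was not: it assumes the line immediately after the `$EXTIF` header is the `inet addr:` line, so an interface with no IPv4 address yet (ppp0 before the link is up) yields an empty or wrong `$EXTIP` and every later rule that uses `-d $EXTIP` is silently built against it; and `/$EXTIF/` matches any interface whose name merely contains the string (eth1 also matches eth10). Suggest anchoring the pattern, for example `/^$EXTIF[ \t]/`, and adding a guard such as `[ -z "$EXTIP" ] && { echo "could not determine EXTIP on $EXTIF"; exit 1; }` before the rules are loaded.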
@ -7988,7 +8044,7 @@ $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
ESTABLISHED,RELATED -j ACCEPT
# ----- Begin OPTIONAL Section -----
@ -8003,7 +8059,7 @@ ESTABLISHED,RELATED -j ACCEPT
#
#echo -e " - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
#-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
#
# ----- End OPTIONAL Section -----
@ -8051,11 +8107,12 @@ $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
# - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
# -d 255.255.255.255 --dport 68 -j ACCEPT
#
# ----- End OPTIONAL Section -----
@ -8073,7 +8130,7 @@ echo -e " - Loading FORWARD rulesets"
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
@ -8169,7 +8226,7 @@ details.</Emphasis>
<para>
Lastly, if you are using a STATIC PPP IP address, change the
"ppp_ip="your.static.PPP.address"" line to reflect your address.
"EXTIF="your.static.PPP.address"" line to reflect your address.
</para>
<para>
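Review bot: The replacement text points static-IP users at the `"EXTIF="your.static.PPP.address""` line, but `EXTIF` is the interface name variable (set to `"ppp0"` in the script header later in this patch); the variable that carries the address is `EXTIP`, so the instruction should name `EXTIP`.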
@ -8181,11 +8238,36 @@ Lastly, if you are using a STATIC PPP IP address, change the
<screen>
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
# /etc/rc.d/rc.firewall: An example of a Stronger IPCHAINS firewall
# ruleset for 2.2 kernels
#
FWVER=0.60s
#
# Log:
# 0.60s - Changed the EXTIP command to work on NON-English distros
# - Updated the CASE of some of the script variables
#
echo -e "\nLoading rc.firewall-2.2-stronger : version $FWVER..\n"
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Global variables
# ----------------
# ALL PPP and DHCP users must set this for the correct EXTERNAL and
# INTERNAL interfaces names. Examples: eth0, ppp0, ippp0, etc.
#
EXTIF="ppp0"
INTIF="eth0"
# The INTERNAL IP address
#
INTNET="192.168.0.0/24"
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
@ -8289,7 +8371,7 @@ echo "1" &#62; /proc/sys/net/ipv4/ip_always_defrag
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
# on the lines for "ppp-ip" and "extip". You should note that the
# on the lines for "ppp-ip" and "EXTIP". You should note that the
# DHCP server can change IP addresses on you. To fix this, users should
# configure their DHCP client to re-run the firewall ruleset everytime the
# DHCP lease is renewed.
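Review bot: This comment is now stale: it still tells DHCP users to replace the word "ppp0" on the lines for "ppp-ip" and "EXTIP", but after this patch there is no "ppp-ip" line and the interface name is no longer written into the EXTIP line at all; it is taken from `EXTIF`. The comment should simply say to set `EXTIF` to the name of the external interface (eth0, eth1, etc.).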
@ -8328,22 +8410,19 @@ echo "1" &#62; /proc/sys/net/ipv4/ip_always_defrag
# * You then want to enable the #ed out shell command below *
#
#
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line after that.
# Determine the external IP automatically:
# ----------------------------------------
#
#extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# For PPP users with STATIC IP addresses:
# The following line will determine your external IP address. This
# line is somewhat complex and confusing but it will also work for
# all NON-English Linux distributions.
#
extip="your.static.PPP.address"
# Make sure the EXTIF variable above is set to reflect the name
# of your Internet connection
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
extint="ppp0"
# Assign the internal IP
intint="eth0"
intnet="192.168.0.0/24"
# MASQ timeouts
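Review bot: The static-address option (`extip="your.static.PPP.address"`) is removed outright rather than renamed, so a static-IP user has nothing to edit and the prose earlier in this patch that tells them to change that line has no target; suggest restoring it as a commented alternative, `#EXTIP="your.static.PPP.address"`, below the autodetect line. The autodetect line also uses `$IFCONFIG` and `$AWK`, which, unlike in rc.firewall-2.4-stronger, are not defined in this script's header (the header hunk only sets PATH, EXTIF, INTIF and INTNET); with both empty the command degenerates to `ppp0 | ...` and fails. Either define them or, since PATH is set, call `ifconfig` and `awk` directly.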
@ -8364,15 +8443,15 @@ ipchains -P input REJECT
# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
# loopback interface is valid.
#
@ -8392,19 +8471,19 @@ ipchains -P output REJECT
# local interface, any source going to local net is valid
#
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
ipchains -A output -i $INTIF -s 0.0.0.0/0 -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
ipchains -A output -i $EXTIF -s 0.0.0.0/0 -d $INTNET -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A output -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid.
#
@ -8424,7 +8503,7 @@ ipchains -P forward DENY
# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
ipchains -A forward -i $EXTIF -s $INTNET -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
@ -8997,12 +9076,12 @@ rc.firewall ruleset next to the existing MASQ enable line, add the following:
<screen>
2.2.x kernels with IPCHAINS
#Enable internal interfaces to communication between each other
/sbin/ipchains -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT
/sbin/ipchains -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT
$IPCHAINS -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT
$IPCHAINS -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT
#Enable internal interfaces to MASQ out to the Internet
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
$IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
$IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
</screen>
</para>
</listitem>
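Review bot: This snippet is offered as something to paste "next to the existing MASQ enable line", but only the simple rc.firewall-2.2 script defines `$IPCHAINS`; rc.firewall-2.2-stronger still calls `ipchains` unqualified, so a user of the stronger ruleset who pastes these lines gets an empty variable and a "command not found" for `-A`. Either mention that `IPCHAINS` must be defined, or keep the explicit `/sbin/ipchains` here.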
@ -9283,10 +9362,10 @@ IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users.
PORTFWIP="192.168.0.10"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
-j DNAT --to $PORTFWIP:80
-j DNAT --to $PORTFWIP:80
</Screen>
@ -9300,35 +9379,38 @@ That's it! Just re-run your /etc/rc.d/rc.firewall-2.4 ruleset and test it out!
PORTFW FTP: If you have the "ip_conntrack_ftp" and "ip_nat_ftp" kernel
modules loaded into kernel space (as already done in the rc.firewall-2.4
script), the simple PREROUTING command like the one shown above changed for
for port "21" should do the trick. Much easier than the old 2.2.x / 2.0.x
ways!
for port "21" should do the trick. This is much easier than the configuration
for the old 2.2.x / 2.0.x kernels!
</para>
<para>
Please note, if you PORTFW to an internal FTP server that is running on,
say port 8021 and NOT running on port 21, you MUST tell the
"ip_conntrack_ftp" module about the new port. To do this, edit your
rc.firewall file and change the loading of the FTP module to look something
like this:
Please note, if you setup PORTFW to an internal FTP server that is running
on a NON-standard FTP port, say port 8021, you MUST tell the
"ip_conntrack_ftp" module about the new FTP port. The reason for this is
that FTP is not a NAT-friendly protocol. By telling the NAT module about this
new non-standard FTP port, the NAT module and do it's job again. To do this,
edit your rc.firewall file and change the loading of the FTP module to look
something like this:
<Screen>
/sbin/insmod ip_conntrack_ftp ports=21,8021
</Screen>
</para>
<para>
In the past, if users PORTFWed port 80 on their EXTERNAL IP to some internal
machine, only machines on the Internet would work properly. If you tried to
do this from an internal machine, it would fail. Fortunately, there is a
workaround for 2.2.x and 2.0.x kernels using the REDIR tool. Fortunately,
this is NOT required anymore for the 2.4.x kernels. To fix this, add
a line like the following ABOVE the "Catch all" FORWARDing rule in the
rc.firewall file. This example will REDIRECT internal WWW traffic to the
192.168.0.2 internal machine (please change this IP address to reflect your
configuration):
In the past, if users PORTFWed port 80 on their EXTERNAL IP address to some
internal machine, only machines out on the Internet would properly reach
this internal WWW server. If you tried to contact this internal WWW server
via the EXTERNAL address, it would fail. Fortunately, there is a workaround
for 2.2.x and 2.0.x kernels using the REDIR tool. Even better, the use of
the REDIR tool is NOT required for the 2.4.x kernels. To support redirection
like this from an internal host, add a line like the following ABOVE the
"Catch all" FORWARDing rule in the rc.firewall file. This example will
REDIRECT internal WWW traffic to the 192.168.0.2 internal machine (please
change the IP address to reflect your configuration):
<Screen>
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 \
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2
</Screen>
</para>
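Review bot: the DNAT rule at the end of this hunk only rewrites the destination address, so the paragraph's claim that it alone supports reaching the forwarded WWW server "from an internal host" does not hold: a client on the same internal subnet as 192.168.0.2 receives the server's reply directly, with 192.168.0.2 rather than $EXTIP as the source, and discards it. Pair the rule with a POSTROUTING SNAT/MASQUERADE rule for connections entering on the internal interface and destined for 192.168.0.2, or state the topology in which the rule was tested. The `-m state --state NEW,ESTABLISHED,RELATED` match on a nat-table rule is also redundant, since the nat table only sees the first packet of a connection. Wording: the new sentence "If you tried to contact this internal WWW server via the EXTERNAL address, it would fail" dropped the "from an internal machine" qualifier that is the whole point of the paragraph; "changed for / for port "21"" still carries a doubled "for"; "the NAT module and do it's job again" should read "the NAT module can do its job again"; and "setup PORTFW" should be "set up PORTFW".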
@ -10327,6 +10409,11 @@ Redhat v7.0 : YES - 2.2.16 based
</para>
</listitem>
<listitem>
<para>
Redhat v7.2 : YES - 2.4.7 based
</para>
</listitem>
<listitem>
<para>
Slackware v3.0 : ? - ?
@ -12280,13 +12367,13 @@ will also notice that once the listed ICMP masquerade entries timeout,
IPSEC (Linux SWAN) tunnels running through IP MASQ </Title>
<para>
This IS possible for specific modes. Specifically, both the 2.0.x and 2.2.x
kernels support patches to allow for both ONE or MULTIPLE PPTP users behind a
IPMASQ server to connect to the -same- PPTP server. The 2.4.x kernels
currently have a BETA version of a PPTP module available on the IPMASQ WWW
site. Please check out John
Hardin's
<ULink URL="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">PPTP Masq</ULink>
This IS possible for specific modes. Specifically, all of the kernel versions
(2.4.x, 2.2.x, and 2.0.x) support patches to allow for both ONE or MULTIPLE
PPTP users behind a IPMASQ server to connect to the -same- PPTP server. The
2.4.x kernels currently have a PPTP module now in the newest versions of
the IPTABLES program and there is another version available on the IPMASQ WWW
site. Please check out John Hardin's
<ULink URL="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">PPTP Masq</ULink>
page for details.
</para>
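Review bot: the rewritten PPTP paragraph names two sources of 2.4.x support ("a PPTP module now in the newest versions of the IPTABLES program and there is another version available on the IPMASQ WWW site") without saying which one the HOWTO recommends or which iptables release first shipped the module; give the version and point the reader to one of them. Grammar: "a IPMASQ server" should be "an IPMASQ server", and "currently have ... now" is redundant.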
@ -12573,7 +12660,7 @@ HOWTO.
<listitem>
<para>
You should use <ULink URL="http://netfilter.filewatcher.org/ipchains/">ipchains</ULink>
You should use <ULink URL="http://www.netfilter.org/ipchains/">ipchains</ULink>
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>
to manipulate IP Masq and firewalling rules.
</para>
@ -13069,8 +13156,8 @@ FAQ</ULink> has some general information
<listitem>
<para>
Paul Russel's <ULink URL="http://netfilter.filewatcher.org/ipchains/">
http://netfilter.filewatcher.org/ipchains/</ULink>
Paul Russel's <ULink URL="http://www.netfilter.org/ipchains/">
http://www.netfilter.org/ipchains/</ULink>
<ULink URL="http://netfilter.samba.org/ipchains"> (mirror at Samba.org)</ULink>
doc and its possibly older backup at
<ULink URL="http://www.linuxdocs.org/IPCHAINS-HOWTO.html">Linux IPCHAINS
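Review bot: since this line is being touched anyway, fix the author's name: it is Paul "Rusty" Russell (two l's), not "Russel"; the changelog entry later in this patch ("Paul Rusty's new site") has the same problem and could be corrected in the same pass.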
@ -13528,13 +13615,6 @@ TO DO - WWW page:
<ItemizedList>
<listitem>
<para>
Update all PPTP urls from lowrent to
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
</para>
</listitem>
<listitem>
<para>
Update the PPTP patch on the masq site
@ -13555,8 +13635,90 @@ Update the portfw FTP patch
<!-- ChangeLOG -->
<para>
Changes from 01/05/02 to 02/09/02
Changes from 04/19/02 to 10/20/02
<ItemizedList>
<listitem>
<para>
09/29/02: Fixed a stray incorrect IP address pointing to metalab.unc.edu
</para>
</listitem>
<listitem>
<para>
08/29/02: Fixed a typo in the firewall-2.2 startup script which
was starting the 2.4 firewall and not the 2.2. version.
Thanks to Jean-Marc Vanel for catching this.
</para>
</listitem>
<listitem>
<para>
08/25/02: Updated the rc.firewall-2.2-stronger and rc.firewall-2.2
scripts to use shell environment variables.
</para>
</listitem>
<listitem>
<para>
07/09/02: Updated the FTP PORTFW section to be more readible
</para>
</listitem>
<listitem>
<para>
07/06/02: Replaced all the filewatcher.org URLs with netfilter.org
URLs
</para>
</listitem>
<listitem>
<para>
06/12/02: Changed some of the formatting to try and help newbies
better understand that the "\" character is used as a continuation
of the previous line.
</para>
</listitem>
<listitem>
<para>
06/12/02: Updated the IP address of metalab.unc.edu in Section 5.
Thanks to Pete Trachy for bringing this to my attention but please note
that even major sites like Metalab change their IPs, subnets, or even
ISPs from time to time.
</para>
</listitem>
<listitem>
<para>
06/02/02: Updated the rc.firewall-2.4 ruleset to include a commented
option for NATing IRC DCCs, added the use of more environment vars, and
added additional formatting.
</para>
</listitem>
<listitem>
<para>
05/18/02: Added some extra # lines the commented section of the the
rc.firewall-2.4-stronger ruleset to better serve Cut and Paste users.
</para>
</listitem>
<listitem>
<para>
05/04/02: - Updated the various PPTP MASQ links to point to a valid URL.
Also updated the HOWTO to reflect that PPTP is now supported on the 2.4.x
kernels.
</para>
</listitem>
<listitem>
<para>
05/03/02: - Updated the 2.4.x kernel requirements section to point out
that IPCHAINS compatibility under 2.4.x kernels isn't very good. If you
want to use IPMASQ under a 2.4.x kernel, you should use IPTABLES rules only.
</para>
</listitem>
</ItemizedList>
</para>
<para>
Changes from 01/05/02 to 04/19/02 - v2.00.041902 pubsished to the LDP
<ItemizedList>
<listitem>
<para>
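Review bot: several typos in the new changelog entries: "readible" (07/09/02) should be "readable", "the the" (05/18/02), "2.2. version" (08/29/02) has a stray period, "pubsished" in the "Changes from 01/05/02 to 04/19/02" heading should be "published", and the 05/04/02 and 05/03/02 entries carry a stray "- " after the date that the other entries do not. The 08/29/02 entry (the 2.2 startup script was launching the 2.4 ruleset) is a user-visible correctness fix rather than a cosmetic one and deserves a sentence saying which file and which line was wrong so affected users can check their own copies.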
@ -14398,7 +14560,7 @@ section to why this senario doesn't work properly.
<listitem>
<para>
Updated all of the IPCHAINS URLs to point to Paul Rusty's new site at
http://netfilter.filewatcher.org/ipchains/
http://www.netfilter.org/ipchains/
</para>
</listitem>
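Review bot: this hunk rewrites an entry in the 01/05/02 to 04/19/02 changelog section, which changes the historical record of what that earlier release did (it pointed at netfilter.filewatcher.org at the time). The new 07/06/02 entry in this same patch already documents the filewatcher.org to netfilter.org replacement, so the older entry should keep the URL as it was, or at most gain a parenthetical "(since moved to http://www.netfilter.org/ipchains/)".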