I am using the following script (on the firewall machine) and am having a bit
of trouble. The setup is a bunch of Windows boxes going to a Samba
fileserver/router using ipmasq to move packets onto the firewall
subnet, which are then routed/forwarded to the Internet via ADSL.
The script is from the Linux Network Toolkit book by Paul G. Sery.

The problem I am encountering is that FTP and some downloads via the web
won't work. I haven't tested any of the other protocols yet. For
example: using my Win98 box I surf over to Netscape's download site and select
the 40-bit download for Communicator or Navigator 4.06. In Netscape 4.05 I see
in the status bar that it is "contacting ftp.netscape.com"; a few seconds
later it comes up with "contacting host: ip address and port"
and then just sits there, and after a minute or so a dialogue box comes
up saying:

"There was no response. The server could be down or not responding. If
you are unable to connect again, please contact the server's
administrator."

This happens for any FTP site that I try. If I go to the
fileserver/router box and type "ftp redhat.com", after a 10 second pause
I get the message "redhat.com no address associated with name".

Is this another DNS issue? Do I have to set up the fileserver/router box
to use the ISP's DNS server? Or what?
#!/bin/sh
# Some definitions for easy maintenance.
# To obtain the dynamic PPP IP address, the output of ifconfig is piped to
# grep which strips out all the lines except the one containing the address
# and pipes it to awk which prints the 2nd field containing the address.
# The final step has sed eliminate the text string "addr:" leaving just the
# IP address. There is probably a simpler way to do this but it works for me.
ISP_IP=`ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e "s/addr\://"`
echo $ISP_IP

# My fixed addresses
ME="192.168.32.1"
FIRE_NET="192.168.32.0/24"
PRIV_NET="192.168.1.0/24"
ALLIP="0.0.0.0/0"
HIPORTS="1024:65535"

# Clear out whatever rules are still set
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f

# Start by completely denying any network access.
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny

# Deny spoofed packets (packets arriving on the ISP interface that claim
# a source address belonging to the firewall network or to the firewall
# itself).
ipfwadm -I -a deny -V $ISP_IP \
    -S $FIRE_NET \
    -D $ALLIP
ipfwadm -I -a deny -V $ISP_IP \
    -S $ISP_IP \
    -D $ALLIP

# Allow unlimited traffic within the local network
# (Allow all traffic on the ethernet interface - attached to the
# Linux file/print server. This does not affect the behavior of
# the PPP/Internet connection.)
#
ipfwadm -I -a accept -V $ME \
    -S $ALLIP \
    -D $ALLIP
ipfwadm -O -a accept -V $ME \
    -S $ALLIP \
    -D $ALLIP

# Allow outgoing TCP packets for the specified protocols
# I use duplicate rules for both the specific PPP IP address (obtained
# from the first command line in this script) as well as the firewall
# subnet. The first rule allows you to access the Internet from the firewall
# network since outgoing packets use the PPP connection IP as their source
# address (Note that this is superfluous if you follow the instructions
# in chapter 11 that remove most network applications from the firewall to
# increase security.) The second rule permits computers on the firewall network
# and the private network to reach the Internet since they arrive at the
# PPP interface with the source address of the Linux file/print server which
# routes packets from the private network to the firewall network and
# masquerades them.
ipfwadm -O -a accept -P tcp \
    -S $FIRE_NET $HIPORTS \
    -D $ALLIP pop-3 smtp ftp ftp-data www telnet domain
ipfwadm -O -a accept -P tcp \
    -S $ISP_IP $HIPORTS \
    -D $ALLIP pop-3 smtp ftp ftp-data www telnet domain

# Allow outgoing UDP packets for the specified protocols (name service here).
ipfwadm -O -a accept -P udp \
    -S $FIRE_NET $HIPORTS \
    -D $ALLIP domain
ipfwadm -O -a accept -P udp \
    -S $ISP_IP $HIPORTS \
    -D $ALLIP domain

# Allow the return packets of sessions originating internally for the
# specified protocols. The -k option matches only TCP packets with their
# ACK bit set, i.e. anything except the initial SYN of a new connection,
# so a remote host cannot use these rules to open a new session inbound;
# only replies to sessions that originated locally get through.
ipfwadm -I -a accept -k -P tcp \
    -S $ALLIP pop-3 smtp ftp www telnet domain \
    -D $FIRE_NET $HIPORTS
ipfwadm -I -a accept -k -P tcp \
    -S $ALLIP pop-3 smtp ftp www telnet domain \
    -D $ISP_IP $HIPORTS

# Allow the remote ftp server to initiate a connection back to you. This
# happens when you issue an ftp command like "dir" or "get" or "put", etc.
# Note that this is not necessary if you use the ftp passive mode. (This rule
# has no -k, so any new connection whose source port is ftp-data (20) is
# accepted towards every high port.)
ipfwadm -I -a accept -P tcp \
    -S $ALLIP ftp-data \
    -D $FIRE_NET $HIPORTS
ipfwadm -I -a accept -P tcp \
    -S $ALLIP ftp-data \
    -D $ISP_IP $HIPORTS
#
# Allow DNS replies (UDP from port domain) back to high ports.
ipfwadm -I -a accept -P udp \
    -S $ALLIP domain \
    -D $FIRE_NET $HIPORTS
ipfwadm -I -a accept -P udp \
    -S $ALLIP domain \
    -D $ISP_IP $HIPORTS

# Allow forwarding TCP packets from internal to external network
#ipfwadm -F -a accept -P tcp \
#    -S $FIRE_NET $HIPORTS \
#    -D $ALLIP ftp ftp-data www telnet domain
#ipfwadm -F -a accept -P tcp \
#    -S $ISP_IP $HIPORTS \
#    -D $ALLIP ftp ftp-data www telnet domain

# Allow forwarding TCP packets from external to internal network with
# ACK bit set (-k)
#ipfwadm -F -a accept -k -P tcp \
#    -S $ALLIP ftp www telnet domain \
#    -D $FIRE_NET $HIPORTS
#ipfwadm -F -a accept -k -P tcp \
#    -S $ALLIP ftp www telnet domain \
#    -D $ISP_IP $HIPORTS

# Allow ...
#ipfwadm -F -a accept -P tcp \
#    -S $ALLIP ftp-data -D $FIRE_NET $HIPORTS
# ipfwadm -F -a accept -P udp \
#

# Set masquerading rules. (The second rule is necessary if you do not
# set up masquerading on the router - in our case the Linux file/print
# server - between the private and firewall networks. If that is the
# case, you also have to add a route on the firewall server to point
# back to the private network. For example:
# route add -net 192.168.1.0 gw 192.168.32.254
#
ipfwadm -F -a masquerade -S $FIRE_NET -D 0.0.0.0/0
# ipfwadm -F -a masquerade -S $ISP_IP -D 0.0.0.0/0
Harondel J. Sibble
Sibble Computer Consulting
email >> [EMAIL PROTECTED]
website >> http://www.pdscc.com
pgp key >> available on request or from keyserver
(604) 739-3709 (voice/fax)
(604) 686-2253 (pager)
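Added example, not part of the original post or of the book's script: a small first-match simulator of the script's input (-I) chain, so the rule set can be reasoned about (which replies get in, what -k blocks, what the ftp-data rule opens) before it is loaded. It assumes ipfwadm applies the first matching rule and then the chain policy; ISP_IP is a constructed stand-in for the dynamic address the script reads from ifconfig.

```python
"""First-match model of the ipfwadm -I chain from the script above (added
example, not the author's code). Addresses are constructed."""
from ipaddress import ip_address, ip_network

ME, ISP_IP = "192.168.32.1", "203.0.113.10"      # ISP_IP: constructed stand-in
FIRE_NET, ANY_NET = "192.168.32.0/24", "0.0.0.0/0"
HIPORTS, ANY = range(1024, 65536), range(0, 65536)
SVC = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
       "www": 80, "pop-3": 110}
REPLY_SRC = {SVC[s] for s in ("pop-3", "smtp", "ftp", "www", "telnet", "domain")}

# One entry per "ipfwadm -I -a" rule, in script order:
# (action, iface (-V), proto (-P), src net, src ports, dst net, dst ports, -k)
INPUT_CHAIN = [
    ("deny",   ISP_IP, None,  FIRE_NET, ANY,       ANY_NET,  ANY,     False),
    ("deny",   ISP_IP, None,  ISP_IP,   ANY,       ANY_NET,  ANY,     False),
    ("accept", ME,     None,  ANY_NET,  ANY,       ANY_NET,  ANY,     False),
    ("accept", None,   "tcp", ANY_NET,  REPLY_SRC, FIRE_NET, HIPORTS, True),
    ("accept", None,   "tcp", ANY_NET,  REPLY_SRC, ISP_IP,   HIPORTS, True),
    ("accept", None,   "tcp", ANY_NET,  {20},      FIRE_NET, HIPORTS, False),
    ("accept", None,   "tcp", ANY_NET,  {20},      ISP_IP,   HIPORTS, False),
    ("accept", None,   "udp", ANY_NET,  {53},      FIRE_NET, HIPORTS, False),
    ("accept", None,   "udp", ANY_NET,  {53},      ISP_IP,   HIPORTS, False),
]
POLICY = "deny"   # ipfwadm -I -p deny


def in_net(addr, net):
    return ip_address(addr) in ip_network(net, strict=False)


def input_verdict(iface, proto, src, sport, dst, dport, ack=False):
    """Verdict for a packet arriving on the interface whose address is
    `iface`: first matching rule wins, otherwise the chain policy."""
    for action, r_if, r_proto, s_net, s_ports, d_net, d_ports, ack_only in INPUT_CHAIN:
        if r_if is not None and r_if != iface:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if ack_only and not ack:       # -k: only packets with the ACK bit set
            continue
        if (in_net(src, s_net) and sport in s_ports
                and in_net(dst, d_net) and dport in d_ports):
            return action
    return POLICY


if __name__ == "__main__":
    print("DNS reply  :", input_verdict(ISP_IP, "udp", "198.51.100.5", 53, ISP_IP, 1500))
    print("SYN to :23 :", input_verdict(ISP_IP, "tcp", "198.51.100.5", 4000, ISP_IP, 23))
    print("active FTP :", input_verdict(ISP_IP, "tcp", "198.51.100.5", 20, ISP_IP, 1501))
```

The last case shows that the ftp-data rule admits any new connection sourced from port 20 to every high port, which is the trade-off the script's comment on passive mode refers to.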