Re: tcp routing (continued)
> > Shouldn't you simply do address translation (NAT)
> > with Iptables (Linux 2.4.x) or Ipchains (Linux 2.2.x)?
> I'm on 2.2.19. I admit I don't know ipchains very well. Do you have to
> put a command in the forward chain? For now, the cluster's security
> consists of accepting only the ssh protocol from the outside, but
> ipchains is not yet configured correctly. I have also enabled
> tcpwrappers, even though I know they are less efficient and less secure.
> Does anyone know a web page where one can easily learn how to use ipchains?
Googling "ipchains howto" gave me:
http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html
Attached, as an example, is a firewall configuration script that uses
ipchains.
You should be able to find plenty of other examples on the Web.
--
Eric
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe -k ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
# /sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to
# play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding, since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
# linuxconf already does this
echo "1" > /proc/sys/net/ipv4/ip_forward
#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels
#
# This used to be a compile-time option but the behavior was changed
# in 2.2.12. It should also be noted that some distributions have
# removed this option from the /proc table. If this entry isn't
# present in your /proc, don't worry about it.
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making life with Diald and similar programs much easier.
# (Enabled here, since the external address comes from a PPP link.)
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
# echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset understand
# your IP address everytime you get a new IP. To do this, enable the
# following one-line script. (Please note that the different single and
# double quote characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
# on the lines for "ppp-ip" and "extip". It should be also noted that the
# DHCP server can change IP addresses on you. To fix this, users should
# configure their DHCP client to re-run the firewall ruleset everytime the
# DHCP lease is renewed.
#
# NOTE #1: Some DHCP clients like the original "pump" (the newer
# versions have been fixed) did NOT have the ability to run
# scripts after a lease-renew. Because of this, you need to
# replace it with something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions use syntax like:
# dhcpcd eth0 /etc/rc.d/rc.firewall
#
# NOTE #3: For Pump users, put the following line in /etc/pump.conf:
#
# script /etc/rc.d/rc.firewall
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when
# a PPP connection comes up. Because of this, we can make the ruleset go and
# get the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
# ALL PPP and DHCP users must set this to the name of the EXTERNAL interface
ppptunnel="ppp0"
#
# PPP and DHCP Users:
# -------------------
# The external address is read from ifconfig each time the script runs, so
# re-running it from /etc/ppp/ip-up or from the DHCP client picks up a new
# lease automatically.
#
export ppptunnel
# Check the IP from ifconfig. "inet ad" matches both the English "inet addr:"
# and the French "inet adr:" label.
getip() {
IP=`/sbin/ifconfig $ppptunnel | fgrep "inet ad" | cut -f2 -d":" | cut -f1 -d" "`
}
getip
extip=$IP
# For PPP users with STATIC IP addresses, set it here instead:
#
# extip="your.static.PPP.address"
#
# Bail out if the external interface has no address yet. NOTE: this leaves
# the chains exactly as they were, which on a fresh boot means the kernel
# default policy of ACCEPT with no rules at all; the script must be re-run
# once the link is up.
if [ -z "$extip" ]
then exit 1
fi
# Assign the internal IP
inteth="eth0"
exteth="eth1"
intnet="192.168.0.0/24"
modem="10.0.0.138"
ip2modem="10.0.0.2"
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
# ipchains -M -S 7200 10 60
#############################################################################
# Incoming: set the policy to REJECT before flushing, so the chain is never
# left open while the rules below are rebuilt (flushing a chain whose policy
# is ACCEPT would accept everything until the catch-all is back in place).
#
ipchains -P input REJECT
ipchains -F input
# everything coming from the modem over the tunnel link is accepted
ipchains -A input -i $exteth -s $modem/32 -d $ip2modem/32 -j ACCEPT
# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $inteth -s $intnet -d 0.0.0.0/0 -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $ppptunnel -s $intnet -d 0.0.0.0/0 -l -j REJECT
# no telnet from the outside (inbound on ppp)
ipchains -A input -i $ppptunnel --protocol tcp --dport 23 -j REJECT
# remote interface, any source, going to the PPP address is valid.
# NOTE: together with the telnet rule above, this accepts every other inbound
# connection to the external address. For the "only ssh from the outside"
# policy asked about in the question, this rule would have to be restricted
# to port 22 plus reply traffic (non-SYN TCP, and the masquerading port
# range 61000-65095 for UDP replies to the LAN).
#
ipchains -A input -i $ppptunnel -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
ipchains -P input REJECT
#############################################################################
# Outgoing: set the policy to REJECT before flushing, so the chain is never
# left open while the rules below are rebuilt.
#
ipchains -P output REJECT
ipchains -F output
# everything going to the modem over the tunnel link may leave
ipchains -A output -i $exteth -s $ip2modem/32 -d $modem/32 -j ACCEPT
# local interface, any source going to local net is valid
#
ipchains -A output -i $inteth -s 0.0.0.0/0 -d $intnet -j ACCEPT
# outgoing to local net on remote interface: misrouted, deny
#
ipchains -A output -i $ppptunnel -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface: masquerading failed, deny
#
ipchains -A output -i $ppptunnel -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else outgoing on remote interface is valid
#
ipchains -A output -i $ppptunnel -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
ipchains -P output REJECT
#############################################################################
# Forwarding: set the policy to DENY before flushing; nothing is routed
# except what the MASQ rule below allows (the policy already denies
# silently; the logging catch-all at the end is optional).
#
ipchains -P forward DENY
ipchains -F forward
# Masquerade traffic from the local net leaving on the PPP interface to
# anywhere ("-i" on the forward chain is the OUTGOING interface).
#
ipchains -A forward -i $ppptunnel -s $intnet -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#End of file.
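The question above asked for two things the attached script does not quite do: accept only ssh from the outside, and know whether the forward chain needs a rule. The following is an added example written for this page, not Eric's attachment or anything from the IPCHAINS HOWTO. It assumes a ppp0 external link, an eth0 LAN on 192.168.0.0/24, and a preview/apply convention so the ruleset can be printed and reviewed on a machine that has no ipchains at all; all of those are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the script attached above: an ipchains ruleset for the
# gateway described in the question, accepting only ssh from the outside and
# masquerading the LAN on the forward chain. Interface names, addresses and
# the preview/apply convention are assumptions for illustration.
#
#   sh rc.firewall.ssh            # preview: print the rules, touch nothing
#   sh rc.firewall.ssh apply      # load them (run this from /etc/ppp/ip-up)
PATH=/sbin:/bin:/usr/sbin:/usr/bin

EXTIF="${EXTIF:-ppp0}"               # external interface (assumed)
INTIF="${INTIF:-eth0}"               # LAN interface (assumed)
INTNET="${INTNET:-192.168.0.0/24}"   # LAN network (assumed)
EXTIP="${EXTIP:-}"                   # external address; read from ifconfig when empty
DRYRUN="${DRYRUN:-0}"                # 1 = print each ipchains command instead of running it

# Run one ipchains command, or print it when DRYRUN=1 so the ruleset can be
# reviewed on a machine that has no ipchains at all.
ipc() {
    if [ "$DRYRUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# External address from ifconfig; "inet ad" matches both the English
# "inet addr:" and the French "inet adr:" label. Empty if the link is down.
detect_extip() {
    ifconfig "$EXTIF" 2>/dev/null | grep -F "inet ad" | cut -f2 -d":" | cut -f1 -d" "
}

apply_rules() {
    # Close input and forward BEFORE flushing: no fail-open window while the
    # rules are rebuilt, and nothing gets through if we bail out below.
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT
    ipc -F input
    ipc -F forward
    ipc -F output

    if [ -z "$EXTIP" ]; then
        EXTIP=$(detect_extip)
    fi
    if [ -z "$EXTIP" ]; then
        if [ "$DRYRUN" = 1 ]; then
            EXTIP="EXTIP"        # placeholder so a preview still shows the shape
        else
            echo "$EXTIF has no address yet; chains left closed" >&2
            return 1
        fi
    fi

    # Loopback and the LAN side are trusted.
    ipc -A input -i lo -j ACCEPT
    ipc -A input -i "$INTIF" -s "$INTNET" -j ACCEPT

    # Anti-spoofing: LAN addresses never arrive on the external interface.
    # Must precede every ACCEPT on $EXTIF.
    ipc -A input -i "$EXTIF" -s "$INTNET" -l -j DENY

    # Only ssh may open a connection from the outside.
    ipc -A input -i "$EXTIF" -p tcp -d "$EXTIP/32" --dport 22 -j ACCEPT

    # ipchains keeps no connection state. "! -y" matches TCP packets that are
    # not connection requests, i.e. replies to sessions opened from inside or
    # by masqueraded hosts. UDP replies for masqueraded hosts come back on the
    # MASQ port range 61000-65095. ICMP is needed for errors and path MTU.
    ipc -A input -i "$EXTIF" -p tcp ! -y -d "$EXTIP/32" -j ACCEPT
    ipc -A input -i "$EXTIF" -p udp -d "$EXTIP/32" --dport 61000:65095 -j ACCEPT
    ipc -A input -i "$EXTIF" -p icmp -d "$EXTIP/32" -j ACCEPT

    # Everything else from the outside: logged, then denied (the policy would
    # already deny it, silently; this rule only adds the log line).
    ipc -A input -i "$EXTIF" -l -j DENY

    # Forward chain: the only routed traffic is the LAN going out, masqueraded.
    # On the forward chain "-i" is the OUTGOING interface.
    ipc -A forward -i "$EXTIF" -s "$INTNET" -d 0.0.0.0/0 -j MASQ

    if [ "$DRYRUN" != 1 ]; then
        modprobe ip_masq_ftp                       # active-mode FTP through MASQ
        echo 1 > /proc/sys/net/ipv4/ip_forward     # routing stays off until now
    fi
}

case "${1:-preview}" in
    apply)   apply_rules ;;
    *)       DRYRUN=1; apply_rules ;;
esac
```

Run it without arguments to see the exact command sequence it would issue, and with `apply` from /etc/ppp/ip-up so it is reloaded with the current address on every reconnect. It differs from the attached script in three ways a practitioner should notice: the input policy is DENY and is set before the flush, so there is no moment at which the box is open; port 22 is the only port on which a new connection may be opened from the outside, everything else relying on the SYN check and the masquerade port range; and the answer to the forward-chain question is one MASQ rule plus turning on ip_forward, the forward policy itself staying DENY.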