ipchains config problems
I'm a relative newbie to using ipchains (as well as ipfwadm) for setting up
masquerading and forwarding of packets from an internal network, via a gateway,
to the internet in general.
To be specific, while I have gotten ipfwadm (and the associated rules) set up
so that I can at least ftp to external sites, I have not had any luck in
converting the ipfwadm commands/instructions to the ipchains format. As I do
not wish to use the ipfwadm-convert script, I am trying to rewrite what few
rules I have so that they conform to ipchains requirements.
My internal network is simple, consisting of three systems, one of which is
the gateway connecting the other two, via a cable-modem, to the internet.
My distribution is Debian, with a combination of HAMM and SLINK installed.
My setup is shown below.
          /|\
           |
      24.1.zz.ww <--- external gateway to internet
          /|\
           |
      24.1.xx.yy <--- external NIC
           |
           |           gateway system (GS)
           |
     192.168.52.1 <--- internal NIC
          /|\
          / \
         /   \
        /     \
       /       \
192.168.52.2     192.168.52.3
internal sys #1  internal sys #2
    (IS1)            (IS2)
The ipfwadm rules on the GS system are:
---------------------------------------
(With the exceptions as noted, everything listed below was automatically set
up when I originally installed and configured the networking system)
# deny incoming packets pretending to be from 127.0.0.1
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 >/dev/null
# deny incoming packets pretending to be from our own system.
# set your own IP address below (or use `hostname -i` to set it).
my_ip=24.1.xx.yy   # (changed to reflect my actual IP)
ipfwadm -I -d deny -o -P all -S $my_ip -W eth0 -D 0/0 2>/dev/null || true
ipfwadm -I -d deny -o -P all -S $my_ip -W eth1 -D 0/0 2>/dev/null || true
ipfwadm -I -a deny -o -P all -S $my_ip -W eth0 -D 0/0 >/dev/null
ipfwadm -I -a deny -o -P all -S $my_ip -W eth1 -D 0/0 >/dev/null
ipfwadm -F -a accept -m -P tcp -S 192.168.52.0/24   # (user added)
ipfwadm -F -a accept -m -P udp -S 192.168.52.0/24   # (user added)
On each of the internal systems, the ipfwadm rules are:
-------------------------------------------------------
# deny incoming packets pretending to be from 127.0.0.1
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 >/dev/null
==============================================================================
The corresponding ipchains rules, which I have set up so far, are given below:
On the GS system, they are:
---------------------------
echo -n "Setting up IP spoofing protection..."
ipchains -D input -j DENY -l -s 127.0.0.0/8 -i ! lo 2>/dev/null || true
ipchains -A input -j DENY -l -s 127.0.0.0/8 -i ! lo
# deny incoming packets pretending to be from our own system.
# set your own IP address below (or use `hostname -i` to set it).
my_ip=192.168.52.zz   # (changed to reflect my actual internal IPs)
ipchains -D input -j DENY -l -s $my_ip -i ! lo 2>/dev/null || true
ipchains -A input -j DENY -l -s $my_ip -i ! lo
ipchains -A forward -p TCP -j MASQ -s 192.168.52.0/24 -d 0.0.0.0/0   # (user added)
ipchains -A forward -p UDP -j MASQ -s 192.168.52.0/24 -d 0.0.0.0/0   # (user added)
=====================
On the internal systems, the ipchains rules are:
# deny incoming packets pretending to be from our own system.
# set your own IP address below (or use `hostname -i` to set it).
my_ip=24.1.xx.yy
ipchains -D input -j DENY -l -s $my_ip -i ! lo 2>/dev/null || true
ipchains -A input -j DENY -l -s $my_ip -i ! lo
ipchains -D input -j DENY -l -s 127.0.0.0/8 -i ! lo 2>/dev/null || true
ipchains -A input -j DENY -l -s 127.0.0.0/8 -i ! lo
only.
'ipchains -L' on the GS shows:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       tcp  ------  johari.com/24         anywhere              any ->   any
MASQ       udp  ------  johari.com/24         anywhere              any ->   any
'ipchains -L' on both of the internal systems shows:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
==============================
The setup, despite the fact that I only have three systems (one of which is
the gateway system), seems to be very complicated - especially for someone
who is just starting to learn how to use masquerading and forwarding.
My questions are:
1. Am I on the correct track for the rules on the gateway system?
2. Do I need rules forwarding packets from the internal NIC to the external
NIC?
3. On the internal systems, do I need to specify where the packets are to be
forwarded (using ipchains rules)? If so, what form do they take?
4. When using ipfwadm (on 2.0.xx kernels), I have the GS as an internal gateway
for the other two internal systems. Is this necessary for ipchains?
Any help with this would be greatly appreciated.
Thanks,
Taren
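For comparison with the gateway rules quoted in the post, here is an added example (not part of the original message) of a complete ipchains ruleset for a gateway like GS: it masquerades the 192.168.52.0/24 LAN out of the external NIC, makes the forward chain deny by default, and adds the anti-spoofing check the posted rules are missing (LAN source addresses arriving on the external interface). It assumes eth0 is the external NIC and eth1 the internal one; 24.1.xx.yy is the post's placeholder for the real external address.

```shell
#!/bin/sh
# Added example: ipchains rules for a masquerading gateway (2.2.x kernel).
# Assumed interface layout (not stated in the post): eth0 external, eth1 internal.
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.52.0/24
EXT_IP=${EXT_IP:-24.1.xx.yy}   # placeholder from the post; set the real address

# Commands are only executed when APPLY=1 (needs root and a 2.2 kernel);
# otherwise they are printed, so the ruleset can be reviewed off-box.
run() {
  if [ "${APPLY:-0}" = 1 ]; then ipchains "$@"; else echo "ipchains $*"; fi
}

gateway_rules() {
  # Clean slate, then deny-by-default forwarding: only the LAN traffic listed
  # below is ever forwarded (the posted setup leaves the forward policy ACCEPT).
  run -F input
  run -F forward
  run -F output
  run -P forward DENY

  # Anti-spoofing on the input chain, logged with -l:
  #  - loopback sources arriving on a real interface
  #  - our own external address arriving from outside
  #  - LAN addresses arriving on the external NIC (absent from the posted rules)
  run -A input -i "$INT_IF" -s 127.0.0.0/8 -j DENY -l
  run -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
  run -A input -i "$EXT_IF" -s "$EXT_IP" -j DENY -l
  run -A input -i "$EXT_IF" -s "$LAN" -j DENY -l

  # Masquerade LAN -> anywhere, only when the packet leaves via the external
  # NIC. On the forward chain, -i names the interface the packet goes OUT on.
  run -A forward -i "$EXT_IF" -s "$LAN" -d 0.0.0.0/0 -j MASQ

  # Forwarding itself is a kernel switch, separate from the chains.
  if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
  else
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  fi
}

# The internal systems need no ipchains rules for this to work; they only need
# the gateway as their default route (route add default gw 192.168.52.1).
gateway_rules
```

Run it once without APPLY to review the generated commands, then with APPLY=1 on the gateway.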