
Re: simple firewall for masquerade




On Thu, 20 Feb 2003, Joakim Roubert wrote:

> Hi!
> 
> I have a laptop that I usually attach to my alpha, which is connected to
> the internet. Before (running RH) I had the most simple example script of
> a firewall that I could find in the HOWTOs, since this did masquerade for
> me.
> 
> Now, running Debian, I have all this netconf with all the rules and
> everything. Well, I don't need a very advanced firewall or so, I just need
> the laptop to be masqueraded.
> 
> Does anybody have a hint on the easiest way to do this?


There are lots of howtos out there, but this is a version of such a
script that works for me. Just fill in the GW IP address, the address
of the net where your laptop resides, and the appropriate interfaces
ETHEXT and ETHINT.

(presuming you have kernel 2.4 and iptables installed)

This is not ideal, but should do the work.

Juhan Ernits


#!/bin/sh

## Gateway address (or the address of the external interface on your
## alpha)
GW=192.168.0.1
## the address of the net used for connecting the laptop and alpha
INTERNAL=192.168.2.0/24

## internal and external devices
ETHEXT=eth0
ETHINT=ppp0

## location of iptables
IPTABLES=/sbin/iptables


## default policies: we filter only forwarded packets, so FORWARD drops
## anything not explicitly allowed below while INPUT/OUTPUT stay open
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT   ACCEPT
$IPTABLES -P OUTPUT  ACCEPT
## clear all rules (-F) and added chains (-X) in the filter and nat tables
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X


#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Reverse-path filtering against IP spoofing (can be used if asymmetric
#routing is not needed). 1 = strict mode; the original wrote 2, which on a
#2.4 kernel merely enabled the filter but on later kernels means "loose" mode.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts (left disabled by default)
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo 0 > /proc/sys/net/ipv4/tcp_sack


## MASQUERADE target (not strictly needed since SNAT is used below, but harmless)
/sbin/modprobe ipt_MASQUERADE
## FTP connection tracking helper (2.4 module name; nf_conntrack_ftp on later kernels)
/sbin/modprobe ip_conntrack_ftp


# accept all connections to localhost
$IPTABLES -A INPUT  -i lo -j ACCEPT


# accept all packets that belong to already established connections
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept new connections only when they arrive on the internal interface
# from the internal net; packets arriving elsewhere with an internal source
# address are left to the FORWARD DROP policy
$IPTABLES -A FORWARD -i $ETHINT -s $INTERNAL -m state --state NEW -j ACCEPT
# Do SNAT (fulfills the same goal as masquerading): rewrite the source
# address of packets from the internal net leaving via the external
# interface to the gateway address
$IPTABLES -t nat -A POSTROUTING -s $INTERNAL -o $ETHEXT -j SNAT --to $GW


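As an added check that is not part of Juhan's script, the audit below parses an `iptables-save` dump and verifies that the ruleset still has the shape the script intends (FORWARD defaults to DROP, established traffic is allowed, NEW connections and the NAT rule are restricted to the internal net and the external interface). The dump is a constructed sample of what the script would produce with its example addresses; the function names are mine.

```python
# Constructed sample of `iptables-save` output, roughly what the script
# above produces on a host using its example addresses and interfaces.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to-source 192.168.0.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i ppp0 -m state --state NEW -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                          # start of a table
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and table is not None:  # chain and its default policy
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A") and table is not None:  # an appended rule
            table["rules"].append(line)
    return tables

def audit(text, internal, ext_if):
    """Return findings for a dump; an empty list means it matches the intended policy."""
    tables = parse_dump(text)
    filt, nat = tables.get("filter", {}), tables.get("nat", {})
    findings = []
    if filt.get("policy", {}).get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP")
    fwd = [r for r in filt.get("rules", []) if r.startswith("-A FORWARD")]
    if not any("ESTABLISHED" in r for r in fwd):
        findings.append("no ESTABLISHED,RELATED rule in FORWARD")
    new_rules = [r for r in fwd if "--state NEW" in r]
    if not new_rules or not all(f"-s {internal} " in r for r in new_rules):
        findings.append("NEW connections are not limited to the internal net")
    snat = [r for r in nat.get("rules", []) if "-j SNAT" in r or "-j MASQUERADE" in r]
    if not any(f"-s {internal} " in r and f"-o {ext_if} " in r for r in snat):
        findings.append("NAT rule missing or not limited to internal net and external interface")
    return findings
```

On a live host, feed it the real output: `audit(subprocess.check_output(["iptables-save"], text=True), INTERNAL, ETHEXT)`.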

