On Wed, Jan 09, 2002 at 09:58:49AM +0100, Florian Friesdorf wrote: > On Wed, Jan 09, 2002 at 04:00:31AM +0200, Tzafrir Cohen wrote: > > On Wed, 9 Jan 2002, Florian Friesdorf wrote: > > > > > On Tue, Jan 08, 2002 at 02:36:40PM -0500, Jason Stechschulte wrote: > > > > My question: > > > > Is ipmasq really worth using? It almost seems more difficult keeping > > > > track of multiple .rul files, plus ipmasq has many .def files that seem > > > > to set up rules also. From the looks of it, it seems like it may be > > > > easier to just set it all up manually myself and have full control over > > > > everything rather than having to learn to do things the ipmasq way. > > > > > > That's exactly my experience with ipmasq. > > > My personal favourite is now ferm (apt-cache show ferm) > > > It's a language of its own, relatively powerful, which translates either > > > to iptables, ipchains or ipfwadm (not fully supported iirc) commands > > > which are executed. > > > > > > > Does it produce a good iptables ruleset? > > > > For instance: does it use basic iptables-only features such as stateful > > filtering? > > It's up to you what ruleset it produces and whether you'd like to use > stateful filtering. > > chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT; > > is translated to four rules > > iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT > iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport http -j ACCEPT > iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport ssh -j ACCEPT > iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport http -j ACCEPT > > Have a look at its manpage. > > I'm working on modularizing it at the moment. > I've attached my ferm script used for dsl gateway Forgot the attachment. btw: the scripts are definitely work in progress > activate.ferm to initialize it. > deactivate.ferm to reset. 
-- Florian Friesdorf <42ff@gmx.net> OpenPGP key available on public key servers ------> Save the future of Open Source <------ -> Online-Petition against Software Patents <- ------> http://petition.eurolinux.org <-------
# Name: ?
# Date: 09.10.01
# Version: 0.12
# Author: Florian Friesdorf <42ff@gmx-net>
# Desc: framework for netfilter rules on gateway machine (lan, inet, tunnels)
#       using ferm
#  - ipsec is used as tunneling software
#  - iptables is used as packet filter
#  - your network is masqueraded from the internet and visible to tunnels
#  - lan and lo are allowed to do everything
#  - packets from tunnels and the internet belonging to connections are
#    forwarded
#  - input/output from tunnels and the internet run through special chains
#    (see below)
#  - invalid packets (state INVALID) are dropped
# Todo:
#  - ferm needs to become more flexible (e.g. include ...)
#  - support all three private ip ranges
#  - ftp isn't working
#  - the dns stuff needs work - at least I feel uncomfortable with it
#
# Rule layout: the built-in chains drop INVALID, accept ESTABLISHED/RELATED,
# let lo and the lan through, and hand everything else to per-interface
# chains (in_inet/in_tuns, out_inet/out_tuns).  Those dispatch by protocol
# into the ACPT_* helper chains; each helper accepts what it is meant for and
# logs + REJECTs anything that reached it with the wrong protocol.

# option definitions ----------------------------------------------------------
option iptables     # we use iptables
option clearall     # we flush all chains and delete user defined ones (policies are kept)
option createchains # create used chains
option verbose      # turn on verbosity
option lines        # print what is done
option automod      # load modules automatically

# variable definitions --------------------------------------------------------
# a valid private ip of this machine (--> pingable freeswan gateway)
set my_priv_ip 192.168.0.2
set inet ppp0               # interface towards the internet (masqueraded in the nat table below)
set lan eth0                # local network interface
set tuns ipsec0             # ipsec tunnel interface
set lan_net 192.168.0.0/24  # address range of the lan, used for masquerading/SNAT

# packet filter rules ---------------------------------------------------------
table filter {
    #--- pre-defined chains -------------------------------------------------------
    # Order matters in all three: INVALID is dropped first, then anything that
    # belongs to a tracked connection is accepted, so only the remaining
    # (new or untracked) packets ever reach the per-interface chains.
    chain INPUT {
        state INVALID DROP;
        state (ESTABLISHED RELATED) ACCEPT;
        interface (lo $lan) ACCEPT;         # lo and lan may do everything
        interface $inet goto in_inet;       # internet traffic: see in_inet
        interface $tuns goto in_tuns;       # tunnel traffic: see in_tuns
        policy DROP;                        # whatever falls through the chains above is dropped
    }
    chain OUTPUT {
        state INVALID DROP;
        state (ESTABLISHED RELATED) ACCEPT;
        outerface (lo $lan) ACCEPT;         # lo and lan may do everything
        outerface $inet goto out_inet;
        outerface $tuns goto out_tuns;
        policy DROP;
    }
    chain FORWARD {
        state INVALID DROP;
        state (ESTABLISHED RELATED) ACCEPT;
        # only lo and the lan may open forwarded connections; replies from the
        # internet/tunnels are covered by the ESTABLISHED/RELATED rule above
        interface (lo $lan) ACCEPT;
        policy DROP;
    }

    #--- user-defined in chains ---------------------------------------------------
    # New packets arriving from the internet.  Unmatched packets return to
    # INPUT and hit its DROP policy.
    chain in_inet {
        proto esp goto ACPT_esp;            # ipsec ESP payload
        proto icmp goto ACPT_icmp;
        goto ACPT_dnslookup;                # not restricted by protocol here; see ACPT_dnslookup
        proto tcp {
            dport (ssh auth irc http https 6346) goto ACPT_tcp;   # 6346: purpose not documented here
        }
        proto udp dport 500 ACCEPT;         # presumably IKE for the ipsec tunnels - confirm
    }
    # New packets arriving through the tunnels; unlike in_inet they may also
    # query the local dns port (ACPT_dnscache).
    chain in_tuns {
        proto icmp goto ACPT_icmp;
        goto ACPT_dnscache;
        goto ACPT_dnslookup;
        proto tcp {
            dport (ssh auth http) goto ACPT_tcp;
        }
    }

    #--- user-defined out chains --------------------------------------------------
    chain out_inet ACCEPT;                  # outbound to the internet is unrestricted
    chain out_tuns {
        # those users are not allowed to use tunnels
        uid-owner ( bb broken build chackl dan maedde provozer ) REJECT;
        ACCEPT;                             # everybody else may
    }

    #--- handy chains used everywhere ---------------------------------------------
    # udp queries to the local dns port
    chain ACPT_dnscache {
        proto udp {
            # in
            dport domain goto ACPT_udp;
        }
    }
    # NOTE(review): this chain matches on ports only, not on connection state.
    # Replies to this host's own lookups are already accepted by the
    # ESTABLISHED/RELATED rule in INPUT, so these rules look like they also
    # let unsolicited traffic with source port 53 reach any port >= 1024 -
    # confirm whether they are still needed (cf. the dns item in the Todo).
    chain ACPT_dnslookup {
        proto tcp {
            # in
            sport domain dport 1024: goto ACPT_tcp;
        }
        proto udp {
            # in
            sport domain dport 1024: goto ACPT_udp;
        }
    }
    chain ACPT_esp {
        proto esp ACCEPT;
        # anything still here was dispatched with the wrong protocol
        logprefix "Mismatch in ACPT_esp: " LOG;
        REJECT;
    }
    chain ACPT_icmp {
        proto icmp {
            icmptype ping limit 1/s ACCEPT; # rate-limit pings ...
            icmptype ping DROP;             # ... and drop the excess
            icmptype ! ping ACCEPT;         # every other icmp type passes
        }
        logprefix "Mismatch in ACPT_icmp: " LOG;
        REJECT;
    }
    chain ACPT_tcp {
        proto tcp {
            syn limit 2/s ACCEPT;           # rate-limit connection attempts (SYN) ...
            syn DROP;                       # ... and drop the excess
            ! syn ACCEPT;                   # non-SYN packets pass
        }
        logprefix "Mismatch in ACPT_tcp: " LOG;
        REJECT;
    }
    chain ACPT_udp {
        proto udp {
            ACCEPT;
        }
        logprefix "Mismatch in ACPT_udp: " LOG;
        REJECT;
    }
}

# network address translation -------------------------------------------------
table nat {
    chain POSTROUTING {
        # lan hosts leave towards the internet behind this machine's address
        outerface $inet saddr $lan_net MASQ;
        # non-lan sources entering a tunnel are rewritten to my_priv_ip
        outerface $tuns saddr ! $lan_net SNAT $my_priv_ip;
    }
}
# Reset script: open the built-in chains of the filter and nat tables
# (policy ACCEPT) and then flush them, leaving the box without filtering.
option iptables
option lines

table filter {
    chain INPUT { policy ACCEPT; }
    chain OUTPUT { policy ACCEPT; }
    chain FORWARD { policy ACCEPT; }
}

table nat {
    chain PREROUTING { policy ACCEPT; }
    chain POSTROUTING { policy ACCEPT; }
    chain OUTPUT { policy ACCEPT; }
}

# flush all chains and remove user-defined ones (policies set above are kept)
option clearall
Attachment:
pgpfeq565MHrL.pgp
Description: PGP signature