On Wed, Jan 09, 2002 at 09:58:49AM +0100, Florian Friesdorf wrote:
> On Wed, Jan 09, 2002 at 04:00:31AM +0200, Tzafrir Cohen wrote:
> > On Wed, 9 Jan 2002, Florian Friesdorf wrote:
> >
> > > On Tue, Jan 08, 2002 at 02:36:40PM -0500, Jason Stechschulte wrote:
> > > > My question:
> > > > Is ipmasq really worth using? It almost seems more difficult keeping
> > > > track of multiple .rul files, plus ipmasq has many .def files that seem
> > > > to set up rules also. From the looks of it, it seems like it may be
> > > > easier to just set it all up manually myself and have full control over
> > > > everything rather than having to learn to do things the ipmasq way.
> > >
> > > That's exactly my experience with ipmasq.
> > > My personal favourite is now ferm (apt-cache show ferm)
> > > It's a language of its own, relatively powerful, which translates either
> > > to iptables, ipchains or ipfwadm (not fully supported iirc) commands
> > > which are executed.
> > >
> >
> > Does it produce a good iptables ruleset?
> >
> > For instance: does it use basic iptables-only features such as stateful
> > filtering?
>
> It's up to you what ruleset it produces and whether you'd like to use
> stateful filtering.
>
> chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;
>
> is translated to four rules
>
> iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport http -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport ssh -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport http -j ACCEPT
>
> Have a look at its manpage.
>
> I'm working on modularizing it at the moment.
> I've attached my ferm script used for dsl gateway
Forgot the attachment.
BTW: the scripts are definitely work in progress.
> activate.ferm to initialize it.
> deactivate.ferm to reset.
--
Florian Friesdorf <42ff@gmx.net>
OpenPGP key available on public key servers
------> Save the future of Open Source <------
-> Online-Petition against Software Patents <-
------> http://petition.eurolinux.org <-------
# Name: ?
# Date: 09.10.01
# Version: 0.12
# Author: Florian Friesdorf <42ff@gmx.net>
# Desc: framework for netfilter rules on gateway machine (lan, inet, tunnels) using ferm
# - ipsec is used as tunneling software
# - iptables is used as packet filter
# - your network is masqueraded from the internet and visible to tunnels
# - lan and lo are allowed to do everything
# - packets from tunnels and the internet belonging to connections are
# forwarded
# - input/output from tunnels and the internet run through special chains
# (see below)
# - invalid packets (state INVALID) are dropped
# Todo:
# - ferm needs to become more flexible (e.g. include ...)
# - support all three private ip ranges
# - ftp isn't working
# - the dns stuff needs work - at least I feel uncomfortable with it
# option definitions ----------------------------------------------------------
option iptables # we use iptables
option clearall # we flush all chains and delete user defined ones (policies are kept)
option createchains # create used chains
option verbose # turn on verbosity
option lines # print what is done
option automod # load modules automatically
# variable definitions --------------------------------------------------------
# a valid private ip of this machine (--> pingable freeswan gateway)
set my_priv_ip 192.168.0.2
set inet ppp0
set lan eth0
set tuns ipsec0
set lan_net 192.168.0.0/24
# packet filter rules ---------------------------------------------------------
table filter {
#--- pre-defined chains -------------------------------------------------------
    chain INPUT {
        state INVALID DROP;
        state (ESTABLISHED RELATED) ACCEPT;
        interface (lo $lan) ACCEPT;
        interface $inet goto in_inet;
        interface $tuns goto in_tuns;
        policy DROP;
    }
    chain OUTPUT {
        state INVALID DROP;
        state (ESTABLISHED RELATED) ACCEPT;
        outerface (lo $lan) ACCEPT;
        outerface $inet goto out_inet;
        outerface $tuns goto out_tuns;
        policy DROP;
    }
    chain FORWARD {
        state INVALID DROP;
        state (ESTABLISHED RELATED) ACCEPT;
        interface (lo $lan) ACCEPT;
        policy DROP;
    }
#--- user-defined in chains ---------------------------------------------------
    chain in_inet {
        proto esp goto ACPT_esp;
        proto icmp goto ACPT_icmp;
        goto ACPT_dnslookup;
        proto tcp {
            dport (ssh auth irc http https 6346) goto ACPT_tcp;
        }
        proto udp dport 500 ACCEPT;
    }
    chain in_tuns {
        proto icmp goto ACPT_icmp;
        goto ACPT_dnscache;
        goto ACPT_dnslookup;
        proto tcp {
            dport (ssh auth http) goto ACPT_tcp;
        }
    }
#--- user-defined out chains --------------------------------------------------
    chain out_inet ACCEPT;
    chain out_tuns {
        # those users are not allowed to use tunnels
        uid-owner (
            bb
            broken
            build
            chackl
            dan
            maedde
            provozer
        ) REJECT;
        ACCEPT;
    }
#--- handy chains used everywhere ---------------------------------------------
    chain ACPT_dnscache {
        proto udp {
            # in
            dport domain goto ACPT_udp;
        }
    }
    chain ACPT_dnslookup {
        proto tcp {
            # in
            sport domain dport 1024: goto ACPT_tcp;
        }
        proto udp {
            # in
            sport domain dport 1024: goto ACPT_udp;
        }
    }
    chain ACPT_esp {
        proto esp ACCEPT;
        logprefix "Mismatch in ACPT_esp: " LOG;
        REJECT;
    }
    chain ACPT_icmp {
        proto icmp {
            icmptype ping limit 1/s ACCEPT;
            icmptype ping DROP;
            icmptype ! ping ACCEPT;
        }
        logprefix "Mismatch in ACPT_icmp: " LOG;
        REJECT;
    }
    chain ACPT_tcp {
        proto tcp {
            syn limit 2/s ACCEPT;
            syn DROP;
            ! syn ACCEPT;
        }
        logprefix "Mismatch in ACPT_tcp: " LOG;
        REJECT;
    }
    chain ACPT_udp {
        proto udp {
            ACCEPT;
        }
        logprefix "Mismatch in ACPT_udp: " LOG;
        REJECT;
    }
}
# network address translation -------------------------------------------------
table nat {
    chain POSTROUTING {
        outerface $inet saddr $lan_net MASQ;
        outerface $tuns saddr ! $lan_net SNAT $my_priv_ip;
    }
}
# deactivate.ferm: reset - set every built-in policy to ACCEPT and flush/delete all chains
option iptables
option lines
table filter chain (INPUT OUTPUT FORWARD) policy ACCEPT;
table nat chain (PREROUTING POSTROUTING OUTPUT) policy ACCEPT;
option clearall
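The reply above explains ferm as a language whose parenthesised lists are expanded into one iptables command per combination (the `saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http)` line becoming four rules), and the attached script relies on nested `{ }` blocks inheriting their parent's matches, `$var` substitution, `!` negation and `policy`. The following is an added example, not ferm's own code or anything from the original post: a small Python expander for that subset, so you can see exactly which iptables command lines a rule turns into before running them. The keyword-to-option table, comma-joining of `state` lists, rendering `goto` as `-j` (the meaning it had in this ferm generation) and `MASQ` as `MASQUERADE`, and ignoring `option` lines are all this example's assumptions; it does not translate ferm aliases such as `ping`, and it does not execute anything.

```python
# Mini ferm-style rule expander: an added example, not ferm's own code. Handles
# the old-ferm subset used on this page (table, chain, set/$var, nested { },
# lists, ! negation, policy, goto/MASQ/SNAT); the keyword map is an assumption.
import itertools
import re

KEYWORDS = {  # ferm keyword -> iptables option (assumed mapping)
    "saddr": "-s", "daddr": "-d", "proto": "-p", "sport": "--sport",
    "dport": "--dport", "interface": "-i", "outerface": "-o",
    "state": "-m state --state", "icmptype": "--icmp-type", "limit": "-m limit --limit",
    "uid-owner": "-m owner --uid-owner", "logprefix": "--log-prefix",
}
JOINED = {"state"}  # list values are comma-joined, not cross-multiplied
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "MASQ", "SNAT", "goto"}
TOKEN = re.compile(r'"[^"]*"|[(){};!]|[^\s(){};!"]+')


class Ferm:
    def __init__(self, src):
        self.toks = TOKEN.findall(re.sub(r"#[^\n]*", "", src))  # drop comments
        self.pos, self.vars, self.rules, self.policies = 0, {}, [], []
        while self.peek() is not None:
            self.statement("filter", [], [])

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def value(self):  # one word or a parenthesised list; $vars substituted
        vals = [self.take()]
        if vals[0] == "(":
            vals = []
            while self.peek() != ")":
                vals.append(self.take())
            self.take(")")
        return [self.vars.get(v[1:], v) if v.startswith("$") else v for v in vals]

    def scope(self, table, chains, matches):  # `{ ... }` or one statement
        if self.peek() == "{":
            self.take()
            while self.peek() != "}":
                self.statement(table, chains, matches)
            self.take("}")
        else:
            self.statement(table, chains, matches)

    def statement(self, table, chains, matches):
        tok = self.peek()
        if tok == "option":  # execution options (clearall, automod, ...) are not rules
            self.pos += 2
        elif tok == "set":  # set name value
            _, name = self.take(), self.take()
            self.vars[name] = self.take()
        elif tok == "table":
            _, name = self.take(), self.take()
            self.scope(name, chains, matches)
        elif tok == "chain":  # chain NAME or chain (A B C)
            self.take()
            self.scope(table, self.value(), matches)
        elif tok == "policy":
            _, pol = self.take(), self.take()
            self.take(";")
            self.policies += [f"iptables -t {table} -P {c} {pol}" for c in chains]
        else:
            self.rule(table, chains, list(matches))

    def rule(self, table, chains, matches):  # matches up to a target or a `{`
        while self.peek() != "{":
            neg = self.peek() == "!" and bool(self.take())  # leading `! syn`
            tok = self.take()
            if tok in KEYWORDS or tok == "syn":
                if self.peek() == "!":  # `icmptype ! ping`, `saddr ! $net`
                    neg = bool(self.take())
                vals = [""] if tok == "syn" else self.value()
                if tok in JOINED:
                    vals = [",".join(vals)]
                mod, _, flag = KEYWORDS.get(tok, "--syn").rpartition(" ")
                opt = f"{mod} ! {flag}".strip() if neg else f"{mod} {flag}".strip()
                matches.append([f"{opt} {v}".rstrip() for v in vals])
            elif tok in TARGETS:
                return self.emit(table, chains, matches, tok)
            else:
                raise SyntaxError(f"unknown keyword {tok!r}")
        self.scope(table, chains, matches)

    def emit(self, table, chains, matches, target):
        arg = self.value()[0] if target in ("goto", "SNAT") else target
        jump = {"goto": ["-j", arg], "MASQ": ["-j", "MASQUERADE"],  # old ferm: goto == -j
                "SNAT": ["-j", "SNAT", "--to-source", arg]}.get(target, ["-j", target])
        self.take(";")
        # -p first: --dport/--syn/--icmp-type are options of the protocol
        # extension that -p loads, and iptables rejects them if they come earlier
        ordered = sorted(matches, key=lambda a: not a[0].lstrip("! ").startswith("-p "))
        for chain in chains:
            for combo in itertools.product(*ordered):
                self.rules.append(" ".join(["iptables", "-t", table, "-A", chain, *combo, *jump]))
```

`Ferm(text).rules` holds the `-A` commands in emission order and `Ferm(text).policies` the `-P` commands, so feeding it the reply's one-liner yields the same four rules the reply lists, and feeding it the attached deactivate script yields six policy lines and no rules. The `-p`-first ordering is the one property worth remembering when writing such rules by hand: `--dport` before `-p tcp` is rejected by iptables because the tcp match extension has not been loaded yet.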