
Re: nat ipchains on debian woody



Francisco Castillo wrote:
> Then I do an apt-get install kernel-image-2.18.14-686, and this
> installation works fine. Then it puts an entry in lilo in
> order to load the new kernel (the old kernel is the original woody 2.2,
> it has a 686), but the problem for me now is that when I reboot the
> kernel can't load. It gives me a kernel panic message, unable to load
> the boot.1006.  It seems like this new kernel doesn't work on my hardware
> platform, but the same happens with the
> kernel-image.2.18-14-586tsc.
> 
> Could this be true?

I've heard of this happening (typically with Compaq servers, for some
reason), but I've yet to have it happen to me.

If you really want to run a 2.4 kernel, or you really want iptables,
you'll probably have to compile a custom kernel.  :/  IIRC you *can*
use iptables with a 2.2 kernel, but it's a pain to get up and running.

> How can I know what software or version of kernel-image I must use
> on my hardware?

Anyone else?  I've found stock kernels work fine for me, but I've
occasionally run into hardware that doesn't run with them.

> Could it be possible to have a woody 2.2 kernel and a NAT configuration
> (IP masquerade)?
> Could I do it with ipchains?

It can be done;  it also has some very specific flaws and limitations
that make it less flexible than iptables.

> What would be the procedure to set up this configuration?

Here's a very trimmed-down version of a firewall script I used to use;
for a variety of reasons I no longer use this particular script or
anything like it on most of my systems.  (Among other reasons, all my
systems are running 2.4 kernels, and so I'm using iptables instead of
ipchains.)

You'll need to modify interface names and IPs to your setup, and decide
whether to use the kernel TCP tuning listed here (I've never seen
problems with it, but...)

=====BEGIN rc.firewall=====

#!/bin/sh

case $1 in start|stop|restart)

# Setting up firewall variables

#External Interface
EXT_IF="eth0"
# Placeholder public address (RFC 5737 TEST-NET-3); put your real one here.
# It must NOT lie inside 10/8, 172.16/12, 192.168/16 or the other ranges the
# output rules below deny on $EXT_IF, otherwise the box blocks its own
# traffic and everything it masquerades.
EXT_IP="203.0.113.24"

#Internal Interface
INT_IF="eth1"
INT_IP="192.168.2.1"

#Network stuff
INT_NET="192.168.0.0/16"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

CWD=`pwd`

echo -n "Doing assorted network shiznit..."

#Disable TCP source routing
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 0 > $f;
done
#Turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > $f;
done
#Disable ICMP redirection
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 0 > $f;
done
#Turn on packet forwarding (for masquerading)
echo 1 > /proc/sys/net/ipv4/ip_forward

#Turn OFF ICMP replies
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Use TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Assorted TCP options.  Turning off window scaling, SACK and timestamps
#trims the TCP attack surface, but it caps the receive window at 64 KB and
#slows recovery on lossy links; leave them at 1 unless you need this.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo "done."

#Load the 2.2 masquerading helper modules (by module name; modprobe finds
#the .o files itself).  ftp/irc/quake/raudio/vdolive follow the extra data
#connections those protocols open; portfw, autofw and user are driven
#through ipmasqadm to forward ports in to internal hosts.
echo -n "Adding masquerading modules..."
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_vdolive
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_autofw
/sbin/modprobe ip_masq_user
echo "done."

# Check to see how this script was called.

case "$1" in
	stop)
		echo "Stopping FIREWALL services."
		echo -n "   Flushing chains..."
		/sbin/ipchains -F
		echo "done."
		echo "FIREWALL services stopped."
		;;
	start)
		echo "Starting FIREWALL services."

		echo -n "   Setting forwarding rules..."
		# Masquerade internal traffic only as it leaves the external interface.
		# On the forward chain -i names the interface the packet goes OUT on,
		# so traffic forwarded between internal subnets is left un-NATed.
		/sbin/ipchains -A forward -j MASQ -s $INT_NET -i $EXT_IF
		echo "done."

		echo "   Setting input filter rules..."
		echo -n "      regular input rules..."
		# No -P is set, so the built-in chains keep their default ACCEPT
		# policy: the ACCEPT rules below only short-circuit the REJECTs that
		# follow, and all blocking is done by the REJECT list.  They match on
		# SOURCE port (DNS replies to this box's own lookups from outside,
		# time replies from inside); without connection tracking any packet
		# that merely claims that source port matches as well.
		/sbin/ipchains -A input -j ACCEPT -s any/0 domain -p tcp -i $EXT_IF
		/sbin/ipchains -A input -j ACCEPT -s any/0 domain -p udp -i $EXT_IF
		/sbin/ipchains -A input -j ACCEPT -s any/0 time -p tcp -i $INT_IF
		/sbin/ipchains -A input -j ACCEPT -s any/0 time -p udp -i $INT_IF
		/sbin/ipchains -A input -j REJECT -d $EXT_IP tftp -p udp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP sunrpc -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP auth -p tcp -i $EXT_IF -l
		# Since we don't use nntp anyway...
		/sbin/ipchains -A input -j REJECT -d $EXT_IP nntp -p tcp -i $EXT_IF -l
		# Samba and friends;  we don't want to have anything to do with
		# these over the public interface
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 134 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 135 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 136 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 137 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 138 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 139 -p tcp -i $EXT_IF -l
		# Should probably close this up
		/sbin/ipchains -A input -j REJECT -d $EXT_IP snmp -p udp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 513 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 514 -p tcp -i $EXT_IF -l
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 515 -p tcp -i $EXT_IF -l
		# Added for swat support
		/sbin/ipchains -A input -j REJECT -d $EXT_IP 901 -p tcp -i $EXT_IF -l
		# X?  Maybe?  Don't remember... might be VNC...
		/sbin/ipchains -A input -j REJECT -d any/0 5800:7000 -p tcp -i $EXT_IF -l
		echo "done."
		echo "   Done setting normal input rules."

		echo "   Done setting input rules."

		echo "   Setting output firewall rules..."
		#Block outbound traffic to private networks
		echo -n "      Blocking traffic to private networks..."
		/sbin/ipchains -A output -j DENY -s 10.0.0.0/8 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -s 172.16.0.0/12 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -s $INT_NET -i $EXT_IF -l
		/sbin/ipchains -A output -j DENY -s 127.0.0.0/8 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -s 224.0.0.0/4 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -s 240.0.0.0/5 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -d 10.0.0.0/8 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -d 172.16.0.0/12 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -d $INT_NET -i $EXT_IF -l
		/sbin/ipchains -A output -j DENY -d 127.0.0.0/8 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -d 224.0.0.0/4 -i $EXT_IF
		/sbin/ipchains -A output -j DENY -d 240.0.0.0/5 -i $EXT_IF
		echo "done."
		echo "   Done setting output firewall rules."

		echo "FIREWALL services started."
		;;
	restart)
		cd $CWD
		$0 stop
		$0 start
		;;
esac
;;
*)
	echo "Usage: firewall {start|stop|restart}"
;;
esac

exit 0

=====END rc.firewall=====

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
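An addition to this archived message, not part of kgd's reply: the script above is a blacklist layered on ipchains' default-ACCEPT policies, and, with no connection tracking in 2.2, its ACCEPT rules can only match on source port. On the 2.4 kernel kgd mentions moving to, the same gateway can be written statefully and default-deny with iptables. The script below is an added example, not code from the post or from Debian. It assumes eth0 outside, eth1 inside, a single internal subnet 192.168.2.0/24, ssh as the only service offered to the outside, and a 2.4 kernel with the ip_conntrack and iptable_nat modules available. The /proc/sys settings from the original script (ip_forward, rp_filter and so on) still apply unchanged and are not repeated here.

```shell
#!/bin/sh
# Added example (not the script from the post): the same gateway, done
# statefully with iptables on a 2.4 kernel.  Interface names and the
# internal subnet are assumptions; change them to match your machine.
EXT_IF="eth0"
INT_IF="eth1"
INT_NET="192.168.2.0/24"

# Set IPT=echo to print the rules instead of loading them.  That needs
# no root and lets you review the rule set before it touches the kernel.
IPT="${IPT:-/sbin/iptables}"

# The rule set as data: one iptables argument list per line.  Variables
# are expanded here, so what you see in a preview is what gets executed.
# Order matters: policies first, then flush, then rules top to bottom.
fw_rules() {
cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F
-t nat -F
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
-A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-input-drop:
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix fw-forward-drop:
-A OUTPUT -o $EXT_IF -d 10.0.0.0/8 -j DROP
-A OUTPUT -o $EXT_IF -d 172.16.0.0/12 -j DROP
-A OUTPUT -o $EXT_IF -d 192.168.0.0/16 -j DROP
-t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
EOF
}

# Load the rules in order, stopping at the first one iptables rejects so
# a typo does not leave a half-built policy behind.  Because the DROP
# policies are set first, a failure leaves the box closed, not open.
fw_apply() {
    fw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is the point
        $IPT $rule || { echo "failed: $IPT $rule" >&2; exit 1; }
    done
}

# Usage:  sh rc.firewall-iptables start          (as root, loads the rules)
#         IPT=echo sh rc.firewall-iptables start (prints them, no root needed)
case "${1:-}" in
    start) fw_apply ;;
esac
```

The DNS and time source-port holes of the ipchains version are gone: the ESTABLISHED,RELATED rule admits only packets that answer something this box or an internal host actually sent, and MASQUERADE is bound to -o eth0 so forwarding between internal subnets is never rewritten. Review the output of the IPT=echo preview before loading on a box you reach over ssh from outside, since -P INPUT DROP takes effect before the port 22 rule is added.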


