
Re: ip masq performance



On Tue, 22 Feb 2000, Stuart Ballard wrote:

> As a first pass at configuring this thing (I don't plan on leaving it
> like this, but I'm at the stage where I just want *something* that
> works) I set it up using:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ipchains -P forward MASQ
>=

Dear Stuart,

I have a similar hardware configuration, but I thought about
security first (this was the only reason I am with Linux: it is easy to
configure what you really want).

Please look at the attached shell script, which I run on the IP-UP event by PPPD.
It has worked not too badly for the last couple of months (for me!).
If you get a lot of messages in the logs then you need
to adjust some rules. I understand it is not perfect.

The idea is from a Web site (sorry, I missed the name).

---
Regards,
Pavel Epifanov.

epv@casema.net , pavel_e@yahoo.com

#!/bin/sh
#
# IPCHAINS-ALL
#
###########################################
IPCHAINS="/sbin/ipchains"
# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

###########################################
# Incoming packets from the outside network
$IPCHAINS -F input
# Outgoing packets from the internal network
$IPCHAINS -F output
# Forwarding/masquerading
$IPCHAINS -F forward

###########################################
# Allow MASQ connections from the internal 10/8 network.
# Note: no policy is set on the forward chain, so it keeps the built-in
# default (ACCEPT); anything forwarded from outside 10/8 passes unmasqueraded.
$IPCHAINS -A forward -s 10.0.0.0/255.0.0.0 -j MASQ
#

###########################################
# Disallow any UDP incoming connections, except the replies we expect.
# These ACCEPT rules match on the remote *source* port only (any source
# address), so anything sent from that port reaches any local UDP port.
# DNS replies (source port 53)
$IPCHAINS -A input -p udp -s 0.0.0.0/0 53 -i ppp0 -j ACCEPT
# BBC real-audio
$IPCHAINS -A input -p udp -s 0.0.0.0/0 6970 -i ppp0 -j ACCEPT
# ??? WEB Browsing
$IPCHAINS -A input -p udp -s 0.0.0.0/0 2140 -i ppp0 -j ACCEPT
$IPCHAINS -A input -p udp -d 0.0.0.0/0 31789 -i ppp0 -j ACCEPT
#
# CIPE test
$IPCHAINS -A input -p udp -s 0.0.0.0/0 31121 -i ppp0 -j ACCEPT
$IPCHAINS -A input -p udp -s 0.0.0.0/0 31122 -i ppp0 -j ACCEPT
#
# default - DENY and log it (-l)
$IPCHAINS -A input -p udp -i ppp0 -l -j DENY
#

###########################################
# Disallow outside incoming TCP connections to these services
# (a deny-list: only the ports listed here are blocked, and logged)
# RPC portmapper
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  111 -i ppp0 -l -j DENY
# SMTP
$IPCHAINS -A input -p tcp -d 0.0.0.0/0   25 -i ppp0 -l -j DENY
# Printer (lpd)
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  515 -i ppp0 -l -j DENY
# ???
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  840 -i ppp0 -l -j DENY
# DNS (zone transfers / TCP queries)
$IPCHAINS -A input -p tcp -d 0.0.0.0/0   53 -i ppp0 -l -j DENY
# NFS
$IPCHAINS -A input -p tcp -d 0.0.0.0/0 2049 -i ppp0 -l -j DENY
# Concert?
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  786 -i ppp0 -l -j DENY
# ???
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1113 -i ppp0 -l -j DENY
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1114 -i ppp0 -l -j DENY
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1115 -i ppp0 -l -j DENY
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1116 -i ppp0 -l -j DENY
#
# default - ACCEPT till TCP wrappers: every other TCP port on ppp0 is
# reachable from outside; only TCP wrappers / the daemons themselves limit it
$IPCHAINS -A input -p tcp -i ppp0 -j ACCEPT
#

###########################################
# Set www and ftp (control) for minimum delay - OUTPUT
# (-t andmask xormask: AND the TOS byte with 0x01, then XOR in
#  0x10 = Minimize-Delay or 0x08 = Maximize-Throughput; no -j, so the
#  packet continues down the chain after the TOS change)
$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
# Same TOS settings for forwarded traffic - FORWARD
# (inserted at the head of the chain with -I: the MASQ rule above is a
#  terminating target, so rules appended after it would never match)
$IPCHAINS -I forward -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -I forward -p tcp -d 0/0 ftp -t 0x01 0x10
# Set ftp-data for maximum throughput
$IPCHAINS -I forward -p tcp -d 0/0 ftp-data -t 0x01 0x08

###########################################
#
/usr/bin/logger -s IPCHAINS up.
###########################################
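A way to see which rules are filling the logs, as an added example that is not part of the original post or of the script above: the `-l` flag on the DENY rules makes the kernel write one `Packet log:` line per dropped packet, and counting those by interface, protocol and destination port shows what is actually hitting the default rules before you decide which ones to adjust. The function names (`ipchains_denied_summary`, `top_denied`) are mine, the sample syslog lines are constructed for the example, and the line shape assumed is the 2.2-kernel ipchains log format (`Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)`).

```shell
#!/bin/sh
# Summarise ipchains "-l" log entries: count DENY/REJECT hits per
# interface, protocol and destination port, most frequent first, so the
# noisiest ones can be given explicit rules. Added example, not the
# poster's script; the log lines below are constructed.
#
# Assumed line shape (ipchains kernel log format):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)

# Reads syslog lines on stdin, prints "<count> <iface> <proto>/<dport>".
ipchains_denied_summary() {
    grep -E 'Packet log: [a-z]+ (DENY|REJECT) ' |
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) {
                proto = substr($i, 7) + 0   # protocol number after "PROTO="
                iface = $(i - 1)            # interface the packet arrived on
                dst   = $(i + 2)            # "<dst-ip>:<dport>"
                break
            }
        }
        n = split(dst, a, ":")
        dport = a[n]
        name = (proto == 6) ? "tcp" : (proto == 17) ? "udp" : \
               (proto == 1) ? "icmp" : ("proto" proto)
        count[iface " " name "/" dport]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Constructed sample: what /var/log/messages might hold after a script
# like the one above has been running on ppp0 for a while. Rule #7 is
# the logged UDP default DENY, rule #8 the TCP DENY for port 111; the
# ACCEPT line is ignored by the summary.
SAMPLE_LOG='Feb 22 10:01:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:2333 198.51.100.7:111 L=60 S=0x00 I=2231 F=0x4000 T=51 SYN (#8)
Feb 22 10:01:07 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:2334 198.51.100.7:111 L=60 S=0x00 I=2232 F=0x4000 T=51 SYN (#8)
Feb 22 10:03:40 gw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.77:1024 198.51.100.7:137 L=78 S=0x00 I=901 F=0x0000 T=120 (#7)
Feb 22 10:03:41 gw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.77:1024 198.51.100.7:137 L=78 S=0x00 I=902 F=0x0000 T=120 (#7)
Feb 22 10:03:42 gw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.78:1024 198.51.100.7:137 L=78 S=0x00 I=903 F=0x0000 T=120 (#7)
Feb 22 10:06:13 gw kernel: Packet log: input ACCEPT ppp0 PROTO=6 192.0.2.11:4000 198.51.100.7:22 L=60 S=0x00 I=17 F=0x4000 T=51 SYN (#15)'

# Most frequent denied entry in the sample, e.g. "3 ppp0 udp/137".
top_denied() {
    printf '%s\n' "$SAMPLE_LOG" | ipchains_denied_summary | head -n 1
}

# Real use: ipchains_denied_summary < /var/log/messages
top_denied
```

The summary for the sample shows NetBIOS name-service noise (udp/137) as the top entry and portmapper probes (tcp/111) second; a busy udp/137 line is the kind of entry worth an explicit, unlogged DENY so the log stays readable for the rest.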
