Re: Setting up a server
On Fri, Jun 28, 2002 at 03:05:21PM -0700, curtis wrote:
> No, that don't work.
>
> Below is a previous post of mine. In response to this, one person said
> to use iptables since I was using 2.4.xx kernel.
Yes, it will work and should not be too difficult.
In 2.0 and earlier we had ipfwadm ...
2.2 brought us ipchains
2.4 _strongly_suggests_ iptables
The idea of each method, for purposes of connecting a LAN to the internet
through a 'server' or firewall, is the same. We want to do (at the very
least) NAT (Network Address Translation) or IP-Masquerading. Two terms
for the same thing: All the traffic coming from our LAN 'looks like' it
came from our firewall or NAT box address. The NAT box keeps track of
which device on the LAN gets the replies (connection tracking in
iptables terminology).
To get iptables to work, you need to enable iptables in your kernel
_and_ enable compiling of each of the modules that iptables relies upon
and build those too. (make modules; make modules_install).
Your error message earlier indicates that iptables wants to run for you,
but can't find the modules to load for you.
I have seen it recommended that you turn on (building of) ALL the
modules, since building ones that you do not use will not hurt
anything.
That done, keep your old kernel around (you always do that just in case
right; leave it available in lilo or grub) and boot your new one.
Try running this very simple script as root to flip on a basic ipmasq
configuration for iptables...
--
#!/bin/bash
# iptables - test script
####
# default table :
# setup the default policies -- ACCEPT everything (this is what makes the
# config so open; the rules below only narrow things down)
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# flush out all the old chains and delete user chains
iptables -F
iptables -X
####
# INPUT chain -- what can come into the system
# allow loopback
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
# allow replies (needs the ipt_state / ip_conntrack modules)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
# take all input from the LAN (assumes addresses are correct)
iptables -A INPUT -i eth0 -j ACCEPT
# allow ping
iptables -A INPUT -p icmp -j ACCEPT
####
# OUTPUT chain -- what is allowed to get out
# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# stop all samba stuff going out the DSL line, but tell the host (me)
iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
####
# nat table -- how we translate (masq) stuff
# flush out all the old chains
iptables -t nat -F
####
# POSTROUTING chain
# masquerade stuff from the LAN (eth0) to the WAN (eth1)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# enable forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
## end
--
Once run, your lsmod (modules loaded in RAM) might look a bit like this:
davep@fw:~$ su -c "lsmod"
Password:
Module Size Used by Not tainted
ipt_MASQUERADE 1216 1 (autoclean)
iptable_nat 13236 1 (autoclean) [ipt_MASQUERADE]
ipt_REJECT 2816 1 (autoclean)
ipt_state 608 2 (autoclean)
ip_conntrack 13228 2 (autoclean) [ipt_MASQUERADE
iptable_nat ipt_state]
iptable_filter 1760 1 (autoclean)
ip_tables 10592 7 [ipt_MASQUERADE iptable_nat ipt_REJECT
ipt_state iptable_filter]
serial_cs 4480 0 (unused)
xirc2ps_cs 11652 1
pcnet_cs 10404 1
8390 5984 0 [pcnet_cs]
af_packet 8296 1
--
As you can see, most of the modules are iptables related ... you have to
have compiled and installed all of them to get this to work...
Here are the modules on this system:
davep@fw:~$ ls /lib/modules/2.4.18/kernel/net/ipv4/netfilter/
ip_conntrack.o ipfwadm.o ipt_ULOG.o ipt_state.o
ip_conntrack_ftp.o ipt_LOG.o ipt_ah.o ipt_tcpmss.o
ip_conntrack_irc.o ipt_MARK.o ipt_esp.o ipt_tos.o
ip_nat_ftp.o ipt_MASQUERADE.o ipt_length.o ipt_ttl.o
ip_nat_irc.o ipt_MIRROR.o ipt_limit.o ipt_unclean.o
ip_nat_snmp_basic.o ipt_REDIRECT.o ipt_mac.o iptable_filter.o
ip_queue.o ipt_REJECT.o ipt_mark.o iptable_mangle.o
ip_tables.o ipt_TCPMSS.o ipt_multiport.o iptable_nat.o
ipchains.o ipt_TOS.o ipt_owner.o
Now, I might get feedback about this being less than perfect. It is,
but it will work.
(Note the last line about putting a '1' into the proc filesystem to turn
on forwarding? All routers need at least that much happening)
ipchains (and ipfwadm) were _much_ simpler to 'get the basics' out of,
but iptables allows 'stateful' packet filtering and is much more
flexible and powerful ...
That said, here is how you would do it with ipchains (just basic NAT)
--
(This is /etc/init.d/iptables on a debian potato system of mine)
#! /bin/sh
# Script to control packet filtering.
# by dap ... from ipchains-HOWTO 12/2000 ...
# note: to create /etc/ipchains.rules,
# run "ipchains-save > /etc/ipchains.rules"
# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0
case "$1" in
start)
echo -n "Turning on packet filtering:"
/sbin/ipchains-restore < /etc/ipchains.rules || exit 1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "."
;;
stop)
echo -n "Turning off packet filtering:"
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
echo "."
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0
# Make sure this is run early in the bootup procedure.
# In my case (Debian 2.1), I make a symbolic
# link called `S39packetfilter' in the `/etc/rcS.d'
# directory (this will be run before S40network).
--
(You need a /etc/ipchains.rules for this one to work though...)
--
dbx:/home/davep# cat /etc/ipchains.rules
:input ACCEPT
:forward DENY
:output ACCEPT
-I input -s 63.225.175.59 -j DENY -l
-I input -s 63.225.165.246 -j DENY -l
-I input -s 63.225.190.28 -j DENY -l
-I input -s 63.225.18.129 -j DENY -l
-I input -s 63.231.54.72 -j DENY -l
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
(All those -I input -s .... DENY lines are just idiot hosts with the
nimwitda virus who keep trying to probe my apache web server like it was
an IIS box; they just get their packets quietly dropped on the doormat.)
The real work is done by the first three lines and the last line.
Now, this config _is_ incredibly open and most sane people would tell
you that I am insane to connect such a firewall to the internet. They
are right, except that:
1> it works for my purposes
2> the hosts it protects are pretty well hardened in their own right. I
just want this box to NAT for me ...
I really hope this helps.
I should also point to the docs at samba.org which are maintained by the
author of the iptables code (rusty). Hard reading, but well worth the
effort, especially after you get a basic config running and want to
understand how it works.
aloha,
dave
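As an added example (not dave's script, nor anything from the iptables project): the same NAT box setup with the INPUT and FORWARD chains closed by default, assuming eth0 is the LAN (192.168.1.0/24) and eth1 is the DSL line. The rules are emitted in iptables-restore format so they can be read before being loaded, and every match and target used (state, limit, LOG, REJECT, MASQUERADE) is among the modules listed above.

```shell
#!/bin/sh
# Added example, not dave's script: the same NAT box with INPUT and FORWARD
# closed by default. Assumed layout: eth0 = LAN (192.168.1.0/24), eth1 = DSL.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# Emit the ruleset in iptables-restore format so it can be read (and checked)
# before anything is loaded into the kernel; "#" lines are comments to it.
nat_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this box started (ipt_state module)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only the LAN may talk to the box itself; rate-limited ping from anywhere
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT drop: "
# forward LAN -> WAN and the replies, nothing else (the original forwarded all)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD drop: "
# keep Windows file sharing from leaking out the DSL line
-A OUTPUT -o $WAN_IF -p tcp --dport 137:139 -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity check: how many ACCEPT rules sit in FORWARD (expect exactly two).
forward_accepts() {
    nat_rules | grep -c '^-A FORWARD .*-j ACCEPT$'
}

case "$1" in
    apply) nat_rules | iptables-restore || exit 1
           echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    show)  nat_rules ;;
esac
```

Run it as root with `apply` to load the rules, or with `show` to just print them.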