
Re: Setting up a server



On Fri, Jun 28, 2002 at 03:05:21PM -0700, curtis wrote:
> No, that doesn't work.
> 
> Below is a previous post of mine.  In response to this, one person said 
> to use iptables since I was using 2.4.xx kernel.

Yes, it will work and should not be too difficult.

In 2.0 and earlier we had ipfwadm ...

2.2 brought us ipchains

2.4 _strongly_suggests_ iptables

The idea of each method, for purposes of connecting a LAN to the internet
through a 'server' or firewall, is the same.  We want to do (at the very
least) NAT (Network Address Translation) or IP Masquerading.  Two terms
for the same thing: All the traffic coming from our LAN 'looks like' it
came from our firewall or NAT box address.  The NAT box keeps track of
which device on the LAN gets the replies (connection tracking in
iptables terminology).

To get iptables to work, you need to enable iptables in your kernel
_and_ enable compiling of each of the modules that iptables relies upon
and build those too.  (make modules; make modules_install).

Your error message earlier indicates that iptables wants to run for you,
but can't find the modules to load for you.

I have seen it recommended that you turn on (building of) ALL the
modules, since building ones that you do not use will not hurt
anything.

That done, keep your old kernel around (you always do that just in case
right; leave it available in lilo or grub) and boot your new one.

Try running this very simple script as root to flip on a basic ipmasq
configuration for iptables...

--
#!/bin/bash
# iptables - test script

####
# default table :

    # setup the default policies -- ACCEPT everything (this is a wide-open
    # starting point; tighten the policies once the basics work)
    iptables -P OUTPUT  ACCEPT
    iptables -P INPUT   ACCEPT
    iptables -P FORWARD ACCEPT


    # flush out all the old chains and delete user chains
    iptables -F
    iptables -X

    ####
    # INPUT chain -- what can come into the system

        # allow loopback
        iptables -A INPUT -i lo -j ACCEPT
        #iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

        # allow replies
        iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
        iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT

        # take all input from the LAN (assumes addresses are correct)
        iptables -A INPUT -i eth0 -j ACCEPT

        # allow ping
        iptables -A INPUT -p icmp -j ACCEPT

    ####
    # OUTPUT chain -- what is allowed to get out

        # allow loopback
        iptables -A OUTPUT -o lo -j ACCEPT

        # stop all samba stuff going out the DSL line, but tell the host (me)
        iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT

        iptables -A OUTPUT -o eth0 -j ACCEPT
        iptables -A OUTPUT -o eth1 -j ACCEPT


####
# nat table -- how we translate (masq) stuff

    # flush out all the old chains
    iptables -t nat -F


    ####
    # POSTROUTING chain

        # masquerade stuff from the LAN to the WAN
        iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # enable forwarding in the kernel
    echo "1" > /proc/sys/net/ipv4/ip_forward

## end
--
Once run, your lsmod (modules loaded in RAM) might look a bit like this:

davep@fw:~$ su -c "lsmod"
Password: 
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          1216   1  (autoclean)
iptable_nat            13236   1  (autoclean) [ipt_MASQUERADE]
ipt_REJECT              2816   1  (autoclean)
ipt_state                608   2  (autoclean)
ip_conntrack           13228   2  (autoclean) [ipt_MASQUERADE
iptable_nat ipt_state]
iptable_filter          1760   1  (autoclean)
ip_tables              10592   7  [ipt_MASQUERADE iptable_nat ipt_REJECT
ipt_state iptable_filter]
serial_cs               4480   0  (unused)
xirc2ps_cs             11652   1 
pcnet_cs               10404   1 
8390                    5984   0  [pcnet_cs]
af_packet               8296   1 
--
As you can see, most of the modules are iptables related ... you have to
have compiled and installed all of them to get this to work...

Here are the modules on this system:

davep@fw:~$ ls /lib/modules/2.4.18/kernel/net/ipv4/netfilter/       
ip_conntrack.o       ipfwadm.o         ipt_ULOG.o       ipt_state.o
ip_conntrack_ftp.o   ipt_LOG.o         ipt_ah.o         ipt_tcpmss.o
ip_conntrack_irc.o   ipt_MARK.o        ipt_esp.o        ipt_tos.o
ip_nat_ftp.o         ipt_MASQUERADE.o  ipt_length.o     ipt_ttl.o
ip_nat_irc.o         ipt_MIRROR.o      ipt_limit.o      ipt_unclean.o
ip_nat_snmp_basic.o  ipt_REDIRECT.o    ipt_mac.o        iptable_filter.o
ip_queue.o           ipt_REJECT.o      ipt_mark.o       iptable_mangle.o
ip_tables.o          ipt_TCPMSS.o      ipt_multiport.o  iptable_nat.o
ipchains.o           ipt_TOS.o         ipt_owner.o

Now, I might get feedback about this being less than perfect. It is,
but it will work.

(Note the last line about putting a '1' into the proc filesystem to turn
on forwarding? All routers need at least that much happening)

ipchains (and ipfwadm) were _much_ simpler to 'get the basics' out of,
but iptables allows 'stateful' packet filtering and is much more
flexible and powerful ...

That said, here is how you would do it with ipchains (just basic NAT)
--
(This is /etc/init.d/iptables on a debian potato system of mine)
#! /bin/sh
# Script to control packet filtering.

# by dap ... from ipchains-HOWTO 12/2000 ...
# note: to create /etc/ipchains.rules,
#       run "ipchains-save > /etc/ipchains.rules"

# If no rules, do nothing.

[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
    start)
        echo -n "Turning on packet filtering:"
        /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F
        /sbin/ipchains -X
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/packetfilter {start|stop}"
        exit 1
        ;;
esac
exit 0

# Make sure this is run early in the bootup procedure.
# In my case (Debian 2.1), I make a symbolic
# link called `S39packetfilter' in the `/etc/rcS.d'
# directory (this will be run before S40network).

--
(You need a /etc/ipchains.rules for this one to work though...)
--
dbx:/home/davep# cat /etc/ipchains.rules 
:input ACCEPT
:forward DENY
:output ACCEPT
-I input -s 63.225.175.59 -j DENY -l
-I input -s 63.225.165.246 -j DENY -l
-I input -s 63.225.190.28 -j DENY -l
-I input -s 63.225.18.129 -j DENY -l
-I input -s 63.231.54.72  -j DENY -l
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

(All those -I input -s .... DENY lines are just idiot hosts with the
nimwitda virus who keep trying to probe my apache web server like it was
an IIS box; they just get their packets quietly dropped on the doormat.)

The real work is done by the first three lines and the last one.

Now, this config _is_ incredibly open and most sane people would tell
you that I am insane to connect such a firewall to the internet.  They
are right, except that:

1> it works for my purposes
2> the hosts it protects are pretty well hardened in their own right.  I
just want this box to NAT for me ...

I really hope this helps.  

I should also point to the docs at samba.org which are maintained by the
author of the iptables code (rusty).  Hard reading, but well worth the
effort, especially after you get a basic config running and want to
understand how it works.

aloha,
dave
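As an added example (not from dave's mail or the ipchains-HOWTO), here is the same masquerading setup written the way the message says iptables makes possible: stateful matching and a default DROP policy on INPUT and FORWARD, so the WAN side can only answer connections the LAN started. It also adds a preflight check for the netfilter module files the mail says must be built, since the missing-module error was the original problem. Assumptions: eth0 is the LAN side, eth1 the DSL/WAN side, and the LAN is 192.168.1.0/24 (the network used in the ipchains rules above); the DRY_RUN and FW_APPLY variables and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Stateful NAT firewall
# for a two-interface box: LAN on eth0, WAN on eth1 (assumed).
# DRY_RUN=1 prints the iptables commands instead of running them;
# FW_APPLY=1 actually applies the ruleset (must be root).

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
MODDIR=${MODDIR:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}

# Run an iptables command, or just echo it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Check that the module object files this ruleset needs exist under $1.
# 2.4 kernels (as in the mail) name them *.o, 2.6 and later *.ko.
# Prints each missing module name; returns 1 if any is missing, else 0.
check_modules() {
    cm_missing=0
    for m in ip_tables iptable_filter iptable_nat ip_conntrack \
             ipt_state ipt_MASQUERADE ipt_REJECT; do
        if [ ! -e "$1/$m.o" ] && [ ! -e "$1/$m.ko" ]; then
            echo "missing netfilter module: $m"
            cm_missing=1
        fi
    done
    return "$cm_missing"
}

# Build the filter and nat tables.  Policies start at DROP, then only
# loopback, LAN-originated traffic and replies are let through.
build_rules() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: loopback, replies to what we started, the LAN, and ping
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # FORWARD: the LAN may open connections outward; the WAN may only
    # carry packets belonging to connections the LAN already opened
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # keep NetBIOS/SMB off the WAN link, as the original script did
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 137:139 -j REJECT

    # nat table: rewrite the source of LAN traffic leaving on the WAN side
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# The one thing every router needs: turn on forwarding in the kernel.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Only touch the live system when explicitly asked to.
if [ "${FW_APPLY:-0}" = 1 ]; then
    check_modules "$MODDIR" || { echo "build the missing modules first" >&2; exit 1; }
    build_rules
    enable_forwarding
fi
```

Review the rules first with `DRY_RUN=1 FW_APPLY=1 sh fw.sh`, then apply them as root with `FW_APPLY=1 sh fw.sh`. The FORWARD chain is where the stateful part matters: with a DROP policy there, anything the WAN side sends that does not belong to a LAN-initiated connection is discarded before it reaches the LAN, which the ACCEPT-everything test script above does not do.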
