[H-GEN] ip masq, ,chaining, proxies, squid etc

Ben Carlyle benc at foxboro.com.au
Sat Sep 11 10:02:44 EDT 1999


[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]


Darrin Milson wrote:
> > I assumed that all I would have to do is enable forwarding in
> > etc/sysconfig/network and do 
> > ipchains -P forward DENY 
> > and 
> > ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
> > as explained in APC pocket book.  It doesn't mention anything about
> > proxies or firewalls and I don't know a great deal about any of it.
> > All help appreciated and reciprocated where possible.

Everything looks pretty much fine to me, although I have little experience
with ipchains.  What appears to me to be most likely to be wrong is the
setup of the machines on your network.   The first thing to check is their
default routes.

Each machine on the network must have a default route through your gateway
in order for the gateway to realise that it needs to masquerade the packets.
On a Linux machine you should have a line like the following in your route
tables (see /sbin/route, or /sbin/route -n if your DNS isn't operating):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         guardian.qtc.fo 0.0.0.0         UG    0      0        2 eth0
or 
0.0.0.0         123.231.132.213 0.0.0.0         UG    0      0        2 eth0

On a windows machine, check your TCP/IP configuration panel settings for
ethernet.


Harry Phillips wrote (rearranged for readability):

> Don't ask me what they do or if the order of the second ipchains line matters
> but the other PC's on the network can do anything including Commonwealth
> Netbank. I got all the settings by reading, reading and reading all the HOW-TO
> that were relevant and some that weren't.

Here is a brief explanation of what you're doing there, and it comes in
two parts:

Part 1)  Loading kernel modules.

> /sbin/depmod -a
This line updates the dependencies between all kernel modules in the system.
As the dependencies typically do not change during a machine's operation,
and most distributions automatically perform a depmod -a during bootup, it
is probably unnecessary.

> /sbin/modprobe ip_masq_portfw
... several more module inclusions ...
> /sbin/modprobe ip_masq_irc
These lines load your IP Masq modules, including specific modules for proxying
UDP connections that can't be handled by the core logic due to the lack of a
TCP "connection" to keep track of which machine returning packets are meant to
go to.  When I last set up masq they had to be loaded manually, so they are
probably necessary to load here if you are using the UDP protocols listed.
Your distribution may already do this; use "lsmod" to take a peek at which
modules are loaded in memory at any time.

Part 2)  Configuring the forwarding firewall

This is as Harry has already listed, and is a two step operation.

> ipchains -P forward DENY
Make the default rule when packet forwarding is requested to deny that
request.  This is important, because if you promiscuously masquerade
for anyone on the internet who requests it you'll be putting your IP stamp
into the logs of the machines our evil system-cracker buddies exploit.

> ipchains -A forward -s 192.168.1.0/24 -j MASQ
This command adds a specific rule to permit Masq-based forwarding from
any host within the 192.168.1.x address range.  If you wanted to be a
BOFH, you could add separate rules for different protocols.  In addition,
I would definitely amend this line as appropriate for your network device
name:
> ipchains -A forward -s 192.168.1.0/24 -j MASQ -i eth0
This will protect you from just about any IP spoofing attack, by ensuring
masq is only performed if the connection originated from your local network.

I personally would add one command in between the two that are listed here.
According to my reading (I don't have a recent kernel to trial this on),
the following command should clear out any rules that existed beforehand,
so if your firewall is only intended to masquerade as described in this file,
then stale commands won't sit around allowing other things to happen.

ipchains -F forward

Have a read through the ipchains(8) man page for further info.
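An added example, not code from the post: a small Python model of the chains discussed above (default policy, -F, -s and -i matching) run against sample packets, including one that arrives on the internet link carrying a local 192.168.1.x source address. Because ipchains(8) defines -i in the forward chain as the interface a packet will be sent out on, the model performs that anti-spoofing check in the input chain and uses the forward rule's -i to name the external link. The interface names ppp0 (internet link) and eth0 (LAN) are assumptions.

```python
# Added example, not from the post: a toy model of ipchains input/forward
# chain evaluation.  Per ipchains(8), -i matches the receiving interface in
# the input chain and the sending interface in the forward chain, so the
# anti-spoofing test sits in the input chain.  Interface names are assumed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # address range from the post
EXT_IF, LAN_IF = "ppp0", "eth0"      # assumed: internet link and LAN interface


class Chain:
    """One ipchains chain: ordered rules plus a default policy."""

    def __init__(self, policy):
        self.policy, self.rules = policy, []

    def flush(self):                                  # ipchains -F <chain>
        self.rules = []

    def append(self, target, src=None, iface=None):   # ipchains -A <chain> ...
        self.rules.append((src, iface, target))

    def run(self, src, iface):
        """Target of the first rule matching (src, iface), else the policy."""
        for rule_src, rule_if, target in self.rules:
            if rule_src is not None and ip_address(src) not in rule_src:
                continue
            if rule_if is not None and rule_if != iface:
                continue
            return target
        return self.policy


def build_firewall():
    inp = Chain("ACCEPT")
    inp.append("DENY", src=LAN, iface=EXT_IF)  # LAN address arriving from outside
    fwd = Chain("DENY")                        # ipchains -P forward DENY
    fwd.flush()                                # ipchains -F forward
    fwd.append("MASQ", src=LAN, iface=EXT_IF)  # masq LAN hosts only when leaving via the link
    return inp, fwd


def verdict(inp, fwd, src, in_if, out_if):
    """Verdict for a packet received on in_if that routing would send out out_if."""
    if inp.run(src, in_if) == "DENY":
        return "DENY(input)"
    return fwd.run(src, out_if)
```

A LAN host going out the link is masqueraded, an unsolicited packet from the internet hits the DENY policy, and a packet with a LAN source address arriving on ppp0 is dropped before forwarding is considered.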


Benjamin.


--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
