TCLUG Archive
Re: [TCLUG:9525] IPCHAINS, Firewall and Masquerading
- To: tclug-list@mn-linux.org
- Subject: Re: [TCLUG:9525] IPCHAINS, Firewall and Masquerading
- From: ^chewie <chewie@wookimus.net>
- Date: Thu, 28 Oct 1999 16:36:08 -0500 (CDT)
- In-Reply-To: <199910282034.PAA00987@guinness.urw.org>
The best approach to doing IP-Chains firewalls is to sit down and hack
it out. I know it sucks to hear that, but until you do, you'll never
understand what really goes on. I'll give you some hints, though...
* Diagram your traffic scenarios. Remember, you need to allow all traffic input on the internal interface from your internal network, but not your external network.
* Set ACCEPT as your default policy to everything. Add the MASQ rule to the forward chain. Prove to yourself that a simple masquerade works...
* Set DENY as your default policy on everything. Then add rules until the packet you want can traverse the firewall.
* Test packets with the "-C" option. This is a very helpful option, and a kudos to the developers who included it.
* Remember to create rules to allow traffic from your local loop interface to your local loop interface.
* The "-y" option is very useful on the input chain to an interface. It allows you to specify return input from tcp-based connections that originate from the firewall.
I have an init script that saves your existing chains at shutdown and
restores them at reboot, if you'd like them. What I don't have is a
script to do the initial setup. If all you want is a workable
masquerade and you can handle some somewhat confusing scripting,
download the ipmasq deb file from the debian website
(http://www.debian.org). If you have redhat, install the 'alien'
package so you can convert the deb to an rpm. Either that or install
the debian package manager and manually extract the tarball. If you
have Debian, all the better.
Later!
^chewie
+----------------------------------------------------+
| Chad Walstrom mailto:chewie@wookimus.net |
| ICQ: 9985127 http://wookimus.net/~chewie |
+----------------------------------------------------+
Need a new truck? Check out my '97 Explorer 2-door
Sport at http://wookimus.net/~chewie/truck.html
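The steps in the post above, worked into a script (an added example, not something from the original message or the ipmasq package). Interface and address values are assumptions: eth0 is the external interface, eth1 the internal one, 192.168.1.0/24 the internal LAN and 203.0.113.1 the firewall's external address. Unless APPLY=1 is set, the commands are only printed, so the ruleset can be read and checked on a box without ipchains.

```shell
#!/bin/sh
# Assumed names (not from the post): external eth0, internal eth1, LAN
# 192.168.1.0/24, firewall external address 203.0.113.1 (constructed).
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
FW_EXT="${FW_EXT:-203.0.113.1}"

# Run ipchains, or in dry-run mode (APPLY unset) just print the command.
ipc() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    else
        printf 'ipchains %s\n' "$*"
    fi
}

# DENY everything, then add rules until the wanted packets get through.
build_rules() {
    ipc -F                     # flush whatever is loaded now
    ipc -P input DENY
    ipc -P output DENY
    ipc -P forward DENY
    # loopback must be allowed to talk to itself
    ipc -A input  -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT
    # anything from the LAN is accepted on the internal interface...
    ipc -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # ...but LAN addresses arriving on the external side are spoofed: log and drop
    ipc -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # external side: only TCP replies (no SYN) get in, new connections do not
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # the firewall itself may send on either interface
    ipc -A output -i "$INT_IF" -j ACCEPT
    ipc -A output -i "$EXT_IF" -j ACCEPT
    # masquerade LAN traffic leaving through the external interface
    ipc -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

# -C asks the kernel what it would do with one packet:
# check_packet <chain> <iface> <proto> <src> <sport> <dst> <dport> [-y]
check_packet() {
    chain=$1; iface=$2; proto=$3; src=$4; sport=$5; dst=$6; dport=$7; shift 7
    ipc -C "$chain" -i "$iface" -p "$proto" -s "$src" "$sport" -d "$dst" "$dport" "$@"
}

build_rules
# A fresh SYN from outside (constructed peer 198.51.100.7) should be denied;
# a SYN-less reply to a masqueraded connection should be accepted.
check_packet input "$EXT_IF" tcp 198.51.100.7 1234 "$FW_EXT" 23 -y
check_packet input "$EXT_IF" tcp 198.51.100.7 80 "$FW_EXT" 61001
```

With APPLY=1 as root the two check lines print "denied" and "accepted" respectively; without it they print the ipchains -C commands to run by hand.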