Nandy
10-08-2000, 01:47 AM
Ohh well! Here I go...
I am trying to set up a firewall using RH Linux 6.2. I have spent the last 3 days trying to do this and it is not funny anymore.
This is what I got: a Digital 486 DX2 66 with 16 megs and 2 HDs of about 250 MB each. I have 2 NICs; one is a D-Link DE-220 and the other is a CompUSA generic card.
I get to the net using my Windows box as the gateway for the rest of the LAN. If I am using the Windows PC as the gateway, all PCs can ping each other and any server on the net. When I am using the proxy PC, all the PCs can ping each other but only the proxy PC can ping servers on the net. I made sure I changed the gateway routing to reflect the new gateway IP on both the Linux and the Windows PC. Also made sure IP forwarding is enabled.
When I do the ping I can see the lights on my switch and cable modem blink just once, and that is it. I got cable modem service with Time Warner.
I am very new to Linux so maybe I am just making a very simple mistake. Please point it out. Ahhh! The problem exists before and after I run the script for the firewall. I had to turn off the IP masquerading capabilities of the script because it was giving me an error, but that was about it. After everything is working OK I will track the error. Looks like it is a typo... I will paste the script here just in case...
That is all I am doing, making sure IP forwarding is running and running this script. I am not sure, but I think that is all I need to secure my Linux box a little more, at least for the beginning... I think...
Thanks y'all,
Nandy
#!/bin/sh
#############################################
#
# IPCHAINS Configuration Script v1.0
#
# Copyright 1999 Matthew Cerha (mcerha@io.com)
#
# This script is designed to configure a simple
# set of IPCHAINS rules for a two interface
# Linux firewall using IP-Masquerading.
#
# Inspiration from the Isinglass firewall
# script. http://www.tummy.com/isinglass
#
# Usage: firewall <on | off>
#
# After configuring the script variables,
# put a line in your RC scripts like:
#
# /root/bin/firewall on
#
#############################################
#############################################
# Begin Configuration Section
#############################################
# Internal Interface
#
# This is the interface on the inside (trusted
# side) of the firewall.
#
# INTERNAL_INT=<eth0 | eth1 | ppp0>
#
INTERNAL_INT=eth0
# External Interface
#
# This is the interface on the outside (untrusted
# side) of the firewall.
#
# EXTERNAL_INT=<eth0 | eth1 | ppp0>
#
EXTERNAL_INT=eth1
# Masquerading
#
# Uncomment the following to enable IP-masquerading
# of your internal network.
# (Recommended)
#
#MASQ=yes
# Load Firewall Kernel Modules
#
# Uncomment the following if you need to load any
# firewall kernel modules. If you have compiled a kernel
# with the firewalling options built-in (FTP, IRC,
# Quake, RealAudio), please comment out the following line.
# Note: If you are using a stock RedHat kernel, you will
# need to uncomment the following line.
#
#MODS=yes
# Common Inbound Services
#
# Uncomment each service that you would like accessible
# on your firewall from the outside world. Enable only
# those services which are absolutely necessary.
#
#FTP=yes
#HTTP=yes
#HTTPS=yes
#IDENT=yes
#IMAP=yes
#POP=yes
#SMTP=yes
#SSH=yes
#TELNET=yes
# DNS Query Replies
#
# Uncomment the following variable to allow the
# responses from DNS servers through the firewall.
# (Recommended)
#
DNS=yes
# Inbound ICMP
#
# Uncomment the following to allow hosts outside your
# firewall to "ping" your firewall.
# (Not Recommended)
#
#IN_PING=yes
# Outbound ICMP
#
# Uncomment the following to allow hosts inside your
# firewall to "ping" and "traceroute" through the
# firewall to the rest of the world.
# (Optional)
#
OUT_PING=yes
OUT_TRACEROUTE=yes
#############################################
# End Configuration Section
#############################################
#############################################
# Begin Firewall Configuration
#############################################
PATH=/sbin:/usr/sbin:/bin:/usr/bin
# The following function enables the firewall rules.
# It allows established connections through the firewall
# by default.
firewall_on() {
# Internal Trusted Network
INTERNAL_NET=`ifconfig $INTERNAL_INT | grep inet | awk '{print $2}' | cut -d ":" -f 2`
INTERNAL_MASK=`ifconfig $INTERNAL_INT | grep inet | awk '{print $4}' | cut -d ":" -f 2`
INTERNAL=$INTERNAL_NET/$INTERNAL_MASK
# External Untrusted Network
EXTERNAL_NET=`ifconfig $EXTERNAL_INT | grep inet | awk '{print $2}' | cut -d ":" -f 2`
#EXTERNAL_MASK=`ifconfig $EXTERNAL_INT | grep inet | awk '{print $4}' | cut -d ":" -f 2`
EXTERNAL_MASK=32
EXTERNAL=$EXTERNAL_NET/$EXTERNAL_MASK
# Disable kernel-level IP forwarding for security.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Load some firewall kernel modules
if [ -n "$MODS" ] ; then
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
modprobe ip_masq_quake
fi
# Flush out any existing firewall rules
ipchains -F input
ipchains -F output
ipchains -F forward
# Build the list of services to be allowed in via the external
# interface.
COMMON=""
[ -n "$FINGER" ] && COMMON="$COMMON 79"
[ -n "$FTP" ] && COMMON="$COMMON 20 21"
[ -n "$HTTP" ] && COMMON="$COMMON 80"
[ -n "$HTTPS" ] && COMMON="$COMMON 443"
[ -n "$IDENT" ] && COMMON="$COMMON 113"
[ -n "$IMAP" ] && COMMON="$COMMON 143"
[ -n "$POP" ] && COMMON="$COMMON 109 110"
[ -n "$SMTP" ] && COMMON="$COMMON 25"
[ -n "$SSH" ] && COMMON="$COMMON 22"
[ -n "$TELNET" ] && COMMON="$COMMON 23"
# Enable a rule to allow the selected common TCP services in
# the external interface of the firewall.
if [ ! -z "$COMMON" ] ; then
for I in $COMMON
do
ipchains -A input -i $EXTERNAL_INT -p TCP -s 0/0 \
-d $EXTERNAL $I -j ACCEPT
done
fi
# Enable a rule to allow inbound DNS responses from UDP port 53.
if [ -n "$DNS" ] ; then
ipchains -A input -i $EXTERNAL_INT -p UDP -s 0/0 53 \
-d $EXTERNAL -j ACCEPT
fi
# Enable a rule to allow established inbound TCP connections.
ipchains -A input ! -y -i $EXTERNAL_INT -p TCP -s 0/0 \
-d $EXTERNAL -j ACCEPT
# Enable a rule to allow inbound ICMP echo-requests (type 8), so that
# hosts outside the firewall can ping it. (The rule must match on the
# interface name, not on the address/mask pair.)
if [ -n "$IN_PING" ] ; then
ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 8 \
-d $EXTERNAL -j ACCEPT
fi
# Enable a rule to allow inbound ICMP echo-replies (type 0), which are
# the answers to pings sent out from the firewall or from behind it.
if [ -n "$OUT_PING" ] ; then
ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 0 \
-d $EXTERNAL -j ACCEPT
fi
# Enable rules to allow outbound traceroutes. These need the inbound ICMP
# Destination-Unreachable (3) and Time-Exceeded (11) messages let through.
if [ -n "$OUT_TRACEROUTE" ] ; then
ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 3 \
-d $EXTERNAL -j ACCEPT
ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 11 \
-d $EXTERNAL -j ACCEPT
fi
# Enable IP-masquerading.
if [ -n "$MASQ" ] ; then
ipchains -P forward DENY
ipchains -A forward -s $INTERNAL -d 0/0 -j MASQ
fi
# Deny all other inbound traffic.
ipchains -A input -i $EXTERNAL_INT -s 0/0 -d $EXTERNAL -j DENY
# Enable kernel-level IP forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
} # End function firewall_on
# The following function disables all firewall rules.
firewall_off() {
# Disable kernel-level IP forwarding for security.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Flush all existing firewall rules.
ipchains -F input
ipchains -F output
ipchains -F forward
} # End function firewall_off
# Main Function
if [ "$1" = "on" ] ; then
echo "Enabling firewall."
firewall_on
exit 0
elif [ "$1" = "off" ] ; then
echo "Disabling firewall."
firewall_off
exit 0
else
echo "Usage: firewall <on | off>" >&2
exit 1
fi
#############################################
# End Firewall Configuration
#############################################
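The script builds its INTERNAL value by gluing the interface's own address to the dotted netmask that ifconfig prints (for example 192.168.1.1/255.255.255.0) and passes that to the masquerade rule. The following is an added example, not part of Nandy's post or of Matthew Cerha's script, showing how to derive the trusted network in network/prefix form (192.168.1.0/24) from the same ifconfig line, rejecting malformed or non-contiguous masks before they reach ipchains. It goes slightly beyond the script by anchoring on the "inet addr:" and "Mask:" labels, so it also works on the P-t-P lines a ppp interface prints. The sample ifconfig line and all function and variable names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from Nandy's post or Matthew Cerha's script): derive the
# trusted network in CIDR form from an ifconfig(8) "inet addr:" line, with
# validation of the dotted netmask. The sample line below is constructed to
# mimic Red Hat 6.2 ifconfig output.

# inet_from_ifconfig_line LINE -> "ADDR MASK"
# Anchors on the labels instead of on field position, so a ppp line such as
# "inet addr:A P-t-P:B Mask:M" parses as well as "inet addr:A Bcast:B Mask:M".
inet_from_ifconfig_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*inet addr:\([0-9.]*\).*Mask:\([0-9.]*\).*/\1 \2/p'
}

# mask_to_prefix DOTTED_MASK -> prefix length; non-zero status unless the mask
# is four octets of contiguous one-bits followed only by zero-bits.
mask_to_prefix() {
    mask=$1; prefix=0; partial_seen=0
    oldifs=$IFS; IFS=.; set -- $mask; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad netmask: $mask" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;;
            *)   echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
        # once an octet is below 255, every later octet must be 0
        if [ $partial_seen -eq 1 ] && [ $bits -ne 0 ]; then
            echo "non-contiguous netmask: $mask" >&2; return 1
        fi
        [ $bits -eq 8 ] || partial_seen=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# network_of ADDR DOTTED_MASK -> "NETWORK/PREFIX", the value to hand to
# ipchains -s for the trusted side (the address ANDed with the mask).
network_of() {
    addr=$1; mask=$2
    prefix=$(mask_to_prefix "$mask") || return 1
    oldifs=$IFS; IFS=.
    set -- $addr; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$oldifs
    echo "$((a1 & m1)).$((a2 & m2)).$((a3 & m3)).$((a4 & m4))/$prefix"
}

# Constructed sample of what `ifconfig eth0 | grep inet` prints on Red Hat 6.2.
SAMPLE_LINE='          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0'

# Stand-alone demonstration: derive INTERNAL from the sample line and show the
# masquerade rule it would produce (printed, not executed).
set -- $(inet_from_ifconfig_line "$SAMPLE_LINE")
INTERNAL=$(network_of "$1" "$2") || exit 1
echo "ipchains -A forward -s $INTERNAL -d 0/0 -j MASQ"
```

Two things worth keeping in mind when reading the original script against this: the awk '{print $4}' it uses for the mask picks the wrong field on a ppp interface, where the third field is P-t-P rather than Bcast; and the forward policy is set to DENY only inside the MASQ block, so with MASQ commented out the forward chain keeps the kernel default and packets from the LAN's addresses are forwarded to the external interface without translation.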