TCLUG Archive

Re: [TCLUG:7419] firewall configuration



David Guy Brizan wrote:
> 
> Hey folks! This is a follow up from Clay's talk on Saturday. (Thanks
> Clay! Very informative.) For those of you who are using ipchains to do
> firewalling, here is a URL which, used properly, generates a script
> which can be used for the "rc.firewall" which Clay makes reference to:
> 
>         http://rlz.ne.mediaone.net/linux/firewall/


Thanks. I will put that link on the TCLUG web page.

> 
> (Start by selecting "General Home System..." unless you happen to be a
> mediaone.net customer, I guess.)
> 
> I found it a little hard to understand, personally. And, unless I missed
> something, it doesn't account for IP Masquerading at all, which, I
> believe, is the most common thing ipchains / ipfwadm are used for on
> Linux.

ipchains is used for much more than IP Masquerading. Basically, it is
used to manage firewall rules in Linux. A Linux firewall does NOT have
to be using IP Masquerading. It could just be used to route packets
between two networks. Therefore ipchains would just be used to determine
what is to be accepted/rejected. Just think of it as a packet filter.

> 
> Oh well. Maybe someone can step up and make something similar, but
> better. Maybe I will, if I suddenly get a heap of free time on my hands.
> In the mean time, these commands are taken from the ("3.1.  Rusty's
> Three-Line Guide To Masquerading" section of the) IPCHAINS-HOWTO:
> 
>         # ipchains -P forward DENY
>         # ipchains -A forward -i ppp0 -j MASQ
>         # echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> (Substitute ppp0 with your "external" interface, of course.) The two, in
> combination, should give you a decent firewall / router... except, I
> believe, you have to open all ports above 61000 for masquerading. (See
> previous question and -- I hope -- discussion.)

No, you do not need to open up a hole above 61000. I never heard that and
I would be interested in where you got that information. IP Masquerading
doesn't use any ports to work. The three commands are all you need to get
it going.

To explain the commands again:

ipchains -P forward DENY                 # default policy for the forward chain:
                                         # DENY everything not matched by a rule
ipchains -A forward -i ppp0 -j MASQ      # adds a forward rule: packets leaving
                                         # through ppp0 are masqueraded
echo 1 > /proc/sys/net/ipv4/ip_forward   # enables packet forwarding in the kernel


Clay


-- 
Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
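A fuller rc.firewall built around those three commands, as an added example that is not part of this thread, Clay's rc.firewall, or the mediaone generator. It assumes ppp0 is the external interface, eth0 the internal one and 192.168.1.0/24 the LAN; all three are assumptions to change for your own box. Beyond Rusty's three lines it sets the input chain to DENY by default, drops packets arriving on ppp0 that claim a LAN source address, and narrows the MASQ rule to packets that really come from the LAN instead of masquerading anything that leaves ppp0. It also accepts replies to the masquerade port range 61000:65095 on the external interface: the 2.2 kernel rewrites the source port of masqueraded connections into that range, and the input chain is checked before a packet is demasqueraded, so with a DENY input policy those replies need an explicit ACCEPT. The DRY_RUN switch prints the rule set instead of applying it, which is the sensible way to review a generated firewall script before running it as root.

```shell
#!/bin/sh
# rc.firewall: ipchains masquerading firewall with deny-by-default chains.
# Added example for the TCLUG thread above; not Clay's script, Rusty's HOWTO
# text, or the mediaone generator's output. Assumptions (change to match
# your box): external interface ppp0, internal interface eth0, LAN
# 192.168.1.0/24.

EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
INT_NET="${INT_NET:-192.168.1.0/24}"
# The 2.2 kernel rewrites masqueraded source ports into this range, and the
# input chain runs before demasquerading, so a DENY input policy has to let
# these replies in on the external interface.
MASQ_PORTS="61000:65095"

# Every rule goes through run(): with DRY_RUN=1 the command is printed
# instead of executed, so the rule set can be reviewed before it is applied.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    run ipchains -F                      # flush every chain
    run ipchains -P input DENY           # nothing in unless a rule allows it
    run ipchains -P forward DENY         # nothing routed unless a rule allows it
    run ipchains -P output ACCEPT        # the firewall itself may talk freely

    run ipchains -A input -i lo -j ACCEPT
    # Anti-spoofing: LAN addresses never legitimately arrive on the external link.
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # Replies to masqueraded connections come back to the rewritten ports.
    run ipchains -A input -i "$EXT_IF" -p tcp --destination-port "$MASQ_PORTS" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp --destination-port "$MASQ_PORTS" -j ACCEPT
    # Replies to the firewall's own TCP sessions (no SYN flag) and DNS answers.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp --source-port 53 -j ACCEPT
    # New inbound connection attempts on the external interface: log and drop.
    run ipchains -A input -i "$EXT_IF" -p tcp -y -j DENY -l

    # Rusty's MASQ line, narrowed to traffic that really originates on the LAN.
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

case "${1:-}" in
    apply) firewall_rules && enable_forwarding ;;          # as root, on the firewall
    *)     DRY_RUN=1; firewall_rules; enable_forwarding ;; # default: only show the rules
esac
```

Run `sh rc.firewall` to print the rule set it would install, and `sh rc.firewall apply` as root to install it; the masquerade port ACCEPT rules are the ones to drop if you keep the input policy at ACCEPT instead of DENY.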