Larry> what I want to do is shut off all input from the outside
Larry> world and allow masquerading from anywhere on the LAN.
You can't! If you shut that off, how can the outside world REPLY to
packets sent from your LAN to the outside? Remember, even the most
basic protocols (PING, TCP) need reply packets to work. If you shut
off the return paths, you can't do anything useful.
Larry> I also want to allow the gateway machine (192.168.2.2) to
Larry> have access to the outside world.
Larry> I have tried:
Larry> ipchains -A input -j ACCEPT -s 192.168.2.0/24 -d 0.0.0.0/0
Larry> ipchains -A input -j DENY -s ! 192.168.2.0/24 -d 0.0.0.0/0
That does what you're mentioning, i.e. shutting off also the return
paths of the reply packets.
Larry> or:
Larry> ipchains -P input DENY
Larry> ipchains -A input -j ACCEPT -s 192.168.2.0/24 -d 0.0.0.0/0
I personally prefer this version.
Larry> Neither of these seems to work. How can I set this up so
Larry> that only masqueraded packets from the LAN, or packets from
Larry> the gateway, are allowed to and from the outside world?
Instead of shutting off all inputs from the outside world, your
gateway (192.168.2.2) should allow them, but only when they come from
the suitable INTERFACE. You need some interface-based firewalling
rules. e.g.
On the gateway machine:
ipchains -F input
ipchains -P input DENY
ipchains -A input -j ACCEPT -i eth0 -s 192.168.2.0/24
ipchains -A input -j ACCEPT -i ppp0 -s ! 192.168.2.0/24 -d ! 192.168.2.0/24
Here, I assume that your LAN is attached to eth0, and the outside
world is reached via ppp0. These rules accept all packets from ppp0,
except those (erroneous and possibly malicious) packets claiming that
they come from 192.168.2.* or those that are addressed to 192.168.2.*.
Packets from the outside world shouldn't have the 192.168.2.*
addresses as origin (nor destination, because of masquerading).
Packets from eth0 are accepted only if they have a source address
192.168.2.*. All other packets are denied.
Note that you have to add one more rule for the loopback interface;
otherwise, you'll be unable to 'telnet localhost'. This rule is
trivial, and I leave it for you as an exercise.
Now, masquerading is simple:
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.2.0/24
Return packets will be unmasqueraded.
For the outgoing packets, you'd like to do some filtering:
ipchains -F output
ipchains -P output DENY
ipchains -A output -j ACCEPT -i eth0 -d 192.168.2.0/24
ipchains -A output -j ACCEPT -i ppp0 -d ! 192.168.2.0/24
Again, it is an exercise for you to add one more rule for the loopback
interface.
Disclaimer: These rules are by no means complete or secure. Please
do thorough testing yourself to ensure they're safe.
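As an added illustration (not part of the reply above), the following Python model evaluates the input chain from the reply with ipchains' first-match semantics, so you can see which packets each rule accepts or denies before loading it on a real gateway. The outside addresses 203.0.113.5 and 198.51.100.7 and the extra loopback rule are constructed assumptions, not from the thread.

```python
import ipaddress

# Model of an ipchains rule: target, optional interface, optional
# source/destination network, each possibly negated with a leading "!".
def rule(target, iface=None, src=None, dst=None):
    def parse(spec):
        if spec is None:
            return None
        return ipaddress.ip_network(spec.lstrip("! "), strict=False), spec.startswith("!")
    return {"target": target, "iface": iface, "src": parse(src), "dst": parse(dst)}

def _match(spec, addr):
    # No spec means "any"; otherwise membership XOR negation, like "-s ! net".
    if spec is None:
        return True
    net, negated = spec
    return (ipaddress.ip_address(addr) in net) != negated

def verdict(chain, policy, iface, src, dst):
    # ipchains walks the chain in order; the first matching rule decides,
    # otherwise the chain policy (here DENY) applies.
    for r in chain:
        if r["iface"] in (None, iface) and _match(r["src"], src) and _match(r["dst"], dst):
            return r["target"]
    return policy

LAN = "192.168.2.0/24"
INPUT = [
    rule("ACCEPT", iface="eth0", src=LAN),                       # LAN traffic on eth0
    rule("ACCEPT", iface="ppp0", src="!" + LAN, dst="!" + LAN),  # outside traffic on ppp0
]
LO_RULE = rule("ACCEPT", iface="lo")  # assumed loopback rule, the "exercise" in the reply

def demo():
    # Constructed sample packets: (interface, source, destination).
    # 198.51.100.7 stands in for the gateway's own ppp0 address, which is also
    # what masqueraded LAN packets carry as source, so replies land here too.
    return {
        "lan_host_to_outside": verdict(INPUT, "DENY", "eth0", "192.168.2.10", "203.0.113.5"),
        "reply_to_gateway": verdict(INPUT, "DENY", "ppp0", "203.0.113.5", "198.51.100.7"),
        "spoofed_lan_src_on_ppp0": verdict(INPUT, "DENY", "ppp0", "192.168.2.10", "198.51.100.7"),
        "outside_addressed_to_lan": verdict(INPUT, "DENY", "ppp0", "203.0.113.5", "192.168.2.10"),
        "loopback_without_lo_rule": verdict(INPUT, "DENY", "lo", "127.0.0.1", "127.0.0.1"),
        "loopback_with_lo_rule": verdict(INPUT + [LO_RULE], "DENY", "lo", "127.0.0.1", "127.0.0.1"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result}")
```

The two loopback cases show why the reply insists on the extra rule: with the DENY policy and only interface-specific ACCEPTs, traffic on lo matches nothing and is dropped.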