RedHat as a router to setup a firewall [6 machines]


Post by Hampast » Tue, 21 Mar 2000 04:00:00



Hello,

Here is my question,

I've installed Redhat 6.0 [Hedwig] on an old P166 with 64 MB RAM and a 1 GB
HDD.

Everything runs well, the install session (console-mode only) is ok and I
can boot :-)

This machine includes 2 D-Link Ethernet adapters. Linux recognized only
one of them but linuxconf helped me to add the second.

This computer is a DHCP client of a computer that runs NT4 Server.

Below is my ipchains script. What should I change to get this
Linux box ready for the dynamic IP address my ISP will provide me?

Second question.

Is Masquerading automatically set up with IPChains? Or is there
another way to do that?

Thank you

J.C

#!/bin/sh

# Set up variables
INTERNALIP="192.168.1.1"
EXTERNALIP="xxx.xxx.xxx.xxx"      # placeholder: the address on the ISP-facing interface
LOOPBACK="127.0.0.1"
NETWORKIP="192.168.1.0/24"
ANYWHERE="0.0.0.0/0"
PORTS="1024:65535"                # unprivileged range used as the client-side port

# Flush chains
/sbin/ipchains -F

# Service names are looked up in /etc/services by ipchains
TCP_ALLOWIN="ftp-data ftp"
TCP_ALLOWOUT="echo ftp-data ftp ssh telnet smtp time whois domain finger www pop-3 nntp ntp ircd asp"
MASQ_ALLOWIN="echo ftp-data ftp telnet smtp whois domain www pop-3 nntp irc"

#  ********************************
#  **********> INCOMING <**********
#  ********************************

# Set default policy to deny
/sbin/ipchains -P input DENY

# Unlimited traffic within the local network
/sbin/ipchains -A input -j ACCEPT -s "$NETWORKIP" -d "$ANYWHERE"

# Loopback
/sbin/ipchains -A input -j ACCEPT -s "$ANYWHERE" -i lo

# Target: connections from outside to the services this box offers
for SERVICES in $TCP_ALLOWIN ; do
        /sbin/ipchains -A input -j ACCEPT -p tcp -s "$ANYWHERE" "$PORTS" \
                -d "$EXTERNALIP" "$SERVICES"
done

# Return: replies from outside servers to connections this box opened
for SERVICES in $TCP_ALLOWOUT ; do
        /sbin/ipchains -A input -j ACCEPT -p tcp -s "$ANYWHERE" "$SERVICES" \
                -d "$EXTERNALIP" "$PORTS"
done

# DNS (UDP replies coming from port 53)
/sbin/ipchains -A input -j ACCEPT -p udp -s "$ANYWHERE" domain

# Log the rest
/sbin/ipchains -A input -j DENY -s "$ANYWHERE" -d "$ANYWHERE" -l

#  ********************************
#  **********> OUTGOING <**********
#  ********************************

# Set default policy to deny
/sbin/ipchains -P output DENY

# Unlimited traffic within the local network
/sbin/ipchains -A output -j ACCEPT -s "$ANYWHERE" -d "$NETWORKIP"

# Logging
/sbin/ipchains -A output -j DENY -s "$ANYWHERE" -d "$NETWORKIP" -l
/sbin/ipchains -A output -j DENY -s "$NETWORKIP" -d "$ANYWHERE" -l

# Target: connections this box opens to outside services
for SERVICES in $TCP_ALLOWOUT ; do
        /sbin/ipchains -A output -j ACCEPT -p tcp -s "$EXTERNALIP" "$PORTS" \
                -d "$ANYWHERE" "$SERVICES"
done

# Return: replies to the connections accepted on the input side
for SERVICES in $TCP_ALLOWIN ; do
        /sbin/ipchains -A output -j ACCEPT -p tcp -s "$EXTERNALIP" "$SERVICES" \
                -d "$ANYWHERE" "$PORTS"
done

# DNS
/sbin/ipchains -A output -j ACCEPT -p udp -s "$EXTERNALIP" -d "$ANYWHERE"
# NOTE: this next rule matches every outgoing packet (including the DHCP
# client's lease traffic), so anything not matched above is accepted here
# and the "Log the rest" rule below never fires for the output chain.
/sbin/ipchains -A output -j ACCEPT -s "$ANYWHERE" -d "$ANYWHERE"

# Log the rest
/sbin/ipchains -A output -j DENY -s "$ANYWHERE" -d "$ANYWHERE" -l

#  *********************************
#  **********> Forwarded <**********
#  *********************************

# Set default policy to deny
/sbin/ipchains -P forward DENY

# Masquerade the LAN's connections to the listed services
for MSERVICES in $MASQ_ALLOWIN ; do
        /sbin/ipchains -A forward -j MASQ -p tcp -s "$NETWORKIP" \
                -d "$ANYWHERE" "$MSERVICES"
done

# DNS
/sbin/ipchains -A forward -j MASQ -p udp -s "$NETWORKIP" -d "$ANYWHERE" domain

# Log the rest
/sbin/ipchains -A forward -j DENY -s "$ANYWHERE" -d "$ANYWHERE" -l

------------------
--
Free audio & video emails, greeting cards and forums
Talkway - http://www.talkway.com - Talk more ways (sm)
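The two questions in the post above (a hard-coded EXTERNALIP on a DHCP link, and whether masquerading comes for free with ipchains) are illustrated by the following script. It is an added example, not code from the original poster or the TrinityOS site: it reads the ISP-assigned address from the interface at run time instead of writing it into the script, and it spells out the three things masquerading actually needs (kernel forwarding switched on, the FTP helper module, and a MASQ target in the forward chain). The interface names eth0 (ISP side) and eth1 (LAN side), the ifconfig output format and the sample address are assumptions; the ifconfig text inside the script is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: eth0 is the DHCP (ISP) side, eth1 the LAN side, and ifconfig
# prints the net-tools "inet addr:" line as RedHat 6.0 did.

EXT_IF="eth0"
INT_IF="eth1"
NETWORKIP="192.168.1.0/24"
ANYWHERE="0.0.0.0/0"
PORTS="1024:65535"
MASQ_ALLOWIN="echo ftp-data ftp telnet smtp whois domain www pop-3 nntp irc"

# Extract the first IPv4 address from ifconfig output read on stdin.
# Prints nothing when the interface has no address yet (no lease obtained).
ext_ip_from_ifconfig() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Ask the kernel for the current address of the ISP-facing interface.
current_ext_ip() {
    /sbin/ifconfig "$EXT_IF" 2>/dev/null | ext_ip_from_ifconfig
}

# Print the commands that depend on the external address. They are only
# printed, so they can be inspected or piped to "sh" once the address is
# known; this function changes nothing on the machine by itself.
emit_rules() {
    ext="$1"
    if [ -z "$ext" ]; then
        echo "emit_rules: no address on $EXT_IF yet" >&2
        return 1
    fi
    # Masquerading is NOT switched on just because ipchains is installed:
    # the kernel must forward, the FTP helper handles active-mode data
    # connections, and MASQ must be the target in the forward chain.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "/sbin/modprobe ip_masq_ftp"
    echo "/sbin/ipchains -P forward DENY"
    # In the forward chain -i names the interface the packet leaves on,
    # so only LAN traffic heading out to the ISP is masqueraded.
    for SVC in $MASQ_ALLOWIN; do
        echo "/sbin/ipchains -A forward -j MASQ -p tcp -i $EXT_IF -s $NETWORKIP -d $ANYWHERE $SVC"
    done
    echo "/sbin/ipchains -A forward -j MASQ -p udp -i $EXT_IF -s $NETWORKIP -d $ANYWHERE domain"
    echo "/sbin/ipchains -A forward -j DENY -s $ANYWHERE -d $ANYWHERE -l"
    # Input side: the live address replaces "xxx.xxx.xxx.xxx". "! -y" matches
    # packets without SYN, i.e. replies to connections this box opened, so
    # nothing from outside can start a new connection through this rule.
    echo "/sbin/ipchains -A input -j ACCEPT -p tcp ! -y -s $ANYWHERE -d $ext $PORTS"
    echo "/sbin/ipchains -A input -j DENY -s $ANYWHERE -d $ext -l"
}

# Number of MASQ rules the generator produces (one per service plus UDP DNS).
count_masq_rules() {
    emit_rules "$1" | grep -c -- '-j MASQ'
}

# Constructed sample of ifconfig output (not captured from a real host).
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Parse the sample the same way the real interface would be parsed.
sample_ext_ip() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | ext_ip_from_ifconfig
}

# Real use: run with --apply whenever the DHCP client obtains or renews a
# lease, so the rules follow the address instead of a value typed in by hand.
if [ "${1:-}" = "--apply" ]; then
    emit_rules "$(current_ext_ip)" | sh
fi
```

Without `--apply` the script only defines functions; `emit_rules "$(current_ext_ip)"` prints the rules for review, and the same command piped to `sh` installs them. Because the address is re-read on every run, the script has to be re-run from whatever hook the DHCP client executes after a lease change, otherwise the input rules keep pointing at the previous address.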

 
 
 

RedHat as a router to setup a firewall [6 machines]

Post by Mike Schopp » Tue, 21 Mar 2000 04:00:00


It would be quite a challenge for me to try to debug your ipchains
script. However, there is a site that has a script that worked for
me, straight up. It's TrinityOS. Give it a look.

Mike Schoppe




 
 
 

1. Cisco Router/OpenBSD router firewall setup

I have the following network and I was wishing for some comments on its
IP schema. The IPs (except for office and DMZ) correspond to NICs as well
as an outside IP for a serial card on a Cisco router.

Internet ISP Gateway [x.x.x.d1]

|
---> Cisco Router [x.x.x.d2 (outside IP) | y.y.y.d1 (inside IP)]

|
---> OBSD FW [y.y.y.d2 (out IP) | (192.168.1.1, 192.168.2.1) (2 in IPs)]

|
---> (192.168.1.x (DMZ), 192.168.2.x (office))

That is, the OBSD takes the ethernet connection from the Cisco router
and communicates with 2 sub-networks. The x.x.x and y.y.y are Internet
addressable IPs.

Should I consider using only the outside IP address of the Cisco router
as the only internet addressable address in such a system and if so,
how do I go about assigning IPs in the network which would be more apt?
My naive sense of security is telling me the less internet addressable
IPs in your system, the better this is for system security.

Thanks for any comments or suggestions or related links

Mike

2. Pentium II and big memory

3. BEST Linux distribution for ROUTER/FIREWALL machine?

4. Running web server as some user on Linux.

5. Low Power Firewall/Router Machine

6. MicroChannel in a network

7. Interested in making a firewall and router on a Linux machine

8. PPP/ISDN Slow trans. rates.

9. Router+Firewall+Proxy+DNS on one Linux-Machine??

10. using firewalled linux router as answering machine, security compromised?

11. 386sx/16 as a router/firewall machine -- is it possible?

12. Interested in making a firewall and/or router on a Linux machine

13. help to setup ftp server behind dsl router and firewall