Re: [nottingham] Routing et al

From: Robert Davies (Rob_Davies@ntlworld.com)
Date: Fri 08 Jun 2001 - 20:17:45 BST


On Friday 08 June 2001 7:36 pm, john layton wrote:
>
> I know little about routing, IP masquerading/spoofing and proxying, or
> their interaction, however a problem has come to my attention (see attached
> email) such that two networks need to be connected through a linux box with
> two ethernet cards (one card plugged into a cable modem NTL) and the other
> is visible to windows machines on the local network.

I'd be happy to help, I happen to have SuSE 7.1, and have used Masquerading
and squid proxy with a packet filtering firewall for a company Internet
gateway.

To be secure and safe, it would be best to do a little more than Simon's
reply suggested. Home networks seem to be getting cracked often these days!

> ---------- Forwarded Message ----------
> Subject: Help!
> Date: Tue, 5 Jun 2001 17:10:46 +0100
> From: mick <mickcarter@ntlworld.com>
> To: twallace@cais.com j.s.layton@totalise.co.uk
>
> I have a network problem which I think is related to routing. Having read
> your article www.dc.net/twallace/linux_route on simple routing and followed
> the instructions the problem remains.....
>
> I have a machine with Suse Linux 7.1 which has two network cards
> (192.168.0.1 and 62.254.2.69). 192.168.0.1 goes to a switch which is
> connected to window machines, the 62.254.2.69 (from dhcp) is connected to a
> cable modem and goes to the internet. I am running squid http proxy server
> to deal with any web request on the network, but how do I get pop3, smtp,
> napster (port 8888 I think) and other internet protocols. Is this something
> to do with routing and/or ip-masquerading? Is there a good book?

First off you need to decide on packet filtering on your SuSE 7.1 machine.
If you don't plan to offer any services to the net, then setting SuSE
personal firewall on is simplest and it blocks all incoming connections, but
allows DNS queries to be made, based on contents of resolv.conf. If you use
other UDP protocols, like NTP then you will have to open up the firewall a
little to cater for them.

Roughly you set a variable 'REJECT_ALL_INCOMING' to 'eth0 masq', and add your
own input chains for any protocols you wish to allow.

You should also run YOU (YaST Online Update) as there are some important
security patches.

Take note of this, or your interface will not be able to get an IP address,
when you enable a firewall!

# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP such as ADSL or Cablemodem users, it is necessary to use the
# following before the deny command. The "bootp_client_net_if_name"
# should be replaced with the name of the link that the DHCP/BOOTP server
# will put an address on to? This will be something like "eth0",
# "eth1", etc.
#
# This example is currently commented out.
#
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp

With squid, I'd run a caching name server accessible for your local net, I can
give you a tarball config for that. You can forward queries to the ISP DNS
server, and open up UDP packets with source port 'domain'.

For SMTP the simplest is to run sendmail or postfix. I know sendmail best,
and as you aren't allowing any connections to be initiated, you run little
risk of a remote exploit. Basically you'll need to set up (easiest in
YaST2), smtp.ntlworld.com as your SMARTHOST, add all host and/or domain names
that you wish to receive email by to the alias list (Cw class or add to
Fw/etc/mail/sendmail.cw). You may have to alter the access tables in
/etc/mail, if you allow incoming connections it is _vital_ that you do not
run an open relay, but merely permit mail from/to your domain to be relayed.

For POP3 you can either run fetchmail, and download to the server, then
install one of the POP3 daemons, to serve the local network, or you can
masquerade.

In order to Masquerade you are best to read the ipchains and the
IP-Masquerade HOWTO at www.linuxdoc.org eg)
http://www.mirror.ac.uk/sites/www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

You need to create a script that runs after the firewall final one, sometime
late on in your boot, the basics are :

1) Check spoof protection on your external interface

echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

SuSE already ignores ICMP redirects, after their firewall scripts, no harm in
setting accept_redirects to '0'.

2) Enable routing, and force defragmentation of packets.

for sysctl in ip_forward ip_always_defrag ip_dynaddr
do
   echo 1 > /proc/sys/net/ipv4/$sysctl
done

The ip_dynaddr is to enable 'dynamic-ip address hacking in IP MASQ' as you
use DHCP.

3) Set the policy of the forward chain to deny

ipchains -P forward DENY

4) Look up in the HOWTO the 'ipchains -S' option, as you will need to adjust
the masquerading timeouts.

# MASQ timeouts
/sbin/ipchains -M -S 7200 10 160

5) Create rules of the form

Assuming the Internet interface is eth0, you could also use
--destination-port pop3, to allow connections to anywhere.

ipchains -A forward -i eth0 -s 192.168.0.0/16 -d pop3_host pop3 -j MASQ

Now, for debugging it's great to have a catch-all rule to log denied packets,
then put in rules to silently drop any common ones that Windows machines
often generate. It must be the last rule in the shell script. To test
connections, using telnet pop.ntlworld.com pop from the internal network
should quickly show if the masquerading works or not.

ipchains -A forward -j DENY -l

If you explicitly masquerade the protocols you want to, you will learn what
connections the Windows PCs attempt. Also some protocols like ftp will not
work without loading of modules (eg) ip_masq_ftp), so you might need to add
modprobes to your script.

Rob
--------------------------------------------------------------------
http://www.lug.org.uk http://www.linuxportal.co.uk
http://www.linuxjob.co.uk http://www.linuxshop.co.uk
--------------------------------------------------------------------
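As an added example that is not part of Rob's reply or of SuSE's own firewall scripts, here is one script that carries out steps 1-5 above in the order they require (anti-spoof sysctls first, forward policy DENY before any MASQ rule, the logging DENY last), for an ipchains-era 2.2 kernel. It assumes eth0 is the NTL cable-modem side, the Windows LAN is 192.168.0.0/24 behind the other card, the SuSE firewall script has already run, and ipchains lives at /sbin/ipchains. The DRY_RUN switch is the example's own convention: with DRY_RUN=1 (the default) it prints the commands instead of executing them, so the rule order can be reviewed before the script is installed late in the boot sequence.

```shell
#!/bin/sh
# Added example, not from the original post: consolidated masquerading
# script for the setup discussed in the thread (ipchains, kernel 2.2).
# Assumed: eth0 = cable modem (DHCP), LAN = 192.168.0.0/24, SuSE firewall
# already active. DRY_RUN=1 prints the commands instead of running them.

EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Set a knob under /proc/sys/net/ipv4 (note the 'net/' path component).
set_sysctl() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'echo %s > /proc/sys/net/ipv4/%s\n' "$2" "$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

# Emit the whole masquerading setup in the order the steps require.
masq_setup() {
    # Step 1: reverse-path (anti-spoof) check on the external interface,
    # and refuse ICMP redirects arriving there.
    set_sysctl "conf/$EXT_IF/rp_filter" 1
    set_sysctl "conf/$EXT_IF/accept_redirects" 0

    # Step 2: forwarding, forced defragmentation, and dynamic-address
    # support because the external address comes from DHCP.
    for knob in ip_forward ip_always_defrag ip_dynaddr; do
        set_sysctl "$knob" 1
    done

    # Step 3: nothing is forwarded unless a later rule explicitly allows it.
    run "$IPCHAINS" -P forward DENY

    # Step 4: masquerade timeouts (TCP, TCP after FIN, UDP), in seconds.
    run "$IPCHAINS" -M -S 7200 10 160

    # Helper module for FTP, which carries addresses inside the payload.
    run modprobe ip_masq_ftp

    # Step 5: masquerade only the protocols the LAN actually needs, so that
    # anything else the Windows PCs attempt shows up in the log instead.
    for port in pop3 smtp ftp; do
        run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN_NET" \
            -p tcp --destination-port "$port" -j MASQ
    done

    # Last rule: log whatever was not explicitly allowed, for debugging.
    run "$IPCHAINS" -A forward -j DENY -l
}

masq_setup
```

Once the printed rule list looks right, run it with DRY_RUN=0 as root after the SuSE firewall script has finished; the catch-all logging rule then shows, in the kernel log, each connection the LAN machines attempt that has not been masqueraded yet.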



This archive was generated by hypermail 2.1.3 : Thu 22 Nov 2001 - 13:13:50 GMT