A sample working chain. - (static)
#! /bin/sh

# Script for setting up IP Chaining.
# It will work whether or not PPP is actually up.

PATH=/sbin
ANY=0.0.0.0/0
HERE=$ANY
# ^^^ This probably needs to be changed when I get my real addresses.
# ... then again... perhaps not... :-)

# Address or network allowed to ssh in.  The original post used $WORK
# without defining it (an empty -s argument breaks that ipchains call),
# so take it from the environment and only add the ssh rule when it is set,
# e.g. WORK=192.0.2.0/24 (a placeholder, not a real address).
WORK=${WORK:-}

# Setup: default policies first, then flush every rule (-F) and delete
# every user-defined chain (-X) so the script can be re-run safely.

ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

ipchains -F
ipchains -X

# PPP input chain: everything arriving on a ppp interface is checked here.
# Rules are tested in order; the first match decides.
ipchains -N PPP
# Private and loopback addresses never belong on the PPP link: drop and log.
ipchains -A PPP -s 10.0.0.0/8 -j DENY -l
ipchains -A PPP -d 10.0.0.0/8 -j DENY -l
ipchains -A PPP -s 127.0.0.0/8 -j DENY -l
# Non-SYN TCP (! -y) and UDP to unprivileged ports: replies to connections we opened.
ipchains -A PPP -p tcp -d $HERE 1024: ! -y -j ACCEPT
ipchains -A PPP -p udp -d $HERE 1024: -j ACCEPT
# Services offered to the outside.
ipchains -A PPP -p tcp -d $HERE http -j ACCEPT
# ipchains -A PPP -p tcp -d $HERE https -j ACCEPT
# ipchains -A PPP -p tcp -d $HERE ftp -j ACCEPT
ipchains -A PPP -p udp -d $HERE domain -j ACCEPT
ipchains -A PPP -p tcp -d $HERE domain -j ACCEPT
ipchains -A PPP -p tcp -d $HERE smtp -j ACCEPT
# auth (ident): REJECT rather than DENY so remote mail servers don't wait for a timeout.
ipchains -A PPP -p tcp -d $HERE auth -j REJECT
# ssh only from $WORK (skipped when WORK is empty, see above).
[ -n "$WORK" ] && ipchains -A PPP -p tcp -d $HERE ssh -s $WORK -j ACCEPT
# Note: this one matches on SOURCE port ssh, i.e. traffic coming from remote ssh servers.
ipchains -A PPP -p tcp -s $ANY ssh -j ACCEPT
ipchains -A PPP -p icmp -s $ANY -j ACCEPT
# Active-mode FTP: the server opens a data connection from port ftp-data to a high port.
ipchains -A PPP -p tcp -d $HERE 1024: -s $ANY ftp-data -y -j ACCEPT
# Anything else from the PPP link is dropped and logged.
ipchains -A PPP -j DENY -l

# input chain: hand PPP traffic to the PPP chain, trust the LAN and loopback.
ipchains -A input -i ppp+ -j PPP
ipchains -A input -i eth+ -j ACCEPT
ipchains -A input -i lo -j ACCEPT
# No target: just log whatever falls through before the DENY policy drops it.
ipchains -A input -l

# forwarding: LAN-to-LAN passes, LAN traffic leaving over PPP is masqueraded.
ipchains -A forward -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
ipchains -A forward -s 10.0.0.0/8 -i ppp+ -j MASQ

# output: trust LAN and loopback; keep NetBIOS (137-139) off the PPP link.
ipchains -A output -i eth+ -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A output -i ppp+ -p tcp -d $ANY 137:139 -j DENY

This should get you started. I know I'm being somewhat lazy :-) in not just explaining things. You've got the basic idea, but I think the forward chain needs to default to ACCEPT.

As regards saving them, I would actually suggest you tinker with the rules directly with the ipchains command, and then use /etc/init.d/ipchains save to actually save it. Remember to use chkconfig to make sure the IP chains are loaded at bootup!

As regards email, you probably want a combination of fetchmail and something else. Normally I would recommend [link|http://www.courier-mta.org/|Courier], but I've had trouble with Fetchmail delivering to Courier and no-one associated with either product was interested in investigating it. (This is a bit of a shame as Courier includes an IMAP server, a POP3 server and a webmail server.)

Wade.

"Ah. One of the difficult questions."
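
As an added example that is not part of Wade's post: a small Python walker that replays the PPP chain above with ipchains' first-match semantics, so you can see which rule decides a given packet before loading the rules on a live box. The work network 192.0.2.0/24 (standing in for the undefined $WORK) and the packet addresses are constructed placeholders.

```python
import ipaddress
HIGH = (1024, 65535)  # the "1024:" port range used in the script

def rule(target, proto=None, src=None, sport=None, dst=None, dport=None, syn=None):
    """One rule; None is a wildcard, ports are (lo, hi), syn=True models -y, False ! -y."""
    return dict(target=target, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, syn=syn)

def ppp_chain(work_net):
    """The PPP chain from the post, in order; work_net stands in for $WORK."""
    return [
        rule("DENY", src="10.0.0.0/8"),    # private addresses never belong on PPP
        rule("DENY", dst="10.0.0.0/8"),
        rule("DENY", src="127.0.0.0/8"),
        rule("ACCEPT", proto="tcp", dport=HIGH, syn=False),  # replies to our connections
        rule("ACCEPT", proto="udp", dport=HIGH),
        rule("ACCEPT", proto="tcp", dport=(80, 80)),         # http
        rule("ACCEPT", proto="udp", dport=(53, 53)),         # domain
        rule("ACCEPT", proto="tcp", dport=(53, 53)),
        rule("ACCEPT", proto="tcp", dport=(25, 25)),         # smtp
        rule("REJECT", proto="tcp", dport=(113, 113)),       # auth: reject, don't drop
        rule("ACCEPT", proto="tcp", dport=(22, 22), src=work_net),   # ssh from $WORK
        rule("ACCEPT", proto="tcp", sport=(22, 22)),         # "-s $ANY ssh": SOURCE port 22
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", proto="tcp", dport=HIGH, sport=(20, 20), syn=True),  # ftp-data
        rule("DENY"),                                        # catch-all (logged with -l)
    ]

def matches(r, pkt):
    """Every non-wildcard field of the rule must match the packet."""
    in_range = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["src"] is None or src in ipaddress.ip_network(r["src"]))
            and (r["dst"] is None or dst in ipaddress.ip_network(r["dst"]))
            and in_range(r["sport"], pkt.get("sport", 0))
            and in_range(r["dport"], pkt.get("dport", 0))
            and (r["syn"] is None or r["syn"] == pkt.get("syn", False)))

def verdict(chain, pkt):
    """ipchains is first-match: return (index, target) of the rule that decides."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return i, r["target"]
    raise RuntimeError("unreachable: the chain ends in a catch-all")

if __name__ == "__main__":  # constructed packet: a new inbound SYN to port 8080
    print(verdict(ppp_chain("192.0.2.0/24"), dict(proto="tcp", src="198.51.100.7",
                  dst="203.0.113.5", sport=40000, dport=8080, syn=True)))
```

Walking a few packets through it makes visible which rules match on source rather than destination port (the `-s $ANY ssh` and ftp-data rules), which is worth reviewing before trusting the chain.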

Re: A sample working chain. - (jake123)
Well, you've got some extra stuff that I don't, for security reasons... but wrt masq, that's exactly what I have. I also tried it with ipchains -P forward ACCEPT, but that didn't make any difference... and I didn't think it would because there are a lot of websites that DO work... it's just a significant number of them that don't. At any rate, it's working now with squid as a proxy, exim as an smtp forwarder, and other protocols like telnet, ftp, pop, nntp, etc working just fine via nat. Personally, I think it's the provider... there have been three NAT engines on that network now (linux, warp, and windows based) and ALL of them do the same thing... which I believe means it's not them doing it at all. I mean, I've used the OS/2 solution (safefire) for well over a year on my home network on adsl, and it's always worked fine... I've seen wingate in action on plenty of networks, and I have little doubt that the linux NAT can handle a little http without breathing hard, but my home provider is not the same outfit as these guys have... and since we're talking about Ma Bell here, it wouldn't surprise me in the least if they were playing games... and esp. considering that it's very clear that they have things configured in a similar manner for their smtp server (only the router can connect... masqed packets get denied... not rejected, denied) I'm about 99% sure it's them. I'm not sure what it is about these sites that trip their firewalls... but trip them it seems to do. As soon as there's dynamic content on the site, the jig is up. Either they're doing it on purpose or they have some VERY badly configured proxies in there somewhere...
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca]                   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Laval Québec Canada                   [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------