No subject

KCLUG kclug at marauder.illiana.net
Thu Dec 13 22:05:49 CST 2001


From erossiter1 at home.com  Thu Jan 25 22:02:03 2001
Message-ID: <001e01c0874c$c96900a0$d8811618 at cj765101b>
From: "Eric Rossiter" <erossiter1 at home.com>
To: <kclug at kclug.org>
Cc: <rossiter at discoverynet.com>
Subject: IPMASQ on the @HOME network in Independence (continued)

When we last left our comic book heroes... Phedup was asking...

Trying to set up IPMASQ/IPCHAINS/IPWHATEVER on a RH 7.0 box connected to the
Comcast @ home cable network.  Have a Win95 box on the local net. Have a
script called "gatekeeper" (see attached) fired at boot from /etc/rc.local.
Linux box works fine (with a hack to /etc/ifup =)), email, web, ftp, etc.
Win95 box no go Joe. BTW, the RH 7.0 box is dual boot w/Win2k.

I found out this evening I can ping out from the Win95 box.

Brian K was suggesting:
> > On your Windows box, you need to enter the DNS server IP
> > addresses for Comcast under the Network Properties.
> > You need to put the IP of the Linux
> > box in for the default gateway under the Windows Network Properties.
> > Finally, the Windows box needs an IP on the private network
> > (your home network (192.168.x.x or 10.0.0.x)) that matches up with the
> > private IP you picked for your Linux box.

Net adapter props. in Win2k listed the following:
IP - 24.22.129.216
Mask - 255.255.255.128
GW - 24.22.129.129
DHCP Server - 24.2.4.70

Boot to Linux....grab a smoke, feed the dog, head for the bookcase, fall
over the cat.....cuss.......

Ok, so I whipped out O'Reilly's LNAG and played and phiddled with nslookup
and set type and gleaned the following:

proxy1.indpdnce1.mo.home.com - 24.16.152.15
c1-se6-2.kscymo1.mo.home.net - 24.7.74.141
lh1.rcd1.ne.home.com - 24.2.4.70 (I gather my DHCP server is in Nebraska?!?)

The RH 7.0 box is 10.0.0.1, the Win95 box is 10.0.0.2.  Put 10.0.0.1 in for
the default gateway under the Windows Network Properties.

I entered all of the above in DNS under the Windows Network Properties (one
at a time, trying the different pairs) in the Win95 box.  Can ping out, but
no web pages in browser, once again the dreaded "DNS error." I discovered I
can not ftp to the same site I can ping. (this a site known to me, I have
rights there and everything!!!) I am root, fear me..... "what do you want to
rm today?"....but I digress......

Brian D. was suggesting:
> > Also, make sure the M$ Windows box has IP forwarding turned
> > on. Although it
> > looks like it may be.

I can't find that on a Win95 box bubba.

But Brian D added:

>> At least on NT.

Reckon that's why I can't find it on the Win95 box.  I'm droll I know, but
it's getting on in the evening.  =)

Ok, so on with it Phed......  I discovered while all the gyrations on the
Win95 box were proceeding, a tail of /var/log/messages showed what you see
below:

Jan 25 20:10:39 cj765101-b kernel: Packet log: input REJECT eth0 PROTO=17
24.22.129.216:137 24.22.129.255:137 L=96 S=0x00 I=156 F=0x0000 T=64 (#5)
Jan 25 20:10:39 cj765101-b kernel: Packet log: input REJECT eth0 PROTO=17
24.22.129.216:137 24.22.129.255:137 L=96 S=0x00 I=158 F=0x0000 T=64 (#5)
Jan 25 20:10:41 cj765101-b kernel: Packet log: input REJECT eth0 PROTO=17
24.22.129.216:137 24.22.129.255:137 L=96 S=0x00 I=161 F=0x0000 T=64 (#5)
Jan 25 20:10:41 cj765101-b kernel: Packet log: input REJECT eth0 PROTO=17
24.22.129.216:137 24.22.129.255:137 L=96 S=0x00 I=163 F=0x0000 T=64 (#5)

I did a watch on a tail of /var/log/messages and this went on and on, and
the I=nnn parameter kept incrementing by one or two as you see here.  Now, I
don't have a clue what this means (yet) but some of you might. The 216
address is my machine.... I believe the .255 (broadcast?) address is a
router somewhere???  Someone clue me heah?

I'm beginning to believe my own script is choking me off maybe? The script
was adapted by the Geeks at the Geekcave, and given to me; supposedly all I
had to do was change the IP to match my RH 7.0 box (which I did.)  I have
read ipfwadm/IPCHAINS/IPTABLES in O'Reilly's LNAG and it doesn't look too
rough.  I think I could hack out something that would serve my purpose. I
don't understand half the stuff in that gatekeeper script....lol  *blush*
Anyone wanna splain it to me, I'll buy the beer.  =) If some of you more
knowledgeable pholks would care to take a look at this script and make sure
I'm not phubar'n myself, I'd be phorever in your debt.

So there we have it as of this evening comic book heroes.....tune in
tomorrow......same Bat Time....same Bat Channel........

TIA

Eric R

P.S.  managed to configure pine in Linux...mail server is
mail.indpdnce1.mo.home.com (just in case that gives someone a clue that it
didn't me)  night pholks.....

[Attachment: gatekeeper.txt]

#!/bin/sh

# TURN ON FORWARDING

echo 1 > /proc/sys/net/ipv4/ip_forward

#-------------------------------------------------------------------
echo "gatekeeper - linux kernel packet router/filter ruleset
by Consultant Field Engineering (www.cfecorp.net)
- adapted from the Geekcave ruleset
- original IPCHAINS-FIREWALL V1.6.2m ruleset by Ian Hall-Beyer
"

#
# IPCHAINS-FIREWALL V1.6.2m
#
# ----------------------------------------- Ipchains Firewall and MASQ Script -
#
# Original script by Ian Hall-Beyer (manuka at nerdherd.net)
#
# Contributors:
# terminus (cpm at dotquad.com) (ICQ & DHCP, @home testing)

# ---------------------------------------------------------------- Interfaces -
# Local Interface
# This is the interface that is your link to the world

LOCALIF="eth0"

# Internal Interface
# This is the interface for your local network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0

INTERNALNET="10.0.0.0/25"
INTERNALIF="eth1"

# ------------------------------------------------------- Variable definition -
#
# Set the location of ipchains.

IPCHAINS="/sbin/ipchains"

# You shouldn't need to change anything in the rest of this section

# Pull the address and netmask of the external interface out of ifconfig's
# "inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M" line. The space delimiter of
# the second cut must be quoted; an unquoted run of spaces makes cut take
# "-f" as the delimiter and the script breaks.
LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
# NOTE: LOCALMASK is the interface netmask, so LOCALNET is the whole external
# subnet the box sits in, not just this host's address.
LOCALNET="$LOCALIP/$LOCALMASK"

echo "Internal ($INTERNALIF): $INTERNALNET"
echo "External ($LOCALIF): $LOCALNET"
echo "-------------------------------------"

REMOTENET="0/0"

# -------------------------------------- Flush everything, start from scratch -

echo -n "Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."

# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."

echo "Done!"

# ---------------------------------- Allow all connections within the network -

echo -n "Internal.."

$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."

echo "Done!"

# -------------------------------------------------- Allow loopback interface -

echo -n "Loopback.."

$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."

echo "Done!"

# -------------------------------------------------------------- Masquerading -

echo -n "Masquerading.."

# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."

# don't masquerade traffic that already carries an external-subnet source
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "."

# masquerade all internal IPs going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."

# set the default policy of the forward chain to REJECT
$IPCHAINS -P forward REJECT
echo -n "."

# --------------------- Allow all connections from the network to the outside -

$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."

echo "Done!"

# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

echo -n "TOS flags.."

$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10 -j ACCEPT
$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10 -j ACCEPT
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10 -j ACCEPT
echo -n "..."

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08 -j ACCEPT
echo -n "."

echo "Done!"

# ---------------------------------------------------------- Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.

# echo -n "Trusted Networks.."

# $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j ACCEPT
# echo -n "."

# echo "Done!"

# ----------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems. These packets are logged.

#echo -n "Banned Networks.."

# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j REJECT
# echo -n "."

# This one blocks ICMP attacks
# $IPCHAINS -A input -l -i $LOCALIF -p icmp -s 0/0 -d $LOCALNET -j REJECT
# echo -n "."

#echo "Done!"

# ---------------------------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.
# Every rule here carries -l, so each hit is written to the kernel log as a
# "Packet log:" line that names the chain, the target and the rule number.

echo -n "Port Blocks.."

# NetBEUI/Samba
$IPCHAINS -A input -p tcp -l -s $REMOTENET -d $LOCALNET 137:139 -j REJECT
$IPCHAINS -A input -p udp -l -s $REMOTENET -d $LOCALNET 137:139 -j REJECT
echo -n "."

# Microsoft SQL
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 1433 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 1433 -j REJECT
echo -n "."

# Postgres SQL

$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 5432 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 5432 -j REJECT
echo -n "."

# Network File System
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 2049 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 2049 -j REJECT
echo -n "."

# X Displays :0-:2-
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j REJECT
echo -n "."

# X Font Server :0-:2-
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 7100 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 7100 -j REJECT
echo -n "."

# Back Orifice (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j REJECT
echo -n "."

# NetBus (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j REJECT
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j REJECT
echo -n "."

echo "Done!"

# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains (including the replies to masqueraded connections, which come
# back to the high ports MASQ rewrote them to)

echo -n "High Ports.."

$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
echo -n "."

echo "Done!"

# ------------------------------------------------------------ Basic Services -

echo -n "Services.."

# ftp-data (20) and ftp (21)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
echo -n ".."

# ssh (22)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
echo -n "."

# telnet (23)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
echo -n "."

# smtp (25)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
echo -n "."

# DNS (53)
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
#echo -n ".."

# DHCP on LAN side (to make @Home DHCP work) (67/68)
# $IPCHAINS -A input -i $INTERNALIF -p udp -s $INTERNALNET -d 255.255.255.255/24 67 -j ACCEPT
# $IPCHAINS -A output -i $INTERNALIF -p udp -s $INTERNALNET -d 255.255.255.255/24 68 -j ACCEPT
# echo -n ".."

# http (80)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
echo -n "."

# POP-3 (110)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
# echo -n "."

# identd (113)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
# echo -n "."

# nntp (119)
# $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
# echo -n "."

# NetBIOS name service (137)
# $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 137 -j ACCEPT
# $IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 137 -j ACCEPT
# echo -n "."

# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."

# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."

# Log connections to port 25000
# $IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 25000 -j REJECT

echo "Done!"

# ---------------------------------------------------------------------- ICMP -

echo -n "ICMP Rules.."

# Use this to deny ICMP attacks from specific addresses
# $IPCHAINS -A input -b -i $LOCALIF -p icmp -s <address> -d 0/0 -j REJECT
# echo -n "."

# Allow incoming ICMP
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n "...."

echo "Done!"

# -------------------------------------------------------- set default policy -

# Anything that reached the end of the input chain is logged and rejected;
# everything the box itself sends is allowed out.
$IPCHAINS -A input -l -j REJECT
$IPCHAINS -A output -j ACCEPT

echo
echo "Finished Establishing Firewall. Made to Order by the Geekcave"
echo "http://www.geekcave.net"