Re: Firewall and IPMASQ

> From: "Bjornson, Matt" <mbjornson techies com>
> Date: Wed, 5 Apr 2000 11:16:00 -0500 
> I am trying to figure out how to create a script that would be run on a
> firewall machine between the DSL "modem" and my private network.  I am
> admittedly not too bright and am not able to figure how to write an ipchains
> script that will
> 1.	Keep out all traffic except to my apache webserver and to receive
> email ( sendmail) this is a different machine than the firewall box.
> 2.	IP Masquerade all internal machines (3) when they access the
> external internet.
> Is there any information or scripts that anyone has used for these purposes
> or any books that anyone would suggest?
> Thanks Matt

The IP Masquerade is excellent IMO, and provides explicit instructions
for #2.

I found the Firewall HOWTO more "cryptic", but eventually put together
some rules to keep out all traffic from my ppp connection.  You would
want to change -i ppp0 to -i eth0 (or whatever device your internet
connection comes through).

Here's the basic idea for masquerading internal machines (change the
IP to your internal IP).

# default policy for forwards is DENY
/sbin/ipchains -P forward DENY

# masquerade local network
/sbin/ipchains -A forward -s -j MASQ

Here's a simple firewall to keep out incoming connect requests:
/sbin/ipchains -N ppp-in
/sbin/ipchains -A input -i ppp0 -j ppp-in
/sbin/ipchains -A ppp-in -p tcp -y -l -j REJECT

Note: this may not be perfect, but it seems to work (others please
feel free to chime in with better suggestions).

To allow webserver connections, it would be something like (but not

/sbin/ipchains -A ppp-in -p tcp -s 0/0 -d your-ip 80 -j ACCEPT

This would have to be before the above REJECT line since once a
"match" is found, it skips the rest of the chain.

Please see the HOWTOs for more ideas, but this should get you started.
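
Added example, not part of the original message: a small Python model of first-match evaluation in the ppp-in chain, showing why the port 80 ACCEPT rule has to sit before the SYN REJECT rule. The address 203.0.113.10 stands in for "your-ip" and the sample packets are constructed; the model assumes that -y matches only packets with SYN set and ACK and FIN cleared, and that a packet matching no rule returns to the calling chain.

```python
# Added illustration: models first-match evaluation of the ppp-in chain.
# The address and the sample packets below are constructed values.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    dst: str
    syn: bool = False
    ack: bool = False
    fin: bool = False

@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or REJECT (-j)
    proto: Optional[str] = None  # -p
    dst: Optional[str] = None    # -d address
    dport: Optional[int] = None  # port given after the -d address
    syn_only: bool = False       # -y

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.dst and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # -y: SYN set, ACK and FIN clear, i.e. a new connection request
        if self.syn_only and not (p.syn and not p.ack and not p.fin):
            return False
        return True

def evaluate(chain, packet):
    """Target of the first matching rule; 'RETURN' means nothing matched and
    the packet goes back to the calling chain (and on to its policy)."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return "RETURN"

MY_IP = "203.0.113.10"  # placeholder for "your-ip"
REJECT_SYN = Rule("REJECT", proto="tcp", syn_only=True)
ALLOW_WEB = Rule("ACCEPT", proto="tcp", dst=MY_IP, dport=80)
GOOD_ORDER = [ALLOW_WEB, REJECT_SYN]  # ACCEPT placed before REJECT
BAD_ORDER = [REJECT_SYN, ALLOW_WEB]   # ACCEPT appended after REJECT

WEB_SYN = Packet("tcp", 80, MY_IP, syn=True)
TELNET_SYN = Packet("tcp", 23, MY_IP, syn=True)
REPLY = Packet("tcp", 1025, MY_IP, ack=True)  # reply to an outbound connection
```

With GOOD_ORDER the web connection request is accepted and every other incoming connection request is rejected; with BAD_ORDER the REJECT rule matches first and the ACCEPT rule is never reached.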


