[lug] Weird Masquerading Problem

George Sexton gsexton at mhsoftware.com
Fri Jul 7 09:31:54 MDT 2000


Regrettably it was cranial flatulence causing the problem. I had been
tweaking the script and I changed:

ipchains -A forward -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24

to

ipchains -A forward -i eth1 -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24

This really broke even though the NIC and source mask were correct. Oh,
well. Next time I play with firewalls, I save the old copy with the date as
part of the name....

> -----Original Message-----
> From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
> Behalf Of Ferdinand Schmid
> Sent: Friday, July 07, 2000 12:57 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Weird Masquerading Problem
>
>
> George:
> Masquerading happens through IP chains and is a kernel feature.  You are
> talking about a crash of your system.  Could it be that your kernel isn't
> kosher anymore?  If you are confident that your rules are set properly then I
> would probably try installing a new kernel.
>
> Here is the core of a masquerading setup that I use (the production version has
> a fair amount of extras that are not essential for masquerading to work):
>
> Ferdinand
>
>
>
> #!/bin/bash
> ############################################################
> # Firewalling Rules
> ############################################################
> #
> # flush all rules
> #
> ipchains -F input
> ipchains -F output
> ipchains -F forward
> #
> #
> # set policies
> #
> ipchains -P input DENY
> ipchains -P output ACCEPT
> ipchains -P forward ACCEPT
> #
> #
> # allow some packets in but accept all those on the internal interface
> #
> ipchains -A input -i lo -j ACCEPT
> #
> #
> # deny any coming from outside which are illegal
> #
> ipchains -A input -i eth0 -s 255.255.255.255/32 -b -j DENY -l
> ipchains -A input -i eth0 -s 127.0.0.0/8 -b -j DENY -l
> ipchains -A input -i eth0 -s 192.168.0.0/16 -b -j DENY -l
> ipchains -A input -i eth0 -s 172.16.0.0/12 -b -j DENY -l
> ipchains -A input -i eth0 -s 10.0.0.0/8 -b -j DENY -l
> #
> #
> # allow return packets from connections we initiated
> #
> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
> #
> # allow DNS replies
> #
> ipchains -A input -i eth0 -p tcp -s 204.160.204.10 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp -s 204.160.204.10 53 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s 204.251.161.10 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp -s 204.251.161.10 53 -j ACCEPT
> #
> #
> # allow NTP replies
> #
> #ipchains -A input -i eth0 -p udp -d 132.163.4.101 123 -j ACCEPT
> #ipchains -A input -i eth0 -p udp -d 132.163.4.102 123 -j ACCEPT
> #ipchains -A input -i eth0 -p udp -d 132.163.4.103 123 -j ACCEPT
> #
> #
> # allow certain classes of ICMP (ipchains takes the ICMP type in the source-port
> # slot, so echo-reply, destination-unreachable and time-exceeded are 0, 3 and 11)
> #
> ipchains -A input -i eth0 -p icmp --sport 0 -j ACCEPT
> ipchains -A input -i eth0 -p icmp --sport 3 -j ACCEPT
> ipchains -A input -i eth0 -p icmp --sport 11 -j ACCEPT
> #
> #
> # deny syslog messages from other machines
> ipchains -A input -i eth0 -p udp --dport 514 -j DENY -l
> #
> #
> # finally deny all other packets to input and LOG them
> #
> ipchains -A input -j DENY -l
> #
> #
> #################################################################
> # MASQ rules
> #################################################################
> #
> ipchains -A forward -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24
> #
> #
> # Source Routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
> # END OF FILE
>
>
> George Sexton wrote:
>
> > I have this weird problem on a machine that I can't figure out.
> >
> > For some reason, masquerading just stopped working. It was working fine,
> > then one day there was a crash, and then it didn't work any more.
> >
> > I have done a pretty thorough security check so I am fairly confident the
> > box has not been hacked. I have checked current rules using IPCHAINS and
> > everything looks good. I also tried replacing the NIC on the theory that
> > maybe there was something strange in the NIC driver (EEPro100 which has been
> > notoriously bad lately).
> >
> > The only thing I can think is that there is another box with the same IP. I
> > shut down the Linux box, and waited for a while, and didn't see anything
> > that looked like another box on the same IP address.  This one has me really
> > stumped. I would appreciate any ideas.
> >
> > George Sexton
> > MH Software, Inc.
> > Voice: 303 438 9585
> > http://www.mhsoftware.com
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
> --
> Ferdinand Schmid
> Architectural Energy Corporation
> http://www.archenergy.com
> 303-444-4149
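The breakage George describes follows from a detail of ipchains that the thread does not spell out: on the forward chain, `-i` names the interface the packet is about to be sent on, not the one it arrived on, so `-i eth1` (the internal NIC) can never match Internet-bound traffic leaving via the external NIC. The following is an added example, not code from the thread or from either poster; it models that matching behaviour for the two rule lines quoted above. It assumes eth0 is the external interface and eth1 the internal one, and the packets are constructed samples.

```python
# Added example (not from the thread): a small model of how ipchains matches a
# rule on the *forward* chain, used to show why adding "-i eth1" to the MASQ rule
# broke masquerading. Assumptions: eth0 is the external NIC, eth1 the internal one;
# the packets below are constructed samples.
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str   # interface the packet arrived on
    out_if: str  # interface the routing decision picked for sending it


@dataclass
class ForwardRule:
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    src_neg: bool = False
    dst: Optional[ipaddress.IPv4Network] = None
    dst_neg: bool = False
    iface: Optional[str] = None
    iface_neg: bool = False


def parse_forward_rule(line: str) -> ForwardRule:
    """Parse the subset of ipchains syntax used in the mail: -A forward, -j, -s, -d, -i,
    with an optional '!' before a value (e.g. '-d ! 10.1.1.0/24')."""
    toks = shlex.split(line)
    if toks[:3] != ["ipchains", "-A", "forward"]:
        raise ValueError("only 'ipchains -A forward ...' rules are modelled")
    rule = ForwardRule()
    i = 3
    while i < len(toks):
        flag = toks[i]
        if flag == "-j":
            rule.target = toks[i + 1]
            i += 2
            continue
        neg = toks[i + 1] == "!"
        value = toks[i + 2] if neg else toks[i + 1]
        i += 3 if neg else 2
        if flag == "-s":
            rule.src, rule.src_neg = ipaddress.ip_network(value, strict=False), neg
        elif flag == "-d":
            rule.dst, rule.dst_neg = ipaddress.ip_network(value, strict=False), neg
        elif flag == "-i":
            rule.iface, rule.iface_neg = value, neg
        else:
            raise ValueError(f"flag {flag} not modelled")
    return rule


def rule_matches(rule: ForwardRule, pkt: Packet) -> bool:
    """ipchains semantics: on the forward (and output) chain, -i names the interface
    the packet is about to be SENT on; only on the input chain is it the arrival interface."""
    def ok(cond: bool, neg: bool) -> bool:
        return cond != neg  # '!' inverts the test
    if rule.src is not None and not ok(ipaddress.ip_address(pkt.src) in rule.src, rule.src_neg):
        return False
    if rule.dst is not None and not ok(ipaddress.ip_address(pkt.dst) in rule.dst, rule.dst_neg):
        return False
    if rule.iface is not None and not ok(pkt.out_if == rule.iface, rule.iface_neg):
        return False
    return True


def is_masqueraded(rule_line: str, pkt: Packet) -> bool:
    """True if the packet hits the rule and the rule's target is MASQ."""
    rule = parse_forward_rule(rule_line)
    return rule.target == "MASQ" and rule_matches(rule, pkt)


# The two rules from the mail, plus the form that keeps an interface test but names
# the external NIC (assumed to be eth0).
WORKING_RULE = "ipchains -A forward -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24"
BROKEN_RULE = "ipchains -A forward -i eth1 -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24"
FIXED_RULE = "ipchains -A forward -i eth0 -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24"

# Constructed sample packets (198.51.100.7 is a documentation address).
OUTBOUND = Packet(src="10.1.1.5", dst="198.51.100.7", in_if="eth1", out_if="eth0")
INTERNAL = Packet(src="10.1.1.5", dst="10.1.1.9", in_if="eth1", out_if="eth1")

if __name__ == "__main__":
    for name, rule in [("working", WORKING_RULE), ("broken", BROKEN_RULE), ("fixed", FIXED_RULE)]:
        print(f"{name:8s} outbound={is_masqueraded(rule, OUTBOUND)} "
              f"internal={is_masqueraded(rule, INTERNAL)}")
```

Running it shows the working and fixed rules masquerading the outbound packet while leaving internal traffic alone, and the `-i eth1` rule matching nothing that leaves via eth0. The later iptables syntax avoids this ambiguity by splitting the test into `-i` (incoming) and `-o` (outgoing).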
