[lug] Weird Masquerading Problem
Ferdinand Schmid
fschmid at archenergy.com
Fri Jul 7 00:57:23 MDT 2000
George:
Masquerading happens through IP chains and is a kernel feature. You are
talking about a crash of your system. Could it be that your kernel isn't
cosher anymore? If you are confident that your rules are set properly then I
would probably try installing a new kernel.
Here is the core of a masquerading setup that I use (the production version has
a fair amount of extras that are not essential for masquerading to work):
Ferdinand
#!/bin/bash
############################################################
# Firewalling Rules
############################################################
#
# flush all rules
#
ipchains -F input
ipchains -F output
ipchains -F forward
#
#
# set policies
#
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
#
#
# allow some packets in but accept all those on the internal interface
#
ipchains -A input -i lo -j ACCEPT
#
#
# deny any coming from outside which are illegal
#
ipchains -A input -i eth0 -s 255.255.255.255/32 -b -j DENY -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -b -j DENY -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -b -j DENY -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -b -j DENY -l
ipchains -A input -i eth0 -s 10.0.0.0/8 -b -j DENY -l
#
#
# allow return packets from connections we initiated
#
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
#
# allow DNS replies
#
ipchains -A input -i eth0 -p tcp -s 204.160.204.10 53 -j ACCEPT
ipchains -A input -i eth0 -p udp -s 204.160.204.10 53 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 204.251.161.10 53 -j ACCEPT
ipchains -A input -i eth0 -p udp -s 204.251.161.10 53 -j ACCEPT
#
#
# allow NTP replies
#
#ipchains -A input -i eth0 -p udp -d 132.163.4.101 123 -j ACCEPT
#ipchains -A input -i eth0 -p udp -d 132.163.4.102 123 -j ACCEPT
#ipchains -A input -i eth0 -p udp -d 132.163.4.103 123 -j ACCEPT
#
#
# allow certain classes of ICMP
#
ipchains -A input -i eth0 -p icmp --dport 0 -j ACCEPT
ipchains -A input -i eth0 -p icmp --dport 3 -j ACCEPT
ipchains -A input -i eth0 -p icmp --dport 11 -j ACCEPT
#
#
# deny syslog messages from other machines
ipchains -A input -i eth0 -p udp --dport 514 -j DENY -l
#
#
# finally deny all other packets to input and LOG them
#
ipchains -A input -j DENY -l
#
#
#################################################################
# MASQ rules
#################################################################
#
ipchains -A forward -j MASQ -s 10.1.1.0/24 -d ! 10.1.1.0/24
#
#
# Source Routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
# END OF FILE
George Sexton wrote:
> I have this weird problem on a machine that I can't figure out.
>
> For some reason, masquerading just stopped working. It was working fine,
> then one day there was a crash, and then it didn't work any more.
>
> I have done a pretty thorough security check so I am fairly confident the
> box has not been hacked. I have checked current rules using IPCHAINS and
> everything looks good. I also tried replacing the NIC on the theory that
> maybe there was something strange in the NIC driver (EEPro100 which has been
> notoriously bad lately).
>
> The only thing I can think is that there is another box with the same IP. I
> shut down the Linux box, and waited for a while, and didn't see anything
> that looked like another box on the same IP address. This one has me really
> stumped. I would appreciate any ideas.
>
> George Sexton
> MH Software, Inc.
> Voice: 303 438 9585
> http://www.mhsoftware.com
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
Ferdinand Schmid
Architectural Energy Corporation
http://www.archenergy.com
303-444-4149
More information about the LUG
mailing list