# the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default because it can let outside hosts port scan internal machines
# through masqueraded UDP ports.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# Specify your static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset recognize
# your IP address every time you get a new one. To do this, enable the
# following one-line script. (Please note that the different single and
# double quote characters MATTER).
#
#
# DHCP (cable modem and DSL) users:
# ---------------------------------
# If you get your TCP/IP address via DHCP, **you will need** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc.)
# on the lines for "ppp-ip" and "EXTIP".
#
# DHCP and PPP users: The remote DHCP or PPP server can and will change
# IP addresses on you over time. To deal with this, configure your DHCP or
# PPP client to re-run the rc.firewall-* ruleset every time the IP address
# changes. Please see the "masq-and-dyn-addr" FAQ entry in the IPMASQ HOWTO
# for full details on how to do this.
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
# The following line determines your external IP address from the output of
# ifconfig. It is somewhat complex and confusing, but because it matches on
# the interface name and the "addr:" layout rather than on any English words,
# it also works on NON-English Linux distributions.
#
# Make sure the EXTIF variable above is set to reflect the name
# of your Internet connection
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
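# The EXTIP line above is easiest to understand when run against captured
# ifconfig text. The following is an added example, not part of the
# rc.firewall ruleset or the IPMASQ HOWTO: it reproduces the HOWTO's awk
# program as a function fed from constructed ifconfig output, and shows a
# second version that also copes with the newer ifconfig layout (no "addr:"
# label), on which the classic program prints nothing. The interface name
# eth0, the MAC and the 203.0.113.x addresses are assumed sample values.

```shell
#!/bin/sh
# Added example, not part of the rc.firewall ruleset: extract an interface's
# IPv4 address from ifconfig output with awk, the way the EXTIP line does,
# but fed from constructed text so it runs offline. The interface name and
# addresses are assumed values.

# Constructed sample of classic (net-tools) ifconfig output.
SAMPLE_OLD='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample of newer ifconfig output (no "addr:" label).
SAMPLE_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.7  netmask 255.255.255.0  broadcast 203.0.113.255
        ether 00:11:22:33:44:55  txqueuelen 1000  (Ethernet)'

# ext_ip_classic IFACE   (reads ifconfig output on stdin)
# The same awk program as the ruleset's EXTIP line: skip the line that names
# the interface, then split the next line on ":" and print the first word
# after the colon. It never matches on "inet" or "addr", which is why it
# works on non-English locales, but it depends on the "addr:" layout.
ext_ip_classic() {
    awk "/$1/"'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'
}

# ext_ip IFACE   (reads ifconfig output on stdin)
# Track which interface block we are in (header lines start in column 1),
# then take the second field of that block's "inet" line, dropping an
# optional "addr:" prefix. Handles both layouts above.
ext_ip() {
    awk -v want="$1" '
        /^[A-Za-z0-9._-]+:? / { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 == "inet" {
            addr = $2; sub(/^addr:/, "", addr); print addr; exit
        }
    '
}

# Demonstration
printf '%s\n' "$SAMPLE_OLD" | ext_ip_classic eth0   # 203.0.113.7
printf '%s\n' "$SAMPLE_NEW" | ext_ip_classic eth0   # prints an empty line
printf '%s\n' "$SAMPLE_OLD" | ext_ip eth0           # 203.0.113.7
printf '%s\n' "$SAMPLE_NEW" | ext_ip eth0           # 203.0.113.7
```

# Worth checking on the machine you deploy on: if the classic line prints an
# empty string, EXTIP is empty and every rule below that uses it is not the
# rule you intended. On systems with iproute2, `ip -4 -o addr show dev "$EXTIF"`
# is a more stable source than parsing ifconfig.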
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
# firewall timeout in ICQ itself)
#
$IPCHAINS -M -S 7200 10 60
#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch-all rule at the end that rejects and logs.
#
$IPCHAINS -F input
$IPCHAINS -P input REJECT
# local interface, local machines, going anywhere is valid
#
$IPCHAINS -A input -i $INTIF -s $INTNET -d 0.0.0.0/0 -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPCHAINS -A input -i $EXTIF -s $INTNET -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source, going to the MASQ servers IP address is valid
#
# ENABLE this line if you want ALL Internet traffic to be able to connect to
# the various servers running on the MASQ server. This includes
# web servers, ssh servers, dns servers, etc.
#
# I DON'T recommend you enable this rule. Instead, only enable specific
# access to select server ports under the "OPTIONAL INPUT Section".
# An example of enabling HTTP (WWW) has been given below:
#
#
#$IPCHAINS -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
# loopback interface is valid.
#
$IPCHAINS -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# ----- Begin OPTIONAL INPUT Section -----
#
# HTTPd - Enable the following lines if you either run a WWW server on
# the IPMASQ server -OR- plan on PORTFW'ing HTTP traffic to
# an internal WWW server
#
#$IPCHAINS -A input -i $EXTIF -p tcp -s 0.0.0.0/0 -d $EXTIP 80 -j ACCEPT
#
# ----- End OPTIONAL INPUT Section -----
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
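# ipchains walks the input chain in order and the first matching rule wins, so
# the order above (accept local, reject spoofed, accept loopback, optional
# per-port accepts, then the logging catch-all) is what makes the ruleset
# safe. The following is an added example, not part of the rc.firewall
# ruleset: a small shell model of that chain, walked over constructed
# packets, so the effect of the ordering can be seen without a 2.2 kernel.
# The interface names eth0/eth1, the 192.168.0.0/24 internal network and the
# 203.0.113.7 external address are assumed values; the OPTIONAL INPUT HTTP
# rule is modelled as enabled.

```shell
#!/bin/sh
# Added example, not part of the rc.firewall ruleset: a model of the input
# chain, walked in rule order (first match wins, as ipchains does).
# The interface names, network and address below are assumed values.
INTIF=eth1                 # assumed internal interface
EXTIF=eth0                 # assumed external interface
INTNET=192.168.0.0/24      # assumed internal network
EXTIP=203.0.113.7          # assumed external address
WWW_OPEN=yes               # model the OPTIONAL INPUT HTTP rule as enabled

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/PREFIX -> true if IP lies inside NET/PREFIX (a /0 matches all)
in_net() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# input_verdict IFACE SRC DST PROTO DPORT -> verdict of the chain above
input_verdict() {
    iface=$1; src=$2; dst=$3; proto=$4; dport=$5
    # 1. local interface, local machines, going anywhere: ACCEPT
    if [ "$iface" = "$INTIF" ] && in_net "$src" "$INTNET"; then
        echo ACCEPT; return
    fi
    # 2. remote interface claiming to be a local machine: REJECT and log
    if [ "$iface" = "$EXTIF" ] && in_net "$src" "$INTNET"; then
        echo "REJECT log=spoof"; return
    fi
    # 3. loopback: ACCEPT
    if [ "$iface" = lo ]; then
        echo ACCEPT; return
    fi
    # 4. OPTIONAL INPUT: HTTP to the MASQ server's own address
    if [ "$WWW_OPEN" = yes ] && [ "$iface" = "$EXTIF" ] && [ "$proto" = tcp ] \
       && in_net "$dst" "$EXTIP/32" && [ "$dport" -eq 80 ]; then
        echo ACCEPT; return
    fi
    # 5. catch-all: everything else is rejected and logged
    echo "REJECT log=catchall"
}

# Constructed packets (iface src dst proto dport) walked through the model.
for pkt in "$INTIF 192.168.0.5 198.51.100.9 tcp 443" \
           "$EXTIF 192.168.0.5 $EXTIP tcp 80" \
           "lo 127.0.0.1 127.0.0.1 udp 53" \
           "$EXTIF 198.51.100.9 $EXTIP tcp 80" \
           "$EXTIF 198.51.100.9 $EXTIP tcp 22"; do
    echo "$pkt -> $(input_verdict $pkt)"
done
```

# Note what the model makes visible: a packet from 192.168.0.5 arriving on
# eth0 is rejected by rule 2 even though the same source on eth1 is accepted
# by rule 1, and an external connection to port 22 on the MASQ server falls
# through to the logging catch-all because nothing accepted it. The only
# spoof check in this chain is for sources inside INTNET; anything else not
# explicitly accepted is handled by the catch-all.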
#############################################################################
# Outgoing, flush and set default policy of reject. Actually