LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 06-06-2001, 09:58 AM   #1
isbrower
Newbie
 
Registered: Apr 2001
Posts: 12

Rep: Reputation: 0

Hello:

I would like to replace my current Windows-based gateway machine, but I am having a problem getting IP MASQ working properly. Here is the setup:

RedHat Linux 7.0 - kernel 2.2.17
eth1 10.1.1.215
eth0 63.72.X.215
(both of these connected to an Intel 10/100 switch)
Router 63.72.X.1 --> Dedicated Internet Connection

Windows Client IP 10.1.1.216
Default Gateway IP 10.1.1.215


I can ping from the internal Windows client to both the internal and external ethernet addresses of the Linux box. I can also ping to the external interface (63.72.X.2) of my current Windows-based gateway.

I cannot ping any other addresses inside or outside of the router from the Windows client. In fact, I cannot ping to the router.

I can, however, ping to any internal or external address from the Linux box.

Here is my routing table:
Destination   Gateway     Genmask         Flags  Iface
10.1.1.0      0.0.0.0     255.255.255.0   U      eth1
63.72.X.0     0.0.0.0     255.255.255.0   U      eth0
127.0.0.0     0.0.0.0     255.0.0.0       U      lo
0.0.0.0       63.72.X.1   0.0.0.0         UG     eth0


Below is the very simple rc.firewall file I am using.
/etc/rc.d/rc.firewall

#!/bin/sh
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 10.1.1.0/24 -j MASQ


To get this to load on startup I have added the following lines to the end of the rc.local file.

echo "Loading the rc.firewall ruleset..."
/etc/rc.d/rc.firewall


If there is any additional information I can provide to clarify the issue please let me know. I am new to Linux, so if I am doing something dumb, my apologies. Thanks.

Steve
 
Old 06-06-2001, 11:03 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31

Steve,

Your set-up gave me a headache trying to picture it so I had to draw it in the end.
Anyway I can see your mistake.
You have forgotten to let the input and output rules allow the forward MASQ option to work and packets to come back into the input chain.
Then they are forwarded to your MASQ setting.

Try this in your rc.firewall script instead.
I've added some settings to help speed up your connection and confuse OS fingerprint scans. "+ stop DOS attack etc etc"

#!/bin/sh
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
sysctl -w net.ipv4.vs.timeout_established=3600
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.vs.timeout_synack=60
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=3600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# only set this if you have more than about a 400kb connection, i.e. DSL
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward REJECT
# sets timeout values for FIN flags etc..
ipchains -M -S 7200 10 60
# magic NAT setting for MASQing
ipchains -A forward -i eth1 -s 10.1.1.0/24 -j MASQ


-----------
Then you have to add some rules to stop people hacking your linux box. "i.e a good firewall with your NATwall"

example:
LAN = 192.168.0.1 "eth0"
External = 192.168.100.10 "eth0:0"
-------------- oooo ---------------
Now put this into your /etc/rc.d/firewall.sh script.

# firewall script by Raz
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# clear all ipchains settings
ipchains -F

# Deny all access to server secure mode enabled.
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT

# sets timeout values for FIN flags etc..
ipchains -M -S 4800 10 60

# magic NAT setting for MASQing
# only used so internal lan can use firewall as gateway to access internet etc.
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# allows access to server from Internal and local only
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.0.0/24 -j ACCEPT

# stops spoof attacks and Windozes netbios crap
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j REJECT
ipchains -A input -p udp -s 0/0 --dport 137:139 -j REJECT
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j REJECT
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j REJECT
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j REJECT
ipchains -A output -p udp -s 0/0 --dport 137:139 -j REJECT
ipchains -A input -i eth0:0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0:0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0:0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0:0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0:0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0:0 -d 0.0.0.0 -j REJECT -l

# turns off tracerouting to you, EXTERNAL IP used
ipchains -A input -p udp -d 192.168.100.10 -s 0/0 33434:33600 -j DENY -l

# access allowed from internet to website port 80 only:
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 192.168.100.10 --dport 80 -j ACCEPT
ipchains -A output -p tcp -s 192.168.100.10 --sport 80 -d 0/0 -j ACCEPT

# don't know your DNS's address so let's call it 154.67.86.2 & 154.67.85.2
# DNS lookup allowed only

ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# secondary DNS allow
ipchains -A input -p tcp ! -y -s 154.67.85.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# DNS lookup udp allowed
ipchains -A output -p udp -s 192.168.100.10 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# secondary DNS allow UDP
ipchains -A input -p udp -s 154.67.85.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT

# allow your firewall to surf the net and internal users
# that use the firewall as a gateway.
# HTTP 80,https and proxy access
# also improve the speed with TOS on internet connections
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTP 8080 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 8080 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 8080 -d 192.168.100.10 1023:65535 -j ACCEPT

# example to allow users to use MSN
# MSN messenger
ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 192.168.100.10 1023:65535 -j ACCEPT

# allow your private windozes box on the internal lan SSH
# or telnet access, only 192.168.0.122 is the windozes
# example ip address you use to remotely connect to the firewall
# change 22 to 23 if you need telnet access.
ipchains -A input -p tcp -s 192.168.0.122 --sport 22 -d 192.168.0.1 1023:65535 -j ACCEPT -l
# logs all connections for you to check with an IDS script
ipchains -A output -p tcp -s 192.168.0.1 --dport 22 -d 192.168.0.122 -j ACCEPT

# now the fun bit to log people trying to scan the firewall
# also stops people pinging it etc etc etc etc
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 2 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 3 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 4 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 5 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 6 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 7 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 8 -j REJECT -l
# that looks for counting scans and log to messages file

ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 20 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 21 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 23 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 25 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 53 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 79 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 110 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 111 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 113 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 443 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 8080 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 6000 -j REJECT -l

# icmp pings and pongs etc
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
# deny ICMP requests for security
# change this and you screw up the point of icmp to manage packets
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 5 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# done

Have fun..
/raz
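As an added example (mine, not raz's code or anything from the thread), a small POSIX shell audit that reads the hardening knobs raz's first script sets back out of the sysctl tree and reports which ones did not take. The keys and expected values are exactly the ones in the script above; the tree that build_sample_tree writes is constructed for the demo (with rp_filter deliberately left at 0 and ip_always_defrag absent, as on a kernel that no longer provides that knob) and is not output from a real box. Pointing it at the live /proc/sys/net/ipv4 is an assumption about where the verifier is run, so the stand-alone run audits the constructed tree unless AUDIT_ROOT says otherwise.

```shell
# Added example (not raz's code): read back the hardening knobs raz's script
# sets and report the ones that did not take.  Keys and expected values are
# those from the script above; the sample tree built by build_sample_tree is
# constructed for the demo, not captured from a real machine.

# "key=expected" pairs, paths relative to the sysctl root (/proc/sys/net/ipv4)
EXPECTED='ip_forward=1
ip_always_defrag=1
tcp_syncookies=1
icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1
conf/all/rp_filter=1
conf/all/accept_redirects=0
conf/all/send_redirects=0'

# audit_sysctls [ROOT]: compare every knob under ROOT (default: the live
# /proc/sys/net/ipv4) with its expected value.  Prints one line per knob:
#   OK       key=value
#   MISMATCH key=actual (want expected)
#   MISSING  key            (the running kernel has no such knob)
# Returns 0 only when every knob is present and has the expected value.
audit_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    status=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        file="$root/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $key"
            status=1
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "OK       $key=$have"
        else
            echo "MISMATCH $key=$have (want $want)"
            status=1
        fi
    done
    return $status
}

# build_sample_tree DIR: constructed sysctl tree with two deliberate faults,
# rp_filter left at 0 and ip_always_defrag missing altogether.
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/conf/all"
    echo 1 > "$dir/ip_forward"
    echo 1 > "$dir/tcp_syncookies"
    echo 1 > "$dir/icmp_echo_ignore_broadcasts"
    echo 1 > "$dir/icmp_ignore_bogus_error_responses"
    echo 0 > "$dir/conf/all/rp_filter"
    echo 0 > "$dir/conf/all/accept_redirects"
    echo 0 > "$dir/conf/all/send_redirects"
}

# Stand-alone run: audit the constructed tree.  On the firewall itself, set
# AUDIT_ROOT=/proc/sys/net/ipv4 to audit the running kernel instead.
demo=$(mktemp -d)
build_sample_tree "$demo"
audit_sysctls "${AUDIT_ROOT:-$demo}" || echo "hardening audit found problems"
rm -rf "$demo"
```

Run it right after the firewall script: a MISMATCH means the echo into that knob did not stick, and a MISSING means the kernel you are on has no such knob, so the line in the script that writes it is doing nothing.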


 
Old 06-06-2001, 01:19 PM   #3
isbrower
Newbie
 
Registered: Apr 2001
Posts: 12

Original Poster
Rep: Reputation: 0
Hi Raz,

Thanks for the quick reply. I have replaced my current configuration with the firewall config you have provided. I have changed the IP addresses to reflect my network setup. I am still having the same problem, though. I can ping the internal and external interfaces of the Linux box and to ONE ip address on our public network, but nothing else.

This is very strange. I could understand if I wasn't able to ping ANY ip addresses on our public network, but why can I ping only ONE address on that network and not to our router or other machines configured with real IP addresses?

Any ideas?

Steve
 
Old 06-06-2001, 02:58 PM   #4
isbrower
Newbie
 
Registered: Apr 2001
Posts: 12

Original Poster
Rep: Reputation: 0
Ok, here is something interesting. I have placed the linux box, another server and my client pc on a separate hub. I have configured the parts as follows:

Client PC 10.1.1.216
Linux G/W eth1: 10.1.1.215
Linux G/W eth0: 63.72.X.215
Server PC 63.72.X.1

I am now able to ping from the client to both interfaces on the Linux box and to the Server PC.

Somehow the existence of another gateway (the Windows-based gateway) on my network must have caused a problem with routing through the Linux gateway. Perhaps the fact that I was originally getting replies from only the external (Windows-based) G/W ip address has something to do with this. Anyway, I'm sure there is a lesson on routing in this, but for the life of me I can't figure out what it is.

If someone could explain this to me, I sure would like to know what is happening. Again, thanks for the help Raz.

Steve
 
Old 06-11-2001, 08:05 AM   #5
Danish Usman
LQ Newbie
 
Registered: Jun 2001
Posts: 4

Rep: Reputation: 0
Your Solution

There is a very simple solution for your problem, I think.
Just try this.

This code is 100% Tested

#!/bin/sh
#
#
/sbin/depmod -a
#
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_icq
/sbin/modprobe ip_masq_vdolive

echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

/sbin/ipchains -M -S 7200 10 160

/sbin/ipchains -P forward DENY
/sbin/route add -net 192.168.0.0/255 eth0
/sbin/ipchains -A forward -s 0/0 -j MASQ
 
Old 06-11-2001, 09:02 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Danish,

Your script enables the firewall for DHCP + it also adds a route to a subnet he's not using. "/sbin/route add -net 192.168.0.0/255 eth0 "

But I think you're right with the -s 0/0 instead of the -i eth1, this will enable any interface to MASQ. "the -i should have worked"

Also you've taken the defrag option out, this is needed so people can't bypass your rules as the packets are reassembled before they hit the wall.

so trying this one again:

Easy script would be:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward REJECT
# sets timeout values for FIN flags etc..
ipchains -M -S 7200 10 60
# magic NAT setting for MASQing
ipchains -A forward -s 0/0 -j MASQ

/Raz
 
Old 06-11-2001, 03:59 PM   #7
isbrower
Newbie
 
Registered: Apr 2001
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks for the replies. I will try the changes you both have suggested. BTW, after I make changes to the rc.firewall file, do I have to restart network services to enable the changes? If so, how do I do this? Remember, I AM a newbie :-), and I am used to MS where you have to reboot.

Steve
 
Old 06-12-2001, 03:38 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
np,

No you don't have to restart the service, but you must flush the chains each time with the line I put in:

ipchains -F

Then just run the rc.firewall script.

Type ipchains -L -n to look at what rules are set.

/Raz
 
Old 06-12-2001, 05:21 AM   #9
smurf
Member
 
Registered: Apr 2001
Posts: 113

Rep: Reputation: 15
This may sound dumb

Raz, in the large example I see some things that I'm not sure about:

1. You use 2 files, your "/etc/rc.d/firewall.sh script"
and "rc.firewall". My firewall only has the "rc.firewall".
What is the other file and how is it used?

2. What does the MSN Messenger ruleset do? I
thought it was used for an internal machine to use the
talk function with an external machine. But this does not
work.

3. I have a DHCP assigned address for my cable modem. Is
there a way of using a strong firewall ruleset like the
example you submitted with my setup?

My setup :-

redhat 7
kernel 2.2.18
eth0 = 192.168.1.1
eth1 = dhcp (blueyonder cable modem)

Cheers

___________________
Have Fun
 
Old 06-12-2001, 05:58 AM   #10
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi Smurf,
That's what this group is for, answering questions on all Linux matters.

1) rc.firewall is just a script like all the others, in my example my rc.local file would then run the firewall.sh script, or it could run the rc.firewall script.
It's best to not use the rc.firewall name as you might want different levels of security, so you have different scripts that block and lock down more and more things.

For example on my system I have 5 levels of security, one where users can access certain internet services and the other where only admin tasks will work.
I call the scripts DefCon1.sh, DefCon2.sh, ...... DefCon5 would basically allow all access and switch off the firewall.

2) On your system if you have set-up your Linux box as a gateway with NAT then you will have to allow 2 main things.
a) allow the PCs to talk to the internal firewall
b) allow the firewall to talk to MSN's servers on the MSN port with SYN requests rejected.

example:
ipchains -A output -p tcp -s your_firewalls_internet_address_here 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d your_firewalls_internet_address_here 1023:65535 -j ACCEPT

3) I've never used DHCP on a firewall, but you would want to add some way for the script to pick out the dynamic ip and add it to the rules. example in the start of the script.

EXTDEV=eth1
# ppp0 if a ppp connection
EXTERNALIP=`ifconfig $EXTDEV | grep "inet addr:" | \
awk -F: {'print $2'} | cut -d\ -f 1`
if [ -z "${EXTERNALIP}" ]; then
exit 1
fi

#Then you would use the EXTERNALIP string to edit the rule.
# example
ipchains -A output -p tcp -s $EXTERNALIP/32 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d $EXTERNALIP/32 1023:65535 -j ACCEPT

--------------

That would give you a secure firewall, provided you wrote your whole rule set like this.

/raz
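As an added example (mine, not raz's code), a POSIX shell version of the dynamic-address idea in point 3 above that also checks the value it extracted is a dotted quad before putting it into a rule, rather than only checking it is non-empty as the snippet does. It generalises the snippet by accepting both the "inet addr:A.B.C.D" line of the old ifconfig and the "inet A.B.C.D" line of newer net-tools. The ifconfig text is constructed for the demo (203.0.113.42 is a documentation-range placeholder, not a real address); 64.4.13.0/24 and port 1863 are the values from raz's rules. The rules are printed rather than executed, so it runs anywhere.

```shell
# Added example (not raz's code): extract the external address from ifconfig
# output, validate it, and build the two MSN rules from raz's post with it.
# Rules are printed, not executed.

# extract_ip: ifconfig output on stdin; prints the first IPv4 address found.
# Accepts both "inet addr:A.B.C.D" (old net-tools) and "inet A.B.C.D" (newer).
extract_ip() {
    sed -n 's/^[[:space:]]*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1
}

# valid_ipv4 ADDR: 0 if ADDR is four decimal octets 0-255 joined by dots.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    dots=$(printf '%s' "$1" | tr -cd '.' | wc -c | tr -d ' ')
    [ "$dots" -eq 3 ] || return 1
    rest=$1.
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        rest=${rest#*.}
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# msn_rules ADDR: print raz's two MSN rules with ADDR as the firewall's
# external address; refuse (status 1, nothing printed) if ADDR is not valid.
msn_rules() {
    valid_ipv4 "$1" || { echo "msn_rules: bad external address '$1'" >&2; return 1; }
    echo "ipchains -A output -p tcp -s $1/32 1023:65535 --dport 1863 -j ACCEPT"
    echo "ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d $1/32 1023:65535 -j ACCEPT"
}

# rules_from_ifconfig: ifconfig output on stdin, ruleset on stdout.
rules_from_ifconfig() {
    ip=$(extract_ip)
    msn_rules "$ip"
}

# Constructed sample of old-style ifconfig output (not from a real machine).
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.42  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Stand-alone run on the constructed sample.  On the firewall you would do:
#   ifconfig "$EXTDEV" | rules_from_ifconfig | sh
echo "$SAMPLE_IFCONFIG" | rules_from_ifconfig
```

Because msn_rules prints nothing and fails when the address is bad, a pipeline like the one in the comment emits no rules at all on a box whose interface is down, instead of loading rules with a blank or garbled address in them.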
 
  

