[LI] Long Msg : [Selective network access...]
[This is a reply to Pankaj Mathur.]
Hi,
Our network has a private class B address and a public class C
address. Since I have chosen 172.16.0.0, I cannot permit traffic
from this net directly on the internet. We have DNS, Mail and
Web services running on the public side.
The official page is The Linux IP Firewall Chains Page
<http://www.rustcorp.com/linux/ipchains>
Please see David Ranch's
http://www.ecst.csuchico.edu/~dranch/LINUX/index-LINUX.html#ipmasq
as well.
About proxies and masq:- Traditional Proxies, Transparent
Proxies & Masquerading are highlighted in the HOWTO.
Packet traffic:-
<excerpt>
The kernel starts with three lists of rules; these lists are called
firewall chains or just chains. The three chains are called input,
output and forward. When a packet comes in (say, through the Ethernet
card) the kernel uses the input chain to decide its fate. If it
survives that step, then the kernel decides where to send the packet
next (this is called routing). If it is destined for another machine,
it consults the forward chain. Finally, just before a packet is to go
out, the kernel consults the output chain.
A chain is a checklist of rules. Each rule says `if the packet header
looks like this, then here's what to do with the packet'. If the rule
doesn't match the packet, then the next rule in the chain is
consulted. Finally, if there are no more rules to consult, then the
kernel looks at the chain policy to decide what to do. In a security-
conscious system, this policy usually tells the kernel to reject or
deny the packet.
</excerpt>
You can create your own rulesets (chains) as well. This is quite
useful when creating your own filter box.
A thorough knowledge of the various options of ipchains will
be useful, and there are plenty of options, too.
How are the packets handled?
<excerpt>
There are six special targets. The first three, ACCEPT, REJECT and
DENY are fairly simple. ACCEPT allows the packet through. DENY drops
the packet as if it had never been received. REJECT drops the packet,
but (if it's not an ICMP packet) generates an ICMP reply to the source
to tell it that the destination was unreachable.
The next one, MASQ tells the kernel to masquerade the packet. For
this to work, your kernel needs to be compiled with IP Masquerading
enabled. For details on this, see the Masquerading-HOWTO and the
Appendix ``Differences between ipchains and ipfwadm''. This target is
only valid for packets traversing the forward chain.
The other major special target is REDIRECT which tells the kernel to
send a packet to a local port instead of wherever it was heading.
This can only be specified for rules specifying TCP or UDP as their
protocol. Optionally, a port (name or number) can be specified
following `-j REDIRECT' which will cause the packet to be redirected
to that particular port, even if it was addressed to another port.
This target is only valid for packets traversing the input chain.
The final special target is RETURN which is identical to falling off
the end of the chain immediately. (See ``Setting Policy'' below).
Any other target indicates a user-defined chain. The packet
will begin traversing the rules in that chain. If that chain
doesn't decide the fate of the packet, then once traversal on
that chain has finished, traversal resumes on the next rule in
the current chain.
</excerpt>
Our setup is similar to the example in IPChains-HOWTO (7.x),
except that I need only a two-way filter and not a three-way one,
i.e., I have to bother about packet traffic outward,
packet traffic inward and packet traffic from my public class C
to private class B.
So, the following cases are to be separately considered:-
1. On the packet filter box: (PING any network, TRACEROUTE any network,
   access DNS)
2. Within the public net (open net, all permitted). It is up to
   the hosts to protect themselves.
3. Outward
   Allow WWW, ftp, traceroute, ssh to external
   Allow SMTP to Mail server
   Allow POP-3 to Mail server
   Allow DNS to Name server
   Allow rsync to Web server
   Allow WWW to Web server
   Allow ping to packet filter box
   These are to be done in the masquerading mode.
4. Before packet filtering
   Anti-spoofing
   Set filtering rules to DENY all
   Set up interfaces
   Insert per-protocol masquerading modules.
5. Inward: don't allow anything non-masqueraded
6. Packet filtering for the Linux box itself for its public
   and private interfaces. There is a default route for the public
   interface.
7. Finally, remove the blocking rules.
8. ICMP traffic is treated with respect and care.
These are done as separate rule sets and aggregated.
The box works pretty well. I use a Celeron 266, 32 MB box, two
100 Mbps cards. The box is connected to the backbone. It runs
PCQ/RHL6.1 (kernel 2.2.x) compiled with masquerading support, and
ipchains is used to control the packet filtering.
Hope that helps.
Regards
--pgm
-------------------------------
P G Mohanan, Systems Manager
Central Computer Centre
KREC Surathkal
Email:pgm@xxxxxxxxxxxxx
sm@xxxxxxxxxxxxx
Phone: 0824-475984 ext 301
------------------------------
On Fri, 28 Jan 2000, Pankaj Mathur wrote:
> Hi Mohanan,
> Thanks for your reply - if you don't mind can you send me or post here a
> more detailed description of how things are working at your end. It will
> help me in putting everything in perspective. Presently I am in a very
> confused state in the middle of IP-Masq, IP-chains, DNS, Ethernet & PPP
> HOWTOs (that's quite a list).
--------------------------------------------------------------------
The Linux India Mailing List Archives are now available. Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.
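The cases listed in the post (DENY-all policies, anti-spoofing, masquerading the private class B out through the public side, the box's own ICMP/DNS/traceroute needs, and the per-protocol masq modules) turned into one ipchains script, as an added example. This is not the original poster's ruleset and not code from the IPChains-HOWTO. Everything concrete in it is an assumption: eth0 as the public interface and eth1 as the private one, the documentation prefix 192.0.2.0/24 standing in for the unnamed public class C, and the placeholder addresses for the filter box, mail, web and name servers. By default it only prints the commands (DRY_RUN=1) so the ruleset can be reviewed on any machine; on a 2.2 kernel with ipchains, DRY_RUN=0 applies it.

```shell
#!/bin/sh
# Added example, not the original poster's script: a two-interface
# masquerading filter for a private 172.16.0.0/16 behind a public class C.
# ASSUMPTIONS: eth0 is the public side, eth1 the private side; 192.0.2.0/24
# (a documentation prefix) stands in for the unnamed public class C, and
# the server addresses below are placeholders.
PUB_IF=eth0
PRIV_IF=eth1
PRIV_NET=172.16.0.0/16
FW_PUB=192.0.2.1        # filter box, public side (assumed)
MAIL=192.0.2.10         # mail server on the public side (assumed)
WEB=192.0.2.11          # web server on the public side (assumed)
DNS=192.0.2.12          # name server on the public side (assumed)
ANY=0.0.0.0/0
MASQ_PORTS=61000:65096  # port range a 2.2 kernel uses for masqueraded sessions
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = run them for real

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

build_rules() {
    # 4. Before filtering: clean chains, default policy DENY everywhere.
    run ipchains -F
    run ipchains -X
    run ipchains -P input DENY
    run ipchains -P output DENY
    run ipchains -P forward DENY

    # Anti-spoofing, logged (-l): private or loopback sources must never
    # arrive on the public side; only private sources may arrive on the
    # private side. These come first so nothing below can accept a spoof.
    run ipchains -A input -i "$PUB_IF"  -s "$PRIV_NET"   -j DENY -l
    run ipchains -A input -i "$PUB_IF"  -s 127.0.0.0/8   -j DENY -l
    run ipchains -A input -i "$PRIV_IF" -s ! "$PRIV_NET" -j DENY -l

    # Loopback is unrestricted.
    run ipchains -A input  -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT

    # 8. ICMP: inbound, only the types ping and traceroute need (echo-reply,
    # unreachable, echo-request, time-exceeded; the type goes in the
    # source-port slot). The box itself may send any ICMP.
    for t in 0 3 8 11; do
        run ipchains -A input -p icmp -s "$ANY" "$t" -j ACCEPT
    done
    run ipchains -A output -p icmp -j ACCEPT

    # 1. The filter box itself: DNS queries and traceroute probes out,
    # DNS answers back in.
    run ipchains -A output -p udp -d "$ANY" 53 -j ACCEPT
    run ipchains -A input  -p udp -s "$ANY" 53 -d "$FW_PUB" 1024:65535 -j ACCEPT
    run ipchains -A output -p udp -d "$ANY" 33434:33523 -j ACCEPT

    # 3. Outward from the private net, masqueraded. The input chain admits
    # private hosts; the forward chain decides what gets masqueraded
    # (MASQ is only valid on forward, and -i there is the OUTGOING side).
    run ipchains -A input -i "$PRIV_IF" -s "$PRIV_NET" -j ACCEPT
    for p in 80 21 22; do   # WWW, ftp, ssh to anywhere (covers WWW to the web server)
        run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p tcp -d "$ANY" "$p" -j MASQ
    done
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p udp -d "$ANY" 33434:33523 -j MASQ
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p tcp -d "$MAIL" 25  -j MASQ
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p tcp -d "$MAIL" 110 -j MASQ
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p udp -d "$DNS"  53  -j MASQ
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p tcp -d "$DNS"  53  -j MASQ
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -p tcp -d "$WEB"  873 -j MASQ
    # Masqueraded packets leave with the box's own public address.
    run ipchains -A output -i "$PUB_IF" -s "$FW_PUB" -j ACCEPT
    # Replies come back to the masq port range and are demasqueraded after
    # the input chain, so they never traverse forward. Only non-SYN TCP
    # (! -y) is admitted: nobody may open a connection into that range.
    run ipchains -A input -i "$PUB_IF" -p tcp ! -y -d "$FW_PUB" "$MASQ_PORTS" -j ACCEPT
    run ipchains -A input -i "$PUB_IF" -p udp      -d "$FW_PUB" "$MASQ_PORTS" -j ACCEPT
    run ipchains -A output -i "$PRIV_IF" -d "$PRIV_NET" -j ACCEPT
    # Ping to the filter box from inside is already covered by the ICMP rules.

    # 5. Inward: the DENY policy on forward already refuses anything that
    # is not a masqueraded session; this rule only logs the attempts.
    run ipchains -A forward -i "$PRIV_IF" -j DENY -l

    # 2. Traffic within the public net never crosses this box: no rules.
    # 4 (cont.). Per-protocol masquerading helper and forwarding on.
    run modprobe ip_masq_ftp
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

build_rules
```

Rule order carries the policy: the anti-spoofing DENYs sit above every ACCEPT, and the only inbound TCP admitted on the public side is non-SYN traffic to the masquerade port range, so the "inward: nothing non-masqueraded" case holds even if a later rule is added carelessly. Adding a box-management service (say ssh to the filter box from the private side) means one more input rule on eth1, not a change to the forward chain.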