IPCHAINS
Packet filtering is what is usually meant by a firewall: deciding, packet by
packet, whether it is allowed through or not.
Although the same tool (ipchains) also controls masquerading and transparent
proxying, those are separate mechanisms; sharing a command-line tool does not
make them closely related.
Chain Operations:
-N Create a new chain.
-X Delete an empty chain.
-P Change the policy for a built-in chain.
-L List the rules in a chain.
-F Flush the rules out of a chain.
-Z Zero the packet and byte counters on all rules in a chain.
Chain Rule Manipulations:
-A Append a new rule to a chain.
-I Insert a new rule at some position in a chain.
-R Replace a rule at some position in a chain.
-D Delete a rule at some position in a chain.
-D Delete the first rule in a chain that matches the given specification.
Other
-M -L List the currently masqueraded connections.
-M -S Set masquerading timeout values.
While the rules are being changed there is a window in which packets can pass
through a half-built rule set. To close it, put a DENY rule at the top of each
chain for the duration of the changes, then remove it afterwards:
% ipchains -I input 1 -j DENY
% ipchains -I output 1 -j DENY
% ipchains -I forward 1 -j DENY
...make changes...
% ipchains -D input 1
% ipchains -D output 1
% ipchains -D forward 1
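The same procedure as a reusable wrapper, added here as an example and not part of the original notes. It inserts the temporary DENY rules, runs a batch of changes, and removes the DENY rules again even when the batch fails or the shell is interrupted (a second, stray "-D chain 1" would delete a real rule, so the removal is guarded). IPCHAINS, record_call, with_lockdown and apply_rules are names chosen for this example; the addresses in apply_rules are the ones used in the rc.firewall script below.

```shell
#!/bin/sh
# Added example (not part of the original notes): run a batch of ipchains
# changes between temporary DENY rules and always take the DENY rules out again.
#
# Assumption: IPCHAINS is the ipchains binary. Setting IPCHAINS=record_call
# (the stub below) dry-runs the wrapper without touching the kernel.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
CHAINS="input output forward"

# Dry-run stub: appends each call's arguments to RECORDED instead of running it.
RECORDED=""
record_call() {
    RECORDED="${RECORDED}${RECORDED:+;}$*"
}

# LOCKED tracks whether our DENY rules are currently at position 1, so that
# lockdown_off never deletes rule 1 twice (the second delete would remove a
# real rule, not ours).
LOCKED=0

# Put a DENY rule at position 1 of every built-in chain. If an insert fails
# part-way, leave whatever was inserted for the admin to inspect with
# "ipchains -L" rather than guessing which rule 1 is safe to delete.
lockdown_on() {
    for c in $CHAINS; do
        $IPCHAINS -I "$c" 1 -j DENY || return 1
    done
    LOCKED=1
}

# Remove the rule we inserted at position 1 of each chain (idempotent).
lockdown_off() {
    [ "$LOCKED" -eq 1 ] || return 0
    LOCKED=0
    for c in $CHAINS; do
        $IPCHAINS -D "$c" 1
    done
}

# Usage: with_lockdown <command> [args...]
# The trap covers the cases where the batch aborts the shell (set -e, ^C);
# the batch's own exit status is returned to the caller.
with_lockdown() {
    lockdown_on || return 1
    trap 'lockdown_off; trap - EXIT INT TERM' EXIT INT TERM
    "$@"
    wl_rc=$?
    lockdown_off
    trap - EXIT INT TERM
    return $wl_rc
}

# Example batch (the "...make changes..." step) using addresses from the notes.
# Note the -p tcp: ipchains refuses a port match without a protocol.
apply_rules() {
    $IPCHAINS -A input -p tcp -s 0.0.0.0/0 -d 192.1.2.10 smtp -j ACCEPT &&
    $IPCHAINS -A input -p tcp -s 0.0.0.0/0 -d 192.1.2.11 www -j ACCEPT
}

# Dry run:   IPCHAINS=record_call; with_lockdown apply_rules; echo "$RECORDED"
# For real:  with_lockdown apply_rules      (as root, IPCHAINS=/sbin/ipchains)
```

Run the dry run first: RECORDED then lists the three inserts, the batch, and the three deletes in order, which is exactly the sequence from the notes above.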
#------------------------------------------------------------------------------------
#!/bin/sh
#
# rc.firewall
#
# Flush everything (start from scratch)...
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# If your machine is assigned an IP via DHCP...
# /sbin/ipchains -M -S 7200 10 60
# /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp
# Redirect for HTTP Transparent Proxy...
/sbin/ipchains -A input -p tcp -s 192.1.2.0/24 -d 0.0.0.0/0 80 -j REDIRECT 8080
# Create your own chain (flush and delete any copy left from an earlier run,
# otherwise -N fails because the chain already exists)...
/sbin/ipchains -F my-chain 2>/dev/null
/sbin/ipchains -X my-chain 2>/dev/null
/sbin/ipchains -N my-chain
# Every rule that names a port needs -p: ipchains rejects a port match
# without a TCP or UDP protocol.
# Allow email to get to the server...
/sbin/ipchains -A my-chain -p tcp -s 0.0.0.0/0 smtp -d 192.1.2.10 1024: -j ACCEPT
# Allow email connections to outside email servers...
/sbin/ipchains -A my-chain -p tcp -s 192.1.2.10 -d 0.0.0.0/0 smtp -j ACCEPT
# Allow Web connections to your WWW server...
/sbin/ipchains -A my-chain -p tcp -s 0.0.0.0/0 www -d 192.1.2.11 1024: -j ACCEPT
# Allow Web connections to outside WWW server...
/sbin/ipchains -A my-chain -p tcp -s 192.1.2.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
# Allow DNS traffic ("domain" is the /etc/services name for port 53; "dns" is not in that file)...
/sbin/ipchains -A my-chain -p UDP -s 0.0.0.0/0 domain -d 192.1.2.0/24 -j ACCEPT
# If you are using masquerading
# Don't masq internal-internal traffic...
/sbin/ipchains -A forward -s 192.1.2.0/24 -d 192.1.2.0/24 -j ACCEPT
# Don't masq external interface direct...
/sbin/ipchains -A forward -s 24.94.1.0/24 -d 0.0.0.0/0 -j ACCEPT
# Masquerade all internal IP's going outside
/sbin/ipchains -A forward -s 192.1.2.0/24 -d 0.0.0.0/0 -j MASQ
# Hand every incoming packet to my-chain, then deny whatever it did not accept.
# (-P takes only a built-in chain and a policy; a user chain is reached with -j.)
/sbin/ipchains -A input -j my-chain
/sbin/ipchains -P input DENY
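The mistakes that are easy to make in a script like the one above (a port match with no -p, -P on a user-defined chain, a -j to a chain nothing created) are mechanical enough to check before the script is run. The lint below is an added example, not part of the original notes; lint_ipchains_rules is a name chosen here, and it assumes the script form used above (one ipchains call per line), not ipchains-save output.

```shell
#!/bin/sh
# Added example (not part of the original notes): lint an rc.firewall-style
# script for three mistakes ipchains will reject or silently mis-handle:
#   1. a port match (the word after an -s/-d address) with no -p tcp/udp
#   2. -P on a chain that is not input, output or forward
#   3. -j to a user chain that no earlier -N line creates
# Assumption: one ipchains invocation per line, as in the script above;
# ipchains-save output (":chain" lines) is not handled.
# Usage: lint_ipchains_rules /etc/rc.firewall   (or feed the script on stdin)
# Prints one line per finding and exits 1 if anything was found.
lint_ipchains_rules() {
    awk '
    BEGIN {
        n = split("input output forward", b)
        for (k = 1; k <= n; k++) builtin[b[k]] = 1
        n = split("ACCEPT DENY REJECT MASQ REDIRECT RETURN", t)
        for (k = 1; k <= n; k++) target[t[k]] = 1
        found = 0
    }
    /^[ \t]*#/ || !/ipchains/ { next }   # skip comments and non-ipchains lines
    {
        hasport = 0; hasproto = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-s" || $i == "-d") {
                if ($(i+1) == "!") i++          # skip a negation marker
                if (i + 2 <= NF && $(i+2) !~ /^-/) hasport = 1
            } else if ($i == "-p") {
                hasproto = 1
            } else if ($i == "-N") {
                created[$(i+1)] = 1
            } else if ($i == "-P" && !($(i+1) in builtin)) {
                printf "line %d: -P only sets the policy of a built-in chain, not %s\n", NR, $(i+1)
                found++
            } else if ($i == "-j" && !($(i+1) in target) && !($(i+1) in created)) {
                printf "line %d: -j %s, but no earlier -N creates that chain\n", NR, $(i+1)
                found++
            }
        }
        if (hasport && !hasproto) {
            printf "line %d: port match without -p (ipchains needs tcp or udp for ports)\n", NR
            found++
        }
    }
    END { exit (found > 0) }' "$@"
}
```

Run it over the original, uncorrected version of rc.firewall and it reports the "1024:-j" mail rule and the web rules as port matches without -p, and the final "-P my-chain input DENY" line as a policy on a non-built-in chain; the corrected script above produces no output and exits 0.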
ipchains only changes the rule set held by the running kernel, so the whole
setup is lost on reboot. Use the 'ipchains-save' and 'ipchains-restore'
scripts to save the firewall setup to a file and load it again:
% ipchains-save > /etc/ipchains.rules
ipchains bootstrap script:
#!/bin/sh
# /etc/init.d/packetfilter
# run this script during bootstrap, before S40network.
# symlink "S39packetfilter"
RULES="/etc/ipchains.rules"
[ -f "$RULES" ] || exit 0
case "$1" in
    start)
        echo -n "Turning on packet filtering:"
        /sbin/ipchains-restore < $RULES || exit 1
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo "0" > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F
        /sbin/ipchains -X
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    save)
        echo -n "Saving packet filtering rules:"
        /sbin/ipchains-save > $RULES
        echo "."
        ;;
    *)
        echo "Usage: `basename "$0"` [start|stop|save]"
        echo ""
        exit 1
        ;;
esac
exit 0