Linux Networking: Using Ipchains - page 5
Multiple Machines, A Single ConnectionThe sample hardware configuration considered in this article is a computer with two network adapters. These interfaces are assumed to be eth0 and eth1. Likewise, it is assumed that the IP address given by an ISP for the Internet connection is fixed. Dynamic IP addresses will be considered in the next article.
There are a number of variables defined in the following script. In
particular, the external network interface variable, extif, is set to the
second Ethernet adapter, eth1. The internal network interface variable, intif,
is set to eth0. The fixed IP address for the router on the external network is
in the variable
extip while the internal network address and mask are saved in
/etc/rc.d/rc.firewall. It must be set up as an executable file and it should be run when the system boots. This can be done by running the script from
/etc/rc.d/rc.local. Keeping the firewall file separate from
rc.localallows it to be run after the computer has been booted. This is usually required when a dynamic IP address is obtained from an ISP as considered in the next article. Here's the script file:
#!/bin/sh # A simple example of ipchains saved as /etc/rc.d/rc.firewall # PATH=/sbin:/bin:/usr/sbin:/usr/bin # Load required ip_masq modules (FTP included here) /sbin/depmod -a /sbin/modprobe ip_masq_ftp # Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward # Assign external IP variables extip="184.108.40.206" extif="eth1" # Assign internal IP variables intif="eth0" intnet="192.168.1.0/24" # Initialize MASQ timeout and standard chains ipchains -M -S 7200 10 60 ipchains -F input ipchains -P input REJECT ipchains -F output ipchains -P output REJECT ipchains -F forward ipchains -P forward DENY # Setup input policy # local interface, local machines, going anywhere is valid ipchains -A input -i $intif -s $intnet -d 0.0.0.0/0 -j ACCEPT # reject IP spoofing where external computer claims to be a local ipchains -A input -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT # allow external access via external interface ipchains -A input -i $extif -s 0.0.0.0/0 -d $extip/32 -j ACCEPT # loopback interface is valid ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # Setup output policy # all outgoing traffic is allowed ipchains -A output -i $intif -s 0.0.0.0/0 -d $intnet -j ACCEPT # prevent traffic for local network from using external interface ipchains -A output -i $extif -s 0.0.0.0/0 -d $intnet -l -j REJECT # prevent traffic from local network from using external interface ipchains -A output -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT # anything else can go out ipchains -A output -i $extif -s $extip/32 -d 0.0.0.0/0 -j ACCEPT # loopback interface is valid ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # Setup forwarding policy # Masquerade local net traffic to anywhere ipchains -A forward -i $extif -s $intnet -d 0.0.0.0/0 -j MASQ
The lo interface is a local loopback found on all computers. The masquerade support is strictly for local computers communicating with the Internet through the router. Access from the Internet is restricted to the router. If there is a Web server running on the router then this may be accessible from the Internet. Check out the next section for details.
Solid state disks (SSDs) made a splash in consumer technology, and now the technology has its eyes on the enterprise storage market. Download this eBook to see what SSDs can do for your infrastructure and review the pros and cons of this potentially game-changing storage technology.
- 1Linux Top 3: GNOME 3.12 and New Betas for Ubuntu 14.04 and OpenMandriva Lx 2014.0
- 2Linux Top 3: Linus Lashes out, Linux 3.14 Gets PIE and Ubuntu One is Done.
- 3Linux Top 3: Ubuntu 14.04, Debian Gives Squeeze More Life and Red Hat Goes Atomic
- 4Linux Top 3: RHEL 6.5, Debian 7.2 and EOL for Linux 3.0.x
- 5Linux Top 3: CoreOS, Oracle Enterprise Linux 7 and Ubuntu 14.10