Linux Networking: Using Ipchains - page 5
Multiple Machines, A Single ConnectionThe sample hardware configuration considered in this article is a computer with two network adapters. These interfaces are assumed to be eth0 and eth1. Likewise, it is assumed that the IP address given by an ISP for the Internet connection is fixed. Dynamic IP addresses will be considered in the next article.
There are a number of variables defined in the following script. In
particular, the external network interface variable, extif, is set to the
second Ethernet adapter, eth1. The internal network interface variable, intif,
is set to eth0. The fixed IP address for the router on the external network is
in the variable
extip while the internal network address and mask are saved in
/etc/rc.d/rc.firewall. It must be set up as an executable file and it should be run when the system boots. This can be done by running the script from
/etc/rc.d/rc.local. Keeping the firewall file separate from
rc.localallows it to be run after the computer has been booted. This is usually required when a dynamic IP address is obtained from an ISP as considered in the next article. Here's the script file:
#!/bin/sh # A simple example of ipchains saved as /etc/rc.d/rc.firewall # PATH=/sbin:/bin:/usr/sbin:/usr/bin # Load required ip_masq modules (FTP included here) /sbin/depmod -a /sbin/modprobe ip_masq_ftp # Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward # Assign external IP variables extip="22.214.171.124" extif="eth1" # Assign internal IP variables intif="eth0" intnet="192.168.1.0/24" # Initialize MASQ timeout and standard chains ipchains -M -S 7200 10 60 ipchains -F input ipchains -P input REJECT ipchains -F output ipchains -P output REJECT ipchains -F forward ipchains -P forward DENY # Setup input policy # local interface, local machines, going anywhere is valid ipchains -A input -i $intif -s $intnet -d 0.0.0.0/0 -j ACCEPT # reject IP spoofing where external computer claims to be a local ipchains -A input -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT # allow external access via external interface ipchains -A input -i $extif -s 0.0.0.0/0 -d $extip/32 -j ACCEPT # loopback interface is valid ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # Setup output policy # all outgoing traffic is allowed ipchains -A output -i $intif -s 0.0.0.0/0 -d $intnet -j ACCEPT # prevent traffic for local network from using external interface ipchains -A output -i $extif -s 0.0.0.0/0 -d $intnet -l -j REJECT # prevent traffic from local network from using external interface ipchains -A output -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT # anything else can go out ipchains -A output -i $extif -s $extip/32 -d 0.0.0.0/0 -j ACCEPT # loopback interface is valid ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # Setup forwarding policy # Masquerade local net traffic to anywhere ipchains -A forward -i $extif -s $intnet -d 0.0.0.0/0 -j MASQ
The lo interface is a local loopback found on all computers. The masquerade support is strictly for local computers communicating with the Internet through the router. Access from the Internet is restricted to the router. If there is a Web server running on the router then this may be accessible from the Internet. Check out the next section for details.
Sponsored by BlackBerry
BlackBerry® Enterprise Server Express enables businesses of any size to quickly and easily get started with the BlackBerry solution. It provides advanced BlackBerry smartphone features with no additional software or user license fees, and works with any Internet-enabled BlackBerry data plan or a BlackBerry enterprise data plan. Download now!