LinuxPlanet / Tutorials
Linux Networking: Using Ipchains
Setting Up The Router

William Wong
Monday, July 24, 2000 08:05:03 AM

The sample hardware configuration considered in this article is a computer with two network adapters. These interfaces are assumed to be eth0 and eth1. Likewise, it is assumed that the IP address given by an ISP for the Internet connection is fixed. Dynamic IP addresses will be considered in the next article.

There are a number of variables defined in the following script. In particular, the external network interface variable, extif, is set to the second Ethernet adapter, eth1. The internal network interface variable, intif, is set to eth0. The fixed IP address for the router on the external network is in the variable extip while the internal network address and mask are saved in intnet.

The following script file is assumed to be saved as /etc/rc.d/rc.firewall. It must be set up as an executable file and it should be run when the system boots. This can be done by running the script from /etc/rc.d/rc.local. Keeping the firewall file separate from rc.local allows it to be run after the computer has been booted. This is usually required when a dynamic IP address is obtained from an ISP as considered in the next article. Here's the script file:

#!/bin/sh
# A simple example of ipchains saved as /etc/rc.d/rc.firewall
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load required ip_masq modules (FTP included here)
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Assign external IP variables
extip="64.66.99.123"
extif="eth1"

# Assign internal IP variables
intif="eth0"
intnet="192.168.1.0/24"

# Initialize MASQ timeout and standard chains
ipchains -M -S 7200 10 60
ipchains -F input
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -F forward
ipchains -P forward DENY

# Setup input policy
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intif -s $intnet -d 0.0.0.0/0 -j ACCEPT

# reject (and log with -l) spoofed packets arriving on the external interface that claim a local address
ipchains -A input -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT

# allow external access via external interface
ipchains -A input -i $extif -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# Setup output policy
# traffic to local machines via the internal interface is allowed
ipchains -A output -i $intif -s 0.0.0.0/0 -d $intnet -j ACCEPT

# prevent (and log) traffic addressed to the local network from leaving via the external interface
ipchains -A output -i $extif -s 0.0.0.0/0 -d $intnet -l -j REJECT

# prevent (and log) traffic still carrying a local source address from leaving via the external interface
ipchains -A output -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else sent from the router's own external address can go out
ipchains -A output -i $extif -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT


# Setup forwarding policy
# Masquerade local net traffic to anywhere
ipchains -A forward -i $extif -s $intnet -d 0.0.0.0/0 -j MASQ

The lo interface is a local loopback found on all computers. The masquerade support is strictly for local computers communicating with the Internet through the router. Access from the Internet is restricted to the router. If there is a Web server running on the router then this may be accessible from the Internet. Check out the next section for details.
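To check that the rule ordering above does what the comments claim, here is an added example (not part of the original article and not the ipchains tool itself) that models the three chains with ipchains' first-match semantics and walks a few constructed packets through them; 203.0.113.5 stands for an Internet host and 192.168.1.10 for a LAN host.

```python
import ipaddress

# Constructed model of the rc.firewall chains above, evaluated with ipchains'
# first-match semantics; this is not the ipchains tool, only a checker for it.
EXTIF, INTIF = "eth1", "eth0"
EXTIP = ipaddress.ip_network("64.66.99.123/32")
INTNET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# chain -> (default policy, ordered rules of (interface, src, dst, target))
CHAINS = {
    "input": ("REJECT", [
        (INTIF, INTNET, ANY, "ACCEPT"),  # local machines going anywhere
        (EXTIF, INTNET, ANY, "REJECT"),  # spoofed local source on eth1 (-l)
        (EXTIF, ANY, EXTIP, "ACCEPT"),   # Internet traffic for the router itself
        ("lo", ANY, ANY, "ACCEPT"),
    ]),
    "output": ("REJECT", [
        (INTIF, ANY, INTNET, "ACCEPT"),
        (EXTIF, ANY, INTNET, "REJECT"),  # local destinations never leave via eth1
        (EXTIF, INTNET, ANY, "REJECT"),  # unmasqueraded local source (-l)
        (EXTIF, EXTIP, ANY, "ACCEPT"),
        ("lo", ANY, ANY, "ACCEPT"),
    ]),
    # in the forward chain -i is the interface the packet will leave on
    "forward": ("DENY", [(EXTIF, INTNET, ANY, "MASQ")]),
}

def verdict(chain, iface, src, dst):
    """Target of the first rule matching the packet, else the chain policy."""
    policy, rules = CHAINS[chain]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_if, rule_src, rule_dst, target in rules:
        if rule_if == iface and s in rule_src and d in rule_dst:
            return target
    return policy

def check_policy():
    """Packets a defender would walk through the chains; 203.0.113.5 is a
    constructed Internet host, 192.168.1.10 a constructed LAN host."""
    return {
        "lan_to_internet": verdict("input", INTIF, "192.168.1.10", "203.0.113.5"),
        "spoofed_lan_source": verdict("input", EXTIF, "192.168.1.10", "64.66.99.123"),
        "internet_to_router": verdict("input", EXTIF, "203.0.113.5", "64.66.99.123"),
        "internet_to_lan_host": verdict("input", EXTIF, "203.0.113.5", "192.168.1.10"),
        "lan_masqueraded": verdict("forward", EXTIF, "192.168.1.10", "203.0.113.5"),
        "inbound_forward": verdict("forward", INTIF, "203.0.113.5", "192.168.1.10"),
        "unmasqueraded_leak": verdict("output", EXTIF, "192.168.1.10", "203.0.113.5"),
    }
```

Calling check_policy() returns the verdict for each packet; note that the spoofed packet is rejected only because the anti-spoofing rule comes before the rule accepting traffic to $extip, so swapping those two lines would silently let it through.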
