April 25, 2019

Linux Networking: Using Ipchains - page 5

Multiple Machines, A Single Connection

  • July 24, 2000
  • By William Wong
The sample hardware configuration considered in this article is a computer with two network adapters. These interfaces are assumed to be eth0 and eth1. Likewise, it is assumed that the IP address given by an ISP for the Internet connection is fixed. Dynamic IP addresses will be considered in the next article.

There are a number of variables defined in the following script. In particular, the external network interface variable, extif, is set to the second Ethernet adapter, eth1. The internal network interface variable, intif, is set to eth0. The fixed IP address for the router on the external network is in the variable extip while the internal network address and mask are saved in intnet.

The following script file is assumed to be saved as /etc/rc.d/rc.firewall. It must be set up as an executable file and it should be run when the system boots. This can be done by running the script from /etc/rc.d/rc.local. Keeping the firewall file separate from rc.local allows it to be run after the computer has been booted. This is usually required when a dynamic IP address is obtained from an ISP as considered in the next article. Here's the script file:

# A simple example of ipchains saved as /etc/rc.d/rc.firewall

# Load required ip_masq modules (FTP included here)
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Assign external IP variables

# Assign internal IP variables

# Initialize MASQ timeout and standard chains
ipchains -M -S 7200 10 60
ipchains -F input
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -F forward
ipchains -P forward DENY

# Setup input policy
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intif -s $intnet -d -j ACCEPT

# reject IP spoofing where external computer claims to be a local
ipchains -A input -i $extif -s $intnet -d -l -j REJECT

# allow external access via external interface
ipchains -A input -i $extif -s -d $extip/32 -j ACCEPT

# loopback interface is valid
ipchains -A input -i lo -s -d -j ACCEPT

# Setup output policy
# all outgoing traffic is allowed
ipchains -A output -i $intif -s -d $intnet -j ACCEPT

# prevent traffic for local network from using external interface
ipchains -A output -i $extif -s -d $intnet -l -j REJECT

# prevent traffic from local network from using external interface
ipchains -A output -i $extif -s $intnet -d -l -j REJECT

# anything else can go out
ipchains -A output -i $extif -s $extip/32 -d -j ACCEPT

# loopback interface is valid
ipchains -A output -i lo -s -d -j ACCEPT

# Setup forwarding policy
# Masquerade local net traffic to anywhere
ipchains -A forward -i $extif -s $intnet -d -j MASQ

The lo interface is a local loopback found on all computers. The masquerade support is strictly for local computers communicating with the Internet through the router. Access from the Internet is restricted to the router. If there is a Web server running on the router then this may be accessible from the Internet. Check out the next section for details.

Most Popular LinuxPlanet Stories