IP_masquerade won't work between gentoo and XP ;(


Slaiter (topic starter):

Before everyone starts shouting rtfm and utfs, I can tell you that I have already done that and still haven't figured it out.
So I'm running gentoo and built the kernel as indicated here. At first I followed the whole howto, but that didn't work, and because even "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE" followed by "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work, I tried a different approach and went to work with firestarter, which generated the following script, which doesn't work either :'(

code:
#!/bin/sh
# Generated by Firestarter 0.9.0, NETFILTER in use

# --------( Initial Setup - Variables (required) )--------

# Type of Service (TOS) parameters
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability

TOSOPT=8

# Default Packet Rejection Type
# ( do NOT change this here - set it in the GUI instead )

STOP=DENY


# --------( Initial Setup - Network Information (required) )--------

IF=ppp0
INIF=eth0
IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK

INIP=`/sbin/ifconfig $INIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
INMASK=`/sbin/ifconfig $INIF | grep Mas | cut -d : -f 4`
INNET=$INIP/$INMASK
# --------( Initial Setup - Firewall Location Check )--------

IPT=/sbin/iptables
MPB=/sbin/modprobe
LSM=/sbin/lsmod
RMM=/sbin/rmmod

# --------( Initial Setup - Firewall Modules Check )--------

# Some distributions still load ipchains
$LSM | grep ipchains -q -s && $RMM ipchains

# --------( Initial Setup - Firewall Modules Autoloader )--------

if ! ( $LSM | /bin/grep ip_conntrack > /dev/null ); then
$MPB ip_conntrack
fi
if ! ( $LSM | /bin/grep ip_conntrack_ftp > /dev/null ); then
$MPB ip_conntrack_ftp
fi
if ! ( $LSM | /bin/grep ip_conntrack_irc > /dev/null ); then
$MPB ip_conntrack_irc
fi
if ! ( $LSM | /bin/grep ipt_REJECT > /dev/null ); then
$MPB ipt_REJECT
fi
if ! ( $LSM | /bin/grep ipt_REDIRECT > /dev/null ); then
$MPB ipt_REDIRECT
fi
if ! ( $LSM | /bin/grep ipt_TOS > /dev/null ); then
$MPB ipt_TOS
fi
if ! ( $LSM | /bin/grep ipt_MASQUERADE > /dev/null ); then
$MPB ipt_MASQUERADE
fi
if ! ( $LSM | /bin/grep ipt_LOG > /dev/null ); then
$MPB ipt_LOG
fi
if ! ( $LSM | /bin/grep iptable_mangle > /dev/null ); then
$MPB iptable_mangle
fi
if ! ( $LSM | /bin/grep iptable_nat > /dev/null ); then
$MPB iptable_nat
fi

# --------( Initial Setup - Additional Firewall Modules (PPP) )--------

if ! ( $LSM | /bin/grep bsd_comp > /dev/null ); then
$MPB bsd_comp
fi
if ! ( $LSM | /bin/grep _deflate > /dev/null ); then
$MPB ppp_deflate
fi

# --------( Chain Configuration - Flush Existing Chains )--------

# Delete user made chains. Flush and zero the chains.

$IPT -F
$IPT -X
$IPT -Z

# --------( Chain Configuration - Delete Extinct Chains )--------

# Delete `nat' and `mangle' chains.

if ( $LSM | /bin/grep iptable_mangle > /dev/null ); then
$IPT -t mangle -F
fi
if ( $LSM | /bin/grep iptable_nat > /dev/null ); then
$IPT -t nat -F
fi

# --------( Chain Configuration - Create Default Result Chains )--------

# Create a new log and drop (LD) convenience chain.
$IPT -N LD 2> /dev/null
$IPT -F LD
$IPT -A LD -j LOG
$IPT -A LD -j DROP

STOP=LD

# --------( Chain Configuration - Create Default Traffic Chains )--------

# Create a new 'unclean module check' (UNCLEAN) convenience chain.
$IPT -N UNCLEAN 2> /dev/null
$IPT -F UNCLEAN
$IPT -A UNCLEAN -j $STOP

# Create a new 'stateful module check' (STATE) convenience chain.
$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT
$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -j $STOP

# Create a new 'sanity (check, mark and fwd) check' (SANITY) convenience chain.
$IPT -N SANITY 2> /dev/null
$IPT -F SANITY
$IPT -A SANITY -j $STOP

# --------( Chain Configuration - Set Default Chain Policy )--------

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT


# --------( Initial Setup - Nameservers )--------

# Allow responses from the nameservers
while read s1 s2
    do
        if [ $s1 = "nameserver" ] ; then
            $IPT -A INPUT -p tcp ! --syn -s $s2 -d 0/0 -j ACCEPT
            $IPT -A INPUT -p udp -s $s2 -d 0/0 -j ACCEPT
        fi
    done < /etc/resolv.conf

# --------( Initial Setup - External Lists )--------

# Trusted hosts
while read host
    do
        $IPT -A INPUT -s $host -d 0/0 -j ACCEPT
    done < /etc/firestarter/trusted-hosts

# Blocked hosts
while read host
    do
        $IPT -A INPUT -s $host -d 0/0 -j DROP
    done < /etc/firestarter/blocked-hosts

# Forwarded ports
while read port int_host int_port
    do
        $IPT -A FORWARD -p tcp -d $int_host --dport $int_port -j ACCEPT
        $IPT -A FORWARD -p udp -d $int_host --dport $int_port -j ACCEPT
        $IPT -A PREROUTING -t nat -p tcp -d $NET --dport $port -j DNAT --to $int_host:$int_port
        $IPT -A PREROUTING -t nat -p udp -d $NET --dport $port -j DNAT --to $int_host:$int_port
    done < /etc/firestarter/forward

# Open ports
while read port
    do
        $IPT -A INPUT -p tcp -s 0/0 -d $NET --dport $port -j ACCEPT
        $IPT -A INPUT -p udp -s 0/0 -d $NET --dport $port -j ACCEPT
    done < /etc/firestarter/open-ports

# Stealthed ports (Ports open to specific hosts)
while read port host
    do
        $IPT -A INPUT -p tcp -s $host -d $NET --dport $port -j ACCEPT
        $IPT -A INPUT -p udp -s $host -d $NET --dport $port -j ACCEPT
    done < /etc/firestarter/stealthed-ports

# Blocked ports (explicit, no logging)
while read port
    do
        $IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport $port -j DROP
        $IPT -A INPUT -p udp -s 0/0 -d 0/0 --dport $port -j DROP
    done < /etc/firestarter/blocked-ports

# --------( Chain Configuration Finalize - Set Default Chain Policy )--------

$IPT -P OUTPUT DROP


# --------( Sysctl Tuning - Recommended Parameters )--------

# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)

if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 0 > /proc/sys/net/ipv4/ip_forward
fi

# Log 'odd' IP addresses (excludes 0.0.0.0 & 255.255.255.255)

if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
fi

# --------( Sysctl Tuning - TCP Parameters )--------

# Turn off TCP Timestamping in kernel
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps
fi

# Set TCP Re-Ordering value in kernel to '5'
if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
  echo 5 > /proc/sys/net/ipv4/tcp_reordering
fi

# Turn off TCP ACK in kernel
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_sack
fi

#Turn off TCP Window Scaling in kernel
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
fi

#Set Keepalive timeout to 30 seconds
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
  echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
fi

#Set FIN timeout to 30 seconds
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
  echo 1800 > /proc/sys/net/ipv4/tcp_fin_timeout
fi

# Set TCP retry count to 3
if [ -e /proc/sys/net/ipv4/tcp_retries1 ]; then
  echo 3 > /proc/sys/net/ipv4/tcp_retries1
fi

#Turn off ECN notification in kernel
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

# --------( Sysctl Tuning - SYN Parameters )--------

# Turn on SYN cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Set SYN ACK retry attempts to '3'
if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]; then
  echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
fi

# Set SYN backlog buffer to '64'
if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]; then
  echo 64 > /proc/sys/net/ipv4/tcp_max_syn_backlog
fi

# Set SYN retry attempts to '6'
if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]; then
  echo 6 > /proc/sys/net/ipv4/tcp_syn_retries
fi

# --------( Sysctl Tuning - Routing / Redirection Parameters )--------

# Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
   echo 1 > $f
  done
fi

# Turn off source routes in kernel
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route
  do
   echo 0 > $f
  done
fi

# Do not respond to 'redirected' packets
if [ -e /proc/sys/net/ipv4/secure_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/secure_redirects
fi

# Do not reply to 'redirected' packets if requested
if [ -e /proc/sys/net/ipv4/send_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/send_redirects
fi

# Do not reply to 'proxyarp' packets
if [ -e /proc/sys/net/ipv4/proxy_arp ]; then
  echo 0 > /proc/sys/net/ipv4/proxy_arp
fi

# Set FIB model to be RFC1812 Compliant
# (certain policy based routers may break with this - if you find
#  that you can't access certain hosts on your network - please set
#  this option to '0' - which is the default)

if [ -e /proc/sys/net/ipv4/ip_fib_model ]; then
  echo 2 > /proc/sys/net/ipv4/ip_fib_model
fi

# --------( Sysctl Tuning - ICMP/IGMP Parameters )--------

# ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# ICMP Broadcasting protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# IGMP Membership 'overflow' protection
# (if you are planning on running your box as a router - you should either
#  set this option to a number greater than 5, or disable this protection
#  altogether by commenting out this option)

if [ -e /proc/sys/net/ipv4/igmp_max_memberships ]; then
  echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
fi

# --------( Sysctl Tuning - Miscellanous Parameters )--------

# Set TTL to '64' hops
# (If you are running a masqueraded network, or use policy-based
#  routing - you may want to increase this value depending on the load
#  on your link.)

if [ -e /proc/sys/net/ipv4/conf/all/ip_default_ttl ]; then
  for f in /proc/sys/net/ipv4/conf/*/ip_default_ttl
  do
   echo 64 > $f
  done
fi

# Always defragment incoming packets
# (Some cable modems [ Optus @home ] will suffer intermittent connection
#  droputs with this setting. If you experience problems, set this to '0')

if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag
fi

# Keep packet fragments in memory for 8 seconds
# (Note - this option has no affect if you turn packet defragmentation
#  (above) off!)

if [ -e /proc/sys/net/ipv4/ipfrag_time ]; then
  echo 8 > /proc/sys/net/ipv4/ipfrag_time
fi

# Do not reply to Address Mask Notification Warnings
# (If you are using your machine as a DMZ router or a PPP dialin server
#  that relies on proxy_arp requests to provide addresses to it's clients
#  you may wish to disable this option by setting the value to '1'

if [ -e /proc/sys/net/ipv4/ip_addrmask_agent ]; then
  echo 0 > /proc/sys/net/ipv4/ip_addrmask_agent
fi

# Turn on dynamic TCP/IP address hacking
# (Some broken PPPoE clients require this option to be enabled)
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi


# --------( Sysctl Tuning - IPTables Specific Parameters )--------

# Doubling current limit for ip_conntrack
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
  echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
fi

# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------

# Allow all traffic on the loopback interface
$IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT


# --------( Rules Configuration - ICMP - Default Ruleset )--------

# Allowing all ICMP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET -m limit --limit 1/s -j ACCEPT


# --------( Rules Configuration - Masquerading )--------

# --------( Rules Configuration - Masquerading - Firewall Modules Autoloader )--------

if ! ( $LSM | /bin/grep ip_nat_ftp > /dev/null ); then
$MPB ip_nat_ftp
fi

if ! ( $LSM | /bin/grep ip_nat_irc > /dev/null ); then
$MPB ip_nat_irc
fi

# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------

#Turn on IP forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]
 then
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi

# --------( Rules Configuration - Masquerading - Default Policy )--------

#Setting forward (masquerading) policy to DENY
$IPT -t filter -P FORWARD DROP

# --------( Rules Configuration - Masquerading - Default Ruleset )--------

#TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Incorrect Flags )--------

$IPT -t filter -I FORWARD -m unclean -j UNCLEAN

# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Invalid Flags )--------

$IPT -t filter -A INPUT -m state --state INVALID -j $STOP

# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Excessive Fragmented Packets )--------

$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP

#Forward Int/Ext & Ext/Int Traffic before Masquerading
$IPT -t filter -A FORWARD -d 0/0 -s $INNET -o $IF -j ACCEPT
$IPT -t filter -A FORWARD -d $INNET -j ACCEPT
#Masquerade outgoing traffic
$IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE

#Don't masq external interface traffic
$IPT -t nat -A POSTROUTING -s $NET -d 0/0 -j ACCEPT

#Allow traffic from internal network going anywhere
$IPT -t filter -A INPUT -s $INNET -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j ACCEPT

# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Incorrect Flags )--------

$IPT -t filter -I INPUT -i $IF -m unclean -j UNCLEAN


# --------( Rules Configuration - Inbound Traffic - Block nonroutable IP Addresses )--------

#Block nonroutable IPs
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 2.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 5.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 7.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 27.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 31.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 36.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 37.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 39.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 41.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 42.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 58.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 59.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 60.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 69.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 70.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 71.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 72.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 73.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 74.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 75.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 76.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 77.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 78.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 79.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 82.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 83.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 84.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 85.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 86.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 87.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 88.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 89.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 90.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 91.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 92.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 93.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 94.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 95.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 96.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 97.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 98.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 99.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 100.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 101.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 102.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 103.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 104.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 105.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 106.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 107.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 108.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 109.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 110.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 111.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 112.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 113.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 114.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 115.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 116.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 117.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 118.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 119.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 120.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 121.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 122.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 123.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 124.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 125.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 126.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 128.66.0.0/16 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 197.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 221.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 222.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 223.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 240.0.0.0/4 -d $NET -i $IF -j $STOP

# --------( Rules Configuration - Inbound Traffic - Block known Trojan Ports )--------

#Block Back Orifice
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 31337 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 31337 -m limit --limit 2/minute -j $STOP

#Block Trinity v3
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 33270 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 33270 -m limit --limit 2/minute -j $STOP

#Block Subseven (1.7/1.9)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1234 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 6711 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 1234 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 6711 -m limit --limit 2/minute -j $STOP

#Block Stacheldraht
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 16660 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 60001 --syn -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 16660 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 60001 --syn -m limit --limit 2/minute -j $STOP

#Block NetBus
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 12345:12346 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 12345:12346 -m limit --limit 2/minute -j $STOP

#Block MS-RPC (dce)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 135 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 135 -m limit --limit 2/minute -j $STOP

#Block Trin00
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1524 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 27665 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 27444 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 31335 -m limit --limit 2/minute -j $STOP

$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 1524 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 27665 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 27444 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 31335 -m limit --limit 2/minute -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Multicast Traffic )--------

# (some cable/DSL providers require their clients to accept multicast transmissions
#  you should remove the following four rules if you are affected by multicasting
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j $STOP
$IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Stuffed Routing )--------

# (early versions of PUMP - (the DHCP client application included in RH / Mandrake) require
#  inbound packets to be accepted from a source address of 255.255.255.255.  If you have issues
#  with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)
$IPT -t filter -A INPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A INPUT -d 0.0.0.0 -j $STOP
$IPT -t filter -A OUTPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A OUTPUT -d 0.0.0.0 -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Invalid Flags )--------

$IPT -t filter -A INPUT -m state --state INVALID -j $STOP


# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Excessive Fragmented Packets )--------

$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP


# --------( Rules Configuration - Inbound Traffic - Ruleset Filtered by GUI )--------

#DHCP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 67:68 -i $IF -j ACCEPT

$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 67:68 -i $IF -j ACCEPT


# --------( Rules Configuration - Inbound Traffic - Default Ruleset )--------

#Block NFS
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -i $IF -j $STOP

#Block SAMBA
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 137:139 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 137:139 -i $IF -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 445 -i $IF -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s 0/0 -d 0/0 --dport 137:139 -o $IF -j $STOP
$IPT -t filter -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 137:139 -o $IF -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s 0/0 -d 0/0 --dport 445 -o $IF -j $STOP
$IPT -t filter -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 445 -o $IF -j $STOP

#Block uPNP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 5000 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 5000 -i $IF -j $STOP

#Block Xwindows
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6015 -i $IF -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 6000:6015 -i $IF -j $STOP


# --------( Rules Configuration - Inbound Traffic - Highport Connection Fixes )--------

$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j $STOP


# --------( Rules Configuration - Inbound Traffic - Highport Connections )--------

$IPT  -A INPUT -p tcp -s 0/0 -d $NET --dport 1024:65535 -j STATE
$IPT  -A INPUT -p udp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT


# --------( Rules Configuration - Outbound Traffic - Highport Connection Fixes )--------

$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP


# --------( Rules Configuration - Outbound Traffic - TTL Mangling )--------

$IPT -A OUTPUT -m ttl --ttl 64

# --------( Rules Configuration - Outbound Traffic - Block Traffic w/ Incorrect Flags )--------

$IPT -t filter -I OUTPUT -o $IF -m unclean -j UNCLEAN


# --------( Rules Configuration - Outbound Traffic - Default Ruleset )--------

$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -o $IF -j ACCEPT
$IPT -A OUTPUT -j ACCEPT


# --------( Catch all Rules (required) )--------

# Deny everything not let through earlier
$IPT -A INPUT -j $STOP


The output of ifconfig is as follows:

code:
eth0      Link encap:Ethernet  HWaddr 00:50:BF:90:BD:4B
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:244 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:34843 (34.0 Kb)  TX bytes:1887 (1.8 Kb)
          Interrupt:10 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:468 (468.0 b)  TX bytes:468 (468.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:213.xxx.xxx.xxx P-t-P:195.190.241.129  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1092 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:502432 (490.6 Kb)  TX bytes:208870 (203.9 Kb)


And I gave the windows machine IP address 192.168.0.2, with 192.168.0.1 as gateway (which has also become the dns).

All in all it still doesn't work, and after a whole day of reading, trying and working I'm going a bit crazy 8)7

Who can give me the saving solution to finally get masquerading working :?

Buffy:


What exactly isn't working?


What error message do you get on your XP box?
Can you ping your XP box from your gentoo box and vice versa?
Can you ping an IP address on the internet from your XP box?
Can you resolve (ping) an internet hostname from your XP box?


PS: you say you've set the gentoo box as dns in XP; do you also have a forwarding nameserver running on your gentoo box?



Slaiter (topic starter):

Dawns_sister wrote on 15 September 2002 @ 23:05:
> What exactly isn't working?
>
> What error message do you get on your XP box?
> Can you ping your XP box from your gentoo box and vice versa?
> Can you ping an IP address on the internet from your XP box?
> Can you resolve (ping) an internet hostname from your XP box?
>
> PS: you say you've set the gentoo box as dns in XP; do you also have a forwarding nameserver running on your gentoo box?

The XP box gives no error message other than that the page cannot be found.
I can ping the windows machine from gentoo and vice versa, and pinging an internet IP (213.239.154.35) also works, but a hostname doesn't.

No, I'm not running a forwarding server, but the settings are the same as when I still had debian, and there it just worked like this :?

Slaiter (topic starter):

Never mind, now that the dns has been changed it works the way it should |:(
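Buffy's checklist and the DNS outcome of the last post, turned into checks a gateway admin can run (an added example, not code from the thread or from Firestarter): the check functions take the text of ip_forward and iptables-save as arguments, so they run offline against the constructed SAMPLE_RULES, which mirrors the posted script's FORWARD and MASQUERADE rules in iptables-save form, while gateway_report reads the live values on the gateway. The function names and the lan/nat/dns labels are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of Firestarter: checks for a Linux
# masquerading gateway laid out like this one (eth0 = 192.168.0.0/24 inside,
# ppp0 outside). Check functions take text arguments so they run offline;
# gateway_report gathers the live values when run as root on the gateway.

# Constructed sample in iptables-save form, mirroring the FORWARD and
# MASQUERADE rules the posted Firestarter script installs (not real output).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.0.0/24 -o ppp0 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -j ACCEPT
COMMIT'

# is_forwarding "<contents of /proc/sys/net/ipv4/ip_forward>"
is_forwarding() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# has_masquerade "<iptables-save output>" EXTIF
# True when the nat table has a POSTROUTING MASQUERADE rule bound to EXTIF.
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING( .*)? -o $2( .*)? -j MASQUERADE"
}

# forward_policy "<iptables-save output>"  -> prints the FORWARD chain policy
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

# forward_allows "<iptables-save output>" LAN_NET EXTIF
# With a DROP policy the FORWARD chain needs an explicit ACCEPT for LAN->EXTIF
# and one for the return traffic (either -d LAN_NET or ESTABLISHED state).
forward_allows() {
    rules=$1; lan=$2; ext=$3
    [ "$(forward_policy "$rules")" = "ACCEPT" ] && return 0
    printf '%s\n' "$rules" | grep -Eq -- "^-A FORWARD .*-s $lan .*-o $ext .*-j ACCEPT" &&
    printf '%s\n' "$rules" | grep -Eq -- "^-A FORWARD .*(-d $lan|ESTABLISHED).*-j ACCEPT"
}

# classify_symptoms PING_GATEWAY PING_EXTERNAL_IP RESOLVE_NAME  (each yes|no)
# Maps the three pings from the checklist to the layer that is broken.
classify_symptoms() {
    case "$1 $2 $3" in
        "no "*)        echo lan ;;   # client cannot even reach the gateway
        "yes no "*)    echo nat ;;   # gateway reachable, nothing forwarded/masqueraded
        "yes yes no")  echo dns ;;   # packets flow, only name resolution fails
        "yes yes yes") echo ok ;;
        *)             echo unknown ;;
    esac
}

# dns_setup_ok CLIENT_DNS GATEWAY_IP GATEWAY_RUNS_RESOLVER(yes|no)
# The thread's case: the client used the gateway itself as DNS server while
# no forwarding nameserver listened there, so IPs worked and names did not.
dns_setup_ok() {
    if [ "$1" = "$2" ] && [ "$3" != "yes" ]; then
        echo "client resolver is the gateway ($2) but no nameserver runs there:" \
             "point the client at the ISP resolvers or run a forwarder" >&2
        return 1
    fi
    return 0
}

# gateway_report [EXTIF] [LAN_NET]: run on the gateway as root.
gateway_report() {
    ext=${1:-ppp0}; lan=${2:-192.168.0.0/24}
    rules=$(iptables-save 2>/dev/null) || { echo "iptables-save failed (not root?)" >&2; return 1; }
    # The posted script first writes 0 to ip_forward and only re-enables it in
    # the masquerading section, so check the live value rather than the script.
    if is_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)"; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    if has_masquerade "$rules" "$ext"; then echo "MASQUERADE on $ext: present"; else echo "MASQUERADE on $ext: MISSING"; fi
    if forward_allows "$rules" "$lan" "$ext"; then echo "FORWARD: passes $lan <-> $ext"
    else echo "FORWARD: blocks $lan (policy $(forward_policy "$rules"))"; fi
}

if [ "${1:-}" = "--live" ]; then gateway_report "$2" "$3"; fi
```

Run it as `sh gwcheck.sh --live ppp0 192.168.0.0/24` on the gateway; if all three live checks pass but clients still cannot resolve names, the problem is the resolver setting on the client, as it was here.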