Thanks everyone for your advice,
> If I were you, I'd start by reading
> http://www.wlug.org.nz/HowFirewallingWorks, I'd skim-read about how
> Perry's firewalling script works (at
> http://www.wlug.org.nz/PerrysFirewallingScript) and then I would
> install the .deb, which I'd find at
> http://www.wlug.org.nz/archive/debian/linuxserver-firewall_0.3_all.deb.
>
> (hint: wget the file, then dpkg -i)
What would be the advantage of installing Perry's script instead of
using the stuff supplied by the distribution?
I found some of what I was looking for in the debian package
description. If only this description had been repeated in the
introduction of the manual in /usr/share/doc/ipmasq/ipmasq.html! I think
I'll suggest it to the maintainer.
> This package contains scripts to initialize IP Masquerade for use as
> a firewall. IP Masquerade is a feature of Linux that allows an entire
> network of computers to be connected to another network (usually the
> Internet) with only one network address on the other network. IP
> Masquerade is often referred to as NAT (Network Address Translation)
> on other platforms.
>
> By default, this package configures the system as a basic forwarding
> firewall, with IP spoofing and stuffed routing protection. The
> firewall will allow hosts behind the firewall to get to the Internet,
> but not allow connections from the Internet to reach the hosts
> behind the firewall. However, ipmasq now features a very flexible
> framework where you can override any of the predefined rules if you
> so choose. It also allows you to control if the rules are
> reinterpreted when pppd brings a link up or down.
>
> This package should be installed on the firewall host and not on the
> hosts behind the firewall.
>
> IP Masquerade requires the kernel to be compiled with masquerading
> support (please see documentation for specific kernel options
> required).
So I think that hosts behind the firewall are protected, but I'm not
sure about the firewall machine itself.
http://www.wlug.org.nz/HowFirewallingWorks says:
> The world's simplest firewall and what it does
>
> ## Create chain which blocks new connections on the ppp0 interface, except if coming from inside.
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A block -j DROP
>
> ## Jump to that chain from INPUT and FORWARD chains.
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
The output from ipmasq -v when the ppp link is up says this:
>
> #: Interfaces found:
> #: ppp0 203.79.79.14/255.255.255.255
> #: ppp0 203.79.79.14/255.255.255.255
> #: eth0 192.168.1.1/255.255.255.0
> echo "0" > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -F PREROUTING
> /sbin/iptables -t mangle -F OUTPUT
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -F PREROUTING
> /sbin/iptables -t nat -F POSTROUTING
> /sbin/iptables -t nat -F OUTPUT
> /sbin/iptables -A INPUT -j ACCEPT -i lo
> /sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
> /sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! tcp
> /sbin/iptables -A INPUT -j LOG -i ppp0 -s 192.168.1.1/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
> /sbin/iptables -t nat -A PREROUTING -j LOG -i ppp0 -s 192.168.1.1/255.255.255.0
> /sbin/iptables -t nat -A PREROUTING -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32
> /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.1/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth0 -o ppp0 -s 192.168.1.1/255.255.255.0 -j ACCEPT
> /sbin/iptables -A FORWARD -o eth0 -i ppp0 -d 192.168.1.1/255.255.255.0 -j ACCEPT
> /sbin/iptables -A OUTPUT -j ACCEPT -o lo
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 192.168.1.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! tcp
> /sbin/iptables -A FORWARD -j LOG -o ppp0 -d 192.168.1.1/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o ppp0 -d 192.168.1.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o ppp0 -d 192.168.1.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o ppp0 -d 192.168.1.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.79.14/32
> echo "1" > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
>
Does that lot say that new incoming connections on ppp0 are already
blocked or do I need to add the "The world's simplest firewall" rules
from above?
The line:
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32
seems to say that new connections will be accepted.
So if I need to add rules, then I guess that the proper place is
/etc/ipmasq/rules. The setup of /etc/ipmasq/rules seems quite complex
so does anyone know where the correct place to put the extra rule is?
g
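As an added example (not code from the post, from the wlug page, or from the ipmasq package), the following walks the quoted filter-table rules the way the kernel does, first match wins, and reports the verdict for the cases the post asks about. The rule text is a constructed subset of the `ipmasq -v` output above, in its original order; the `block` chain is the one from the wlug page; the packets are constructed, with 198.51.100.7 (a documentation-range address) standing in for a host on the Internet. It handles only the matches the quoted rules use (`-i`, `-o`, `-s`, `-d`, `-p`, `-m state --state`) and the old `-i ! ppp0` negation syntax.

```python
import ipaddress
import shlex
# Constructed subset of the `ipmasq -v` output quoted above (filter table only, original order).
IPMASQ_RULES = """
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -s 192.168.1.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -o eth0 -i ppp0 -d 192.168.1.1/255.255.255.0 -j ACCEPT
"""
# The "world's simplest firewall" chain from the wlug page, with its jumps added by -A (as that page shows) or -I.
BLOCK_CHAIN = """
/sbin/iptables -N block
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
/sbin/iptables -A block -j DROP
"""
APPEND_JUMPS = "/sbin/iptables -A INPUT -j block\n/sbin/iptables -A FORWARD -j block\n"
INSERT_JUMPS = "/sbin/iptables -I INPUT -j block\n/sbin/iptables -I FORWARD -j block\n"
FIELD = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto", "--state": "state"}

def parse_rule(tokens):
    """Options of one -A/-I line -> ([(option, negated, value), ...], target)."""
    matches, target, i = [], None, 0
    while i < len(tokens):
        opt, val, i = tokens[i], tokens[i + 1], i + 2
        if opt == "-m":                 # module name ("state"); only its --state option is read
            continue
        negate = val == "!"             # old-style negation as used in the post: -i ! ppp0
        if negate:
            val, i = tokens[i], i + 1
        if opt == "-j":
            target = val
        elif opt in ("-s", "-d"):       # accepts both the /24 and the /255.255.255.0 spelling
            matches.append((opt, negate, ipaddress.ip_network(val, strict=False)))
        elif opt in FIELD:
            matches.append((opt, negate, val))
        else:
            raise ValueError("unsupported option " + opt)
    return matches, target

def load(text):
    """Replay '/sbin/iptables ...' command lines into ({chain: rules}, {chain: policy})."""
    chains, policy = {"INPUT": [], "OUTPUT": [], "FORWARD": []}, {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or "-t" in argv:    # blank line, or a nat/mangle table command
            continue
        op, chain, rest = argv[1], argv[2], argv[3:]
        if op == "-P":
            policy[chain] = rest[0]
        elif op == "-N":
            chains[chain] = []
        elif op == "-A":
            chains[chain].append(parse_rule(rest))
        elif op == "-I":                # optional rule number; default 1 = head of the chain
            pos = int(rest.pop(0)) - 1 if rest[0].isdigit() else 0
            chains[chain].insert(pos, parse_rule(rest))
    return chains, policy

def rule_matches(matches, pkt):
    for opt, negate, want in matches:
        have = pkt[FIELD[opt]]
        hit = (ipaddress.ip_address(have) in want if opt in ("-s", "-d")
               else have in want.split(",") if opt == "--state" else have == want)
        if hit == negate:               # a plain match must hit, a negated one must miss
            return False
    return True

def verdict(ruleset, chain, pkt):
    """Kernel-style walk: first ACCEPT/DROP/REJECT wins, LOG falls through, end of a built-in chain = its policy."""
    chains, policy = ruleset
    for matches, target in chains[chain]:
        if not rule_matches(matches, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:            # user-defined chain: take its verdict, else keep walking
            sub = verdict(ruleset, target, pkt)
            if sub is not None:
                return sub
    return policy.get(chain)

def packet(inp, dst, src="198.51.100.7", out=None, proto="tcp", state="NEW"):
    # constructed packet; 198.51.100.7 (TEST-NET-2) stands in for some host on the Internet
    return {"in": inp, "out": out, "src": src, "dst": dst, "proto": proto, "state": state}

def scenarios(ruleset):
    return {
        "new_to_firewall_on_ppp0": verdict(ruleset, "INPUT", packet("ppp0", "203.79.79.14")),
        "reply_to_firewall_on_ppp0": verdict(ruleset, "INPUT", packet("ppp0", "203.79.79.14", state="ESTABLISHED")),
        "spoofed_lan_src_on_ppp0": verdict(ruleset, "INPUT", packet("ppp0", "203.79.79.14", src="192.168.1.5")),
        "new_from_lan_to_firewall": verdict(ruleset, "INPUT", packet("eth0", "192.168.1.1", src="192.168.1.5")),
        "new_from_ppp0_to_lan_host": verdict(ruleset, "FORWARD", packet("ppp0", "192.168.1.5", out="eth0")),
    }
```

Running `scenarios(load(IPMASQ_RULES))` gives ACCEPT for a NEW connection from the Internet to 203.79.79.14 on ppp0: the quoted rule `-A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32` has no state match, so anything listening on the firewall host is reachable from the ppp0 side, and the same holds for the FORWARD rule `-o eth0 -i ppp0 -d 192.168.1.1/255.255.255.0 -j ACCEPT`, which would pass a NEW packet to a LAN address if one ever arrived on ppp0. The anti-spoof pair (LOG then DROP for a 192.168.1.x source on ppp0) does drop, since LOG is non-terminating and the walk continues to the DROP. Adding the wlug `block` chain with `-A`, exactly as that page shows, changes nothing here because ipmasq's own ACCEPT rules are matched first; inserting the jumps with `-I` at the head of INPUT and FORWARD drops NEW connections from ppp0 while still accepting replies (ESTABLISHED) and connections from eth0. Note that the quoted `ipmasq -v` output begins by flushing every chain, and the package description says the rules are reinterpreted when pppd brings the link up or down, so an `iptables -I` typed by hand would not survive that; the rule has to live where ipmasq reloads it, which is the /etc/ipmasq/rules question the post leaves open.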