
John R. McPherson wrote:
Glenn Ramsey wrote:
I'm having some trouble with the ipmasq firewall setup on my Debian box.
What version of debian are you using, and what kernel version? I assume you're using debian woody on a machine like that.
It started as woody but now it's mainly sarge. Has kernel 2.4.21-1-k7. The machine is a workstation that doubles as a dialup machine and masq host for a couple of other machines.
2.4 and 2.6 series linux kernels use iptables instead of ipmasq - my woody box doesn't have any files named "*ipmasq*" on it at all. I think the woody install defaults to 2.2, although 2.4 is an option.
ipmasq is a set of config scripts, the scripts have options for ipfwadm, ipchains and iptables. You should see it listed if you do dpkg -l ipmasq
You could try looking in /etc/ppp - there are scripts that get run eg in ip-up.d, so maybe something in there is fiddling with the settings.
It definitely does run when ppp comes up and goes down because it needs to regenerate all the external rules because the ppp ip address changes. Here's what it does:

$ ipmasq -v -n
#: Interfaces found:
#: ppp0 203.79.74.40/255.255.255.255
#: ppp0 203.79.74.40/255.255.255.255
#: eth0 192.168.1.1/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
#: Accept multicast packets (adresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -j ACCEPT -i ppp0 -d 203.79.74.40/32 -p udp --destination-port 5004:65535
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 137:139
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 80
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 111
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 445
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p udp --destination-port 137:139
/sbin/iptables -A PREROUTING -t nat -j LOG -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 0:5003
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 0:5003
/sbin/iptables -A PREROUTING -t nat -j LOG -i ppp0 -d 203.79.74.40/32 -p udp --destination-port 0:5003
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p udp --destination-port 0:5003
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.74.40/32
#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -s 192.168.1.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 192.168.1.1/255.255.255.0
#: Allow multicast packets (adresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A POSTROUTING -t nat -j ACCEPT -o ppp0 -s 203.79.74.40/255.255.255.255 -p udp --source-port 5004:65535
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p tcp --source-port 137:139
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p tcp --source-port 80
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p tcp --source-port 111
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p tcp --source-port 445
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p udp --source-port 137:139
/sbin/iptables -A POSTROUTING -t nat -j LOG -o ppp0 -s 0.0.0.0/0 -p tcp --source-port 0:5003
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p tcp --source-port 0:5003
/sbin/iptables -A POSTROUTING -t nat -j LOG -o ppp0 -s 0.0.0.0/0 -p udp --source-port 0:5003
/sbin/iptables -A POSTROUTING -t nat -j DROP -o ppp0 -s 0.0.0.0/0 -p udp --source-port 0:5003
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -d 255.255.255.255/32
#: Allow packets for external networks leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.74.40/32
#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masqerading timeouts:
#: 2 hrs for TCP
#: 10 sec for TCP after FIN has been sent
#: 160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0

g
-- 
Glenn Ramsey <glenn(a)componic.co.nz> 07 8627077 http://www.componic.co.nz
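Because ipmasq rewrites the whole rule set every time ppp0 comes up, a quick way to confirm that each regeneration still carries the properties the dump above relies on (default-deny policies, the two anti-spoofing drops, the ports dropped on the external interface) is to parse the `ipmasq -v -n` output. The script below is an added example written for this thread, not code from the thread or from the ipmasq package; it assumes the dump's `/sbin/iptables ...` line format including the old-style `-i ! lo` negation, and SAMPLE_DUMP is a constructed subset of the quoted rules.

```python
# Added example (not from the thread or the ipmasq package): audit an
# `ipmasq -v -n` dump. SAMPLE_DUMP is a constructed subset of the quoted rules.
import shlex

SAMPLE_DUMP = """\
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p tcp --destination-port 445
/sbin/iptables -A PREROUTING -t nat -j DROP -i ppp0 -d 203.79.74.40/32 -p udp --destination-port 137:139
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.74.40/32
"""

def parse_rules(dump):
    """One dict per iptables command: option -> value, '!x' for '-i ! x' negation."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("/sbin/iptables"):
            continue                        # skip '#:' commentary and echo lines
        argv, rule, i = shlex.split(line)[1:], {"-t": "filter"}, 0
        while i < len(argv):
            opt = argv[i]
            if opt == "-P":                 # '-P CHAIN POLICY' takes two arguments
                rule["policy"], i = (argv[i + 1], argv[i + 2]), i + 3
            elif argv[i + 1] == "!":        # old-style negation as emitted for 2.4 kernels
                rule[opt], i = "!" + argv[i + 2], i + 3
            else:
                rule[opt], i = argv[i + 1], i + 2
        rules.append(rule)
    return rules

def audit(dump, ext_if="ppp0", lan="192.168.1.1/255.255.255.0"):
    """Check default-deny and the anti-spoofing drops; list ports dropped on ext_if."""
    rules = parse_rules(dump)
    policy = {r["policy"][0]: r["policy"][1] for r in rules if "policy" in r}
    inbound = [r for r in rules if r.get("-A") == "INPUT" and r.get("-j") == "DROP"]
    return {
        "default_deny": all(policy.get(c) == "DROP" for c in ("INPUT", "OUTPUT", "FORWARD")),
        "lan_spoof_dropped": any(r.get("-i") == ext_if and r.get("-s") == lan for r in inbound),
        "loopback_spoof_dropped": any(r.get("-i") == "!lo" and r.get("-s", "").startswith("127.") for r in inbound),
        "ext_ports_dropped": sorted((r["-p"], r["--destination-port"]) for r in rules
                                    if r["-t"] == "nat" and r.get("-i") == ext_if
                                    and r.get("-j") == "DROP" and "--destination-port" in r),
    }
```

Run it against a real dump with `audit(subprocess.check_output(["ipmasq", "-v", "-n"], text=True))` from the ip-up hook to log any regeneration that loses one of these properties.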