ipchains-1.3.8 (IP Masquerade)

Description

Ipchains is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel.

Configuration

  1. Prepare a configuration script file and execute it

  2. # Flush chains
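    ipchains -F

    # Default policy for the forward chain is DENY.  It is set before IP
    # forwarding is switched on (at the bottom), so nothing is relayed while
    # the rules below are still being loaded.
    ipchains -P forward DENY

    # Anti-spoofing: drop packets arriving on the external link (ppp0) that
    # claim a source address from the internal network.
    ipchains -A input -i ppp0 -s 192.168.0.0/24 -d 0/0 -j DENY

    # Do not let NetBIOS/SMB traffic (tcp/udp 137-139 and 445) from the LAN
    # leave over ppp0.
    ipchains -A forward -i ppp0 -p tcp -s 192.168.0.0/24 -d 0/0 137:139 -j DENY
    ipchains -A forward -i ppp0 -p udp -s 192.168.0.0/24 -d 0/0 137:139 -j DENY
    ipchains -A forward -i ppp0 -p tcp -s 192.168.0.0/24 -d 0/0 445 -j DENY
    ipchains -A forward -i ppp0 -p udp -s 192.168.0.0/24 -d 0/0 445 -j DENY

    # IP Masquerade for everything else forwarded from the LAN; -l logs the
    # matching packets.
    ipchains -A forward -s 192.168.0.0/24 -j MASQ -l

    # Enable IP Forward -- done last, now that the forward chain is populated.
    echo 1 > /proc/sys/net/ipv4/ip_forward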
    
  3. Edit the startup script /etc/init.d/ipchains to handle IP forwarding

  4. #!/bin/bash
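    #
    # Startup script to implement /etc/sysconfig/ipchains pre-defined rules.
    #
    # chkconfig: 2345 08 92
    #
    # description: Automates a packet filtering firewall with ipchains.
    #
    # Script Author:        Joshua Jensen <joshua@redhat.com>
    #   -- hacked up by gafton with help from notting
    #
    # config: /etc/sysconfig/ipchains
    #
    # Usage: ipchains {start|stop|restart|status|panic|save}
    #   start   - flush existing rules, load the config file, then enable forwarding
    #   stop    - disable forwarding, flush rules, reset built-in policies to ACCEPT
    #   restart - same as start (the rule set is reloaded from scratch)
    #   status  - list the current rules
    #   panic   - set every built-in policy to DENY and flush all rules
    #   save    - dump the running rules to the config file

    # This is an interactive program, we need the current locale

    [ -f /etc/profile.d/lang.sh ] && . /etc/profile.d/lang.sh

    if [ "$LANG" = "ja" ] || [ "$LANG" = "ja_JP.eucJP" ]; then
        # Japanese cannot be displayed on the plain console at boot time,
        # so force LANG=C there.
        if [ "$TERM" = "linux" ]; then
            LANG=C
        fi
    fi

    # Source 'em up (provides action/success/failure)
    . /etc/init.d/functions

    IPCHAINS_CONFIG=/etc/sysconfig/ipchains
    IP_FORWARD=/proc/sys/net/ipv4/ip_forward

    if [ ! -x /sbin/ipchains ]; then
        exit 0
    fi

    # Major/minor kernel version: ipchains needs 2.2 or later, and on 2.4 the
    # ipchains compatibility module must be loaded first.
    KERNELMAJ=$(uname -r | sed -e 's,\..*,,')
    KERNELMIN=$(uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,')

    if [ "$KERNELMAJ" -lt 2 ]; then
        exit 0
    fi
    if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 2 ]; then
        exit 0
    fi

    if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -eq 4 ]; then
        if [ ! -f /proc/net/ip_fwchains ]; then
            modprobe ipchains >/dev/null 2>&1 || exit 0
        fi
    fi

    # Strip comment and blank lines from the saved config and feed the rest
    # to ipchains-restore.  Returns ipchains-restore's exit status.
    load_rules() {
        grep -v "^[[:space:]]*#" "$IPCHAINS_CONFIG" | grep -v '^[[:space:]]*$' \
            | /sbin/ipchains-restore -p -f
    }

    case "$1" in
      start)
            # don't do squat if we don't have the config file
            if [ -f "$IPCHAINS_CONFIG" ]; then
                # If we don't clear these first, we might be adding to
                #  pre-existing rules.
                action $"Flushing all current rules and user defined chains:" ipchains -F
                action $"Clearing all current rules and user defined chains:" ipchains -X
                ipchains -Z
                echo -n $"Applying ipchains firewall rules: "
                if load_rules; then
                    success $"Applying ipchains firewall rules"
                    # Forwarding is switched on only after the rule set is in
                    # place, so packets are never relayed under the bare ACCEPT
                    # policy, and never at all when no config file exists.
                    echo 1 > "$IP_FORWARD"
                else
                    failure $"Applying ipchains firewall rules"
                fi
                echo
                touch /var/lock/subsys/ipchains
            fi
            ;;

      stop)
            # Forwarding goes off before the rules are removed.
            echo 0 > "$IP_FORWARD"
            action $"Flushing all chains:" ipchains -F
            action $"Removing user defined chains:" ipchains -X
            echo -n $"Resetting built-in chains to the default ACCEPT policy:"
            if ipchains -P input ACCEPT \
                && ipchains -P forward ACCEPT \
                && ipchains -P output ACCEPT; then
              success $"Resetting built-in chains to the default ACCEPT policy"
            else
              failure $"Resetting built-in chains to the default ACCEPT policy"
            fi
            echo
            rm -f /var/lock/subsys/ipchains
            ;;

      restart)
            # "restart" is really just "start" as this isn't a daemon,
            #  and "start" clears any pre-defined rules anyway.
            #  This is really only here to make those who expect it happy
            "$0" start
            ;;

      status)
            ipchains -nL
            ;;

      panic)
            # DENY policies first so nothing passes while the chains are emptied.
            echo -n $"Changing target policies to DENY: "
            if ipchains -P input DENY \
                && ipchains -P forward DENY \
                && ipchains -P output DENY; then
              success $"Changing target policies to DENY"
            else
              failure $"Changing target policies to DENY"
            fi
            echo
            action $"Flushing all chains:" ipchains -F
            action $"Removing user defined chains:" ipchains -X
            ;;

      save)
            echo -n $"Saving current rules to $IPCHAINS_CONFIG: "
            # Dump to a scratch file first, so a failed ipchains-save cannot
            # leave a truncated config behind (an empty config loads as "no
            # rules", i.e. a wide-open ACCEPT firewall on the next start).
            tmp_config="$IPCHAINS_CONFIG.tmp"
            if /sbin/ipchains-save > "$tmp_config" 2>/dev/null \
                && mv -f "$tmp_config" "$IPCHAINS_CONFIG"; then
              success $"Saving current rules to $IPCHAINS_CONFIG"
            else
              rm -f "$tmp_config"
              failure $"Saving current rules to $IPCHAINS_CONFIG"
            fi
            echo
            ;;

      *)
            # plain echo does not interpret "\n", so no trailing escape here
            echo $"Usage: $0 {start|stop|restart|status|panic|save}"
            exit 1
    esac

    exit 0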
    
    
  5. Save the ipchains rules and restart the service

  6. # /etc/init.d/ipchains save
    Saving current rules to /etc/sysconfig/ipchains:           [  OK  ]
    # /etc/init.d/ipchains restart
    Flushing all current rules and user defined chains:        [  OK  ]
    Clearing all current rules and user defined chains:        [  OK  ]
    Applying ipchains firewall rules:                          [  OK  ]
    
  7. Run ipchains automatically when the server is restarted

  8. # ntsysv
    

Confirmation

# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ------  192.168.0.0/24       anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
DENY       tcp  ------  192.168.0.0/24       anywhere              any ->   netbios-ns:netbios-ssn
DENY       udp  ------  192.168.0.0/24       anywhere              any ->   netbios-ns:netbios-ssn
DENY       tcp  ------  192.168.0.0/24       anywhere              any ->   445
DENY       udp  ------  192.168.0.0/24       anywhere              any ->   445
MASQ       all  ----l-  192.168.0.0/24       anywhere              n/a
Chain output (policy ACCEPT):
