pc/linux tcp/ip problems..

Tyler Booth ty at rebol.com
Tue Jan 25 17:23:42 PST 2000


David Johnson wrote:

> yeah, i agree.
> so i deleted all routes pertaining to 192.168.0.* and replaced it with one route
> command
> suggested by 'ME' i believe the
> route add -net 192.168.0.0 netmask 255.255.255.0 eth1
> command did the trick.. :)
> now additionally, I am installing proFTPD ... any comments?
> and if anyone is familiar with it there are two versions.. and i386 and an i686 version
>
> i would presume that would be a 486 and a pentium version correct?

Close, a 386 and a Pentium Pro or higher (Pentium II, Pentium III).

Another good thing to do with security in mind (you can't be too paranoid....)
is to set up some IP filtering rules. I'm assuming, because you're using masquerading,
that you're already using ipchains. I use this script in my startup to handle a few
security measures.....


/etc/rc.d/rc.firewall:


#!/bin/bash

### This section starts up IP spoofing protection on all your interfaces.....

echo -n "Starting Spoof Protection..."
# Setup Spoofing Protection (reverse-path filtering: the kernel drops packets whose
# source address would not be routed back out the interface they arrived on)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
   done
else
   echo "PROBLEMS SETTING UP SPOOFING PROTECTION, BE WORRIED!"
   echo "CONTROL-D will exit this shell and continue startup."
   echo
# Start single user shell on console (CONSOLE is normally exported by the init
# scripts; fall back to /dev/console if it is not set)
   /sbin/sulogin ${CONSOLE:-/dev/console}
fi
echo "done."

### Start of ip filter rules....

echo -n "Setting IP filter rules..."
# Flush existing rules and user chains so the script can be re-run safely
# (otherwise the 'ipchains -N' lines below fail on a chain that already exists)
ipchains -F
ipchains -X

# First set default rules, deny EVERYTHING (input and forward) except the loopback
# interface. Loopback is 127.0.0.0/8, not /24.

ipchains -P input DENY
ipchains -P forward DENY
ipchains -A input -i lo -s 127.0.0.0/8 -j ACCEPT

### This is old and not needed for most systems but it's good protection for some....
# Deny "Ping-of-death" packets (ICMP fragments). Placed before the per-interface
# chains so that it is actually reached.
ipchains -A input -p icmp -f -l -j DENY

# Set Filtering Rules for eth0 interface (internal net)
# Create a new chain for eth0 interface
ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in

# Set filtering rules for eth0: log and drop spoofed loopback addresses first, then
# accept the internal net (-b also adds the mirrored rule, so the deny must come first)
ipchains -A eth0-in -s 127.0.0.0/8 -l -j DENY
ipchains -A eth0-in -b -s 192.168.0.0/24 -j ACCEPT

# Set Filtering Rules for eth1 interface (external DSL net)
# Create a new chain for eth1 interface
ipchains -N eth1-in
ipchains -A input -i eth1 -j eth1-in

# Set filtering rules for eth1. Order matters: ipchains stops at the first match,
# so the spoof deny comes first, the optional service accepts next, then the
# SYN deny, and the catch-all accept last.
ipchains -A eth1-in -s 127.0.0.0/8 -l -j DENY

### Uncomment to allow inbound sendmail connections
# (match the destination port with -d; '-s 0/0 25' would match the *source* port)
#ipchains -A eth1-in -p tcp -d 0/0 25 -y -j ACCEPT

### Uncomment to allow inbound www connections
#ipchains -A eth1-in -p tcp -d 0/0 80 -y -j ACCEPT

### Uncomment to allow inbound ftp connections
#ipchains -A eth1-in -p tcp -d 0/0 20 -y -j ACCEPT
#ipchains -A eth1-in -p tcp -d 0/0 21 -y -j ACCEPT

# Deny (and log) all other new connections (SYN packets) on the external (DSL) interface
ipchains -A eth1-in -p tcp -y -l -j DENY

# Accept everything else arriving on eth1 (replies to connections we opened)
ipchains -A eth1-in -s 0/0 -j ACCEPT

### And lastly, forward internal packets to external interface and Masquerade!
# Set ip forwarding for local network to internet
ipchains -A forward -p udp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p icmp -s 192.168.0.0/24 -j MASQ

echo "done."
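The script above depends on ipchains stopping at the first matching rule, so the order of the rules decides what actually gets filtered. As an added illustration that is not part of the original message, here is a small Python model of that evaluation (constructed rules and sample packets; it does not call ipchains and only models -i, -p, -s, destination port and -y) showing why a per-port accept placed behind a broader SYN deny, or a loopback-spoof deny placed behind a catch-all accept, never fires, and how reordering the same rules fixes it.

```python
from ipaddress import ip_address, ip_network

rule = lambda target, **crit: (target, crit)   # (target, match criteria)

def matches(crit, pkt):
    # Every criterion must hold: ipchains ANDs -i, -p, -s, port and -y.
    for key, want in crit.items():
        if key == "src":
            ok = ip_address(pkt["src"]) in ip_network(want)
        elif key == "syn":                      # -y: SYN packets only
            ok = bool(pkt.get("syn")) == want
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def evaluate(chains, chain, pkt, policy="DENY"):
    # First match wins; a user chain with no match returns to its caller.
    for target, crit in chains[chain]:
        if not matches(crit, pkt):
            continue
        if target in ("ACCEPT", "DENY", "REJECT"):
            return target
        verdict = evaluate(chains, target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy

LO_OK = rule("ACCEPT", iface="lo", src="127.0.0.0/8")
# As posted: SYN deny in `input` ahead of the jump, catch-all accept first in eth1-in.
AS_POSTED = {
    "input": [LO_OK, rule("DENY", iface="eth1", proto="tcp", syn=True),
              rule("eth1-in", iface="eth1")],
    "eth1-in": [rule("ACCEPT", src="0.0.0.0/0"), rule("DENY", src="127.0.0.0/8"),
                rule("ACCEPT", proto="tcp", dport=25, syn=True)],   # "allow sendmail"
}
# Same rules ordered so each can fire: specific rules first, catch-all accept last.
REORDERED = {
    "input": [LO_OK, rule("eth1-in", iface="eth1")],
    "eth1-in": [rule("DENY", src="127.0.0.0/8"), rule("ACCEPT", proto="tcp", dport=25, syn=True),
                rule("DENY", proto="tcp", syn=True), rule("ACCEPT", src="0.0.0.0/0")],
}
# Constructed sample packets arriving on eth1 (203.0.113.0/24 is documentation space).
PACKETS = {
    "smtp_syn": dict(iface="eth1", proto="tcp", src="203.0.113.5", dport=25, syn=True),
    "spoofed_loopback": dict(iface="eth1", proto="tcp", src="127.0.0.1", dport=80, syn=False),
}
def verdicts(chains):
    return {name: evaluate(chains, "input", pkt) for name, pkt in PACKETS.items()}
```

With the posted order the SMTP SYN is denied and the spoofed loopback packet is accepted; with the reordered chain the verdicts are reversed.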