HOWTO: Setup a Linux IP Masquerade



peepee
02-21-2002, 01:53 PM
This guide I'm writing for dummies... like me. It is not an exhaustive work on iptables, masquerading, or anything at all.

But it works cut'n'paste on Red Hat 7.2 (2.4.x kernels).

Please let me know if you try this and it's not working for you, post here.

---cut---

I read a user was having problems setting up his IP Masq in his Linux box, and I want to share the way I do it - this is good up to the out-of-box release of Red Hat 7.0, I am about to install 7.2 now so as to run showeq (need the libs), so I'll let you know if it works.

If you have a script to share for your IP Masq, please post it here, I would like to see how other people do it... mine uses IPChains, but through a wrapper for the old ipfwadm (which is what I have used for years)...

As a side note: It is very rude to tell people they don't know what they are doing without at least providing an answer - any loser can pretend he knows what he is talking about - and that's all you are if you just talk trash and don't add value (do a query in the showeq forums on 'masq' and you'll see what I mean).

Argueing on the internet is like playing in the special olympics - You might win, but you're still a retard.

Anyways, how it works:

1) Get 2 eth cards of the same make/model - I recommend buying the oldest 3com cards the store has (thus adding to the chance your modules are included in your distribution). Or just check ahead to see what eth cards are supported by your distribution, then make a list and take it to the store - check your vendor's (like RedHat's) website, or just go to google and query on 'linux ethernet module' OR just buy 3com (lazy way, 98% accuracy).

2) Install linux like normal, load everything if you have drive space, otherwise look at the FAQ on setting up for showeq later on at the showeq forum.

3) So setup your network using the menus provided, plugging in your info (IP, GW, etc).

4) Test your internet connection directly on your box - good so far? Proceed. If not you have to mess with it here - you need a standalone connection before you can proceed... Use linuxconf or netcfg for menu programs and ifconfig -a at the command line for quick info (there is a lot more you can do, but if you can set up a windows single eth connection, this isn't much harder).

5) Ok now that we have a box talking to the internet, you need to go to the store and buy 1 crossover cable and 1 patch cable (at least) and 1 dummy hub. Any old hub will work, I use an Intel 8 port one, but I have a couple old big time fancy NT routers that I have used. I just don't want the extra noise of their fans running.

6) Crossover cable goes from your second card to your hub. Patch cable goes from the hub to the other PC you want on your network.

7) Now check your path on your linux box: echo $PATH and find a spot you want to create your little startup script for your ip masq - I use /usr/sbin (sbin usually relates to networking type bins, but whatever). Make a new file there, with these lines (can't make up your mind what to call it - try "mymasq"):

#!/bin/sh
# eth1 is the LAN side. Its address must be the gateway you give the other
# PCs in step 10 (192.168.1.1), and the broadcast must be the network's own
# broadcast address (192.168.1.255), not 0.0.0.255.
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0
# Forwarding policy: deny by default, then masquerade everything from the LAN
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0
echo "1" > /proc/sys/net/ipv4/ip_forward

8) chmod +x on that file you just created.

9) run that file.

10) Go to the other pc that is all plugged in and ready to go.

Change its IP to: 192.168.1.2
Change its GW to: 192.168.1.1 (which is your linux box's second eth adapter - eth1)

DNS info can stay 'real' - in other words whatever your DNS is that your linux box is talking to. Hostname can be the same as your linux box too.

11) Reboot the pc that you just created as a masquerade endpoint (from 10).

12) Test that pc, you should be connected.

The only thing you won't be able to do on your masq endpoints (make as many as you want, follow step 10, just change their IP by 1 on the last number like .3 .4 .5, etc etc) is host many games

I am not that smart, if someone could add info on freeing up ports (depending on the game's port that is required) please add it here.

What you can do is JOIN any game, like EQ, and you can run packet sniffing software, like showeq, on your linux box and it will work (assuming that is setup right). I do it you can too!

Can someone please copy and paste this to the showeq forums?

Also can someone please add alternative scripts to my script here - using maybe more secure methods? I know there are other ways, but I am not that smart to know them all.

---

Ok, time for a follow up and some error correction:

echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/ipfwadm-wrapper -F -p deny
/sbin/ipfwadm-wrapper -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0

1) Put the echo command as the first thing in order to enable port forwarding at all.

2) Change the ipfwadm calls to ipfwadm-wrapper (this is really an ipchains call, using a wrapper to emulate old ipfwadm protocols).

Works fine for kernels 2.3 and older - 2.4 screws us all by ignoring all ipchains protocol calls... you MUST rewrite everything to iptables now. I am gonna have a talk with Linus and straighten him out. This was crude and rude and not in the spirit of linux legacy coverage at all.

So anyways, I moved to the 21st century and ripped and hacked together an iptables script for masquerading. Here it is:

#!/bin/sh

#config IPMASQ
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0

IPTABLES="/sbin/iptables"

#Time to clean house

#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward


#Our actual rules

#Our NAT stuff

#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

#$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#These are port-forwarding examples for several different cases.
#These map the specified ports to the specified ip address.
#
#This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1
#
#These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1


#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP

#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP


#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall

#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
#
#$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT

#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Drop port 137 netbios packets silently (comment the rule out if you want
#them logged). We don't like that netbios stuff, and it's way too spammy
#with windows machines on the network.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall

This works. Just make sure your showeq.conf file has the IP (192.168.1.x) cast and eth1 (assuming eth1 is your GW nic).
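Added example, not code from peepee's post or anyone else in this thread: the scripts above run one iptables call per rule, so for the moment between the -F flush and the last -A there is no policy in place, and they all leave FORWARD at ACCEPT, which means the box forwards anything that reaches it from either side. This version builds the whole gateway policy as one iptables-restore ruleset (loaded atomically), filters FORWARD by connection state, and pairs every DNAT port forward with the FORWARD rule it needs. It assumes eth0 is the Internet side, eth1 the LAN side, 192.168.1.0/24 the LAN (override with WAN_IF, LAN_IF, LAN_NET), and it introduces a hypothetical PORT_FORWARDS variable of the form "proto/port/insidehost". It does not configure eth1's address; keep the ifconfig lines from the posted scripts for that.

```shell
#!/bin/sh
# Added example (not from the thread). Generate the whole masquerading policy
# in iptables-restore format so it loads atomically, with a default-DROP
# FORWARD chain. Assumptions: eth0 faces the Internet, eth1 the LAN,
# LAN is 192.168.1.0/24. PORT_FORWARDS is a hypothetical space-separated
# list of proto/port/insidehost entries (port may be a range a:b).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PORT_FORWARDS="${PORT_FORWARDS:-}"

# Split one "proto/port/host" entry into PF_PROTO, PF_PORT, PF_HOST.
split_pf() {
    PF_PROTO=${1%%/*}; rest=${1#*/}
    PF_PORT=${rest%%/*}; PF_HOST=${rest#*/}
}

nat_table() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for pf in $PORT_FORWARDS; do
        split_pf "$pf"
        echo "-A PREROUTING -i $WAN_IF -p $PF_PROTO --dport $PF_PORT -j DNAT --to-destination $PF_HOST"
    done
    # MASQUERADE re-reads the outgoing interface address, so a DHCP or PPP
    # address change needs no rule change. Restricting it to LAN sources means
    # the box never masquerades traffic that merely transits it from elsewhere.
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo 'COMMIT'
}

filter_table() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':badflags - [0:0]'
    echo ':dropwall - [0:0]'
    echo '-A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:'
    echo '-A badflags -j DROP'
    echo '-A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:'
    echo '-A dropwall -j DROP'
    echo '-A INPUT -i lo -j ACCEPT'
    # Anti-spoofing: a LAN source address can never legitimately arrive on eth0.
    echo "-A INPUT -i $WAN_IF -s $LAN_NET -j dropwall"
    echo "-A FORWARD -i $WAN_IF -s $LAN_NET -j dropwall"
    for chain in INPUT FORWARD; do
        echo "-A $chain -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags"
        echo "-A $chain -p tcp --tcp-flags ALL ALL -j badflags"
        echo "-A $chain -p tcp --tcp-flags ALL NONE -j badflags"
        echo "-A $chain -p tcp --tcp-flags SYN,RST SYN,RST -j badflags"
        echo "-A $chain -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags"
        # Replies to connections the box or the LAN opened. ICMP errors for
        # those connections (unreachable, time exceeded) arrive as RELATED,
        # so they need no separate per-type ICMP rules.
        echo "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # The LAN may open new connections outward only.
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    # DNAT already ran in PREROUTING, so the FORWARD rule must match the
    # rewritten inside destination, not the public address.
    for pf in $PORT_FORWARDS; do
        split_pf "$pf"
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p $PF_PROTO -d $PF_HOST --dport $PF_PORT -m state --state NEW -j ACCEPT"
    done
    # The gateway itself: ssh from the LAN only (assumed), rate-limited ping.
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT'
    echo '-A INPUT -j dropwall'
    echo '-A FORWARD -j dropwall'
    echo 'COMMIT'
}

build_ruleset() { nat_table; filter_table; }

# "sh mymasq.sh" prints the ruleset for review; "sh mymasq.sh apply" loads it.
if [ "${1:-}" = apply ]; then
    build_ruleset | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward
else
    build_ruleset
fi
```

Run it with no argument first and read the output; then "PORT_FORWARDS='udp/2300:2400/192.168.1.2' sh mymasq.sh apply" as root loads it in one shot. Because FORWARD defaults to DROP, an inside host is only reachable from outside through a listed port forward, and since ip_forward is only turned on after the ruleset is in place there is no moment where the box forwards unfiltered.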

KennySP
02-21-2002, 02:21 PM
Buying 2 ethernet cards is a waste, Linux supports ICMP redirection and IP aliasing. Just use one Card and 2 IP Addresses would work just as well with a hub in the middle.

then you have eth0:0 and eth0:1

KennySP

peepee
02-21-2002, 03:23 PM
Good idea Kenny. My rig is a p166 that goes back to Red Hat 5.0, I didn't even know about virtual IPs (did it on some SUNs at work by request) until 1999 :)

Please keep adding your ideas and comments here and bump if you like this thread... I know a lot of people have questions and just want a quick and dirty way to get running.

Cryonic
02-22-2002, 01:40 AM
The 2.4 series kernels can use IPchains. If you built your own kernel from scratch then you must have missed the option in the networking section. If you are using a prebuilt kernel (like from RH) it might have it compiled in, but IPtables is getting loaded first, so ipchains isn't used. Unload the iptables module and load up the ipchains module.

insmod, rmmod, lsmod are your friends.

peepee
02-22-2002, 06:29 AM
Cryonic - That's interesting, whenever I tried my simple ipfwadm-wrapper script or a much more verbose and detailed ipchains script I got protocol not available, which tells me it isn't in the kernel - I built this kernel out of the box, but selecting all packages by hand - but I don't remember what packages specific to ipchains there were, but I think I saw some.

Well, either way I am not begrudging getting an iptables script working, it is the wave of the future, and I know I am a bad one for not changing stuff that I already got working unless I absolutely have to :)

S_B_R
02-22-2002, 10:01 AM
I would suggest that you do use IPTables. It's a much more robust solution than IPChains. Just for example IPTables has Stateful packet inspection, while IPChains is Stateless. More info on iptables (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2817396,00.html)

Cryonic
02-22-2002, 01:33 PM
You can't have iptables and ipchains loaded at the same time. I listed 3 commands in my last post for a reason.

dbrot
03-05-2002, 08:32 PM
I took PeePee's iptables how-to and added a few lines. Added some rmmod and insmod so you don't have to recompile your kernel to support iptables. Recompiling takes a long time on a slow machine. Anyways I tried this script using RH 7.2 and EQ does zone properly and works great.

Just cut and paste it into gedit and save it as /etc/rc.d/rc.firewall or what ever name you want. Chmod the permissions to 755 to make it an executable. And add /etc/rc.d/rc.firewall to your rc.local file to startup automatically.

#!/bin/sh
# You could either run this simple script or do the long way and recompile your kernel with IPTABLES.

# Turn off/flush IPCHAINS (errors are ignored if it was never loaded)
/sbin/ipchains -F 2>/dev/null

# Remove IPCHAINS mod; it cannot stay loaded alongside IPTABLES
/sbin/rmmod ipchains 2>/dev/null

# Insert IPTABLES mods. modprobe resolves module dependencies (insmod does not);
# the nat, mangle, state and limit modules get loaded by iptables itself on first use.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter

# Clear out any existing firewall rules, and any chains that might have been created
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X

# Setup our policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# This enables ip forwarding, and thus by extension, NAT. Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the ppp0 or eth0 (external) interface to be the given IP. If you have a dynamic ip or a DHCP ip that changes semi-regularly, comment this and uncomment the second line
#
# Remember to change the ip address to your static ip

#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

# Use this for dhcp assigned IP addresses (ppp0=1st modem/ eth0=1st nic which is your external connection to the internet)
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Now, our firewall chain. We use the limit commands to cap the rate at which it alerts to 15 log messages per minute
/sbin/iptables -N firewall
/sbin/iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
/sbin/iptables -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter
/sbin/iptables -N dropwall
/sbin/iptables -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
/sbin/iptables -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain
/sbin/iptables -N badflags
/sbin/iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
/sbin/iptables -A badflags -j DROP

# And our silent logging chain
/sbin/iptables -N silent
/sbin/iptables -A silent -j DROP

# Accept ourselves (loopback interface), 'cause we're all warm and friendly
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Drop those nasty packets! These are all TCP flag combinations that should never, ever occur in the wild. All of these are illegal combinations that are used to attack a box in various ways, so we just drop them and log them here.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j firewall

# Lets do some basic state-matching. This allows us to accept related and established connections, so client-side things like ftp work properly, for example.
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop port 137 netbios packets silently (comment the rule out if you want them logged). We don't like that netbios stuff, and it's way too spammy with windows machines on the network.
/sbin/iptables -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
/sbin/iptables -A INPUT -j dropwall


If I missed anything please post a comment.

dbrot
05-28-2003, 04:06 PM
I use this firewall config with RH9. I tested it on the GRC.com port scan and the ports came up as stealthed.

Cut and paste it into gedit and save it as /etc/rc.d/rc.firewall or what ever name you want. Chmod the permissions to 755 to make it an executable. And add /etc/rc.d/rc.firewall to your rc.local file to startup automatically.
_______________________________________________


#!/bin/sh
#
# Clear out any existing firewall rules, and any chains that might have been created
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X

# Setup our policies

#If running Squid the INPUT must be ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# This enables ip forwarding, and thus by extension, NAT. Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

# Use this for dhcp assigned IP addresses (ppp0=1st modem/ eth0=1st nic which is your external connection to the internet)
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Accept ourselves (loopback interface), 'cause we're all warm and friendly
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Drop those nasty packets! These are all TCP flag combinations that should never, ever occur in the wild. All of these are illegal combinations that are used to attack a box in various ways, so we just drop them and log them here.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop icmp
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j DROP
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j DROP
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j DROP
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
/sbin/iptables -A INPUT -p icmp -j DROP

# Lets do some basic state-matching. This allows us to accept related and established connections, so client-side things like ftp work properly, for example.
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop port 135-139 netbios packets. We don't like that netbios stuff, and it's way too spammy with windows machines on the network.

/sbin/iptables -A INPUT -i ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A FORWARD -i ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A FORWARD -o ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A OUTPUT -o ppp0 -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A INPUT -i ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A FORWARD -i ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A FORWARD -o ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP
/sbin/iptables -A OUTPUT -o ppp0 -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP

#Drops all Incoming/Forward/Outgoing requests on specific ports.
#Remove the following ports if you are running that server.
#Ports 21=ftp/23=telnet/25=smtp/79=finger/80=http/110=pop3/113=ident/143=imap/443=https/5000=UPnP

/sbin/iptables -A INPUT -i ppp0 -p tcp -m multiport --dport 21,23,25,79,80,110,113,143,443,5000 -j DROP
/sbin/iptables -A FORWARD -i ppp0 -p tcp -m multiport --dport 23,25,79,110,113,143,5000 -j DROP
/sbin/iptables -A FORWARD -o ppp0 -p tcp -m multiport --dport 23,25,79,110,113,143,5000 -j DROP
/sbin/iptables -A OUTPUT -o ppp0 -p tcp -m multiport --dport 23,25,79,110,113,143,5000 -j DROP
/sbin/iptables -A INPUT -i ppp0 -p udp -m multiport --dport 21,23,25,79,80,110,113,143,443,5000 -j DROP
/sbin/iptables -A FORWARD -i ppp0 -p udp -m multiport --dport 23,25,79,110,113,143,5000 -j DROP
/sbin/iptables -A FORWARD -o ppp0 -p udp -m multiport --dport 23,25,79,110,113,143,5000 -j DROP
/sbin/iptables -A OUTPUT -o ppp0 -p udp -m multiport --dport 23,25,79,110,113,143,5000 -j DROP

# Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
#/sbin/iptables -A INPUT -j DROP

Ratt
05-28-2003, 05:47 PM
If you are running Gentoo, do this:

#emerge monmotha

Edit the config file and put your ip address in there.

#/etc/init.d/monmotha start
#rc-update add default monmotha

You are done and have a robust firewall.

junk
05-29-2003, 08:19 AM
I don't know what happened to them, but http://ipmasq.cjb.net/ was the Linux IP Masquerading bible. They're gone, but thankfully I saved the site. =) You can get it here (in one big honkin' HTML file):

ipmasq.zip (http://www.geocities.com/fts616/ipmasq.zip)

(Edit: maybe I should read my own shit sometimes. Dranch's Homepage (http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#ipmasq))

myseqnewb
06-01-2003, 06:16 AM
Glad to see my post is still serving some purpose a year later (sorry the peepee account is hosed, I can't login or get a password reset on it - this forum is one of the biggest pains to get an account setup and running on).

panna
06-02-2003, 06:25 AM
http://ipmasq.cjb.net/ is now at: http://www.e-infomax.com/ipmasq/

Good luck with your Masqings ;)