Gentoo Forums
IP Masquerade in Gentoo configurations (mini-mini-mini-howto
dingo
Joined: 18 Aug 2002
Posts: 58

PostPosted: Mon Aug 26, 2002 1:55 am    Post subject: IP Masquerade in Gentoo configurations (mini-mini-mini-howto Reply with quote

I looked through the forums for help on setting up a Masquerade box a few days ago, and found a lot of questions and answers for bits and pieces of information on the subject. Since the IP-Masquerade-Howto is pretty hefty and 90% irrelevant to a 2.4 gentoo linux install and is not gentoo-specific on how to enable/disable iptables with gentoo rc scripts, I thought I would just post my configurations... and maybe prevent future questions.

Packages:
emerge dhcpcd (if you're connected to a dhcp server)
emerge iptables (absolutely required)
emerge xinetd (not needed, but recommended for a server with daemons)

Kernel: (cut from /usr/src/linux/.config)

#
# Networking options
#
CONFIG_PACKET=m
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
# CONFIG_IP_NF_MATCH_TOS is not set
CONFIG_IP_NF_MATCH_AH_ESP=m
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
CONFIG_IP_NF_MATCH_STEALTH=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_ARPTABLES is not set
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y

notice the large amount of unnecessary modules ^_*, even though we won't be using any of them it's cool, if we want stuff later we can add them. compile and install your kernel & modules (duh)

/etc/init.d/iptables Configuration:

start() {
	ebegin "Loading iptables state and starting firewall"
	# This variable is set in /etc/conf.d/iptables
	if [ ! -f ${IPTABLES_SAVE} ]
	then
		einfo "Not starting iptables. First create some rules then run"
		einfo "iptables-save > ${IPTABLES_SAVE}"
	else
		/sbin/iptables-restore < ${IPTABLES_SAVE}
		# Turn on routing between the internal and external interfaces
		echo "1" > /proc/sys/net/ipv4/ip_forward
		# IRC Capabilities (connection-tracking and NAT helpers)
		/sbin/modprobe ip_nat_irc
		/sbin/modprobe ip_conntrack_irc
		# FTP Capabilities
		/sbin/modprobe ip_nat_ftp
		/sbin/modprobe ip_conntrack_ftp
	fi
	eend $?
}


The /etc/conf.d/iptables that comes with gentoo is hella-weak, and so is the init.d/iptables, I modified my /etc/init.d/iptables to enable/disable ipv4/ip_forward and modprobe some modules for FTP and IRC support. I probably over-did it, but modprobe doesn't care.

/etc/conf.d/net Configurations:

iface_eth0="192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0"
iface_eth1="10.0.0.1 broadcast 255.255.255.255 netmask 255.255.0.0"
# ^-temporary until dhcpcd runs and probably isn't needed

iface_eth1="dhcp"


Gentoo-suggested security measures with /proc sysctl:

# basic kernel-level security:
echo "Configuring /proc/sys/net for network security..."
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies


Where these go is up to you, I put them in /etc/init.d/net.eth1, because I only really need this sort of security if I'm connected to the internet. It could probably go into init.d/iptables too, and modified to turn them on/off in start() and stop() if you like.
I just want to stress that this disables icmp echo requests, so if you're following along with the masquerade howto and for some reason you can't ping the server from the client, it's likely because icmp is disabled. I tested mine by ssh or nmap.

/var/lib/iptables/rules-save Configuration:

# Generated by iptables-save v1.2.7 on Sun Aug 25 14:56:42 2002
*nat
:PREROUTING ACCEPT [85:7923]
:POSTROUTING ACCEPT [2:144]
:OUTPUT ACCEPT [3:228]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Aug 25 14:56:42 2002
# Generated by iptables-save v1.2.7 on Sun Aug 25 14:56:42 2002
*filter
:INPUT ACCEPT [91:15604]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [59:9492]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Sun Aug 25 14:56:42 2002

This is the default (no firewalling really being done) settings that the masquerade howto suggests. I'm sure it would work if this was pasted straight to the rules-save file. Please keep in mind that eth0 is the INTERNAL network interface, and eth1 is the EXTERNAL.

You can also create these at the command prompt:
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


The client-side (gentoo linux) is very easy, just uncomment the last line in /etc/conf.d/net (gateway="eth0/192.168.0.1"). Windows varies, just add 192.168.0.1 to your gateway in tcp/ip settings for your specific network card. You still have to add your external network (ISP)'s DNS server to all of the local network clients (both linux and windows).

Hope this helps (and I hope the bb font codes worked), most definitely correct me if this is incomplete or wrong.

Just a reminder that you need to be very careful configuring your masquerade server. I suggest learning to use nmap, ettercap, and other security tools on your server from outside your local network to make sure your server isn't leaving its fly open.
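The rules-save above is, as the post says, not really firewalling: FORWARD is stateful, but the box itself keeps INPUT policy ACCEPT on the external interface. As an added example that is not part of the post, the following Python parses the same iptables-save format, reports what that rule set leaves open, and derives a version with a locked-down INPUT chain. Function names are mine, and the embedded dump is the post's rules with counters zeroed and the unused nat chain headers trimmed.

```python
def parse_save(text):  # iptables-save dump -> {table: {"policy": {chain: pol}, "rules": [...]}}
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *nat, *filter
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A "):
            cur["rules"].append(line)
    return tables

def audit(text, ext_if):
    """List what a masquerade box with these rules still leaves open."""
    t = parse_save(text)
    nat = t.get("nat", {"policy": {}, "rules": []})
    flt = t.get("filter", {"policy": {}, "rules": []})
    findings = []
    if not any(f"-o {ext_if}" in r and "-j MASQUERADE" in r for r in nat["rules"]):
        findings.append(f"no MASQUERADE rule for traffic leaving {ext_if}")
    if flt["policy"].get("INPUT") != "DROP":
        findings.append(f"INPUT policy is not DROP: the box itself answers on {ext_if}")
    elif not any(r.startswith("-A INPUT") and "ESTABLISHED" in r for r in flt["rules"]):
        findings.append("INPUT drops replies to the box's own outbound connections")
    return findings

def harden(text, int_if):
    """Same forwarding, but INPUT only takes lo, the LAN side and established replies.
    Assumes the dump layout below (an ':INPUT ACCEPT' line, FORWARD rules first)."""
    lan = (f"-A INPUT -i lo -j ACCEPT\n-A INPUT -i {int_if} -j ACCEPT\n"
           "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n")
    return text.replace(":INPUT ACCEPT", ":INPUT DROP").replace("-A FORWARD", lan + "-A FORWARD", 1)

# Constructed sample: the post's rules-save (eth0 internal, eth1 external), counters zeroed.
POSTED_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG
COMMIT
"""
```

`audit(POSTED_RULES, "eth1")` flags only the open INPUT policy; `harden(POSTED_RULES, "eth0")` yields a dump that audits clean and can be fed to iptables-restore the same way as the original.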
rac
Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

PostPosted: Mon Aug 26, 2002 4:49 am    Post subject: Reply with quote

Moving (with shadow) from Networking & Security to Documentation, Tips & Tricks.
k0nig
Joined: 09 Jun 2003
Posts: 3
Location: nebraska

PostPosted: Mon Sep 01, 2003 6:37 pm    Post subject: mines breaks Reply with quote

Mine breaks here:

Code:
netfilter.c:47: `NF_MAX_HOOKS' undeclared here (not in a function)
netfilter.c:56: parse error before "nf_queue_outfn_t"
netfilter.c:56: warning: no semicolon at end of struct or union
netfilter.c:58: parse error before '}' token
netfilter.c:58: warning: type defaults to `int' in declaration of `queue_handler'
netfilter.c:58: warning: data definition has no type or storage class
netfilter.c:64: warning: `struct nf_hook_ops' declared inside parameter list
netfilter.c:64: warning: its scope is only this definition or declaration, which is probably not what you want
netfilter.c: In function `nf_register_hook':
netfilter.c:69: dereferencing pointer to incomplete type
netfilter.c:69: dereferencing pointer to incomplete type
netfilter.c:70: dereferencing pointer to incomplete type
netfilter.c:70: dereferencing pointer to incomplete type
netfilter.c:72: dereferencing pointer to incomplete type
netfilter.c:72: dereferencing pointer to incomplete type
netfilter.c:75: dereferencing pointer to incomplete type
netfilter.c: At top level:
netfilter.c:84: warning: `struct nf_hook_ops' declared inside parameter list
netfilter.c: In function `nf_unregister_hook':
netfilter.c:87: dereferencing pointer to incomplete type
netfilter.c: At top level:
netfilter.c:98: warning: `struct nf_sockopt_ops' declared inside parameter list
netfilter.c: In function `nf_register_sockopt':
netfilter.c:108: dereferencing pointer to incomplete type
netfilter.c:108: dereferencing pointer to incomplete type
netfilter.c:109: dereferencing pointer to incomplete type
netfilter.c:109: dereferencing pointer to incomplete type
netfilter.c:110: dereferencing pointer to incomplete type
netfilter.c:110: dereferencing pointer to incomplete type
netfilter.c:111: dereferencing pointer to incomplete type
netfilter.c:111: dereferencing pointer to incomplete type
netfilter.c:112: dereferencing pointer to incomplete type
netfilter.c:112: dereferencing pointer to incomplete type
netfilter.c:123: dereferencing pointer to incomplete type
netfilter.c: At top level:
netfilter.c:129: warning: `struct nf_sockopt_ops' declared inside parameter list
netfilter.c: In function `nf_unregister_sockopt':
netfilter.c:134: dereferencing pointer to incomplete type
netfilter.c:138: dereferencing pointer to incomplete type
netfilter.c:143: dereferencing pointer to incomplete type
netfilter.c: In function `nf_sockopt':
netfilter.c:304: dereferencing pointer to incomplete type
netfilter.c:306: dereferencing pointer to incomplete type
netfilter.c:307: dereferencing pointer to incomplete type
netfilter.c:308: dereferencing pointer to incomplete type
netfilter.c:310: dereferencing pointer to incomplete type
netfilter.c:314: dereferencing pointer to incomplete type
netfilter.c:315: dereferencing pointer to incomplete type
netfilter.c:316: dereferencing pointer to incomplete type
netfilter.c:318: dereferencing pointer to incomplete type
netfilter.c:329: dereferencing pointer to incomplete type
netfilter.c:330: dereferencing pointer to incomplete type
netfilter.c:331: dereferencing pointer to incomplete type
netfilter.c: In function `nf_iterate':
netfilter.c:357: dereferencing pointer to incomplete type
netfilter.c: At top level:
netfilter.c:396: parse error before "nf_queue_outfn_t"
netfilter.c:397: warning: function declaration isn't a prototype
netfilter.c: In function `nf_register_queue_handler':
netfilter.c:401: `pf' undeclared (first use in this function)
netfilter.c:401: (Each undeclared identifier is reported only once
netfilter.c:401: for each function it appears in.)
netfilter.c:404: `outfn' undeclared (first use in this function)
netfilter.c: In function `nf_unregister_queue_handler':
netfilter.c:422: request for member `outfn' in something not a structure or union
netfilter.c:423: request for member `data' in something not a structure or union
netfilter.c: In function `nf_queue':
netfilter.c:442: request for member `outfn' in something not a structure or union
netfilter.c:447: dereferencing pointer to incomplete type
netfilter.c:456: dereferencing pointer to incomplete type
netfilter.c:457: warning: excess elements in struct initializer
netfilter.c:457: warning: (near initialization for `(anonymous)')
netfilter.c:457: warning: excess elements in struct initializer
netfilter.c:457: warning: (near initialization for `(anonymous)')
netfilter.c:457: warning: excess elements in struct initializer
netfilter.c:457: warning: (near initialization for `(anonymous)')
netfilter.c:457: warning: excess elements in struct initializer
netfilter.c:457: warning: (near initialization for `(anonymous)')
netfilter.c:457: warning: excess elements in struct initializer
netfilter.c:457: warning: (near initialization for `(anonymous)')
netfilter.c:457: warning: excess elements in struct initializer
netfilter.c:457: warning: (near initialization for `(anonymous)')
netfilter.c:463: request for member `outfn' in something not a structure or union
netfilter.c:463: request for member `data' in something not a structure or union
netfilter.c: At top level:
netfilter.c:540: warning: `struct nf_info' declared inside parameter list
netfilter.c: In function `nf_reinject':
netfilter.c:542: dereferencing pointer to incomplete type
netfilter.c:547: dereferencing pointer to incomplete type
netfilter.c:547: dereferencing pointer to incomplete type
netfilter.c:548: dereferencing pointer to incomplete type
netfilter.c:548: dereferencing pointer to incomplete type
netfilter.c:564: dereferencing pointer to incomplete type
netfilter.c:564: dereferencing pointer to incomplete type
netfilter.c:565: dereferencing pointer to incomplete type
netfilter.c:566: dereferencing pointer to incomplete type
netfilter.c:566: dereferencing pointer to incomplete type
netfilter.c:567: dereferencing pointer to incomplete type
netfilter.c:572: dereferencing pointer to incomplete type
netfilter.c:576: dereferencing pointer to incomplete type
netfilter.c:576: dereferencing pointer to incomplete type
netfilter.c:577: dereferencing pointer to incomplete type
netfilter.c:577: dereferencing pointer to incomplete type
netfilter.c:577: dereferencing pointer to incomplete type
netfilter.c:587: dereferencing pointer to incomplete type
netfilter.c:587: dereferencing pointer to incomplete type
netfilter.c:588: dereferencing pointer to incomplete type
netfilter.c:588: dereferencing pointer to incomplete type
netfilter.c: At top level:
netfilter.c:665: warning: `struct nf_ct_info' declared inside parameter list
netfilter.c: In function `netfilter_init':
netfilter.c:672: `NF_MAX_HOOKS' undeclared (first use in this function)
netfilter.c: At top level:
netfilter.c:47: storage size of `nf_hooks' isn't known
make[3]: *** [netfilter.o] Error 1
make[3]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r6/net/core'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r6/net/core'
make[1]: *** [_subdir_core] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r6/net'
make: *** [_dir_net] Error 2
