- Oct 10, 1999
- 9,286
- 15
- 81
I have posted this many times before, but thought I would post it without it being requested.
Install Linux. Configure your two NICs, www.linuxnewbie.org/nhf/intel/network/nicinstall.html (or modem, www.linuxnewbie.org/nhf/intel/modems/index.html, and NIC), with one external (WAN) IP and one internal IP.

Install "easyfw", www.linux-kheops.com/pub/easyfw/easyfwGB.html, and follow the directions given there.

Then create rc.firewall, w3.ihs.ac.at/~fetz/ipchains/HOWTO-4.html or www.linuxnewbie.org/nhf/intel/network/firewall.html, and this is an excellent configuration site/tool (thanks to Damaged for the reminder): http://www.linux-firewall-tools.com/linux/firewall/index.html

Then grab Portsentry and LogCheck here, www.psionic.com/, and use the instructions found here: www.linuxnewbie.org/nhf/intel/security/portsentry1.html. This should get you started and give you a VERY secure network and an easily configurable "router" for future services.

As far as port forwarding, download and install IPMASQADM, http://juanjox.kernelnotes.org/, and use these rules for allowing things like NAPSTER and GNUTELLA and many other services. Here are some examples, and BTW you can cut and paste these into your /etc/rc.d/rc.local file:
#Napster Rule
echo "Napster rule started....................."
# portfw forwards to a single host; 192.168.1.0 is the network address, so put the PC's LAN IP here
ipmasqadm portfw -a -P tcp -L <WAN IP> 6699 -R <LAN host IP> 6699
#Gnutella port forward rule.
echo "Gnutella rule started...................."
ipmasqadm portfw -a -P tcp -L <WAN IP> 6346 -R <LAN host IP> 6346
#FTP Rule
echo "Starting FTP portforwarding................"
ipmasqadm portfw -a -P tcp -L <WAN IP> 21 -R <server IP> 21
ipmasqadm portfw -a -P tcp -L <WAN IP> 20 -R <server IP> 20
#Terminal Server Rule
echo "Starting Terminal server rule..................."
ipmasqadm portfw -a -P tcp -L <WAN IP> 3389 -R <server IP> 3389
#VNC rule
echo "Start VNC rule......................"
ipmasqadm portfw -a -P tcp -L <WAN IP> 5900 -R <server IP> 5900
#Website rule
echo "HTTP forwarding......................."
ipmasqadm portfw -a -P tcp -L <WAN IP> 80 -R <server IP> 80
#Mail settings
echo "e-mail portforwarding........................"
ipmasqadm portfw -a -P tcp -L <WAN IP> 25 -R <server IP> 25
ipmasqadm portfw -a -P tcp -L <WAN IP> 110 -R <server IP> 110
ipmasqadm portfw -a -P tcp -L <WAN IP> 135 -R <server IP> 135
As you can see, you can forward almost any service that needs to be or can be "pinholed" through a firewall. Another important thing to remember is that NetBIOS is a major "leak" or indication of a network; add this to your rc.local as well.
# eth0 is the outside interface here; -y (the SYN test) and the port range are TCP matches, so -p tcp is given, and 192.168.1.0 needs the /24 mask to cover the LAN rather than one address
ipchains -A input -i eth0 -p tcp -y -s 0.0.0.0/0 -d 192.168.1.0/24 --destination-port 137:139 -j REJECT
This rule can also be done for other services as well. As far as types of services that will be automatically forwarded, here is the output of my lsmod:
Module Size Used by
ip_masq_vdolive 1232 0 (unused)
ip_masq_user 2408 0 (unused)
ip_masq_raudio 2896 1
ip_masq_quake 1252 0 (unused)
ip_masq_portfw 2352 13
ip_masq_mfw 3008 0 (unused)
ip_masq_irc 1456 0 (unused)
ip_masq_ftp 3696 0
ip_masq_cuseeme 1008 0 (unused)
ip_masq_autofw 2336 0 (unused)
3c59x 18632 2 (autoclean)
ipx 13500 1 (autoclean)
vfat 11004 0 (unused)
fat 32640 0 [vfat]
supermount 14880 2 (autoclean)
opl3 13896 0
sb 36884 0
uart401 6480 0 [sb]
sound 64184 0 [opl3 sb uart401]
soundlow 300 0 [sound]
soundcore 3524 6 [sb sound]
NOTICE that I have 13 instances of portfw in use, 1 raudio (RealPlayer or streaming content). The IRC also allows ICQ, and the quake module allows almost all internet games; I play TFC quite a lot and have not had a single problem with any Quake or UT. One other VERY important thing to do: open up "ksysv" and make sure that you disable all "r" services from starting on boot. There is a good NHF at linuxnewbie about shutting down unneeded or "leaky" services here: www.linuxnewbie.org/nhf/intel/security/armorlin.html

Again, this is all free, but don't think that it will be up and perfect overnight. It takes time, and soon you will have a better understanding of networking and firewalling. Here are some important rules that you might find useful for security.
#DENY a connection to the IPMASQ
ipchains -I input -s <WWW ip address> -j DENY -l
#IP filtering, for instance, you don't want someone to have access to services behind the firewall.
ipchains -A input -i eth0 -p tcp -y -s <www ip address/0> -d <LAN ip address> --destination-port <port number> -j REJECT
# Another way of "filtering" services that you have running but don't want connections to; this is a rule for filtering NetBIOS on my network.
# (-p tcp given because -y and the port range are TCP matches; /24 mask given so the whole LAN is covered, not just the address 192.168.1.0)
ipchains -A input -i eth0 -p tcp -y -s 0.0.0.0/0 -d 192.168.1.0/24 --destination-port 137:139 -j REJECT
There are many more rules to be used and for different reasons. If you know a good one or one that you use often, then let's add it to this.
Shux
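Added example (my code, not from the post above and not from the ipmasqadm or ipchains projects): a POSIX sh generator for the kind of rc.local fragment the post describes, covering both the ipmasqadm portfw lines and the ipchains REJECT rules. It checks every address and port before a rule is printed, refuses a network address such as 192.168.1.0 where portfw needs a single host, and pairs the NetBIOS TCP rule with a UDP one, since ports 137 and 138 are UDP. The helper names (valid_ipv4, valid_net, valid_port, lan_host, portfw_rule, reject_rules, ruleset), the /24 LAN assumption and the sample addresses 203.0.113.5 and 192.168.1.10 are all assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the original post: generates the ipmasqadm and
# ipchains lines that the post pastes into /etc/rc.d/rc.local, validating each
# address and port first. Output is only printed, so it can be reviewed before
# it is run. The sample addresses at the bottom are constructed values.

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$_saved_ifs"
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
}

# valid_net ADDR[/BITS]: address with optional prefix length, as ipchains -s/-d take.
valid_net() {
    case "$1" in
        */*) _bits="${1#*/}"
             case "$_bits" in ''|*[!0-9]*) return 1 ;; esac
             valid_ipv4 "${1%%/*}" && [ "$_bits" -le 32 ] ;;
        *)   valid_ipv4 "$1" ;;
    esac
}

# valid_port P: integer 1..65535, or a range LOW:HIGH of two of them
# (ipchains takes ranges such as 137:139; ipmasqadm portfw takes one port).
valid_port() {
    case "$1" in
        *:*) valid_port "${1%%:*}" && valid_port "${1#*:}" \
                 && [ "${1%%:*}" -le "${1#*:}" ] ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# lan_host ADDR: a single usable host on a /24 LAN. ipmasqadm portfw -R takes
# one host, so the network (.0) and broadcast (.255) addresses are refused.
# The /24 assumption is this example's own, not something the post states.
lan_host() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        *.0|*.255) return 1 ;;
    esac
}

# portfw_rule PROTO WAN_IP PORT LAN_HOST [LAN_PORT]: print the ipmasqadm line
# that forwards WAN_IP:PORT to LAN_HOST:LAN_PORT (LAN_PORT defaults to PORT).
portfw_rule() {
    _proto="$1"; _wan="$2"; _port="$3"; _host="$4"; _lport="${5:-$3}"
    case "$_proto" in
        tcp|udp) ;;
        *) echo "portfw_rule: protocol must be tcp or udp, not '$_proto'" >&2; return 1 ;;
    esac
    valid_ipv4 "$_wan" || { echo "portfw_rule: bad WAN IP '$_wan'" >&2; return 1; }
    lan_host "$_host" || { echo "portfw_rule: '$_host' is not a single LAN host" >&2; return 1; }
    case "$_port$_lport" in
        *:*) echo "portfw_rule: portfw takes single ports, not ranges" >&2; return 1 ;;
    esac
    valid_port "$_port" && valid_port "$_lport" \
        || { echo "portfw_rule: bad port '$_port' or '$_lport'" >&2; return 1; }
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$_proto" "$_wan" "$_port" "$_host" "$_lport"
}

# reject_rules IFACE DST PORTS: print ipchains input-chain rules refusing new
# TCP connections (-y matches SYN, so -p tcp is explicit) and all UDP datagrams
# for DST PORTS arriving on outside interface IFACE. NetBIOS uses UDP 137/138
# and TCP 139, so a TCP-only rule covers only half of it.
reject_rules() {
    _if="$1"; _dst="$2"; _ports="$3"
    valid_net "$_dst" || { echo "reject_rules: bad destination '$_dst'" >&2; return 1; }
    valid_port "$_ports" || { echo "reject_rules: bad port(s) '$_ports'" >&2; return 1; }
    printf 'ipchains -A input -i %s -p tcp -y -s 0.0.0.0/0 -d %s --destination-port %s -j REJECT\n' \
        "$_if" "$_dst" "$_ports"
    printf 'ipchains -A input -i %s -p udp -s 0.0.0.0/0 -d %s --destination-port %s -j REJECT\n' \
        "$_if" "$_dst" "$_ports"
}

# Constructed sample network (203.0.113.0/24 is a documentation range).
WAN_IP=203.0.113.5       # router's outside address
WEB_HOST=192.168.1.10    # inside host serving HTTP and SMTP
LAN_NET=192.168.1.0/24
OUT_IF=eth0

# ruleset: the complete rc.local fragment for the sample network, one command
# per line, to be reviewed and then fed to sh.
ruleset() {
    echo '# generated port forwards and filters'
    portfw_rule tcp "$WAN_IP" 80 "$WEB_HOST"
    portfw_rule tcp "$WAN_IP" 25 "$WEB_HOST"
    reject_rules "$OUT_IF" "$LAN_NET" 137:139
}
ruleset
```

Run it as-is to see the generated lines; once they look right, pipe the output through sh on the router or paste it into rc.local. The script itself applies nothing, which is the point: a typo in an address or port is caught before it becomes a rule.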
