April 1st, 2000 Part Two

.... .- .--. .--. -.-- .... .- -.-. -.- . .-. -.. .. --. . ... -
See the Happy Hacker web site at http://www.happyhacker.org
Firewall gives you problems? Try http://happyhacker.org
.... .- .--. .--. -.-- .... .- -.-. -.- . .-. -.. .. --. . ... -

***********************************************************************
*** IP Masquarading, part 2
***********************************************************************

Ok, here I am again, writing the second part of the IP masq as promised. If
there are any questions/comments/suggestions or whatever, you can contact me at
nicolasb@pinos.com
In this chapter I'll be covering:

- IP Masquerading problems
- Firewall using your ip masquerade
- Dial on demand connections
- ICQ on IP masq
- FAQ

 

NOTE: If you are just looking to do port forwarding without IP Masquerading,
you will STILL NEED to enable IP Masquerading in both the kernel AND in either
your IPFWADM or IPCHAINS ruleset to then be able to use Linux's port
forwarding tools.

 

- IP masquerading problems.

You might find that some TCP/IP applications don't work under Linux IP masq.
That's because the apps assume port numbers or encode TCP addresses and port
numbers. These apps need a special IP MASQ module built into the masq code, or
specific PROXIES.
You can also find problems with incoming services. By default Linux won't
handle incoming services, but there are some ways to make them work. One that
you can use is port forwarding (IPPORTFW): very stable, but not very secure. If
you want authorization on incoming connections you'll need to set up TCP-wrappers
or Xinetd, and then you'll be able to authorize specific IP addresses.

- Supported client software
- Network clients that work with IP MASQ

Most Archie clients
FTP, all platforms
Gopher clients, all
HTTP, all platforms
IRC, DCC supported via ip_masq_irc.o module
USENET, all platforms, news client
PING, all platforms, with ICMP MASQ kernel option
POP3, all supported platforms
SSH, secure TELNET/FTP clients, all plat.
SMTP, Sendmail, Qmail, PostFix, mostly all
TELNET, all plat, remote session
TR (Traceroute), Unix and Windows based plats, some might not work
VRML, Windows: the ones that I tried worked just fine.
Alpha Worlds, Windows
Cu-SeeMe, with ip_masq_cuseeme module loaded, all plats.
ICQ, all supported clients, see the ICQ part below.
and some more...

The ones that didn't work:
Netscape CoolTalk, couldn't connect
Web Phone, makes assumptions about addresses.
Intel Streaming Media Viewer Beta 1, can't connect
all H.323 programs: Netmeeting, Intel Phone.

 

- Firewall using your ip masquerade

This I didn't write, but it's useful and I'll add it:

NOTE #1: Linux 2.2.x kernels less than 2.2.11 have an IPCHAINS fragmentation
bug. Because of this, people running strong IPCHAINS rulesets are open to
attack. Please upgrade your kernel to a fixed version.

NOTE #2: If you get a dynamically assigned TCP/IP address from your ISP (PPP,
ADSL, cable modems, etc.), you CANNOT load this strong ruleset upon boot. You
will either need to reload this firewall ruleset EVERY TIME you get a new IP
address or make your /etc/rc.d/rc.firewall ruleset more intelligent. To do
this for PPP users, carefully read and un-comment the proper lines in the
"Dynamic PPP IP fetch" section below. You can also find more details on strong
rulesets and dynamic IP addresses in the TrinityOS - Section 10 doc.

Please also be aware that there are several GUI firewall creation tools
available as well. Please see the FAQ section for full details.

Lastly, if you are using a STATIC PPP IP address, change the
ppp_ip = "your.static.PPP.address" line to reflect your address.
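Added example, not from the digest or from the ruleset it reproduces: the same ifconfig | grep | awk | sed pipeline that the "Dynamic PPP IP fetch" line of the ruleset uses, wrapped in a function and run over a constructed ifconfig listing, followed by a check that refuses to go on when the result is not a dotted-quad address. The interface output, the 203.0.113.x addresses and the function names are all my own assumptions, not anything from the digest.

```sh
#!/bin/sh
# Added example (not from the digest): wrap the ruleset's "Dynamic PPP IP
# fetch" pipeline in a function and validate what it returns before any
# ipchains rule is built from it.

# Constructed sample of classic ifconfig output for a PPP link. Documentation
# addresses only; not captured from a real host.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# extract_ip OUTPUT: the grep/awk/sed chain rc.firewall uses, applied to text
# passed in instead of to a live interface.
extract_ip() {
    printf '%s\n' "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# is_ipv4 ADDR: exit 0 when ADDR is exactly one line of four decimal octets in
# the range 0-255, exit 1 otherwise (empty input, placeholder text, two
# addresses, an octet above 255).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { bad = 1; exit }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { bad = 1; exit } }
        END { exit bad + 0 }'
}

# fetch_extip OUTPUT: print the validated address, or fail so the caller can
# abort instead of running ipchains with an empty or bogus $extip.
fetch_extip() {
    ip=$(extract_ip "$1")
    if ! is_ipv4 "$ip"; then
        echo "fetch_extip: no usable IPv4 address in interface output" >&2
        return 1
    fi
    printf '%s\n' "$ip"
}

if [ "${1-}" = "--demo" ]; then
    extip=$(fetch_extip "$SAMPLE_IFCONFIG") || exit 1
    echo "extip=$extip"
fi
```

Run it with --demo to see the parsed address. The reason for the check: in rc.firewall an empty extip, or the unedited "your.static.PPP.address" placeholder, is substituted straight into the -d $extip/32 and -s $extip/32 rules, ipchains rejects those rules, and the script carries on as if nothing happened. The is_ipv4 test also rejects the placeholder string, so a forgotten edit fails loudly.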

----------------------------------------------------------------

 

 

#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
# following option. This enables dynamic-ip address hacking in IP MASQ, making
# life with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset understand your
# IP address every time you get a new IP. To do this, enable the following
# one-line script. (Please note that the different single and double quote
# characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word "ppp0"
# with the name of your EXTERNAL Internet connection (eth0, eth1, etc) on the
# lines for "ppp-ip" and "extip". It should be also noted that the DHCP server
# can change IP addresses on you. To fix this, users should configure their
# DHCP client to re-run the firewall ruleset every time the DHCP lease is
# renewed.
#
# NOTE #1: Some newer DHCP clients like "pump" do NOT have this ability to run
# scripts after a lease-renew. Because of this, you need to replace it with
# something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions use syntax like:
# dhcpcd eth0 /etc/rc.d/rc.firewall
#
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when a
# PPP connection comes up. Because of this, we can make the ruleset go and get
# the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
#
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line after that.
#
#extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# For PPP users with STATIC IP addresses:
#
extip="your.static.PPP.address"

# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
extint="ppp0"

# Assign the internal IP
intint="eth0"
intnet="192.168.1.0/24"

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec
# firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F input
ipchains -P input REJECT

# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F output
ipchains -P output REJECT

# local interface, any source going to local net is valid
#
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
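Added example, not part of the digest or of the rc.firewall script above: a first-match model of the script's input chain, written so you can ask what verdict a given packet gets. It also carries a deliberately mis-ordered copy of the chain to show what happens when the "anything to $extip" ACCEPT is placed ahead of the anti-spoofing REJECT. The interface names and the 192.168.1.0/24 internal net are the script's; the 203.0.113.x and 198.51.100.x addresses and the function names are my own constructed values.

```sh
#!/bin/sh
# Added example (not from the digest): first-match evaluation of the input
# chain, rule for rule in the order the script appends them.

extint="ppp0"                 # external interface, as in the script
intint="eth0"                 # internal interface, as in the script
intnet_prefix="192.168.1."    # stands in for intnet=192.168.1.0/24
extip="203.0.113.45"          # constructed stand-in for the real PPP address

# in_intnet ADDR: exit 0 when ADDR lies inside the internal /24
in_intnet() {
    case "$1" in
        "$intnet_prefix"*) return 0 ;;
    esac
    return 1
}

# input_verdict IFACE SRC DST: the first matching rule decides, which is how
# ipchains walks a chain; the comments name the rule being modelled.
input_verdict() {
    iface=$1; src=$2; dst=$3
    # ipchains -A input -i $intint -s $intnet -j ACCEPT
    if [ "$iface" = "$intint" ] && in_intnet "$src"; then
        echo "ACCEPT"; return 0
    fi
    # ipchains -A input -i $extint -s $intnet -l -j REJECT   (anti-spoofing)
    if [ "$iface" = "$extint" ] && in_intnet "$src"; then
        echo "REJECT logged (spoofed internal source)"; return 0
    fi
    # ipchains -A input -i $extint -d $extip/32 -j ACCEPT
    if [ "$iface" = "$extint" ] && [ "$dst" = "$extip" ]; then
        echo "ACCEPT"; return 0
    fi
    # ipchains -A input -i lo -j ACCEPT
    if [ "$iface" = "lo" ]; then
        echo "ACCEPT"; return 0
    fi
    # ipchains -A input -l -j REJECT   (catch-all)
    echo "REJECT logged (catch-all)"
}

# input_verdict_misordered: the same rules with the $extip ACCEPT moved ahead
# of the anti-spoofing REJECT. Kept only to show what that mistake costs.
input_verdict_misordered() {
    iface=$1; src=$2; dst=$3
    if [ "$iface" = "$intint" ] && in_intnet "$src"; then
        echo "ACCEPT"; return 0
    fi
    if [ "$iface" = "$extint" ] && [ "$dst" = "$extip" ]; then
        echo "ACCEPT"; return 0          # spoofed sources now slip through here
    fi
    if [ "$iface" = "$extint" ] && in_intnet "$src"; then
        echo "REJECT logged (spoofed internal source)"; return 0
    fi
    if [ "$iface" = "lo" ]; then
        echo "ACCEPT"; return 0
    fi
    echo "REJECT logged (catch-all)"
}

if [ "${1-}" = "--demo" ]; then
    # constructed packets as "iface src dst"
    for pkt in "eth0 192.168.1.10 203.0.113.9" \
               "ppp0 192.168.1.10 203.0.113.45" \
               "ppp0 198.51.100.7 203.0.113.45" \
               "ppp0 198.51.100.7 192.168.1.10" \
               "lo 127.0.0.1 127.0.0.1"; do
        set -- $pkt
        printf '%-32s ordered: %-42s misordered: %s\n' "$pkt" \
            "$(input_verdict "$@")" "$(input_verdict_misordered "$@")"
    done
fi
```

Run with --demo to print both columns. The one row that differs is the packet arriving on ppp0 with a 192.168.1.x source and the PPP address as destination: the script's order logs and rejects it, the mis-ordered copy accepts it, which is exactly the spoofed-internal-source case the second rule exists to stop. Anything arriving on ppp0 for an internal address falls through to the logged catch-all in both versions.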

 © 2013 Happy Hacker All rights reserved.