gutsy and regular PCs on edubuntu lan

wayne plettpc at gmail.com
Wed Oct 31 19:27:48 GMT 2007 

Hi All
In following the thread , maybe i could throw my 2c ,
my edubuntu is running standalone not as a gateway but it shouldnt be to 
difficult to acheive,

Here's a basic Masquerade script I've used over time to setup a gateway 
open firewall, it can also be used in conjunction with squid and 
dansguardian  , 
Change  Extif and Intif  or even pppoe to suit your setup

save it as masquerade.sh and put it in /etc/init.d/   , with a  soft 
link in rc3  ie. S40masquerade  for instance to start up after networks.
I'll test tommorow by adding a network card to my gutsy edubuntu,
Wayne

#!/bin/sh

#

#firewall-iptables

FWVER= 0.76

#

# Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels

# using IPTABLES.

#

# Once IP Masquerading has been tested, with this simple

# ruleset, it is highly recommended to use a stronger

# IPTABLES ruleset either given later in this HOWTO or

# from another reputable resource.

#

#

#

# Log:

# 0.76 - Added comments on why the default policy is ACCEPT

# 0.75 - Added more kernel modules to the comments section

# 0.74 - the ruleset now uses modprobe vs. insmod

# 0.73 - REJECT is not a legal policy yet; back to DROP

# 0.72 - Changed the default block behavior to REJECT not DROP

# 0.71 - Added clarification that PPPoE users need to use

# "ppp0" instead of "eth0" for their external interface

# 0.70 - Added commented option for IRC nat module

# - Added additional use of environment variables

# - Added additional formatting

# 0.63 - Added support for the IRC IPTABLES module

# 0.62 - Fixed a typo on the MASQ enable line that used eth0

# instead of $EXTIF

# 0.61 - Changed the firewall to use variables for the internal

# and external interfaces.

# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP

# all forwarded packets but it didn't have a rule to ACCEPT

# any packets to be forwarded either

# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default

# 0.50 - Initial draft

#


echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"



# The location of the iptables and kernel module programs

#

# If your Linux distribution came with a copy of iptables,

# most likely all the programs will be located in /sbin. If

# you manually compiled iptables, the default location will

# be in /usr/local/sbin

#

# ** Please use the "whereis iptables" command to figure out

# ** where your copy is and change the path below to reflect

# ** your setup

#

IPTABLES=/sbin/iptables

#IPTABLES=/usr/local/sbin/iptables

DEPMOD=/sbin/depmod

MODPROBE=/sbin/modprobe



#Setting the EXTERNAL and INTERNAL interfaces for the network

#

# Each IP Masquerade network needs to have at least one

# external and one internal network. The external network

# is where the natting will occur and the internal network

# should preferably be addressed with a RFC1918 private address

# scheme.

#

# For this example, "eth0" is external and "eth1" is internal"

#

#

# NOTE: If this doesnt EXACTLY fit your configuration, you must

# change the EXTIF or INTIF variables above. For example:

#

# If you are a PPPoE or analog modem user:

#

# EXTIF="ppp0"

#

#

EXTIF="eth0"

INTIF="eth1"

INTIF2="ath0"

echo " External Interface: $EXTIF"

echo " Internal Interface: $INTIF"

echo " Internal Interface: $INTIF2"


EXTIP="192.168.1.15"

echo " External IP: $EXTIP"


#======================================================================

#== No editing beyond this line is required for initial MASQ testing ==



echo -en " loading modules: "


# Need to verify that all modules have all required dependencies

#

echo " - Verifying that all kernel modules are ok"

$DEPMOD -a


# With the new IPTABLES code, the core MASQ functionality is now either

# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES

# options as MODULES. If your kernel is compiled correctly, there is

# NO need to load the kernel modules manually.

#

# NOTE: The following items are listed ONLY for informational reasons.

# There is no reason to manual load these modules unless your

# kernel is either mis-configured or you intentionally disabled

# the kernel module autoloader.

#


# Upon the commands of starting up IP Masq on the server, the

# following kernel modules will be automatically loaded:

#

# NOTE: Only load the IP MASQ modules you need. All current IP MASQ

# modules are shown below but are commented out from loading.

# ===============================================================


echo 
"----------------------------------------------------------------------"


#Load the main body of the IPTABLES module - "iptable"

# - Loaded automatically when the "iptables" command is invoked

#

# - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "ip_tables, "

$MODPROBE ip_tables



#Load the IPTABLES filtering module - "iptable_filter"

# - Loaded automatically when filter policies are activated



#Load the stateful connection tracking framework - "ip_conntrack"

#

# The conntrack module in itself does nothing without other specific

# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"

# module

#

# - This module is loaded automatically when MASQ functionality is

# enabled

#

# - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "ip_conntrack, "

$MODPROBE ip_conntrack



#Load the FTP tracking mechanism for full FTP tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -en "ip_conntrack_ftp, "

$MODPROBE ip_conntrack_ftp



#Load the IRC tracking mechanism for full IRC tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -en "ip_conntrack_irc, "

$MODPROBE ip_conntrack_irc



#Load the general IPTABLES NAT code - "iptable_nat"

# - Loaded automatically when MASQ functionality is turned on

#

# - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "iptable_nat, "

$MODPROBE iptable_nat



#Loads the FTP NAT functionality into the core IPTABLES code

# Required to support non-PASV FTP.

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -en "ip_nat_ftp, "

$MODPROBE ip_nat_ftp



#Loads the IRC NAT functionality into the core IPTABLES code

# Required to support NAT of IRC DCC requests

#

# Disabled by default -- remove the "#" on the next line to activate

#

#echo -e "ip_nat_irc"

#$MODPROBE ip_nat_irc


echo 
"----------------------------------------------------------------------"


# Just to be complete, here is a partial list of some of the other

# IPTABLES kernel modules and their function. Please note that most

# of these modules (the ipt ones) are automatically loaded by the

# master kernel module for proper operation and don't need to be

# manually loaded.

# --------------------------------------------------------------------

#

# ip_nat_snmp_basic - this module allows for proper NATing of some

# SNMP traffic

#

# iptable_mangle - this target allows for packets to be

# manipulated for things like the TCPMSS

# option, etc.

#

# --

#

# ipt_mark - this target marks a given packet for future action.

# This automatically loads the ipt_MARK module

#

# ipt_tcpmss - this target allows to manipulate the TCP MSS

# option for braindead remote firewalls.

# This automatically loads the ipt_TCPMSS module

#

# ipt_limit - this target allows for packets to be limited to

# to many hits per sec/min/hr

#

# ipt_multiport - this match allows for targets within a range

# of port numbers vs. listing each port individually

#

# ipt_state - this match allows to catch packets with various

# IP and TCP flags set/unset

#

# ipt_unclean - this match allows to catch packets that have invalid

# IP/TCP flags set

#

# iptable_filter - this module allows for packets to be DROPped,

# REJECTed, or LOGged. This module automatically

# loads the following modules:

#

# ipt_LOG - this target allows for packets to be

# logged

#

# ipt_REJECT - this target DROPs the packet and returns

# a configurable ICMP packet back to the

# sender.

#


echo -e " Done loading modules.\n"




#CRITICAL: Enable IP forwarding since it is disabled by default since

#

# Redhat Users: you may try changing the options in

# /etc/sysconfig/network from:

#

# FORWARD_IPV4=false

# to

# FORWARD_IPV4=true

#

echo " Enabling forwarding.."

echo "1" > /proc/sys/net/ipv4/ip_forward



# Dynamic IP users:

#

# If you get your IP address dynamically from SLIP, PPP, or DHCP,

# enable this following option. This enables dynamic-address hacking

# which makes the life with Diald and similar programs much easier.

#

echo " Enabling DynamicAddr.."

echo "1" > /proc/sys/net/ipv4/ip_dynaddr



# Enable simple IP forwarding and Masquerading

#

# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.

#

# NOTE #2: The following is an example for an internal LAN address in the

# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask

# connecting to the Internet on external interface "eth0". This

# example will MASQ internal traffic out to the Internet but not

# allow non-initiated traffic into your internal network.

#

#

# ** Please change the above network numbers, subnet mask, and your

# *** Internet connection interface name to match your setup

#



#Clearing any previous configuration

#

# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT

# The default for FORWARD is DROP (REJECT is not a valid policy)

#

# Isn't ACCEPT insecure? To some degree, YES, but this is our testing

# phase. Once we know that IPMASQ is working well, I recommend you run

# the rc.firewall-*-stronger rulesets which set the defaults to DROP but

# also include the critical additional rulesets to still let you connect to

# the IPMASQ server, etc.

#

echo " Clearing any existing rules and setting default policy.."

$IPTABLES -P INPUT ACCEPT

$IPTABLES -F INPUT

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -F OUTPUT

$IPTABLES -P FORWARD DROP

$IPTABLES -F FORWARD

$IPTABLES -t nat -F


echo " FWD: Allow all connections OUT and only existing and related ones IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state 
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state 
ESTABLISHED,RELATED \-j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $INTIF2 -m state --state 
ESTABLISHED,RELATED \-j ACCEPT

$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state 
ESTABLISHED,RELATED \-j ACCEPT

$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP



echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


echo -e "\nrc.firewall-iptables v$FWVER done.\n"

More information about the edubuntu-users mailing list