peepee
02-21-2002, 01:53 PM
This guide Im writing for dummies... like me. It is not an exhaustive work on iptables, masquerading, or anything at all.
But it works cut'n'paste on Red Hat 7.2 (2.4.x kernels).
Please let me know if you try this and it's not working for you, post here.
---cut---
I read a user was having problems setting up his IP Masq in his Linux box, and I want to share the way I do it - this is good up to the out-of-box release of Red Hat 7.0, I am about to install 7.2 now so as to run showeq (need the libs), so I'll lt you know if it works.
If you have a script to share for your IP Masq, please post it here, I would like to see how other people do it... mine uses IPChains, but through a wrapper for the old ipfwadm (which is what I have used for years)...
As a side note: It is very rude to tell people they don't know what they are doing without at least providing an answer - any loser can pretend he knows what he is talking about - and that's all you are if you just talk trash and don't add value (do a query in the showeq forums on 'masq' and you'll see what I mean).
Argueing on the internet is like playing in the special olympics - You might win, but you're still a retard.
Anyways, how it works:
1) Get 2 eth cards of the same make/model - I reccomend buying the oldest 3com cards the store has (thus adding to the chance your modules are included in your distribution). Or just check ahead to see what eth cards are supported by your distribution, then make a list and take it to the store - check your vendors (like RedHat's) website, or just go to google and query on 'linux ethernet module' OR Just buy 3com (lazy way, 98% accuracy).
2) Install linux like normal, load eveything if you have drive space, otherwise look at the FAQ on setting up for showeq later on at the showeq forum.
3) So setup your network using the menus provided, plugging in your info (IP, GW, etc).
4) Test your internet connect directly to your box - good so far? Proceed. If not you have to mess with it here - you need a standalone connect before you can proceed... Use linuxconf or netcfg for menu programs and ifconfig -a at the command line for quick info (there is alot more you can do, but if you can setup a windows single eth connect, this isn't much harder).
5) Ok now that we have a box talking to the internet, you need to go to the store and buy 1 crossover cable and 1 patch cable (at least) and 1 dummy hub. Any old hub will work, I use an Intel 8 port one, but I have a couple old big time fancy NT routers that I have used. I just don't want the extra noise of their fans running
6) Crossover cable goes from your second card to your hub. Patch cable goes from the hub to the other PC you want on your network.
7) Now check your path on your linux box: echo $PATH and find a spot you want to create your little startup script for your ip masq - I use /usr/sbin (sbin usually relates to netwoking type bins, but whatever). Make a new file there, with these lines (can't make up your mind what to call it - try "mymasq"):
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.3.1 broadcast 0.0.0.255 netmask
255.255.255.0
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0
echo "1" > /proc/sys/net/ipv4/ip_forward
8) chmod +x on that file you just created.
9) run that file.
10) Go to the other pc that is all plugged in and ready to go.
Change it's IP to: 192.168.1.2
Change it's GW to: 192.168.1.1 (which is your linux box's second eth adapter - eth1)
DNS info can stay 'real' - in other words whatever your DNS is that your linux box is talking to. Hostname can be the same as your linux box too.
11) Reboot the pc that you just created as a masquerade endpoint (from 10).
12) Test that pc, you should be connected.
The only thing you won't be able to do on your masq endpoints (make as many as you want, follow step 10, just change their IP by 1 on the last number like .3 .4 .5, etc etc) is host many games
I am not that smart, if someone could add info on freeing up ports (depending on the game's port that is required) please add it here.
What you can do is JOIN any game, like EQ, and you can run packet sniffing software, like showeq, on your linux box and it will work (assuming that is setup right). I do it you can too!
Can someone please copy and paste this to the showeq forums?
Also can someone please add alternative scripts to my script here - using mayby more secure methods? I know there are other ways, but I am not that smart to know them all.
---
Ok, time for a follow up and some error correction:
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.3.1 broadcast 0.0.0.255 netmask 255.255.255.0
/sbin/ipfwadm-wrapper -F -p deny
/sbin/ipfwadm-wrapper -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0
1) Put the echo command as the first thing in order to enable port forwarding at all.
2) Change the ipfwadm calls to ipfwadm-wrapper (this is really an ipchains call, using a wrapper to emulate old ipfwadm protocals).
Works fine for kernels 2.3 and older - 2.4 screws us all by ignoring all ipchains protocal calls... you MUST rewrite everything to iptables now. I am gonna have a talk with Linus and straighten him out. This was crude and rude and not in the spirit of linux legacy coverage at all.
So anyways, I moved to the 21st century and ripped and hacked together a iptables script for masquerading. Here it is:
#!/bin/sh
#config IPMASQ
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.1.1 broadcast 0.0.0.255 netmask 255.255.255.0
IPTABLES="/sbin/iptables"
#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
#Our actual rules
#Our NAT stuff
#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#These are port-forwarding examples for several different cases.
#These map the specified ports to the specified ip address.
#
#This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1
#
#These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1
#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP
#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP
#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP
#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT
#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall
#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
#
#$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's #way too spammy with windows machines on
#the network.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall
This works. Just make sure your showeq.conf file has the IP (192.168.1.x) cast and eth1 (assuming eth1 is your GW nic).
But it works cut'n'paste on Red Hat 7.2 (2.4.x kernels).
Please let me know if you try this and it's not working for you, post here.
---cut---
I read a user was having problems setting up his IP Masq in his Linux box, and I want to share the way I do it - this is good up to the out-of-box release of Red Hat 7.0, I am about to install 7.2 now so as to run showeq (need the libs), so I'll lt you know if it works.
If you have a script to share for your IP Masq, please post it here, I would like to see how other people do it... mine uses IPChains, but through a wrapper for the old ipfwadm (which is what I have used for years)...
As a side note: It is very rude to tell people they don't know what they are doing without at least providing an answer - any loser can pretend he knows what he is talking about - and that's all you are if you just talk trash and don't add value (do a query in the showeq forums on 'masq' and you'll see what I mean).
Argueing on the internet is like playing in the special olympics - You might win, but you're still a retard.
Anyways, how it works:
1) Get 2 eth cards of the same make/model - I reccomend buying the oldest 3com cards the store has (thus adding to the chance your modules are included in your distribution). Or just check ahead to see what eth cards are supported by your distribution, then make a list and take it to the store - check your vendors (like RedHat's) website, or just go to google and query on 'linux ethernet module' OR Just buy 3com (lazy way, 98% accuracy).
2) Install linux like normal, load eveything if you have drive space, otherwise look at the FAQ on setting up for showeq later on at the showeq forum.
3) So setup your network using the menus provided, plugging in your info (IP, GW, etc).
4) Test your internet connect directly to your box - good so far? Proceed. If not you have to mess with it here - you need a standalone connect before you can proceed... Use linuxconf or netcfg for menu programs and ifconfig -a at the command line for quick info (there is alot more you can do, but if you can setup a windows single eth connect, this isn't much harder).
5) Ok now that we have a box talking to the internet, you need to go to the store and buy 1 crossover cable and 1 patch cable (at least) and 1 dummy hub. Any old hub will work, I use an Intel 8 port one, but I have a couple old big time fancy NT routers that I have used. I just don't want the extra noise of their fans running
6) Crossover cable goes from your second card to your hub. Patch cable goes from the hub to the other PC you want on your network.
7) Now check your path on your linux box: echo $PATH and find a spot you want to create your little startup script for your ip masq - I use /usr/sbin (sbin usually relates to netwoking type bins, but whatever). Make a new file there, with these lines (can't make up your mind what to call it - try "mymasq"):
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.3.1 broadcast 0.0.0.255 netmask
255.255.255.0
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0
echo "1" > /proc/sys/net/ipv4/ip_forward
8) chmod +x on that file you just created.
9) run that file.
10) Go to the other pc that is all plugged in and ready to go.
Change it's IP to: 192.168.1.2
Change it's GW to: 192.168.1.1 (which is your linux box's second eth adapter - eth1)
DNS info can stay 'real' - in other words whatever your DNS is that your linux box is talking to. Hostname can be the same as your linux box too.
11) Reboot the pc that you just created as a masquerade endpoint (from 10).
12) Test that pc, you should be connected.
The only thing you won't be able to do on your masq endpoints (make as many as you want, follow step 10, just change their IP by 1 on the last number like .3 .4 .5, etc etc) is host many games
I am not that smart, if someone could add info on freeing up ports (depending on the game's port that is required) please add it here.
What you can do is JOIN any game, like EQ, and you can run packet sniffing software, like showeq, on your linux box and it will work (assuming that is setup right). I do it you can too!
Can someone please copy and paste this to the showeq forums?
Also can someone please add alternative scripts to my script here - using mayby more secure methods? I know there are other ways, but I am not that smart to know them all.
---
Ok, time for a follow up and some error correction:
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.3.1 broadcast 0.0.0.255 netmask 255.255.255.0
/sbin/ipfwadm-wrapper -F -p deny
/sbin/ipfwadm-wrapper -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0
1) Put the echo command as the first thing in order to enable port forwarding at all.
2) Change the ipfwadm calls to ipfwadm-wrapper (this is really an ipchains call, using a wrapper to emulate old ipfwadm protocals).
Works fine for kernels 2.3 and older - 2.4 screws us all by ignoring all ipchains protocal calls... you MUST rewrite everything to iptables now. I am gonna have a talk with Linus and straighten him out. This was crude and rude and not in the spirit of linux legacy coverage at all.
So anyways, I moved to the 21st century and ripped and hacked together a iptables script for masquerading. Here it is:
#!/bin/sh
#config IPMASQ
/sbin/ifconfig eth1 down
/sbin/ifconfig eth1 192.168.1.1 broadcast 0.0.0.255 netmask 255.255.255.0
IPTABLES="/sbin/iptables"
#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
#Our actual rules
#Our NAT stuff
#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#These are port-forwarding examples for several different cases.
#These map the specified ports to the specified ip address.
#
#This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1
#
#These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1
#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP
#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP
#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP
#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT
#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall
#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
#
#$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's #way too spammy with windows machines on
#the network.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall
This works. Just make sure your showeq.conf file has the IP (192.168.1.x) cast and eth1 (assuming eth1 is your GW nic).