
List:       ipchains-list
Subject:    Re: Probably a FAQ... but...
From:       JERRY_GREGORY () udlp ! com
Date:       2001-02-21 18:54:27

Marco-

I presume that your firewall DENYs packets from your LAN to the internet.  So
you'll need to add rules for your client machine in the "input" and "forward"
chains.  Substitute the gateway ip address for "this_server", and the LAN ip
address for "client01", the specific port that you want to allow access to on
external servers for "this_specific_port", and your LAN subnet for "this_lan". 
I assume that your client needs access to tcp ports only.  If so, your security
problem may not be as bad as you think since you only need to allow non-tcp syn
packets into your system for ip-masq.  That means that you can receive the
packets for connections that originate inside your LAN, but you don't have to
accept connection attempts from outside of your LAN.    

There are many ways to do what you want.  Here's one way.  (If you are REALLY
concerned about security, you can always add the "-l" option to log the activity
that gets through for your new rules.)  Edit your firewall script to include:

# Allow client01 special access to external ip addresses outside of this LAN
/sbin/ipchains -A input -p tcp -s client01 -d ! this_lan/8 -j ACCEPT
# Accept responses to ip-masq-ed connections (non-tcp-syn packets only,
# ports 61000:65095)
/sbin/ipchains -A input -p tcp ! -y -s 0/0 -d this_server 61000:65095 -j ACCEPT
# Masquerade for client01 to any ip address, this_specific_port only
/sbin/ipchains -A forward -p tcp -s client01 -d 0/0 this_specific_port -j MASQ

Remember, the order of rules in a chain is important, so put the above rules
BEFORE you do a blanket DENY.  If it doesn't work, at least it will give you
food for thought...

URLs: linuxdoc.org.  Find the ip-chains howto.  Before you "hack" your firewall,
you may want to understand more of the capabilities of ipchains.  Also, check
out the ip-masquerading howto.  You may be interested in the transparent-proxy
MINI-howto, as you may already have your network configured that way.

Jerry G.
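The following is an added example, not part of Jerry's reply or of ipchains itself: a small first-match simulator for the three rules above, plus a renderer that prints each rule in ipchains syntax (including the `! -y` spelling for "not a SYN packet"). It exists to make two points from the reply concrete: a fresh connection attempt from the internet to the masquerade port range is refused while a reply to an existing masqueraded connection gets through, and a blanket DENY placed ahead of the specific rules silently blocks client01 as well. The gateway address, LAN, client address, destination port and external host are constructed placeholders standing in for this_server, this_lan, client01 and this_specific_port; the simulator models only the input and forward chains and first-match semantics, not the rest of the kernel's masquerading path.

```python
# Added example: toy first-match simulator for the ipchains rules in the reply.
# All addresses and the port below are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

THIS_SERVER = "203.0.113.1"   # constructed: gateway's external address (this_server)
THIS_LAN = "10.0.0.0/8"       # constructed: the LAN behind the gateway (this_lan/8)
CLIENT01 = "10.1.2.50"        # constructed: the one privileged LAN host (client01)
PORT = 5190                   # constructed: this_specific_port
EXTERNAL = "198.51.100.7"     # constructed: some host on the internet


@dataclass
class Packet:
    chain: str    # "input" or "forward"
    proto: str    # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    syn: bool     # True for a TCP connection attempt (SYN without ACK)


@dataclass
class Rule:
    chain: str
    target: str                               # ACCEPT, DENY or MASQ
    proto: Optional[str] = None               # -p
    src: Optional[str] = None                 # -s address[/mask]
    dst: Optional[str] = None                 # -d address[/mask]
    dst_negate: bool = False                  # -d ! address[/mask]
    dports: Optional[Tuple[int, int]] = None  # destination port or lo:hi range
    syn_only: Optional[bool] = None           # True = -y, False = ! -y, None = any


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every criterion present on the rule matches the packet."""
    if rule.chain != pkt.chain:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.dst:
        in_net = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
        if in_net == rule.dst_negate:   # "-d ! net" inverts the sense of the match
            return False
    if rule.dports and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.syn_only is not None and pkt.syn != rule.syn_only:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """ipchains walks a chain top to bottom; the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


def to_ipchains(rule: Rule) -> str:
    """Render a Rule as the equivalent /sbin/ipchains command line."""
    parts = ["/sbin/ipchains", "-A", rule.chain]
    if rule.proto:
        parts += ["-p", rule.proto]
    if rule.syn_only is True:
        parts.append("-y")
    elif rule.syn_only is False:
        parts += ["!", "-y"]            # match only packets that are NOT SYN-only
    if rule.src:
        parts += ["-s", rule.src]
    if rule.dst:
        parts += ["-d"] + (["!"] if rule.dst_negate else []) + [rule.dst]
        if rule.dports:
            lo, hi = rule.dports
            parts.append(str(lo) if lo == hi else f"{lo}:{hi}")
    parts += ["-j", rule.target]
    return " ".join(parts)


# The reply's three rules, followed by the blanket DENY they must come BEFORE.
RULES = [
    Rule("input", "ACCEPT", proto="tcp", src=CLIENT01, dst=THIS_LAN, dst_negate=True),
    Rule("input", "ACCEPT", proto="tcp", src="0.0.0.0/0", dst=THIS_SERVER,
         dports=(61000, 65095), syn_only=False),
    Rule("forward", "MASQ", proto="tcp", src=CLIENT01, dst="0.0.0.0/0", dports=(PORT, PORT)),
    Rule("input", "DENY"),
    Rule("forward", "DENY"),
]


def outbound_from_client01() -> Tuple[str, str]:
    """client01's SYN to the allowed port: verdicts on the input and forward chains."""
    inp = Packet("input", "tcp", CLIENT01, EXTERNAL, PORT, True)
    fwd = Packet("forward", "tcp", CLIENT01, EXTERNAL, PORT, True)
    return verdict(RULES, inp), verdict(RULES, fwd)


def outbound_from_other_host() -> str:
    """Any other LAN host trying the same thing hits the blanket DENY."""
    return verdict(RULES, Packet("input", "tcp", "10.1.2.77", EXTERNAL, PORT, True))


def inbound_to_masq_port(syn: bool) -> str:
    """A non-SYN reply to the masq port range is accepted; a fresh SYN to it is not."""
    return verdict(RULES, Packet("input", "tcp", EXTERNAL, THIS_SERVER, 62000, syn))


def deny_first() -> str:
    """Putting the blanket DENY ahead of the specific rules blocks client01 too."""
    wrong_order = [Rule("input", "DENY")] + RULES
    return verdict(wrong_order, Packet("input", "tcp", CLIENT01, EXTERNAL, PORT, True))


if __name__ == "__main__":
    for r in RULES:
        print(to_ipchains(r))
    print(outbound_from_client01(), outbound_from_other_host(),
          inbound_to_masq_port(False), inbound_to_masq_port(True), deny_first())
```

Running the script prints the five rendered rules and the verdicts ACCEPT/MASQ for client01, DENY for another LAN host, ACCEPT for a non-SYN packet to the masquerade range, DENY for a SYN to that same range, and DENY for client01 once the blanket rule is moved to the top.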

____________________Reply Separator____________________
Subject:    Probably a FAQ... but...
Author: "Marco Cunha" <marco.cunha@tecinf.pt>
Date:       2/21/2001 5:31 PM

Hi everyone. This is probably a FAQ but after burning my brain for some hours
now I haven't been able to get it just yet.

I have a box that acts as "proxy" to the Internet. I run squid on it, a name
server for the company's domain (with two views), sendmail, apache and a couple
of other services.

I have to turn this into a proxy/firewall solution because there's the need for
one computer inside the internal network to connect to random computers on the
internet on a specific port. (I realise the security problems this creates but I
have no other choice).

Until now I didn't even have routing enabled. I just need to hack the firewall
into letting that one source address send packets out into the internet to that
specific port and not let any of the other users do anything whatsoever other
than access the proxy (like before).

Can anyone give me some pointers on what to do?

I think I need to set up some kind of masquerading for that specific source
address and specific destination port. How should I go about that? Is it
standard masquerading? I'd be more than happy to read some docs if anyone can
kindly send me some URLs :)

From: "Marco Cunha" <marco.cunha@tecinf.pt>
To: <IPChains-list@east.balius.com>
Subject: Probably a FAQ... but...
Date: Wed, 21 Feb 2001 17:31:51 -0000
Message-ID: <002c01c09c2c$34213720$0902010a@tecinf.pt>
