IP Chains


"Bruce S. Marshall" says

(http://www.oreilly.com/catalog/linag2/chapter/ch09.html) for an
EXCELLENT discussion of ipchains and its implementation



Formatted and edited for readability for The Linux Step by Step Sites 2000-04-18 by Ian Marchak

As mentioned by the author, he obtained help and info from TrinityOS (TM)(c), which is well worth a look after you get through this document. If you are going to bring a machine up as a full-time firewall you cannot be too concerned about security, which is why you should also check out the Step By Steps on Security located here.


Version 1.1 -- 2000-02-02 By Hans-Cees Speel
The original document can be located at: http://www.sepa.tudelft.nl/webstaf/hanss/hanss.html

How to make a gateway (with firewall) with a Caldera 2.3 Linux machine used to share the internet with other computers with the use of a modem (modem sharing). The actual modem used in my set-up is a cable modem that runs like a regular modem through the first serial COM port. Other ways of saying the same thing are: internet sharing, modem sharing, IP chains, masquerading, NAT, and what not.

Contents

0. Logging
I. Install Caldera2.3 (not covered in the scope of this document)
II. Setup ISP connections
III. Configuring ipchains and the firewall.
IV. The setting of the firewall
V. Extras
VI. Logging Errors

What is a gateway (in this case)? A machine used to share access to the internet. This means that all internet traffic runs through the gateway. In this case the gateway has an (external) modem connection to the internet. The modem is used to dial in to an ISP that delivers dynamic IP numbers (DHCP). The modem dials in automatically when the machines behind it request it (i.e. they start a browser or check email).

With some adjustment these notes could probably work for other connection types as well (real cablemodems for instance or internal modems).

This howto shows all the steps as I took them, and I have a working gateway now. This does not guarantee that there are no better or more clever ways; I just don't know them yet. It could be that some things are superfluous.

0. Logging

See EXTRAS at the bottom of this Step By Step. It explains how to see all your logging information at your prompt. It will make this whole process much easier, believe me.

I. Installation

Install COL2.3 with all programs. This means having about 2 gig of space on your hard drive. Make sure your ethernet card works for your internal LAN first. You can check this with the "ifconfig" command.

From this point on, we assume there is: a successful install of COL2.3, a working network card, and a configured modem. If not, you'd better hit the links and get those working before proceeding.

II. Setting up ISP Connections

If your install and ethernet card both worked, dial-in to your ISP should be set up next.

This is what the Caldera OpenLinux CD says. Take a look by putting the CD in your drive and using Netscape to go to this URL: file:///mnt/cdrom/col/doc/html/gsg/index.html. Very handy. Pages 107 and 108 show how to configure pppd without using kppp. This information can also be found online here.

We will follow these instructions...

Connecting Without KPPP

Although KPPP provides a convenient graphical tool for reaching the Internet, you may want to use standard scripts to create a non-graphical connection using PPP. This section describes how to do that.

NOTE: You still need the information from your ISP described at the beginning of this chapter.

To set up a script-based PPP connection:

1.Log into OpenLinux as user root.

2.To verify whether or not your system's Linux kernel includes PPP support, type lsmod and press Enter.

3.If the PPP module (ppp.o) doesn't appear in the list, type modprobe ppp and press Enter to load PPP support.

4.Add your ISP's nameserver IP addresses to the /etc/resolv.conf file (for example, nameserver 192.168.1.1).

5.Add your system's IP address to the /etc/hosts file (for example, 192.168.100.23 swift.caldera.com swift).  If you're not connected to an internal network, use "0.0.0.0" as your system's IP address.

6.Create a /etc/ppp/options file with the following lines:

connect "/usr/sbin/chat -f /etc/ppp/chat-script"
/dev/modem 38400
modem
crtscts
defaultroute
noipdefault
user isp_user

The "isp_user" in this script is the user account at your ISP. Use the number "38400" in the script for a 28.8Kbps modems; use 115200 for 56K modems.

NOTE: The next three steps assume your ISP uses PAP authentication. If you use manual or CHAP authentication, contact your ISP for additional information.

1.Create the /etc/ppp/chat-script file with the following lines:
ABORT BUSY
ABORT "NO DIAL TONE"
"" ATDT5551212
CONNECT ""

The "5551212" in the script is the phone number to dial to connect to your ISP.

2.Create an authentication file named /etc/ppp/pap-secrets that contains these lines:
isp_user * isp_passwd
In this file, "isp_user" is your ISP username and "isp_passwd" is your ISP account password in plaintext (for example, bob * GfG2vhY).

3.Make the /etc/ppp/pap-secrets file secure by executing this command:
chmod 600 /etc/ppp/pap-secrets

To start up your script-based PPP Connection:

1.Enter this command from a terminal emulator or console:
pppd

Your modem uses the scripts you created to dial your ISP and connect. Depending on the speed of your ISP's authentication process, your system will be connected to your ISP within 15-45 seconds of hearing the dial tone.

To verify whether or not you're connected to your ISP, you can use the ping command to echo a system on the Internet. (For example, type ping www.yahoo.com and press Enter.) If a series of lines appear one at a time, you're connected. To abort the output of the ping command, press 'Ctrl+C'

To stop the PPP Connection
1.Enter this command:
kill `cat /var/run/ppp0.pid`
 

So far what Caldera says; now what we will do. Make sure you log in as root.

So do this:

a) Open a terminal (you can do that by clicking on the two-computer icon in your tray) and type "lsmod". If there is no ppp listed you must type "modprobe ppp" (without the quotes; always leave out the quotes).

b) Find kfm (the KDE file manager). I always leave one open. You can get a second window by typing Ctrl-N, just as with Netscape. The program is located at K>System>Filemanager (superuser mode).
Open the /etc/resolv.conf file and add: "nameserver 195.96.96.97". Of course, with your ISP's nameserver IP.

c) Go to the /etc/hosts file and add your internal network. So for instance:

192.168.0.2 momsmachine mom
192.168.0.3 dadswindoze dad

And also add the gateway itself

192.168.0.1 linuxgateway gateway

This means of course that your windoze and other computers that use the gateway must have these names and numbers. Windows computers can be given their name at:
Network Neighbourhood -> Options -> Identification.

The internal IP number can be set at:
networkneighbourhood->options->tcpipnetworkcard

Also set the default gateway (the internal IP of the linuxgateway for instance 192.168.0.1). The nameserver at the windoze computers can be the nameserver of your ISP.

d) Now the /etc/ppp/options file.
Make it to look like this:

debug
connect "/usr/sbin/chat -f /etc/ppp/chat-script"
/dev/ttyS0 115200
modem
crtscts
defaultroute
user isp_user
195.96.98.253:195.95.98.1
ipcp-accept-remote
ipcp-accept-local
demand
idle 300

This options file makes sure that when you run pppd (by typing "pppd" at the terminal) the program is started, but there is no dialing in yet. The demand option sets it so that a modem connection is made only when traffic is seen. For instance, if you type "ping 195.96.96.97" the link will come up. Then type Ctrl-C to stop the pinging.

The log will say that two IPs have been set. These are bogus IPs. They are removed when an actual link is set up to your ISP. The two ipcp statements make sure that goes ok (see "man pppd" for more info). The idle statement makes sure your modem connection is terminated when there is no traffic for 300 seconds. The 115200 can be changed if your modem is not a 33000 modem. You can use the IP of the default gateway of your ISP as the second number in the ....:..... statement.

You should make a file /var/log/debug if it is not already there.

e) Now the file /etc/ppp/chat-script.
It should say:

ABORT BUSY
ABORT "NO DIAL TONE"
"" ATDT4
CONNECT ""

It is possible that your modem needs slightly different commands!

That is all. The 4 after ATDT is the number I have to dial at Casema in The Hague, the Netherlands.

f) Make the file /etc/ppp/pap-secrets.
Caldera comes with a file pap-secrets.sample. Use that: copy it to pap-secrets and add a new line:

isp_user * isp_passwd

isp_user is your username, isp_passwd your password.

Save as /etc/ppp/pap-secrets

type "chmod 600 /etc/ppp/pap-secrets"

You can now dial in by typing "pppd" if your modem is on the COM1 port. If you do "ping 195.96.96.97" you should get a reply. If not, try another IP, because it probably means my ISP is down (it wouldn't be the first time). Ctrl-C stops the ping. Type "ps -ax" and you can see whether pppd is running. You can stop it by looking at the number in the first column and typing "kill number", where number stands for the number in the first column before pppd.

At /var/log/debug you can see what went wrong.

III. Configuring ipchains and the firewall.

So now you can dial in, but you hardly have a gateway. We will make one now. After that we will make the firewall rules.

First ipchains. ipchains is the name of the program that tells the kernel what to do with packets coming in over the networks. It is the same program that can forward packets, filter them (the firewall) and rework them so that they all appear to come from one computer (masquerading).

A) go to /etc/rc.d/rc.local
add the line:

/etc/rc.d/rc.firewall

Save the file

b) make a file /etc/rc.d/rc.firewall
put in it:

#!/bin/sh
# called from rc.local at boot
logger THIS IS the rcfirewall script
# masquerading helpers for protocols that carry addresses inside the data stream
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
# switch on IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
# forward nothing by default, then masquerade everything coming from the internal LAN
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
# Caldera configuration variable; a plain shell assignment here, it has no effect in this script
IPFORWARDING=yes
# only needed with a dynamic IP: lets masqueraded connections survive the address change
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
logger first firewall script finished, ipchains and masquerading work now.

You may add other modprobes if you want to play Quake and so on. The last line is only needed when you do not have a fixed IP number. Almost no one has one, don't worry.

Save the file and do "chmod 700 /etc/rc.d/rc.firewall".

The gateway should work now. There is no firewall yet! We will make one in the next step.

IV. The setting of the firewall

The original firewall set of rules that I adapted comes from TrinityOS(TM)(c)
Written, Maintained, and Copyrighted by David A. Ranch

He also helped me out getting this fixed, which took a while...
His file works with diald. I did it without diald, since I had problems with it, and ppp can do demand dialing too. The less to do the better.

The trick is that the firewall must include the new IP we get every time we dial in again (remember we use a dynamic IP). This is (slightly) safer than a fixed IP, by the way. This is pulled off by using ip-up and ip-down: two scripts that are run automatically when the line goes up and down.

Here's how we do this:

A) open /etc/ppp/ip-up
add:

logger THIS IS the ip-up script running &
/etc/rc.d/rc.firewallup &
#/etc/rc.d/rc.firewallbigup &
logger this was the ip-up script &

save it and do "chmod 700 /etc/ppp/ip-up".

This script is used to call a set of firewall rules that must be put in /etc/rc.d/xxxx. In this case we used /etc/rc.d/rc.firewallbigup.
The logger lines can be traced back in /var/log/messages. That is handy because if something goes wrong you can try to figure out where it is.

There are two links in the ip-up file: one to rc.firewallup, and one to rc.firewallbigup. The first one is to test without a lot of rules, and the second holds all the rules. Only if it works without the rules should you try all the rules, and thus move the # from one link to the other.

thus change
/etc/rc.d/rc.firewallup &
#/etc/rc.d/rc.firewallbigup &

to

#/etc/rc.d/rc.firewallup &
/etc/rc.d/rc.firewallbigup &

when you are ready to try the big firewall set we will build below.

B) Now we can add the real firewall rules. First we make a small set to
test. After that a big set for real.

make a file /etc/rc.d/rc.firewallup.
add:

#!/bin/sh
logger THIS IS the rc.firewallup script to test
logger loading masq modules
modprobe ip_masq_vdolive
logger now vdolive should run, check with lsmod

# the message is quoted: an unquoted ';' or '(' would be parsed by the shell
logger "Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT

logger Flushing any old rulesets
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
# the flush above also removed the MASQ rule that rc.firewall loaded at boot;
# put it back, otherwise nothing from the internal LAN is forwarded any more
/sbin/ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0

logger Extending MASQ timeouts.
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
# IPCHAINS
/sbin/ipchains -M -S 7200 10 60
logger rc.firewallup done

So that is it. Do "chmod 700 /etc/rc.d/rc.firewallup" and you are done.

Now we must make a file that flushes the rules when the pppd link goes down.
Find /etc/ppp/ip-down or make it.

add:

#!/bin/bash
#
# The pppd executes this script every time a PPP connection goes down
# and passes the following args to it:
#
# $1 device
# $2 tty
# $3 speed
# $4 local IP addr
# $5 remote IP addr
#
# You can then execute special commands (like removing routes)
# depending on the arguments passed by the pppd.
#
logger THIS IS the ipdownscript
/etc/rc.d/flush
logger ready flushing

do "chmod 700 etc/ppp/ip-down"

make /etc/rc.d/flush
add:

#!/bin/sh
logger THIS IS flush
#
# the message now says what the script really does: the policies below are ACCEPT, not REJECT
echo " - Flushing all old rules and setting all default policies to ACCEPT "
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

logger Set default policies to accept
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
logger rulesets are flushed

do "chmod 700 etc/rc.d/flush"

done!

Now you can run pppd and ping to see if all goes well. /var/log/messages should show the logger lines.

C) If B works, we can do the real firewall.

Make /etc/rc.d/rc.firewallbigup.

Remember to change the link in /etc/ppp/ip-up by moving the #.

You must adjust the rules if you run a www server, an ftp server or another server that is to be accessible from the outside.

NOTE: 'rc.firewallbigup' is a big script; to keep this page quick to load and readable, it has been moved to this link.

do "chmod 700 /etc/rc.d/rc.firewallbigup"

When a link is started from pppd to the modem you should see the logger lines in /var/log/messages.

Every time the firewall filters something out, this will be reported.
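Those reports are the "Packet log:" lines that ipchains writes to /var/log/messages for every rule with -l. The following is an added example (mine, not from the page or TrinityOS) that summarises the denied packets per source, run here over a constructed sample of such lines; it assumes the log format ipchains writes (chain, target, interface, PROTO=, src:port, dst:port).

```shell
#!/bin/sh
# Added example (not from the page): summarise the "Packet log:" lines that
# ipchains writes to /var/log/messages for rules with -l, per source address.
# Real use:  summarize_denied < /var/log/messages

# Constructed sample syslog lines (documentation addresses, not real traffic)
SAMPLE='Feb  2 10:01:12 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3456 198.51.100.20:23 L=60 S=0x00 I=1234 F=0x4000 T=51 (#10)
Feb  2 10:01:13 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3457 198.51.100.20:21 L=60 S=0x00 I=1235 F=0x4000 T=51 (#10)
Feb  2 10:01:15 gateway kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.9:137 198.51.100.20:137 L=78 S=0x00 I=77 F=0x0000 T=120 (#10)
Feb  2 10:01:18 gateway kernel: Packet log: input ACCEPT ppp0 PROTO=1 192.0.2.9:8 198.51.100.20:0 L=84 S=0x00 I=78 F=0x0000 T=120 (#8)
Feb  2 10:01:20 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3458 198.51.100.20:80 L=60 S=0x00 I=1236 F=0x4000 T=51 (#10)
Feb  2 10:02:00 gateway pppd[412]: local  IP address 198.51.100.20'

# summarize_denied [MINPORTS] : read syslog lines on stdin and print, most
# active first, "HITS SOURCE ports:P1,P2,..." for every source that was
# DENYed or REJECTed; a source that touched MINPORTS (default 3) or more
# distinct ports is flagged, since that pattern looks like a port scan
summarize_denied() {
    awk -v min="${1:-3}" '
    /kernel: Packet log: / {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        # after "log:" come: chain target interface PROTO=n src:port dst:port
        target = $(i + 2)
        if (target != "DENY" && target != "REJECT") next
        split($(i + 5), src, ":"); split($(i + 6), dst, ":")
        hits[src[1]]++
        if (!((src[1], dst[2]) in seen)) {
            seen[src[1], dst[2]] = 1
            nports[src[1]]++
            ports[src[1]] = (ports[src[1]] == "" ? "" : ports[src[1]] ",") dst[2]
        }
    }
    END {
        for (s in hits) {
            flag = (nports[s] >= min) ? " *multiple ports*" : ""
            printf "%d %s ports:%s%s\n", hits[s], s, ports[s], flag
        }
    }' | sort -rn
}

# run on the constructed sample when executed directly
printf '%s\n' "$SAMPLE" | summarize_denied
```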

At last you can sit at your fireplace and rest safely....

But... you should really also update your kernel, since the version 2.10 that comes with Caldera is not safe. See: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri

How to do that? I will try to find out for myself....

A good place to start is http://www.Calderasystems.com/support/resources/ and howto.tucows.com.

What you should also do is check other security matters. You should at least disable telnet, ftp and http, use hosts.allow and so on. See TrinityOS for all this. If you don't do this a hacker will find you.

V. EXTRAS  (Very handy)

Automatic and transparent logging.

This comes from :

TrinityOS(TM)(c) Written, Maintained, and Copyrighted by David A. Ranch

I copied it and added some changes:

It is very convenient, because you see all the logger lines on your terminal, and also when the firewall refuses traffic. Especially when you are debugging this is helpful.

Like the real-time log monitor above, it's nice to be able to see errors in real time whenever you suspect problems via TELNET, SSH, etc. To do this, create the file with the following:

/usr/local/sbin/logit
--
#!/bin/sh
# follow the Samba, security and general logs at the same time, each tail in the background
tail -f /var/log/samba.d/smb.nmb &
tail -f /var/log/samba.d/smb.smb &
tail -f /var/log/secure &
tail -f /var/log/messages &
--

Close the file and then fix its permissions with "chmod 700 /usr/local/sbin/logit".

If you do not use Samba you can cut out those lines above and below.

Now, whenever you suspect problems with ANYTHING on your Linux box, just run "/usr/local/sbin/logit" and watch the error logs go by in real time. I recommend typing "clear" at the UNIX prompt now and then to clean up the screen for readability's sake. When you are done with "logit", run the command "killall tail" to stop all the logging. The problem with this "killall" is that it kills the TTY logging. To fix this, I recommend using the "recycle" script:

/usr/local/sbin/recycle
--
#!/bin/sh
echo Killing all existing tails from logit, etc
killall tail
--

Close the file and then fix its permissions with "chmod 700 /usr/local/sbin/recycle".

Now you must also make the file /var/log/secure if it does not exist yet. You can also change /etc/syslog.conf if you want; at least have a look at it. You can manage what gets logged, and where. A good way to see if all permissions are ok is also to log in as a normal user and try to view and write to these files.

VI.  Logging Errors

To fix the Caldera bug about ip-compress errors in your log when a line comes up:

edit /etc/modules.conf and include these lines at the bottom of the file:

alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
