|
|
ADSP 21xx 
Have you found this site useful? Did we save you time? Did we cure your head-ache? Is your hair growing back now? Please make a donation to help with maintenance. |
Custom Search
Mandrake Linux 10.0Copyright, Aerospace Software Ltd., GPL, 2004 http://www.AerospaceSoftware.com ScopeSometimes, one gets a situation where a single DSL or DOCSIS line is too slow, while a T1 line is overkill and too expensive. This guide explains how to configure TCP/IP routing to perform load sharing between two Network Interface Cards (NIC). This enables the use of multiple DSL/DOCSIS lines for increased throughput and redundancy in a multi network system. You could also use this system with two modems if you are in a rural area and only has dial-up internet access and you happen to have two phone lines. We assume that you have three Network Interface Cards (NIC) installed and working, that eth0 has a fixed IP address, while eth1 gets its address via DHCP. This is only to make things interesting. The internal LAN interface is assumed to be eth2, has a fixed address and supplies the local network with addresses via DHCP.
Load Balancing Dual Uplink
with
Three Way Firewall
Uplink ------------------------ Downlink
| |
DSL0 --------------| eth0 |
| |
WAN | eth2|--------------- LAN
| |
DSL1 --------------| eth1 |
| |
------------------------
There are many howto guides on The Linux Kernel Documentation Project pages that describe routing, but they fail to mention which files you have to modify, where you have to put new files and how to hook things together. How the networking system starts up consequently remains a big mystery and this is an attempt to clarify that a bit. This guide describes how to create a sophisticated system with a dual DSL/DOCSIS interface, with load balancing and a double barrel firewall to keep the system safe. Start-upHere is a brief description of how Linux boots up:
Initialization is controlled by /etc/inittab. The network initialization occurs in runlevel 5. The network is started by link /etc/rc.d/rc5.d/S10network, which points to /etc/rc.d/init.d/network. The network script calls /etc/sysconfig/network-scripts/ifup, once for each physical/virtual interface. Each interface has a file called /etc/sysconfig/network-scripts/ifcfg-ethn, where n ranges from 0 to 2 for a system with three NICs. The ifup script calls the ifcfg-ethn and ifup-routes scripts. Once that lot has done their things, the NICs are up and the routing table is configured with a basic configuration. For us to add some fancy routing to this mix, we have to create a new routing script and call it after the network script. For security, we also need to create a set of rules for netfilter, to protect the system with a multi network firewall. NIC ConfigurationConfiguration of networking, dhcpd and dhclient is very easy. Run the Mandrake Network configuration wizard: Click Menu, System, Configuration, Configure your computer and finally click Network and internet, New connection and have fun. Here are some details, if you need to debug it manually. The NIC configuration is controlled by scripts /etc/sysconfig/ifcfg-ethn, where n ranges from 0 to 2 for this three NIC case. Bring the network up and down with service network restart and check what is going on with ifconfig and ping, until you are sure all three interfaces are working. The configuration scripts should look somewhat like the following examples: File ifcfg-etho: DEVICE=eth0 BOOTPROTO=DHCP ONBOOT=yes MII_NOT_SUPPORTED=yes NEEDHOSTNAME=no File ifcfg-eth1: DEVICE=eth1 BOOTPROTO=static ONBOOT=yes IPADDR=192.168.1.10 NETMASK=255.255.255.0 NETWORK=192.168.1.0 MII_NOT_SUPPORTED=yes NEEDHOSTNAME=no File ifcfg-eth2: DEVICE=eth2 BOOTPROTO=static ONBOOT=yes IPADDR=192.168.10.1 NETMASK=255.255.255.0 NETWORK=192.168.10.0 MII_NOT_SUPPORTED=yes NEEDHOSTNAME=no The two uplinks are eth0 and eth1. We make the one dynamic and the other static, just to show how to handle that in the routing script. Therefore dhclient needs to run on eth0. The local LAN port eth2 is also static and this port should run a DHCP server dhcpd to enumerate the other computers on the LAN. Fire ExtinguisherIt is best to ensure that the firewall is completely closed, before you configure the network. We can do this by adding a small script immediately before the network initialization script. This will deny a hacker/worm a small window of opportunity to get into the system. Create file /etc/rc.d/rc.fire.extinguisher: #! /bin/bash # Close the firewall before we start networking # Hook it from /etc/rc.d/rc5.d/S08fire.extinguisher IPTABLES=/sbin/iptables echo "Fire Extinguisher: Block all traffic" $IPTABLES -F INPUT $IPTABLES -P INPUT DROP $IPTABLES -F FORWARD $IPTABLES -P FORWARD DROP $IPTABLES -F OUTPUT $IPTABLES -P OUTPUT DROP Make this script executable and hook it from /etc/rc.d/rc5.d as follows: $ su # chmod 700 /etc/rc.d/rc.fire.extinguisher # ln -s /etc/rc.d/rc.fire.extinguisher \ /etc/rc.d/rc5.d/S08fire.extinguisher You can check the netfilter status with: # iptables -L to see what is going on. Double Barrel FirewallWe need an interesting firewall to make this setup work. We have to deny forwarding between the two uplinks, to avoid the creation of a loop and we need to masquerade the LAN using Network Address Translation (NAT). Create a new file /etc/rc.d/rc.firewall.dual, make it executable and hook it into the initialization system, immediately after the /etc/rc.d/rc5.d/network script. Here is how to practise safe computing and avoid a shotgun wedding with a hairy hacker:
#!/bin/sh
#
# rc.firewall.dual
#
# Aerospace:
FWVER=0.90
# Original by Redhat - Modified by Aerospace Software Ltd.
# http://www.AerospaceSoftware.com
#
# An example of a stronger IPTABLES firewall with IP Masquerade
# support for 2.4.x kernels.
#
# Log:
#
# 0.90 - Aerospace: Modify for 3 way firewall with dual uplink
# 0.80 - Aerospace: Add protection for MS Windows Hosts and forward game
ports
# Load iptable_mangle module for Port Forwarding.
# 0.79s - ruleset now uses modprobe instead of insmod
# 0.78s - REJECT is not a legal policy yet; back to DROP
# 0.77s - Changed the default block behavior to REJECT not DROP
# 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
# where to put optional PORTFW commands
# 0.75s - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.74s - Changed the EXTIP command to work on NON-English distros
# 0.73s - Added comments in the output section that DHCPd is optional
# and changed the default settings to disabled
# 0.72s - Changed the filter from the INTNET to the INTIP to be
# stateful; moved the command VARs to the top and made the
# rest of the script to use them
# 0.70s - Added a disabled examples for allowing internal DHCP
# and external WWW access to the server
# 0.63s - Added support for the IRC module
# 0.62s - Initial version based upon the basic 2.4.x rc.firewall
echo -e "\nLoad rc.firewall - version $FWVER\n"
# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
# Aerospace:
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
# Set the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" and "eth1" are external and "eth2" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables. For example:
#
# If you are a PPPoE or analog modem user:
# EXTIF="ppp0"
#
# Aerospace:
EXTIF0="eth0"
EXTIF1="eth1"
INTIF="eth2"
echo "External Interface0: $EXTIF0"
echo "External interface1: $EXTIF1"
echo "Internal Interface: $INTIF"
# Specify your Static IP address here or let the script take care of it
# for you.
#
# If you prefer to use STATIC addresses in your firewalls, un-# out the
# static example below and # out the dynamic line. If you don't care,
# just leave this section alone.
#
# If you have a DYNAMIC IP address, the ruleset already takes care of
# this for you. Please note that the different single and double quote
# characters and the script MATTER.
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word
# "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
# etc) on the lines for "ppp-ip" and "extip". You should also note that the
# DHCP server can and will change IP addresses on you. To deal with this,
# users should configure their DHCP client to re-run the rc.firewall ruleset
# everytime the DHCP lease is renewed.
#
# NOTE #1: Some DHCP clients like the original "pump" (the newer
# versions have been fixed) did NOT have the ability to run
# scripts after a lease-renew. Because of this, you need to
# replace it with something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
#
# NOTE #3: For Pump users, put the following line in /etc/pump.conf:
#
# script /etc/rc.d/rc.firewall
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when
# a PPP connection comes up. Because of this, we can make the ruleset go and
# get the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up sccript, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
# The following lines will determine your external IP addresses. This
# line is somewhat complex and confusing but it will also work for
# all NON-English Linux distributions:
#
EXTIP0="`$IFCONFIG $EXTIF0 | $AWK \
/$EXTIF0/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
EXTIP1="`$IFCONFIG $EXTIF1 | $AWK \
/$EXTIF1/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo "External IP0: $EXTIP0"
echo "External IP1: $EXTIP1"
# Assign the internal TCP/IP network and IP address
# Aerospace:
INTIP="`$IFCONFIG $INTIF | $AWK \
/$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
# Change this to suit:
INTNET="192.168.10.0/24"
echo "Internal Network: $INTNET"
echo "Internal IP: $INTIP"
# Set a few other local variables
#
UNIVERSE="0.0.0.0/0"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
# Need to verify that all modules have all required dependencies
#
echo -en "\nVerify that all kernel modules are ok"
$DEPMOD -a
echo -en "Load kernel modules:"
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "Load the main body of the IPTABLES module - ip_tables"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$MODPROBE ip_tables
fi
echo "Load the IPTABLES filter module - iptable_filter"
#
# - Loaded automatically when filter policies are activated
echo "Load the stateful connection tracking framework - ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack
fi
echo "Load the FTP tracking mechanism for full FTP tracking"
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_ftp
fi
echo "Load the IRC tracking mechanism for full IRC tracking"
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_irc
fi
echo "Load the general IPTABLES NAT code - iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$MODPROBE iptable_nat
fi
echo "Load the FTP NAT functionality into the core IPTABLES code"
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi
echo "---"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc. ALSO USED
# FOR PORT FORWARDING!!!
# CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "Enable IP forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable the following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo "Enable Dynamic Address"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "---"
#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN on eth2, with
# 192.168.10.x network with a 255.255.255.0 or a "24" bit subnet
# mask connecting to the Internet on external interface "eth0/eth1".
# This example will MASQ internal traffic out to the Internet
# but not allow non-initiated traffic into your internal network.
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
# Clear any previous configuration
#
# Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
#
# You CANNOT change this to REJECT as it isn't a vaild policy setting.
# If you want REJECT, you must explictly REJECT at the end of a giving
# INPUT, OUTPUT, or FORWARD chain
#
echo "Clear any existing rules and set default policy to DROP"
# Aerospace:
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP
$IPTABLES -F -t nat
# Aerospace: This is needed for PORT FORWARDING
$IPTABLES -F -t mangle
#
# Flush the user chain, if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
# Configure specific CHAINS for later use in the ruleset
#
# NOTE: Some users prefer to have their firewall silently
# "DROP" packets while others prefer to use "REJECT"
# to send ICMP error messages back to the remote
# machine.
#
# NOTE: Without the --log-level set to "info", every single
# firewall hit will goto ALL vtys. This is a very big
# pain.
#
echo "Create a logging DROP chain"
$IPTABLES -N drop-and-log-it
#$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
echo -e "\nLoad INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
echo "Inp: Loopback interfaces are valid"
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
echo "Inp: Local interface, local machines, going anywhere is valid"
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
echo "Inp: Remote interfaces, claiming to be local machines, IP spoofing, get
lost"
#
$IPTABLES -A INPUT -i $EXTIF0 -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET -d $UNIVERSE -j drop-and-log-it
echo "Inp: External interface, from any source, for ICMP traffic is valid"
#
# If you would like your machine to "ping" from the Internet,
# enable this next line
#
$IPTABLES -A INPUT -i $EXTIF0 -p ICMP -s $UNIVERSE -d $EXTIP0 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF1 -p ICMP -s $UNIVERSE -d $EXTIP1 -j ACCEPT
echo "Inp: Remote interface, any source, going to permanent PPP address is
valid"
#
#$IPTABLES -A INPUT -i $EXTIF0 -s $UNIVERSE -d $EXTIP0 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF1 -s $UNIVERSE -d $EXTIP1 -j ACCEPT
echo "Inp: Allow any related traffic coming back to the MASQ server in"
# Aerospace:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ----- Begin OPTIONAL INPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
echo "Inp: Allow internal dhcpd server"
# Aerospace:
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
# NOTE: This is NOT needed for simply enabling PORTFW. This is ONLY
# for users that plan on running Apache on the MASQ server itself
#
#echo -e "Inp: Allow EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF0 -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP0 --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF1 -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP1 --dport 80 -j ACCEPT
echo "Inp: Allow ssh on port 22 in"
$IPTABLES -A INPUT -i $EXTIF0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF1 -p tcp --dport 22 -j ACCEPT
echo "Inp: Allow ftp on port 21 in"
$IPTABLES -A INPUT -i $EXTIF0 -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF0 -p udp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF1 -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF1 -p udp --dport 21 -j ACCEPT
#
# ----- End OPTIONAL INPUT Section -----
echo "Inp: Catch all rule, all other incoming is denied and logged"
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "\nLoad OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
echo "Out: Loopback interface is valid"
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
echo "Out: Local interfaces, any source going to local net is valid"
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP0 -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP1 -d $INTNET -j ACCEPT
echo "Out: Local interface, any source going to local net is valid"
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
echo "Out: Outgoing to local net on remote interface, stuffed routing, deny"
#
$IPTABLES -A OUTPUT -o $EXTIF0 -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET -j drop-and-log-it
echo "Out: Anything else outgoing on remote interface is valid"
#
$IPTABLES -A OUTPUT -o $EXTIF0 -s $EXTIP0 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -d $UNIVERSE -j ACCEPT
# ----- Begin OPTIONAL OUTPUT Section -----
#
echo "Out: Allow internal dhcpd server"
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
# - Remove BOTH #s all the #s if you need this functionality.
#
# Aerospace:
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----
echo "Out: Catch all rule, all other outgoing is denied and logged"
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "\nLoad FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
# ----- Begin OPTIONAL FORWARD Section -----
#
# Aerospace:
### Don't need to do this with radios, since the connection is established from
the inside
### but it is good example of a port forwarding rule and is easy to test.
#echo "Fwd: DNAT Forward port 8002 for Nectarine Demoscene Radio"
#$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF -p tcp --dport 8002 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $EXTIF0 -p tcp --dport 8002 -j DNAT --to
192.168.10.245:8002
#$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF -p tcp --dport 8002 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $EXTIF1 -p tcp --dport 8002 -j DNAT --to
192.168.10.245:8002
#
# Aerospace:
# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over a VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
# Also block Windows Messenger pop-up advertisements.
echo "Fwd: Drop windoze NetBIOS, SMB and Messenger packets"
$IPTABLES -A FORWARD -p tcp --dport 135:139 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 135:139 -j drop-and-log-it
$IPTABLES -A FORWARD -p tcp --dport 445 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 445 -j drop-and-log-it
echo "Fwd: Drop Windoze SQL Slammer virus packets"
$IPTABLES -A FORWARD -p tcp --dport 1434 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 1434 -j drop-and-log-it
echo "Fwd: Block the WindowsXP RPC DCOM worm"
$IPTABLES -A FORWARD -p tcp --dport 4444 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 4444 -j drop-and-log-it
$IPTABLES -A FORWARD -p tcp --dport 593 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 593 -j drop-and-log-it
$IPTABLES -A FORWARD -p tcp --dport 69 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 69 -j drop-and-log-it
echo "Fwd: Block some other damn Windoze thing"
$IPTABLES -A FORWARD -p tcp --dport 9898 -j drop-and-log-it
$IPTABLES -A FORWARD -p udp --dport 5554 -j drop-and-log-it
#
# ----- End OPTIONAL FORWARD Section -----
echo "Fwd: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF0 -o $INTIF -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF0 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF1 -j ACCEPT
echo "Fwd: Catch all rule, all other forwarding is denied and logged"
#
$IPTABLES -A FORWARD -j drop-and-log-it
echo "NAT: Enable SNAT (MASQUERADE) functionality on external interface"
#
$IPTABLES -t nat -A POSTROUTING -o $EXTIF0 -j SNAT --to $EXTIP0
$IPTABLES -t nat -A POSTROUTING -o $EXTIF1 -j SNAT --to $EXTIP1
#######################################################################
echo -e "\nFirewall Done.\n"
Make this script executable and hook it into the initialization system. To do that, we need to rename the network script to make some room in the sequence: $ su # mv /etc/rc.d/rc5.d/S10network /etc/rc.d/rc5.d/S09network # chmod 700 /etc/rc.d/rc.firewall.dual # ln -s /etc/rc.d/rc.firewall.dual /etc/rc.d/rc5.d/S10firewall If we would run the firewall script now, the system should work using the default routes over eth0 for internet access, and eth2 for the LAN. To get both eth0 and eth1 to work and do load sharing, we need to configure routing. Routing TablesThe first thing to do is to add two new table definitions to the routing system. Edit file /etc/iproute2/rt_tables and add tables T0 and T1 at the bottom: # # reserved values # #255 local #254 main #253 default #0 unspec # # local # Dual ports - 2 separate routing tables required 1 T0 2 T1 Configure RoutingCreate a new file /etc/rc.d/rc.route. In this file, define the routing for the two ports each in its own table, then use the main routing table to tie the lot together. There is only so much that you can do in any one routing table. For instance, you can only define one default route in a table. We need two default routes, one for each NIC and the only way to do that, is to define multiple tables. This is best understood by reading the script itself: #! /bin/bash We then add a link to this script after configuring the NICs in run level 5. Hook the Routing ScriptThe best place to add the new routing script into the system intialization sequence, is immediately after the network script and firewall in run level 5. The network script was hooked with the link /etc/rc.d/rc5.d/S10network, but we moved it to S09network and used S10firewall. The next position is S12syslog. We could therefore make a link for S11: $ su # chmod 700 /etc/rc.d/rc.route # ln -s /etc/rc.d/rc.route /etc/rc.d/rc5.d/S11route Run this script and if all went well, you will have a great dual uplink load sharing firewall. You can test the system using ping, by specifying the port you want to ping out of: $ ping -I eth0 www.yahoo.com $ ping -I eth1 www.yahoo.com and both of them should work. Note that routes are cached and the same routes will therefore always be accessed over the same NIC. This system is therefore not ideal, but the load should balance out fairly well in a busy system. Have fun!
|
|
Copyright © 2005-2008, Aerospace Software Ltd., GPL. |