[KLUG Members] linux MASQ/NAT and port forwarding (yahoo)

Scott Webster Wood members@kalamazoolinux.org
Mon, 7 Jan 2002 04:03:07 -0500



Alright, every time I learn to use a dag nagged firewall command on linux
masquerading, some new think tank gets ahold of the kernel and stirs the
mix.  First it was ipfwadm - then ipchains - now it's iptables.

I have yahoo messenger running on one of my boxes and I would like to litmus
test some of the features such as the audio and cam support even if they
aren't necessarily things I will use on a regular basis.  Meanwhile, I
figured it would be a good chance to play with iptables.  But I can't seem
to get it to work!

According to the yahoo website, the audio side needs tcp on port 5001 and
udp on port 5055.  Meanwhile, the cam support supposedly needs port 5100.

Before I prejudice this with what I have tried thus far, I would be curious
to know what the 'best case' method is for setting up port forwarding.

For any replies, assume that my external IP and internal net are as follows:

External Interface is $extint = eth0
External IP address is set to variable $extip
Internal network is 192.168.0.0/255.255.0.0 on $intint = eth0
Laptop is on 192.168.0.2  (NAT box is 192.168.0.1)

Masquerading is set up and working with no problems (See attached rc file)


Attachment: rc.firewall

#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset
#                        (here ported to iptables).
#

state=$1

# Quote $state: with an empty argument an unquoted test expands to
# "[ = "" ]", which is a syntax error and silently skips the external rules.
if [ "$state" = "" ]
then
  state="up"
fi

if [ "$state" = "down" ]
then
  echo Bringing down ppp interface
else
  echo Bringing up ppp interface
fi

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented from loading.

# Needed to initially load modules
#
#/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
#  /sbin/modprobe -v ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#  /sbin/modprobe -v ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
# /sbin/modprobe ip_masq_irc


# Supports the masquerading of Quake and QuakeWorld by default.  This module is
#   for multiple users behind the Linux MASQ server.  If you are going to
#   play Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive


echo Setting /proc/sys/net/ipv4 switches
#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo Enabling ipv4 packet forwarding support
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by default
#           in 2.2.x kernels
#
#           This used to be a compile-time option but the behavior was changed
#           in 2.2.12.  It should also be noted that some distributions have
#           removed this option from the /proc table.  If this entry isn't
#           present in your /proc, don't worry about it.
#
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
#   following option.  This enables dynamic-ip address hacking in IP MASQ,
#   making the life with Diald and similar programs much easier.
#
echo Enabling ipv4 Dynamic IP support
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you have set it up to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning
#  vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


# Specify your Static IP address here.
#
#   If you have a DYNAMIC IP address, you need to make this ruleset understand
#   your IP address every time you get a new IP.  To do this, enable the
#   following one-line script.  (Please note that the different single and
#   double quote characters MATTER).
#
#
#   DHCP users:
#   -----------
#   If you get your TCP/IP address via DHCP, **you will need ** to enable the
#   #ed out command below underneath the PPP section AND replace the word
#   "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
#   on the lines for "ppp-ip" and "extip".  It should be also noted that the
#   DHCP server can change IP addresses on you.  To fix this, users should
#   configure their DHCP client to re-run the firewall ruleset every time the
#   DHCP lease is renewed.
#
#     NOTE #1:  Some DHCP clients like the original "pump" (the newer
#               versions have been fixed) did NOT have the ability to run
#               scripts after a lease-renew.  Because of this, you need to
#               replace it with something like "dhcpcd" or "dhclient".
#
#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
#
#               Older versions used syntax like:
#                         dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#               Newer versions use syntax like:
#                         dhcpcd eth0 /etc/rc.d/rc.firewall
#
#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
#
#                   script /etc/rc.d/rc.firewall
#
#   PPP users:
#   ----------
#   If you aren't already aware, the /etc/ppp/ip-up script is always run when
#   a PPP connection comes up.  Because of this, we can make the ruleset go and
#   get the new PPP IP address and update the strong firewall ruleset.
#
#   If the /etc/ppp/ip-up file already exists, you should edit it and add a line
#   containing "/etc/rc.d/rc.firewall" near the end of the file.
#
#   If you don't already have a /etc/ppp/ip-up script, you need to create the
#   following link to run the /etc/rc.d/rc.firewall script.
#
#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
#   * You then want to enable the #ed out shell command below *
#
#

if [ "$state" != "down" ]
then
  echo retrieving and setting interface defaults
# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
  extint="ppp0"
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line after that.
#
extip="`/sbin/ifconfig $extint | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# For PPP users with STATIC IP addresses:
#
#extip="your.static.PPP.address"

fi

# Assign the internal IP
intint="eth0"
intnet="192.168.0.0/16"


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
#echo setting masquerade timeouts
#ipchains -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
echo flushing input rules
#ipchains -F input
iptables -F
iptables -X
echo setting default input policy
iptables -P INPUT DROP

echo setting new input rules

#ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT

if [ "$state" != "down" ]
then
  echo ...setting external interface input rules
# local interface, local machines, going anywhere is valid

# remote interface, claiming to be local machines, IP spoofing, get lost
#
#ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -j REJECT
  iptables -A INPUT -i $extint -s $intnet -d 0.0.0.0/0 -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
#ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
  iptables -A INPUT -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

fi

# loopback interface is valid.
#
#ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
  iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other incoming is denied. pity there is no log option
# on the policy; the ipchains version logged with -l, under iptables a
# separate LOG rule would be needed for that.
#
#ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
  iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT


#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
echo flushing output rules
#ipchains -F output
#iptables -F OUTPUT
echo setting default output policy
#ipchains -P output REJECT
iptables -P OUTPUT DROP

echo configuring new output rules

#ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
iptables -A OUTPUT -o $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

if [ "$state" != "down" ]
then
  echo ...configuring external interface output rules
# local interface, any source going to local net is valid
#
# outgoing to local net on remote interface, stuffed routing, deny
#
#ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -j REJECT
  iptables -A OUTPUT -o $extint -s 0.0.0.0/0 -d $intnet -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
#ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -j REJECT
  iptables -A OUTPUT -o $extint -s $intnet -d 0.0.0.0/0 -j REJECT

# anything else outgoing on remote interface is valid
#
#ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
  iptables -A OUTPUT -o $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

fi

# loopback interface is valid.
#
#ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
  iptables -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other outgoing is denied. pity there is no log option
# on the policy; as above, iptables would need a separate LOG rule.
#
#ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
  iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT

#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
# NOTE: "iptables -F" above already flushed the FORWARD chain along with the
#       rest of the filter table; the FORWARD policy is left at the kernel
#       default (ACCEPT) because the lines below are commented out.
#
#echo flushing forward rules
#ipchains -F forward
#iptables -F FORWARD
iptables -t nat -F
iptables -t nat -X
#echo setting default forward policy
#ipchains -P forward DENY
#iptables -P FORWARD DROP

if [ "$state" != "down" ]
then
  echo setting up masquerading rules
# Masquerade from local net on local interface to anywhere.
#
#ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
  iptables -t nat -A POSTROUTING -o $extint -s $intnet -d 0.0.0.0/0 -j MASQUERADE

#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
#ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
#iptables -A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT

fi

#End of file

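An added example, not part of the original post or the attached rc.firewall, showing one way to do the port forwarding the post asks about under iptables: one nat-table DNAT rule per port plus the matching FORWARD accept, restricted to the external interface, the single protocol/port and the single internal host (the laptop at 192.168.0.2) rather than a blanket forward. It reuses the post's variable names ($extint, $extip, $intint); the external address 203.0.113.5 is a constructed placeholder, and the `laptop` and `IPT` variables and the two functions are this example's own. By default IPT is set to `echo iptables`, so the script only prints the rules it would add; set `IPT=iptables` and run as root to apply them on a box that already has the masquerading from rc.firewall in place.

```shell
#!/bin/sh
# Added example (not the poster's script): DNAT port forwarding with iptables
# for the Yahoo Messenger ports listed in the post, to the laptop at 192.168.0.2.
# IPT defaults to a dry run that prints the commands; IPT=iptables applies them.

IPT="${IPT:-echo iptables}"
extint="${extint:-ppp0}"          # external interface, as in rc.firewall
extip="${extip:-203.0.113.5}"     # constructed placeholder; use the real external address
intint="${intint:-eth0}"          # internal interface, as in rc.firewall
laptop="${laptop:-192.168.0.2}"   # internal host that should receive the traffic

# forward_port PROTO PORT [INTERNAL_PORT]
# Emits two rules: a PREROUTING DNAT in the nat table that rewrites the
# destination of packets arriving on $extint for $extip:PORT, and a FORWARD
# accept in the filter table for the new connection after rewriting.  DNAT
# happens before FORWARD, so the FORWARD rule matches the internal address.
forward_port() {
    proto="$1"; port="$2"; dport="${3:-$2}"
    $IPT -t nat -A PREROUTING -i "$extint" -p "$proto" -d "$extip" --dport "$port" \
        -j DNAT --to-destination "$laptop:$dport"
    $IPT -A FORWARD -i "$extint" -o "$intint" -p "$proto" -d "$laptop" --dport "$dport" \
        -m state --state NEW -j ACCEPT
}

# setup_forwarding
# Lets replies and already-tracked connections through FORWARD in both
# directions, then opens only the three ports the Yahoo docs name.
setup_forwarding() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_port tcp 5001   # Yahoo voice chat (tcp)
    forward_port udp 5055   # Yahoo voice chat (udp)
    forward_port tcp 5100   # Yahoo webcam
}

setup_forwarding
```

Forwarded packets traverse the FORWARD chain, not INPUT, so the INPUT rules in rc.firewall do not govern them; rc.firewall currently leaves the FORWARD policy at the kernel default of ACCEPT, and the FORWARD rules above are what keep the forwarding working once `iptables -P FORWARD DROP` is uncommented there. After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show the packet counters for each rule, which is the quickest way to confirm whether traffic is reaching the DNAT rule at all or is being dropped afterwards; `/proc/sys/net/ipv4/ip_forward` must be 1, which rc.firewall already sets.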