Menu

Home

Genealogy

Linux

Setting up NAT and MonMotha's firewall

In order to implement NAT (Network Address Translation) also known as Internet Sharing you need to first install ip-masquerading. You will find all the details about ip-masquerading on their homepage.
I will focus on the Debian methods on this page and this is done by doing as root (su);

apt-get install ipmasq

You need to implement ipv4 for iptables to work so do;

#modconf

This should bring up a text menu. If it doesn't, then install modconf using apt. Go down the list until you see "kernel/net/ipv4/netfilter", select this option and go down the list and select ip_tables. After installing go down the list again and ensure that the module iptable_nat has a "+" next to it. If it doesn't install it. You need the following for MonMotha's script (from requirements in the script);

You will need (at least) the following kernel options to use this firewall:
IP_IPTABLES,IP_FILTER,IP_MATCH_STATE and IP_TARGET_REJECT.
| To use the masquerading you will also need (at least):
IP_CONNTRACK, IP_NAT, IP_NAT_NEEDED and IP_TARGET_MASQUERADE

Now you need MonMotha's script. When you have opened the download link, you will be presented with an ftp file structure. Go down to 2.3 and select the latest version rc.firewall-2.3.8-pre9 (The server hosting MonMotha's script is apparantly down (10/03/2006) so use my copy). You can also download the same file from me here. This will present as a text page. Copy and paste the text into a text editor. The basic setting parameters follow the comments list. The following is what it looks like;

# Main Options
IPTABLES="/usr/sbin/iptables"
TCP_ALLOW="80 25 22"
UDP_ALLOW="68 6112 6119 4000"
INET_IFACE="eth1"
LAN_IFACE="eth0"
INTERNAL_LAN="192.168.0.0/24"
MASQ_LAN="192.168.0.0/24"
SNAT_LAN=""
DROP="TREJECT"
DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""
TCP_FW=""
UDP_FW=""
MANGLE_TOS_OPTIMIZE="FALSE"
DHCP_SERVER="FALSE"
BAD_ICMP="5 9 10 15 16 17 18"
ENABLE="N"

# Flood Params
LOG_FLOOD="2/s"
SYN_FLOOD="20/s"
PING_FLOOD="1/s"

# Outbound filters
# FIXME: Update config help wiki then remove one-liner help
ALLOW_OUT_TCP="" # Internal hosts allowed to be forwarded out on TCP (do not put
this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
PROXY="" # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the
proxy is "host:port".
MY_IP="" # Set to the internal IP of this box (with the firewall), only needed for
PROXY= # Below here is experimental (please report your successes/failures)
MAC_MASQ="" # Currently Broken
MAC_SNAT="" # Ditto...
TTL_SAFE="" USE_SYNCOOKIES="FALSE"
RP_FILTER="TRUE"
ACCEPT_SOURCE_ROUTE="FALSE"
SUPER_EXEMPT=""
BRAINDEAD_ISP="FALSE"
ALLOW_HOSTWISE_PROTO=""
# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
DMZ_IFACE="" # Interface your DMZ is on (leave blank if you don't have one) -
Obsolete: Will be removed before 2.4.0

There are some key lines above that need to be configured;

TCP_ALLOW="80 25 22"

These are the ports that are open. Default are 80 for http, 25 for email and 22 for sftp. If you want to add or reduce the open ports this is place to do it. The same goes for the line below which are the ports for UDP

INET_IFACE="eth1"

This is the network card number that connects with your router or the Internet facing NIC and in this case it is "eth1".

LAN_IFACE="eth0"

This specifies the network card facing your internal network and is specified as "eth0"
Some very useful lines follow;

DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""

Let's look at how to use these rules. I have had problems with users from certain IP addresses and have taken the decision to exclude them from access to the server so I have the following rule;

DENY_ALL="203.160.0.0/23 81.213.232.0/23 85.97.126.0/23 85.98.26.10/23"

Note that the suffix "/23" excludes all addresses from 0 through 255. If you wanted to exclude an IP purely from port 80 then apply the following rule;

DENY_ALL="203.160.0.0/23>80"

Now having set up the various parameters you need to save the script. This is done by saving it as "rc.firewall.sh in /etc/init.d Now to make the script executable from a consol as root do;

cd /etc/init.d
chmod 700 rc.firewall

Check to see if the script will run by doing as root from a consol;

/etc/init.d/rc.firewall start

The script should output what it is doing and should be error free. If you get errors then you need to correct the script relevant to the error message that you get. You can stop the script running by using the same command but instead of using "start" use "stop".
Now you need to setup the script to run at boot time so you need to do again as root from the consol;

cd /etc/init.d
update-rc.d rc.firewall defaults 89

If you ever want to remove the soft links for initiating the script during the boot phase then do;

cd /etc/init.d
update-rc.d -f rc.firewall remove

I hope you find the information useful and enjoy the site. If you have any suggestions or comments or would like to contact me then please e-mail me
Rob Oats
Feb 2006