Introduction:
This article might help in setting up a modem gateway and firewall. Sometimes it might be handy to be able to share a modem on a small local network.
Prerequisites:
- An installed modem and a functioning ppp connection.
- A 2.4.x kernel with netfilter/iptables support built in. 2.4.x kernels need at least ppp 2.4.1 installed.
- The iptables userspace command installed (not present in YDL 2/2.1 installs). Visit: http://netfilter.samba.org/
- IP forwarding enabled (echo "1" > /proc/sys/net/ipv4/ip_forward)
HOWTOs for the above can be found at www.linuxdoc.org/HOWTO/HOWTO-INDEX/howtos.html
You can test whether iptables is installed by issuing this command at the shell prompt:
iptables -h [ENTER]
If iptables is installed you get the following:
iptables v1.2.5

Usage: iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --check   -C chain            Test this packet on chain
  --new     -N chain            Create a new user-defined chain
  --delete-chain -X [chain]     Delete a user-defined chain
  --policy  -P chain target     Change policy on chain to target
  --rename-chain -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto         -p [!] proto            protocol: by number or name, eg. `tcp'
  --source        -s [!] address[/mask]   source specification
  --destination   -d [!] address[/mask]   destination specification
  --in-interface  -i [!] input name[+]    network interface name ([+] for wildcard)
  --jump          -j target               target for rule (may load target extension)
  --match         -m match                extended match (may load extension)
  --numeric       -n                      numeric output of addresses and ports
  --out-interface -o [!] output name[+]   network interface name ([+] for wildcard)
  --table         -t table                table to manipulate (default: `filter')
  --verbose       -v                      verbose mode
  --line-numbers                          print line numbers when listing
  --exact         -x                      expand numbers (display exact values)
[!] --fragment    -f                      match second or further fragments only
  --modprobe=<command>                    try to insert modules using this command
  --set-counters PKTS BYTES               set the counter during insert/append
[!] --version     -V                      print package version.
If you get "command not found" instead, the userspace tool is missing; see http://netfilter.samba.org/ for installation of the IPTABLES binaries. If iptables runs but complains that it cannot initialize a table (the "do you need to insmod?" error), the kernel modules are not loaded; try:
modprobe iptable_nat [ENTER]
... which loads the NAT table module together with the ip_tables core it depends on (note the spelling: iptable_nat, no 's' before the underscore), and then try the above command again. If that still doesn't help, your kernel lacks netfilter support and you need to compile a new one; see the kernel-compile-how-to.
With some basic knowledge of scripting and the file system we will create three simple scripts that can be called either at startup or at will: 'dial', 'hang' and 'firewall'. At the end we will also edit /etc/rc.d/rc.local so that the needed modules are loaded at start up.
Let's start with dial
Use a text editor, I use pico, and make a script called 'dial' in the directory /etc/ppp/. The code should be something like this:
#!/bin/bash
echo "Bringing up ppp"
pppd 207.164.7.1:207.164.7.1 /dev/ttyS0
firewall start
echo "Ready to make a call!"
As you see, the script presumes your modem is at '/dev/ttyS0', which might not always be the case; the 'local:remote' address pair given to pppd must likewise be replaced with what your ISP assigned you, and the remaining pppd options (speed, connect script) are expected to come from your already working ppp setup (see the prerequisites). Note that 'firewall start' is run right after pppd goes into the background; that is fine, because iptables rules can name ppp0 before the interface exists.
Save and type:
chmod 0700 /etc/ppp/dial [ENTER]... which makes the script readable, writable and executable by root only, so ordinary users on the box can neither run it nor read the addresses in it.
Next type:
pico /etc/ppp/hang [ENTER]... and enter the following:
#!/bin/bash
kill `cat /var/run/ppp0.pid`
firewall stop
echo "Killed ppp0"
Save, and then:
chmod 0700 /etc/ppp/hang [ENTER]
Then create the firewall script itself:
pico /etc/ppp/ip_tables_firewall [ENTER]
... and enter the following, starting with the '#!/bin/bash' line:
#!/bin/bash
########################################################################
### FILE: /etc/ppp/ip_tables_firewall
### PURPOSE: Start/Stop IP TABLES masquerade service
### Copyright 2000 Tim Burden
### Originally by Kevin Martin
### Modified for IP Tables/Netfilter kernel 2.4.x
### by Ake Svensson
### Free for public redistribution under the terms of the GNU Public
### License.
########################################################################

case "$1" in
start)
    echo -n "Starting IP Tables masquerading and NAT support... "
    # Allow loopback access. This rule must come before the rules denying port access!!
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT
    # NAT/MASQ routing for modem ppp0
    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
    # Forward everything that arrives from the local network (eth1)
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    # Block X-windows (X servers 6000-6009 and the font server 7100)
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
    # Block outside localhosts "so called" for use as router eth0/eth1 (for later use)
    #iptables -A INPUT -p all -s localhost -d eth0 -j DROP
    # Block NFS
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
    # Block ftp
    echo -n "Blocking ftp port 21..."
    echo -n " "
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 21 -j DROP
    echo -n "Shut ftp!"
    echo -n " "
    # IP tables logging to /var/log/messages for debugging, requires module ipt_LOG.o
    # iptables -A INPUT -j LOG --log-prefix "INPUT_DROP:"
    # iptables -A INPUT -j LOG --log-prefix "OUTPUT_DROP:"
    # Let masqueraded connections survive a change of the dynamic ppp0 address
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    echo "Done."
    ;;
stop)
    echo -n "Stopping IP Tables masquerading and NAT support... "
    # Leftovers from the 2.2 ipchains/ip_masq version of this script
    # /sbin/rmmod ip_masq_cuseeme
    # /sbin/rmmod ip_masq_ftp
    # /sbin/rmmod ip_masq_irc
    # /sbin/rmmod ip_masq_quake
    # /sbin/rmmod ip_masq_raudio
    # /sbin/rmmod ip_masq_vdolive
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
    echo "Done."
    ;;
*)
    echo "Usage: /etc/ppp/ip_tables_firewall {start|stop}"
    exit 1
    ;;
esac
exit 0
This script presumes your local network is on 'eth1' (the FORWARD rule) and the modem on 'ppp0'; change these to match your hardware. Nothing in the script depends on the IP address of the card. Take a good look at the lines beginning with '# Block': the script blocks ftp (21), NFS (2049) and X-windows (6000-6009 and 7100) for external clients, but it never changes the default policies, so every other service listening on the box stays reachable from the modem side, and the FORWARD rule passes anything that arrives on eth1. It is a blacklist, not a default-deny firewall.
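For comparison, here is a default-deny version of the same start/stop script. It is an added example for this HOWTO and not Ake Svensson's script: it goes beyond the page's own rules by setting DROP policies, using connection tracking (ip_conntrack/ipt_state) so only replies to connections opened from the gateway or the LAN get in, dropping packets that arrive on the modem claiming a LAN source address, and logging what gets dropped with a rate limit (ipt_limit, ipt_LOG). It assumes the LAN is 192.168.1.0/24 on eth1 and the modem is ppp0; both are variables you can override. The 'show' mode prints the rules instead of applying them, so the rule set can be reviewed as an ordinary user before it is loaded.

```shell
#!/bin/bash
# Default-deny replacement for /etc/ppp/ip_tables_firewall.
# Added example for this HOWTO, not the original author's script.
# Assumed layout (edit to match your box): LAN 192.168.1.0/24 on eth1,
# modem on ppp0. Needs the 2.4 netfilter modules ip_tables, iptable_nat,
# ip_conntrack, ipt_state, ipt_limit, ipt_LOG and ipt_MASQUERADE.

LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PPP_IF=${PPP_IF:-ppp0}
IPT=${IPT:-/sbin/iptables}

# run: execute a command, or only print it when DRY_RUN=1 so the rule set
# can be reviewed without root and without touching the running kernel.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

fw_flush() {
    run $IPT -F
    run $IPT -t nat -F
    run $IPT -X
    run $IPT -t nat -X
}

fw_start() {
    fw_flush
    # Default deny for what the gateway receives and what it forwards;
    # what the gateway itself sends out is allowed.
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT

    # Loopback first, as in the original script.
    run $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections opened from the gateway or from the LAN.
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: nothing with a LAN source address may arrive on the modem.
    run $IPT -A INPUT -i "$PPP_IF" -s "$LAN_NET" -j DROP
    run $IPT -A FORWARD -i "$PPP_IF" -s "$LAN_NET" -j DROP

    # The LAN may talk to the gateway and out through the modem. Nothing
    # else is forwarded, so no per-port blacklist (X11, NFS, ftp) is needed.
    run $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run $IPT -A FORWARD -i "$LAN_IF" -o "$PPP_IF" -s "$LAN_NET" -j ACCEPT

    # Log what the DROP policies are about to discard, rate-limited so a
    # port scan cannot fill /var/log/messages.
    run $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT_DROP: "
    run $IPT -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FORWARD_DROP: "

    # Masquerade LAN traffic behind whatever address ppp0 is given.
    run $IPT -t nat -A POSTROUTING -o "$PPP_IF" -s "$LAN_NET" -j MASQUERADE

    run sysctl -w net.ipv4.ip_dynaddr=1
    run sysctl -w net.ipv4.ip_forward=1
}

fw_stop() {
    fw_flush
    run $IPT -P INPUT ACCEPT
    run $IPT -P FORWARD ACCEPT
    run $IPT -P OUTPUT ACCEPT
    run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    show)  DRY_RUN=1 fw_start ;;   # print the rules without applying them
    '')    ;;                       # no argument: only define the functions
    *)     echo "Usage: $0 {start|stop|show}" >&2; exit 1 ;;
esac
```

Because pppd runs /etc/ppp/ip-up when the link comes up and /etc/ppp/ip-down when it goes away, calling 'fw_start' and 'fw_stop' from those hooks instead of from 'dial' and 'hang' keeps the rules in step with the link even when the modem drops the line on its own.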
Save the above and type:
chmod 0700 /etc/ppp/ip_tables_firewall [ENTER]
Now we will create some symbolic links to our scripts in '/etc/ppp' (note the -s: a plain 'ln' makes a hard link, not a symbolic one, and fails if /etc and the target directory are on different file systems):
cd /sbin [ENTER]
ln -s /etc/ppp/ip_tables_firewall firewall [ENTER]
This creates a symbolic link called firewall. Now:
cd /usr/local/sbin [ENTER]
ln -s /etc/ppp/dial dial [ENTER]
ln -s /etc/ppp/hang hang [ENTER]
Permission checks go to the file a symbolic link points at, so the 0700 set on the scripts in /etc/ppp already applies and no further chmod is needed. ... the moment of truth:
Type dial [ENTER]
If you get this:
Bringing up ppp
Starting IP Tables masquerading and NAT support... Blocking ftp port 21...
Shut ftp! Done.
Ready to make a call!
You can also:
ifconfig [ENTER]... and hopefully you get:
ppp0 Link encap:Point-to-Point Protocol
inet addr:207.164.7.1 P-t-P:207.164.7.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
(besides the entries for eth0/eth1 and lo)
You're ready! To confirm that the rules really went in, list them with 'iptables -L -n' and 'iptables -t nat -L -n'; the MASQUERADE rule should show up in the POSTROUTING chain of the nat table. Then try your browser on some other machine in your network, with the linux box set as its default gateway, and the traffic should go out through the modem (if your network is otherwise properly configured). When you're done surfing just type 'hang' and the ppp link, the firewall and the gateway rules all go away.
If you want more insights into the iptables firewall scripting please check www.linuxdoc.org/HOWTO/HOWTO-INDEX/howtos.html.
Now as the last point we will edit the start script rc.local so that the iptables modules are loaded at startup. REMEMBER TO BACKUP rc.local BEFORE YOU EDIT IT!
pico /etc/rc.d/rc.local [ENTER]
... make a new line a bit down and add
modprobe iptable_nat
Save the file. This loads the needed iptables modules at start up (iptable_nat pulls in the ip_tables core; iptables loads the MASQUERADE target module itself when the rule is added). The rules are still put in place by 'dial' and removed by 'hang'; nothing is loaded into the filter tables until you dial.
Now, you should be set to share your surfin' - enjoy!
This HOWTO was written by Ake Svensson