IP Masquerading question...
Hi all...

Can someone give a "Simple" howto for IP Masquerading? The howto on SuSE has so much in it that it's not understandable. I mean that it's nice to know how it was done with 1.0.0 kernels, but that doesn't help me now. Also all the theory is good to know, but right now I need to get up and running.

My setup is my system "Opus" is connected to the 'net by a 56k modem. My wife's system "CW" is connected to Opus by a home net. Opus is running a standard install (with X) of SuSE 8.1 and CW is running a standard (no X) install of SuSE 7.2. Can someone give a simple 1-2-3 example of getting CW on to the 'net. Also is it needed for Opus to run a firewall? I've never needed one, but what I've read looks like I will need to start one for masquerading.

Thanks
JIM

--
Jim Hatridge
Linux User #88484
BayerWulf Linux System # 129656
The Recycled Beowulf Project
Looking for throw-away or obsolete computers and parts to recycle into a Linux super computer
On Saturday 23 November 2002 8:25 am, James Hatridge wrote:

> My setup is my system "Opus" is connected to the 'net by a 56k modem. My wife's system "CW" is connected to Opus by a home net. Opus is running a standard install (with X) of SuSE 8.1 and CW is running a standard (no X) install of SuSE 7.2. Can someone give a simple 1-2-3 example of getting CW on to the 'net. Also is it needed for Opus to run a firewall? I've never needed one, but what I've read looks like I will need to start one for masquerading.

Never needed a firewall?? That's like saying you don't need locks on the doors of your house because you've never been robbed... Until you are robbed...

By the way, if you end up running SuSEfirewall2, make sure you get the updates. It is broken as it comes out of the box on 8.1, at least in my opinion.

I'll send you my SuSEfirewall2 config off-list.

--
Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI  11/23/02 13:03
"He that is proud eats up himself; pride is his own glass, his own trumpet, his own chronicle." - William Shakespeare
Hi Bruce et al...

On Saturday 23 November 2002 19:05, Bruce Marshall wrote:

> On Saturday 23 November 2002 8:25 am, James Hatridge wrote:
>
>> My setup is my system "Opus" is connected to the 'net by a 56k modem. My wife's system "CW" is connected to Opus by a home net. Opus is running a standard install (with X) of SuSE 8.1 and CW is running a standard (no X) install of SuSE 7.2. Can someone give a simple 1-2-3 example of getting CW on to the 'net. Also is it needed for Opus to run a firewall? I've never needed one, but what I've read looks like I will need to start one for masquerading.
>
> Never needed a firewall?? That's like saying you don't need locks on the doors of your house because you've never been robbed... Until you are robbed...

Well, I've used Linux only to connect to the 'net since October '98 and I've never had a problem. Of course I'm only on the 'net about 30 minutes per day. What could happen in that short time? (This is an honest question, do tell me if anything could happen.)

> By the way, if you end up running SuSEfirewall2, make sure you get the updates. It is broken as it comes out of the box on 8.1, at least in my opinion.
>
> I'll send you my SuSEfirewall2 config off-list.

Please do that for me.

Thanks
JIM

--
Jim Hatridge
Linux User #88484
BayerWulf Linux System # 129656
The Recycled Beowulf Project
Looking for throw-away or obsolete computers and parts to recycle into a Linux super computer
On Saturday 23 November 2002 19:05, Bruce Marshall wrote:

> Never needed a firewall?? That's like saying you don't need locks on the doors of your house because you've never been robbed... Until you are robbed...

* James Hatridge;

> Well, I've used Linux only to connect to the 'net since October '98 and I've never had a problem. Of course I'm only on the 'net about 30 minutes per day. What could happen in that short time? (This is an honest question, do tell me if anything could happen.)

Well, I'll try to be as brief as possible. SuSEfirewall2 is not a firewall; it is a packet filter which basically allows some packets to pass through based on your definitions. When you define your allowed services, i.e. FW_SERVICES_TCP_EXT="www", you are allowing access to your www service running on your firewall.

Things start to get complicated when you have an FTP server which you are allowing other people from the net to connect to and download from. Because ftp does not only involve port 21, there are also the other ports involved, which are randomly calculated, so it is difficult to configure the packet filter. If you are using other services like the H323 protocol, which have the connection ports dynamically assigned, configuring the packet filter gets more complicated. (Netmeeting is a good example for the H323 protocol.) Now you can have some kernel modules to help the configuration to work efficiently, like the ftp connection tracking module for iptables.

Now packet filtering is basically like a safety chain on the door of your house: with that on you have a little opening where you would like to check the person before you have the door wide open. The question is how safe are you with the safety chain; does that give 100% protection? IMO it is not 100% safety, yet it is better than 0%. To have better protection you need to have packet filtering along with proxy services, so you can have filtering not only at the IP layer but at the application layer as well. It also depends how you segmented your network; if you are using switches then you can have more filtering at Layer 2 level also.

So overall a firewall is not a set-and-go thing; it evolves as your needs change. It is multilayered, aiming to have the optimum protection at different OSI layers. It could be set on one machine, or different layers can be at different machines. So should you have a firewall? I do not know, but I would recommend a packet filter. Hope the above does answer some of your questions.

To learn more I would highly recommend "Building Internet Firewalls" from O'Reilly if you are interested in learning more about firewalls.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Saturday 23 November 2002 13:56 pm, James Hatridge wrote:

> Well, I've used Linux only to connect to the 'net since October '98 and I've never had a problem. Of course I'm only on the 'net about 30 minutes per day. What could happen in that short time? (This is an honest question, do tell me if anything could happen.)

Somewhere on this list (or another) within the past week I read that one person's experience was that 'someone would attempt knocking on his (computer) door' within 15 mins of going on line, on a regular basis. I don't watch the logs that closely anymore, but the last time I did, someone was trying to get into my machine about 9 times a day on average.

There are a lot of 'exploits' out on the net where a script-kiddie can download something that can break into your computer within seconds if your door is wide open and you're running the software for which the exploit was written.

In any case... it *is* possible to have your machine wiped within any 30 minute period you might be online... (or whatever other trick they want to pull)

--
Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI  11/23/02 16:22
"Never say anything more predictive than "Watch this!"
On Sat, 23 Nov 2002 16:25:52 -0500, Bruce Marshall wrote:

> On Saturday 23 November 2002 13:56 pm, James Hatridge wrote:
>
>> Well, I've used Linux only to connect to the 'net since October '98 and I've never had a problem. Of course I'm only on the 'net about 30 minutes per day. What could happen in that short time? (This is an honest question, do tell me if anything could happen.)
>
> Somewhere on this list (or another) within the past week I read that one person's experience was that 'someone would attempt knocking on his (computer) door' within 15 mins of going on line, on a regular basis. I

Yeah, most people will get regularly scanned when they are on the net. I'll bet the government does a lot of that. I run stealth mode, and only log critical drops, and I see some unknown IP address is trying to access oddball ports on my machine occasionally.

> In any case... it *is* possible to have your machine wiped within any 30 minute period you might be online... (or whatever other trick they want to pull)

I wonder if that is true. Theoretically, if you have your services shut down, you are not running online as root, and your pppd daemon doesn't have a security flaw, it would be hard for someone on the net to get into your machine. But most people have their printer service going, and most newbies have almost every default service turned on. This definitely opens you up to Denial of Service attacks. All you need to do is visit a website which grabs your referer URL, and they can start an automatic port scan on you, or hack away at your mail port to see if they can get an open relay, or they will see if they can hack your ssh server. At the very least, this steals your bandwidth, and can seem to lock up your machine.

Of course a firewall is the best method of protection. I just wonder how dangerous it is to be online without a firewall, with all the latest security patches, and running as a normal user. It might be a nice research project to do this on a number of test machines, and capture everything with something like Ethereal, then do an analysis. Of course, I'm not going to volunteer to do this with my machine. :-)

--
use Perl; #powerful programmable prestidigitation
On Saturday 23 November 2002 20:28 pm, zentara wrote:

> On Sat, 23 Nov 2002 16:25:52 -0500, Bruce Marshall wrote:
>
>> On Saturday 23 November 2002 13:56 pm, James Hatridge wrote:
>>
>>> Well, I've used Linux only to connect to the 'net since October '98 and I've never had a problem. Of course I'm only on the 'net about 30 minutes per day. What could happen in that short time? (This is an honest question, do tell me if anything could happen.)
>>
>> Somewhere on this list (or another) within the past week I read that one person's experience was that 'someone would attempt knocking on his (computer) door' within 15 mins of going on line, on a regular basis. I
>
> Yeah, most people will get regularly scanned when they are on the net. I'll bet the government does a lot of that. I run stealth mode, and only log critical drops, and I see some unknown IP address is trying to access oddball ports on my machine occasionally.
>
>> In any case... it *is* possible to have your machine wiped within any 30 minute period you might be online... (or whatever other trick they want to pull)
>
> I wonder if that is true. Theoretically, if you have your services shut down, you are not running online as root, and your pppd daemon doesn't have a security flaw, it would be hard for someone on the net to get into your machine. But most people have their printer service going, and most newbies have almost every default service turned on. This definitely opens you up to Denial of Service attacks. All you need to do is visit a website which grabs your referer URL, and they can start an automatic port scan on you, or hack away at your mail port to see if they can get an open relay, or they will see if they can hack your ssh server. At the very least, this steals your bandwidth, and can seem to lock up your machine.

Speaking of ssh server... I've never heard anyone else mention placing the ssh port on some high port where it won't be found. I do this routinely and watch happily when someone is beating on port 22. Seems like it should be a normal operation. Not too many people would be opening ssh access to the world.

> Of course a firewall is the best method of protection. I just wonder how dangerous it is to be online without a firewall, with all the latest security patches, and running as a normal user. It might be a nice research project to do this on a number of test machines, and capture everything with something like Ethereal, then do an analysis. Of course, I'm not going to volunteer to do this with my machine. :-)

--
Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI  11/23/02 21:02
"Give a man a fish and he will eat for a day. Teach him how to fish, and he will sit in a boat and drink beer all day."
* James Hatridge;

> My setup is my system "Opus" is connected to the 'net by a 56k modem. My wife's system "CW" is connected to Opus by a home net. Opus is running a standard install (with X) of SuSE 8.1 and CW is running a standard (no X) install of SuSE 7.2. Can someone give a simple 1-2-3 example of getting CW on to the 'net. Also is it needed for Opus to run a firewall? I've never needed one, but what I've read looks like I will need to start one for masquerading.

If you only need to masquerade and no screening (packet filtering):

    iptables -A POSTROUTING -t nat -j MASQUERADE -o ppp0
    echo 1 > /proc/sys/net/ipv4/ip_forward

Now to add a little bit of security add these also:

    iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ppp0
    iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ppp0

On the other hand, configuring SuSEfirewall2 is easier than you think, and forget about posts like "use shorewall" or whatever. If you can read then you can set up SuSEfirewall2 as fast as you can read and understand :-)

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
I have an iptables script with iptables -A POSTROUTING -t nat -j MASQUERADE -o eth0. When I issue the "iptables -L" command I do not have information related to the POSTROUTING chain. Only INPUT, FORWARD and OUTPUT chains. Is it OK? POSTROUTING chain is not reported?

Little t

On Mon, 2002-11-25 at 06:01, Dan Am wrote:

> On Monday, 25 November 2002 14:19, Flavio Arthur Leal Ferreira wrote:
>
>> When I issue the "iptables -L" command I do not have information related to the POSTROUTING chain.
>
> iptables -t nat -L
>
> hth dan
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
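Togan's four commands, his earlier remark about the ftp connection-tracking module, and Dan's point that the nat table only shows up under `iptables -t nat -L`, put together as one script. This is an added example of mine, not code from the thread, from SuSE or from SuSEfirewall2. It assumes ppp0 is the modem link, eth0 the home-net card, 192.168.1.0/24 the home net, and "FW-DROP: " as the log prefix; the module names ip_conntrack_ftp and ip_nat_ftp are the 2.4-kernel (SuSE 8.1 era) names, called nf_conntrack_ftp and nf_nat_ftp on current kernels. Run with no argument it only prints the iptables commands; as root with `apply` it installs them.

```shell
#!/bin/sh
# Added example (not from the thread): minimal masquerading gateway for
# "Opus". Interface names, the home-net range and the log prefix are
# assumptions; change them to match the machine.

EXT_IF="${EXT_IF:-ppp0}"             # assumed: the 56k modem link
INT_IF="${INT_IF:-eth0}"             # assumed: the home-net card
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed: private range on the home net
IPT="${IPT:-iptables}"               # set to "echo iptables" for a dry run

# The rule set. With IPT="echo iptables" this prints one command per line
# instead of installing anything, so it can be read and diffed first.
build_rules() {
    # Clean slate in both the filter and the nat table.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    # Default deny for what reaches Opus and what it forwards; Opus's own
    # outbound traffic is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Local processes may talk to each other.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections Opus or CW started come back in. RELATED is
    # what lets the ftp data channel through once ip_conntrack_ftp is
    # loaded, without opening the random high ports Togan describes.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The home net may reach Opus and be forwarded out to the modem.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    # New or malformed connections arriving from the modem: log a few
    # (rate-limited, so a scan cannot fill the disk) and drop them all.
    $IPT -A INPUT -i "$EXT_IF" -m state --state NEW,INVALID \
         -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -i "$EXT_IF" -m state --state NEW,INVALID -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -m state --state NEW,INVALID -j DROP
    # Rewrite the source of everything leaving via the modem to ppp0's
    # address. MASQUERADE rather than SNAT because a dial-up address changes
    # on every connect.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Kernel side: the ftp helper modules and IP forwarding. Must run as root.
enable_kernel_bits() {
    modprobe ip_conntrack_ftp 2>/dev/null || true
    modprobe ip_nat_ftp 2>/dev/null || true
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Plain "iptables -L" only lists the filter table; the POSTROUTING chain
# lives in the nat table and has to be asked for by name.
show_rules() {
    $IPT -L -n -v
    $IPT -t nat -L POSTROUTING -n -v
}

case "${1:-dryrun}" in
    apply)  enable_kernel_bits; build_rules; show_rules ;;
    dryrun) IPT="echo iptables"; build_rules ;;
    *)      echo "usage: $0 [apply|dryrun]" >&2; exit 2 ;;
esac
```

For the CW side of the "1-2-3", nothing more than a default route pointing at Opus's home-net address and a nameserver entry is needed; with the assumed addressing that is `route add default gw 192.168.1.1` on CW and the ISP's nameserver in CW's /etc/resolv.conf. Check the counters in `iptables -t nat -L POSTROUTING -n -v` after CW has opened a connection: if the MASQUERADE line's packet count stays at zero, forwarding or CW's route is wrong, not the NAT rule.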
The link eludes me at the moment, but just do a search on it over at http://www.tldp.org

On Sat, 2002-11-23 at 05:25, James Hatridge wrote:

> Hi all...
>
> Can someone give a "Simple" howto for IP Masquerading? The howto on SuSE has so much in it that it's not understandable. I mean that it's nice to know how it was done with 1.0.0 kernels, but that doesn't help me now. Also all the theory is good to know, but right now I need to get up and running.
>
> My setup is my system "Opus" is connected to the 'net by a 56k modem. My wife's system "CW" is connected to Opus by a home net. Opus is running a standard install (with X) of SuSE 8.1 and CW is running a standard (no X) install of SuSE 7.2. Can someone give a simple 1-2-3 example of getting CW on to the 'net. Also is it needed for Opus to run a firewall? I've never needed one, but what I've read looks like I will need to start one for masquerading.
>
> Thanks
> JIM
Take a look at www.linuxgurz.net, look under iptables... about 2 dozen sample scripts and setups.

On Sun, 2002-11-24 at 19:08, Rob Benton wrote:

> The link eludes me at the moment but just do a search on it over at http://www.tldp.org

--
kathee
On Sunday 24 November 2002 23.09, kathee wrote:

> www.linuxgurz.net

Dead URL... What is the real one?

--
/Rikard
Rikard Johnels  email : rjhn@linux.nu  Web : http://www.rikjoh.com  Mob : +46 70 464 99 39
Public PGP fingerprint
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
two glasses of wine -- sorry -- it is: www.linuxguruz.org

embarrassed,
Kat

On Sun, 2002-11-24 at 17:14, Rikard Johnels wrote:

> On Sunday 24 November 2002 23.09, kathee wrote:
>
>> www.linuxgurz.net
>
> Dead URL... What is the real one?

--
kathee
participants (9)
- Bruce Marshall
- Dan Am
- Flavio Arthur Leal Ferreira
- James Hatridge
- kathee
- Rikard Johnels
- Rob Benton
- Togan Muftuoglu
- zentara