From hax0r on Tue, 18 Jan 2000
I've done masquerading a couple of times thanks to the wealth of information on it, esp. with cable/dsl.
But now I'm in a situation where I actually have 30 or so IPs to work with so I don't need to masquerade, only that's all I know how to do. The Linux box is to act as a normal firewall/gateway for various Win boxen.
Do I simply have to add the correct routes for eth0 and eth1 and echo 1 > /proc/sys/net/ipv4/ip_forward?
the main command I have for masq now is
$IPCHAINS -A forward -s $INTERNALNET -d 0/0 -j MASQ
do I have to change MASQ to ACCEPT or delete this line altogether?
You can just delete the line.
Routing really is that simple. You configure your interfaces with their routes, you enable the kernel's routing flag through the sysctl() (/proc/sys/net/.../) and that's it.
Note that you will probably still want to use ipchains to implement some packet filtering rules. Those are there to protect yourself from script-kiddies who are scanning the 'net for vulnerable hosts. They have scripts that are trying known exploits to break into any systems they can find (generally by scanning IP address ranges).
Note that your router (Linux) is the only thing between your MS-Windows boxes and the Internet. Win '98 and NT are relatively safe from "takeover" exploits. They don't offer interactive login service by default, and their APIs don't readily support remote control. So the principal dangers to your MS Windows systems are in the following three categories:
- DoS: denial of service
- File Service Leakage
- Trojan Horses
MS Windows systems are typically not very robust. Historically they have been locked up, or rebooted when they receive gibberish network traffic on any port to which they are listening. It is lucky for Windows users that their OS ships "deaf" and doesn't listen for much.
The "file sharing" features in MS Windows are notoriously complex, insecure, and unstable. You should definitely stop all traffic between ports 137 through 139 and the Internet.
Packet filtering won't protect you from viruses and trojan horses. These you'll primarily get via e-mail attachments, and your best defense is to avoid executing programs and opening documents that are sent to you. (Unfortunately most Microsoft application products currently support various forms of executable macros and dynamic content embedded in their "data").
Personally I'd suggest that you actually continue to use IP masquerading as much as you can. It's somewhat safer in that the script kiddies can't establish direct connections to your internal systems.
At the same time you should protect your Linux router using a combination of packet filtering and hosts.deny (TCP_Wrappers) rules, and by disabling any services that you aren't actively using. Replace telnet with ssh, and FTP with scp or sslftp. Read the Security HOWTO (http://www.linuxdoc.org/HOWTO/Security-HOWTO.html) by Kevin Fenzi and Dave Wreski and the Linux Administrators Security Guide (http://metalab.unc.edu/lasg).
(Warning!: you'll need a PDF viewer for that last URL. I've heard that Kurt agreed to open this up to HTML conversion but I can't find a handy link to it at the moment.)
[ The HTML version is now available at http://www.securityportal.com/lasg/. To find this, I looked in the FAQ found at the URL Jim gave, found that the main site didn't work, and decided to try it with standard HTTP instead of HTTPS after all. The home page there is quite basic but led me to the correct place. Enjoy! -- Heather ]
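The routed setup from the answer above, as an added example that is not part of the original thread: a short ipchains script that replaces the MASQ rule with plain ACCEPT forwarding, blocks NetBIOS ports 137 through 139 in both directions between the LAN and the Internet, adds an anti-spoofing rule, and turns on ip_forward. The interface roles (eth0 Internet-facing, eth1 LAN) and the 192.0.2.0/27 block are assumptions; without the "apply" argument it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original thread: a routed (non-MASQ) gateway as
# the answer describes. Assumptions: eth0 faces the Internet, eth1 the LAN,
# and the routed block is the constructed RFC 5737 range 192.0.2.0/27.
# Without the "apply" argument it only prints the ipchains commands.
IPCHAINS=/sbin/ipchains
EXT=eth0                   # Internet-facing interface (assumption)
INT=eth1                   # LAN interface (assumption)
INTERNALNET=192.0.2.0/27   # constructed example block; use your real range

# run: print the rule in dry-run mode, otherwise hand it to ipchains
run() {
    if [ -n "$DRY_RUN" ]; then echo "$IPCHAINS $*"; else "$IPCHAINS" "$@"; fi
}

firewall_rules() {
    run -F input
    run -F forward
    run -P forward DENY   # route only what the ACCEPT rules below allow
    for proto in tcp udp; do
        # NetBIOS/SMB (137-139) arriving from the Internet, logged
        run -A input -i "$EXT" -p "$proto" -d 0/0 137:139 -j DENY -l
        run -A input -i "$EXT" -p "$proto" -s 0/0 137:139 -j DENY -l
        # ...and leaking out from the LAN toward the Internet
        run -A forward -i "$EXT" -p "$proto" -d 0/0 137:139 -j DENY -l
    done
    # Anti-spoofing: our own addresses must never arrive on the Internet side
    run -A input -i "$EXT" -s "$INTERNALNET" -j DENY -l
    # Plain routing: the old MASQ rule becomes ACCEPT, plus the return path
    run -A forward -i "$EXT" -s "$INTERNALNET" -d 0/0 -j ACCEPT
    run -A forward -i "$INT" -d "$INTERNALNET" -j ACCEPT
}

enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# Number of ipchains commands the rule set issues (quick sanity check)
rule_count() { ( DRY_RUN=1; firewall_rules ) | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then firewall_rules && enable_forwarding
else DRY_RUN=1; firewall_rules; enable_forwarding; fi
```

Review the printed rules first, then run it as root with "apply"; the forward chain's -i names the outgoing interface in ipchains, which is why the LAN-bound return rule uses eth1.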
From Justin Azoff on Tue, 18 Jan 2000
Thanks for all the info on routing etc., no wonder I couldn't find any info on it, it's too simple.
Unfortunately the DSL provider that finally came through only gave us one IP so I'm back to masquerading.