Connlimit Patch + Smoothwall
Mar 3rd, 2010 by Evan

community.smoothwall.org • View topic – How do I patch the kernel in Smoothwall Express Degu III?

First, I svn’d the tree for expresscore (I had to find/install an SVN client first):

cd /usr/src
svn co https://smoothwall.svn.sourceforge.net/svnroot/smoothwall/trunk expresscore

Next I “predownloaded” all of the sources:

cd /usr/src/expresscore/distrib/build
make predownload

Blocking Torrents and Connection Limiting
Mar 2nd, 2010 by Evan

Here are the sample lines for connection limiting, where br0 is the internal LAN:

# only allow 25 connections per host total, only 5
# of which can be above port 1024
#
# -I inserts at the top of FORWARD, so the rule listed last here
# ends up being evaluated first

/usr/sbin/iptables -I FORWARD -i br0 -p tcp --syn --dport 1: -m connlimit --connlimit-above 25 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p tcp --syn --dport 1024: -m connlimit --connlimit-above 5 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p udp --dport 1: -m connlimit --connlimit-above 25 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p udp --dport 1024: -m connlimit --connlimit-above 5 -j REJECT

OR

# cap a single host at 10 TCP connections
/usr/sbin/iptables -A FORWARD -s 192.168.1.2 -p tcp -m connlimit --connlimit-above 10 -j DROP
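As an added example (not code from the original post), the same per-host limits as a parameterised function that keeps the rules in their own chain, logs a rate-limited hit before rejecting so the limit is visible in the firewall log, and uses -A so the evaluation order is explicit rather than depending on the reversed order that -I produces. It assumes iptables is at /usr/sbin/iptables, that br0 is the LAN interface, and that setting IPT=echo prints the commands instead of applying them; the chain name CONNLIMIT and the log prefixes are my own.

```shell
#!/bin/sh
# Added example (not from the original post): per-host connection limits in a
# dedicated chain, with a logged hit before the REJECT.
# Assumptions: iptables lives at /usr/sbin/iptables and br0 is the LAN
# interface; IPT=echo prints the commands instead of applying them.
IPT="${IPT:-/usr/sbin/iptables}"

# usage: connlimit_rules <lan_if> <total_per_host> <high_port_per_host>
connlimit_rules() {
    lan_if=$1; total=$2; high=$3

    # create the chain, or flush it if it already exists
    "$IPT" -N CONNLIMIT 2>/dev/null || "$IPT" -F CONNLIMIT

    for proto in tcp udp; do
        # for TCP only count new connection attempts (SYN); UDP has no handshake
        syn=""
        if [ "$proto" = tcp ]; then syn="--syn"; fi

        # rules are appended (-A), so the stricter high-port check is listed
        # and evaluated first; the post uses -I, where the LAST inserted rule
        # ends up FIRST. --connlimit-mask 32 counts per source host.
        "$IPT" -A CONNLIMIT -p "$proto" $syn --dport 1024: \
            -m connlimit --connlimit-above "$high" --connlimit-mask 32 \
            -m limit --limit 5/min -j LOG --log-prefix "CONNLIMIT high: "
        "$IPT" -A CONNLIMIT -p "$proto" $syn --dport 1024: \
            -m connlimit --connlimit-above "$high" --connlimit-mask 32 -j REJECT

        "$IPT" -A CONNLIMIT -p "$proto" $syn --dport 1: \
            -m connlimit --connlimit-above "$total" --connlimit-mask 32 \
            -m limit --limit 5/min -j LOG --log-prefix "CONNLIMIT total: "
        "$IPT" -A CONNLIMIT -p "$proto" $syn --dport 1: \
            -m connlimit --connlimit-above "$total" --connlimit-mask 32 -j REJECT
    done

    # hook the chain into FORWARD for LAN traffic: delete any old jump first
    # so that re-running the function does not stack duplicate jumps
    "$IPT" -D FORWARD -i "$lan_if" -j CONNLIMIT 2>/dev/null || true
    "$IPT" -I FORWARD -i "$lan_if" -j CONNLIMIT
}

# apply the limits from the post (25 total, 5 above port 1024) when run as
# "sh connlimit.sh apply"; IPT=echo sh connlimit.sh apply prints them instead
if [ "${1:-}" = apply ]; then connlimit_rules br0 25 5; fi
```

The LOG rule is rate-limited with -m limit so a host that is already over its limit cannot flood the log; the REJECT that follows it is what actually enforces the limit.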


Upgrading Iptables to 1.4 on Debian Etch
Feb 3rd, 2010 by Evan

I required the module connlimit to limit the number of connections on one of our Debian firewall boxes. First download the iptables-1.4.2.tar.bz2 version from Netfilter.

Unpack the tarball

tar -xjvf iptables-1.4.2.tar.bz2

Change directory

cd iptables-1.4.2

configure iptables

./configure --prefix=/

If you just use ./configure, then everything will be installed to /usr/local.

make and install iptables

make install

After that you can check your new iptables version:

iptables -V

The only problem I encountered is apps which need iptables as a dependency, because aptitude will try and install the old version of iptables again as a dependency. Either you install those apps from source as well, or you install two versions of iptables, one under /usr/local and one under /sbin, which can be confusing.

via Gentoo Blog » Upgrading Iptables to 1.4 on Debian Etch.

Gentoo Blog » iptables
Jan 7th, 2010 by Evan

Upgrading Iptables to 1.4 on Debian Etch

Simon | January 28, 2009

I required the module connlimit to limit the number of connections on one of our Debian firewall boxes. After a while of trial and error I found out that the iptables version shipped with Debian (1.3.6) doesn’t support the new module format used in 2.6.23+ kernels. So I looked for a backported version of iptables, which I did not find :( So I thought I would try and install iptables from source. First download the latest iptables version from Netfilter.

Unpack the tarball

tar -xjvf iptables-1.4.2.tar.bz2

Change directory

cd iptables-1.4.2

configure iptables

./configure --prefix=/usr libdir=/lib bindir=/sbin mandir=/usr/share/man

If you just use ./configure, then everything will be installed to /usr/local.

make and install iptables

make prefix=/usr libdir=/lib bindir=/sbin mandir=/usr/share/man install

I don’t know why, but a few binaries landed in /usr/sbin instead of /sbin, so I copied them to the desired location.

After that you can check your new iptables version:

iptables -V

The only problem I encountered is apps which need iptables as a dependency, because aptitude will try and install the old version of iptables again as a dependency. Either you install those apps from source as well, or you install two versions of iptables, one under /usr/local and one under /sbin, which can be confusing.

via Gentoo Blog » iptables.

Linux Kernel 2.6.24 with iptables 1.4.0, ipp2p-0.8.2 and L7-filter 2.17
Jul 29th, 2009 by Evan

Source: “Linux Kernel 2.6.24 with iptables 1.4.0, ipp2p-0.8.2 and L7-filter 2.17”.

The process described below works for kernel 2.6.24 and has been tested on Debian Etch 4.0.

Please note that the ipp2p project is no longer supported. (Added 25/11/2009)


Iptables and Cisco
Jun 27th, 2009 by Evan

Some basic rules to allow Cisco VPN clients through firewalls:

# ESP (IP protocol 50) from the inside network to the VPN gateway
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p 50 \
-s $INSIDE_NET -d $VPN_GW -j ACCEPT

# IKE / ISAKMP
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p udp \
-s $INSIDE_NET -d $VPN_GW --dport 500 -j ACCEPT

# NAT traversal (IPsec over UDP 4500)
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p udp \
-s $INSIDE_NET -d $VPN_GW --dport 4500 -j ACCEPT

# Cisco IPsec over UDP (default port 10000)
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p udp \
-s $INSIDE_NET -d $VPN_GW --dport 10000 -j ACCEPT

# Cisco IPsec over TCP (default port 10000); --syn so only the
# connection attempt is matched, established traffic follows state rules
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -p tcp --syn \
-s $INSIDE_NET -d $VPN_GW --dport 10000 -j ACCEPT

Traffic Shaping on Linux Gateway with tc , iptables and ipp2p
May 26th, 2009 by Evan

Original Article here

modprobe ipt_ipp2p

tc qdisc del dev eth1 root                                    # eth1 = internal interface
tc qdisc add dev eth1 root handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 900kbit  # max dl 900 kbits

tc class add dev eth1 parent 1:1 classid 1:11 htb rate 300kbit ceil 750kbit prio 2  # p2p dl 300-750 kbits
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 300kbit ceil 750kbit prio 1  # www dl 300-750 kbits
tc class add dev eth1 parent 1:1 classid 1:13 htb rate 100kbit ceil 150kbit prio 0  # ssh dl 100-150 kbits

tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 12: sfq perturb 10
tc qdisc add dev eth1 parent 1:13 handle 13: sfq perturb 10

tc filter add dev eth1 parent 1:0 prio 2 protocol ip handle 11 fw flowid 1:11  # handle matches --set-mark
tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 12 fw flowid 1:12  # flowid matches classid
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 13 fw flowid 1:13

iptables -A PREROUTING -t mangle -p tcp -j CONNMARK --restore-mark          # copy the connection's mark onto the packet
iptables -A PREROUTING -t mangle -p tcp -m mark ! --mark 0 -j ACCEPT         # already classified: skip inspection
iptables -A PREROUTING -t mangle -p tcp -m ipp2p --ipp2p -j MARK --set-mark 11  # match and mark p2p
iptables -A PREROUTING -t mangle -p tcp -m mark --mark 11 -j CONNMARK --save-mark  # persist the p2p mark (11) on the connection

iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 12  # mark http
iptables -A PREROUTING -t mangle -p tcp --sport 22 -j MARK --set-mark 13  # mark ssh
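The shaping above depends on three numbers agreeing: the iptables mark, the tc fw filter handle, and the HTB classid. As an added example (not the original article's script), the following generates both the tc setup and the CONNMARK classification from one table so they cannot drift apart, and generalises the restore/accept/classify/save pattern to all three classes rather than only the p2p one. It assumes eth1 is the LAN-facing interface, that the ipp2p match is loaded, and that TC and IPT can be set to "echo" for a dry run; the table contents and the "default 12" choice are mine.

```shell
#!/bin/sh
# Added example (not the original article's script): HTB classes and the
# CONNMARK classification generated from one table, so the tc fw handle,
# the HTB classid and the iptables mark always agree.
# Assumptions: eth1 is the LAN-facing interface, the ipp2p match is loaded,
# and TC/IPT may be set to "echo" for a dry run.
TC="${TC:-/sbin/tc}"
IPT="${IPT:-/usr/sbin/iptables}"
DEV="${DEV:-eth1}"

# mark  rate    ceil    class-prio  iptables match for the first packet
CLASSES='
11 300kbit 750kbit 2 -p tcp -m ipp2p --ipp2p
12 300kbit 750kbit 1 -p tcp --sport 80
13 100kbit 150kbit 0 -p tcp --sport 22
'

shape_tc() {
    "$TC" qdisc del dev "$DEV" root 2>/dev/null || true
    # default 12: traffic no filter claims is shaped as www, not left unshaped
    "$TC" qdisc add dev "$DEV" root handle 1: htb default 12
    "$TC" class add dev "$DEV" parent 1: classid 1:1 htb rate 900kbit
    echo "$CLASSES" | while read -r mark rate ceil prio match; do
        [ -n "$mark" ] || continue
        "$TC" class add dev "$DEV" parent 1:1 classid "1:$mark" \
            htb rate "$rate" ceil "$ceil" prio "$prio"
        "$TC" qdisc add dev "$DEV" parent "1:$mark" handle "$mark:" sfq perturb 10
        # fw classifier: packets carrying nfmark $mark go to class 1:$mark
        "$TC" filter add dev "$DEV" parent 1:0 prio 1 protocol ip \
            handle "$mark" fw flowid "1:$mark"
    done
}

shape_mangle() {
    # 1. copy the mark stored on the connection back onto this packet
    "$IPT" -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. already classified: skip the (expensive) ipp2p inspection
    "$IPT" -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. classify unmarked packets
    echo "$CLASSES" | while read -r mark rate ceil prio match; do
        [ -n "$mark" ] || continue
        "$IPT" -t mangle -A PREROUTING $match -j MARK --set-mark "$mark"
    done
    # 4. persist whatever mark step 3 set, so later packets of the flow
    #    hit step 2 (a save rule that matches a mark never set saves nothing)
    "$IPT" -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

# "sh shape.sh apply" configures the box; TC=echo IPT=echo sh shape.sh apply
# prints the commands instead
if [ "${1:-}" = apply ]; then shape_tc; shape_mangle; fi
```

Because the save step matches "! --mark 0", adding a fourth class is a single new table row: the class, its sfq qdisc, its fw filter and its mangle rule all follow from the mark number.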

Links

iptables Tutorial

http://ipp2p.org/documents/README

http://lartc.org/howto/lartc.qdisc.filters.html

HTB Linux queuing discipline manual – user guide

http://lartc.org/howto/lartc.cookbook.fullnat.intro.html

Iptables Tricks and Tweaks
Dec 22nd, 2008 by Evan

This is a general listing of some tweaks to iptables. It may also require extra kernel modules to be loaded.

#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0


Various Iptables Tricks
Aug 15th, 2008 by Evan

> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> iptables -t nat -P PREROUTING DROP
> # Box 1
> iptables -t nat -A PREROUTING -m mac --mac-source 00:50:da:e3:f3:45 -j ACCEPT
> # Box 2
> iptables -t nat -A PREROUTING -m mac --mac-source 00:d0:b7:18:0f:f5 -j ACCEPT
>
> Now this works as expected, all packets from the two MAC addresses above are
> masq’ed and routed, anything from any other MAC address is DROP’ed.

mmh… but it is a bit unclean to drop packets in the nat table. You want
to filter packets, so use the filter table. Why? Because it is
- unclean
- only the first packet of each connection hits the nat table.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -t filter -N restr
iptables -t filter -A restr -p tcp --dport 25 -j DROP

iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:50:da:e3:f3:45 -j ACCEPT
iptables -t filter -A FORWARD -m mac --mac-source 00:d0:b7:18:0f:f5 -j restr
