
Explanation of rc.firewall
Initial loading of extra modules
First, we see to it that the module dependency files are up to date by issuing an /sbin/depmod -a command. After this we load some modules that we might be interested in. For example, if you want to have support for the REJECT and MASQUERADE targets and don't have this compiled statically into your kernel, we load these modules.
Next is the option to load the ipt_owner module, for example to only allow certain users to make certain connections etc. I will not use that in this example, but basically you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. Or you could disallow all users but your own user and root to connect from your box to the Internet; this might be boring for others, but you will be a bit more secure against bouncing hacker attacks etc.
After this there is the first part used by our state matching filters, the loading of ip_conntrack_ftp and ip_conntrack_irc. To do what I promised in the beginning of this tutorial, disallowing for example passive FTP but allowing DCC sends to work, we load only the ip_conntrack_irc module, but not the ip_conntrack_ftp module. For this to work, these two must not be compiled into the kernel. For the vice versa, where we want passive FTP to work, but not DCC send, we do it the other way around of course: load the ip_conntrack_ftp module, but not the ip_conntrack_irc module. These modules are add-ons to the kernel's state matching that give the state engine the ability to understand certain parts of the specific protocols and how to read the data part of their packets. Since both of these protocols are complex protocols, they need separate code (i.e., the modules) that knows how to figure out which connections are related to the actual main connection. Active FTP uses port 21 as a standard port. When the other end wants to open up a data transfer (i.e., download a file) it tells the other end that it wants this and that file. The FTP server then tells the client which port to connect to. Since all of this happens within the data part of the connection, the state engine would not know anything about this normally. However, the ip_conntrack_ftp module adds the possibility for the state engine to look inside the actual data part of the FTP sessions and figure out that "this port connection is related to this FTP session". DCC connections in IRC work the same way: the ports used for file transfers are negotiated within the actual IRC connection and hence it needs a kernel add-on to know how this works.
Chapter 5. rc.firewall file
Note that you also need to load ip_nat_irc and ip_nat_ftp if you want Network Address Translation to work properly on any of these protocols. They are used the same way as the conntrack modules, but they make it possible for the computer to do NAT on these two protocols. The main need for these two modules is that both protocols send IP addresses within the data part of the connection, which are used by the other end of the connection to know where to connect. For example, when you want to establish a DCC connection over IRC, the client sends a DCC request which contains both an IP address and a port to connect to. If the IRC client sits on a LAN and is NATed by a firewall, it will send the IP address it uses on the LAN. The LAN IP will not be recognised by the other host, or the packets being sent from the other end will just not be properly routed and hence the packets will be lost somewhere in between and the DCC request will time out. What the ip_nat_irc module does is to actually NAT these IP addresses and ports within the IRC packets, as needed.
Initiating the kernel for IP forwarding and others
After this we start the IP forwarding by echoing a 1 to /proc/sys/net/ipv4/ip_forward in this fashion:
echo "1" > /proc/sys/net/ipv4/ip_forward
In case you need dynamic IP support, for example if you use SLIP, PPP or DHCP, you may enable the next option, ip_dynaddr, by doing the following:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
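The module-loading and /proc steps above, put together as an added example that is not the tutorial's own rc.firewall: a helper that picks the conntrack and NAT modules for the passive-FTP-versus-DCC choice described above, a loader that tolerates modules compiled statically into the kernel, and a /proc writer that reads the value back instead of assuming the kernel accepted it. The function names and the policy names dcc, ftp and both are my own, and the /proc path is passed as a parameter so the writer can be tried against an ordinary file first.

```shell
#!/bin/sh
# Added example for the rc.firewall module/proc section (not the tutorial's code).

# Print the helper modules to load for a policy:
#   dcc  -> allow IRC DCC but not passive FTP (irc helpers only)
#   ftp  -> allow passive FTP but not DCC     (ftp helpers only)
#   both -> load both sets
# The ip_nat_* companion is added only when the second argument is "nat",
# i.e. when this box actually NATs the LAN clients.
helpers_for_policy() {
    policy=$1; nat=${2:-nonat}; mods=""
    case $policy in
        dcc)  protos="irc" ;;
        ftp)  protos="ftp" ;;
        both) protos="ftp irc" ;;
        *)    echo "unknown policy: $policy" >&2; return 1 ;;
    esac
    for p in $protos; do
        mods="$mods ip_conntrack_$p"
        if [ "$nat" = nat ]; then mods="$mods ip_nat_$p"; fi
    done
    echo $mods   # unquoted on purpose: collapses the leading space
}

# modprobe a module; if that fails, accept the case where the code is
# already in the running kernel (loaded or built in, visible under /sys/module),
# otherwise report it so the script does not continue with a half-working setup.
load_module() {
    m=$1
    /sbin/modprobe "$m" 2>/dev/null && return 0
    [ -d "/sys/module/$m" ] && return 0
    echo "cannot load $m and it is not in the kernel" >&2
    return 1
}

# Write a value to a /proc knob and read it back; a non-zero return means the
# kernel (or a read-only /proc) did not take the value.
set_proc_flag() {
    path=$1; value=$2
    echo "$value" > "$path" || return 1
    [ "$(cat "$path")" = "$value" ]
}

# How rc.firewall would use it (needs root, so left as a comment here):
# /sbin/depmod -a
# for m in $(helpers_for_policy dcc nat); do load_module "$m" || exit 1; done
# set_proc_flag /proc/sys/net/ipv4/ip_forward 1 || exit 1
# set_proc_flag /proc/sys/net/ipv4/ip_dynaddr 1 || exit 1
```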