
This page displays some of the networking that I have done using GNU/Linux and NetBSD.


DHCP Server – This is my configuration file for my Linux LAN DHCP server.

/etc/dhcpd.conf


authoritative;

allow unknown-clients;

subnet 192.168.1.0 netmask 255.255.255.0 {
	range 192.168.1.2 192.168.1.32;
	default-lease-time 43200;
	option subnet-mask 255.255.255.0;
	option domain-name-servers 8.8.8.8;
	option routers 192.168.1.1;
}

DHCP Client – Add these two lines to the rc.conf file on NetBSD for DHCP client support on the ppp0 network interface.

/etc/rc.conf

...


dhclient=YES
dhclient_flags="ppp0"


SAMBA - This is my configuration file for my domain master Linux SAMBA server.

/etc/samba/smb.conf

[global]
        netbios name = LINUX
        workgroup = COANLAN
        server string = Linux
        security = share
        # NOTE: "security = share" was removed in Samba 4.0; newer releases need
        # "security = user" together with "map to guest = Bad User" for the same effect
        domain master = yes
        preferred master = yes

[pub]
        comment = Public Share
        path = /usr/pub
        public = yes
        writable = yes


Linux Firewall – This is my Linux iptables firewall script. It blocks all incoming connections and only allows outbound connections for a few client protocols. The network interface eth1 is connected to the Internet and the network interface eth0 is connected to the LAN.

/usr/local/sbin/firewall.sh

#!/bin/sh
#
# Firewall and NAT Script
#
# Author : Matthew W. Coan
# Date   : Wed Mar 30 12:59:52 EST 2005
#
# default policies: drop everything that is not explicitly allowed below
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# flush any rules left over from a previous run
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

# set up IP forwarding, masquerading and NAT

# FTP 
#iptables -A FORWARD -p tcp -i eth0 -o eth1 -j ACCEPT

# winmx
#iptables -A FORWARD -p tcp -i eth0 -o eth1 --source 192.168.1.32 -j ACCEPT
#iptables -A FORWARD -p udp -i eth0 -o eth1 --source 192.168.1.32 -j ACCEPT

# AOL IM
iptables -A FORWARD -p tcp -m multiport -i eth0 -o eth1 --destination-port 5190 -j ACCEPT

# forward DHCP and BOOTP
iptables -A FORWARD -p udp -m multiport -i eth0 -o eth1 --destination-port 67 -j ACCEPT
iptables -A FORWARD -p udp -m multiport -i eth0 -o eth1 --destination-port 68 -j ACCEPT

# forward HTTP
iptables -A FORWARD -p tcp -m multiport -i eth0 -o eth1 --destination-port 80 -j ACCEPT

# forward HTTPS 
iptables -A FORWARD -p tcp -m multiport -i eth0 -o eth1 --destination-port 443 -j ACCEPT

# forward SSH
iptables -A FORWARD -p tcp -m multiport -i eth0 -o eth1 --destination-port 22 -j ACCEPT

# forward all established and related packets to eth0 from eth1
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# winmx
#iptables -t nat -A PREROUTING -p tcp -i eth1 -m multiport --destination-port 6699 -j DNAT --to-destination 192.168.1.32
#iptables -t nat -A PREROUTING -p udp -i eth1 -m multiport --destination-port 6257 -j DNAT --to-destination 192.168.1.32
#iptables -A FORWARD -p tcp -i eth1 -o eth0 -m multiport --destination-port 6699 -j ACCEPT
#iptables -A FORWARD -p udp -i eth1 -o eth0 -m multiport --destination-port 6257 -j ACCEPT

# allow established and related input on eth1
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# winmx
#iptables -A INPUT -p tcp -i eth1 -m multiport --destination-port 6699 -j ACCEPT
#iptables -A INPUT -p udp -i eth1 -m multiport --destination-port 6257 -j ACCEPT

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# allow I/O on interfaces eth0 and lo
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

# MASQUERADE
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

# FTP (note: this rule accepts all outbound TCP on eth1, not only FTP, so the
# port-specific TCP rules below are already covered by it)
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p tcp -j ACCEPT

# BOOTP DHCP
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p udp --destination-port 67:68 -j ACCEPT

# allow DNS 
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p udp --destination-port 53 -j ACCEPT

# allow HTTP
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -p tcp --destination-port 80 -j ACCEPT

# allow HTTPS
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p tcp --destination-port 443 -j ACCEPT

# allow SSH 
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p tcp --destination-port 22 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -p tcp --destination-port 22 -j ACCEPT

# block spoofing: drop Internet-side packets that claim a LAN or loopback source.
# Inserted at the head of INPUT so they are checked before the state rule above.
iptables -I INPUT 1 -i eth1 -s 192.168.1.0/24 -d 0/0 -j DROP
iptables -I INPUT 1 -i eth1 -s 127.0.0.0/8 -d 0/0 -j DROP
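A chain in the script above is evaluated top to bottom: the first matching rule decides, and a packet that matches nothing gets the chain policy. The following Python is an added example and not part of firewall.sh: a small evaluator for the subset of iptables syntax the script uses, run against a constructed sample in the same shape as the script (the sample keeps an anti-spoof rule written with a /32 prefix and appended after the state rule, to show why prefix length and rule order matter). Connection tracking is not modelled; each sample packet carries the state iptables would have assigned to it, and the sample addresses are constructed.

```python
# Added example, not part of firewall.sh: a first-match evaluator for the
# subset of iptables syntax the script uses (filter table only; nat-table
# commands and "-m" module names are skipped). Conntrack is not modelled:
# each sample packet carries the state iptables would have assigned to it.
import ipaddress
import shlex

# Constructed sample in the shape of the script above. The anti-spoof rule
# is deliberately written with /32 and appended after the state rule.
SAMPLE_SCRIPT = """
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A FORWARD -p tcp -i eth0 -o eth1 --destination-port 22 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 0/0 -d 0/0 -p tcp -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/32 -d 0/0 -j DROP
"""

# Only the options that occur in the script are understood.
OPTION_KEYS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
               "--destination-port": "dport", "--dport": "dport",
               "--state": "state", "-j": "target"}


def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def parse_script(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) for the filter table."""
    policies, chains = {}, {"INPUT": [], "FORWARD": [], "OUTPUT": []}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables" or "-t" in argv:
            continue                      # blank, comment, shell or nat-table line
        if argv[1] == "-P":
            policies[argv[2]] = argv[3]
            continue
        if argv[1] != "-A":
            continue                      # -F and friends carry no rule
        rule, i = {}, 3
        while i < len(argv):
            if argv[i] == "-m":           # module name such as "state": nothing to keep
                i += 2
                continue
            key, val = OPTION_KEYS[argv[i]], argv[i + 1]
            if key in ("src", "dst"):
                val = _net(val)
            elif key == "dport":          # single port or low:high range
                lo, _, hi = val.partition(":")
                val = (int(lo), int(hi or lo))
            elif key == "state":
                val = set(val.split(","))
            rule[key] = val
            i += 2
        chains[argv[2]].append(rule)
    return policies, chains


def _matches(rule, pkt):
    for key in ("in", "out", "proto"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "dport" in rule and not rule["dport"][0] <= pkt.get("dport", -1) <= rule["dport"][1]:
        return False
    if "state" in rule and pkt.get("state", "NEW") not in rule["state"]:
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """Walk one chain top to bottom. Returns (target, "rule N") for the first
    matching rule, or (policy, "policy") when nothing matched."""
    for n, rule in enumerate(chains[chain], start=1):
        if _matches(rule, pkt):
            return rule["target"], f"rule {n}"
    return policies[chain], "policy"
```

Running the sample through `verdict` shows three things worth knowing about the script's structure: a packet arriving on eth1 with source 192.168.1.5 is only dropped by the INPUT policy, because `-s 192.168.1.0/32` matches the single address 192.168.1.0; a packet that conntrack classes as ESTABLISHED is accepted by the state rule before the anti-spoof rule is ever consulted; and the `-p tcp` OUTPUT rule accepts every outbound TCP port on eth1, not only the ports the comments name.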


Turn off the firewall with this script.

/usr/local/sbin/zeroipt.sh

#!/bin/sh
# Reset iptables to a fully open state: flush every rule, delete user-defined
# chains and set all three policies back to ACCEPT.
iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

NetBSD Firewall – This is my IPFilter NetBSD firewall. It blocks all incoming connections and allows only a few outgoing connections. It is written for a modem connection to the Internet on the ppp0 network interface.

/etc/ipf.conf

#
# IPFilter configuration file.
#
# Author : Matthew W. Coan
# Date : Sun Jan 16 13:55:23 EST 2005
#

# Block all ppp0 packets
block in on ppp0 all
block out on ppp0 all

# ICMP
#pass in on ppp0 proto icmp all
#pass out on ppp0 proto icmp all

# DNS
pass out on ppp0 proto udp from any to any port = domain keep state

# WHO IS
pass out on ppp0 proto tcp from any to any port = whois keep state

# HTTP
pass in on ppp0 proto tcp from any to any port = http keep state
pass out on ppp0 proto tcp from any to any port = http keep state

# HTTPS
#pass in on ppp0 proto tcp from any to any port = https keep state
pass out on ppp0 proto tcp from any to any port = https keep state

# IRC
#pass out on ppp0 proto tcp from any to any port = 6669 keep state
#pass out on ppp0 proto tcp from any to any port = 6668 keep state
#pass out on ppp0 proto tcp from any to any port = 6667 keep state
#pass out on ppp0 proto tcp from any to any port = 6666 keep state

# SSH
pass in on ppp0 proto tcp/udp from any to any port = ssh keep state
pass out on ppp0 proto tcp/udp from any to any port = ssh keep state

# FTP
#pass out on ppp0 proto tcp from any to any port = ftp keep state
# Passive FTP
#pass out on ppp0 proto tcp from any to any port > 1023 keep state
# Active FTP
#pass in on ppp0 proto tcp from any to any port = ftp-data keep state
#pass in on ppp0 proto tcp from any port = ftp-data to any port > 1023 keep state

# WinMX TCP
#pass in on ppp0 proto tcp from any to 192.168.1.32 port = 6699 keep state
#pass out on ppp0 proto tcp from 192.168.1.32 to any keep state

# WinMX UDP
#pass in on ppp0 proto udp from any to 192.168.1.32 port = 6257 keep state
#pass out on ppp0 proto udp from 192.168.1.32 to any keep state

# Block and log IP spoofing (LAN or loopback sources arriving from the Internet)
block in log on ppp0 from 192.168.1.0/24 to any
block in log on ppp0 from 127.0.0.0/8 to any



NAT – This is my network address translation script under NetBSD.

/etc/ipnat.conf

#
# IPNAT configuration file.
#
# Author : Matthew W. Coan
# Date   : Mon Jan 10 13:14:22 EST 2005
#
map ppp0 192.168.1.2/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 192.168.1.0/24 -> 0/32
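The second map line above gives every LAN flow its own public port from the 40000:60000 range and remembers the mapping so replies can be translated back; an Internet-side packet that matches no remembered mapping has no inside destination and is dropped. The following Python is an added example, not NetBSD or IPFilter code, that models that behaviour (the FTP proxy line is not modelled). The public address 203.0.113.10 and the sample flows are constructed for the example. The remembered-flow idea is the same one `keep state` in ipf.conf and ESTABLISHED,RELATED in the iptables script rely on for reply traffic.

```python
# Added example, not from the page: a toy model of the stateful port-mapping
# NAT that "map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000"
# configures. Outbound packets get the public address and a fresh port from
# the range, the mapping is remembered, and inbound packets are translated
# back only when they match a remembered mapping.
import ipaddress


class PortmapNAT:
    def __init__(self, inside, public_ip, low, high):
        self.inside = ipaddress.ip_network(inside)
        self.public_ip = public_ip
        self.ports = iter(range(low, high + 1))   # next unused public port
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a LAN -> Internet packet. Returns the rewritten
        (proto, src_ip, src_port, dst_ip, dst_port), or None when the source
        is not on the inside network and the map rule does not apply."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return None
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.reverse:               # first packet of this flow
            pub_port = next(self.ports)
            self.reverse[key] = pub_port
            self.table[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (proto, self.public_ip, self.reverse[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an Internet -> LAN packet. Returns the rewritten 5-tuple,
        or None when no mapping exists (unsolicited traffic is dropped)."""
        if dst_ip != self.public_ip:
            return None
        entry = self.table.get((proto, dst_port, src_ip, src_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return (proto, src_ip, src_port, lan_ip, lan_port)


def demo():
    """Walk one LAN flow out and its reply back in; returns the two results."""
    nat = PortmapNAT("192.168.1.0/24", "203.0.113.10", 40000, 60000)
    out = nat.outbound("tcp", "192.168.1.5", 51234, "198.51.100.7", 80)
    back = nat.inbound("tcp", "198.51.100.7", 80, "203.0.113.10", out[2])
    return out, back
```

The mapping key includes the remote address and port, so a reply is only let back in from the host the LAN client actually contacted; a packet to a mapped public port from a different remote host gets no translation.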

PPP – These are my point-to-point protocol (PPP) scripts under NetBSD. These scripts are used to connect to the Internet under NetBSD using a modem and the userland pppd program.

/etc/ppp/ip-up

#!/bin/sh

# start IP NAT
/etc/rc.d/ipnat forcestart

/etc/ppp/ip-down

#!/bin/sh
/etc/rc.d/ipnat forcestop

/etc/ppp/options

lock
modem
crtscts
defaultroute
/dev/tty03
56000

/etc/ppp/pap-secrets

"my_user_name@earthlink.net"    ""      mypassword

/etc/ppp/peers/earthlink

user 'my_user_name@earthlink.net'
connect '/usr/sbin/chat -v -f /etc/ppp/peers/earthlink.chat'

/etc/ppp/peers/earthlink.chat

'ABORT' 'BUSY'
'ABORT' 'ERROR'
'ABORT' 'NO CARRIER'
'ABORT' 'NO DIALTONE'
'ABORT' 'Invalid Login'
'ABORT' 'Login incorrect'
'' 'ATZ'
'OK' 'ATDT 94435644078'
'CONNECT' ''

DNS2Go – Dynamic DNS service from dns2go.com. A Perl script for the client DNS update software:

dns2go_perl.tar.gz

OpenBSD Firewall – pf.conf packet filter rules.


wired = "re0"
wired2 = "ure0"
wifi  = "athn0"
loop = "lo0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $wired $wifi }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass in quick on $loop
pass out quick on $loop
pass in quick on $wired inet proto tcp from any to any port { 80 68 123 } 
block in quick on $wired inet proto icmp from any to any
block in quick on $wired inet
pass out quick on $wired inet proto tcp from any to any port { 80 53 443 123 119 22 67 }
pass out quick on $wired inet proto udp from any to any port { 53 123 }
block out quick on $wired inet proto icmp from any to any 
block out quick on $wired inet
pass in quick on $wired2 inet proto tcp from any to 192.168.1.0/24 port { 80 53 443 123 119 22 67 68 137 138 139 445 }
pass in quick on $wired2 inet proto tcp from 192.168.1.0/24 to any port { 80 53 443 123 119 22 67 68 137 138 139 445 }
pass in quick on $wired2 inet proto udp from 192.168.1.0/24 to any port { 53 67 68 123 137 138 139 445 }
pass in quick on $wired2 inet proto udp from any to 192.168.1.0/24 port { 53 67 68 123 137 138 139 445 }
block in quick on $wired2 inet proto icmp from any to any
block in quick on $wired2 inet
block out quick on $wired2 inet proto icmp from any to any
block out quick on $wired2 inet
pass in on egress inet proto tcp from any to (egress) port { 53 119 22 80 443 67 68 123 } rdr-to 192.168.1.0/24 
pass in on egress inet proto udp from any to (egress) port { 53 123 } rdr-to 192.168.1.0/24 
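The martians table plus the `block in quick on egress from <martians> to any` rule is the part of this ruleset that refuses packets arriving from the Internet with source addresses that cannot legitimately come from there (private, loopback, link-local, multicast and documentation ranges). The following Python is an added example and not part of pf.conf: it loads the table as written above and reports, for a few constructed source addresses, which entry (if any) that block rule would hit. 8.8.8.8 is used as the one non-martian sample because it already appears on this page as a DNS server; the `antispoof` line, which additionally covers each interface's own network, is not modelled.

```python
# Added example, not part of pf.conf: load the <martians> table from a
# pf.conf fragment and decide what "block in quick on egress from <martians>"
# does for a given source address. The fragment below is the table as it
# appears on this page; the sample addresses in demo() are constructed.
import ipaddress
import re

PF_CONF = r"""
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }
block in quick on egress from <martians> to any
"""


def load_table(conf, name):
    """Return the ip_network entries of table <name> from a pf.conf string,
    honouring backslash line continuations and an optional persist/const."""
    joined = conf.replace("\\\n", " ")
    pattern = r"table\s+<%s>\s*(?:persist\s+|const\s+)*\{([^}]*)\}" % re.escape(name)
    m = re.search(pattern, joined)
    if m is None:
        raise ValueError(f"table <{name}> not found")
    return [ipaddress.ip_network(tok) for tok in m.group(1).split()]


def egress_ingress_verdict(table, src):
    """What the 'block in quick on egress from <martians>' rule decides for a
    packet with source src: ("block", matching_entry) or ("continue", None),
    the latter meaning evaluation moves on to the later rules."""
    addr = ipaddress.ip_address(src)
    hit = next((net for net in table if addr in net), None)
    return ("block", str(hit)) if hit is not None else ("continue", None)


def demo():
    """Classify a few constructed sources; returns {source: verdict}."""
    table = load_table(PF_CONF, "martians")
    samples = ["192.168.1.7", "169.254.10.1", "239.1.2.3", "8.8.8.8"]
    return {src: egress_ingress_verdict(table, src) for src in samples}
```

Because the rule carries `quick`, a hit ends evaluation immediately; the `block return out quick ... to <martians>` line applies the same table in the other direction so that the host never tries to reach those ranges through its Internet link.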

OpenBSD DHCP Daemon – dhcpd.conf Dynamic Host Configuration Protocol server configuration file.


#authoritative;

allow unknown-clients;

subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.2 192.168.1.32;

   default-lease-time 43200;

   option subnet-mask 255.255.255.0;

   #option domain-name-servers 75.75.75.75;
   option domain-name-servers 192.168.1.1;
   #option domain-name-servers 10.0.0.1;

   option routers 192.168.1.1;
}
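Both dhcpd.conf files on this page (the Linux one near the top and the OpenBSD one just above) share the same small shape: a few top-level statements and one subnet block carrying a range, a router and the DNS servers to hand out. The following Python is an added example, not part of either configuration and not the ISC dhcpd parser: a checker for exactly that subset of the grammar that verifies the range and router fall inside the declared subnet, warns when the server is not authoritative, and flags unknown top-level statements, which is how a misspelled keyword shows up. The constructed sample deliberately carries a misspelling of `authoritative` so the check has something to find.

```python
# Added example, not from the page: a lint pass over the subset of dhcpd.conf
# used by the two configurations above (top-level statements plus
# "subnet ... netmask ... { ... }" blocks with range / option routers /
# option domain-name-servers). It is not the ISC dhcpd parser.
import ipaddress
import re

KNOWN_STATEMENTS = {"authoritative", "allow", "deny", "default-lease-time",
                    "max-lease-time", "option", "range", "subnet"}

# Constructed sample, written with a misspelling of "authoritative".
SAMPLE_CONF = """
authoratative;
allow unknown-clients;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.2 192.168.1.32;
    default-lease-time 43200;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 8.8.8.8;
    option routers 192.168.1.1;
}
"""

SUBNET_RE = r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}"


def _addrs(words):
    return [ipaddress.ip_address(w.strip(",")) for w in words]


def parse_dhcpd_conf(text):
    """Return (top_level_statements, subnets); '#' comments are stripped."""
    text = re.sub(r"#.*", "", text)
    subnets = []
    for m in re.finditer(SUBNET_RE, text):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        block = {"network": net, "range": None, "routers": [], "dns": []}
        for stmt in m.group(3).split(";"):
            words = stmt.split()
            if not words:
                continue
            if words[0] == "range" and len(words) == 3:
                block["range"] = (ipaddress.ip_address(words[1]),
                                  ipaddress.ip_address(words[2]))
            elif words[:2] == ["option", "routers"]:
                block["routers"] = _addrs(words[2:])
            elif words[:2] == ["option", "domain-name-servers"]:
                block["dns"] = _addrs(words[2:])
        subnets.append(block)
    rest = re.sub(SUBNET_RE, "", text)          # everything outside the blocks
    statements = [s.split() for s in rest.split(";") if s.split()]
    return statements, subnets


def lint_dhcpd_conf(text):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    statements, subnets = parse_dhcpd_conf(text)
    for words in statements:
        if words[0] not in KNOWN_STATEMENTS:
            findings.append(f"unknown statement '{words[0]}' (typo?)")
    if not any(words[0] == "authoritative" for words in statements):
        findings.append("server is not authoritative; it will not NAK stale leases")
    for sn in subnets:
        net = sn["network"]
        if sn["range"] is None:
            findings.append(f"{net}: no range, so no dynamic leases")
        else:
            lo, hi = sn["range"]
            if lo > hi or lo not in net or hi not in net:
                findings.append(f"{net}: range {lo}-{hi} is not inside the subnet")
        for router in sn["routers"]:
            if router not in net:
                findings.append(f"{net}: router {router} is not on the subnet")
        if not sn["dns"]:
            findings.append(f"{net}: no DNS servers handed out")
    return findings
```

On the sample the checker reports the unknown statement and, as a consequence, that the server is not authoritative; with the keyword corrected the same file passes clean, and moving the end of the range to 192.168.2.32 produces the range finding. An authoritative server is the one that answers DHCPNAK to clients asking to renew a lease it does not know about, so on a LAN where this is the only server the line should be present.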
OpenBSD Samba – smb.conf SAMBA configuration file for working with Microsoft networking.


[global]
	interfaces = ure0 
	bind interfaces only = yes
	netbios name = INVENTLAB
	workgroup = COANLAN
	server string = PC UNIX
	security = user
	domain master = yes
	preferred master = yes
	encrypt passwords = yes

[pub]
	comment = web site
	path = /home/mcoan/pub
	public = yes
	writable = no
	browsable = yes
	guest ok = yes