Koozali.org: home of the SME Server

Proxy and Firewall

Mike Pascual

Proxy and Firewall
« on: October 17, 2003, 11:38:13 AM »
I'm running Mandrake Linux 7.2 as Proxy and Firewall using ipchains. Only defined IPs are NAT'd and all other IPs are not, so that only the defined IPs can use Yahoo Messenger and MSN.

I'm planning to switch to SME 5.6 as Proxy and Firewall. I'm already running SME 5.6 U5 as my e-mail server and VPN server connected to my backup ISP. How can I reproduce my previous Mandrake setup on my new SME 5.6 connected to my primary ISP?

Details:

Network = x.x.x.x/23

IP's NAT'd
x.x.x.x = me
x.x.x.x = boss
x.x.x.x = boss2

Other IPs are not NAT'd

Is the transparent proxy running in a default installation, or do I need to install some modules? I'm planning to use the server and gateway mode.

I keep searching through templates-custom but find nothing similar to my need, also in the forum archive.

Please help....

Mike

Paul Nesbit

Re: Proxy and Firewall
« Reply #1 on: October 17, 2003, 10:18:33 PM »
> [...]
> Other's IP is not NAT'd
>
> Is the transparent proxy is running by default installation? or
> need to install some modules. I'm planning to use the server and
> gateway mode.

NAT/masquerading is provided by default, as is transparent http and smtp proxying.  (I may be wrong about smtp - I don't have an unsupported 6.0 release at hand to verify.)

> I keep searching for templates-custom but no similar to my need,
> also in the archive forum.

The SME Server will NAT MSN and Yahoo Messenger (and ICQ). There is no need to assign public IPs to your internal workstations or customize the SME Server.  

  Paul

Paul Nesbit

Re: Proxy and Firewall
« Reply #2 on: October 17, 2003, 10:22:10 PM »
> I'm running Mandrake Linux 7.2 as Proxy and Firewall using
> ipchains. Only defined IP's are NAT'd and all of other IP is not.
> So that all defined IP's can use Yahoo messenger and MSN.

I see that I may have misunderstood your configuration.  Why not NAT all IPs, not just the IPs for IM users?

  Paul

Mike Pascual

Re: Proxy and Firewall
« Reply #3 on: October 18, 2003, 07:08:15 AM »
The reason why I don't like to NAT all is so that only allowed IPs can use IM.
If all are NAT'd, all can use IM and I don't like that. I want only several IPs to be NAT'd in my SME. I will use SME as gateway for all of the workstations, so I need to filter which IPs will be NAT'd.

By the way, if I want to add rules in iptables, where do I put them so they run as a template?

#sample
# Masquerade everything leaving the WAN interface (eth1)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Start with an empty FORWARD chain
iptables -F FORWARD
# The ACCEPT for the allowed host must come before the catch-all DROP:
# the first matching rule wins, so the reverse order would block everyone
iptables -A FORWARD -i eth0 -s x.x.x.x -j ACCEPT
iptables -A FORWARD -i eth0 -j DROP

Thanks....

Paul Nesbit

Re: Proxy and Firewall
« Reply #4 on: October 19, 2003, 01:10:46 AM »
> The reason why i don't like to NAT all is so that only
> allowed IP's can use IM.  If all are NAT'd all can use
> IM
 
I suggest using tcp wrappers to implement allow/disallow
policies.  (I'm not familiar enough with the MSN/Yahoo IM
protocols to know if it's feasible, but I suspect it
is.)  See man pages (and templates) for hosts.allow and
hosts.deny.
 
> and I don't like that. I want only several IP's to be
> NAT'd in my SME. I will use SME as gateway for all of
> the workstation. So then I need to filter which IP's
> will be NAT'd.
>
> By the way. If i want to add rules in IPTABLES where can
> i locate to run as a template.
 
The firewall script is /etc/rc.d/init.d/masq, templates
for that file are in
/etc/e-smith/templates/etc/rc.d/init.d/masq/, custom
templates go in
/etc/e-smith/templates/custom/etc/rc.d/init.d/masq/.
 
HTH,
 
  Paul

Paul Nesbit

Re: Proxy and Firewall
« Reply #5 on: October 19, 2003, 01:41:09 AM »
> I suggest using tcp wrappers to implement allow/disallow
> policies.

I've thought about that for a moment - silly advice that is.  TCP wrappers are limited to access control for incoming service requests to daemons running on the server.

You can still ensure all hosts are NAT'd, and implement your allow/disallow policy using firewall rules.

Cheers,

  Paul
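One way to express the policy Paul describes above (NAT every host, restrict IM by source address with firewall rules), as an added example that is not code from this thread or from SME Server itself. The interface names, addresses and IM ports (TCP 1863 for MSN, TCP 5050 for Yahoo) are assumptions; the function only prints the iptables commands so they can be reviewed before being placed in a masq template fragment.

```shell
# Constructed example, not from the thread or from SME Server.
# Assumptions: eth0 is the LAN interface, eth1 the WAN interface, and the
# IM services use TCP 1863 (MSN) and TCP 5050 (Yahoo). Verify the ports
# against your own traffic before relying on them.
IM_PORTS="1863 5050"

# im_policy_rules LAN_IF WAN_IF ALLOWED_IP...
# Prints the iptables commands for the policy; it does not execute them.
im_policy_rules() {
    lan_if=$1
    wan_if=$2
    shift 2

    # NAT every host, as Paul suggests; access control is done elsewhere.
    echo "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE"

    # A dedicated chain keeps the IM policy separate from the rest of FORWARD.
    echo "iptables -N im_policy"

    # Allowed hosts first: rule order decides, the first match wins.
    for ip in "$@"; do
        echo "iptables -A im_policy -s $ip -j ACCEPT"
    done

    # Everyone else: log the attempt (useful when auditing), then drop.
    echo "iptables -A im_policy -j LOG --log-prefix 'im-denied: '"
    echo "iptables -A im_policy -j DROP"

    # Only LAN-to-WAN traffic towards the IM ports enters the policy chain;
    # all other forwarding is untouched by this function.
    for port in $IM_PORTS; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -p tcp --dport $port -j im_policy"
    done
}

# Sample run with two constructed workstation addresses.
im_policy_rules eth0 eth1 192.168.1.10 192.168.1.11
```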

Alejandro Lengua

Re: Proxy and Firewall
« Reply #6 on: October 24, 2003, 06:24:48 AM »
What about the port forwarding rules?
I installed a contrib, but it seems that it is not creating the iptables rules and I want to check it...