Ipchains on Linux
Got DSL with one IP address?
Wanted to give your neighbors internet access?
If you want to read, go to the IPCHAINS-HOWTO.
If you want to do it quick, these notes are for that purpose.
A longer explanation of what to block can be found here.
Get the Latest IPChains.
Identify the version on your system.
/sbin/ipchains --version
See what chains are currently loaded.
/sbin/ipchains -L -n
Delete the top rule on the input chain:
/sbin/ipchains -D input 1
Enable a rule (ip masquerading as an example):
/sbin/ipchains -A forward -s 10.1.0.0/24 -j MASQ
List the current masqueraded connections (the -M flag selects the masquerading table):
/sbin/ipchains -M -L
List the rules currently in effect:
/sbin/ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  10.1.0.0/24           anywhere              n/a
Chain output (policy ACCEPT):
Look at the files controlling ipchains:
cat /etc/rc.d/rc.firewall
# Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.0.0/24 -j MASQ
Add an entry so it starts when you boot.
vi /etc/rc.d/rc.firewall
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.0.0/24 -j MASQ
Look at your active connections, and listening ports as you connect
/usr/sbin/lsof -i TCP
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 549 root 3u IPv4 493 TCP *:ssh (LISTEN)
inetd 528 root 10u IPv4 459 TCP *:pop3 (LISTEN)
sshd 2320 root 5u IPv4 3722 TCP server.mydomain.com:ssh->host.remote.com:1022 (ESTABLISHED)
Hide your webserver behind the firewall with a port forward:
IP forwarding must be built into the kernel too; then you add ipmasqadm,
and then the rule you write into your rc.firewall script at the end is:
ipmasqadm portfw -a -P tcp -L (outside IP) 80 -R (inside IP) 80
iptables: sharing a PPP connection with other servers on the LAN
- Enables packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
- Flush all the rules in filter and nat tables
iptables --flush
iptables --table nat --flush
- Delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain
- Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
- Assuming one NIC to local LAN
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables: Linux connected via DSL, Cable, T1
- Enables packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
- Prevents spoofing attacks against your internal networks
echo 1 >/proc/sys/net/ipv4/conf/eth0/rp_filter
- Flush all the rules in filter and nat tables
iptables --flush
iptables --table nat --flush
- Delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain
- Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables: Block traffic that should not be routed
- Allow loopback access
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
- Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
- Block X-Windows and X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
- Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
- Block Sun rpc/NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP
- Block Loopback spoofing
iptables -A INPUT -p all -s localhost -i eth0 -j DROP
iptables: debugging
- Log packets that reach the end of the INPUT and OUTPUT chains
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
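Those two LOG rules match every packet that reaches the end of the chain, so the kernel log fills quickly; the script below is an added example (not part of the original notes) that summarises such lines by source, protocol and destination port so you can see what is hitting the box. The log lines in SAMPLE_LOG are constructed to match the netfilter LOG format; on a real host you would feed /var/log/messages or dmesg into the same functions.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG output produced by the
# "INPUT_DROP: " / "OUTPUT_DROP: " rules above. Sample lines are constructed.

SAMPLE_LOG='Mar  3 10:01:02 gw kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=4411 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 gw kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=4412 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:09 gw kernel: INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=53 DPT=111 LEN=24
Mar  3 10:01:10 gw kernel: OUTPUT_DROP: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarise_log PREFIX  < logfile
# Prints "count SRC PROTO DPT" for every line carrying PREFIX, most frequent first.
# Each netfilter field is KEY=VALUE, so split on "=" and keep the ones we need.
summarise_log() {
    prefix="$1"
    grep -F "kernel: ${prefix}" |
    awk '{
        src = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (src != "") count[src " " proto " " dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# top_source PREFIX  < logfile
# The single source address responsible for the most logged packets.
top_source() {
    summarise_log "$1" |
    awk '{ c[$2] += $1 }
         END { best = ""; for (s in c) if (best == "" || c[s] > c[best]) best = s; print best }'
}

# Stand-alone run over the constructed sample: who is knocking on INPUT?
printf '%s\n' "$SAMPLE_LOG" | summarise_log "INPUT_DROP: "
printf 'busiest source: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | top_source "INPUT_DROP: ")"
```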
Also check out the iproute2 rpm. It supplies the commands ip, rtacct, rtmon, tc,