[ale] Using a linux box to hide an un-official subnet...

George A. Nies gnies at mindspring.com
Mon Jan 20 21:40:50 EST 1997


to quote myself:

>I have a similar setup at my house.  I am using kernel 2.0.20 and
>ipfwadm (http://www.xos.nl/linux/ipfwadm).  This web page was enough
>for me to set up my own firewall rules from the example.  I am at work
>and cannot access my home box, but I would be glad to post my firewall
>script (I call it in /etc/rc.d/rc.ipfwadm).

Well, here it is:

Check out the web page mentioned above for info on how to set up your kernel.

  #!/bin/sh
  #
  # /etc/rc.d/rc.ipfw, define the firewall configuration, invoked from
  # rc.M.
  #
  # Most of this file was pulled from various web pages, I can not take
  # credit for most of this, I just put it all together.
  # 	-George A. Nies
  #
  # "localnet" below is a name for the private network behind this box; it
  # has to resolve to that network address (e.g. an entry in /etc/networks or
  # /etc/hosts) for ipfwadm to accept it.  168.121.138.104 is the permanent
  # PPP address, used with -V to select the remote interface.

  echo "Setting up IP masquerade"

  PATH=/sbin:/bin:/usr/sbin:/usr/bin

  # Incoming, flush and set default policy of deny. Actually the default
  # policy is irrelevant because there is a catch all rule with deny and log.
  ipfwadm -I -f
  ipfwadm -I -p deny
  # local interface, local machines, going anywhere is valid
  ipfwadm -I -a accept -W eth0 -S localnet/24 -D 0.0.0.0/0
  # remote interface, claiming to be local machines, IP spoofing, get lost
  ipfwadm -I -a deny -V 168.121.138.104 -S localnet/16 -D 0.0.0.0/0
  # remote interface, any source, going to permanent PPP address is valid
  ipfwadm -I -a accept -V 168.121.138.104 -S 0.0.0.0/0 -D 168.121.138.104/32
  # loopback interface is valid.
  ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
  # catch all rule, all other incoming is denied and logged (-o turns on
  # kernel logging of matching packets)
  ipfwadm -I -a deny -o -S 0.0.0.0/0 -D 0.0.0.0/0

  # Outgoing, flush and set default policy of deny. Actually the default
  # policy is irrelevant because there is a catch all rule with deny and log.
  ipfwadm -O -f
  ipfwadm -O -p deny
  # local interface, any source going to local net is valid
  ipfwadm -O -a accept -W eth0 -S 0.0.0.0/0 -D localnet/24
  # outgoing to local net on remote interface, stuffed routing, deny
  ipfwadm -O -a deny -V 168.121.138.104 -S 0.0.0.0/0 -D localnet/24
  # outgoing from local net on remote interface, stuffed masquerading, deny
  ipfwadm -O -a deny -V 168.121.138.104 -S localnet/24 -D 0.0.0.0/0
  # anything else outgoing on remote interface is valid
  ipfwadm -O -a accept -V 168.121.138.104 -S 168.121.138.104/32 -D 0.0.0.0/0
  # loopback interface is valid.
  ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
  # catch all rule, all other outgoing is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  ipfwadm -O -a deny -o -S 0.0.0.0/0 -D 0.0.0.0/0

  # Forwarding, flush and set default policy of deny. Actually the default
  # policy is irrelevant because there is a catch all rule with deny and log.
  ipfwadm -F -f
  ipfwadm -F -p deny
  # Masquerade from local net going out the remote (PPP) interface to anywhere.
  ipfwadm -F -a masquerade -V 168.121.138.104 -S localnet/24 -D 0.0.0.0/0
  # catch all rule, all other forwarding is denied and logged
  ipfwadm -F -a deny -o -S 0.0.0.0/0 -D 0.0.0.0/0

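The script above is first-match: each chain is walked top to bottom and the first rule whose interface, source and destination all match decides the packet, with the trailing catch-all denying whatever fell through. The following added example (not part of the original post or of ipfwadm) models those three chains in Python and runs constructed packets through them, so the anti-spoofing rule, the "stuffed masquerading" rule and the masquerade rule can be checked without a 2.0 kernel. The interface name `ppp0` and the network `192.168.1.0/24` are assumptions standing in for the post's remote interface and its `localnet` placeholder.

```python
"""Model of the post's ipfwadm rule lists as first-match chains.

Added example, not the post's own script. The post selects the remote
interface by address (-V 168.121.138.104); here it is named 'ppp0' and
'localnet' is assumed to be 192.168.1.0/24. Both are constructed values.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("192.168.1.0/24")      # assumed stand-in for localnet/24
LOCALNET16 = ip_network("192.168.0.0/16")    # assumed stand-in for localnet/16
REMOTE_IF = "ppp0"                           # assumed name of the PPP link
PPP_ADDR = ip_network("168.121.138.104/32")  # the post's permanent PPP address
ANY = ip_network("0.0.0.0/0")

# iface=None means the rule has no -W/-V and matches every interface.
Rule = namedtuple("Rule", "iface src dst action")
Packet = namedtuple("Packet", "iface src dst")

# ipfwadm -I ... (input chain), same order as the post
INPUT = [
    Rule("eth0", LOCALNET, ANY, "accept"),        # local machines going anywhere
    Rule(REMOTE_IF, LOCALNET16, ANY, "deny"),     # spoofed local source on PPP
    Rule(REMOTE_IF, ANY, PPP_ADDR, "accept"),     # anything to the PPP address
    Rule("lo", ANY, ANY, "accept"),
    Rule(None, ANY, ANY, "deny"),                 # catch all (logged in the post)
]

# ipfwadm -O ... (output chain)
OUTPUT = [
    Rule("eth0", ANY, LOCALNET, "accept"),
    Rule(REMOTE_IF, ANY, LOCALNET, "deny"),       # stuffed routing
    Rule(REMOTE_IF, LOCALNET, ANY, "deny"),       # stuffed masquerading (leak)
    Rule(REMOTE_IF, PPP_ADDR, ANY, "accept"),
    Rule("lo", ANY, ANY, "accept"),
    Rule(None, ANY, ANY, "deny"),
]

# ipfwadm -F ... (forwarding chain); pkt.iface is the outgoing interface
FORWARD = [
    Rule(REMOTE_IF, LOCALNET, ANY, "masquerade"),
    Rule(None, ANY, ANY, "deny"),
]


def first_match(chain, pkt):
    """Return the action of the first rule matching pkt, else the chain
    policy (deny in the post's script)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in chain:
        if rule.iface is not None and rule.iface != pkt.iface:
            continue
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def verdict_input(pkt):
    return first_match(INPUT, pkt)


def verdict_output(pkt):
    return first_match(OUTPUT, pkt)


def verdict_forward(pkt):
    return first_match(FORWARD, pkt)


def run_demo():
    """Constructed packets and the verdict each chain gives them."""
    cases = {
        # a packet on the PPP link claiming a local source: the anti-spoof rule
        "spoof_in": verdict_input(Packet("ppp0", "192.168.1.5", "168.121.138.104")),
        # a normal reply to the PPP address is accepted
        "reply_in": verdict_input(Packet("ppp0", "10.1.2.3", "168.121.138.104")),
        # outsiders cannot address inside hosts directly
        "direct_in": verdict_input(Packet("ppp0", "10.1.2.3", "192.168.1.5")),
        # local machine on eth0 is fine
        "lan_in": verdict_input(Packet("eth0", "192.168.1.5", "10.1.2.3")),
        # inside host going out: forwarded and masqueraded
        "lan_fwd": verdict_forward(Packet("ppp0", "192.168.1.5", "10.1.2.3")),
        # nothing is forwarded back into the LAN by this chain
        "ext_fwd": verdict_forward(Packet("eth0", "10.1.2.3", "192.168.1.5")),
        # a private address leaking out unmasqueraded is stopped
        "leak_out": verdict_output(Packet("ppp0", "192.168.1.5", "10.1.2.3")),
        # the box's own traffic leaves normally
        "own_out": verdict_output(Packet("ppp0", "168.121.138.104", "10.1.2.3")),
    }
    return cases


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:10s} {action}")
```

Because the spoof rule uses `localnet/16` while the accept rules use `/24`, the model keeps both networks separate; the wider mask in the deny rule only matters if other /24s of the same /16 are ever routed behind the box.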
More information about the Ale mailing list