Firewall-NAT with IPFilter
This page describes how to configure IPFilter to run on an IRIX machine. One application discussed is for a dual-interfaced IRIX machine to act as a gateway with NAT (Network Address Translation) capabilities---such as a small private network sharing a single common external interface via an IRIX gateway. Alternately, IPFIlter could also be used on a single-interface IRIX workstation that requires a simple firewall to block all ports except a select few.
IRIX as a Router
Chapter 3 of SGI's IRIX documentation, IRIX Admin: Networking and Mail, describes a very simple process of turning an IRIX machine with multiple ethernet interfaces into a router. A summary of the steps are:
- Enable the 2nd interface (by modifying /etc/config/netif.options) and name it gate-<1st interface name>
- Reconfigure the kernel and restart the system
Supposedly, IRIX will auto-magically start routing packets for you. What is not discussed is the following:
- Is the routed daemon running?
chkconfig routed on|off
- Should I be using the gated daemon instead?
chkconfig gated on|off
- Should I enable IP Forwarding? (Software Manager->Network and Connectivity->Configure Interface)
Unfortunately, those questions will remain unanswered here because routing alone is insufficient for a "Firewall" without filtering or a "Gateway" without address translation (NAT).
While the above configuration is sufficient to route packets between two networks, it doesn't provide any filtering protection or anything to help the private network machines communicate with the web in a "transparent" manner. Specifically, in the case where the IRIX gateway is the only system with a public IP address, and the private network machines are all in the unroutable range (e.g. 192.168.x.x, 172.16.x.x or 10.0.x.x) then the replies have no way of getting back to the systems behind the firewall.
What NAT does is "masquerades" the private network machines as the gateway's IP address so that to the rest of the world all queries appear to originate from the gateway and all replies are returned to the gateway. The NAT software on the IRIX gateway is responsible for keeping track of getting the responses back to the proper source on the hidden network.
Linux has some built-in facility for this called IP Masquerading that call be enabled via commands similar to
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE /sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 <public IP addr> dev eth1
IRIX does not have native NAT capabilities, so we need to install an additional software package (e.g. IPFilter).
IPFilter is an established open source software package written and maintained by Darren Reed under a modified BSD style license. Source code is available from the project's homepage. It claims to have been tested and run under IRIX 6.2 and 6.5 (loadable kernel module), however, there have reportedly been problems with compiling the latest version (4.1). It provides both filtering and NAT functionality.
SGI once made available a precompiled and patched version of the software on their (now defunct) Cool Software site. This packaged version was compiled against the 6.5.16 IRIX kernel, but is known to work with some caveats on systems running 6.5.30. The package installs itself under the product name ipfilter and should not be confused with the older kernel module ipfilterd which is a part of the eoe.sw.ipgate software subsystem. In fact, IPFilter and ipfilterd are mutually exclusive. There is even a terse but useful SGI Tech Pub document, IRIX Admin: IPFilter Firewall User's Guide, that explains some of the (intended) IRIX implimentation details. Like so many other SGI/IRIX efforts of the new millennium, this one too appears to have been abortive.
Fortunately, through our patron's wisdom and charity, the SGI package has been mirrored on the Nekochan.net community FTP site, here:
inst -f /path/to/6.5.16_ipfilter_3.4.27.tardist
The install components of the software base subsystem (ipfilter.sw.base) include:
f 24676 1 ipfilter.sw.base c etc/config/ipfilter f 41041 1 ipfilter.sw.base c etc/config/ipfilter.options f 24675 1 ipfilter.sw.base c etc/config/ipmon.options f 24643 1 ipfilter.sw.base c etc/config/ipnat.options f 51944 5 ipfilter.sw.base etc/init.d/ipf f 19158 2 ipfilter.sw.base c etc/ipf.conf f 40955 1 ipfilter.sw.base c etc/ipnat.conf l 0 0 ipfilter.sw.base etc/rc2.d/S33ipf f 38138 131 ipfilter.sw.base m sbin/ipf f 21023 46 ipfilter.sw.base m sbin/ipfs f 22340 281 ipfilter.sw.base m sbin/ipfstat f 13553 87 ipfilter.sw.base m sbin/ipmon f 64991 230 ipfilter.sw.base m sbin/ipnat f 21372 43 ipfilter.sw.base usr/include/netinet/ipfil.h f 18548 18 ipfilter.sw.base usr/include/netinet/ipnat.h f 33309 361 ipfilter.sw.base m usr/ipfilter/bin/ipftest f 30230 91 ipfilter.sw.base m usr/ipfilter/bin/ipresend f 59158 217 ipfilter.sw.base m usr/ipfilter/bin/ipsend f 13573 6 ipfilter.sw.base usr/ipfilter/bin/mkfilters d 0 0 ipfilter.sw.base var/db/ipf f 60660 493 ipfilter.sw.base m var/sysgen/boot/ipf.o f 3341 1 ipfilter.sw.base var/sysgen/master.d/ipf f 46163 1 ipfilter.sw.base var/sysgen/system/ipf.sm
Note that the ipfilter filter executable utilities (e.g. mkfilters) reside in a subdirectory /usr/ipfilter/bin, that will not normally be in your path.
IPFilter is a sophisticated tool and configuring it properly requires some effort with a small learning curve. Fortunately, there is an excellently written HowTo tutorial available for download in addition to other documentation. We'll cover here a few simple configuration cases that will get a new user started.
The files that control the particulars of your installation are
/etc/ipf.conf /etc/ipnat.conf /etc/config/ipfilter.options /etc/config/ipnat.options
where the first two being the ones you will almost certainly want to change.
After the package is installed you need configure the system to active it at start-up (reboot).
chkconfig ipfilterd off chkconfig ipfilter on
Note that the first command disables the conflicting ipfilterd daemon if it is enabled on your system (default is off). The ipfilter daemon will not have started yet, but you can manually invoke it as root using the start-up script
If ipfilterd was already running on your system, a reboot is probably required to fully deactivate it.
Below, example configuration files are given for two common applications of IPFIlter.
This example exercises IPFilter's filtering capability to provide a simple firewall for a machine with a single interface (ef0). The reason for installing the IPFilter package--even on a stand-alone workstation--is to protect the host against intrusions from your neighborhood. We are trying to block all ports which aren't needed because, after a IRIX default installation, a lot of services are running which are reachable over the Network.
The following example of a configuration file (/etc/ipf.conf) show also how to create some rules to let other machines access some of our services like SSH or HTTP(s). Rules process from the top down, with subsequent rule matches overriding the previous. If a rule contains the keyword "quick" processing terminates as soon as the rule's criteria is met.
#Handling the loopbackdevice pass out quick on lo0 pass in quick on lo0 #Block known "black hats" block in quick on ef0 from 18.104.22.168 to any block in quick on ef0 from 22.214.171.124 to any block in quick on ef0 from 126.96.36.199 to any #Manage the Connection to the internet (all keep state) pass out quick on ef0 proto tcp from any to any flags R/R pass out quick on ef0 proto tcp from any to any flags S keep state pass out quick on ef0 proto udp from any to any keep state pass out quick on ef0 proto icmp from any to any keep state pass out quick on ef0 proto tcp from any to any port = 21 flags S keep state #Open Connections from the Internet pass in quick on ef0 proto tcp from any to any port = 22 keep state # SSH pass in quick on ef0 proto tcp from any to any port = 80 keep state # HTTP pass in quick on ef0 proto tcp from any to any port = 443 keep state # HTTPS pass in quick on ef0 proto tcp from any to any port = 3690 keep state # SVN and CVS #Mysql Connects from a special host are allowed pass in quick on ef0 proto tcp from 188.8.131.52 to any port = 3306 keep state #ICMP managen pass in quick on ef0 proto icmp from any to any icmp-type 0 # PING pass out quick on ef0 proto icmp from any to any icmp-type 0 # PING pass in quick on ef0 proto icmp from any to any icmp-type 3 pass in quick on ef0 proto icmp from any to any icmp-type 8 pass out quick on ef0 proto icmp from any to any icmp-type 8 pass in quick on ef0 proto icmp from any to any icmp-type 11 block in log quick on ef0 proto icmp from any to any #Block some weird IP-Packages. block in log quick on ef0 proto tcp all with short block in log quick on ef0 all with opt lsrr block in log quick on ef0 all with opt ssrr #Block all and log block in log on ef0 all
Simple Gateway with NAT
(Note to self: don't forget to address here the questions posed in section "IRIX as a Router")
Here are the contents of the NAT configuration file, /etc/ipnat.conf, set up so that a private network (192.168.0.x) can access the public network through an IRIX (dual-interfaced) gateway that is running IPFilter.
map tg0 192.168.0.0/24 -> <gateway's public IP address>/32
The machines on the private network should have their default routes set to the private address of the gateway (e.g. 192.168.0.1)
Testing / Bugs
The existing SGI packaged IPFilter is known to spew the following messages to the console when it is up on machines with gigabit ethernet interfaces (tg0, tg1, etc.).
IPFilter: ipl_if_output: mbuf block too small (m_len=0) for IP vers+hlen, m_type=2 m_flags=0x41
kind of annoying but so far harmless. It has been suggested recompiling with debugging disabled will remove this problem.
The best way is to set l2tcpseg to OFF (default is ON) in /etc/config/tgconfig.options, assuming you are using an original SGI Gigabit interface on IRIX 6.5.27. --Cadmo 11:31, 19 March 2008 (PDT)
An attempt will be made to compile the latest version of IPFilter for inclusion in the Nekoware software collection. Stay tuned!