Copyright (c) 1998, 1999 William Stearns

Quickstart-ipchains

This document is designed to help people who are unfamiliar with Mason or ipchains build a firewall using both. A novice user should be able to build a basic firewall using these instructions in 20 minutes.

#include .

Prepare /etc/services

Mason depends on a few setup details to be able to provide a firewall that works in the way you intended. Make sure that /etc/services includes the server port names for all services you intend to work with, whether those services are running on the firewall machine or on some other machine. For example, if you intend to use ssh to connect to another system, make sure that the line

    ssh 22/tcp

is in /etc/services. Entries that might be missing include:

    ftp-data    20/tcp
    ssh         22/tcp      #Secure shell
    linuxconf   98/tcp
    squid       3128/tcp    #Squid proxy cache requests
    icp         3130/udp    #Inter Cache Protocol, used in squid

It is not necessary to include entries for services that you don't use. Also, do _not_ place entries for _client_ ports in this file; Mason assumes anything referenced in this file is a server port. For example, even though one of the client ports used for ssh is 1022/tcp, you would _not_ place this in /etc/services. Doing so would cause Mason to provide incorrect rules.

Prepare the routing table and interfaces.

Mason assumes that the routing table and interfaces are set up to match the way the final firewall will run. If you're running this on the actual firewall machine and all the interfaces and networks have been configured, proceed to the next step. You'll need to put in IP addresses and networks to match the way the final machine will be configured.
If you have any IP addresses that are not live, simply create fake ones with commands like these:

    /sbin/ifconfig eth0:1 172.16.0.1 up
    /sbin/ifconfig eth0:2 172.18.12.94 up

Similarly, fake networks can be simulated with:

    /sbin/route add -net 172.17.0.0 netmask 255.255.0.0 dev lo

You only need to add fake IPs or networks if they are not already present.

Make a directory for the firewall

I suggest /etc/firewall. If you'd like to use the "ruleshell" script I include, copy it to this directory.

    mkdir /etc/firewall
    chmod 700 /etc/firewall    #Probably not a good idea to let anyone see the firewall
    chown root:root /etc/firewall
    cp /usr/doc/mason-0.10.0/ruleshell /etc/firewall
    chmod 700 /etc/firewall/ruleshell
    chown root:root /etc/firewall/ruleshell

Place any known rules in /etc/firewall/fixed-rules

If you know some rules you'll need already, put them in this file. For example, if you know you'll need to masquerade all traffic from the 172.16.0.0/255.255.0.0

If you don't know of any, no problem.

Clean up

If you added any new interfaces or networks just to run Mason, they can be removed with commands like the following:

    /sbin/ifconfig eth0:1 172.16.0.1 down
    /sbin/ifconfig eth0:2 172.18.12.94 down
    /sbin/route del -net 172.17.0.0 netmask 255.255.0.0
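
For the /etc/services preparation step at the start of this quickstart, the check below is an added example, not part of Mason or of the original document. It reports server entries from the list above that are missing or sit on a different port, and flags the client port the text warns about; the names check_services, REQUIRED, CLIENT_PORTS and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of Mason: audit a services file before running it.
# Server entries the quickstart lists as commonly missing.
REQUIRED='ftp-data 20/tcp
ssh 22/tcp
linuxconf 98/tcp
squid 3128/tcp
icp 3130/udp'
# Client ports that must not be listed; 1022/tcp is the one the page names.
CLIENT_PORTS='1022/tcp'

# check_services FILE: print one line per problem, return 1 if any were found.
#   CLIENTPORT = entry Mason would treat as a server port
#   MISSING    = required entry absent, CONFLICT = name is on another port
check_services() {
    printf '%s\n' "$REQUIRED" | awk -v client="$CLIENT_PORTS" '
        BEGIN { n = split(client, c, " "); for (i = 1; i <= n; i++) bad_port[c[i]] = 1 }
        phase != 2 {                        # pass 1: the services file
            sub(/#.*/, "")                  # drop comments
            if (NF < 2) next                # blank or malformed line
            if ($2 in bad_port) { print "CLIENTPORT " $1 " " $2; bad = 1 }
            split($2, pp, "/")              # pp[1] = port, pp[2] = protocol
            for (i = 1; i <= NF; i++)       # official name plus any aliases
                if (i != 2) have[$i "/" pp[2]] = pp[1]
            next
        }
        {                                   # pass 2: required entries on stdin
            split($2, pp, "/"); key = $1 "/" pp[2]
            if (!(key in have)) {
                print "MISSING " $1 " " $2; bad = 1
            } else if (have[key] != pp[1]) {
                print "CONFLICT " $1 " " $2 " (file has " have[key] "/" pp[2] ")"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1" phase=2 -
}

# Constructed sample file, for demonstration only.
sample_services() {
    cat <<'EOF'
ftp-data    20/tcp
ssh         2222/tcp    # constructed: wrong port
squid       3128/tcp    webcache-proxy
ssh-client  1022/tcp    # constructed: client port, should not be listed
EOF
}

tmp=$(mktemp) && sample_services > "$tmp" && { check_services "$tmp" || true; rm -f "$tmp"; }
```

On the real system, run `check_services /etc/services` and resolve every reported line before letting Mason generate rules.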