* firewall rules
@ 2003-04-14 14:00 Payal Rathod
2003-04-14 17:18 ` Michael K
0 siblings, 1 reply; 4+ messages in thread
From: Payal Rathod @ 2003-04-14 14:00 UTC (permalink / raw)
To: netfilter
Hi,
I have made a few firewall rules, almost stolen from IP-Masquerading
HOWTO. Can you please check them and tell about any loopholes.
I have a lan of 15 computers and a central linux server. Users can
telnet, ping, http, ssh, pop3, smtp in this linux box if only they
belong to the lan.
Also, users of the lan have internet access to everything except www,
how do I mention it? Only ip 192.168.10.1, 192.168.10.3, 192.168.10.10
have www net access also. Rest no.
So as not to waste bandwidth I have put the rules on my site at
www.geocities.com/rpayal99/firewall-b1.txt Please have a look at them
and suggest changes. For security I have just made a small change to
external IP, but the rest of all the rules are kept as they are.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
www.geocities.com/rpayal99
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: firewall rules
2003-04-14 14:00 firewall rules Payal Rathod
@ 2003-04-14 17:18 ` Michael K
0 siblings, 0 replies; 4+ messages in thread
From: Michael K @ 2003-04-14 17:18 UTC (permalink / raw)
To: 'Payal Rathod'; +Cc: netfilter
#Here you go. I haven't tried the syntax.
INTERNAL_INTERFACE='eth0'
EXTERNAL_INTERFACE='eth1'
EXTERNAL_IP=`ifconfig $EXTERNAL_INTERFACE | awk '/inet/ { print $2 }' |
awk -F ":" '{ print $2 }'`
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F
Iptables -t mangle -F
#ESTABLISHED,RELATED
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#SSH
iptables -A INPUT -p tcp -s 192.168.10.0/24 --sport 512: --dport 22 -j
ACCEPT
#Telnet (Only use if you must, ssh is better)
iptables -A INPUT -p tcp -s 192.168.10.0/24 --sport 1024: --dport 23 -j
ACCEPT
#SMTP
iptables -A INPUT -p tcp -s 192.168.10.0/24 --sport 1024: --dport 25 -j
ACCEPT
#POP3
iptables -A INPUT -p tcp -s 192.168.10.0/24 --sport 1024: --dport 110 -j
ACCEPT
#FTP
iptables -A INPUT -p tcp -s 192.168.10.0/24 --sport 1024: --dport 21 -j
ACCEPT
#Web
iptables -A INPUT -p tcp -s 192.168.10.0/24 --sport 1024: -m multiport
--dports 80,443 -j ACCEPT
#Ping
iptables -A INPUT -p ICMP -s 192.168.10.0/24 --icmp-type echo-request -j
ACCEPT
#Surfing from the firewall
iptables -A OUTPUT -p tcp --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
#Internet sharing
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT --to
$EXTERNAL_IP
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp
-s 192.168.10.1 --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp
-s 192.168.10.3 --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp
-s 192.168.10.1 --dport 443 -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp
-s 192.168.10.3 --dport 443 -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s
192.168.10.0/24 --dport ! 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#/Klintan
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Payal Rathod
> Sent: Monday, April 14, 2003 4:00 PM
> To: netfilter@lists.netfilter.org
> Subject: firewall rules
>
>
> Hi,
> I have made a few firewall rules, almost stolen from
> IP-Masquerading HOWTO. Can you please check them and tell
> about any loopholes. I have a lan of 15 computers and a
> central linux server. Users can telnet, ping, http, ssh,
> pop3, smtp in this linux box if only they belong to the lan.
> Also, users of the lan have internet access to everything
> except www, how do I mention it? Only ip 192.168.10.1,
> 192.168.10.3, 192.168.10.10 have www net access also. Rest no.
>
> So as not to waste bandwidth I have put the rules on my site
> at www.geocities.com/rpayal99/firewall-b1.txt Please have a
> look at them and suggest changes. For security I have just
> made a small change to external IP, but the rest of all the
> rules are kept as they are.
>
> With warm regards,
> -Payal
>
>
>
> --
> "Visit GNU/Linux Success Stories"
> www.geocities.com/rpayal99
> Guest-Book Section Updated.
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* firewall rules
@ 2002-09-11 14:12 Scott van Looy
2002-09-11 17:36 ` Antony Stone
0 siblings, 1 reply; 4+ messages in thread
From: Scott van Looy @ 2002-09-11 14:12 UTC (permalink / raw)
To: netfilter
I'm using ADSL and have 6 IP addresses available - So I've (starting from
an example firewall I found on the internet) slowly built the IPtables
stuff up to the following mess :)
I was wondering if any of you expert types could look it over and give me
pointers as to where I might be able to improve upon the rules, etc.
Also, if I'm using pre and postrouting, do these filters bypass the
FORWARD chain? If so I'm probably wasting my time with lots of the forward
rules ;)
It's meant to block any port below 1024 except for exceptions and
provide 1:1 NAT for my internal network
Here goes!
#Default rules (there's no problem with a default accept on output is
#there?)
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -F
echo " Assigning IPs"
/sbin/ifconfig ppp0:1 213.152.47.234 netmask 255.255.255.248
/sbin/ifconfig ppp0:2 213.152.47.235 netmask 255.255.255.248
/sbin/ifconfig ppp0:3 213.152.47.236 netmask 255.255.255.248
/sbin/ifconfig ppp0:4 213.152.47.237 netmask 255.255.255.248
/sbin/ifconfig ppp0:5 213.152.47.238 netmask 255.255.255.248
echo " Setting pre and post routing"
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.2 -o ppp0 -j SNAT \
--to-source 213.152.47.234
$IPTABLES -t nat -A PREROUTING -i ppp0 -d 213.152.47.234 -j DNAT \
--to-destination 192.168.0.2
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.27 -o ppp0 -j SNAT \
--to-source 213.152.47.235
$IPTABLES -t nat -A PREROUTING -i ppp0 -d 213.152.47.235 -j DNAT \
--to-destination 192.168.0.27
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.3 -o ppp0 -j SNAT \
--to-source 213.152.47.236
$IPTABLES -t nat -A PREROUTING -i ppp0 -d 213.152.47.236 -j DNAT \
--to-destination 192.168.0.3
#Is setting the forward here setting it to globally forward
# everything thus making the rest of the forward ruleset pintless?
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#Forward rules for other machines on the internal network
#Open ports > 1023
$IPTABLES -A FORWARD -p tcp --dport ! 0:1023 -j ACCEPT
$IPTABLES -A FORWARD -p udp --destination-port ! 0:1023 -j ACCEPT
#Except certain stuff (Netmeeting/SSH/dns/identd/etc)
$IPTABLES -A FORWARD -p udp --destination-port 111 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 111 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 522 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p udp --destination-port 53 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -j ACCEPT
#Input rules for the firewall/server
#Open ports > 1023
$IPTABLES -A INPUT -p tcp --dport ! 0:1023 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port ! 0:1023 -j ACCEPT
#Except certain stuff (Netmeeting/SSH/dns/http/etc)
$IPTABLES -A INPUT -i $INTIF -p udp --destination-port 137 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 111 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 111 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 389 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 522 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 138 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
#Stuff to transparent proxy using squid
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j \
REDIRECT --to-port 3128
#Stuff to enable Netmeeting/MSN
$IPTABLES -t nat -A PREROUTING -i br0 -p tcp --dport 1863 -j \
REDIRECT --to-ports 1863
$IPTABLES -t nat -A PREROUTING -i br0 -p tcp --dport 389 -j \
REDIRECT --to-ports 389
$IPTABLES -t nat -A PREROUTING -i br0 -p tcp --dport 522 -j \
REDIRECT --to-ports 522
How's that? Is it likely to be reasonably secure?
Regards,
Scott
--
Scott van Looy - email:me@ethosuk.org.uk | web:www.ethosuk.org.uk
PGP Fingerprint: 7180 5543 C6C4 747B 7E74 802C 7CF9 E526 44D9 D4A7
-------------------------------------------
|/// /// /// /// WIDE LOAD /// /// /// ///|
-------------------------------------------
A tall, dark stranger will have more fun than you.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: firewall rules
2002-09-11 14:12 Scott van Looy
@ 2002-09-11 17:36 ` Antony Stone
0 siblings, 0 replies; 4+ messages in thread
From: Antony Stone @ 2002-09-11 17:36 UTC (permalink / raw)
To: netfilter
On Wednesday 11 September 2002 3:12 pm, Scott van Looy wrote:
> Also, if I'm using pre and postrouting, do these filters bypass the
> FORWARD chain? If so I'm probably wasting my time with lots of the forward
> rules ;)
No. PREROUTING and POSTROUTING are for address translation (you *can*
filter in these chains, but you *really* shouldn't...). FORWARD is for
filtering, and you do have to have the right combination of rules in both /
all three chains to get things working.
> #Default rules (there's no problem with a default accept on output is
> #there?)
Not really, no. It only becomes a problem if your firewall gets rooted and
someone starts running an application you don't want on it, generating
packets to the Internet. If someone else has got that far, though, they can
probably turn your firewall rules off altogether, though.
> $IPTABLES -F INPUT
> $IPTABLES -P INPUT DROP
> $IPTABLES -F OUTPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F FORWARD
> $IPTABLES -P FORWARD DROP
> $IPTABLES -t nat -F
Very nice.
> echo " Assigning IPs"
> /sbin/ifconfig ppp0:1 213.152.47.234 netmask 255.255.255.248
> /sbin/ifconfig ppp0:2 213.152.47.235 netmask 255.255.255.248
> /sbin/ifconfig ppp0:3 213.152.47.236 netmask 255.255.255.248
> /sbin/ifconfig ppp0:4 213.152.47.237 netmask 255.255.255.248
> /sbin/ifconfig ppp0:5 213.152.47.238 netmask 255.255.255.248
>
> echo " Setting pre and post routing"
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.2 -o ppp0 -j SNAT \
> --to-source 213.152.47.234
> $IPTABLES -t nat -A PREROUTING -i ppp0 -d 213.152.47.234 -j DNAT \
> --to-destination 192.168.0.2
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.27 -o ppp0 -j SNAT \
> --to-source 213.152.47.235
> $IPTABLES -t nat -A PREROUTING -i ppp0 -d 213.152.47.235 -j DNAT \
> --to-destination 192.168.0.27
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.3 -o ppp0 -j SNAT \
> --to-source 213.152.47.236
> $IPTABLES -t nat -A PREROUTING -i ppp0 -d 213.152.47.236 -j DNAT \
> --to-destination 192.168.0.3
All looks fine so far.
> #Is setting the forward here setting it to globally forward
> # everything thus making the rest of the forward ruleset pintless?
>
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
Okay, so this rule allows absolutely everything outbound.
Doesn't mean the rest of the rules are pointless, because you may want to
allow some stuff inbound. You won't be able to restrict anything outbound
after this rule, though.
> #Forward rules for other machines on the internal network
> #Open ports > 1023
> $IPTABLES -A FORWARD -p tcp --dport ! 0:1023 -j ACCEPT
> $IPTABLES -A FORWARD -p udp --destination-port ! 0:1023 -j ACCEPT
Ugh :-( What are these rules for ??? Why do you want absolutely anything
to get in from the outside on high ports !?
> #Except certain stuff (Netmeeting/SSH/dns/identd/etc)
> $IPTABLES -A FORWARD -p udp --destination-port 111 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 111 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 522 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A FORWARD -p udp --destination-port 53 -j ACCEPT
> $IPTABLES -A FORWARD -p icmp -j ACCEPT
Are you *sure* you want to allow port 111 in ?
The rest I can understand, except for port 522 - what's that ?
> #Input rules for the firewall/server
>
> #Open ports > 1023
> $IPTABLES -A INPUT -p tcp --dport ! 0:1023 -j ACCEPT
> $IPTABLES -A INPUT -p udp --destination-port ! 0:1023 -j ACCEPT
Ugh again. Makes me think you haven't heard of connection tracking and
using -m state --state ESTABLISHED,RELATED ?
> #Except certain stuff (Netmeeting/SSH/dns/http/etc)
> $IPTABLES -A INPUT -i $INTIF -p udp --destination-port 137 -j ACCEPT
> $IPTABLES -A INPUT -p udp --destination-port 111 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 111 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 389 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 522 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
> $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
> $IPTABLES -A INPUT -p udp --destination-port 138 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j ACCEPT
Seems like a surprising amount of stuff to allow in to your firewall ? Are
yu really running all these services on the firewall box itself ?
> #Stuff to transparent proxy using squid
> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j \
> REDIRECT --to-port 3128
Fair enough.
> #Stuff to enable Netmeeting/MSN
> $IPTABLES -t nat -A PREROUTING -i br0 -p tcp --dport 1863 -j \
> REDIRECT --to-ports 1863
> $IPTABLES -t nat -A PREROUTING -i br0 -p tcp --dport 389 -j \
> REDIRECT --to-ports 389
> $IPTABLES -t nat -A PREROUTING -i br0 -p tcp --dport 522 -j \
> REDIRECT --to-ports 522
Ah. So that explains what some of the port numbers I didn't recognise are
for. Fair enough.
> How's that? Is it likely to be reasonably secure?
Not bad except that I *really* don't like the "allow all access to high
ports" policy, and I'm not convinced that you need all those rules in your
INPUT chain.
Do you know that iptables is different from ipchains, and packets going
*through* an iptables firewall traverse only the FORWARD filtering chain, not
INPUT or OUTPUT as well ?
I also think you should find out about connection tracking, and consider
whether a rule such as
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
at the top of your ruleset would help you get rid of that "open all high
ports" policy.
Hope this helps,
Antony.
--
If at first you don't succeed, destroy all the evidence that you tried.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-04-14 17:18 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-04-14 14:00 firewall rules Payal Rathod
2003-04-14 17:18 ` Michael K
-- strict thread matches above, loose matches on Subject: below --
2002-09-11 14:12 Scott van Looy
2002-09-11 17:36 ` Antony Stone
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.