* Bad Filter Set?
@ 2002-11-07 17:05 Dan Egli
  2002-11-09 14:41 ` Antony Stone
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Egli @ 2002-11-07 17:05 UTC (permalink / raw)
  To: netfilter

I'm a bit lost here, so hopefully someone can work with me on this. I
created a firewall script that is intended to  block most attempts for
access to the system, while allowing certain protocols (i.e. http, Telnet,
ftp, ssh, etc..) to go through. It also needs to do Masquerading. I am very
new to IpTables (or even firewalls in general) so I'm not completely 100%
surprised when this script fails. However, it seems to close down ALL access
to the machine, even on ports that were specifically allowed!?  I'm
attaching my firewall script to this email. Someone please tell me what I
did wrong?

Remember, this filter needs to do two things (in addition to blocking the
ports). 1) Needs to perform generalized IP Masquerading.  2)(this part is
not done and so is not in the script) Needs to forward all incoming traffic
on ports: 8000, 8080, and 8021 to the machine 192.168.0.5. The port #s will
not change.

Thanks!
Dan

P.S. I edited the file on a WinXP machine so it's in DOS text format. Sorry
folks.

[-- Attachment #2: fwscript --]
[-- Type: application/octet-stream, Size: 30034 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Bad Filter Set?
  2002-11-07 17:05 Bad Filter Set? Dan Egli
@ 2002-11-09 14:41 ` Antony Stone
  2002-11-09 16:43   ` Dan Egli
  0 siblings, 1 reply; 8+ messages in thread
From: Antony Stone @ 2002-11-09 14:41 UTC (permalink / raw)
  To: netfilter

On Thursday 07 November 2002 5:05 pm, Dan Egli wrote:

> I'm a bit lost here, so hopefully someone can work with me on this. I
> created a firewall script that is intended to  block most attempts for
> access to the system, while allowing certain protocols (i.e. http, Telnet,
> ftp, ssh, etc..) to go through. It also needs to do Masquerading.
>
> P.S. I edited the file on a WinXP machine so it's in DOS text format. Sorry
> folks.

I can't open the attachment.   Amusingly enough, when I save it and ask 'file' 
what format it is, I get the response:
fwscript: MPEG 1.0 layer 3 audio stream data,  40 kBit/s layer 2 audio stream 
data,  48 kBit/s, 44.1 kHz, stereo

(I assume you didn't read out loud your firewall rules and record them in 
audio format :-)

Please repost your ruleset in the body of the email.

Thanks,

Antony.

-- 

There are two possible outcomes.

If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi



* Re: Bad Filter Set?
  2002-11-09 14:41 ` Antony Stone
@ 2002-11-09 16:43   ` Dan Egli
  2002-11-09 17:29     ` Antony Stone
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Egli @ 2002-11-09 16:43 UTC (permalink / raw)
  To: Antony Stone, netfilter

As Requested: Firewall Rule Set:
#!/bin/bash

# first make sure the modules are loaded. ip_conntrack_ftp should load
# them all (on 2.6 and later kernels the module is called nf_conntrack_ftp)
modprobe ip_conntrack_ftp

# setup variables
INET="64.122.31.38"
EXTNET="64.122.31.36"
EXTBCST="64.122.31.39"
PRIVNET="192.168.0.2"

USERCHAINS=" EXT-input EXT-output \
tcp-state-flags connection-tracking \
source-address-check destination-address-check \
local-dns-server-query remote-dns-server-responce \
local-tcp-client-request remote-tcp-server-responce \
remote-tcp-client-request local-tcp-server-responce \
local-udp-client-request remote-udp-server-responce \
remote-udp-client-responce \
EXT-icmp-out EXT-icmp-in \
EXT-log-in EXT-log-out \
log-tcp-state "

PRIV="0:1023"
UNPRIV="1024:65535"
BCAST_SRC="0.0.0.0"
BCAST_DEST="255.255.255.255"
# RFC 1918 private ranges, multicast and the reserved class E block
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/4"
LOOPBACK="127.0.0.0/8"
TRACE_SRC_PORTS="32769:65535"
TRACE_DEST_PORTS="33434:33523"

# Setup kernel based protection measures

# no echo broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# no source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# no ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# no redirect messages FROM US
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# drop spoofed packets (reverse path filtering; 1 turns it on)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# log packets with invalid addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# next, flush the tables
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush

# traffic on loopback interface is fine.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
# /sbin/iptables -A INPUT -i eth1 -j DROP
# /sbin/iptables -A OUTPUT -o eth1 -j DROP

# at this point we have a wide open firewall

# default policy is reject packets
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -t nat --policy OUTPUT ACCEPT
/sbin/iptables -t nat --policy POSTROUTING ACCEPT
/sbin/iptables -t mangle --policy PREROUTING ACCEPT
/sbin/iptables -t mangle --policy OUTPUT ACCEPT

# remove any existing user defined chains
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain

# create the chains we need.
for i in $USERCHAINS; do
    /sbin/iptables -N $i
done

# dns queries
/sbin/iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT

# dns queries over TCP
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# eventually forward dns queries to specific servers and close this down
# some

# local tcp client, remote server
/sbin/iptables -A EXT-output -p tcp --sport $UNPRIV -j local-tcp-client-request
/sbin/iptables -A EXT-input -p tcp ! --syn --dport $UNPRIV -j remote-tcp-server-responce

# local tcp client chains
/sbin/iptables -A local-tcp-client-request -p tcp --dport 22 --syn \
    -m state --state NEW -j ACCEPT
# the server's replies come FROM port 22 (EXT-input only sends --dport $UNPRIV here)
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport 22 -j ACCEPT

# http/https/ftp controls
/sbin/iptables -A local-tcp-client-request -p tcp -m multiport \
    --destination-port 80,443,21 --syn -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp -m multiport \
    --destination-port 80,443,21 -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp -m multiport \
    --source-port 80,443,21 -j ACCEPT

# pop clients
/sbin/iptables -A local-tcp-client-request -p tcp -d $INET --dport 110 --syn \
    -m state --state NEW -j ACCEPT
#/sbin/iptables -A local-tcp-client-request -p tcp -d $PRIVNET --dport 110 --syn \
#    -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp -d $INET --dport 110 -j ACCEPT
#/sbin/iptables -A local-tcp-client-request -p tcp -d $PRIVNET --dport 110 -j ACCEPT
#/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn -s $PRIVNET --sport 110 \
#    -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn -s $INET --sport 110 \
    -j ACCEPT

# smtp mail
/sbin/iptables -A local-tcp-client-request -p tcp --dport 25 --syn \
    -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport 25 -j ACCEPT

# Usenet / NNTP
/sbin/iptables -A local-tcp-client-request -p tcp --dport 119 --syn \
    -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp --dport 119 -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport 119 -j ACCEPT

# ftp passive mode data channel connection
/sbin/iptables -A local-tcp-client-request -p tcp --dport $UNPRIV --syn \
    -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp --dport $UNPRIV -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport $UNPRIV -j ACCEPT

# TCP queries from outside world to us
/sbin/iptables -A EXT-input -p tcp --sport $UNPRIV -j remote-tcp-client-request
/sbin/iptables -A EXT-output -p tcp --dport $UNPRIV -j local-tcp-server-responce

# kludge for incoming FTP data channel from remote servers
# using PORT mode instead of PASV mode.
/sbin/iptables -A EXT-input -p tcp --sport 20 --dport $UNPRIV -j ACCEPT
/sbin/iptables -A EXT-output -p tcp --sport $UNPRIV --dport 20 -j ACCEPT

# enable SSH channel
/sbin/iptables -A remote-tcp-client-request -p tcp --dport 22 -m state --state NEW \
    -j ACCEPT
/sbin/iptables -A remote-tcp-client-request -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A local-tcp-server-responce -p tcp --sport 22 -j ACCEPT

# Local UDP client, Remote Server
/sbin/iptables -A EXT-output -p udp --sport $UNPRIV -j local-udp-client-request
/sbin/iptables -A EXT-input -p udp --dport $UNPRIV -j remote-udp-server-responce

# NTP
/sbin/iptables -A local-udp-client-request -p udp --dport 123 -m state \
    --state NEW -j ACCEPT
/sbin/iptables -A local-udp-client-request -p udp --dport 123 -j ACCEPT
# replies arrive through remote-udp-server-responce, the chain EXT-input jumps to
/sbin/iptables -A remote-udp-server-responce -p udp --sport 123 -j ACCEPT

# ICMP - Most traffic Disabled. But we need to allow certain types
# of messages through
/sbin/iptables -A EXT-input -p icmp -j EXT-icmp-in
/sbin/iptables -A EXT-output -p icmp -j EXT-icmp-out

# icmp firewall chain
# log and drop initial icmp fragments (i.e. we receive part 4 but have not
# received part 1)
/sbin/iptables -A EXT-icmp-in --fragment -j DROP
/sbin/iptables -A EXT-icmp-out --fragment -j LOG --log-prefix "Fragmented ICMP packet: "
/sbin/iptables -A EXT-icmp-out --fragment -j DROP

# state checking for ICMP
/sbin/iptables -A EXT-icmp-out -p icmp -m state --state NEW -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type echo-reply -j ACCEPT

# allow inbound pings
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type echo-request -m state --state NEW \
    -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type echo-reply -j ACCEPT

# We need to know destination unreachable, that's an icmp type
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type fragmentation-needed -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT

# Parameter problem messages should also be accepted
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT

# we also want to allow timeout messages for timeouts during routing
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT

# and of course, we need to make notes of when we have been quenched, or
# when we Quench
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type source-quench -j ACCEPT

# Now, we want to log invalid TCP/IP State Flag combinations.
# We can NEVER have ALL flags cleared or set
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ALL ALL -j log-tcp-state
# SYN and FIN cannot co-exist
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
# SYN and RST also cannot coexist
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
# FIN+RST = INVALID
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
# FIN only, no ACK = BAD!
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
# PSH only, no ACK = BAD
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
# URG only, no ACK = BAD
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state

# log and drop packets with a bad tcp state flag set
/sbin/iptables -A log-tcp-state -p tcp -j LOG --log-prefix "ILLEGAL TCP STATE: " \
    --log-ip-options --log-tcp-options
/sbin/iptables -A log-tcp-state -j DROP

# bypass rule filtering for ESTABLISHED exchanges. If we let it get started,
# we should let it finish!
/sbin/iptables -A connection-tracking -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A connection-tracking -m state --state INVALID -j LOG \
    --log-prefix "INVALID Packet: "
/sbin/iptables -A connection-tracking -m state --state INVALID -j DROP

#####################################
# refuse packets claiming to be from private networks unless they come in on
# our local interface, eth0 and showing a Class C
# Private network address
/sbin/iptables -A source-address-check -s $CLASS_A -j DROP
/sbin/iptables -A source-address-check -s $CLASS_B -j DROP
/sbin/iptables -A source-address-check -s $CLASS_C ! -i eth0 -j DROP
/sbin/iptables -A source-address-check -s $CLASS_D -j DROP
/sbin/iptables -A source-address-check -s $CLASS_E -j DROP
/sbin/iptables -A source-address-check -s $LOOPBACK -j DROP

# kill broadcasts also
/sbin/iptables -A source-address-check -s 0.0.0.0/8 -j DROP
/sbin/iptables -A source-address-check -s 169.254.0.0/16 -j DROP
# (no -j target on this rule: it only counts matching packets, it drops nothing)
/sbin/iptables -A source-address-check -s 192.168.0.0/24

######################
# dest address checks
/sbin/iptables -A destination-address-check -d $BCAST_DEST ! -i eth0 -j DROP
/sbin/iptables -A destination-address-check -d $EXTBCST -j DROP
/sbin/iptables -A destination-address-check -d $EXTNET -j DROP
/sbin/iptables -A destination-address-check ! -p udp -d $CLASS_D -j DROP

# avoid ports subject to protocol and system administration problems
/sbin/iptables -A destination-address-check -p tcp -m multiport \
    --destination-port 2049,2000,1080,3128 --syn -j DROP

# unprivileged UDP ports for NFS and LOCKD
/sbin/iptables -A destination-address-check -p udp -m multiport \
    --destination-port 2049,4045 -j DROP

# logging rules prior to dropping by default policy of DROP

# icmp rules
/sbin/iptables -A EXT-log-in -p icmp ! --icmp-type echo-request -m limit -j LOG

# tcp rules
# deny ports 0-19, and log it
/sbin/iptables -A EXT-log-in -p tcp --dport 0:19 -j LOG
# 20-23 are used by valid services
/sbin/iptables -A EXT-log-in -p tcp --dport 24 -j LOG
# 25 = SMTP, Valid
/sbin/iptables -A EXT-log-in -p tcp --dport 26:79 -j LOG
# finger was disallowed, WWW is allowed
/sbin/iptables -A EXT-log-in -p tcp --dport 81:109 -j LOG
# 110 = Pop3 - Still in use on some systems
/sbin/iptables -A EXT-log-in -p tcp --dport 112:136 -j LOG
# we BETTER allow NetBIOS
/sbin/iptables -A EXT-log-in -p tcp --dport 140:142 -j LOG
# imap is allowed!
/sbin/iptables -A EXT-log-in -p tcp --dport 144:442 -j LOG
# 443 = Https! We need it!
/sbin/iptables -A EXT-log-in -p tcp --dport 444:65535 -j LOG

# udp Rules
# no services before 111
/sbin/iptables -A EXT-log-in -p udp --dport 0:110 -j LOG
# sunrpc we want
/sbin/iptables -A EXT-log-in -p udp --dport 112:160 -j LOG
# keep snmp in case we ever use it
/sbin/iptables -A EXT-log-in -p udp --dport 163:634 -j LOG
# keep NFS, Skip PCAnywhere!
/sbin/iptables -A EXT-log-in -p udp --dport 636:31336 -j LOG
# skip TraceRoute's default ports
/sbin/iptables -A EXT-log-in -p udp --sport $TRACE_SRC_PORTS \
    --dport $TRACE_DEST_PORTS -j LOG
# skip the rest!
# (no -j target: ports above 33434 are only counted, not logged)
/sbin/iptables -A EXT-log-in -p udp --dport 33434:65535

# outgoing packets
# don't log rejected outbound ICMP destination-unreachable packets
/sbin/iptables -A EXT-log-out -p icmp --icmp-type destination-unreachable -j DROP
# Log & Drop the rest
/sbin/iptables -A EXT-log-out -j LOG

##############################################################################
# Ok. Now we need to install the chains we built into the default INPUT and
# OUTPUT chains

# if TCP, check for common stealth scan TCP state patterns
/sbin/iptables -A INPUT -p tcp -j tcp-state-flags
/sbin/iptables -A OUTPUT -p tcp -j tcp-state-flags

# bypass firewall filters for established exchanges
/sbin/iptables -A INPUT -j connection-tracking
/sbin/iptables -A OUTPUT -j connection-tracking

# test for illegal source and destination addresses in inbound packets
/sbin/iptables -A INPUT ! -p tcp -j source-address-check
/sbin/iptables -A INPUT -p tcp --syn -j source-address-check
/sbin/iptables -A INPUT -j destination-address-check

# test for illegal destination addresses in outbound packets
/sbin/iptables -A OUTPUT -j destination-address-check

# begin standard firewall tests for packets addressed to this host
/sbin/iptables -A INPUT -i eth1 -d $INET -j EXT-input

# multicast traffic
/sbin/iptables -A INPUT -i eth1 -p udp -d $CLASS_D -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p udp -d $CLASS_D -j ACCEPT

# begin standard firewall tests for packets sent from this host
# source address spoofing by this host is not allowed due to the test on
# the source address in this rule
/sbin/iptables -A OUTPUT -o eth1 -s $INET -j EXT-output

# log anything of interest that fell through,
# before the default policy drops the packet
/sbin/iptables -A INPUT -j EXT-log-in
/sbin/iptables -A OUTPUT -j EXT-log-out

# firewall is now initialized
exit 0





* Re: Bad Filter Set?
  2002-11-09 16:43   ` Dan Egli
@ 2002-11-09 17:29     ` Antony Stone
  2002-11-11  6:20       ` Dan Egli
  0 siblings, 1 reply; 8+ messages in thread
From: Antony Stone @ 2002-11-09 17:29 UTC (permalink / raw)
  To: netfilter

On Saturday 09 November 2002 4:43 pm, Dan Egli wrote:

> As Requested: Firewall Rule Set:

This is a *really* long (= complicated) firewall ruleset, given the 
requirements you posted earlier.

I really do recommend that you start from something simple and build it up 
gradually instead of starting out with something so difficult to debug as 
this.

There are a number of things in your script which I'd comment on:

> USERCHAINS=" EXT-input EXT-output \
> tcp-state-flags connection-tracking \
> source-address-check destination-address-check \
> local-dns-server-query remote-dns-server-responce \
> local-tcp-client-request remote-tcp-server-responce \
> remote-tcp-client-request local-tcp-server-responce \
> local-udp-client-request remote-udp-server-responce \
> remote-udp-client-responce \
> EXT-icmp-out EXT-icmp-in \
> EXT-log-in EXT-log-out \
> log-tcp-state "

Why on earth do you have so many user defined chains ?   Did you try putting 
rules into INPUT or FORWARD and get problems ?   Or do you just like having 
lots of chains with a rule pointing to each one ?

> # at this point we have a wide open firewall

Correct - don't you think that is a bad thing ?   It would be better to start 
with a closed firewall and slowly open it to allow traffic you want.   You 
should never have a "wide open firewall", even for a short time during 
startup.

> # default policy is reject packets
> /sbin/iptables -t nat --policy PREROUTING ACCEPT
> /sbin/iptables -t nat --policy OUTPUT ACCEPT
> /sbin/iptables -t nat --policy POSTROUTING ACCEPT
> /sbin/iptables -t mangle --policy PREROUTING ACCEPT
> /sbin/iptables -t mangle --policy OUTPUT ACCEPT

These rules do not do what the comment above them says.   Nowhere can I see 
that you have set a (recommended) default DROP policy on the filter tables in 
the INPUT and FORWARD chains.   The comment on the above rules might lull you 
into a false sense of security if you do not also read the rules and realise 
that they do not reject packets.

 
Finally, looking through your entire ruleset, I cannot see any references to 
the FORWARD chain, therefore you will not be allowing or filtering any 
packets through your firewall - which is what I think you wanted to do ?   
All the rules I can see are for INPUT and OUTPUT so they relate only to the 
firewall machine itself.
 

I really do recommend that you start with a simple ruleset which is 
sufficiently secure to plug into the Internet, and then build it up from 
there.

Try this:

# default drop policy into and through the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow established and related connections through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow anything from internal net to Internet - can be tightened up later,
# but at least we only allow outbound stuff
iptables -A FORWARD -i eth0 -j ACCEPT

# masquerade all outbound packets so we get the replies back
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 64.122.31.38

# allow packets to be routed through the machine
echo 1 >/proc/sys/net/ipv4/ip_forward
 

Antony.

-- 

If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
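The three points Antony raises above (no DROP policy on the filter table, an interface-wide ACCEPT that opens everything before any filtering, and no FORWARD rules at all) can be turned into a check that is run over a firewall script before it is loaded. The following is an added example, not code from Antony or anyone on the list: it reads the script text, ignores comments and nat/mangle lines, and prints one finding per problem. The two sample rulesets are constructed here to have the shape of the two scripts in this thread; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a static audit of an iptables shell
# script for the problems discussed above. It only reads text; nothing is
# applied to the kernel.

# Constructed sample 1: the shape of the posted script (wide-open eth0,
# policies only set on nat/mangle, nothing in FORWARD).
SAMPLE_OPEN='
/sbin/iptables --flush
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
# default policy is reject packets
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -A INPUT -p tcp -j tcp-state-flags
'

# Constructed sample 2: the shape of the suggested replacement (default
# DROP on INPUT and FORWARD, FORWARD rules present, no interface-wide ACCEPT).
SAMPLE_CLOSED='
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 64.122.31.38
'

# Keep only filter-table lines: drop comments and anything with -t nat/-t mangle.
filter_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Ev -- '-t[[:space:]]*(nat|mangle)'
}

# Print one finding per line. Always returns 0 so it is safe under "set -e".
audit_ruleset() {
    lines=$(filter_lines "$1" || true)

    # 1. The filter table needs an explicit DROP policy on INPUT and FORWARD;
    #    the built-in default is ACCEPT, whatever a comment says.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$lines" \
            | grep -Eq -- "(-P|--policy)[[:space:]]+$chain[[:space:]]+DROP"; then
            echo "no default DROP policy on filter/$chain (unmatched traffic is accepted)"
        fi
    done

    # 2. An INPUT rule whose only match is an interface and whose target is
    #    ACCEPT admits everything from that interface; loopback is the exception.
    printf '%s\n' "$lines" \
        | grep -E -- '-A[[:space:]]+INPUT[[:space:]]+-i[[:space:]]+[a-z0-9]+[[:space:]]+-j[[:space:]]+ACCEPT' \
        | grep -v -- '-i[[:space:]]*lo[[:space:]]' \
        | while read -r l; do echo "unconditional interface ACCEPT on INPUT: $l"; done

    # 3. Without FORWARD rules nothing is routed through the box at all
    #    (with a DROP policy) or everything is (without one).
    if ! printf '%s\n' "$lines" | grep -Eq -- '(-A|--append)[[:space:]]+FORWARD'; then
        echo "no FORWARD rules: routed packets are neither filtered nor allowed"
    fi
    return 0
}

# Number of findings, for scripting ("0" means clean).
audit_count() { audit_ruleset "$1" | wc -l | tr -d ' '; }
```

Usage is `audit_ruleset "$(cat fwscript)"` on a saved script. The checks are textual, so a rule written with a variable such as `-i $EXT_IF` is not recognised as an interface-wide accept; expand variables (for example by auditing the output of `iptables-save`) before relying on it.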



* Re: Bad Filter Set?
  2002-11-09 17:29     ` Antony Stone
@ 2002-11-11  6:20       ` Dan Egli
  2002-11-11 13:35         ` Anders Fugmann
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Egli @ 2002-11-11  6:20 UTC (permalink / raw)
  To: netfilter

I took the firewall script based on an "optimized firewall" from an IPTABLES
book (Linux Firewalls was the title). I know near 0 about IPTables, which is
why I used the book as an example. I also wanted to be able to enable or
disable certain services without adding or removing lines, because I
*THOUGHT* it was best that way. Please realize I'm coming from a Windows
environment. I want to learn as much as I can about IPTables, but the only
book I've seen (the one I mentioned earlier) seems very complicated. I've
read through the how-tos, but for someone like me they just don't seem to
click. I could not define exactly why, just that when I read them I quickly
get lost with all the stuff about DNAT vs. SNAT vs. whatever and how each
packet works with those.

And as to the default policy comment, it was originally that they all
said -j DROP, but that killed the network completely. When I set them to -j
ACCEPT (I know, bad idea) it unlocks the network. This is kinda a hacked
script that I went through to just get the network up and running again.

If you could provide a different How-To than the one written by Rusty, I'd
happily look at it. And in the mean time, if you can please provide a script
that will do what I stated?? To clarify, I need a script (commented would
help!) that does the following:

1) Block all ports EXCEPT:
FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP,
ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000
(special programs run on those ports and they need to be open).

2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a
Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards
it to 192.168.0.5 5000,  and any packets sent from 192.168.0.5:5000 [which
would only be in reply to an inbound packet] should appear as coming from
192.168.0.1:5000). Here's a basic setup of the machine so you have that to
go on:

EXTERNAL IP:  64.122.31.38 on eth1
internal IP: 192.168.0.1 on eth0

3) Perform basic IP Masquerading for unlisted machines on the 192.168.0.x
net. So if a machine addressed as 192.168.0.26 requests www.yahoo.com, it
goes in from eth0, then goes out eth1 as from eth1's address, and the return
comes in eth1 and goes back out eth0 to the correct machine.

4) Log any blocked traffic in the syslog.

Your help is greatly appreciated!


* Re: Bad Filter Set?
  2002-11-11  6:20       ` Dan Egli
@ 2002-11-11 13:35         ` Anders Fugmann
  2002-11-12 23:31           ` Dan Egli
  0 siblings, 1 reply; 8+ messages in thread
From: Anders Fugmann @ 2002-11-11 13:35 UTC (permalink / raw)
  To: Dan Egli; +Cc: netfilter

Dan Egli wrote:
> 
> 1) Block all ports EXCEPT:
> FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP,
> ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000
> (special programs run on those ports and they need to be open).
You do realize that many of these protocols are very insecure, and 
should not be opened to the public. Also do you really want to allow 
everyone (on the intra- and inter-net) to use your printers?

> 
> 2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a
> Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards
> it to 192.168.0.5 5000,  and any packets sent from 192.168.0.5:5000 [which
> would only be in reply to an inbound packet] should appear as coming from
> 192.168.0.1:5000). Here's a basic setup of the machine so you have that to
> go on:
This is impossible. A machine with IP 192.168.0.6 cannot be redirected 
to 192.168.0.5 through 192.168.0.1. But in the example below, all 
connections to 64.122.31.38:5000 (through eth1) will be redirected to 
192.168.0.5.

> 
> EXTERNAL IP:  64.122.31.38 on eth1
> internal IP: 192.168.0.1 on eth0
> 
> 3) Perform basic IP Masquerading for unlisted machines on the 192.168.0.x
> net. So if a machine addressed as 192.168.0.26 requests www.yahoo.com, it
> goes in from eth0, then goes out eth1 as from eth1's address, and the return
> comes in eth1 and goes back out eth0 to the correct machine.
> 
> 4) Log any blocked traffic in the syslog.
> 
> Your help is greatly appreciated!
> 
Here are your rules. I have not tested them, so minor changes may be 
necessary.
--------------------------------

# Set default policies.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Flush all tables (the table name is lowercase "nat"; "-t NAT" is rejected).
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# Services by port number, since multiport only resolves names exactly as
# they are spelled in /etc/services:
# SMTP 25, DNS 53, NNTP 119, POP3 110, IMAP 143, HTTP 80, HTTPS 443,
# PRINTER 515, plus 4000 and 5000.
iptables -A INPUT -p tcp -m multiport --dports \
   25,53,119,110,143,80,443,515,4000,5000 -j ACCEPT
# DNS, NTP (123) and ROUTED (520) are UDP services.
iptables -A INPUT -p udp -m multiport --dports 53,123,520 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The DNATed connections below arrive on eth1 as NEW and must pass FORWARD too.
iptables -A FORWARD -i eth1 -p tcp -d 192.168.0.5 --dport 5000 -j ACCEPT
iptables -A FORWARD -j LOG

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 \
   -j DNAT --to-destination 192.168.0.5:5000

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38

echo 1 > /proc/sys/net/ipv4/ip_forward
-------------------------

Regards
Anders Fugmann
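The same four requirements, written as a complete script the way Antony recommends: closed by default, then opened per service and per interface, with the DNATed connections also allowed through FORWARD, the log rules rate-limited so a port scan cannot fill syslog, and an explicit DROP after each LOG. This is an added example, not Anders's script or anything posted in the thread. The addresses, interface names and the port list are the ones Dan gave; the choice of which services the Internet side may reach (SMTP, FTP, telnet, SSH, 4000 and 5000, from Dan's later clarification) and the function and variable names are assumptions. Run with no argument it only defines functions; `--print` prints the commands and `--apply` (as root) loads them.

```shell
#!/bin/sh
# Added example (not from the thread): the four requirements as a
# default-deny ruleset. Nothing touches the kernel unless run with --apply.

EXT_IF=eth1             # Internet side, 64.122.31.38 (from the thread)
INT_IF=eth0             # LAN side, 192.168.0.1 (from the thread)
EXT_IP=64.122.31.38
LAN_NET=192.168.0.0/24
FWD_HOST=192.168.0.5    # req. 2: receives the public port 5000
FWD_PORT=5000

# req. 1, by port number (multiport resolves names only as spelled in
# /etc/services): ftp ssh telnet smtp dns nntp pop3 imap http https printer 4000 5000
LAN_TCP="21,22,23,25,53,119,110,143,80,443,515,4000,5000"
LAN_UDP="53,123,520"    # dns, ntp, routed (RIP) are UDP services
# Assumption: only this subset is reachable from the Internet; 5000 is
# DNATed to $FWD_HOST rather than served on the firewall itself.
EXT_TCP="21,22,23,25,4000"

IPT=${IPT:-iptables}

# Print the commands, one per line, in the order they must be loaded.
emit_rules() {
    cat <<EOF
# FTP data-connection helper (older kernels name it ip_conntrack_ftp)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || true
# closed by default: whatever matches no rule below is dropped (req. 1)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -X
# loopback, replies to connections we started, and packets conntrack rejects
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
# the LAN may reach every listed service, the Internet only the short list
$IPT -A INPUT -i $INT_IF -s $LAN_NET -p tcp -m multiport --dports $LAN_TCP -j ACCEPT
$IPT -A INPUT -i $INT_IF -s $LAN_NET -p udp -m multiport --dports $LAN_UDP -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p tcp -m multiport --dports $EXT_TCP -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# req. 4: log what is about to be dropped, rate-limited so a scan cannot flood syslog
$IPT -A INPUT -m limit --limit 10/min -j LOG --log-prefix "INPUT DROP: "
$IPT -A INPUT -j DROP
# req. 3: LAN to Internet, and the replies back
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
# req. 2: the DNATed connections arrive as NEW and need their own FORWARD rule
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $FWD_HOST --dport $FWD_PORT -j ACCEPT
$IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FORWARD DROP: "
$IPT -A FORWARD -j DROP
# req. 2: public port $FWD_PORT -> $FWD_HOST; req. 3: the LAN leaves as $EXT_IP
$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_HOST:$FWD_PORT
$IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $EXT_IP
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Load the rules; "sh -e" stops at the first iptables error instead of
# leaving a half-built ruleset behind.
apply_rules() { emit_rules | sh -e; }

case "${1:-}" in
    --print) emit_rules ;;
    --apply) apply_rules ;;
esac
```

Because the policies are set to DROP before the flush, there is no window during loading in which the box is open, which is the "wide open firewall" problem Antony points out in the original script. The LOG rules sit immediately before the explicit DROPs, so everything that reaches syslog is exactly what was refused.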





* Re: Bad Filter Set?
  2002-11-11 13:35         ` Anders Fugmann
@ 2002-11-12 23:31           ` Dan Egli
  2002-11-13  0:31             ` Anders Fugmann
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Egli @ 2002-11-12 23:31 UTC (permalink / raw)
  To: Anders Fugmann; +Cc: netfilter

On Mon, 11 Nov 2002, Anders Fugmann wrote:

> Dan Egli wrote:
> > 
> > 1) Block all ports EXCEPT:
> > FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP,
> > ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000
> > (special programs run on those ports and they need to be open).
> You do realize that many of these protocols are very insecure, and 
> should not be opened to the public. Also do you really want to allow 
> everyone (on the intra- and inter-net) to use your printers?

Ok. This is true, so let me clarify. the INTERNAL net should have access 
to all those. The EXTERNAL side needs:
SMTP, FTP, TELNET, SSH, 4000 & 5000
> 
> > 
> > 2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a
> > Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards
> > it to 192.168.0.5 5000,  and any packets sent from 192.168.0.5:5000 [which
> > would only be in reply to an inbound packet] should appear as coming from
> > 192.168.0.1:5000). Here's a basic setup of the machine so you have that to
> > go on:
> This is impossible. A machine with IP 192.168.0.6 cannot be redirected 
> to 192.168.0.5 through 192.168.0.1. But in the example below, all 
> connections to 64.122.31.38:5000 (through eth1) will be redirected to 
> 192.168.0.5.
That is what I wanted. On the internal side all machines will have access 
to the 192.168.0.5 machine directly, no need for nat. It was only for 
external that this was needed. 


* Re: Bad Filter Set?
  2002-11-12 23:31           ` Dan Egli
@ 2002-11-13  0:31             ` Anders Fugmann
  0 siblings, 0 replies; 8+ messages in thread
From: Anders Fugmann @ 2002-11-13  0:31 UTC (permalink / raw)
  To: Dan Egli; +Cc: netfilter

Dan Egli wrote:
> Ok. This is true, so let me clarify. the INTERNAL net should have access 
> to all those. The EXTERNAL side needs:
> SMTP, FTP, TELNET, SSH, 4000 & 5000
Ok. I have modified the script to accommodate this.
--------------------------------

# Set default policies: drop anything not explicitly accepted.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Flush all chains. The table is called "nat" (lower case); "NAT" is rejected.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# FTP data connections only count as RELATED once the helper is loaded
# (2.4 kernel module names).
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Local daemons talk to each other over lo; the DROP policy would cut that off.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Reachable from both sides. (The original posting left off the -j ACCEPT,
# so this rule matched but accepted nothing and the policy dropped it all.)
iptables -A INPUT -p tcp -m multiport --dports \
     smtp,ftp,telnet,ssh,4000,5000 -j ACCEPT
# Reachable from the internal net (eth0) only.
iptables -A INPUT -p tcp -i eth0 -m multiport --dports \
    telnet,domain,nntp,ntp,printer,pop3,imap,http,https \
    -j ACCEPT
iptables -A INPUT -p udp -i eth0 -m multiport --dports \
    domain,ntp,route -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT drop: "

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections that PREROUTING has rewritten to 192.168.0.5:5000 arrive
# on eth1 and would otherwise fall through to the DROP policy.
iptables -A FORWARD -i eth1 -p tcp -d 192.168.0.5 --dport 5000 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FORWARD drop: "

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 \
    -j DNAT --to-destination 192.168.0.5:5000

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38

echo 1 > /proc/sys/net/ipv4/ip_forward
-------------------------

Regards
Anders Fugmann
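Neither rule set in this thread was tested before it was posted, and the symptom Dan opened with (everything closed, even on ports that were supposedly allowed) is exactly what a first-match walk through the chains would have shown. The Python below is an added example, not code from the thread or from the netfilter project: it models the INPUT and FORWARD chains of Anders' revised script twice, once as he first posted it (the first INPUT rule carries no -j target, and FORWARD accepts new connections only when they arrive on eth0) and once with those two points corrected, and runs a few constructed packets through both. The addresses, interfaces and port lists are the ones from the thread and the port numbers are the usual /etc/services values; the conntrack state on each probe packet is an assumption of the model, which does not track connections, and 66.94.234.13 is a made-up stand-in for a host on the Internet.

```python
# Added example (not code from this thread or from netfilter): a first-match
# model of the INPUT and FORWARD chains, used to dry-run the posted rule set.
# It does not track connections; each probe's conntrack state is supplied by hand.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LOCAL_ADDRS = {"64.122.31.38", "192.168.0.1"}  # the firewall's own addresses (from the thread)

@dataclass
class Packet:
    iface: str          # interface the packet arrived on (-i)
    proto: str          # "tcp" or "udp"
    dst: str            # destination address
    dport: int          # destination port
    state: str = "NEW"  # what -m state would report; assumed, not tracked

@dataclass
class Rule:
    target: Optional[str] = None        # -j ACCEPT/DROP/LOG, or None when -j was left off
    in_iface: Optional[str] = None      # -i
    proto: Optional[str] = None         # -p
    dst: Optional[str] = None           # -d
    dports: Optional[Set[int]] = None   # --dport or -m multiport --dports
    states: Optional[Set[str]] = None   # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dports is None or p.dport in self.dports)
                and (self.states is None or p.state in self.states))

def walk(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, bool]:
    """First terminating match wins.  LOG matches and falls through; so does a
    rule with no -j at all (it only counts).  Returns (verdict, was_logged)."""
    logged = False
    for r in chain:
        if not r.matches(p):
            continue
        if r.target == "LOG":
            logged = True
        elif r.target is not None:
            return r.target, logged
    return policy, logged

def prerouting(p: Packet) -> Packet:
    """nat PREROUTING from the thread: -i eth1 -p tcp --dport 5000 -j DNAT
    --to-destination 192.168.0.5:5000.  DNAT happens before the routing
    decision, so the rewritten destination decides between INPUT and FORWARD."""
    if p.iface == "eth1" and p.proto == "tcp" and p.dport == 5000:
        return Packet(p.iface, p.proto, "192.168.0.5", 5000, p.state)
    return p

def filter_packet(p: Packet, input_chain: List[Rule],
                  forward_chain: List[Rule]) -> Tuple[str, str]:
    """Return (chain the packet went to, verdict); both policies are DROP."""
    p = prerouting(p)
    if p.dst in LOCAL_ADDRS:
        return "INPUT", walk(input_chain, "DROP", p)[0]
    return "FORWARD", walk(forward_chain, "DROP", p)[0]

# Port lists from the revised script, names resolved as /etc/services does.
EXTERNAL = {25, 21, 23, 22, 4000, 5000}                    # smtp,ftp,telnet,ssh,4000,5000
INTERNAL_TCP = {23, 53, 119, 123, 515, 110, 143, 80, 443}  # telnet,domain,nntp,ntp,printer,pop3,imap,http,https
INTERNAL_UDP = {53, 123, 520}                              # domain,ntp,route
REPLIES = {"RELATED", "ESTABLISHED"}

# The chains as first posted: the first INPUT rule has no -j, and FORWARD
# accepts NEW connections only when they arrive on eth0.
INPUT_AS_POSTED = [
    Rule(None, proto="tcp", dports=EXTERNAL),
    Rule("ACCEPT", in_iface="eth0", proto="tcp", dports=INTERNAL_TCP),
    Rule("ACCEPT", in_iface="eth0", proto="udp", dports=INTERNAL_UDP),
    Rule("ACCEPT", states=REPLIES),
    Rule("LOG"),
]
FORWARD_AS_POSTED = [Rule("ACCEPT", in_iface="eth0"), Rule("ACCEPT", states=REPLIES), Rule("LOG")]

# The same chains with both points corrected.
INPUT_FIXED = [Rule("ACCEPT", proto="tcp", dports=EXTERNAL)] + INPUT_AS_POSTED[1:]
FORWARD_FIXED = [Rule("ACCEPT", in_iface="eth1", proto="tcp", dst="192.168.0.5",
                      dports={5000})] + FORWARD_AS_POSTED

if __name__ == "__main__":
    # Constructed probes; 66.94.234.13 stands in for any host on the Internet.
    probes = {
        "external SMTP to the firewall": Packet("eth1", "tcp", "64.122.31.38", 25),
        "external :5000 (DNAT to .5)":   Packet("eth1", "tcp", "64.122.31.38", 5000),
        "external HTTP to the firewall": Packet("eth1", "tcp", "64.122.31.38", 80),
        "internal HTTP to the firewall": Packet("eth0", "tcp", "192.168.0.1", 80),
        "internal host to the Internet": Packet("eth0", "tcp", "66.94.234.13", 80),
    }
    for name, pkt in probes.items():
        print(f"{name:30} posted={filter_packet(pkt, INPUT_AS_POSTED, FORWARD_AS_POSTED)}"
              f"  fixed={filter_packet(pkt, INPUT_FIXED, FORWARD_FIXED)}")
```

Run as a script it prints the verdict each probe gets under both versions: with the chains as first posted, external SMTP reaches the LOG rule and the DROP policy because the rule that should accept it has no target, and the port 5000 connection is rewritten to 192.168.0.5 by PREROUTING, routed into FORWARD, and dropped there because the only ACCEPT for new connections is limited to eth0. The model is deliberately small, but it is faithful on the three things that matter for this thread: a rule without -j counts and terminates nothing, LOG never terminates, and DNAT'd traffic is judged in FORWARD with its rewritten destination.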

Thread overview: 8+ messages
2002-11-07 17:05 Bad Filter Set? Dan Egli
2002-11-09 14:41 ` Antony Stone
2002-11-09 16:43   ` Dan Egli
2002-11-09 17:29     ` Antony Stone
2002-11-11  6:20       ` Dan Egli
2002-11-11 13:35         ` Anders Fugmann
2002-11-12 23:31           ` Dan Egli
2002-11-13  0:31             ` Anders Fugmann