* Bad Filter Set?
From: Dan Egli @ 2002-11-07 17:05 UTC
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 1005 bytes --]

I'm a bit lost here, so hopefully someone can work with me on this. I created a firewall script that is intended to block most attempts for access to the system, while allowing certain protocols (i.e. http, Telnet, ftp, ssh, etc..) to go through. It also needs to do Masquerading.

I am very new to IpTables (or even firewalls in general) so I'm not completely 100% surprised when this script fails. However, it seems to close down ALL access to the machine, even on ports that were specifically allowed!? I'm attaching my firewall script to this email. Someone please tell me what I did wrong?

Remember, this filter needs to do two things (in addition to blocking the ports).

1) Needs to perform generalized IP Masquerading.
2) (this part is not done and so is not in the script) Needs to forward all incoming traffic on ports: 8000, 8080, and 8021 to the machine 192.168.0.5. The port #s will not change.

Thanks!

Dan

P.S. I edited the file on a WinXP machine so it's in DOS text format. Sorry folks.

[-- Attachment #2: fwscript --]
[-- Type: application/octet-stream, Size: 30034 bytes --]
* Re: Bad Filter Set?
From: Antony Stone @ 2002-11-09 14:41 UTC
  To: netfilter

On Thursday 07 November 2002 5:05 pm, Dan Egli wrote:

> I'm a bit lost here, so hopefully someone can work with me on this. I
> created a firewall script that is intended to block most attempts for
> access to the system, while allowing certain protocols (i.e. http, Telnet,
> ftp, ssh, etc..) to go through. It also needs to do Masquerading.
>
> P.S. I edited the file on a WinXP machine so it's in DOS text format. Sorry
> folks.

I can't open the attachment. Amusingly enough, when I save it and ask 'file' what format it is, I get the response:

fwscript: MPEG 1.0 layer 3 audio stream data, 40 kBit/s layer 2 audio stream data, 48 kBit/s, 44.1 kHz, stereo

(I assume you didn't read out loud your firewall rules and record them in audio format :-)

Please repost your ruleset in the body of the email.

Thanks,

Antony.

--
There are two possible outcomes.
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi
* Re: Bad Filter Set?
From: Dan Egli @ 2002-11-09 16:43 UTC
  To: Antony Stone, netfilter

As Requested: Firewall Rule Set:

#!/bin/bash
#
# first make sure the modules are loaded. ip_conntrack_ftp should load
# them all
modprobe ip_conntrack_ftp

# setup variables
INET="64.122.31.38"
EXTNET="64.122.31.36"
EXTBCST="64.122.31.39"
PRIVNET="192.168.0.2"
USERCHAINS=" EXT-input EXT-output \
 tcp-state-flags connection-tracking \
 source-address-check destination-address-check \
 local-dns-server-query remote-dns-server-responce \
 local-tcp-client-request remote-tcp-server-responce \
 remote-tcp-client-request local-tcp-server-responce \
 local-udp-client-request remote-udp-server-responce \
 remote-udp-client-responce \
 EXT-icmp-out EXT-icmp-in \
 EXT-log-in EXT-log-out \
 log-tcp-state "
PRIV="0:1023"
UNPRIV="1024:65535"
BCAST_SRC="0.0.0.0"
BCAST_DEST="255.255.255.255"
# RFC 1918 private ranges (10/8 and 172.16/12, not /24 and /16)
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
LOOPBACK="127.0.0.0/8"
TRACE_SRC_PORTS="32769:65535"
TRACE_DEST_PORTS="33434:33523"

# Setup kernel based protection measures
# no echo broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# no source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
# TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# no ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
# no redirect messages FROM US
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done
# lose spoofed packets (reverse-path filtering is ON when set to 1)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
# log packets with invalid addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# next, flush the tables
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush

# traffic on loopback interface is fine.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
# /sbin/iptables -A INPUT -i eth1 -j DROP
# /sbin/iptables -A OUTPUT -o eth1 -j DROP
# at this point we have a wide open firewall

# default policy is reject packets
/sbin/iptables -t nat --policy PREROUTING ACCEPT
/sbin/iptables -t nat --policy OUTPUT ACCEPT
/sbin/iptables -t nat --policy POSTROUTING ACCEPT
/sbin/iptables -t mangle --policy PREROUTING ACCEPT
/sbin/iptables -t mangle --policy OUTPUT ACCEPT

# remove any existing user defined chains
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain

# create the chains we need.
for i in $USERCHAINS; do
    /sbin/iptables -N $i
done

# dns queries
/sbin/iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 53 -j ACCEPT
# dns queries over TCP
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# eventually forward dns queries to specific servers and close this down
# some

#local tcp client, remote server
/sbin/iptables -A EXT-output -p tcp --sport $UNPRIV -j local-tcp-client-request
/sbin/iptables -A EXT-input -p tcp ! --syn --dport $UNPRIV -j remote-tcp-server-responce

#local tcp client chains
/sbin/iptables -A local-tcp-client-request -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# the remote SSH server answers FROM port 22, so match the source port here
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport 22 -j ACCEPT

#http/https/ftp controls
/sbin/iptables -A local-tcp-client-request -p tcp -m multiport \
    --destination-port 80,443,21 --syn -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp -m multiport --destination-port 80,443,21 -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp -m multiport --source-port 80,443,21 -j ACCEPT

# pop clients
/sbin/iptables -A local-tcp-client-request -p tcp -d $INET --dport 110 --syn -m state \
    --state NEW -j ACCEPT
#/sbin/iptables -A local-tcp-client-request -p tcp -d $PRIVNET --dport 110 --syn -m state \
#    --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp -d $INET --dport 110 -j ACCEPT
#/sbin/iptables -A local-tcp-client-request -p tcp -d $PRIVNET --dport 110 -j ACCEPT
#/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn -s $PRIVNET --sport 110 \
#    -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn -s $INET --sport 110 \
    -j ACCEPT

#smtp mail
/sbin/iptables -A local-tcp-client-request -p tcp --dport 25 --syn -m state \
    --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport 25 -j ACCEPT

#Usenet / NNTP
/sbin/iptables -A local-tcp-client-request -p tcp --dport 119 --syn -m state \
    --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp --dport 119 -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport 119 -j ACCEPT

#ftp passive mode data channel connection
/sbin/iptables -A local-tcp-client-request -p tcp --dport $UNPRIV --syn -m state --state NEW -j ACCEPT
/sbin/iptables -A local-tcp-client-request -p tcp --dport $UNPRIV -j ACCEPT
/sbin/iptables -A remote-tcp-server-responce -p tcp ! --syn --sport $UNPRIV -j ACCEPT

# TCP queries from outside world to us
/sbin/iptables -A EXT-input -p tcp --sport $UNPRIV -j remote-tcp-client-request
/sbin/iptables -A EXT-output -p tcp --dport $UNPRIV -j local-tcp-server-responce

# kludge for incoming FTP data channel from remote servers
# using PORT mode instead of PASV mode.
/sbin/iptables -A EXT-input -p tcp --sport 20 --dport $UNPRIV -j ACCEPT
/sbin/iptables -A EXT-output -p tcp --sport $UNPRIV --dport 20 -j ACCEPT

# enable SSH channel
/sbin/iptables -A remote-tcp-client-request -p tcp --dport 22 -m state --state NEW \
    -j ACCEPT
/sbin/iptables -A remote-tcp-client-request -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A local-tcp-server-responce -p tcp --sport 22 -j ACCEPT

# Local UDP client, Remote Server
/sbin/iptables -A EXT-output -p udp --sport $UNPRIV -j local-udp-client-request
/sbin/iptables -A EXT-input -p udp --dport $UNPRIV -j remote-udp-server-responce

# NTP
/sbin/iptables -A local-udp-client-request -p udp --dport 123 -m state \
    --state NEW -j ACCEPT
/sbin/iptables -A local-udp-client-request -p udp --dport 123 -j ACCEPT
# replies must go into the chain EXT-input actually jumps to (remote-udp-server-responce)
/sbin/iptables -A remote-udp-server-responce -p udp --sport 123 -j ACCEPT

# ICMP - Most traffic Disabled. But we need to allow certain types
# of messages through
/sbin/iptables -A EXT-input -p icmp -j EXT-icmp-in
/sbin/iptables -A EXT-output -p icmp -j EXT-icmp-out

# icmp firewall chain
#log and drop initial icmp fragments (i.e. we receive part 4 but have not received part 1)
/sbin/iptables -A EXT-icmp-in --fragment -j DROP
/sbin/iptables -A EXT-icmp-out --fragment -j LOG --log-prefix "Fragmented ICMP packet: "
/sbin/iptables -A EXT-icmp-out --fragment -j DROP
# state checking for ICMP
/sbin/iptables -A EXT-icmp-out -p icmp -m state --state NEW -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
# allow inbound pings
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type echo-reply -j ACCEPT
# We need to know destination unreachable, that's an icmp type
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type fragmentation-needed -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
# Parameter problem messages should also be accepted
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
# we also want to allow timeout messages for timeouts during routing
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
# and of course, we need to make notes of when we have been quenched, or when we Quench
/sbin/iptables -A EXT-icmp-out -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A EXT-icmp-in -p icmp --icmp-type source-quench -j ACCEPT

# Now, we want to log invalid TCP/IP State Flag combinations.
# We can NEVER have ALL flags cleared or set
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
#SYN and FIN cannot co-exist
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
#SYN and RST also cannot coexist
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
#FIN+RST = INVALID
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
# Fin only, no ACK = BAD!
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
# PSH only, no ACK = BAD
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
#URG only, no ACK = BAD
/sbin/iptables -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state

#log and drop packets with a bad tcp state flag set
/sbin/iptables -A log-tcp-state -p tcp -j LOG --log-prefix "ILLEGAL TCP STATE: " --log-ip-options --log-tcp-options
/sbin/iptables -A log-tcp-state -j DROP

#bypass rule filtering for ESTABLISHED exchanges. If we let it get started, we should let it finish!
/sbin/iptables -A connection-tracking -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A connection-tracking -m state --state INVALID -j LOG --log-prefix "INVALID Packet: "
/sbin/iptables -A connection-tracking -m state --state INVALID -j DROP

#####################################
# refuse packets claiming to be from private networks unless they come in on our local interface, eth0 and showing a Class C
# Private network address
/sbin/iptables -A source-address-check -s $CLASS_A -j DROP
/sbin/iptables -A source-address-check -s $CLASS_B -j DROP
/sbin/iptables -A source-address-check -s $CLASS_C -i ! eth0 -j DROP
/sbin/iptables -A source-address-check -s $CLASS_D -j DROP
/sbin/iptables -A source-address-check -s $CLASS_E -j DROP
/sbin/iptables -A source-address-check -s $LOOPBACK -j DROP
# kill broadcasts also
/sbin/iptables -A source-address-check -s 0.0.0.0/8 -j DROP
/sbin/iptables -A source-address-check -s 169.254.0.0/16 -j DROP
/sbin/iptables -A source-address-check -s 192.168.0.0/24

######################
# dest address checks
/sbin/iptables -A destination-address-check -d $BCAST_DEST -i ! eth0 -j DROP
/sbin/iptables -A destination-address-check -d $EXTBCST -j DROP
/sbin/iptables -A destination-address-check -d $EXTNET -j DROP
/sbin/iptables -A destination-address-check -p ! udp -d $CLASS_D -j DROP
#avoid ports subject to protocol and system administration problems
/sbin/iptables -A destination-address-check -p tcp -m multiport --destination-port 2049,2000,1080,3128 --syn -j DROP
# unprivileged UDP ports for NFS and LOCKD
/sbin/iptables -A destination-address-check -p udp -m multiport --destination-port 2049,4045 -j DROP

#logging rules prior to dropping by default policy of DROP
#icmp rules
/sbin/iptables -A EXT-log-in -p icmp --icmp-type ! echo-request -m limit -j LOG
#tcp rules
#deny ports 0-19, and log it
/sbin/iptables -A EXT-log-in -p tcp --dport 0:19 -j LOG
#20-23 are used by valid services
/sbin/iptables -A EXT-log-in -p tcp --dport 24 -j LOG
#25 = SMTP, Valid
/sbin/iptables -A EXT-log-in -p tcp --dport 26:79 -j LOG
#finger was disallowed, WWW is allowed
/sbin/iptables -A EXT-log-in -p tcp --dport 81:109 -j LOG
# 110 = Pop3 - Still in use on some systems
/sbin/iptables -A EXT-log-in -p tcp --dport 112:136 -j LOG
# we BETTER allow NetBIOS
/sbin/iptables -A EXT-log-in -p tcp --dport 140:142 -j LOG
# imap is allowed!
/sbin/iptables -A EXT-log-in -p tcp --dport 144:442 -j LOG
#443 = Https! We need it!
/sbin/iptables -A EXT-log-in -p tcp --dport 444:65535 -j LOG
#udp Rules
#no services before 111
/sbin/iptables -A EXT-log-in -p udp --dport 0:110 -j LOG
#sunrpc we want
/sbin/iptables -A EXT-log-in -p udp --dport 112:160 -j LOG
#keep snmp in case we ever use it
/sbin/iptables -A EXT-log-in -p udp --dport 163:634 -j LOG
#keep NFS, Skip PCAnywhere!
/sbin/iptables -A EXT-log-in -p udp --dport 636:31336 -j LOG
#skip TraceRoute's default ports
/sbin/iptables -A EXT-log-in -p udp --sport $TRACE_SRC_PORTS --dport $TRACE_DEST_PORTS -j LOG
# skip the rest!
/sbin/iptables -A EXT-log-in -p udp --dport 33434:65535

#outgoing packets
#don't log rejected outbound ICMP destination-unreachable packets
/sbin/iptables -A EXT-log-out -p icmp --icmp-type destination-unreachable -j DROP
# Log & Drop the rest
/sbin/iptables -A EXT-log-out -j LOG

############################################################################
##################
# Ok. Now we need to install the chains we built into the default INPUT and OUTPUT chains
# if TCP, check for common stealth scan TCP state patterns
/sbin/iptables -A INPUT -p tcp -j tcp-state-flags
/sbin/iptables -A OUTPUT -p tcp -j tcp-state-flags
#bypass firewall filters for established exchanges
/sbin/iptables -A INPUT -j connection-tracking
/sbin/iptables -A OUTPUT -j connection-tracking
#test for illegal source and destination addresses in inbound packets
/sbin/iptables -A INPUT -p ! tcp -j source-address-check
/sbin/iptables -A INPUT -p tcp --syn -j source-address-check
/sbin/iptables -A INPUT -j destination-address-check
#test for illegal destination addresses in outbound packets
/sbin/iptables -A OUTPUT -j destination-address-check
#begin standard firewall tests for packets addressed to this host
/sbin/iptables -A INPUT -i eth1 -d $INET -j EXT-input
#multicast traffic
/sbin/iptables -A INPUT -i eth1 -p udp -d $CLASS_D -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p udp -d $CLASS_D -j ACCEPT
#begin standard firewall tests for packets sent from this host
#source address spoofing by this host is not allowed due to the test on
#the source address in this rule
/sbin/iptables -A OUTPUT -o eth1 -s $INET -j EXT-output
#log anything of interest that fell through,
# before the default policy drops the packet
/sbin/iptables -A INPUT -j EXT-log-in
/sbin/iptables -A OUTPUT -j EXT-log-out
#firewall is now initialized
exit 0
* Re: Bad Filter Set?
From: Antony Stone @ 2002-11-09 17:29 UTC
  To: netfilter

On Saturday 09 November 2002 4:43 pm, Dan Egli wrote:

> As Requested: Firewall Rule Set:

This is a *really* long (= complicated) firewall ruleset, given the requirements you posted earlier.

I really do recommend that you start from something simple and build it up gradually instead of starting out with something so difficult to debug as this.

There are a number of things in your script which I'd comment on:

> USERCHAINS=" EXT-input EXT-output \
> tcp-state-flags connection-tracking \
> source-address-check destination-address-check \
> local-dns-server-query remote-dns-server-responce \
> local-tcp-client-request remote-tcp-server-responce \
> remote-tcp-client-request local-tcp-server-responce \
> local-udp-client-request remote-udp-server-responce \
> remote-udp-client-responce \
> EXT-icmp-out EXT-icmp-in \
> EXT-log-in EXT-log-out \
> log-tcp-state "

Why on earth do you have so many user defined chains? Did you try putting rules into INPUT or FORWARD and get problems? Or do you just like having lots of chains with a rule pointing to each one?

> # at this point we have a wide open firewall

Correct - don't you think that is a bad thing? It would be better to start with a closed firewall and slowly open it to allow traffic you want. You should never have a "wide open firewall", even for a short time during startup.

> # default policy is reject packets
> /sbin/iptables -t nat --policy PREROUTING ACCEPT
> /sbin/iptables -t nat --policy OUTPUT ACCEPT
> /sbin/iptables -t nat --policy POSTROUTING ACCEPT
> /sbin/iptables -t mangle --policy PREROUTING ACCEPT
> /sbin/iptables -t mangle --policy OUTPUT ACCEPT

These rules do not do what the comment above them says. Nowhere can I see that you have set a (recommended) default DROP policy on the filter tables in the INPUT and FORWARD chains. The comment on the above rules might lull you into a false sense of security if you do not also read the rules and realise that they do not reject packets.

Finally, looking through your entire ruleset, I cannot see any references to the FORWARD chain, therefore you will not be allowing or filtering any packets through your firewall - which is what I think you wanted to do? All the rules I can see are for INPUT and OUTPUT so they relate only to the firewall machine itself.

I really do recommend that you start with a simple ruleset which is sufficiently secure to plug into the Internet, and then build it up from there.

Try this:

# default drop policy into and through the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow established and related connections through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow anything from internal net to Internet - can be tightened up later,
# but at least we only allow outbound stuff
iptables -A FORWARD -i eth0 -j ACCEPT

# masquerade all outbound packets so we get the replies back
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 64.122.31.38

# allow packets to be routed through the machine
echo 1 >/proc/sys/net/ipv4/ip_forward

Antony.

--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
* Re: Bad Filter Set?
From: Dan Egli @ 2002-11-11 6:20 UTC
  To: netfilter

I took the firewall script based on an "optimized firewall" from an IPTABLES book (Linux Firewalls was the title). I know near 0 about IPTables, which is why I used the book as an example. I also wanted to be able to enable or disable certain services without adding or removing lines, because I *THOUGHT* it was best that way. Please realize I'm coming from a Windows environment. I want to learn as much as I can about IPTables, but the only book I've seen (the one I mentioned earlier) seems very complicated. I've read through the how-tos, but for someone like me they just don't seem to click. I could not define exactly why, just that when I read them I quickly get lost with all the stuff about DNAT vs. SNAT vs. whatever and how each packet works with those.

And as to the default policy comment, it was originally that they all said -j DROP, but that killed the network completely. When I set them to -j ACCEPT (I know, bad idea) it unlocks the network. This is kinda a hacked script that I went through to just get the network up and running again.

If you could provide a different How-To than the one written by Rusty, I'd happily look at it. And in the meantime, if you can please provide a script that will do what I stated?? To clarify, I need a script (commented would help!) that does the following:

1) Block all ports EXCEPT:
FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP, ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000 (special programs run on those ports and they need to be open).

2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards it to 192.168.0.5 5000, and any packets sent from 192.168.0.5:5000 [which would only be in reply to an inbound packet] should appear as coming from 192.168.0.1:5000). Here's a basic setup of the machine so you have that to go on:

EXTERNAL IP: 64.122.31.38 on eth1
internal IP: 192.168.0.1 on eth0

3) Perform basic IP Masquerading for unlisted machines on the 192.168.0.x net. So if a machine addressed as 192.168.0.26 requests www.yahoo.com, it goes in from eth0, then goes out eth1 as from eth1's address, and the return comes in eth1 and goes back out eth0 to the correct machine.

4) Log any blocked traffic in the syslog.

Your help is greatly appreciated!
* Re: Bad Filter Set?
From: Anders Fugmann @ 2002-11-11 13:35 UTC
  To: Dan Egli; +Cc: netfilter

Dan Egli wrote:
>
> 1) Block all ports EXCEPT:
> FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP,
> ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000
> (special programs run on those ports and they need to be open).

You do realize that many of these protocols are very insecure, and should not be opened to the public. Also do you really want to allow everyone (on the intra- and inter-net) to use your printers?

>
> 2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a
> Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards
> it to 192.168.0.5 5000, and any packets sent from 192.168.0.5:5000 [which
> would only be in reply to an inbound packet] should appear as coming from
> 192.168.0.1:5000). Here's a basic setup of the machine so you have that to
> go on:

This is impossible. A machine with IP 192.168.0.6 cannot be redirected to 192.168.0.5 through 192.168.0.1. But in the example below, all connections to 64.122.31.38:5000 (through eth1) will be redirected to 192.168.0.5.

>
> EXTERNAL IP: 64.122.31.38 on eth1
> internal IP: 192.168.0.1 on eth0
>
> 3) Perform basic IP Masquerading for unlisted machines on the 192.168.0.x
> net. So if a machine addressed as 192.168.0.26 requests www.yahoo.com, it
> goes in from eth0, then goes out eth1 as from eth1's address, and the return
> comes in eth1 and goes back out eth0 to the correct machine.
>
> 4) Log any blocked traffic in the syslog.
>
> Your help is greatly appreciated!
>

Here are your rules. I have not tested them, so minor changes may be necessary.

--------------------------------
# Set default policies.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Flush all tables.  (the table name is lower-case "nat")
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# Service names must be spelled as in /etc/services (lower case, DNS is
# "domain"); 520 (RIP) has no TCP entry there, so it is given numerically.
iptables -A INPUT -p tcp -m multiport --dports \
    smtp,domain,nntp,ntp,520,printer,pop3,imap,http,https,4000,5000 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 \
    -j DNAT --to-destination 192.168.0.5:5000

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38

echo 1 > /proc/sys/net/ipv4/ip_forward
-------------------------

Regards
Anders Fugmann
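Requirement 4 in Dan's list was "log any blocked traffic in the syslog", and the bare `-j LOG` rules just before the policy drop do that; what the thread never shows is what those kernel log lines look like or how to read them back. The script below is an added example (mine, not Anders' or Dan's code): the four log lines are constructed in the format the netfilter LOG target writes, the FW-IN-DROP / FW-FWD-DROP prefixes are assumed `--log-prefix` values (a bare `-j LOG` writes the same fields with no prefix, which is harder to grep for), and the functions summarise drops per source address, protocol and destination port.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises netfilter LOG output
# (as produced by "-j LOG --log-prefix 'FW-IN-DROP: '" and the like).
# SAMPLE_LOG is constructed for this example; the prefixes are assumptions.

SAMPLE_LOG='Nov 13 00:31:02 fw kernel: FW-IN-DROP: IN=eth1 OUT= SRC=198.51.100.7 DST=64.122.31.38 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 00:31:03 fw kernel: FW-IN-DROP: IN=eth1 OUT= SRC=198.51.100.7 DST=64.122.31.38 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=40113 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 00:31:09 fw kernel: FW-FWD-DROP: IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=777 PROTO=UDP SPT=53 DPT=33434 LEN=20
Nov 13 00:31:11 fw kernel: FW-IN-DROP: IN=eth1 OUT= SRC=198.51.100.7 DST=64.122.31.38 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12347 DF PROTO=TCP SPT=40114 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "prefix src proto dport count", busiest first.
# Only lines carrying one of our prefixes are counted, so unrelated kernel
# messages in the same file are ignored.
fw_log_summary() {
    awk '
        /kernel: FW-[A-Z]*-DROP:/ {
            prefix = ""; src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FW-.*-DROP:$/) prefix = substr($i, 1, length($i) - 1)
                else if ($i ~ /^SRC=/)    src   = substr($i, 5)
                else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
                else if ($i ~ /^DPT=/)    dpt   = substr($i, 5)
            }
            count[prefix " " src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k1,1
}

# Total dropped packets seen from one source address in the sample
# (the number you look at when deciding whether a host is probing you).
fw_log_hits_from() {
    printf '%s\n' "$SAMPLE_LOG" | fw_log_summary |
        awk -v s="$1" '$2 == s { n += $5 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

On a real box replace the embedded sample with `grep 'FW-.*-DROP:' /var/log/messages | fw_log_summary` (or wherever syslog puts kernel messages); a source that shows up against many different DPT values in a short window is the port-scan pattern, which is also why the LOG rules should be rate-limited so such a scan cannot fill the disk.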
* Re: Bad Filter Set?
From: Dan Egli @ 2002-11-12 23:31 UTC
  To: Anders Fugmann; +Cc: netfilter

On Mon, 11 Nov 2002, Anders Fugmann wrote:

> Dan Egli wrote:
> >
> > 1) Block all ports EXCEPT:
> > FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP,
> > ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000
> > (special programs run on those ports and they need to be open).
> You do realize that many of these protocols are very insecure, and
> should not be opened to the public. Also do you really want to allow
> everyone (on the intra- and inter-net) to use your printers?

Ok. This is true, so let me clarify. The INTERNAL net should have access to all those. The EXTERNAL side needs:
SMTP, FTP, TELNET, SSH, 4000 & 5000

> >
> > 2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a
> > Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards
> > it to 192.168.0.5 5000, and any packets sent from 192.168.0.5:5000 [which
> > would only be in reply to an inbound packet] should appear as coming from
> > 192.168.0.1:5000). Here's a basic setup of the machine so you have that to
> > go on:
> This is impossible. A machine with IP 192.168.0.6 cannot be redirected
> to 192.168.0.5 through 192.168.0.1. But in the example below, all
> connections to 64.122.31.38:5000 (through eth1) will be redirected to
> 192.168.0.5.

That is what I wanted. On the internal side all machines will have access to the 192.168.0.5 machine directly, no need for nat. It was only for external that this was needed.
* Re: Bad Filter Set?
  2002-11-12 23:31 ` Dan Egli
@ 2002-11-13  0:31 ` Anders Fugmann
  0 siblings, 0 replies; 8+ messages in thread
From: Anders Fugmann @ 2002-11-13 0:31 UTC (permalink / raw)
To: Dan Egli; +Cc: netfilter

Dan Egli wrote:
> Ok. This is true, so let me clarify. The INTERNAL net should have access
> to all those. The EXTERNAL side needs:
> SMTP, FTP, TELNET, SSH, 4000 & 5000

Ok. I have modified the script to accommodate this.
--------------------------------
# Set default policies.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Flush all tables.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Table names are lowercase: "-t NAT" fails with "can't initialize iptables table".
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# Services reachable from both interfaces. The rule needs its target: without
# "-j ACCEPT" it only counts packets and the INPUT policy still drops them.
# FTP data connections match RELATED only with the ip_conntrack_ftp helper loaded.
iptables -A INPUT -p tcp -m multiport --dports \
        smtp,ftp,telnet,ssh,4000,5000 -j ACCEPT
# Services reachable only from the internal interface.
iptables -A INPUT -p tcp -i eth0 -m multiport --dports \
        telnet,domain,nntp,ntp,printer,pop3,imap,http,https \
        -j ACCEPT
# RIP (520) is given numerically; its /etc/services name varies (route/router).
iptables -A INPUT -p udp -i eth0 -m multiport --dports \
        domain,ntp,520 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything else is logged and then dropped by the policy.
iptables -A INPUT -j LOG

iptables -A FORWARD -i eth0 -j ACCEPT
# The DNATed connection below still traverses FORWARD (policy DROP), so the
# inside host must be accepted explicitly or the port forward never works.
iptables -A FORWARD -i eth1 -p tcp -d 192.168.0.5 --dport 5000 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 \
        -j DNAT --to-destination 192.168.0.5:5000

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38

echo 1 > /proc/sys/net/ipv4/ip_forward
-------------------------

Regards
Anders Fugmann

^ permalink raw reply [flat|nested] 8+ messages in thread
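The rulesets in this thread show the usual ways an iptables script loads without an error message and still drops everything: an uppercase table name, a rule with no `-j` target, a port forward with no matching FORWARD rule, and an unbounded LOG rule. The following is an added example written for this page, not code from the thread or from the netfilter project: a small POSIX shell/awk linter that reads a script on stdin and reports those problems before the script is loaded. The sample and corrected rulesets embedded in it are constructed for the demonstration (the interface names, the 192.168.0.5 host and the 64.122.31.38 address follow the thread); the function names are my own, and the FORWARD check is a heuristic that only looks for a FORWARD ACCEPT rule naming `-d <host>`.

```shell
#!/bin/sh
# lint_iptables_script: read an iptables script on stdin, print one finding
# per line as "<line>: <message>", exit 1 if anything was found.
lint_iptables_script() {
    awk '
    # Join backslash-continued lines so each iptables call is one record,
    # remembering the line number where the call started.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; if (!start) start = NR; next }
    { line = buf $0; buf = ""; n = (start ? start : NR); start = 0; check(line, n) }

    function report(n, msg) { found++; print n ": " msg }

    function check(line, n,    t, lst, k, parts, i, slots, host, dst) {
        if (line !~ /^[ \t]*iptables[ \t]/) return
        # 1. Table names are lowercase ("-t nat"); "-t NAT" does not load.
        if (match(line, /-t[ \t]+[A-Za-z]+/)) {
            t = substr(line, RSTART, RLENGTH); sub(/-t[ \t]+/, "", t)
            if (t != tolower(t)) report(n, "table name must be lowercase: -t " t)
        }
        # 2. An -A/-I rule without a -j/-g target only counts packets, so with
        #    a DROP policy the traffic it was meant to allow is still dropped.
        if (line ~ /[ \t]-[AI][ \t]/ && line !~ /[ \t]-[jg][ \t]/)
            report(n, "rule has no target (-j): it only counts packets")
        # 3. multiport holds 15 port slots; a range a:b uses two of them.
        if (match(line, /--[ds]ports[ \t]+[^ \t]+/)) {
            lst = substr(line, RSTART, RLENGTH); sub(/--[ds]ports[ \t]+/, "", lst)
            k = split(lst, parts, ","); slots = k
            for (i = 1; i <= k; i++) if (parts[i] ~ /:/) slots++
            if (slots > 15) report(n, "multiport takes at most 15 ports, got " slots)
        }
        # 4. An unlimited LOG rule lets anyone fill syslog with a port scan.
        if (line ~ /-j[ \t]+LOG/ && line !~ /-m[ \t]+limit/)
            report(n, "LOG rule has no -m limit: it can flood syslog")
        # 5. Remember DNAT targets and FORWARD accepts for the end-of-file check.
        if (match(line, /--to-destination[ \t]+[0-9.]+/)) {
            host = substr(line, RSTART, RLENGTH); sub(/--to-destination[ \t]+/, "", host)
            dnat[host] = n
        }
        if (line ~ /-A[ \t]+FORWARD/ && line ~ /-j[ \t]+ACCEPT/ &&
            match(line, /-d[ \t]+[0-9.]+/)) {
            dst = substr(line, RSTART, RLENGTH); sub(/-d[ \t]+/, "", dst)
            fwd[dst] = 1
        }
    }
    # A DNATed connection still traverses FORWARD; with policy DROP it needs an
    # explicit ACCEPT for the inside host (heuristic: a FORWARD rule with -d host).
    END {
        for (host in dnat)
            if (!(host in fwd))
                report(dnat[host], "DNAT to " host " but no FORWARD ACCEPT rule with -d " host)
        exit (found ? 1 : 0)
    }'
}

# Constructed sample reproducing the defects seen in the thread (not its text).
sample_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -t NAT -F PREROUTING
iptables -A INPUT -p tcp -m multiport --dports \
    smtp,ftp,telnet,ssh,4000,5000
iptables -A INPUT -p tcp -i eth0 -m multiport --dports \
    ftp,ssh,telnet,smtp,domain,nntp,ntp,printer,pop3,imap,http,https,4000,5000,8000,8080 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 \
    -j DNAT --to-destination 192.168.0.5:5000
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Constructed corrected version of the same rules; the linter passes it.
fixed_rules() {
    cat <<'EOF'
iptables -t nat -F PREROUTING
iptables -A INPUT -p tcp -m multiport --dports smtp,ftp,telnet,ssh,4000,5000 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input: "
iptables -A FORWARD -i eth1 -p tcp -d 192.168.0.5 --dport 5000 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 -j DNAT --to-destination 192.168.0.5:5000
EOF
}

# Stand-alone run: lint the sample (findings expected, non-zero exit swallowed),
# then the corrected rules. For a real script: lint_iptables_script < fwscript
sample_rules | lint_iptables_script || true
fixed_rules | lint_iptables_script
```

On the sample the linter reports the uppercase table on line 3, the target-less INPUT rule on line 4, the 16-entry multiport list on line 6, the unbounded LOG on line 9 and the DNAT on line 12 with no FORWARD rule for 192.168.0.5; the corrected set produces no findings. The checks are line-oriented and deliberately simple, so run the script through `iptables-save` afterwards to confirm what the kernel actually holds.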
end of thread, other threads:[~2002-11-13 0:31 UTC | newest]

Thread overview: 8+ messages
2002-11-07 17:05 Bad Filter Set? Dan Egli
2002-11-09 14:41 ` Antony Stone
2002-11-09 16:43   ` Dan Egli
2002-11-09 17:29     ` Antony Stone
2002-11-11  6:20       ` Dan Egli
2002-11-11 13:35         ` Anders Fugmann
2002-11-12 23:31           ` Dan Egli
2002-11-13  0:31             ` Anders Fugmann