Re: security question

Re: security question

[Martín Chikilian]

a.westendoerpf@gmx.de wrote:

> Hi *!

> I have the following setup. Please tell me if I have some security
> issues here.

> A linux box with two ethernet interfaces to work as a masquerading
> router. One of them (eth0) is connected to a dsl-modem, the other is a
> wlan card (eth1). All client systems get this box a default gateway
> via dhcp.

> My goal is to drop everything coming from the wlan by default. I do
> this with:

> # iptables -t nat -P PREROUTING  DROP

I don't know if i understand well what you wrote, but i think that your rule applies to drop packets being PREROUTED by default. What is the goal of this??
What you mean with "is to drop everything coming from the wlan by default" ??
You want to drop packets destined TO wlan by default???

> I want the all www-requests of the client systems to be redirected to
> the local Apache on the box. I do this with:

> # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 - REDIRECT

The corect rule for this is the next one:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -i eth1 -j REDIRECT

Note the POSTROUTING chain must be used (I think)

> As I need DNS for these www-requests I have to let DNS be accepted:

> # iptables -t nat -A PREROUTING -p udp --dport 53 -i eth1 -j ACCEPT

> Then, in the POSTROUTING chain I need all the packets that made it
> here to be masqueraded:

> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> If I want to allow a specific wlan client to get outside connections I
> use:

> # iptables -t nat -I PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX
> -i the1 -j ACCEPT

> to let him through.

> Beside of MAC-spoofing, is this setup safe? Can someone get though the
> PREROUTING chain, without being "MAC-inserted".

Sure there are ways to bypass this restriction, but it is pretty difficult, imho ;-)

> What can I do to block incoming connection attempts? I only want to
> allow ssh from outside (internet) to the box.
Through wlan?? You can do:
iptables --policy INPUT DROP	/* DROP by default incoming packets
iptables --append INPUT --in-interface eth1 --destination-port ssh --jump ACCEPT

Note that if you drop incoming packets by default, you also need to add a few rules:
iptables --append INPUT --in-interface eth1 --match multiport --ports http,https,ftp,ftp-data,ssh,... --jump ACCEPT
You must add the ports that you and your clients commonly use.

Any other doubt, contact the list.

Ciao, Martin

Re: security question

[Antony Stone]

On Thursday 03 June 2004 4:06 pm, Martín Chikilian wrote:

> a.westendoerpf@gmx.de wrote:
> >
> > My goal is to drop everything coming from the wlan by default. I do
> > this with:
> >
> > # iptables -t nat -P PREROUTING  DROP

That is a terrible thing to do - it will drop all sorts of packets you don't 
want dropped.   Do not filter packets in the nat tables - filter them in the 
filter tables.

I know it may look innocuous enough, but don't do it - it will mess up your 
network.

Regards,

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.

Transparant proxy

[david]

Dear all,
can anybody tell me how to set rules in iptables if i want to use
transparant proxy.

Thank's
David Kandou

Re: Transparant proxy

[Emilio Casbas]

david@suarapembaruan.co.id wrote:

>Dear all,
>can anybody tell me how to set rules in iptables if i want to use
>transparant proxy.
>
>Thank's
>David Kandou
>
>
>
>
>  
>
iptables -t nat -A prerouting -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-port 3128

This command make your kernel intercept  HTTP connections and send them
to proxy port.


Emilio C.

Re: Transparant proxy

[david]

I will try it,

Thank's
DK

> david@suarapembaruan.co.id wrote:
>
>>Dear all,
>>can anybody tell me how to set rules in iptables if i want to use
>> transparant proxy.
>>
>>Thank's
>>David Kandou
>>
>>
>>
>>
>>
>>
> iptables -t nat -A prerouting -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> This command make your kernel intercept  HTTP connections and send them
> to proxy port.
>
>
> Emilio C.

Re: Transparant proxy

[Djalma Fadel Junior]

On Fri, 04 Jun 2004 09:09:11 +0200
Emilio Casbas <ecasbas@unav.es> wrote:

> david@suarapembaruan.co.id wrote:
> 
> >Dear all,
> >can anybody tell me how to set rules in iptables if i want to use
> >transparant proxy.
> >
> iptables -t nat -A prerouting -i eth0 -p tcp --dport 80 -j REDIRECT 
> --to-port 3128
> 

but, if the user sets manually another proxy in his browser, he doesn't get in this rule and all ACLs in proxy are inutil.

how could redirect that connections through my proxy?


thanks in advance,

D. Fadel Jr.

Re: Transparant proxy

[Emilio Casbas]

Djalma Fadel Junior wrote:

>On Fri, 04 Jun 2004 09:09:11 +0200
>Emilio Casbas <ecasbas@unav.es> wrote:
>
>  
>
>>david@suarapembaruan.co.id wrote:
>>
>>    
>>
>>>Dear all,
>>>can anybody tell me how to set rules in iptables if i want to use
>>>transparant proxy.
>>>
>>>      
>>>
>>iptables -t nat -A prerouting -i eth0 -p tcp --dport 80 -j REDIRECT 
>>--to-port 3128
>>
>>    
>>
>
>but, if the user sets manually another proxy in his browser, he doesn't get in this rule and all ACLs in proxy are inutil.
>
>how could redirect that connections through my proxy?
>
>
>thanks in advance,
>
>D. Fadel Jr.
>
>  
>

Deny in the firewall all connections to internet
that don't become from the transparent proxy.
The transparent proxy is the unique intermediary
between your users and internet.

Emilio C.

Re: Transparant proxy

[Sheldon Hearn]

On Fri, 2004-06-04 at 10:24, david@suarapembaruan.co.id wrote:

> can anybody tell me how to set rules in iptables if i want to use
> transparant proxy.

That depends on what you mean by transparent proxy.  You may be looking
for the tproxy patch, which was included in patch-o-matic CVS on May 11,
or alternatively is available at:

http://www.balabit.com/products/oss/tproxy/

Ciao,
Sheldon.

Re: Transparant proxy

[Ming Fu]

Hi,

Does anyone have experience of tproxy to work with IPv6?

Thanks,

Sheldon Hearn wrote:

>On Fri, 2004-06-04 at 10:24, david@suarapembaruan.co.id wrote:
>
>  
>
>>can anybody tell me how to set rules in iptables if i want to use
>>transparant proxy.
>>    
>>
>
>That depends on what you mean by transparent proxy.  You may be looking
>for the tproxy patch, which was included in patch-o-matic CVS on May 11,
>or alternatively is available at:
>
>http://www.balabit.com/products/oss/tproxy/
>
>Ciao,
>Sheldon.
>
>
>  
>