* [IP ?] what ip must be filtered ?
From: Tanen @ 2003-12-11 8:58 UTC
To: netfilter

Hello,

I'm confused. I'm trying to set up my firewall, with iptables sure :)
The problem, an easy problem for you to solve but a big one for me, is the following:
I have a dedicated server, Linux, on an internal local network, which has the IP 192.168.0.1, and the other computers have 192.168.0.2, *.3, *.4 etc... BUT the dedicated box uses the router of my connection to be connected to the internet. This router has the IP 192.168.0.100, and my external IP is 63.*.*.*. My problem is to know WHAT IP I must filter to prevent any attack or hack; the router is forwarding the needed ports (http, pop/imap/smtp) to the dedicated box. All works fine, sure. But what IP must I filter, and authorise, to have my firewall working fine? Actually, when I'm filtering my local IP or my external IP, my mail server isn't getting any mail from the www. Can someone help me please?

Thank you.
* Re: [IP ?] what ip must be filtered ?
From: Antony Stone @ 2003-12-11 11:23 UTC
To: netfilter

On Thursday 11 December 2003 8:58 am, Tanen wrote:
> Hello,
>
> I'm confused. I'm trying to set up my firewall, with iptables sure :)
> The problem, an easy problem for you to solve but a big one for me, is the following:
> I have a dedicated server, Linux, on an internal local network, which has the IP 192.168.0.1, and the other computers have 192.168.0.2, *.3, *.4 etc... BUT the dedicated box uses the router of my connection to be connected to the internet. This router has the IP 192.168.0.100, and my external IP is 63.*.*.*. My problem is to know WHAT IP I must filter to prevent any attack or hack; the router is forwarding the needed ports (http, pop/imap/smtp) to the dedicated box. All works fine, sure. But what IP must I filter, and authorise, to have my firewall working fine? Actually, when I'm filtering my local IP or my external IP, my mail server isn't getting any mail from the www. Can someone help me please?

The simplest way to do what you want is not to think about IP addresses so much as which interface they're connected to.

Let's assume that your firewall has 192.168.0.100 on eth0 (private, internal) and 63.x.y.z on eth1 (public, external).

Then a good start to your ruleset would be:

    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 63.x.y.z

An improvement on the above rules would be to be more restrictive about what traffic you allow from internal clients to the Internet; however, this is a start.

If you don't understand anything about the above rules, feel free to ask again.

Antony.

--
It is also possible that putting the birds in a laboratory setting inadvertently renders them relatively incompetent.
 - Daniel C Dennet

Please reply to the list; please don't CC me.
* RE : [IP ?] what ip must be filtered ?
From: Tanen @ 2003-12-11 11:42 UTC
To: 'Antony Stone'; +Cc: netfilter

Hello,
Thanks for your help.
This dedicated box is on my local network, but it isn't a router, just a server; I have a hardware router, with a hardware firewall integrated in this router.
My question is not really clear, I try again to explain it:
I want to block all attacks, and all floods or other shit related to the hackers, on my server. For this, I have only forwarded a few ports on my hardware router: 80, 110, 25, 143, 21, 53, 443, 993; all others are blocked by the hardware firewall. Now I want to prevent anything that would be attempted by using these ports. So I want to create a firewall to prevent this, and authorise ALL traffic in the local network, but filter the outgoing packets from the server, to not allow any other things than the things requested by the computers themselves. I'm not sure if I'm clear; if not, I can try again to explain it, but I'm not speaking English very well, that's not my main language. I'm a real beginner with iptables, and a novice with Linux. The local network, but filter the outgoing packets from the server, to not allow any other things than the things requested by the computers themselves. I'm not sure if I'm clear; if not, I can try again to explain it, but I'm not speaking English very well, that's not my main language. I'm a real beginner with iptables, and a novice with Linux. I'm listening to ALL help ... :) and any help would be appreciated.

Thanks in advance for any help from anyone :)

Sincerely,
Tanen.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On behalf of Antony Stone
> Sent: Thursday 11 December 2003 12:23
> To: netfilter@lists.netfilter.org
> Subject: Re: [IP ?] what ip must be filtered ?
>
> On Thursday 11 December 2003 8:58 am, Tanen wrote:
>> Hello,
>>
>> I'm confused. I'm trying to set up my firewall, with iptables sure :)
>> The problem, an easy problem for you to solve but a big one for me, is the following:
>> I have a dedicated server, Linux, on an internal local network, which has the IP 192.168.0.1, and the other computers have 192.168.0.2, *.3, *.4 etc... BUT the dedicated box uses the router of my connection to be connected to the internet. This router has the IP 192.168.0.100, and my external IP is 63.*.*.*. My problem is to know WHAT IP I must filter to prevent any attack or hack; the router is forwarding the needed ports (http, pop/imap/smtp) to the dedicated box. All works fine, sure. But what IP must I filter, and authorise, to have my firewall working fine? Actually, when I'm filtering my local IP or my external IP, my mail server isn't getting any mail from the www. Can someone help me please?
>
> The simplest way to do what you want is not to think about IP addresses so much as which interface they're connected to.
>
> Let's assume that your firewall has 192.168.0.100 on eth0 (private, internal) and 63.x.y.z on eth1 (public, external).
>
> Then a good start to your ruleset would be:
>
>     iptables -P FORWARD DROP
>     iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>     iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>     iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 63.x.y.z
>
> An improvement on the above rules would be to be more restrictive about what traffic you allow from internal clients to the Internet; however, this is a start.
>
> If you don't understand anything about the above rules, feel free to ask again.
>
> Antony.
>
> --
> It is also possible that putting the birds in a laboratory setting inadvertently renders them relatively incompetent.
>  - Daniel C Dennet
>
> Please reply to the list; please don't CC me.
* Re: RE : [IP ?] what ip must be filtered ?
From: John A. Sullivan III @ 2003-12-11 13:04 UTC
To: Tanen; +Cc: 'Antony Stone', netfilter

On Thu, 2003-12-11 at 06:42, Tanen wrote:
> Hello,
> Thanks for your help.
> This dedicated box is on my local network, but it isn't a router, just a server; I have a hardware router, with a hardware firewall integrated in this router.
> My question is not really clear, I try again to explain it:
> I want to block all attacks, and all floods or other shit related to the hackers, on my server. For this, I have only forwarded a few ports on my hardware router: 80, 110, 25, 143, 21, 53, 443, 993; all others are blocked by the hardware firewall. Now I want to prevent anything that would be attempted by using these ports. So I want to create a firewall to prevent this, and authorise ALL traffic in the local network, but filter the outgoing packets from the server, to not allow any other things than the things requested by the computers themselves. I'm not sure if I'm clear; if not, I can try again to explain it, but I'm not speaking English very well, that's not my main language. I'm a real beginner with iptables, and a novice with Linux. The local network, but filter the outgoing packets from the server, to not allow any other things than the things requested by the computers themselves. I'm not sure if I'm clear; if not, I can try again to explain it, but I'm not speaking English very well, that's not my main language. I'm a real beginner with iptables, and a novice with Linux. I'm listening to ALL help ... :) and any help would be appreciated.
> <snip>
>>> I'm filtering my local IP or my external IP, my mail server isn't getting any mail from the www. Can someone help me please?
>>
>> The simplest way to do what you want is not to think about IP addresses so much as which interface they're connected to.
>>
>> Let's assume that your firewall has 192.168.0.100 on eth0 (private, internal) and 63.x.y.z on eth1 (public, external).
>>
>> Then a good start to your ruleset would be:
>>
>>     iptables -P FORWARD DROP
>>     iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>>     iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>     iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 63.x.y.z
>>
>> An improvement on the above rules would be to be more restrictive about what traffic you allow from internal clients to the Internet; however, this is a start.
>>
>> If you don't understand anything about the above rules, feel free to ask again.
>>
>> Antony.
<snip>

Let me try to rephrase your question first so we can try to understand it better. You have a physical router with a firewall between your internal network and the Internet. This is NOT the iptables firewall. It is forwarding ports to your internal network. Are you saying that on that network you have an iptables firewall and you want to use it to restrict inbound traffic to only be the reply packets to sessions the internal computers have initiated?

If this is true, then your first problem is a routing one. How do you get all packets to pass through the iptables device? Probably the cleanest way is to create a new network so that the iptables device has two interfaces - one connected to the router and the other to an entirely different network - different IP address. Then you can set the default gateway of the local computers to the iptables computer. An alternative is to forward all traffic from the router to the iptables server and set the default gateway of all the local computers to be the iptables server.

You must be careful to make sure that no one is listening to redirection packets or the traffic flow will be diverted from the iptables server to be directly between the hardware router and the local computers. You will generate a constant stream of redirection notifications on your network unless you also turn off the ability to send ICMP redirects.

Once you have your routing straight, then we can worry about filtering packets. As already described, the easiest way to assure that only outbound initiated traffic is allowed is to set DENY policies and then allow:

    # eth1 is the internal side here: new sessions may only start from there
    iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
    # eth0 (towards the router) only gets replies to those sessions
    iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Do I correctly understand that you have an e-mail server? Are you sure that you do not need to allow inbound initiated traffic to this device? In other words, do other devices on the Internet send e-mail to it without it first asking for the e-mail? If so, then you will need to add rules to allow this inbound initiated traffic. It would be wisest to put this "public" server on a separate network connected to the iptables server, a DMZ, to keep it away from the internal computers.

Finally, you will need to worry about malicious traffic traveling on the allowed ports. Here is an example of some rules that I load with iptables-restore -n (thus the different syntax) for such protection. I am sure they could be greatly improved:

    *mangle
    :PREROUTING ACCEPT
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :FORWARD ACCEPT
    :POSTROUTING ACCEPT
    # user-defined chains must exist before rules are appended to them
    :ProtectionMangleTCP - [0:0]
    :ProtectionMangleBadTCP - [0:0]
    :ProtectionMangleICMP - [0:0]
    -I PREROUTING 1 -p 6 -j ProtectionMangleTCP
    -I PREROUTING 1 -p 1 -j ProtectionMangleICMP
    # ProtectionMangleBadTCP: log (rate-limited) and drop whatever was sent here
    -A ProtectionMangleBadTCP -p 6 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[SYN,ACK First Packet] "
    -A ProtectionMangleBadTCP -p 6 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
    -A ProtectionMangleBadTCP -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[Suspect TCP Flags] "
    -A ProtectionMangleBadTCP -j DROP
    # ProtectionMangleTCP: illegal or suspicious TCP flag combinations
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ALL ALL -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ALL NONE -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags SYN,FIN SYN,FIN -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags SYN,RST SYN,RST -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags RST,FIN RST,FIN -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ACK,FIN FIN -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ACK,PSH PSH -j ProtectionMangleBadTCP
    -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags URG,ACK URG -j ProtectionMangleBadTCP
    # ProtectionMangleICMP: broadcast pings and ping floods
    -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -d 255.255.255.255 -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[Broadcast Ping] "
    -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -d 255.255.255.255 -j DROP
    -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -m limit --limit 200/s --limit-burst 500 -j RETURN
    -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[Ping Flood] "
    -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -j DROP
    # fragments
    -I PREROUTING 1 -f -i eth1 -j DROP
    # anti-spoofing: $PUBLICIF and $PRIVATENETWORK are placeholders to substitute
    # before loading (iptables-restore does not expand shell variables)
    -A PREROUTING -i ! $PUBLICIF -s $PRIVATENETWORK -j DROP
    COMMIT

You may also want to look at some of the settings available to you via /proc to handle spoofing, source route bridging, icmp redirects, etc.

You may want to take a tour through Oskar Andreasson's fine tutorial on the netfilter web site. You can also find an iptables slide show in the training section at http://iscs.sourceforge.net

Have I understood your questions properly?

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net
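As an added illustration (this is not code from the thread, nor part of John's ruleset), the following Python script models the iptables "--tcp-flags MASK COMP" match and walks the ProtectionMangleTCP chain above, rule by rule and in the posted order, over a handful of constructed TCP packets. It assumes the six classic TCP flags, models the conntrack state as a plain "NEW"/"ESTABLISHED" string, and treats a jump to ProtectionMangleBadTCP as a DROP (which is what that chain ends in); the packets, labels and function names are constructed here for illustration only.

```python
# Added example (not from the thread): a model of the iptables
# "--tcp-flags MASK COMP" match, used to walk the ProtectionMangleTCP chain
# from the ruleset above over constructed packets and see which flag
# combinations it drops. Packet inputs and the chain table are constructed
# here for illustration; the real netfilter code is not involved.

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
ALL = frozenset(TCP_FLAGS)
NONE = frozenset()


def parse_flag_list(spec):
    """Expand an iptables flag list such as 'SYN,ACK', 'ALL' or 'NONE'."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    flags = frozenset(spec.split(","))
    unknown = flags - ALL
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcp_flags_match(mask, comp, packet_flags):
    """iptables --tcp-flags semantics: look only at the flags named in MASK
    and require that exactly the flags in COMP (and no other masked flag)
    are set in the packet."""
    mask = parse_flag_list(mask)
    comp = parse_flag_list(comp)
    if not comp <= mask:
        raise ValueError("COMP must be a subset of MASK")
    return (frozenset(packet_flags) & mask) == comp


# The ProtectionMangleTCP chain as posted, in order:
# (mask, comp, requires conntrack state NEW, label used in the verdict).
# Only the first rule also checks the conntrack state (a SYN,ACK that opens
# a connection instead of answering one); the rest match on flags alone.
PROTECTION_MANGLE_TCP = (
    ("SYN,ACK", "SYN,ACK", True, "SYN,ACK first packet"),
    ("ALL", "ALL", False, "all flags set"),
    ("ALL", "NONE", False, "no flags set"),
    ("SYN,FIN", "SYN,FIN", False, "SYN+FIN"),
    ("SYN,RST", "SYN,RST", False, "SYN+RST"),
    ("RST,FIN", "RST,FIN", False, "RST+FIN"),
    ("ACK,FIN", "FIN", False, "FIN without ACK"),
    ("ACK,PSH", "PSH", False, "PSH without ACK"),
    ("URG,ACK", "URG", False, "URG without ACK"),
)


def protection_mangle_tcp(packet_flags, state):
    """Walk the chain for one TCP packet.

    Returns ("DROP", label) when a rule jumps to ProtectionMangleBadTCP
    (which logs and drops), or ("RETURN", None) when the packet falls off
    the end of the chain and normal processing continues.
    """
    for mask, comp, needs_new, label in PROTECTION_MANGLE_TCP:
        if needs_new and state != "NEW":
            continue
        if tcp_flags_match(mask, comp, packet_flags):
            return ("DROP", label)
    return ("RETURN", None)


# Constructed sample traffic: (description, flags set, conntrack state).
SAMPLE_PACKETS = (
    ("normal connection open", {"SYN"}, "NEW"),
    ("normal handshake reply", {"SYN", "ACK"}, "ESTABLISHED"),
    ("normal data segment", {"PSH", "ACK"}, "ESTABLISHED"),
    ("unsolicited SYN,ACK", {"SYN", "ACK"}, "NEW"),
    ("all six flags set", set(TCP_FLAGS), "NEW"),
    ("FIN,PSH,URG probe", {"FIN", "PSH", "URG"}, "NEW"),
    ("null probe", set(), "NEW"),
    ("lone FIN probe", {"FIN"}, "NEW"),
    ("SYN+FIN", {"SYN", "FIN"}, "NEW"),
)


def classify_samples():
    """Apply the chain to every sample; returns {description: verdict}."""
    return {desc: protection_mangle_tcp(flags, state)
            for desc, flags, state in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, (verdict, label) in classify_samples().items():
        print(f"{desc:24s} -> {verdict}" + (f" ({label})" if label else ""))
```

Two things the walk makes visible that the rule list alone does not: the three legitimate packets pass every rule because each mask/comp pair only looks at the masked bits, and rule order matters for the log prefix you will see, since a packet with all six flags set is already caught by the first rule (it carries SYN and ACK in state NEW) before the "ALL ALL" rule ever runs.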