* can someone check this simple firewall?
From: Payal Rathod @ 2003-08-14 18:28 UTC (permalink / raw)
To: netfilter
Hi,
I have designed a simple firewall ruleset. Can someone please check
them?
It is kept at http://payal.staticky.com/firewall-1.txt
[Thanks Ralf, I will reply to your mail a bit later when someone
cross-checks this too.]
The objective is as follows,
                  eth0=1.2.3.4
+----------+    +----------+    +--------------+
| INTERNET +----+  LINUX   +----+   WINDOWS    |
|          |    | FIREWALL |    |   CLIENTS    |
+----------+    +----------+    +--------------+
           eth1=192.168.10.100   192.168.10.0/25
Linux box is connected to net thru a permanent ip (1.2.3.4)
LAN users can go anywhere on net as well as Linux box.
So can the Linux box.
But from outside people can connect only to port 21, 22, 80 and can ping
the Linux box (to check whether it is alive or not). Rest everything is
blocked.
Can someone please check my ruleset and tell me whether it will achieve
my objective. I can test that box for very little time, so I have to do all
the work from a different machine and then copy that file to that Linux
box. Hence any help in finding problems will be appreciated.
Thanks and bye.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
* Re: can someone check this simple firewall?
From: Gavin Hamill @ 2003-08-13 18:58 UTC (permalink / raw)
To: netfilter
On Thu, Aug 14, 2003 at 11:58:10PM +0530, Payal Rathod wrote:
> Hi,
> I have designed a simple firewall ruleset. Can someone please check
> them?
> It is kept at http://payal.staticky.com/firewall-1.txt
Just a couple of points...
You might want to include the interfaces in your rules... e.g.
$IPTABLES -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
Also, -s 0/0 is the default, and does not need to be specified...
Finally, the udp INPUT rules serve no purpose for FTP, SSH or HTTP :)
Cheers,
Gavin.
* Matching misc TCP header fields
From: Elver Loho @ 2003-08-14 5:27 UTC (permalink / raw)
To: netfilter
Any quick hints on how to match misc TCP header fields such as the window
size? This new "worm" out there that sends portscans from spoofed IP
addresses setting window size to 55808 is pretty interesting. I've captured
some interesting traffic with that window size using tcpdump. How to do the
same using netfilter? Quick search on the manpage didn't reveal anything
related. Same result with a quick google query.
Elver
* Re: Matching misc TCP header fields
From: Maciej Soltysiak @ 2003-08-14 7:08 UTC (permalink / raw)
To: Elver Loho; +Cc: netfilter
> Any quick hints on how to match misc TCP header fields such as the window
> size? This new "worm" out there that sends portscans from spoofed IP
> addresses setting window size to 55808 is pretty interesting.
Funny that you mention it, out of the blue and curiosity I once made a
tcp window match, but never told anyone as that kind of match seemed
useless.
> some interesting traffic with that window size using tcpdump. How to do the
> same using netfilter? Quick search on the manpage didn't reveal anything
> related. Same result with a quick google query.
If you are interested I will look for it on my hdd.
Regards,
Maciej
* Re: can someone check this simple firewall?
From: Ralf Spenneberg @ 2003-08-14 10:18 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter
On Thu, 2003-08-14 at 20.28, Payal Rathod wrote:
> Hi,
> I have designed a simple firewall ruleset. Can someone please check
> them?
> It is kept at http://payal.staticky.com/firewall-1.txt
1. FTP, SSH and HTTP are only TCP. You can remove the UDP rules.
2. You should never see any packets coming from 127.0.0.1 going to any
other IP-address than 127.0.0.1. To allow localhost traffic just do
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
3. Last output rule seems bogus. You probably mean -d 0/0 but you can
omit that since it is the default value.
4. First and last rule in the Forward chain do the same. Drop one of
them. (I would drop the first one ;-)
5. You can use connection tracking for the INPUT and OUTPUT chains as
well.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
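Payal's firewall-1.txt is linked but never quoted in this thread, so here is an added example ruleset (my code, not Payal's file) that implements the objective from the first post with Gavin's and Ralf's corrections applied: interfaces named in every rule, TCP only for 21/22/80, no -s 0/0, loopback allowed by interface, one FORWARD rule, and connection tracking on INPUT and FORWARD. The interface names and addresses are the ones in the post; the SNAT rule, the ICMP rule, the use of `-m conntrack --ctstate` (the modern spelling of `-m state --state`) and the dry-run switch are my assumptions.

```shell
#!/bin/sh
# Added example, not Payal's own ruleset: firewall for the objective in
# the first post, with the fixes from Gavin's and Ralf's replies.
# Addresses and interfaces are from the post.  IPT defaults to iptables;
# set IPT="echo iptables" (or use --dry-run) to print the rules instead.

EXT_IF=eth0
INT_IF=eth1
EXT_IP=1.2.3.4
LAN=192.168.10.0/25

build_firewall() {
    ipt=${IPT:-iptables}

    # Clean slate; deny by default on INPUT and FORWARD.
    $ipt -F
    $ipt -t nat -F
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT          # "so can the Linux box" go anywhere

    # Ralf's point 2: loopback by interface, not by 127.0.0.1 address.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # Ralf's point 5: connection tracking admits replies to anything the
    # box or the LAN initiated, so only NEW connections need explicit rules.
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Gavin's point: name the interface.  Ralf's point 1: TCP only, so no
    # UDP rules for FTP, SSH or HTTP.  -s 0/0 is the default and is omitted.
    for port in 21 22 80; do
        $ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outside may ping the box to see whether it is alive.
    $ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # LAN users may reach the Linux box itself on anything.
    $ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT

    # LAN -> Internet: one rule only (Ralf's point 4: no duplicates).
    $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    # The box has a permanent address, so SNAT rather than MASQUERADE.
    $ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"
}

case "${1-}" in
    --apply)
        build_firewall
        echo 1 > /proc/sys/net/ipv4/ip_forward   # routing between eth1 and eth0
        ;;
    --dry-run)
        IPT="echo iptables" build_firewall
        ;;
esac
```

Review the `--dry-run` output on another machine, as Payal intends, before copying the file over. Two things the thread does not mention but which this ruleset depends on: passive FTP data connections are only RELATED if the FTP conntrack helper is loaded (`ip_conntrack_ftp` on 2003-era kernels, `nf_conntrack_ftp` today), and the LAN's Windows clients are covered by the FORWARD and SNAT rules only once IP forwarding is switched on, which the `--apply` branch does.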
* Re: can someone check this simple firewall?
From: Chris Wilson @ 2003-08-14 11:01 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Payal Rathod, Netfilter
Hi Ralf, hi Payal,
> 2. You should never see any packets coming from 127.0.0.1 going to any
> other IP-address than 127.0.0.1.
I don't believe that to be the case. I think that any communication from
the machine back to itself, addressed to any of its IP addresses, will be
routed over the loopback interface rather than any Ethernet or other
device.
> To allow localhost traffic just do
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
But these rules are correct.
Cheers, Chris.
--
___ __ _
/ __// / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |