* RE: can someone check this simple firewall?
@ 2003-08-13 22:39 Daniel Chemko
2003-08-15 17:55 ` Payal Rathod
0 siblings, 1 reply; 7+ messages in thread
From: Daniel Chemko @ 2003-08-13 22:39 UTC (permalink / raw)
To: Payal Rathod, netfilter
#!/bin/sh
LAN_IP_RANGE="192.168.10.0/24"
LAN_IP="192.168.10.100"
#LAN_BCAST_ADRESS="192.168.10.100"
LOCALHOST_IP="127.0.0.1"
STATIC_IP="1.2.3.4"
INET_IFACE="eth0"
LAN_IFACE="eth1"
IPTABLES="/sbin/iptables"
#/sbin/depmod -a
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_MASQUERADE
->> You probably want at least:
->> modprobe ipt_conntrack_ftp
->> modprobe ipt_nat_ftp
$IPTABLES -F
$IPTABLES -F -t nat
->> Set this AFTER you have setup all your rules, otherwise you have a
hole for hackers to reach through while applying rules
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
$STATIC_IP
# MAKE DEFAULT AS DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
->> OUTPUT description below
$IPTABLES -P FORWARD DROP
# ACCEPT ANY CONNECTION FROM LAN
# ACCEPT CONNECTION TO ONLY 21, 22, 80 FROM OUTSIDE
# DENY REST
# ALLOW PING FROM EVERYWHERE
$IPTABLES -A INPUT -s $LAN_IP_RANGE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -s $LOCALHOST_IP -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -s $LOCALHOST_IP -d 0/0 -j ACCEPT
->> Should instead be a related rule:
->> $IPTABLES -A INPUT -i lo -j ACCEPT # All Outbounds are ok
->> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #
Allow valid responses back in
->>Only TCP connections, not UDP and -s 0/0 is redundant
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 80 -j ACCEPT
->> This will not work for responses. Use this as well:
->> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT if you want
internet pings from the firewall to work
$IPTABLES -A INPUT -p icmp -s $LAN_IP_RANGE -j ACCEPT
# ALLOW LAN CLIENTS TO GO ANYWHERE ON NET
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp -s $LAN_IP_RANGE -j ACCEPT
->> $IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.0/24 -m state --state NEW -j ACCEPT
->> What is covered in this line that the first forward line does not??
# ALLOW ANY CONNECTION FROM LINUX SERVER TO INTERNET
->> This section is not needed. Set:
->> iptables -P OUTPUT ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
$IPTABLES -A OUTPUT -p icmp s 0/0 -j ACCEPT
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: can someone check this simple firewall?
2003-08-13 22:39 can someone check this simple firewall? Daniel Chemko
@ 2003-08-15 17:55 ` Payal Rathod
2003-08-14 19:36 ` Can someone please explain to a newbie? Stephen J. McCracken
0 siblings, 1 reply; 7+ messages in thread
From: Payal Rathod @ 2003-08-15 17:55 UTC (permalink / raw)
To: Daniel Chemko; +Cc: netfilter
Thanks a lot for the detailed explanation.
Comments inline.
On Wed, Aug 13, 2003 at 03:39:39PM -0700, Daniel Chemko wrote:
> ->> You probably want at least:
> ->> modprobe ipt_conntrack_ftp
> ->> modprobe ipt_nat_ftp
ok.
> $IPTABLES -F
> $IPTABLES -F -t nat
>
> ->> Set this AFTER you have setup all your rules, otherwise you have a
> hole for hackers to reach through while applying rules
?????? But this will erase all the rules which we have set if you do it
at last.
> ->> Should instead be a related rule:
> ->> $IPTABLES -A INPUT -i lo -j ACCEPT # All Outbounds are ok
> ->> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #
Got it. Great.
> ->>Only TCP connections, not UDP and -s 0/0 is redundant
> $IPTABLES -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
[...]
Ok. A bit OT here, but why not UDP? /etc/services lists udp also for the
same.
> $IPTABLES -A INPUT -p udp -s 0/0 --dport 80 -j ACCEPT
> ->> This will not work for responses. Use this as well:
> ->> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT if you want
> internet pings from the firewall to work
> $IPTABLES -A INPUT -p icmp -s $LAN_IP_RANGE -j ACCEPT
What is wrong with my rules?
> ->> This section is not needed. Set:
> ->> iptables -P OUTPUT ACCEPT
Ok. Then why not the same for FORWARD chain too? Since we are forwarding
everything from LAN outside as well?
If we want people to just do ftp and nothing else, will this be ok,
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s 192.168.10.0/24 -d 0/0 --dport 21 -j ACCEPT
Thanks a lot for the wonderful explanation.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Can someone please explain to a newbie?
2003-08-15 17:55 ` Payal Rathod
@ 2003-08-14 19:36 ` Stephen J. McCracken
0 siblings, 0 replies; 7+ messages in thread
From: Stephen J. McCracken @ 2003-08-14 19:36 UTC (permalink / raw)
To: netfilter
I am using giptables to help setup iptables on two RH7.3 boxes. These
two are sibling proxies in our organization. The two have basically
identical rulesets, but one gets many of the following logged to the
syslog while the other very few:
Aug 11 13:57:10 webfilter2 kernel: giptables-end-of-firewall: IN=
OUT=eth0 SRC=10.129.130.5 DST=10.129.184.28 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=33149 DF PROTO=TCP SPT=8080 DPT=1100 WINDOW=5840 RES=0x00 ACK
FIN URGP=0
Aug 11 13:57:12 webfilter2 kernel: giptables-end-of-firewall: IN=
OUT=eth0 SRC=10.129.130.5 DST=10.129.184.31 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=37565 DF PROTO=TCP SPT=8080 DPT=1660 WINDOW=5840 RES=0x00 ACK
FIN URGP=0
Aug 11 14:02:43 webfilter2 kernel: giptables-end-of-firewall: IN=
OUT=eth0 SRC=10.129.130.5 DST=10.129.184.22 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=646 DF PROTO=TCP SPT=8080 DPT=2163 WINDOW=5840 RES=0x00 ACK
FIN URGP=0
Aug 11 14:04:21 webfilter2 kernel: giptables-end-of-firewall: IN=
OUT=eth0 SRC=10.129.130.5 DST=10.129.134.27 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=47763 DF PROTO=TCP SPT=8080 DPT=1308 WINDOW=5840 RES=0x00 ACK
FIN URGP=0
But I have the following rules generated by giptables:
iptables -A interface0_in -p tcp -s 10.129.134.0/23 --sport 1024:65535
-d 10.129.130.5 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 10.129.130.5 --sport 8080 -d
10.129.134.0/23 --dport 1024:65535 -m state --state ESTABLISHED -j
ACCEPT
iptables -A interface0_in -p tcp -s 10.129.184.0/23 --sport 1024:65535
-d 10.129.130.5 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 10.129.130.5 --sport 8080 -d
10.129.184.0/23 --dport 1024:65535 -m state --state ESTABLISHED -j
ACCEPT
iptables -A interface0_in -p tcp -s 172.16.0.0/25 --sport 1024:65535 -d
10.129.130.5 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A interface0_out -p tcp -s 10.129.130.5 --sport 8080 -d
172.16.0.0/25 --dport 1024:65535
-m state --state ESTABLISHED -j ACCEPT
^ permalink raw reply [flat|nested] 7+ messages in thread
* can someone check this simple firewall?
@ 2003-08-14 18:28 Payal Rathod
2003-08-13 18:58 ` Gavin Hamill
2003-08-14 10:18 ` Ralf Spenneberg
0 siblings, 2 replies; 7+ messages in thread
From: Payal Rathod @ 2003-08-14 18:28 UTC (permalink / raw)
To: netfilter
Hi,
I have designed a simple firewall ruleset. Can someone please check
them?
It is kept at http://payal.staticky.com/firewall-1.txt
[Thanks Ralf, I will reply to your mail a bit later when someone
cross-checks this too.]
The objective is as follows,
eth0=1.2.3.4
+----------+ +----------+ +--------------+
| INTERNET +------+ LINUX +--------+ WINDOWS |
| | | FIREWALL | | CLIENTS |
+----------+ +----------+ +--------------+
eth1=192.168.10.100 192.168.10.0/25
Linux box is connected to net thru a permanent ip (1.2.3.4)
LAN users can go anywhere on net as well as Linux box.
So can the Linux box.
But from outside people can connect only to port 21, 22, 80 and can ping
the Linux box (to check whether it is alive or not). Rest everything is
blocked.
Can someone please check my ruleset and tell me whether it will achieve
my obective. I can test that box for very less time so have to do all
the work from a different machine and then copy that file to that Linux
box. Hence any help in finding problems will be appreciated.
Thanks and bye.
With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: can someone check this simple firewall?
2003-08-14 18:28 can someone check this simple firewall? Payal Rathod
@ 2003-08-13 18:58 ` Gavin Hamill
2003-08-14 10:18 ` Ralf Spenneberg
1 sibling, 0 replies; 7+ messages in thread
From: Gavin Hamill @ 2003-08-13 18:58 UTC (permalink / raw)
To: netfilter
On Thu, Aug 14, 2003 at 11:58:10PM +0530, Payal Rathod wrote:
> Hi,
> I have designed a simple firewall ruleset. Can someone please check
> them?
> It is kept at http://payal.staticky.com/firewall-1.txt
Just a couple of points...
You might want to include the interfaces in your rules... e.g.
$IPTABLES -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
Also, -s 0/0 is the default, and does not need to be specified...
Finally, the udp INPUT rules serve no purpose for FTP, SSH or HTTP :)
Cheers,
Gavin.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: can someone check this simple firewall?
2003-08-14 18:28 can someone check this simple firewall? Payal Rathod
2003-08-13 18:58 ` Gavin Hamill
@ 2003-08-14 10:18 ` Ralf Spenneberg
2003-08-14 11:01 ` Chris Wilson
1 sibling, 1 reply; 7+ messages in thread
From: Ralf Spenneberg @ 2003-08-14 10:18 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter
Am Don, 2003-08-14 um 20.28 schrieb Payal Rathod:
> Hi,
> I have designed a simple firewall ruleset. Can someone please check
> them?
> It is kept at http://payal.staticky.com/firewall-1.txt
1. FTP, SSH and HTTP are only TCP. You can remove the UDP rules.
2. You should never see any packets coming from 127.0.0.1 going to any
other IP-address than 127.0.0.1. To allow localhost traffic just do
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
3. Last output rule seems bogus. You probably mean -d 0/0 but you can
omit that since it is the default value.
4. First and last rule in the Forward chain do the same. Drop one of
them. (I would drop the first one ;-)
5. You can use connection tracking for the INPUT and OUTPUT chains as
well.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: can someone check this simple firewall?
2003-08-14 10:18 ` Ralf Spenneberg
@ 2003-08-14 11:01 ` Chris Wilson
0 siblings, 0 replies; 7+ messages in thread
From: Chris Wilson @ 2003-08-14 11:01 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Payal Rathod, Netfilter
Hi Ralf, hi Payal,
> 2. You should never see any packets coming from 127.0.0.1 going to any
> other IP-address than 127.0.0.1.
I don't believe that to be the case. I think that any communication from
the machine back to itself, addressed to any of its IP addresses, will be
routed over the loopback interface rather than any Ethernet or other
device.
> To allow localhost traffic just do
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
But these rules are correct.
Cheers, Chris.
--
___ __ _
/ __// / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2003-08-15 17:55 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-08-13 22:39 can someone check this simple firewall? Daniel Chemko
2003-08-15 17:55 ` Payal Rathod
2003-08-14 19:36 ` Can someone please explain to a newbie? Stephen J. McCracken
-- strict thread matches above, loose matches on Subject: below --
2003-08-14 18:28 can someone check this simple firewall? Payal Rathod
2003-08-13 18:58 ` Gavin Hamill
2003-08-14 10:18 ` Ralf Spenneberg
2003-08-14 11:01 ` Chris Wilson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox