thoughts on a newbie tutorial i'll be giving shortly

thoughts on a newbie tutorial i'll be giving shortly

[Robert P. J. Day]

  as a really low-level iptables intro i'm giving this monday,
i'm going to show and explain something like the following.
it's deliberately simplified as i have only about a half hour,
but i'm interested in whether anyone here has any kind of 
visceral reaction to this configuration -- whether i'm suggesting
anything violently insecure or anything like that.  (i've removed
a lot of preliminary variable setting, just wanting to show the
salient stuff.)

------------------------

ALLOWED_INCOMING_SERVICES="ssh http"
DISALLOWED_OUTGOING_SERVICES="telnet"

#######################################################
# Set the chain policies.
#######################################################

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT	# Purists probably hate this.


#######################################################
# Start with some REALLY basic rules.
#######################################################

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#######################################################
# Kill really bad outgoing services.
#######################################################

for s in $DISALLOWED_OUTGOING_SERVICES ; do
	$IPT -A OUTPUT -p tcp --dport $s -j DROP
done

#######################################################
# Allow a very small set of incoming services.
#######################################################

for s in $ALLOWED_INCOMING_SERVICES ; do
	$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $s -j ACCEPT
done

------------------------------

  yes, it could be fancier, but it's meant to be a starting
point for total newbies.  

  thoughts?

rday

RE: thoughts on a newbie tutorial i'll be giving shortly

[Knight, Steve]

Hi rob

As a total newbie :) at least to iptables, I think what you have there is
great.

Just my 0.02, if it's worth that much considering I cant even get DNS
lookups from my fw working.....

steve



-----Original Message-----
From: Robert P. J. Day [mailto:rpjday@mindspring.com] 
Sent: 30 October 2003 12.31
To: iptables mailing list
Subject: thoughts on a newbie tutorial i'll be giving shortly



  as a really low-level iptables intro i'm giving this monday,
i'm going to show and explain something like the following.
it's deliberately simplified as i have only about a half hour,
but i'm interested in whether anyone here has any kind of 
visceral reaction to this configuration -- whether i'm suggesting
anything violently insecure or anything like that.  (i've removed
a lot of preliminary variable setting, just wanting to show the
salient stuff.)

------------------------

ALLOWED_INCOMING_SERVICES="ssh http"
DISALLOWED_OUTGOING_SERVICES="telnet"

#######################################################
# Set the chain policies.
#######################################################

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT	# Purists probably hate this.


#######################################################
# Start with some REALLY basic rules.
#######################################################

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#######################################################
# Kill really bad outgoing services.
#######################################################

for s in $DISALLOWED_OUTGOING_SERVICES ; do
	$IPT -A OUTPUT -p tcp --dport $s -j DROP
done

#######################################################
# Allow a very small set of incoming services.
#######################################################

for s in $ALLOWED_INCOMING_SERVICES ; do
	$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $s -j ACCEPT
done

------------------------------

  yes, it could be fancier, but it's meant to be a starting
point for total newbies.  

  thoughts?

rday




.


-----------------------------------------------------------------------
Information in this email may be privileged, confidential and is 
intended exclusively for the addressee.  The views expressed may
not be official policy, but the personal views of the originator.
If you have received it in error, please notify the sender by return
e-mail and delete it from your system.  You should not reproduce, 
distribute, store, retransmit, use or disclose its contents to anyone.
 
Please note we reserve the right to monitor all e-mail
communication through our internal and external networks.
-----------------------------------------------------------------------

RE: thoughts on a newbie tutorial i'll be giving shortly

[Robert P. J. Day]

On Thu, 30 Oct 2003, Knight, Steve wrote:

> Hi rob
> 
> As a total newbie :) at least to iptables, I think what you have there is
> great.
> 
> Just my 0.02, if it's worth that much considering I cant even get DNS
> lookups from my fw working.....

i saw your earlier postings, haven't looked closely at the symptoms,
but based on my little tutorial, i'm not sure why it wouldn't work
if, as i did, you:

1) allow pretty much everything out
2) allow all RELATED,ESTABLISHED stuff back in

  what i posted is based on protecting a single host.  it sounds
like you have a separate firewall protecting an internal network,
is that right?

rday

RE: thoughts on a newbie tutorial i'll be giving shortly

[Rob Sterenborg]

> Just my 0.02, if it's worth that much considering I cant even 
> get DNS lookups from my fw working.....

You have probably set policy to DROP for the OUTPUT chain.
iptables -A OUTPUT -p udp --dport 53 [-d ip_dns] -j ACCEPT
Some would say to also do this for the tcp proto, but this should work.


Gr,
Rob

RE: thoughts on a newbie tutorial i'll be giving shortly

[Robert P. J. Day]

On Thu, 30 Oct 2003, Rob Sterenborg wrote:

> > Just my 0.02, if it's worth that much considering I cant even 
> > get DNS lookups from my fw working.....
> 
> You have probably set policy to DROP for the OUTPUT chain.
> iptables -A OUTPUT -p udp --dport 53 [-d ip_dns] -j ACCEPT
> Some would say to also do this for the tcp proto, but this should work.

there are definitely two schools of thought: 1) those who set a
policy of ACCEPT on OUTPUT and just do all the filtering on INPUT, 
and 2) those who want to be really specific on both INPUT and
OUTPUT.

if you want to be really restrictive on your OUTPUT chain, that's
fine.  but for testing purposes, you might want to open it up,
make sure everything works, *then* lock it down and see what
breaks.  at least you'll be closer to isolating the problem.

rday

RE: thoughts on a newbie tutorial i'll be giving shortly

[Knight, Steve]

Thanks to both the Robs [and the other contributors I hope I've thanked
already!] :D

At the moment, it's a single host - but it will eventually be acting as the
single gateway for a 192.168.x.x LAN + DMZ, and I will be implementing a
fairly strict ruleset on the FORWARD chain [there are some monkeys who'd be
Kazaaing and IRCing in a moment if I didn't] - which is why I'm trying all
sorts of mojo on the INPUT/OUTPUT chains right now so I can get comfortable
with the syntax.

Ive relented for the moment [for testing purposes] to OUTPUT ACCEPT policy
and of course it's working as expected, but I'm intrigued as to why the
rules didn't work.

I almost feel like apologising for the lame questions, as the majority of
contributors to this list are clearly seasoned veterans, but I really am
determined to get myself up to speed [hence the purchase of the Ziegler
bible] with iptables and *nix security more as a personal mission [to become
as comfortable with *nix as I am with Windows], than a business need [if it
was only business I'd have used ISA or Checkpoint, which I have my certs
in].

Cheers

Steve


-----------------------------------------------------------------------
Information in this email may be privileged, confidential and is 
intended exclusively for the addressee.  The views expressed may
not be official policy, but the personal views of the originator.
If you have received it in error, please notify the sender by return
e-mail and delete it from your system.  You should not reproduce, 
distribute, store, retransmit, use or disclose its contents to anyone.
 
Please note we reserve the right to monitor all e-mail
communication through our internal and external networks.
-----------------------------------------------------------------------

RE: thoughts on a newbie tutorial i'll be giving shortly

[Robert P. J. Day]

On Thu, 30 Oct 2003, Knight, Steve wrote:

> Thanks to both the Robs [and the other contributors I hope I've thanked
> already!] :D
> 
> At the moment, it's a single host - but it will eventually be acting as the
> single gateway for a 192.168.x.x LAN + DMZ, and I will be implementing a
> fairly strict ruleset on the FORWARD chain [there are some monkeys who'd be
> Kazaaing and IRCing in a moment if I didn't] - which is why I'm trying all
> sorts of mojo on the INPUT/OUTPUT chains right now so I can get comfortable
> with the syntax.
> 
> Ive relented for the moment [for testing purposes] to OUTPUT ACCEPT policy
> and of course it's working as expected, but I'm intrigued as to why the
> rules didn't work.

so add a logging rule like:

  iptables -A INPUT -p tcp --dport 53 -j LOG

or something to that effect to see what happens to that traffic
when it comes in, then tail the file /var/log/messages.  at least
you'll see the traffic.

rday

RE: thoughts on a newbie tutorial i'll be giving shortly

[Rob Sterenborg]

> there are definitely two schools of thought: 1) those who set 

I know ;o)

> if you want to be really restrictive on your OUTPUT chain, 
> that's fine.  but for testing purposes, you might want to 
> open it up, make sure everything works, *then* lock it down 
> and see what breaks.  at least you'll be closer to isolating 
> the problem.

I was referring to the last statement, not your question (which makes
this OT btw, but I wanted to answer Steve) :
> > Just my 0.02, if it's worth that much considering I cant even get 
> > DNS lookups from my fw working.....

In your case I'd not set policy to DROP for OUPUT.
IMHO it would be overkill for an introduction of approx. 30 minutes.


Gr,
Rob

RE: thoughts on a newbie tutorial i'll be giving shortly

[Knight, Steve]

Cheers guys - this is really helpful stuff. I've set it to OUTPUT ACCEPT and
will ensure all works as expected then work my way from there, plus lots of
logging. 

Thanks heaps

s


-----Original Message-----
From: Rob Sterenborg [mailto:rob@sterenborg.info] 
Sent: 30 October 2003 3.56
To: 'Robert P. J. Day'
Cc: 'iptables mailing list'
Subject: RE: thoughts on a newbie tutorial i'll be giving shortly


> there are definitely two schools of thought: 1) those who set 

I know ;o)

> if you want to be really restrictive on your OUTPUT chain, 
> that's fine.  but for testing purposes, you might want to 
> open it up, make sure everything works, *then* lock it down 
> and see what breaks.  at least you'll be closer to isolating 
> the problem.

I was referring to the last statement, not your question (which makes
this OT btw, but I wanted to answer Steve) :
> > Just my 0.02, if it's worth that much considering I cant even get 
> > DNS lookups from my fw working.....

In your case I'd not set policy to DROP for OUPUT.
IMHO it would be overkill for an introduction of approx. 30 minutes.


Gr,
Rob




.


-----------------------------------------------------------------------
Information in this email may be privileged, confidential and is 
intended exclusively for the addressee.  The views expressed may
not be official policy, but the personal views of the originator.
If you have received it in error, please notify the sender by return
e-mail and delete it from your system.  You should not reproduce, 
distribute, store, retransmit, use or disclose its contents to anyone.
 
Please note we reserve the right to monitor all e-mail
communication through our internal and external networks.
-----------------------------------------------------------------------

Re: thoughts on a newbie tutorial i'll be giving shortly

[Tarek W.]

http://ticallion.nuit.ca/pub/iptables/ is something u should be looking
at... it's a tutorial on irc I gave a while ago... purpose of which is
to really make the user able to (ab/)use iptables.

u should look at it to either "grep -P" interesting things or inspect
carefully for things to avoid :P

either way, people r invited to send flames/comments/wanton written
violence to tarek [at] cyberia -dot- net /dot/ lb. errata should come
out this week...

happy hacking,
Tarek

On Thu, 2003-10-30 at 14:30, Robert P. J. Day wrote:
> 
>   as a really low-level iptables intro i'm giving this monday,
> i'm going to show and explain something like the following.
> it's deliberately simplified as i have only about a half hour,
> but i'm interested in whether anyone here has any kind of 
> visceral reaction to this configuration -- whether i'm suggesting
> anything violently insecure or anything like that.  (i've removed
> a lot of preliminary variable setting, just wanting to show the
> salient stuff.)
<snip>

RE: thoughts on a newbie tutorial i'll be giving shortly

[George Vieira]

that's interesting..(off that URL) "I've been using iptables since RHL 7.0, a bit before that"

RedHat 7.0 came with 2.2 kernel... how you get iptables compilable on it?? ;)

Thanks,
____________________________________________
George Vieira 

> -----Original Message-----
> From: Tarek W. [mailto:ticallion@hotpop.com]
> Sent: Friday, 31 October 2003 11:08 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: thoughts on a newbie tutorial i'll be giving shortly
> 
> 

RE: thoughts on a newbie tutorial i'll be giving shortly

[Daniel Chemko]

Way to jump on the guys back! Especially after he went through the
horror that was -Redhat 7.0-!

Speaking of nostalgia, I'm finally decommissioning my home firewall
which I built on top of Redhat 7.1 when rh7.1 was brand new. It used to
be 7.0, but for obvious reasons, I did not stick with that particular
version. Anyways, I'm combining the firewall and the file server to
conserve heat if you can believe it. Reboots: 3 (I really love Linux).
Running 4 PC's from my apartment really gets warm after a while!

PS: Please no gratuitous no server software on the firewall jokes! I am
hurting enough as it is.

Re: thoughts on a newbie tutorial i'll be giving shortly

[Arnt Karlsen]

On Thu, 30 Oct 2003 07:30:47 -0500 (EST), 
"Robert P. J. Day" <rpjday@mindspring.com> wrote in message 
<Pine.LNX.4.44.0310300725550.18040-100000@localhost.localdomain>:

> 
>   as a really low-level iptables intro i'm giving this monday,
> i'm going to show and explain something like the following.
> it's deliberately simplified as i have only about a half hour,
> but i'm interested in whether anyone here has any kind of 
> visceral reaction to this configuration -- whether i'm suggesting
> anything violently insecure or anything like that.  (i've removed
> a lot of preliminary variable setting, just wanting to show the
> salient stuff.)
> 
> ------------------------
> 
> ALLOWED_INCOMING_SERVICES="ssh http"
> DISALLOWED_OUTGOING_SERVICES="telnet"
> 
> #######################################################
> # Set the chain policies.
> #######################################################
> 
> $IPT -P INPUT DROP
> $IPT -P FORWARD DROP
> $IPT -P OUTPUT ACCEPT	# Purists probably hate this.
> 
> 
> #######################################################
> # Start with some REALLY basic rules.
> #######################################################
> 
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
> 
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> #######################################################
> # Kill really bad outgoing services.
> #######################################################
> 
> for s in $DISALLOWED_OUTGOING_SERVICES ; do
> 	$IPT -A OUTPUT -p tcp --dport $s -j DROP
> done

.." -j DROP " times out boxes in your lan, you may want " -j REJECT". 
 
> #######################################################
> # Allow a very small set of incoming services.
> #######################################################
> 
> for s in $ALLOWED_INCOMING_SERVICES ; do
> 	$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $s -j ACCEPT
> done
> 
> ------------------------------
> 
>   yes, it could be fancier, but it's meant to be a starting
> point for total newbies.  
> 
>   thoughts?
> 
> rday
> 
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

Re: thoughts on a newbie tutorial i'll be giving shortly

[Arnt Karlsen]

On Fri, 31 Oct 2003 11:36:52 +1100, 
"George Vieira" <georgev@citadelcomputer.com.au> wrote in message 
<09B04A55822EFF4DA48D2E0BB2941D4A28AC99@wardrive.citadelcomputer.com.au
>:

> that's interesting..(off that URL) "I've been using iptables since RHL
> 7.0, a bit before that"
> 
> RedHat 7.0 came with 2.2 kernel... how you get iptables compilable on
> it?? ;)

..by _delaying_ RH-7.0?  Myself, I stayed on RH-6.2 until I heard 
RH-7.1 was stable.  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

RE: thoughts on a newbie tutorial i'll be giving shortly

[Tarek W.]

I didn't remember exactly when I started using it... hence, the
reference to RHL 7.0.

http://mirrors.kernel.org/redhat/redhat/linux/7.0/en/ -> 13-Jul-2002
03:32

http://netfilter.org/files/iptables-1.0.0.tar.bz2 -> 04-Jan-2002 23:54

have u heard of vanilla kernels?! some people use RHL for the structured
fs layout and the care developers give sysadmins in sysVinit scripts for
one, using custom kernels in case the concept is foreign to u.

and just for people like u, in the errata, I'll change "ever since RHL
7.0" to "ever since I started using RHL 7.0", might even add "in 2003"
just cos I'd rather have constructive criticism.

happy hacking everybody,
Tarek

On Fri, 2003-10-31 at 02:36, George Vieira wrote:
> that's interesting..(off that URL) "I've been using iptables since RHL 7.0, a bit before that"
> 
> RedHat 7.0 came with 2.2 kernel... how you get iptables compilable on it?? ;)
> 
> Thanks,
> ____________________________________________
> George Vieira 
> 
> > -----Original Message-----
> > From: Tarek W. [mailto:ticallion@hotpop.com]
> > Sent: Friday, 31 October 2003 11:08 AM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: thoughts on a newbie tutorial i'll be giving shortly
> > 
> >