Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
HOWTO: Iptables for newbies. PART II: Securing your Network
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Sat Apr 10, 2004 8:29 am    Post subject: HOWTO: Iptables for newbies. PART II: Securing your Network Reply with quote

Iptables for Newbies
Part II: Hardening Your Firwall
(part one can be found here: Part I: Getting up and running)
First Draft

*NOTE* It takes me a bit of time putting these together. So if it helped an you'd like to see the series continue put a quick post so I know it's being used and not just glanced at. :D
*NOTE* --2004-09-17-- I've let this howto lag for while, partly due to a lot of work and partly due to laziness. However, I've gotten a lot of responses, feedback, and input recently and it seems to be picking up popularity so I intend to give it an overhaul this week.

cheers!

In the following howto we're going to further secure our now functional firewall. By the time we are through we should have a set of tested rules and policies that will prevent not only attacks to our own computer, but also attacks from our computer to the internet. Protecting others from the possibility of being attacked by one of our compromised computers is an essential and often overlooked aspect of security and common internet courtesy. I would even say for the SOHO network this is the most important aspect. Normally virus infection is only a minor nussence to a small network and rarely results in data loss....for us 100% *nix users it practically doesn't even exist. However, since small soho networks are often less secure then larger ones they are a favorite target for crackers looking for a “launchpad” for DoS attacks or other underhanded skullduggary.

The follwing is offered in a piece meal fashion in a sequence which enables the easiest step by step testing. Each step may require that something be inserted before, after, or in the middle of our existing script. This was done so that (hopefully) your network will only go down for a brief period during setup. I've done it this way because I have assumed many of you (like me) have a stand alone linux firewall/server. Since my preferred method is ssh, the network going down can be a PITA involving crawling under tables and such. If your daring, you can just copy the script at the end and run it. It should be fully functional, but I have only tested it on my system so ymmv.
    **change log**
    1. Added ip_conntrack_ftp and ip_nat_ftp modules to eliminate PASV error when emerging.
    2. Eliminated filtering on the nat chain. I was having some "unpredictable results" and this cleared it up. It should not affect security at all since the filter chain is still, well, filtered. :)

    Necessary Tools
    3. Corrected typo error at end of script: changed 'iptables' to $IPT

    * ifconfig
    * iptables
    * grep
    * sed


Setting up environment variables

We will define our networks interfaces and various tools used in the script:
Code:
vim myfw



Code:
#!/bin/bash

# External interface
EXTIF='ppp0'
# Internal interface
INTIF1='eth0'
INTIF2='eth1'

# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
# The above EXTBC is for those lucky enough to have a straight up ethernet.
# For pppoe users we just hard set it to a all expansive value
EXTBC=255.255.255.255
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

#Setting up environment variables for internal interface two
INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC2="`$IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET2="$INTIP2/$INTMSK2"


*NOTE* I have commented out the external broadcast from the above script due to the ppp0 connection not having one. This would normally be used to prevent "egress broadcasts" or outgoing broadcast (I will talk more on this later). As a solution I set EXTBC to 255.255.255.255, as I believe this will accomplish the same goal. If anyone has insight into the hitch let me know.

Ok, now lets exit out of vim and test to ensure that our environment variables are being correctly set:
chmod 700 myfw;./myfw

Your output should be similar to this:
Code:
EXTIP=204.223.98.5 EXTBC=255.255.255.255 EXTMSK=255.255.255.255 EXTNET=204.223.98.5/255.255.255.255
INTIP1=192.168.0.78 INTBC1=192.168.0.255 INTMSK1=255.255.0.0 INTNET1=192.168.0.78/255.255.0.0
INTIP2=192.168.1.78 INTBC2=192.168.1.255 INTMSK2=255.255.255.0 INTNET2=192.168.1.78/255.255.255.0


Ok now we're going to set up the ACCEPTS which will allow us to communicate with our server. In reality this is very ill advised. A solid firewall policy should DENY than ACCEPT. But if you do that you lose all connections while your testing so your not sure if your ACCEPT rules work at all. So, though we are entering this first, it will be the second to last rule set in the final script.

Code:
$IPT -t nat -A PREROUTING                       -j ACCEPT
# $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to $EXTIP
# Comment out next line (that has "MASQUERADE") to not NAT internal network
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
                                                                               
$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
                                                                               
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


Next we are going to define a couple of custom chains which will log drop and reject events. This way we don't have to enter a separate line for each command entered. The logs will be sent to where your syslog default log messages are sent (usually /var/log/messages). Later I'm going to write a grep/sed script that will parse and organize these for easy viewing and set it as a daily cron job.

This should be inserted immediately after the above definitions. When you are done, run the script again. It should have no affect on functionality of the network since we're just setting definitions. But it will ensure that we have no errors thusfar.
Code:

# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
                                                                                                                                                       
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                                                                                                       
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT


Ok, now that we see our devices are being detected properly, we are going to insert a flush commands. So that when our rules are assigned it will be done cleanly. These lines should be inserted after our utilities definitions, the last one being: SED='/bin/sed'

Code:

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS
do
    $IPT -t $i -F
done
                                                                                                                                                       
for i in $CHAINS
do
    $IPT -t $i -X
done


Now we're ready to start laying down some rules. First we are going to accept all packets from our loopback device if the ip address matches that of any of our local interfaces:
Code:

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT

Now we will block broadcasts both incoming and outgoing. This is can prevent DoS attacks against us, as well as preventing our clients from being used to DoS someone else. This is part of what's called "Egress Protection". It's a do unto your neighbour sort of philosophy. If all SysAdmins followed this policy, than many of the more severe and costly DoS attacks would either not have occurred or been extremely limited.
Code:

# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A INPUT   -i $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A FORWARD -o $INTIF2 -d   $INTBC2  -j DROPl


Now test the script once more to ensure we have no syntax errors. Also notice that we are using our newly defined DROPl chain. This means that the dropped packets will be logged. Next we are going to block WAN access our LAN if not specifically intended for our ips assigne ip:
Code:

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into  our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
                                                                               
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl


We're going to apply the same logic to our internal lan. In other words, any packets not originating from our predefined internal network will be rejected:

Code:

# Now we will block internal addresses originating from anything buy our
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
                                                                               
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl

# Interface two/internal net two
$IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl
$IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl

Next we do some more Egress checking of outgoing packets and stop all icmp requests except for pinging:

Code:

# An additional Egress check
                                                                               
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
                                                                               
# Block outbound ICMP (except for PING)
                                                                               
$IPT -A OUTPUT  -o $EXTIF -p icmp \
  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl


Ok, where moving along now and we should test the script for errors. Assuming an all clear we're going to start plugging some of the more bothersome port holes:
Code:

# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 432

# TCP ports:
# 98 is Linuxconf
# 512-5!5 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
                                                                               
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
9 6346 3128 8000 8008 8080 12345 65535"


After defining the environment variables all we have to do is a simple for loop to assign rules to them all:
Code:

echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
                                                                               
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
    $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""


Ok, now with iptables each time we run the script it simply appends these to already existing chains...so things are probably getting a bit messy. For that reason we're going to jump to the beginning of our script....right after the enviroment variables for sed and grep, but before those of EXTIP and EXTBC and add a loop that deletes and flushes. This ensure we're working from a clean state. We didn't want to do that before because we couldn't have tested our script without either shutting down our connection or dropping our firewall completely. This script first sets all policies to DROP, than flushes and deletes our chains. In order to ensure that we can still ssh back into our server after a script restart we are going to append an INPUT chain for ssh. This should always be placed at the end of the script for now. This done in order to prevent a window from opening up while we reset rules which is a common error made:
Code:

# Deny than accept: this keeps holes from opening up
# while we close ports and such
                                                                               
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
                                                                               
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
                                                                               
for i in $CHAINS;
do
    $IPT -t $i -X
done

$IPT -A INPUT   -i $INTIF1 -p tcp                      --dport 22 \
   --syn -m state --state NEW -j ACCEPT


Right afterwards we are going to activate the sysctl's for tcp_syncookies, icmp_echo_ignore_broadcasts, rp_filter, and accept_source_route. Heretofore many of the rules we've been "testing" haven't been able to actually work. In essence we were simply doing syntax error tests. Now our rules will be "for real":
Code:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                                                                               
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
                                                                               
echo 1 > /proc/sys/net/ipv4/ip_forward


Now we're going to add ftp connection tracking so that we won't get PASV errors when emerging packages:
Code:

# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done

Now back to end of our script, we are going to open up services for systems behind our firewall. I have included services such as IRC, MSN, ICQ, and NFS, FTP, domain, and time. And some others. The important thing to note is that these will ONLY be availabe BEHIND the firewall. So this will not enable someone to ftp into your LAN:
Code:

IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
                                                                               
# All services ports are read from /etc/services
                                                                               
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE \
            $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"

echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done
echo ""
                                                                               
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 \
done
echo ""


Now we're done all that's left is allowing us to ping the outside world by opening up pinging out of the firewall:
Code:

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                               
# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT


Now we are going to default to DROP and Log anything that's left in case we overlooked something. The ACCEPT entry's we made at the very beginning would come right before this in the final script:
Code:

# Log & block whatever is left
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl


And your done. I had a friend nmap and nessus my connection with this rule set and as far as both of them were concerned the only thing it was even slightly sure about was that the ip existed...other than that nothing. I can IRC, MSN, ICQ, ane emerge sync to my hearts content.

*CREDITS* I take absolutely NO credit for this, I gathered most from other tutorials and implemented some fixes and loops from yet other howtos to make things more comprehensive and/or efficient. ABSOLUTELY NONE of this should be credited to me. :)


PART III will cover setting up some essential SOHO services like NFS and CUPS in a security conscious manner.

Now here's the full script in all it's glory (I also put the ssh forwarding in a more appropriate place):
Code:

# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth1
INTIF2=eth2
                                                                               
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
                                                                               
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
                                                                               
# Last but not least, the users
JAMES=192.168.1.77
TERESA=192.168.2.77
                                                                               
# Deny than accept: this keeps holes from opening up
# while we close ports and such
                                                                               
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
                                                                               
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
                                                                               
for i in $CHAINS;
do
    $IPT -t $i -X
done
                                                                               
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                                                                               
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
                                                                               
echo 1 > /proc/sys/net/ipv4/ip_forward
                                                                               
                                                                               
# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
                                                                               
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will server the same purpose
                                                                               
                                                                               
# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
                                                                               
#Setting up environment variables for internal interface two
INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC2="`$IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET2="$INTIP2/$INTMSK2"
echo "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"
                                                                               
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
                                                                               
# Do not complain if chain already exists (so restart is clean)
                                                                               
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
                                                                               
# Now we are going to accpet all traffic from our loopback device
# if the IP matches any of our interfaces.
                                                                               
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT
                                                                               
# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A INPUT   -i $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A FORWARD -o $INTIF2 -d   $INTBC2  -j DROPl
                                                                               
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into  our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
                                                                               
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
                                                                               
# Now we will block internal addresses originating from anything butour
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need # to ensure that they either have the same ip or that you add a line explicitly
# that IP as well                                                                               
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl
                                                                               
# Interface two/internal net two
$IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl
$IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl
                                                                               
# An additional Egress check
                                                                               
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
                                                                               
# Block outbound ICMP (except for PING)
                                                                               
$IPT -A OUTPUT  -o $EXTIF -p icmp \
  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
                                                                               
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
                                                                               
# TCP ports:
# 98 is Linuxconf
# 512-5!5 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
                                                                               
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
                                                                               
echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
                                                                               
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
    $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done
                                                                           
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
                                                                               
# All services ports are read from /etc/services
                                                                               
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE \             $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"
                                                                               
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done
echo ""
                                                                               
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""
                                                                               
# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                               
# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                                                                                                   
$IPT -A INPUT   -i $INTIF1 -p tcp                      --dport 22 \
   --syn -m state --state NEW -j ACCEPT
                                                                               
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
                                                                               
$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
                                                                               
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
                                                                               
# block and log what me may have forgot
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl

_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation


Last edited by krunk on Tue Aug 17, 2004 12:20 pm; edited 7 times in total
Back to top
View user's profile Send private message
Fear
n00b
n00b


Joined: 12 Apr 2004
Posts: 1
Location: The Netherlands

PostPosted: Mon Apr 12, 2004 3:35 pm    Post subject: Very Nice Reply with quote

I really like these Tutorial, it helps me allot to understand and use iptables. I got a ppp0 connection to the internet aswell and I'd like to use iptables to savely connect my 2 desktops and 2 laptops to the internet useing an old PII 300MHZ as the Gentoo box with a 2.6.1 Kernel.

Found maybe 1 glitch in your script:

Code:
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \ <-- double??
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done


Keep up the good work.
_________________
Fear
Linux n00b
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Mon Apr 12, 2004 7:31 pm    Post subject: Re: HOWTO: Iptables for newbies. PART II: Securing your Netw Reply with quote

krunk wrote:
*CREDITS* I take absolutely NO credit for this, I gathered most from other tutorials and implemented some fixes and loops from yet other howtos to make things more comprehensive and/or efficient. ABSOLUTELY NONE of this should be credited to me. :)

Come on! At least take credit for putting the guide together! :)
krunk wrote:
PART III will cover setting up some essential SOHO services like NFS and CUPS in a security conscious manner.

What exactly is SOHO? You use that word a lot yet I haven't heard it before. Small Office, Home and Other networks perhaps? :D Anyway, I'm looking forward to the next part.
Back to top
View user's profile Send private message
mr.isomer
n00b
n00b


Joined: 16 Feb 2004
Posts: 47

PostPosted: Mon Apr 12, 2004 10:51 pm    Post subject: Reply with quote

ok i am having problems with this line

Code:
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT


Also should it not be DROP insted of DROPl and REJECT instead of REJECTl??

regardless is still get:

Quote:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Mon Apr 12, 2004 10:57 pm    Post subject: Reply with quote

They look good to me. DROPl and REJECTl are the new chains being created. Only the last command (after -j on line 4 and 8) should be the normal DROP / REJECT.

What errors do you get if you leave the lines like in the original?
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Mon Apr 12, 2004 11:56 pm    Post subject: Re: Very Nice Reply with quote

Fear wrote:
I really like these Tutorial, it helps me allot to understand and use iptables. I got a ppp0 connection to the internet aswell and I'd like to use iptables to savely connect my 2 desktops and 2 laptops to the internet useing an old PII 300MHZ as the Gentoo box with a 2.6.1 Kernel.

Found maybe 1 glitch in your script:

Code:
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \ <-- double??
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done


Keep up the good work.


Thank you, I must have made an error in the transfer. In fact, that line should have caused either errors or unexpected results. If I interpret correctly, I believe it would have allowed all tcp ports from interface one with source of internal net one to be forwarded rather than just our defined ones. Not a hole really, but not ast tight as intended. :)


Code:
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT


Yes this is a chain definition. Any time it is appended it drops the packet and creates a log entry with a prefix of "DROPl:" or "REJECTl:", this allow us to append this in lieu of DROP and not have to create another iptable command for each log entry. The output appears in /var/log/messages and looks something like this:

Code:
Apr 12 18:30:44 tuxmac DROPl:IN=ppp0 OUT= MAC= SRC=<Packet Source IP> DST=<Packet Destination IP> LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=11203 DF PROTO=TCP SPT=4556 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0


Some have no entry, like MAC= ....this means there is no value for that variable. (this makes since when you consider that ppp0 is a "virtual device") . You can use these logs to help you form new rules, such as if a packet is being dropped that you want to let through. You just use the -s switch for source, --dport for destination port. Etc.


Please let me know if you run into any hitches. I have found that the /etc/init.d/iptables script doesn't seem to restore them properly (they seem to set their own "pre-rules"). It also insists on starting before net.ppp0, which screws everything up. I'm working on revising the scripts, but for now just manually run the script after boot up......


Please let me know if you have any errors and remember to put specific error output in post.


*NOTE* I have CUPS up and working well.....it put up a good fight though. :) NFS is next, which is proving to a bit more of a challenge due to dynamic port assignment by portmapper. There is a decent thread on the topic on the forums: search--> iptables NFS

If you absolutely, MUST have CUPS NOW, send me a pm and I'll send my updated script to you.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Tue Apr 13, 2004 12:00 am    Post subject: Reply with quote

Andersson wrote:
They look good to me. DROPl and REJECTl are the new chains being created. Only the last command (after -j on line 4 and 8) should be the normal DROP / REJECT.

What errors do you get if you leave the lines like in the original?


Could you quote the line please?

My intention was to LOG every drop and reject.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Apr 13, 2004 12:52 am    Post subject: Re: Very Nice Reply with quote

krunk wrote:
NFS is next, which is proving to a bit more of a challenge due to dynamic port assignment by portmapper. There is a decent thread on the topic on the forums: search--> iptables NFS

I was just going to point you to the nfs howto at tldp, but it seems to be the same advice as in the post here ( https://forums.gentoo.org/viewtopic.php?t=77748 ).
Back to top
View user's profile Send private message
Rug
n00b
n00b


Joined: 17 Apr 2004
Posts: 1

PostPosted: Sat Apr 17, 2004 2:57 pm    Post subject: Useful info! Reply with quote

Thanks for posting this - it got me started on setting things up, and really helped me. One thing that you do want to mention though - this only works if you have a static IP from your ISP. I get a DHCP IP from the ISP, so I can't set fixed rules that use EXTIP. I could set them up so that any IP in the range given by the ISP would work, but then I need to trust the other home networks on the cable modem line - which I most definately don't want to do, since I know some of them are compromised. Anybody dealt with this? I'm still getting a feeling for iptables - does it have the ability to take as a parameter "whatever is the ip address currently assigned to interface X" ?

Thanks again for the guide!
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Sat Apr 17, 2004 3:18 pm    Post subject: Re: Useful info! Reply with quote

Rug wrote:
Thanks for posting this - it got me started on setting things up, and really helped me. One thing that you do want to mention though - this only works if you have a static IP from your ISP. I get a DHCP IP from the ISP, so I can't set fixed rules that use EXTIP. I could set them up so that any IP in the range given by the ISP would work, but then I need to trust the other home networks on the cable modem line - which I most definately don't want to do, since I know some of them are compromised. Anybody dealt with this? I'm still getting a feeling for iptables - does it have the ability to take as a parameter "whatever is the ip address currently assigned to interface X" ?

Thanks again for the guide!


There are som other things you must add for dhcp...to free up the necessary ports I believe. But running the script after you have an ip *should* work if I'm not mistaken. The script greps all the ips from the interface at the beginning and the rules are based on that reading...someone please correct me if I'm wrong.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
jjasghar
Guru
Guru


Joined: 07 Mar 2004
Posts: 342
Location: $HOME=/usa/tx/austin

PostPosted: Wed Apr 21, 2004 5:29 pm    Post subject: Reply with quote

hey simply put what's the iptables command that opens a port?

Code:

iptables -A INPUT -p tcp -m tcp --dport 3632 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3632 -j ACCEPT


????

i really would like distcc running, and also ssh from the outside and man i'm so lost.
_________________
#include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Wed Apr 21, 2004 6:05 pm    Post subject: Reply with quote

jjasghar wrote:
hey simply put what's the iptables command that opens a port?
Code:
iptables -A INPUT -p tcp -m tcp --dport 3632 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3632 -j ACCEPT


You don't need the -m. Does distcc work if you open all ports?

jjasghar wrote:
...and also ssh from the outside...


ssh uses port 22, but you could use this, it's from the gentoo security guide I think.
Code:

# Incoming traffic
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
# Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

# Outgoing traffic
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

# Apply the chains...
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out
Back to top
View user's profile Send private message
jjasghar
Guru
Guru


Joined: 07 Mar 2004
Posts: 342
Location: $HOME=/usa/tx/austin

PostPosted: Wed Apr 21, 2004 8:10 pm    Post subject: Reply with quote

Andersson wrote:
jjasghar wrote:
hey simply put what's the iptables command that opens a port?
Code:
iptables -A INPUT -p tcp -m tcp --dport 3632 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3632 -j ACCEPT


You don't need the -m. Does distcc work if you open all ports?

jjasghar wrote:
...and also ssh from the outside...


ssh uses port 22, but you could use this, it's from the gentoo security guide I think.
Code:

# Incoming traffic
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
# Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

# Outgoing traffic
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

# Apply the chains...
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out



this is going to sound pathetic but how do i allow all traffic? i tried flushing all the connections and i lost my connections. i nmaped and it still showed everything closed. do you want to see my /etc/iptables.conf?
_________________
#include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}
Back to top
View user's profile Send private message
icywolf
n00b
n00b


Joined: 19 Jul 2003
Posts: 52

PostPosted: Wed Apr 21, 2004 8:26 pm    Post subject: Reply with quote

I used that tutorial (with part 1) so thank you!
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Wed Apr 21, 2004 11:43 pm    Post subject: Reply with quote

jjasghar wrote:
this is going to sound pathetic but how do i allow all traffic? i tried flushing all the connections and i lost my connections. i nmaped and it still showed everything closed. do you want to see my /etc/iptables.conf?

You probably still have the default set to DROP. After you flush, try this:
Code:
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

If that doesn't work, post your config. By the way, you're not using a router do you? This firewall is on the same machine where you want distcc and ssh?

By the way, in this example and the one above, $IPTABLES=/sbin/iptables.
Back to top
View user's profile Send private message
jjasghar
Guru
Guru


Joined: 07 Mar 2004
Posts: 342
Location: $HOME=/usa/tx/austin

PostPosted: Thu Apr 22, 2004 12:03 am    Post subject: Reply with quote

ok, this is my ideal setup is my router/home server run iptables this /etc/iptables.conf and allow incoming ssh, ftp, http, distcc on the private side

/etc/iptables.conf
Code:
# Generated by iptables-save v1.2.9 on Sun Apr 18 13:57:12 2004
*filter
:INPUT DROP [100:14702]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:18340]
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Sun Apr 18 13:57:12 2004
# Generated by iptables-save v1.2.9 on Sun Apr 18 13:57:12 2004
*nat
:PREROUTING ACCEPT [79:20611]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Apr 18 13:57:12 2004
# Generated by iptables-save v1.2.9 on Sun Apr 18 13:57:12 2004
*mangle
:PREROUTING ACCEPT [269:42348]
:INPUT ACCEPT [269:42348]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:18340]
:POSTROUTING ACCEPT [219:18340]
COMMIT
# Completed on Sun Apr 18 13:57:12 2004


what does this all mean?!?
but i figure that i need to write a bash script to do this and i'm learning about it...slowly.

i'm reading a book called Linux Firewalls Second Edition by Robert L. Ziegler, horribly writen but informaitave.
_________________
#include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}
Back to top
View user's profile Send private message
tdphys
n00b
n00b


Joined: 10 Oct 2003
Posts: 53
Location: Alberta

PostPosted: Wed Apr 28, 2004 2:53 pm    Post subject: Reply with quote

Ack ... Why would this not work?!
Here's the honest to goodness command line I entered and the opposing error message

Code:
 iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name


Thanks
Back to top
View user's profile Send private message
Souperman
Guru
Guru


Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

PostPosted: Fri Apr 30, 2004 7:05 pm    Post subject: Re: HOWTO: Iptables for newbies. PART II: Securing your Netw Reply with quote

Andersson wrote:
What exactly is SOHO? You use that word a lot yet I haven't heard it before. Small Office, Home and Other networks perhaps? :D Anyway, I'm looking forward to the next part.

Small Office/Home Office. ;)
_________________
moo
Back to top
View user's profile Send private message
tdphys
n00b
n00b


Joined: 10 Oct 2003
Posts: 53
Location: Alberta

PostPosted: Sat May 01, 2004 3:39 am    Post subject: Reply with quote

As per my previous post, there was a few things I missed compiling into my kernel, recompiling with the right options did the trick....

again... :)
Back to top
View user's profile Send private message
AltBuTT
n00b
n00b


Joined: 02 May 2004
Posts: 1
Location: Montreal, Quebec

PostPosted: Wed May 05, 2004 8:17 pm    Post subject: Netbios Ports Reply with quote

On my local network there's a Win XP (we don't always choose our roomate's OS) and my linux box is the gateway. I'm using samba to share files.

I try to set a good firewall. The script block ports 137:139 (netbios) that windows use to share network. It also appear that Win XP broadcast on the network.
Code:
DROPl:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:40:f4:64:d9:c2:08:00 SRC=192.164.0.79 DST=192.164.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=63116 PROTO=UDP SPT=137 DPT=137 LEN=58


Is that a security hole if before blocking boradcast in the script I accept all connection from that user on ports 137:139 ?

Code:

#Since USER is under Windows, he must access to netbios ports
$IPT -A INPUT -i $INTIF1 -s $USER -p tcp --dport 137:139 -j ACCEPT
$IPT -A INPUT -i $INTIF1 -s $USER -p udp --dport 137:139 -j ACCEPT


It seems to work but I don't no if its a good thing.
If not, is there a good way to do that ? (except throwing the XP box out)
Back to top
View user's profile Send private message
amanset
n00b
n00b


Joined: 02 Nov 2002
Posts: 16
Location: Stockholm, Sweden

PostPosted: Sat May 15, 2004 3:39 am    Post subject: Reply with quote

Andersson wrote:

If that doesn't work, post your config. By the way, you're not using a router do you? This firewall is on the same machine where you want distcc and ssh?

By the way, in this example and the one above, $IPTABLES=/sbin/iptables.


Sorry for asking, but I am having the same problem and those three lines you suggested didn't work for me. I am trying to let my NAT'd PCs have full net access. I have used this script, adapted from part one of the tutorial:

Code:

 #!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='eth0'
INTIF1='eth1'


# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing HTTP Traffic"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD --protocol tcp --dport 80 -j ACCEPT

$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT



# block out all other Internet access on $EXTIF
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
#$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP


Yet all that appears to work right now is port 80, the one I specifically stated as a test. I've obviously missed something out somewhere, I don't suppose you know what?
Back to top
View user's profile Send private message
lokelo
Tux's lil' helper
Tux's lil' helper


Joined: 16 Dec 2002
Posts: 101
Location: Maryland, USA

PostPosted: Mon May 17, 2004 2:23 am    Post subject: Reply with quote

Ok, just configured and modified the script to work with a single internal interface and an ethernet external interface and i'm getting an error with syncookies

Code:

line 42: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory


what do i do to install this?
Back to top
View user's profile Send private message
Souperman
Guru
Guru


Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

PostPosted: Mon May 17, 2004 6:40 am    Post subject: Reply with quote

You need to enable it in your kernel .config. I'm not sure exactly where it is, but if you 'make menuconfig' and drill down the networking options you should see it.
_________________
moo
Back to top
View user's profile Send private message
Lepaca Kliffoth
l33t
l33t


Joined: 28 Apr 2004
Posts: 737
Location: Florence, Italy

PostPosted: Sat May 22, 2004 10:20 am    Post subject: Reply with quote

I was wondering if I can use this script. I've got a desktop connected to the internet through adsl and I want it to share the connection with a laptop. The laptop's conneted to my desktop with a cross-over cable. How should I modify the script?
_________________
It isn't enough to win - everyone else must lose, and you also have to rub it in their face (maybe chop off an arm too for good measure).
Animebox!
Back to top
View user's profile Send private message
tomaw
Guru
Guru


Joined: 26 Mar 2003
Posts: 429
Location: UK

PostPosted: Mon May 24, 2004 8:14 pm    Post subject: Reply with quote

Any chance anyone has an example that will enforce a local transparent proxy? Just want to set a forced privoxy...

/edit

Also, it seems this stops spamd from working...?
_________________
Tom Wesley
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page 1, 2, 3, 4, 5  Next
Page 1 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum