HOWTO: Iptables for newbies. PART II: Securing your Network

Maxwell · Tux's lil' helper Joined: 10 Dec 2003 Posts: 97

Hello

I have an Asus notebook and i use it in several networks, each of them using a different proxy. I'm thinking on setting all my icq, msn clients and firefox to use a direct connection to internet and use iptables to direct traffic to somewhere usefull (like the different proxies...).

But then i suppose i'll need a proxy running in my notebook...

So i ask for your advice: how should i configurate iptables to do this and do i need squid running? Light and fast solutions are appreciated!!

Thans in advance
_________________
Freedom works. Use it!
Linux, by Gentoo

yaneurabeya · Veteran Joined: 13 May 2004 Posts: 1754 Location: Seattle

Interesting. Gotta try out this sometime soon cause I hate being unfirewalled (even though I do run Gentoo =\...).

mr.isomer · n00b Joined: 16 Feb 2004 Posts: 47

Ok I hope someone can help me out with this:

I use broadband to connect no ppp0... just eth0 ... how do I edit the script?

Do I set this:

EXTIF='eth0'

and get rid of INTIF ???

Great HOWTO BTW... I just hope it mentioned this

Jerri · Guru Joined: 03 Apr 2003 Posts: 353

Looking at this bit of code

mr.isomer · n00b Joined: 16 Feb 2004 Posts: 47

Jerri · Guru Joined: 03 Apr 2003 Posts: 353

mr.isomer,

I modified the script so that I could use it on my web server (one nic - outside the firewall). I'm not sure weather or not this was a useful thing to do, as far as security goes, since this script accepts connections from the internet (ssh, http, https). However, I guess closing uneeded ports can't hurt.

Nard` · Apprentice Joined: 23 Jan 2005 Posts: 250

This is proboably a stupid question, but read through all the posts and i'm trying to establish one thing:

Is the script written in the starting post meant to be run at boot (in which case i should rc-update del iptables) or just once?

also, should this script/iptables init.d script be run after or before network devices being brought up? for security i'd say before but it might cause some problems referencing interfaces that aren't "up" yet

Thanks

EDIT: How are you transferring this script? I've been copying it from this into my router via ssh yet the md5sum is different every time I do it, don't know how to do it accurately...
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.

krunk · Guru Joined: 27 Jul 2003 Posts: 316

The iptables init.d script should not be placed in your run time. (rc-update del iptables)

You can create your own init script and put in local if you want it to start at boot.

It should be started after the interfaces are brought up or the dynamic interface parsing will not work ($INTNET, $EXTNET, etc).

The first thing the script does is set POLICY to deny, which serves as a safety net. It also does not enable ip_forwarding till the very end, so you are not actually forwarding any traffic till after the rules have been set.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone

]

Dual G5
iPod 3rd generation

Nard` · Apprentice Joined: 23 Jan 2005 Posts: 250

Thanks, possibly (you've proboably already thought of this...) found a few problems:

You drop all packets, but then immediately after that you flush everything! During the (admittedly short time) beetween when you do that and you set the rules up you have a time whereby packets are non filtered. I'm proboably missing something there...

Also, i've been looking through it (and granted haven't looked at in too much detail yet) i'm not seeing what advantages these rules offer over say denying all incoming connections except on specified ports (and maybye limit that to just some ip's?). Or maybye that's exactly what it does (and logs it, which is nice despite perhaps it being slightly annoying they get lumped along with the kernel log, but thats not your fault, and could be changed by using ulog)

Oh and:

krunk · Guru Joined: 27 Jul 2003 Posts: 316

Hehe,

--On the flushing, that is a very good point and oversight of mine. To be honest, I've switched platforms many months ago and stopped maintaining this tutorial after it was posted to the Gentoo Wiki where the community could easily improve as necessary. I have some vague memory that rule flushing does not remove the policies, but I could be completely off base on that.

---That's pretty much what it does....however it also has a good bit of egress filtering. Some would say this is an overkill security measure on a home system and they may be right. However, my philosophy was even in an uber secure network your 5 year old daughter can slap that floppy her teacher gave her in and circumvent it all. With this in mind, I always thought it made sense to place rules that would prevent such a worm or virus from sending itself out to the world from an infected network (if more admins practiced this, many worms viruses would be far less effective).

--Logging: Actually, I used syslog-ng (and metalog at one point) to place all the iptables rules into /var/log/iptables.log and when debugging placed all ACCEPT logs in /var/log/iptables-accept.log or some such. Since methods vary from logger to logger, I left that up to the user.

Thanks for the input, and please by all means check out the posting on the Wiki and improve on the script. I was a true iptables newbie when I started reading for this and I'm sure there's a lot of improvements that can be made and possible oversights as well.

_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone

]

Dual G5
iPod 3rd generation

Nard` · Apprentice Joined: 23 Jan 2005 Posts: 250

On closer inspection, I think i'm wrong about the flushing, on my system at least:

krunk · Guru Joined: 27 Jul 2003 Posts: 316

Try this:

Run the script from a clean slate.

Type: iptables -L > myrules.txt

Take only the top part (where the POLICY is set and the rules are flushed) and put it in a separate file named flush.sh

Run the flush.sh (make sure you have local access as this should kill all networking).

Than run iptables -L > flushed.txt

Now diff the two (or visually compare). You should have listings like

[INPUT POLICY: DENY]

[OUTPUT POLICY: DENY]

or some such (I don't have a linux system to test on anymore). This would show that the rule flushing is working correctly. If you end up with POLICY: ALLOW or some such, than you have indeed spotted a small window/hole in the script.

-james
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone

]

Dual G5
iPod 3rd generation

Morimando · Guru Joined: 14 Feb 2005 Posts: 339 Location: Germany

mightbe i have done something completely wrong but i always get

krunk · Guru Joined: 27 Jul 2003 Posts: 316

You run a script file like so:

SerfurJ · l33t Joined: 10 Apr 2004 Posts: 824 Location: Texas

Jerri,

for some reason after using your script, "iptables -F" messes up my internet connection. any idea why? is there anything else i need to do to reset my configuration? i'm guessing

krunk · Guru Joined: 27 Jul 2003 Posts: 316

In a pinch, you can run /etc/init.d/iptables start than stop to reset everything.

But the loop at the top of my script that deletes all chains and rules should do it too.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone

]

Dual G5
iPod 3rd generation

SerfurJ · l33t Joined: 10 Apr 2004 Posts: 824 Location: Texas

that did it. but before it would let me start /etc/init.d/iptables, i had to save the rules myself

woZa · Posted: Fri Mar 11, 2005 11:54 am Post subject:

Nice howto... Thanks.

Got things working well apart from printing. Clients can't access the cups server... anyone ever get this working???
_________________
A few months struggling with gentoo is better than a lifetime struggling with windoze!

woZa · Posted: Fri Mar 11, 2005 12:20 pm Post subject:

SerfurJ · l33t Joined: 10 Apr 2004 Posts: 824 Location: Texas

krunk,

nice tutorial, thanks.

suggestion: it would've been easier for me to follow your tutorial if there were three parts to the lesson. the second would be getting your script up to this level of complexity:

HriBB · Posted: Wed Mar 23, 2005 11:43 pm Post subject:

If you are getting this error...

nadamsieee · Posted: Mon Mar 28, 2005 3:21 pm Post subject:

How do I basically undo this script entirely? I had a very simple, working config, then decided to try this.

Everything seemed great until I rebooted. Then I could not start KDE because the firewall wouldn't allow the connection, nmap no longer works because its not allowed to scan, and my simple little script that just enabled NAT now breaks the Internet connection completely.

You might want to add a disclaimer that these rules are a bit too strict for a desktop system...
_________________
nadams (at) ieee (dot) org

SerfurJ · l33t Joined: 10 Apr 2004 Posts: 824 Location: Texas

nadamsieee,

see my first posts on this thread:
https://forums.gentoo.org/viewtopic-p-2171669.html#2171669

Barshamm · n00b Joined: 03 Jul 2004 Posts: 2 Location: Halas, Norrath

Excellent work, this REALLY helps me a lot!

lost+found · Posted: Sun May 08, 2005 8:57 am Post subject:

i'm using the script (page2 of this thread) on a standalone pc by removing/commenting out lines, sections, things containing $INT*...
Bwa HA HA !!!

:lol:

P.S. i put the script in /etc/ppp/ip-up, to let pppd execute it every dialup.
P.P.S. test your TruStealth status here: ShieldsUP!!