Maxwell (Tux's lil' helper)
Joined: 10 Dec 2003 Posts: 97
Posted: Fri Jan 28, 2005 1:14 am Post subject: Notebook and proxies
Hello
I have an Asus notebook and I use it in several networks, each of them using a different proxy. I'm thinking of setting all my ICQ and MSN clients and Firefox to use a direct connection to the internet and using iptables to direct traffic to somewhere useful (like the different proxies...).
But then I suppose I'll need a proxy running on my notebook...
So I ask for your advice: how should I configure iptables to do this, and do I need squid running? Light and fast solutions are appreciated!!
Thanks in advance
_________________
Freedom works. Use it!
Linux, by Gentoo

yaneurabeya (Veteran)
Joined: 13 May 2004 Posts: 1754 Location: Seattle
Posted: Thu Feb 03, 2005 5:10 am
Interesting. Gotta try this out sometime soon 'cause I hate being unfirewalled (even though I do run Gentoo =\...).

mr.isomer (n00b)
Joined: 16 Feb 2004 Posts: 47
Posted: Tue Feb 15, 2005 12:23 am
Ok, I hope someone can help me out with this:
I use broadband to connect: no ppp0... just eth0... How do I edit the script?
Do I set this:
EXTIF='eth0'
and get rid of INTIF???
Great HOWTO BTW... I just wish it mentioned this

Jerri (Guru)
Joined: 03 Apr 2003 Posts: 353
Posted: Tue Feb 15, 2005 5:25 am
Looking at this bit of code
Code:
# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth1
INTIF2=eth2
we see that the external interface is configured for ppp0, and there are 2 ethernet cards used for the internal network.
If you are creating a router/firewall with broadband... using two network cards, one for external, one internal, you will want the following:
Code:
# External interface
EXTIF=eth0
# Internal interface
INTIF1=eth1
then remove all instances of INTIF2 (unless of course, you wish to use multiple network cards for your internal network).

mr.isomer (n00b)
Joined: 16 Feb 2004 Posts: 47
Posted: Thu Feb 17, 2005 3:43 am
Jerri wrote:
    Looking at this bit of code
    Code:
    # External interface
    EXTIF=ppp0
    # Internal interface
    INTIF1=eth1
    INTIF2=eth2
    we see that the external interface is configured for ppp0, and there are 2 ethernet cards used for the internal network.
    If you are creating a router/firewall with broadband... using two network cards, one for external, one internal, you will want the following:
    Code:
    # External interface
    EXTIF=eth0
    # Internal interface
    INTIF1=eth1
    then remove all instances of INTIF2 (unless of course, you wish to use multiple network cards for your internal network).
thanks, I'll try that... I only have 1 NIC though... I guess this may not be for me...

Jerri (Guru)
Joined: 03 Apr 2003 Posts: 353
Posted: Fri Feb 18, 2005 2:15 am
mr.isomer,
I modified the script so that I could use it on my web server (one NIC, outside the firewall). I'm not sure whether or not this was a useful thing to do, as far as security goes, since this script accepts connections from the internet (ssh, http, https). However, I guess closing unneeded ports can't hurt.
Code:
#!/bin/sh
# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="eth0"
# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"
# Setting up external interface environment variables (parsed from ifconfig output)
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":"); split(a[2],a," ");print a[1];exit}'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Flush all existing chains and erase personal chains
# (flushing removes rules only; the DROP policies set above stay in force)
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done
for i in $CHAINS;
do
$IPT -t $i -X
done
# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $i
done
##################
# LOGGING CHAINS #
##################
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT
# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $EXTIP -j ACCEPT
# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
#######################################
# ALLOWING INSIDE TO OUTSIDE SERVICES #
#######################################
# Add port numbers that you would like to open
# from localhost to the internet
NOIP="8245"
BITTORNADO="6881:6999"
EXTRA_SERV="nntp rsync"
EXTRA_PORT="8245 1863 5190 11371 10000 1046"
TCPSERV="$EXTRA_SERV $EXTRA_PORT domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time"
UDPSERV="domain time"
echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services (tcp): "
for i in $TCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services (udp): "
for i in $UDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""
#################################
# ALLOWING EXTERNAL ACCESS TO   #
# SERVICES ON FIREWALL          #
#                               #
# !!! Security Risk !!!         #
#################################
# Allowing external systems to use tcp services on localhost:
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport "ssh" --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport "http" --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport "https" --syn -m state --state NEW -j ACCEPT
##############################
# allow existing connections #
##############################
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#######################################
# block / log what we may have forgot #
#                                     #
# useful for debugging                #
#######################################
#$IPT -A INPUT -j DROPl
#$IPT -A OUTPUT -j REJECTl
#$IPT -A FORWARD -j DROPl
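The script above derives EXTIP, EXTBC and EXTMSK from ifconfig output with three separate awk/sed pipelines, and carries on even when they return nothing. As an added example (not Jerri's script and not krunk's HOWTO), the same parsing as shell functions that operate on a string, so they can be checked against a constructed copy of ifconfig output and refuse to produce a network spec for an interface that has no address yet. The sample output, the 192.0.2.x addresses and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the HOWTO's code: extract inet addr / Bcast / Mask from
# net-tools ifconfig output and validate them before building rules.

# Constructed sample in the ifconfig format of the time (documentation addresses).
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample of an interface that is up but has no IPv4 address yet
# (e.g. the script ran before DHCP or pppd finished, the ordering Nard` asked about).
SAMPLE_NOADDR='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'

# iface_field TEXT LABEL -> the value following "LABEL:" on the inet line
# (LABEL is "inet addr", "Bcast" or "Mask"); prints nothing when absent.
iface_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2:\([^ ]*\).*/\1/p" | head -n 1
}

# is_dotted_quad VALUE -> true for a.b.c.d with numeric parts.
is_dotted_quad() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# iface_net TEXT -> "IP/MASK" (the script's EXTNET), or failure when either
# part is missing. The original script would carry on with an empty $EXTIP
# and feed it to iptables; failing here lets a wrapper stop before the rule
# set is touched.
iface_net() {
    ip=$(iface_field "$1" "inet addr")
    mask=$(iface_field "$1" "Mask")
    is_dotted_quad "$ip" && is_dotted_quad "$mask" || return 1
    printf '%s/%s\n' "$ip" "$mask"
}

# Live use on the firewall itself:
#   EXTNET=$(iface_net "$(/sbin/ifconfig eth0)") || { echo "eth0 has no address"; exit 1; }
```

The functions take the ifconfig text as an argument rather than calling ifconfig themselves, which is what makes them testable without a network interface; on a real box the usage line at the bottom wires them in.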

Nard` (Apprentice)
Joined: 23 Jan 2005 Posts: 250
Posted: Mon Mar 07, 2005 12:29 pm
This is probably a stupid question, but I read through all the posts and I'm trying to establish one thing:
Is the script written in the starting post meant to be run at boot (in which case I should rc-update del iptables) or just once?
Also, should this script/iptables init.d script be run after or before network devices are brought up? For security I'd say before, but it might cause some problems referencing interfaces that aren't "up" yet.
Thanks
EDIT: How are you transferring this script? I've been copying it from this into my router via ssh, yet the md5sum is different every time I do it; I don't know how to do it accurately...
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.

krunk (Guru)
Joined: 27 Jul 2003 Posts: 316
Posted: Mon Mar 07, 2005 3:53 pm
The iptables init.d script should not be placed in your run time. (rc-update del iptables)
You can create your own init script and put it in local if you want it to start at boot.
It should be started after the interfaces are brought up, or the dynamic interface parsing will not work ($INTNET, $EXTNET, etc).
The first thing the script does is set POLICY to deny, which serves as a safety net. It also does not enable ip_forwarding till the very end, so you are not actually forwarding any traffic till after the rules have been set.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone]
Dual G5
iPod 3rd generation

Nard` (Apprentice)
Joined: 23 Jan 2005 Posts: 250
Posted: Mon Mar 07, 2005 4:18 pm
Thanks, possibly (you've probably already thought of this...) found a few problems:
You drop all packets, but then immediately after that you flush everything! During the (admittedly short) time between when you do that and when you set the rules up, you have a time whereby packets are not filtered. I'm probably missing something there...
Also, I've been looking through it (and granted, haven't looked at it in too much detail yet) and I'm not seeing what advantages these rules offer over, say, denying all incoming connections except on specified ports (and maybe limiting that to just some IPs?). Or maybe that's exactly what it does (and logs it, which is nice, despite it perhaps being slightly annoying that they get lumped in with the kernel log, but that's not your fault, and could be changed by using ulog).
Oh and:
Code:
# Last but not least, the users
JAMES=192.168.1.77
TERESA=192.168.2.77
What's the point of that? It's only referenced once: in its declaration.
EDIT: forgot to mention, great tutorial
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.

krunk (Guru)
Joined: 27 Jul 2003 Posts: 316
Posted: Mon Mar 07, 2005 4:36 pm
Hehe,
--On the flushing, that is a very good point and an oversight of mine. To be honest, I switched platforms many months ago and stopped maintaining this tutorial after it was posted to the Gentoo Wiki, where the community could easily improve it as necessary. I have some vague memory that rule flushing does not remove the policies, but I could be completely off base on that.
---That's pretty much what it does... however, it also has a good bit of egress filtering. Some would say this is an overkill security measure on a home system, and they may be right. However, my philosophy was that even in an uber-secure network your 5-year-old daughter can slap that floppy her teacher gave her in and circumvent it all. With this in mind, I always thought it made sense to place rules that would prevent such a worm or virus from sending itself out to the world from an infected network (if more admins practiced this, many worms and viruses would be far less effective).
--Logging: Actually, I used syslog-ng (and metalog at one point) to place all the iptables rules into /var/log/iptables.log and when debugging placed all ACCEPT logs in /var/log/iptables-accept.log or some such. Since methods vary from logger to logger, I left that up to the user.
Thanks for the input, and please by all means check out the posting on the Wiki and improve on the script. I was a true iptables newbie when I started reading for this and I'm sure there are a lot of improvements that can be made and possible oversights as well.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone]
Dual G5
iPod 3rd generation

Nard` (Apprentice)
Joined: 23 Jan 2005 Posts: 250
Posted: Mon Mar 07, 2005 4:49 pm
On closer inspection, I think I'm wrong about the flushing, on my system at least:
Code:
chameleon# cat /proc/net/ip_tables_names
nat
filter
so INPUT, OUTPUT, FORWARD remain intact. Actually, that raises the worrying question of whether rules already in iptables prior to running the script could override the ones in the script, but in a good setup that shouldn't really happen.
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.

krunk (Guru)
Joined: 27 Jul 2003 Posts: 316
Posted: Mon Mar 07, 2005 7:07 pm
Try this:
Run the script from a clean slate.
Type: iptables -L > myrules.txt
Take only the top part (where the POLICY is set and the rules are flushed) and put it in a separate file named flush.sh
Run flush.sh (make sure you have local access, as this should kill all networking).
Then run iptables -L > flushed.txt
Now diff the two (or visually compare). You should have listings like
[INPUT POLICY: DENY]
[OUTPUT POLICY: DENY]
or some such (I don't have a Linux system to test on anymore). This would show that the rule flushing is working correctly. If you end up with POLICY: ALLOW or some such, then you have indeed spotted a small window/hole in the script.
-james
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone]
Dual G5
iPod 3rd generation

Morimando (Guru)
Joined: 14 Feb 2005 Posts: 339 Location: Germany
Posted: Tue Mar 08, 2005 10:50 am
Might be I have done something completely wrong, but I always get
Code:
root@Doomsday morimando # $IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j DROPl
bash: -A: command not found
root@Doomsday morimando # $IPT -A FORWARD -o $INTIF2 -d $INTBC2 -j DROPl
bash: -A: command not found
such errors when trying to follow your HowTo. However, the first part works smoothly; it's halfway through the 2nd where it starts. Maybe I shouldn't have run all the code that you put in, since you did not explain how to run it in a script file? I thought that would be okay?
_________________
That young girl is one of the least benightedly unintelligent organic life forms it has been my profound lack of pleasure not to be able to avoid meeting.
-- Marvin

krunk (Guru)
Joined: 27 Jul 2003 Posts: 316
Posted: Tue Mar 08, 2005 4:14 pm
You run a script file like so:
or
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone]
Dual G5
iPod 3rd generation

SerfurJ (l33t)
Joined: 10 Apr 2004 Posts: 824 Location: Texas
Posted: Wed Mar 09, 2005 5:30 pm
Jerri,
for some reason after using your script, "iptables -F" messes up my internet connection. Any idea why? Is there anything else I need to do to reset my configuration? I'm guessing "echo 0 > /proc/sys/net/ipv4/<file>", but I don't know what the defaults were.
thanks.

krunk (Guru)
Joined: 27 Jul 2003 Posts: 316
Posted: Wed Mar 09, 2005 5:37 pm
In a pinch, you can run /etc/init.d/iptables start, then stop, to reset everything.
But the loop at the top of my script that deletes all chains and rules should do it too.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone]
Dual G5
iPod 3rd generation

SerfurJ (l33t)
Joined: 10 Apr 2004 Posts: 824 Location: Texas
Posted: Wed Mar 09, 2005 7:07 pm
that did it. But before it would let me start /etc/init.d/iptables, I had to save the rules myself
Code:
iptables-save > /var/lib/iptables/rules-save
thanks.
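Two things in the exchange above fit one added example (not part of the HOWTO or of anyone's posted script): krunk's before/after listing test for the flush window, and what SerfurJ ran into with a bare "iptables -F", which removes the rules but leaves the DROP policies from the script in place, so that nothing passes until the policies themselves are reset. The check below reads iptables-save output, which prints each built-in chain's policy as ":CHAIN POLICY [packets:bytes]" and is easier to compare than "iptables -L"; fw_open is the reset to use instead of a bare -F. The two dumps are constructed samples (the second has the policies SerfurJ's simpler script sets), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read built-in filter policies out of an
# iptables-save dump, decide whether the "policies set, rules flushed" state is
# actually closed, and undo the script without dropping everything first.

# Constructed dump: the filter table right after the script set its policies
# to DROP and flushed the rules (the window Nard` asked about). The nat table
# comes first, as iptables-save often prints it, and has its own OUTPUT chain.
DUMP_CLOSED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT'

# Constructed dump: the policies from SerfurJ's simpler script (OUTPUT open).
DUMP_PARTIAL='*filter
:INPUT DROP [3:180]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:1200]
COMMIT'

# filter_policy DUMP CHAIN -> the policy of CHAIN in the *filter table only;
# the nat table's OUTPUT chain must not be mistaken for filter's.
filter_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == (":" chain) { print $2; exit }'
}

# policies_closed DUMP -> true only when INPUT, FORWARD and OUTPUT all DROP,
# i.e. the flush window lets nothing through while the rules are rebuilt.
policies_closed() {
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(filter_policy "$1" "$chain")" = "DROP" ] || return 1
    done
    return 0
}

# fw_open -> undo the script: open the policies FIRST, then flush the rules and
# delete user chains in every table. Needs root; not invoked here.
fw_open() {
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
    for table in $(cat /proc/net/ip_tables_names); do
        iptables -t "$table" -F
        iptables -t "$table" -X
    done
}

# Live check on the router (needs root):
#   policies_closed "$(iptables-save)" && echo "flush window is closed"
```

Running policies_closed against iptables-save output taken right after the script's flush loop is the scripted form of krunk's diff: if it succeeds, the flush window was closed; if it fails, there really was a gap. fw_open does the reverse in the reverse order, which is why it does not leave the connection dead the way -F on its own did.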

woZa (Guru)
Joined: 18 Nov 2003 Posts: 340 Location: The Steel City - UK
Posted: Fri Mar 11, 2005 11:54 am
Nice howto... Thanks.
Got things working well apart from printing. Clients can't access the cups server... anyone ever get this working???
_________________
A few months struggling with gentoo is better than a lifetime struggling with windoze!

woZa (Guru)
Joined: 18 Nov 2003 Posts: 340 Location: The Steel City - UK
Posted: Fri Mar 11, 2005 12:20 pm
Code:
# Allow clients to connect to CUPS server
$IPT -A INPUT -i $INTIF -p tcp --dport 631 -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p tcp --sport 631 -j ACCEPT
seems to do the trick...
_________________
A few months struggling with gentoo is better than a lifetime struggling with windoze!

SerfurJ (l33t)
Joined: 10 Apr 2004 Posts: 824 Location: Texas
Posted: Fri Mar 11, 2005 8:24 pm
krunk,
nice tutorial, thanks.
Suggestion: it would've been easier for me to follow your tutorial if there were three parts to the lesson. The second would be getting your script up to this level of complexity:
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# set interface values
INET_IFACE='eth0'
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# block netbios noise (for windows networks)
$IPTABLES -A INPUT -p UDP -i $INET_IFACE --dport 135:139 -j DROP
### trusted hosts ###
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
# Allow traffic from established connections
$IPTABLES -A INPUT -i $INET_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
### services available to subnets ###
# allow access to the HTTP server
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx/24 --protocol tcp --dport 80 -j ACCEPT
### services available to internet ###
# allow access to the SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
that way, someone like me (who doesn't need to build a complex router) would just stop after lesson two.

HriBB (n00b)
Joined: 15 Feb 2005 Posts: 13 Location: Slovenia, Kranj
Posted: Wed Mar 23, 2005 11:43 pm
If you are getting this error...
Code:
kernel: ip_conntrack: table full, dropping packet.
Do this...
Code:
echo "number" > /proc/sys/net/ipv4/ip_conntrack_max
Does anyone know how to flush /proc/net/ip_conntrack?
_________________
http://hribb.homelinux.com/
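An added check for the "table full" condition HriBB describes (example code, not from the thread): it reads the conntrack limit and the current table and reports how full the table is, so the limit can be raised before the kernel starts dropping packets rather than after. The file locations are parameters, so it runs here on constructed sample files; the /proc paths given are the ip_conntrack ones of 2.6 kernels of that time (assumed), and newer kernels expose the same two values as /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack. Function names and sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: report connection-tracking table usage
# so "ip_conntrack: table full, dropping packet" is caught before it happens.

# Kernel files on 2.6 kernels of the time (assumed); newer kernels use
# /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack.
CT_MAX_FILE=/proc/sys/net/ipv4/ip_conntrack_max
CT_TABLE_FILE=/proc/net/ip_conntrack

# conntrack_usage MAXFILE TABLEFILE -> prints "used max percent"; each line of
# the table file is one tracked connection.
conntrack_usage() {
    max=$(cat "$1")
    used=$(( $(wc -l < "$2") + 0 ))
    [ "$max" -gt 0 ] || return 1
    printf '%s %s %s\n' "$used" "$max" $(( used * 100 / max ))
}

# conntrack_warn MAXFILE TABLEFILE THRESHOLD -> succeeds and prints a warning
# when usage is at or above THRESHOLD percent; fails silently otherwise, so it
# can sit in a cron job or a monitoring check.
conntrack_warn() {
    usage=$(conntrack_usage "$1" "$2") || return 1
    pct=${usage##* }
    if [ "$pct" -ge "$3" ]; then
        echo "conntrack table at ${pct}% of its limit (used max pct: $usage)"
        return 0
    fi
    return 1
}

# conntrack_raise MAXFILE NEWMAX -> HriBB's fix as a function. Each tracked
# entry costs kernel memory, so raise it to what the box can afford, not
# arbitrarily high.
conntrack_raise() {
    echo "$2" > "$1"
}

# Constructed sample: a limit of 4 entries and a table holding 3 connections,
# in the /proc/net/ip_conntrack line format (documentation addresses).
SAMPLE_DIR=$(mktemp -d)
echo 4 > "$SAMPLE_DIR/ip_conntrack_max"
cat > "$SAMPLE_DIR/ip_conntrack" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.7 sport=40002 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40002 [ASSURED] use=1
udp     17 28 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 use=1
EOF

# Live use on the router (needs root), warning at 80% and doubling the limit:
#   conntrack_warn "$CT_MAX_FILE" "$CT_TABLE_FILE" 80 && conntrack_raise "$CT_MAX_FILE" 65536
```

On the sample the table is 3 of 4 entries, i.e. 75%, so a threshold of 70 warns and a threshold of 90 stays quiet; on a real router the same call against the /proc files gives the live figure.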

nadamsieee (Guru)
Joined: 30 May 2003 Posts: 340 Location: Atlanta, GA, USA
Posted: Mon Mar 28, 2005 3:21 pm
How do I basically undo this script entirely? I had a very simple, working config, then decided to try this.
Everything seemed great until I rebooted. Then I could not start KDE because the firewall wouldn't allow the connection, nmap no longer works because it's not allowed to scan, and my simple little script that just enabled NAT now breaks the Internet connection completely.
You might want to add a disclaimer that these rules are a bit too strict for a desktop system...
_________________
nadams (at) ieee (dot) org

Barshamm (n00b)
Joined: 03 Jul 2004 Posts: 2 Location: Halas, Norrath
Posted: Tue May 03, 2005 3:09 am
Excellent work, this REALLY helps me a lot!

lost+found (Guru)
Joined: 15 Nov 2004 Posts: 509 Location: North~Sea~Coa~s~~t~~~
Posted: Sun May 08, 2005 8:57 am
I'm using the script (page 2 of this thread) on a standalone PC by removing/commenting out lines, sections, things containing $INT*...
Bwa HA HA !!!
P.S. I put the script in /etc/ppp/ip-up, to let pppd execute it on every dialup.
P.P.S. test your TruStealth status here: ShieldsUP!!