View previous topic :: View next topic |
Author |
Message |
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
|
Posted: Thu Jan 09, 2003 10:26 pm Post subject: iptables does not block smb broadcasts?! |
|
|
Hi everyone!
I set up a firewall/router using the following rules (sorry if this is too long, don't know if its important):
Code: |
#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/var/lib/iptables/iptables-save
IPTABLESRESTORE=/var/lib/iptables/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=194.25.0.68
DNS2=194.25.0.60
#interfaces:
# eth0: 192.168.1.1 (trusted LAN)
# eth1: 192.168.0.50 (untrusted router)
# eth0
IIP=192.168.1.1
IINTERFACE=eth0
LOCAL_NETWORK=192.168.1.0/24
# eth1
OIP=192.168.0.50
OINTERFACE=eth1
#SERVICES="http smtp"
SERVICES="ssh http"
opts="${opts} showstatus panic save restore showoptions rules"
depend() {
need net
}
rules() {
stop
ebegin "Setting /proc options."
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
einfo "Enabling IP-forwarding"
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#Reduce DoS'ing ability by reducing timeouts
/bin/echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
/bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
/bin/echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
/bin/echo "0" > /proc/sys/net/ipv4/tcp_sack
einfo "Setting Firewall rules"
einfo "Setting default rule to drop"
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
#myfilter chain:
#this chain contains rules common to our FORWARD and INPUT chains, all in one place.
#first, we create a new "myfilter" chain;
#then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
#then, we add a rule to accept NEW connections coming in from anywhere but our untrusted eth1 interface;
#then, we add a rule to log any incoming INVALID packets;
#then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
#then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
#everything else falls off the end of this chain and goes back to the next rule (if any) in the
#parent INPUT or FORWARD chain.
$IPTABLES -N myfilter
$IPTABLES -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A myfilter -m state --state NEW -i ! eth1 -j ACCEPT
$IPTABLES -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
$IPTABLES -A myfilter -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A myfilter -j REJECT --reject-with icmp-port-unreachable
einfo "Setting rules for Broadcasts"
#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP
#INPUT chain:
#first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
#then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
#then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
#then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
#everything else falls off the end of this chain and gets a default policy of DENY.
local x
for x in $SERVICES
do
$IPTABLES -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done
$IPTABLES -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
$IPTABLES -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
$IPTABLES -A INPUT -j myfilter
$IPTABLES -A INPUT -i eth1 -j SMB
$IPTABLES -A OUTPUT -o eth1 -j SMB
$IPTABLES -A FORWARD -i eth1 -j SMB
$IPTABLES -A FORWARD -o eth1 -j SMB
$IPTABLES -A INPUT -i eth0 -j SMB
$IPTABLES -A OUTPUT -o eth0 -j SMB
$IPTABLES -A FORWARD -i eth0 -j SMB
$IPTABLES -A FORWARD -o eth0 -j SMB
#FORWARD chain:
#simply forward all FORWARD traffic to our myfilter chain.
#if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
#chain and get a default policy of DENY.
$IPTABLES -A FORWARD -j myfilter
$IPTABLES -A FORWARD -j SMB
#Set up SNAT
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.50
eend $?
}
start() {
ebegin "Starting firewall"
if [ -e "${FIREWALL}" ]; then
restore
else
einfo "${FIREWALL} does not exists. Using default rules."
rules
fi
eend $?
}
stop() {
ebegin "Stopping firewall"
$IPTABLES -F INPUT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
$IPTABLES -F myfilter
$IPTABLES -X myfilter
$IPTABLES -F SMB
$IPTABLES -X SMB
eend $?
}
showstatus() {
ebegin "Status"
$IPTABLES -L -n -v --line-numbers
einfo "NAT status"
$IPTABLES -L -n -v --line-numbers -t nat
eend $?
}
panic() {
ebegin "Setting panic rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}
save() {
ebegin "Saving Firewall rules"
$IPTABLESSAVE > $FIREWALL
eend $?
}
restore() {
ebegin "Restoring Firewall rules"
$IPTABLESRESTORE < $FIREWALL
eend $?
}
restart() {
svc_stop; svc_start
}
showoptions() {
echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"
echo "start) will restore setting if exists else force rules"
echo "stop) delete all rules and set all to accept"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "showstatus) Shows the status"
}
|
As you have probably seen already this is a mixture of some how-tos found on the Internet.
I really have tried to learn everything there is about iptables but I still have some questions:
1.) Do I understand it correctly that this script should be able to block any traffic not initiated by the internal LAN?
2.) In what exact sequence go packets through my router?
(i.e. INPUT -> PREROUTING -> POSTROUTING -> OUTPUT ????)
Couldn't find any documentation that really explains this for me.
3.) How do I have to setup metalog to actually log the packets that get caught by a log rule?
4.) When I do a Quote: | cat /proc/net/ip_conntrack | I get the following output:
Quote: | udp 17 28 src=192.168.1.3 dst=192.168.1.255 sport=137 dport=137 [UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=137 dport=137 use=1
udp 17 26 src=192.168.1.3 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=138 dport=138 use=1 |
Does this mean that my SMB Broadcast filtering is not working? I thought that all SMB packets get dropped instantly.
Thanks in advance for any answers, I really apprechiate it. _________________ Greetings,
Proteus |
|
Back to top |
|
|
Maz n00b
Joined: 18 Jul 2002 Posts: 43 Location: Montpeller, France
|
Posted: Fri Jan 10, 2003 6:18 am Post subject: |
|
|
First, I'm no iptables guru, so don't take my answer too seriously.
1) I'm not sure what you are meaning. If you mean "block any traffic from untrusted router to trusted LAN", then I think it should.
Btw, why do you explicitly add drop rules, when anyway, default rule is to drop ? You are making the script less readable for nothing.
A little clarification, -j means jump. so, if you append twice a rule with different j, you will never get in the second. -j roots the packets to a new chain, it does not filter it though it, and then pass is to the next rule. Of course, there is one exception (always is ), -j LOG is just a filter, not a redirection.
2) It is not linear, there is problem of routing packets received or originated from the box. destined to the box, or just rerouted, etc ...
Found a good diagram here: http://www.docum.org/stef.coene/qos/kptd/
3) Sorry, I have no idea
4) I think you see the packet received, then dropped. Making a firewall does not make traffic disappear .
On a personal note, while I appreciate the work you putted in your firewall, I think you are overdoing things.
Hopes it helps _________________ Maz |
|
Back to top |
|
|
Proteus Guru
Joined: 14 Jul 2002 Posts: 346 Location: Hamburg, Germany
|
Posted: Fri Jan 10, 2003 11:16 am Post subject: |
|
|
First: Thank you very much for your answer.
Question 1 was meant exactly as you interpreted it. Sorry for being unclear
With the additional "drop" rules do you mean those for smb traffic?
The problem was that smb traffic seemed to go unharmed and now it seems better. But I never really knew what -j meant Thanks for that.
Which rule do you think is not active due to me "jumping" around too much? I thought the packets would traverse through the "myfilter" chain and then through the "SMB" chain.
The link for 2) seems to be really good. Hope I can get a better Idea of how things work.
Your answer to 4) gives me a warm fuzzy feeling because then it works as it should...
Last: I do apprechiate your comment that I am overdoing things. This must be true because its my first time and I really want to make sure that this thing does what it should do.
But I am curious and want to learn: What exactly should I do to make this script more compact and easier to read? (Besides not adding dropping rules that possibly never get executed anyway (?) )
Maz - you may not be an iptables guru but I learned from you. Thanks. _________________ Greetings,
Proteus |
|
Back to top |
|
|
Maz n00b
Joined: 18 Jul 2002 Posts: 43 Location: Montpeller, France
|
Posted: Sat Jan 11, 2003 11:50 am Post subject: |
|
|
I told you that you your packet would not return from a user defined chain, I was WRONG (of course ). From the Netfilter Howto :
Quote: |
When a packet matches a rule whose target is a user-defined chain, the packet begins traversing the rules in that user-defined chain. If that chain doesn't decide the fate of the packet, then once traversal on that chain has finished, traversal resumes on the next rule in the current chain.
|
So, your packet will go through all rules, unless it matches a rule with a terminal jump (ACCEPT or DROP are the only default ones I think). I'm sorry for the wrong informatin.
Otherwise, here what I would do, in your case, without all proc options (maybe some missing, since I'm not you):
Code: |
# Various temp variables
local x
# Drop every incoming and forwarded packets by default
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Create a chain for new local connections
# root all new connection there
# see what to do with them
$IPTABLES -N new_connection
$IPTABLES -A INPUT -m state --state NEW -j new_connection
# Accept some local services for everyone
for x in $SERVICES
do
$IPTABLES -A new_connection -p tcp --dport ${x} -j ACCEPT
done
# Accept some more local services for trusted network card
# Note, not trust Source IP, in case of spoofing
for x in $SERVICES_FOR_TRUSTED
do
$IPTABLES -A new_connection -i $IINTERFACE -p tcp --dport ${x} -j ACCEPT
done
# Reject cleanly all else
# need compiled in kernel
$IPTABLES -A new_connection -j REJECT
# end of new connection
# Create a chain for new forwarded connections
$IPTABLES -N new_forward
$IPTABLES -A FORWARD -m state --state NEW -j new_forward
#accept trusted to connect outside
$IPTABLES -A new_forward -i $IINTERFACE -j ACCEPT
# example : allow one machine on trusted to act as a web server
# example to ilustrate why it may be usefull to create a new chain
# obelix being a dns resoled as 192.168.1.6
# $IPTABLES -A new_forward -d obelix -p tcp --dport http -j ACCEPT
# End of new forwarded
# Finally, accept the established or related packets
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log invalid packets
$IPTABLES -A established -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
# Everything else coming or forwarded by the box will be dropped by default
# end of all incoming and forwarded
# Sanity if the box should not connect to anything but smtp
$IPTABLES -N new_output
$IPTABLES -A OUTPUT -m state --state NEW -j new_output
# Accept mail relaying through smtp
$IPTABLES -A new_output -p tcp --dport smtp -j ACCEPT
# log and drop all else
$IPTABLES -A new_output -j LOG --log-prefix "Outside connection attempted :" --log-level warning
$IPTABLES -A new_output -j DROP
# end of output
|
I don't understand the snat you are doing, so I didn't included in it. Didn't put proc tweaks, and ping limits, I will let you. Otherwise, should do exactly what you were doing. I didn't test nor reread very carefully, so do it if you want to try it out. The script is not complete, lacks your head, and start/stop , etc ... _________________ Maz |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|