Gentoo Forums
iptables does not block smb broadcasts?!
Proteus
Guru


Joined: 14 Jul 2002
Posts: 346
Location: Hamburg, Germany

Posted: Thu Jan 09, 2003 10:26 pm    Post subject: iptables does not block smb broadcasts?!

Hi everyone!

I set up a firewall/router using the following rules (sorry if this is too long, I don't know if it's important):

Code:

#!/sbin/runscript

IPTABLES=/sbin/iptables

IPTABLESSAVE=/var/lib/iptables/iptables-save
IPTABLESRESTORE=/var/lib/iptables/iptables-restore

FIREWALL=/etc/firewall.rules

DNS1=194.25.0.68
DNS2=194.25.0.60

#interfaces:
# eth0: 192.168.1.1 (trusted LAN)
# eth1: 192.168.0.50 (untrusted router)

# eth0
IIP=192.168.1.1
IINTERFACE=eth0
LOCAL_NETWORK=192.168.1.0/24

# eth1
OIP=192.168.0.50
OINTERFACE=eth1

#SERVICES="http smtp"
SERVICES="ssh http"

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net
}

rules() {
  stop

  ebegin "Setting /proc options."
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
  /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  /bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
  /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  /bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
  /bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies

  einfo "Enabling IP-forwarding"
  /bin/echo "1" > /proc/sys/net/ipv4/ip_forward

  #Reduce DoS'ing ability by reducing timeouts
  /bin/echo "30"   > /proc/sys/net/ipv4/tcp_fin_timeout
  /bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
  /bin/echo "0"    > /proc/sys/net/ipv4/tcp_window_scaling
  /bin/echo "0"    > /proc/sys/net/ipv4/tcp_sack

  einfo "Setting Firewall rules"

  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP

  #myfilter chain:
  #this chain contains rules common to our FORWARD and INPUT chains, all in one place.
  #first, we create a new "myfilter" chain;
  #then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
  #then, we add a rule to accept NEW connections coming in from anywhere but our untrusted eth1 interface;
  #then, we add a rule to log any incoming INVALID packets;
  #then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
  #then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
  #everything else falls off the end of this chain and goes back to the next rule (if any) in the
  #parent INPUT or FORWARD chain.

  $IPTABLES -N myfilter
  $IPTABLES -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A myfilter -m state --state NEW -i ! eth1 -j ACCEPT
  $IPTABLES -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
  $IPTABLES -A myfilter -p tcp -j REJECT --reject-with tcp-reset
  $IPTABLES -A myfilter -j REJECT --reject-with icmp-port-unreachable

  einfo "Setting rules for Broadcasts"

  #SMB-Traffic
  $IPTABLES -N SMB
  $IPTABLES -A SMB -p tcp --dport 137 -j DROP
  $IPTABLES -A SMB -p tcp --dport 138 -j DROP
  $IPTABLES -A SMB -p tcp --dport 139 -j DROP
  $IPTABLES -A SMB -p tcp --dport 445 -j DROP
  $IPTABLES -A SMB -p udp --dport 137 -j DROP
  $IPTABLES -A SMB -p udp --dport 138 -j DROP
  $IPTABLES -A SMB -p udp --dport 139 -j DROP
  $IPTABLES -A SMB -p udp --dport 445 -j DROP
 
  $IPTABLES -A SMB -p tcp --sport 137 -j DROP
  $IPTABLES -A SMB -p tcp --sport 138 -j DROP
  $IPTABLES -A SMB -p tcp --sport 139 -j DROP
  $IPTABLES -A SMB -p tcp --sport 445 -j DROP
  $IPTABLES -A SMB -p udp --sport 137 -j DROP
  $IPTABLES -A SMB -p udp --sport 138 -j DROP
  $IPTABLES -A SMB -p udp --sport 139 -j DROP
  $IPTABLES -A SMB -p udp --sport 445 -j DROP

  #INPUT chain:
  #first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
  #then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
  #then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
  #then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
  #everything else falls off the end of this chain and gets a default policy of DENY.

  local x
  for x in $SERVICES
  do
   $IPTABLES -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
  done 

  $IPTABLES -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
  $IPTABLES -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
  $IPTABLES -A INPUT -j myfilter
   

  $IPTABLES -A INPUT -i eth1 -j SMB
  $IPTABLES -A OUTPUT -o eth1 -j SMB
  $IPTABLES -A FORWARD -i eth1 -j SMB
  $IPTABLES -A FORWARD -o eth1 -j SMB

  $IPTABLES -A INPUT -i eth0 -j SMB
  $IPTABLES -A OUTPUT -o eth0 -j SMB
  $IPTABLES -A FORWARD -i eth0 -j SMB
  $IPTABLES -A FORWARD -o eth0 -j SMB


  #FORWARD chain:
  #simply forward all FORWARD traffic to our myfilter chain.
  #if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
  #chain and get a default policy of DENY.

  $IPTABLES -A FORWARD -j myfilter

  $IPTABLES -A FORWARD -j SMB

  #Set up SNAT
  $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.50

  eend $?
}

start() {
  ebegin "Starting firewall"
  if [ -e "${FIREWALL}" ]; then
    restore
  else
    einfo "${FIREWALL} does not exist. Using default rules."
    rules
  fi
  eend $?
}

stop() {
  ebegin "Stopping firewall"
  $IPTABLES -F INPUT
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -F FORWARD
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -F OUTPUT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -t nat -F POSTROUTING
  $IPTABLES -t nat -F PREROUTING
  $IPTABLES -F myfilter
  $IPTABLES -X myfilter
  $IPTABLES -F SMB
  $IPTABLES -X SMB
  eend $?
}

showstatus() {
  ebegin "Status"
  $IPTABLES -L -n -v --line-numbers
  einfo "NAT status"
  $IPTABLES -L -n -v --line-numbers -t nat
  eend $?
}

panic() {
  ebegin "Setting panic rules"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}

save() {
  ebegin "Saving Firewall rules"
  $IPTABLESSAVE > $FIREWALL
  eend $?
}

restore() {
  ebegin "Restoring Firewall rules"
  $IPTABLESRESTORE < $FIREWALL
  eend $?
}

restart() {
  svc_stop; svc_start
}

showoptions() {
  echo "Usage: $0 {start|save|restore|rules|panic|stop|restart|showstatus}"
  echo "start)      will restore setting if exists else force rules"
  echo "stop)       delete all rules and set all to accept"
  echo "rules)      force settings of new rules"
  echo "save)       will store settings in ${FIREWALL}"
  echo "restore)    will restore settings from ${FIREWALL}"
  echo "showstatus) Shows the status"
}


As you have probably seen already this is a mixture of some how-tos found on the Internet.

I really have tried to learn everything there is about iptables but I still have some questions:

1.) Do I understand it correctly that this script should be able to block any traffic not initiated by the internal LAN?

2.) In what exact sequence go packets through my router?
(i.e. INPUT -> PREROUTING -> POSTROUTING -> OUTPUT ????)
Couldn't find any documentation that really explains this for me.

3.) How do I have to setup metalog to actually log the packets that get caught by a log rule?

4.) When I do a
Quote:
cat /proc/net/ip_conntrack
I get the following output:

Quote:
udp 17 28 src=192.168.1.3 dst=192.168.1.255 sport=137 dport=137 [UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=137 dport=137 use=1
udp 17 26 src=192.168.1.3 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=138 dport=138 use=1


Does this mean that my SMB Broadcast filtering is not working? I thought that all SMB packets get dropped instantly.

Thanks in advance for any answers, I really appreciate it.
_________________
Greetings,
Proteus
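For reading the output in question 4, here is an added example (it is not code from the thread): a parser for /proc/net/ip_conntrack lines plus a helper that picks out the entries addressed to a LAN's directed broadcast address. The two sample lines are the ones quoted above; the TCP layout (a state word before the original tuple, [ASSURED] after the reply tuple) is also handled. One caveat worth knowing when interpreting such entries: conntrack confirms an entry and lists it in this file only after the packet has cleared the filter hooks (confirmation runs last in LOCAL_IN and POST_ROUTING), so a packet that INPUT or FORWARD drops leaves no entry here, while an entry means the filter let the packet through. Broadcast entries stay [UNREPLIED] because nothing answers from a broadcast address; they expire when the remaining timeout in the third column reaches zero.

```python
"""Parser for /proc/net/ip_conntrack lines (added example, not from the thread).

Line layout: <proto> <protonum> <timeout-left> [<tcp state>] <original tuple>
[UNREPLIED] <reply tuple> [ASSURED] use=N.  The original tuple is the direction
that created the entry; the reply tuple is what conntrack expects back.
"""
import ipaddress
import re
from typing import Dict, List

# Sample input: the two lines quoted in the question above.
SAMPLE = """\
udp 17 28 src=192.168.1.3 dst=192.168.1.255 sport=137 dport=137 [UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=137 dport=137 use=1
udp 17 26 src=192.168.1.3 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.3 sport=138 dport=138 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"^([A-Z_]+)\s+src=")      # tcp lines carry a state word first


def parse_line(line: str) -> Dict:
    proto, protonum, timeout, rest = line.split(None, 3)
    tuples = TUPLE_RE.findall(rest)
    if len(tuples) != 2:
        raise ValueError(f"expected an original and a reply tuple: {line!r}")
    state = STATE_RE.match(rest)
    use = re.search(r"use=(\d+)", rest)
    keys = ("src", "dst", "sport", "dport")

    def tup(t):
        return dict(zip(keys, (t[0], t[1], int(t[2]), int(t[3]))))

    return {
        "proto": proto, "protonum": int(protonum), "timeout": int(timeout),
        "state": state.group(1) if state else None,
        "orig": tup(tuples[0]), "reply": tup(tuples[1]),
        "flags": re.findall(r"\[([A-Z]+)\]", rest),
        "use": int(use.group(1)) if use else None,
    }


def parse(text: str) -> List[Dict]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def broadcast_entries(entries: List[Dict], lan: str) -> List[Dict]:
    """Entries whose original destination is the LAN's directed broadcast
    address.  Nothing answers from a broadcast address, so these stay
    [UNREPLIED] until the timeout in the third column runs out."""
    bcast = ipaddress.ip_network(lan).broadcast_address
    return [e for e in entries if ipaddress.ip_address(e["orig"]["dst"]) == bcast]
```

Calling `broadcast_entries(parse(SAMPLE), "192.168.1.0/24")` returns both quoted entries (sport 137 and 138), which is the NetBIOS name-service and datagram-service chatter from 192.168.1.3 on the trusted LAN.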
Maz
n00b


Joined: 18 Jul 2002
Posts: 43
Location: Montpeller, France

Posted: Fri Jan 10, 2003 6:18 am    Post subject:

First, I'm no iptables guru, so don't take my answer too seriously.

1) I'm not sure what you mean. If you mean "block any traffic from untrusted router to trusted LAN", then I think it should.
Btw, why do you explicitly add drop rules when the default rule is to drop anyway? You are making the script less readable for nothing.
A little clarification: -j means jump. So, if you append twice a rule with a different -j, you will never get into the second. -j routes the packets to a new chain; it does not filter it through it and then pass it to the next rule. Of course, there is one exception (there always is :wink: ): -j LOG is just a filter, not a redirection.

2) It is not linear; there is the problem of routing packets received by or originating from the box, destined to the box, or just rerouted, etc.
Found a good diagram here: http://www.docum.org/stef.coene/qos/kptd/

3) Sorry, I have no idea

4) I think you see the packet received, then dropped. Making a firewall does not make traffic disappear :).

On a personal note, while I appreciate the work you put into your firewall, I think you are overdoing things.

Hope it helps
_________________
Maz
Proteus
Guru


Joined: 14 Jul 2002
Posts: 346
Location: Hamburg, Germany

Posted: Fri Jan 10, 2003 11:16 am    Post subject:

First: Thank you very much for your answer.

Question 1 was meant exactly as you interpreted it. Sorry for being unclear :oops:

With the additional "drop" rules do you mean those for smb traffic?
The problem was that smb traffic seemed to go unharmed and now it seems better. But I never really knew what -j meant ;-) Thanks for that.

Which rule do you think is not active due to me "jumping" around too much? I thought the packets would traverse through the "myfilter" chain and then through the "SMB" chain.

The link for 2) seems to be really good. Hope I can get a better idea of how things work.

Your answer to 4) gives me a warm fuzzy feeling ;-) because then it works as it should...

Last: I do appreciate your comment that I am overdoing things. This must be true because it's my first time and I really want to make sure that this thing does what it should do.
But I am curious and want to learn: What exactly should I do to make this script more compact and easier to read? (Besides not adding dropping rules that possibly never get executed anyway (?) )

Maz - you may not be an iptables guru but I learned from you. Thanks.
_________________
Greetings,
Proteus
Maz
n00b


Joined: 18 Jul 2002
Posts: 43
Location: Montpeller, France

Posted: Sat Jan 11, 2003 11:50 am    Post subject:

I told you that your packet would not return from a user-defined chain. I was WRONG (of course :)). From the Netfilter HOWTO:
Quote:

When a packet matches a rule whose target is a user-defined chain, the packet begins traversing the rules in that user-defined chain. If that chain doesn't decide the fate of the packet, then once traversal on that chain has finished, traversal resumes on the next rule in the current chain.


So, your packet will go through all rules, unless it matches a rule with a terminal jump (ACCEPT or DROP are the only default ones I think). I'm sorry for the wrong information.

Otherwise, here what I would do, in your case, without all proc options (maybe some missing, since I'm not you):
Code:

# Various temp variables
local x

# Drop every incoming and forwarded packet by default
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# Create a chain for new local connections,
# route all new connections there
# and decide what to do with them

$IPTABLES -N new_connection
$IPTABLES -A INPUT -m state --state NEW -j new_connection

# Accept some local services for everyone
for x in $SERVICES
do
  $IPTABLES -A new_connection -p tcp --dport ${x} -j ACCEPT
done

# Accept some more local services for the trusted network card
# Note: do not trust the source IP, in case of spoofing
for x in $SERVICES_FOR_TRUSTED
do
  $IPTABLES -A new_connection -i $IINTERFACE -p tcp --dport ${x} -j ACCEPT
done

# Reject cleanly all else
# needs the REJECT target compiled into the kernel
$IPTABLES -A new_connection -j REJECT

# end of new connection

# Create a chain for new forwarded connections
$IPTABLES -N new_forward
$IPTABLES -A FORWARD -m state --state NEW -j new_forward
# accept trusted to connect outside
$IPTABLES -A new_forward -i $IINTERFACE -j ACCEPT
# example: allow one machine on trusted to act as a web server
# example to illustrate why it may be useful to create a new chain
# obelix being a DNS name resolving to 192.168.1.6
# $IPTABLES -A new_forward -d obelix -p tcp --dport http -j ACCEPT

# End of new forwarded

# Finally, accept the established or related packets
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log invalid packets on both chains; they then fall through to the default DROP
$IPTABLES -A INPUT   -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning

# Everything else coming in or forwarded by the box will be dropped by default

# end of all incoming and forwarded

# Sanity if the box should not connect to anything but smtp
$IPTABLES -N new_output
$IPTABLES -A OUTPUT -m state --state NEW -j new_output

# Accept mail relaying through smtp
$IPTABLES -A new_output -p tcp --dport smtp -j ACCEPT
# log and drop all else
$IPTABLES -A new_output -j LOG --log-prefix "Outside connection attempted :" --log-level warning
$IPTABLES -A new_output -j DROP

# end of output


I don't understand the SNAT you are doing, so I didn't include it. I didn't put in the proc tweaks and ping limits; I will leave those to you. Otherwise, it should do exactly what you were doing. I didn't test it nor reread it very carefully, so do that if you want to try it out. The script is not complete; it lacks your header, start/stop, etc.
_________________
Maz
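The traversal rule quoted from the Netfilter HOWTO in the post above is exactly what decides whether the SMB chain in the first post's script is ever reached, and it also answers the "-j" question from the earlier reply. The following Python model is an added example, not code from the thread or from netfilter: it implements jumps into user-defined chains, fall-through back to the calling chain, terminal versus non-terminal targets, and the built-in chain policy, then loads the INPUT and FORWARD rule order of the first post's script (matching only -i, -o, -p, ports and -m state; the icmp rate-limit rules and the OUTPUT jumps are left out). Run on the NetBIOS broadcast from the quoted conntrack output (udp 137 to 137 arriving on eth0), it shows INPUT accepting it: `-j myfilter` is appended before the two `-j SMB` rules, and myfilter's second rule accepts any NEW packet not arriving on eth1, so the SMB chain never sees the packet. In FORWARD the jumps to SMB come first and the same packet is dropped. The `smb_before_myfilter` parameter and the packet constants are this example's own assumptions; the parameter moves the INPUT jumps ahead of myfilter to show the difference.

```python
"""Toy netfilter chain-traversal model (added example, not code from the thread).
A jump into a user-defined chain that decides nothing resumes at the next rule of
the caller; ACCEPT, DROP and REJECT are terminal, LOG is not (the rule Maz quotes)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ALIAS = {"i": "in_if", "o": "out_if", "p": "proto"}   # iptables flag -> Packet field


@dataclass
class Packet:
    in_if: str = ""      # interface the packet arrived on (-i)
    out_if: str = ""     # interface it leaves by (-o); empty in INPUT
    proto: str = "udp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"   # what "-m state" would see


class Rule:
    """match keys: i, o ("eth0" or "!eth1"), p, sport, dport, state ("NEW,RELATED")."""

    def __init__(self, target: str, **match) -> None:
        self.target, self.match = target, match

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            have = getattr(pkt, ALIAS.get(key, key))
            if key in ("i", "o") and want.startswith("!"):   # "-i ! eth1"
                if have == want[1:]:
                    return False
            elif key == "state":
                if have not in want.split(","):
                    return False
            elif have != want:
                return False
        return True


class Filter:
    def __init__(self, policies: Dict[str, str]) -> None:
        self.policy = dict(policies)                  # built-in chains only
        self.chains: Dict[str, List[Rule]] = {c: [] for c in policies}

    def new_chain(self, name: str) -> None:                      # iptables -N
        self.chains[name] = []

    def append(self, chain: str, target: str, **match) -> None:  # iptables -A
        self.chains[chain].append(Rule(target, **match))

    def _walk(self, chain: str, pkt: Packet, trail: List[str]) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            trail.append(f"{chain} -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target in self.chains:       # jump into a user-defined chain
                verdict = self._walk(rule.target, pkt, trail)
                if verdict is not None:
                    return verdict
            # LOG, or a chain that fell off its end: carry on with the next rule
        return None

    def verdict(self, chain: str, pkt: Packet) -> Tuple[str, List[str]]:
        trail: List[str] = []
        v = self._walk(chain, pkt, trail)
        if v is None:                            # fell off a built-in chain
            v = self.policy[chain]
            trail.append(f"{chain} policy {v}")
        return v, trail


def proteus_ruleset(smb_before_myfilter: bool = False) -> Filter:
    """INPUT and FORWARD in the order the first post's script appends them
    (icmp rate-limit rules left out).  smb_before_myfilter is this example's own
    knob: it moves the two INPUT jumps to SMB ahead of the jump to myfilter."""
    f = Filter({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    f.new_chain("myfilter")
    f.append("myfilter", "ACCEPT", state="ESTABLISHED,RELATED")
    f.append("myfilter", "ACCEPT", state="NEW", i="!eth1")
    f.append("myfilter", "LOG", state="INVALID")
    f.append("myfilter", "REJECT", p="tcp")
    f.append("myfilter", "REJECT")
    f.new_chain("SMB")
    for p in ("tcp", "udp"):
        for port in (137, 138, 139, 445):
            f.append("SMB", "DROP", p=p, dport=port)
            f.append("SMB", "DROP", p=p, sport=port)
    for port in (22, 80):                         # SERVICES="ssh http"
        f.append("INPUT", "ACCEPT", p="tcp", dport=port, state="NEW")
    jumps = [("SMB", {"i": "eth1"}), ("SMB", {"i": "eth0"}), ("myfilter", {})]
    for target, m in (jumps if smb_before_myfilter else jumps[-1:] + jumps[:-1]):
        f.append("INPUT", target, **m)
    for m in ({"i": "eth1"}, {"o": "eth1"}, {"i": "eth0"}, {"o": "eth0"}):
        f.append("FORWARD", "SMB", **m)
    f.append("FORWARD", "myfilter")
    f.append("FORWARD", "SMB")
    return f


# Constructed packets: the NetBIOS broadcast from the quoted conntrack output
# (192.168.1.3 -> 192.168.1.255, udp 137 -> 137) and one inbound SMB probe on eth1.
NBNS_TO_BOX = Packet(in_if="eth0", proto="udp", sport=137, dport=137)
NBNS_FORWARDED = Packet(in_if="eth0", out_if="eth1", proto="udp", sport=137, dport=137)
SMB_FROM_ETH1 = Packet(in_if="eth1", proto="tcp", sport=1025, dport=445)
```

`proteus_ruleset().verdict("INPUT", NBNS_TO_BOX)` returns `("ACCEPT", ["INPUT -> myfilter", "myfilter -> ACCEPT"])`, while the same packet in FORWARD returns `("DROP", ["FORWARD -> SMB", "SMB -> DROP"])`; with `smb_before_myfilter=True` the INPUT verdict becomes DROP as well. The trail is the part worth looking at when a ruleset misbehaves: it shows which rule decided the fate, and in particular that the SMB jumps in INPUT sit behind a chain whose last rule rejects everything, so in the script as posted they can never match.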