Seather (Apprentice)
Joined: 23 May 2003 | Posts: 194 | Location: South Africa
Posted: Mon Oct 20, 2003 5:53 pm | Post subject: Securing iptables firewall some more
I'm at the moment trying to secure my network as much as possible, and think one of the main things would be my [software] router's firewall, that should keep most outsider attempts and attacks out.
This is my current network layout:
Code:
               ----------------------------
               |         internet         |
               ----------------------------
                            |
               ----------------------------
               |    adsl router/modem     |
               ----------------------------
                            |
               --------------------------------
               |  ppp0 / eth1 (dynamic IP)    |
               |  dydns to scygro.ath.cx      |
               |                              |
               |  router firewall gentoo box  |
               |                              |
               |             eth0             |
               |        (192.168.0.45)        |
               --------------------------------
                            |
               --------------------------------
               |      CNET 24port switch      |
               --------------------------------
                  |         |         |         |
   [ webserver ] [ ftp/mail server ] [ personal desktop ] [ 8 other desktop boxes ]
   [ 192.168.0.254 ] [ 192.168.0.69 ] [ 192.168.0.16 ] [ 192.168.0.* ]
I'll start securing things at my router/gateway/firewall/gentoo box of course, and that by securing the firewall a bit more. Maybe someone can offer advice or adjustments to it please? It would be greatly appreciated. This is my current firewall ruleset:
Code:
#!/bin/bash
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
IFCONFIG=/sbin/ifconfig
WEBSERVER="192.168.0.254"
FTPSERVER="192.168.0.69"

# Flush tables and set policies
# All policies are reset to ACCEPT here, so the box is fully open from this
# point until the DROP rules further down have been loaded.
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -F OUTPUT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -F FORWARD
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F OUTPUT

# Enable IP forwarding
echo "Enabling Forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable Dynamic IP (keeps masqueraded connections sane when ppp0 changes address)
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Allow everything and anything to DNS servers
$IPTABLES -A FORWARD -d 196.25.1.1 -j ACCEPT
$IPTABLES -A FORWARD -d 196.25.1.9 -j ACCEPT

# Block everything except things that should be used (one host, 192.168.0.171)
# These rules only restrict that single address; every other internal host is
# let out unrestricted by the "-i $INTIF -o $EXTIF" ACCEPT further down.
$IPTABLES -A FORWARD -s 192.168.0.171 -p tcp -m multiport --source-ports 80,3,123,22,21,23,110,25 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.171 -p udp -m multiport --source-ports 80,3,123,22,21,23,110,25 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.171 -p tcp -m multiport --destination-ports 80,3,123,22,21,23,110,25 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.171 -p udp -m multiport --destination-ports 80,3,123,22,21,23,110,25 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.171 -p icmp -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.171 -j DROP

# Set internal IP (net-tools ifconfig prints "inet addr:192.168.0.45 ...");
# INTIP is only echoed, no rule below uses it.
INTIP=$($IFCONFIG $INTIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
echo "Internal interface is $INTIF with ip address: $INTIP"

# Allow routing connections through: replies from outside in, anything from inside out
echo "Allowing routing connections"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Block some ports, just for now (ssh, squid, socks from the outside)
echo "Blocking ports"
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp -m multiport --destination-ports 22,3128,1080 -j DROP

# Set up gateway/routing
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Port forward http requests to the web server
# "-I" inserts at the head of FORWARD, ahead of the 192.168.0.171 rules above.
# FORWARD sees the packet after DNAT, so the rule matches the internal address.
echo "Set up http forwarding to $WEBSERVER"
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to $WEBSERVER
$IPTABLES -I FORWARD -i $EXTIF -o $INTIF -d $WEBSERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Port forward ftp requests to the ftp server
# FTP data connections only count as RELATED if the ip_conntrack_ftp and
# ip_nat_ftp modules are loaded; otherwise only the control channel works.
echo "Set up ftp forwarding to $FTPSERVER"
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 21 -j DNAT --to $FTPSERVER
$IPTABLES -I FORWARD -i $EXTIF -o $INTIF -d $FTPSERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT

# Allow some ports over the local network (ssh and squid from the LAN side)
$IPTABLES -t filter -A INPUT -p tcp -m multiport --destination-ports 22,3128 -i $INTIF -j ACCEPT

# Allow replies to connections the firewall itself opened
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block everything else incoming over external interface.
# With the INPUT policy at ACCEPT this last rule is the only thing closing
# the outside; everything arriving on $INTIF is still accepted by policy.
$IPTABLES -t filter -A INPUT -i $EXTIF -j DROP
I'm especially worried because soon I'll have to give a work colleague a shell account on my webserver...and this guy...well yeah, he knows what he's doing. But I also want to try to cut off any possible threats from outside.
Any comments, suggestions, advice or help will be greatly appreciated! Thanks!
neilhwatson (l33t)
Joined: 06 Feb 2003 | Posts: 719 | Location: Canada
Posted: Mon Oct 20, 2003 6:12 pm
A firewall should always have default policies set to DENY. Yours are set to ACCEPT. Very risky.
_________________
The true guru is a teacher.
Neil Watson
pilgrim337 (n00b)
Joined: 07 Oct 2003 | Posts: 63
Posted: Mon Oct 20, 2003 9:40 pm
You should put your servers on a DMZ of sorts (i.e. install another NIC in your firewall, put the servers on the interface that allows incoming connections and put the desktops on the other). This creates a tri-homed network:
http://www.isaserver.org/images/tutorials/dmz_scenarios/image002.gif
To be the most secure you should have two firewalls (Internet -> Firewall1 -> DMZ -> Firewall2 -> Workstations):
http://www.isaserver.org/images/tutorials/dmz_scenarios/image005.gif
But since you're going to use similar firewalls, a tri-homed network is sufficient.
You should have your servers on a separate network so that people that have accounts on them (or people that "get" accounts on them) do not have access to your desktops (which in my case have more important data than my servers). The basic idea is that anything that can be accessed from the Internet WILL get compromised.
Here's an intro to DMZs: http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html (yes I know it's from a M$ site, but it's the first one google came back with)
_________________
-Pilgrim
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents."
-Nathaniel Borenstein
Seather (Apprentice)
Joined: 23 May 2003 | Posts: 194 | Location: South Africa
Posted: Mon Oct 20, 2003 9:53 pm
Thanks pilgrim337, I will look into that; it looks fairly interesting, actually makes a lot of sense and will help a lot...
In the meanwhile though, neilhwatson, technically my INPUT's default policy is set to DROP, just with a rule and not with the policy setting, but I changed that. What I really want to do asap is set FORWARD's default policy to DROP; however, the moment I do that my forwarding to web and http servers doesn't work anymore...even with my attempted -j ACCEPT rules together with them.
Does anyone have any idea how I can allow those DNAT forwards with the FORWARD policy set to DROP?
Thanks!
Beekster (Apprentice)
Joined: 26 Nov 2002 | Posts: 268 | Location: Sydney
Posted: Tue Oct 21, 2003 2:56 am
I think you will need some prerouting rules together with your forward rules.
Have a look at this site.
It generates scripts, and the options expand as you add needed features. It should let you get a working iptables script that is well commented for understanding.
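The question of the thread, getting DNATed services through a FORWARD chain whose policy is DROP, together with the default-deny and DMZ advice from the replies, worked through as an added example that is not from any of the posters. It assumes a third NIC (eth2) carrying the web and ftp/mail servers on a 192.168.1.0/24 DMZ; ppp0, eth0, the 192.168.0.0/24 LAN and the two ISP resolvers come from the original script, everything else is an assumption marked in the comments. Run with no arguments it prints the rules it would load; run as root with --apply it installs them.

```shell
#!/bin/sh
# Added example, not from the thread. Default-DROP, tri-homed ruleset that
# still lets DNATed services reach the DMZ. Assumed: a third NIC eth2 with the
# servers moved to a 192.168.1.0/24 DMZ; addresses below are placeholders.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF=ppp0                    # internet side, dynamic IP (from the thread)
LANIF=eth0                    # desktops (from the thread)
DMZIF=eth2                    # assumed extra NIC for the servers
LANNET=192.168.0.0/24
DMZNET=192.168.1.0/24         # assumed DMZ subnet
WEBSERVER=192.168.1.254       # assumed new address of the web server
FTPSERVER=192.168.1.69        # assumed new address of the ftp/mail server
DNSSERVERS="196.25.1.1 196.25.1.9"   # resolvers from the original script

# Execute a command, or print it instead when DRYRUN is set.
run() {
    if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Publishing a service takes two rules that must agree: the DNAT in
# nat/PREROUTING rewrites the destination, and the FORWARD ACCEPT must match
# the rewritten internal address, because FORWARD is evaluated after DNAT.
# Without the second rule a DROP policy on FORWARD silently eats the SYN.
# Return traffic is covered by the ESTABLISHED,RELATED rule, not listed here.
publish_service() {   # usage: publish_service <proto> <port> <internal host>
    run $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3"
    run $IPTABLES -A FORWARD -i "$EXTIF" -o "$DMZIF" -d "$3" -p "$1" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

apply_ruleset() {
    # Policies go to DROP before the flush, so there is no moment during a
    # reload in which the box is open by default.
    for chain in INPUT FORWARD OUTPUT; do
        run $IPTABLES -t filter -P "$chain" DROP
    done
    run $IPTABLES -t filter -F
    run $IPTABLES -t filter -X
    run $IPTABLES -t nat -F
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.ip_dynaddr=1
    # FTP data connections only count as RELATED with the conntrack helper
    # loaded (ip_nat_ftp on 2.4 kernels, nf_nat_ftp on 2.6.20 and later).
    run modprobe ip_nat_ftp

    # Loopback, anti-spoofing on the outside, connection-tracking bookkeeping.
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A OUTPUT -o lo -j ACCEPT
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run $IPTABLES -A INPUT -i "$EXTIF" -s "$net" -j DROP
        run $IPTABLES -A FORWARD -i "$EXTIF" -s "$net" -j DROP
    done
    run $IPTABLES -A INPUT -m state --state INVALID -j DROP
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # The firewall itself: ssh and the proxy reachable from the LAN only.
    run $IPTABLES -A INPUT -i "$LANIF" -s "$LANNET" -p tcp -m multiport --dports 22,3128 -j ACCEPT
    run $IPTABLES -A INPUT -i "$LANIF" -p icmp --icmp-type echo-request -j ACCEPT

    # LAN may reach the internet and the DMZ; the DMZ gets only DNS and
    # outbound mail, and must never open connections into the LAN, so a
    # shell account on a server does not become a foothold on the desktops.
    run $IPTABLES -A FORWARD -i "$LANIF" -o "$EXTIF" -s "$LANNET" -j ACCEPT
    run $IPTABLES -A FORWARD -i "$LANIF" -o "$DMZIF" -s "$LANNET" -j ACCEPT
    for dns in $DNSSERVERS; do
        run $IPTABLES -A FORWARD -i "$DMZIF" -o "$EXTIF" -s "$DMZNET" -d "$dns" -p udp --dport 53 -j ACCEPT
    done
    run $IPTABLES -A FORWARD -i "$DMZIF" -o "$EXTIF" -s "$FTPSERVER" -p tcp --dport 25 -j ACCEPT
    run $IPTABLES -A FORWARD -i "$DMZIF" -o "$LANIF" -j DROP

    # Masquerade outbound traffic, then publish the two services.
    run $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    publish_service tcp 80 "$WEBSERVER"
    publish_service tcp 21 "$FTPSERVER"

    # Log what is about to hit the DROP policy, rate-limited.
    run $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    run $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# Dry run unless explicitly asked to apply.
if [ "${1:-}" = "--apply" ]; then DRYRUN=; else DRYRUN=1; fi
apply_ruleset
```

Two things to keep in mind when adapting it. Because the policies are switched to DROP before the rules are re-added, load it from the console or with a scheduled rollback, since any remote session is cut for the duration of the reload. And the explicit DMZ-to-LAN DROP sits after the ESTABLISHED,RELATED rule on purpose: LAN users can still open connections to the servers and get replies, while nothing on a server can start a connection toward a desktop.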