HOWTO: Iptables for newbies. PART II: Securing your Network

[krunk]

Iptables for Newbies
Part II: Hardening Your Firwall
(part one can be found here: Part I: Getting up and running)
First Draft

*NOTE* It takes me a bit of time putting these together. So if it helped an you'd like to see the series continue put a quick post so I know it's being used and not just glanced at.
*NOTE* --2004-09-17-- I've let this howto lag for while, partly due to a lot of work and partly due to laziness. However, I've gotten a lot of responses, feedback, and input recently and it seems to be picking up popularity so I intend to give it an overhaul this week.

cheers!

In the following howto we're going to further secure our now functional firewall. By the time we are through we should have a set of tested rules and policies that will prevent not only attacks to our own computer, but also attacks from our computer to the internet. Protecting others from the possibility of being attacked by one of our compromised computers is an essential and often overlooked aspect of security and common internet courtesy. I would even say for the SOHO network this is the most important aspect. Normally virus infection is only a minor nussence to a small network and rarely results in data loss....for us 100% *nix users it practically doesn't even exist. However, since small soho networks are often less secure then larger ones they are a favorite target for crackers looking for a “launchpad” for DoS attacks or other underhanded skullduggary.

The follwing is offered in a piece meal fashion in a sequence which enables the easiest step by step testing. Each step may require that something be inserted before, after, or in the middle of our existing script. This was done so that (hopefully) your network will only go down for a brief period during setup. I've done it this way because I have assumed many of you (like me) have a stand alone linux firewall/server. Since my preferred method is ssh, the network going down can be a PITA involving crawling under tables and such. If your daring, you can just copy the script at the end and run it. It should be fully functional, but I have only tested it on my system so ymmv.

• **change log**
  1. Added ip_conntrack_ftp and ip_nat_ftp modules to eliminate PASV error when emerging.
  2. Eliminated filtering on the nat chain. I was having some "unpredictable results" and this cleared it up. It should not affect security at all since the filter chain is still, well, filtered.

• Necessary Tools
  3. Corrected typo error at end of script: changed 'iptables' to $IPT
  
  * ifconfig
  * iptables
  * grep
  * sed

Setting up environment variables

We will define our networks interfaces and various tools used in the script:

Code: Select all

vim myfw

Code: Select all

#!/bin/bash

# External interface
EXTIF='ppp0'
# Internal interface
INTIF1='eth0'
INTIF2='eth1'

# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
# The above EXTBC is for those lucky enough to have a straight up ethernet.
# For pppoe users we just hard set it to a all expansive value
EXTBC=255.255.255.255
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

#Setting up environment variables for internal interface two
INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC2="`$IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET2="$INTIP2/$INTMSK2"

*NOTE* I have commented out the external broadcast from the above script due to the ppp0 connection not having one. This would normally be used to prevent "egress broadcasts" or outgoing broadcast (I will talk more on this later). As a solution I set EXTBC to 255.255.255.255, as I believe this will accomplish the same goal. If anyone has insight into the hitch let me know.

Ok, now lets exit out of vim and test to ensure that our environment variables are being correctly set:
chmod 700 myfw;./myfw

Your output should be similar to this:

Code: Select all

EXTIP=204.223.98.5 EXTBC=255.255.255.255 EXTMSK=255.255.255.255 EXTNET=204.223.98.5/255.255.255.255
INTIP1=192.168.0.78 INTBC1=192.168.0.255 INTMSK1=255.255.0.0 INTNET1=192.168.0.78/255.255.0.0
INTIP2=192.168.1.78 INTBC2=192.168.1.255 INTMSK2=255.255.255.0 INTNET2=192.168.1.78/255.255.255.0

Ok now we're going to set up the ACCEPTS which will allow us to communicate with our server. In reality this is very ill advised. A solid firewall policy should DENY than ACCEPT. But if you do that you lose all connections while your testing so your not sure if your ACCEPT rules work at all. So, though we are entering this first, it will be the second to last rule set in the final script.

Code: Select all

$IPT -t nat -A PREROUTING                       -j ACCEPT
# $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to $EXTIP
# Comment out next line (that has "MASQUERADE") to not NAT internal network
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
                                                                               
$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
                                                                               
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Next we are going to define a couple of custom chains which will log drop and reject events. This way we don't have to enter a separate line for each command entered. The logs will be sent to where your syslog default log messages are sent (usually /var/log/messages). Later I'm going to write a grep/sed script that will parse and organize these for easy viewing and set it as a daily cron job.

This should be inserted immediately after the above definitions. When you are done, run the script again. It should have no affect on functionality of the network since we're just setting definitions. But it will ensure that we have no errors thusfar.

Code: Select all

# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
                                                                                                                                                       
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                                                                                                       
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT

Ok, now that we see our devices are being detected properly, we are going to insert a flush commands. So that when our rules are assigned it will be done cleanly. These lines should be inserted after our utilities definitions, the last one being: SED='/bin/sed'

Code: Select all

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS
do
    $IPT -t $i -F
done
                                                                                                                                                       
for i in $CHAINS
do
    $IPT -t $i -X
done

Now we're ready to start laying down some rules. First we are going to accept all packets from our loopback device if the ip address matches that of any of our local interfaces:

Code: Select all

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT

Now we will block broadcasts both incoming and outgoing. This is can prevent DoS attacks against us, as well as preventing our clients from being used to DoS someone else. This is part of what's called "Egress Protection". It's a do unto your neighbour sort of philosophy. If all SysAdmins followed this policy, than many of the more severe and costly DoS attacks would either not have occurred or been extremely limited.

Code: Select all

# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A INPUT   -i $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A FORWARD -o $INTIF2 -d   $INTBC2  -j DROPl

Now test the script once more to ensure we have no syntax errors. Also notice that we are using our newly defined DROPl chain. This means that the dropped packets will be logged. Next we are going to block WAN access our LAN if not specifically intended for our ips assigne ip:

Code: Select all

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into  our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
                                                                               
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

We're going to apply the same logic to our internal lan. In other words, any packets not originating from our predefined internal network will be rejected:

Code: Select all

# Now we will block internal addresses originating from anything buy our
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
                                                                               
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl

# Interface two/internal net two
$IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl
$IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl

Next we do some more Egress checking of outgoing packets and stop all icmp requests except for pinging:

Code: Select all

# An additional Egress check
                                                                               
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
                                                                               
# Block outbound ICMP (except for PING)
                                                                               
$IPT -A OUTPUT  -o $EXTIF -p icmp \
  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl

Ok, where moving along now and we should test the script for errors. Assuming an all clear we're going to start plugging some of the more bothersome port holes:

Code: Select all

# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 432

# TCP ports:
# 98 is Linuxconf
# 512-5!5 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
                                                                               
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
9 6346 3128 8000 8008 8080 12345 65535"

After defining the environment variables all we have to do is a simple for loop to assign rules to them all:

Code: Select all

echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
                                                                               
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
    $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

Ok, now with iptables each time we run the script it simply appends these to already existing chains...so things are probably getting a bit messy. For that reason we're going to jump to the beginning of our script....right after the enviroment variables for sed and grep, but before those of EXTIP and EXTBC and add a loop that deletes and flushes. This ensure we're working from a clean state. We didn't want to do that before because we couldn't have tested our script without either shutting down our connection or dropping our firewall completely. This script first sets all policies to DROP, than flushes and deletes our chains. In order to ensure that we can still ssh back into our server after a script restart we are going to append an INPUT chain for ssh. This should always be placed at the end of the script for now. This done in order to prevent a window from opening up while we reset rules which is a common error made:

Code: Select all

# Deny than accept: this keeps holes from opening up
# while we close ports and such
                                                                               
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
                                                                               
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
                                                                               
for i in $CHAINS;
do
    $IPT -t $i -X
done

$IPT -A INPUT   -i $INTIF1 -p tcp                      --dport 22 \
   --syn -m state --state NEW -j ACCEPT

Right afterwards we are going to activate the sysctl's for tcp_syncookies, icmp_echo_ignore_broadcasts, rp_filter, and accept_source_route. Heretofore many of the rules we've been "testing" haven't been able to actually work. In essence we were simply doing syntax error tests. Now our rules will be "for real":

Code: Select all

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                                                                               
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
                                                                               
echo 1 > /proc/sys/net/ipv4/ip_forward

Now we're going to add ftp connection tracking so that we won't get PASV errors when emerging packages:

Code: Select all

# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done

Now back to end of our script, we are going to open up services for systems behind our firewall. I have included services such as IRC, MSN, ICQ, and NFS, FTP, domain, and time. And some others. The important thing to note is that these will ONLY be availabe BEHIND the firewall. So this will not enable someone to ftp into your LAN:

Code: Select all

IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
                                                                               
# All services ports are read from /etc/services
                                                                               
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE \
            $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"

echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done
echo ""
                                                                               
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 \
done
echo ""

Now we're done all that's left is allowing us to ping the outside world by opening up pinging out of the firewall:

Code: Select all

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                               
# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT

Now we are going to default to DROP and Log anything that's left in case we overlooked something. The ACCEPT entry's we made at the very beginning would come right before this in the final script:

Code: Select all

# Log & block whatever is left
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl

And your done. I had a friend nmap and nessus my connection with this rule set and as far as both of them were concerned the only thing it was even slightly sure about was that the ip existed...other than that nothing. I can IRC, MSN, ICQ, ane emerge sync to my hearts content.

*CREDITS* I take absolutely NO credit for this, I gathered most from other tutorials and implemented some fixes and loops from yet other howtos to make things more comprehensive and/or efficient. ABSOLUTELY NONE of this should be credited to me.


PART III will cover setting up some essential SOHO services like NFS and CUPS in a security conscious manner.

Now here's the full script in all it's glory (I also put the ssh forwarding in a more appropriate place):

Code: Select all

# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth1
INTIF2=eth2
                                                                               
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
                                                                               
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
                                                                               
# Last but not least, the users
JAMES=192.168.1.77
TERESA=192.168.2.77
                                                                               
# Deny than accept: this keeps holes from opening up
# while we close ports and such
                                                                               
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
                                                                               
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
                                                                               
for i in $CHAINS;
do
    $IPT -t $i -X
done
                                                                               
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                                                                               
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
                                                                               
echo 1 > /proc/sys/net/ipv4/ip_forward
                                                                               
                                                                               
# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
                                                                               
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will server the same purpose
                                                                               
                                                                               
# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
                                                                               
#Setting up environment variables for internal interface two
INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC2="`$IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET2="$INTIP2/$INTMSK2"
echo "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"
                                                                               
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
                                                                               
# Do not complain if chain already exists (so restart is clean)
                                                                               
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
                                                                               
# Now we are going to accpet all traffic from our loopback device
# if the IP matches any of our interfaces.
                                                                               
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT
                                                                               
# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A INPUT   -i $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d   $INTBC2  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A FORWARD -o $INTIF2 -d   $INTBC2  -j DROPl
                                                                               
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into  our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
                                                                               
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
                                                                               
# Now we will block internal addresses originating from anything butour
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need # to ensure that they either have the same ip or that you add a line explicitly
# that IP as well                                                                                
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl
                                                                               
# Interface two/internal net two
$IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl
$IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl
                                                                               
# An additional Egress check
                                                                               
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
                                                                               
# Block outbound ICMP (except for PING)
                                                                               
$IPT -A OUTPUT  -o $EXTIF -p icmp \
  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
                                                                               
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
                                                                               
# TCP ports:
# 98 is Linuxconf
# 512-5!5 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
                                                                               
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
                                                                               
echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
                                                                               
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
    $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done
                                                                            
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
                                                                               
# All services ports are read from /etc/services
                                                                               
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE \             $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"
                                                                               
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done
echo ""
                                                                               
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""
                                                                               
# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                               
# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                                                                                                    
$IPT -A INPUT   -i $INTIF1 -p tcp                      --dport 22 \
   --syn -m state --state NEW -j ACCEPT
                                                                               
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
                                                                               
$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
                                                                               
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
                                                                               
# block and log what me may have forgot
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl

[Fear]

I really like these Tutorial, it helps me allot to understand and use iptables. I got a ppp0 connection to the internet aswell and I'd like to use iptables to savely connect my 2 desktops and 2 laptops to the internet useing an old PII 300MHZ as the Gentoo box with a 2.6.1 Kernel.

Found maybe 1 glitch in your script:

Code: Select all

echo -n "FW: Allowing inside systems to use service:" 
for i in $TCPSERV; 
do 
   echo -n "$i " 
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \ <-- double??
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
                                                                                
done 

Keep up the good work.

[Andersson]

*CREDITS* I take absolutely NO credit for this, I gathered most from other tutorials and implemented some fixes and loops from yet other howtos to make things more comprehensive and/or efficient. ABSOLUTELY NONE of this should be credited to me.

Come on! At least take credit for putting the guide together!

PART III will cover setting up some essential SOHO services like NFS and CUPS in a security conscious manner.

What exactly is SOHO? You use that word a lot yet I haven't heard it before. Small Office, Home and Other networks perhaps? Anyway, I'm looking forward to the next part.

[mr.isomer]

ok i am having problems with this line

Code: Select all

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT 

Also should it not be DROP insted of DROPl and REJECT instead of REJECTl??

regardless is still get:

iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

[Andersson]

They look good to me. DROPl and REJECTl are the new chains being created. Only the last command (after -j on line 4 and 8) should be the normal DROP / REJECT.

What errors do you get if you leave the lines like in the original?

[krunk]

I really like these Tutorial, it helps me allot to understand and use iptables. I got a ppp0 connection to the internet aswell and I'd like to use iptables to savely connect my 2 desktops and 2 laptops to the internet useing an old PII 300MHZ as the Gentoo box with a 2.6.1 Kernel.

Found maybe 1 glitch in your script:

Code: Select all

echo -n "FW: Allowing inside systems to use service:" 
for i in $TCPSERV; 
do 
   echo -n "$i " 
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \ <-- double??
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
                                                                                
done 

Keep up the good work.

Thank you, I must have made an error in the transfer. In fact, that line should have caused either errors or unexpected results. If I interpret correctly, I believe it would have allowed all tcp ports from interface one with source of internal net one to be forwarded rather than just our defined ones. Not a hole really, but not ast tight as intended.

Code: Select all

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT

Yes this is a chain definition. Any time it is appended it drops the packet and creates a log entry with a prefix of "DROPl:" or "REJECTl:", this allow us to append this in lieu of DROP and not have to create another iptable command for each log entry. The output appears in /var/log/messages and looks something like this:

Code: Select all

Apr 12 18:30:44 tuxmac DROPl:IN=ppp0 OUT= MAC= SRC=<Packet Source IP> DST=<Packet Destination IP> LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=11203 DF PROTO=TCP SPT=4556 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Some have no entry, like MAC= ....this means there is no value for that variable. (this makes since when you consider that ppp0 is a "virtual device") . You can use these logs to help you form new rules, such as if a packet is being dropped that you want to let through. You just use the -s switch for source, --dport for destination port. Etc.


Please let me know if you run into any hitches. I have found that the /etc/init.d/iptables script doesn't seem to restore them properly (they seem to set their own "pre-rules"). It also insists on starting before net.ppp0, which screws everything up. I'm working on revising the scripts, but for now just manually run the script after boot up......


Please let me know if you have any errors and remember to put specific error output in post.


*NOTE* I have CUPS up and working well.....it put up a good fight though. NFS is next, which is proving to a bit more of a challenge due to dynamic port assignment by portmapper. There is a decent thread on the topic on the forums: search--> iptables NFS

If you absolutely, MUST have CUPS NOW, send me a pm and I'll send my updated script to you.

[krunk]

They look good to me. DROPl and REJECTl are the new chains being created. Only the last command (after -j on line 4 and should be the normal DROP / REJECT.

What errors do you get if you leave the lines like in the original?

Could you quote the line please?

My intention was to LOG every drop and reject.

[Andersson]

NFS is next, which is proving to a bit more of a challenge due to dynamic port assignment by portmapper. There is a decent thread on the topic on the forums: search--> iptables NFS

I was just going to point you to the nfs howto at tldp, but it seems to be the same advice as in the post here ( http://forums.gentoo.org/viewtopic.php?t=77748 ).

[Rug]

Thanks for posting this - it got me started on setting things up, and really helped me. One thing that you do want to mention though - this only works if you have a static IP from your ISP. I get a DHCP IP from the ISP, so I can't set fixed rules that use EXTIP. I could set them up so that any IP in the range given by the ISP would work, but then I need to trust the other home networks on the cable modem line - which I most definately don't want to do, since I know some of them are compromised. Anybody dealt with this? I'm still getting a feeling for iptables - does it have the ability to take as a parameter "whatever is the ip address currently assigned to interface X" ?

Thanks again for the guide!

[krunk]

Thanks for posting this - it got me started on setting things up, and really helped me. One thing that you do want to mention though - this only works if you have a static IP from your ISP. I get a DHCP IP from the ISP, so I can't set fixed rules that use EXTIP. I could set them up so that any IP in the range given by the ISP would work, but then I need to trust the other home networks on the cable modem line - which I most definately don't want to do, since I know some of them are compromised. Anybody dealt with this? I'm still getting a feeling for iptables - does it have the ability to take as a parameter "whatever is the ip address currently assigned to interface X" ?

Thanks again for the guide!

There are som other things you must add for dhcp...to free up the necessary ports I believe. But running the script after you have an ip *should* work if I'm not mistaken. The script greps all the ips from the interface at the beginning and the rules are based on that reading...someone please correct me if I'm wrong.

[jjasghar]

hey simply put what's the iptables command that opens a port?

Code: Select all

iptables -A INPUT -p tcp -m tcp --dport 3632 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3632 -j ACCEPT

????

i really would like distcc running, and also ssh from the outside and man i'm so lost.

[Andersson]

hey simply put what's the iptables command that opens a port?

Code: Select all

iptables -A INPUT -p tcp -m tcp --dport 3632 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3632 -j ACCEPT

You don't need the -m. Does distcc work if you open all ports?

...and also ssh from the outside...

ssh uses port 22, but you could use this, it's from the gentoo security guide I think.

Code: Select all

# Incoming traffic
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
# Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

# Outgoing traffic
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

# Apply the chains...
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out

[jjasghar]

hey simply put what's the iptables command that opens a port?

Code: Select all

iptables -A INPUT -p tcp -m tcp --dport 3632 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3632 -j ACCEPT

You don't need the -m. Does distcc work if you open all ports?

...and also ssh from the outside...

ssh uses port 22, but you could use this, it's from the gentoo security guide I think.

Code: Select all

# Incoming traffic
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
# Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

# Outgoing traffic
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

# Apply the chains...
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out

this is going to sound pathetic but how do i allow all traffic? i tried flushing all the connections and i lost my connections. i nmaped and it still showed everything closed. do you want to see my /etc/iptables.conf?

[icywolf]

I used that tutorial (with part 1) so thank you!

[Andersson]

this is going to sound pathetic but how do i allow all traffic? i tried flushing all the connections and i lost my connections. i nmaped and it still showed everything closed. do you want to see my /etc/iptables.conf?

You probably still have the default set to DROP. After you flush, try this:

Code: Select all

$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

If that doesn't work, post your config. By the way, you're not using a router do you? This firewall is on the same machine where you want distcc and ssh?

By the way, in this example and the one above, $IPTABLES=/sbin/iptables.

[jjasghar]

ok, this is my ideal setup is my router/home server run iptables this /etc/iptables.conf and allow incoming ssh, ftp, http, distcc on the private side

/etc/iptables.conf

Code: Select all

# Generated by iptables-save v1.2.9 on Sun Apr 18 13:57:12 2004
*filter
:INPUT DROP [100:14702]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:18340]
-A INPUT -m state --state RELATED -j ACCEPT 
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
COMMIT
# Completed on Sun Apr 18 13:57:12 2004
# Generated by iptables-save v1.2.9 on Sun Apr 18 13:57:12 2004
*nat
:PREROUTING ACCEPT [79:20611]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Sun Apr 18 13:57:12 2004
# Generated by iptables-save v1.2.9 on Sun Apr 18 13:57:12 2004
*mangle
:PREROUTING ACCEPT [269:42348]
:INPUT ACCEPT [269:42348]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:18340]
:POSTROUTING ACCEPT [219:18340]
COMMIT
# Completed on Sun Apr 18 13:57:12 2004

what does this all mean?!?
but i figure that i need to write a bash script to do this and i'm learning about it...slowly.

i'm reading a book called Linux Firewalls Second Edition by Robert L. Ziegler, horribly writen but informaitave.

[tdphys]

Ack ... Why would this not work?!
Here's the honest to goodness command line I entered and the opposing error message

Code: Select all

 iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name

Thanks

[Souperman]

What exactly is SOHO? You use that word a lot yet I haven't heard it before. Small Office, Home and Other networks perhaps? Anyway, I'm looking forward to the next part.

Small Office/Home Office.

[tdphys]

As per my previous post, there was a few things I missed compiling into my kernel, recompiling with the right options did the trick....

again...

[AltBuTT]

On my local network there's a Win XP (we don't always choose our roomate's OS) and my linux box is the gateway. I'm using samba to share files.

I try to set a good firewall. The script block ports 137:139 (netbios) that windows use to share network. It also appear that Win XP broadcast on the network.

Code: Select all

DROPl:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:40:f4:64:d9:c2:08:00 SRC=192.164.0.79 DST=192.164.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=63116 PROTO=UDP SPT=137 DPT=137 LEN=58

Is that a security hole if before blocking boradcast in the script I accept all connection from that user on ports 137:139 ?

Code: Select all

#Since USER is under Windows, he must access to netbios ports
$IPT -A INPUT -i $INTIF1 -s $USER -p tcp --dport 137:139 -j ACCEPT
$IPT -A INPUT -i $INTIF1 -s $USER -p udp --dport 137:139 -j ACCEPT

It seems to work but I don't no if its a good thing.
If not, is there a good way to do that ? (except throwing the XP box out)

[amanset]

If that doesn't work, post your config. By the way, you're not using a router do you? This firewall is on the same machine where you want distcc and ssh?

By the way, in this example and the one above, $IPTABLES=/sbin/iptables.

Sorry for asking, but I am having the same problem and those three lines you suggested didn't work for me. I am trying to let my NAT'd PCs have full net access. I have used this script, adapted from part one of the tutorial:

Code: Select all

 #!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='eth0'
INTIF1='eth1'


# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing HTTP Traffic"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD --protocol tcp --dport 80 -j ACCEPT

$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT



# block out all other Internet access on $EXTIF
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
#$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

Yet all that appears to work right now is port 80, the one I specifically stated as a test. I've obviously missed something out somewhere, I don't suppose you know what?

[lokelo]

Ok, just configured and modified the script to work with a single internal interface and an ethernet external interface and i'm getting an error with syncookies

Code: Select all

line 42: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory

what do i do to install this?

[Souperman]

You need to enable it in your kernel .config. I'm not sure exactly where it is, but if you 'make menuconfig' and drill down the networking options you should see it.

[Lepaca Kliffoth]

I was wondering if I can use this script. I've got a desktop connected to the internet through adsl and I want it to share the connection with a laptop. The laptop's conneted to my desktop with a cross-over cable. How should I modify the script?

[tomaw]

Any chance anyone has an example that will enforce a local transparent proxy? Just want to set a forced privoxy...

/edit

Also, it seems this stops spamd from working...?