[CLUE-Tech] DHCP server with firewall..

Jeremiah Stanley miah at miah.org
Fri Aug 3 12:40:43 MDT 2001


Hey all, I'm looking for some explanation of why what I'm doing here isn't
working. I'm trying to have my gateway/proxy server to my @Home cable
service act as a DHCP server to my internal network. I have two NICs (eth0
and eth1). I have dhcpd set up and working flawlessly, until I turn the
firewall on. I've included the script I'm using as reference and here is
the line that I think will open up the ports for DHCP to work on my
internal network only.

$IPTABLES -A INPUT -p udp -i $INT_IF -s 0/0 -d 0/0 --dport 67:68 -j ACCEPT

Which I read as "on the INPUT chain under the protocol udp on the internal
interface coming from any address and going to any address accept
connections and transmission on the ports 67 and 68". Let me know if I'm
doing something blatantly silly.

Thanks,
JStanley
-- 
If only sitting was required, all frogs would be Buddhas...

-------------- next part --------------
#!/bin/sh

#------------------------------------------------------------------------------
# IPtables Firewall Script - A Basic IP Firewall Script for 2.4.x Kernels
#
# Cobbled together by Dave "Sticks" Fitches - http://www.sticks.f2s.com/
# Project started 12th of May 2001 at some ungodly hour of the night
# Finished to a decent level of satisfaction.... ???
#
# Bits borrowed from BoingWorld - http://www.boingworld.com
# Thanks to RaverX - #linuxhelp @ oz.org for:
# - The 'echo' reports throughout the execution of the script
# - Adding syncookie protection, source address verification,
# and ICMP dead error message protection.
# - Help getting my logging working
# - advising about tcp-reset to thoroughly drop TCP packets
# and screw nmap users...
#
# But they claim absolutely NO responsibility for failures of this script...
# Come to think of it, neither do I! Use at your own risk!!
# That said, anything that does work, I'll take credit for!! :)
#
# Observant people will also recognise segments ripped from my old
# IPchains Firewall scripts... It's called recycling, and it's the
# ecologically sound thing to do... :D
#------------------------------------------------------------------------------

echo "[?] iptables.cable.firewall v.2.1 / 2001.05.16 by Sticks ..."

#------------------------------------------------------------------------------
# Change these to suit your own setup

echo -n " [.] Configuring Variables : "

# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32-bit IP address. The same as netmask 255.255.255.0

LAN_IP_RANGE="192.168.1.0/24" # LAN IP Subnet
LAN_IP="192.168.1.1/32" # LAN IP
LAN_BCAST_ADRESS="192.168.1.255/32" # Broadcast IP for LAN
LOCALHOST_IP="127.0.0.1/32" # LocalHost IP
EXT_IF="eth1" # External Interface
INT_IF="eth0" # Internal Interface
IPTABLES="/sbin/iptables" # Path for IPTables

# EXT_IP is used by me to allow myself to do anything to myself, might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now, but it's still
# enabled by default and will add some really nifty security bugs for all
# those who skip reading the documentation =)

# Your Static Internet address goes here...
EXT_IP="24.178.96.233/32"

# If you use PPP, SLIP or DHCP, then best to do Dynamic IP addressing.
# You need to make this ruleset understand your IP address every time you get a new IP.
# To do this, use the following one-line script.
# (Please note: The different single and double quote characters MATTER)
# I know there are probably easier ways to do this, but this works and looks fancy! :)
#EXT_IP="`ifconfig $EXT_IF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"

# Write the current IP to a file (a hold over from my dial-up days)
echo $EXT_IP > ~/my.ip

echo "Done!"

echo " [?] IPtables location : $IPTABLES"
echo " [?] External Interface : $EXT_IF"
echo " [?] External IP Address : $EXT_IP"
echo " [?] LAN Interface : $INT_IF"
echo " [?] LAN IP Address : $LAN_IP"

#------------------------------------------------------------------------------
# Clear all IPtable rules.

echo -n " [!] Clearing any prior IPtable rules ... "

# Reset the default policies in the filter table.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Flush all the rules in the filter and nat tables.
$IPTABLES -F
$IPTABLES -t nat -F


# Delete all non-default (user-defined) chains in the filter and nat tables.
$IPTABLES -X
$IPTABLES -t nat -X

echo "Done!"

#------------------------------------------------------------------------------
# Load all required IPtables modules
#
# For some reason I have problems with modprobe - probably my own stupidity,
# so I'll be using insmod to load what I need...
# In some instances, these modules may already be loaded by the kernel,
# We'll assume NOT though to allow for everything.

echo -n " [x] Load modules required for IRC/FTP Operation through NAT .. "

# Needed to initially load modules
/sbin/depmod -a

# I didn't like loading modules that way, let the kernel do it...

# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_LOG.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_REJECT.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/iptable_nat.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_ftp.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
# Optional module parameter for the line above: ports=1024,1025,1026,6666,6667,6668,6669,7000
/sbin/modprobe ip_conntrack_irc
# Optional module parameter for the line above: ports=1024,1025,1026,6666,6667,6668,6669,7000
/sbin/modprobe ip_conntrack_ftp

# Support for owner matching - I don't use it so it's remarked out,
# You might want to use it so I leave it here for reference.
# Owner Matching will allow only certain users to make certain connections...
#/sbin/modprobe ipt_owner

# Support for connection tracking of FTP and IRC.
# Important for allowing IRC DCC Sends to work as well as
# FTP Passive Transfers...
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
#/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000

echo "Done!"

#------------------------------------------------------------------------------

echo -n " [x] Setting up /proc/sys/net/ipv4 rules ... "

# CRITICAL: Enable IP forwarding, since it is disabled by default.
echo 1 > /proc/sys/net/ipv4/ip_forward

#Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 2 > $f
done
fi

#Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

#ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

# Dynamic IP users:
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

echo "Done!"

#------------------------------------------------------------------------------
# Set the default policies for the INPUT, FORWARD and OUTPUT chains
# As I've stated in previous ramblings, I use DROP (Formerly DENY in IPChains)
# because I don't want to make life EASY for crackers to h4x0r my b0x3n! :)

echo -n " [x] Drop everything while we establish the Firewall Policies ... "

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

echo "Done!"

#------------------------------------------------------------------------------
# Create separate chains for ICMP, TCP and UDP to traverse

echo " [x] Defining separate chains for :"

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#------------------------------------------------------------------------------
# Allowed ICMP Types

echo -n " - ICMP ... "

# Allow Echo Replies - Lets us ping people and get ping replies.
# Without allowing this, pings are pretty useless :)
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

# Allow Destination Unreachable messages to reach us.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT

# Allow Redirects - Lets your system be told when a shorter route
# to a destination is available.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT

# This allows Time Exceeded ICMP packets. Without this TraceRoute will NOT work.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# NOTE: icmp-type 8 is Ping Request. I'm NOT allowing this! This will result in
# people being UNABLE to ping me via normal means. (Won't affect IRC Pings)
# If I WAS going to allow them, I'd use THIS line...
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

echo "Done!"

#------------------------------------------------------------------------------
# The allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established, we ACCEPT the packets; if not, we kill it. This is
# also where the state matching is performed: we allow ESTABLISHED and
# RELATED packets.

echo -n " - TCP ... "

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Here is where stuff that is AIMED at the allowed ports, but isn't part
# of an established or related connection, gets logged and killed.
# Note: We use 'REJECT --reject-with tcp-reset' to defeat nmap users!
$IPTABLES -A allowed -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
$IPTABLES -A allowed -p TCP -j REJECT --reject-with tcp-reset

#------------------------------------------------------------------------------
# Allowed TCP ports
# Defining allowed Ports
#
# This is where we tell the firewall what ports we'll allow inbound connections on.
# As I don't want to run any servers on my machine, except for identd (maybe) I
# won't allow the other connections. You might want to, so I leave them here for
# reference purposes.

echo -n "TCP Allowed Ports ... "

# This is for FTP Connections
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed

# This is for SSH (Secure Shell) Connections
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed

# This is for HTTP (WWW Server) Connections
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

# This is for Identd and can't be blocked or IRC won't work!!
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

echo "Done!"

#------------------------------------------------------------------------------
# Allowed UDP ports
# Defining "udpincoming_packets"

echo -n " - UDP Allowed Incoming Ports ... "

# This, of course, is for DNS lookups. Kind of Essential.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT

# This is for the NTP protocol - So I can set the time from an accurate
# remote source using ntpd.
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT

# This is for a lot of Streaming Media and Audio/Video Conferencing Programs
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT

# This is required to allow ICQ to work.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

echo "Done!"

#------------------------------------------------------------------------------
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's

echo -n " [x] Define PreRouting Chain ... "

# DROPs anything coming IN from the net using the 192.168.* IP addresses
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP

# I've remarked this as my cable modem and O at H utilise these IPs... Idiots!
# Otherwise it would DROP anything coming from the net using the 10.* IP addresses
#$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP

# DROPs anything coming in from the net using the 172.16.* IP addresses
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP

# DROPs anything coming in from the LAN using an IP which is NOT part of the internal network
# $IPTABLES -t nat -A PREROUTING -i $INT_IF -s ! $LAN_IP_RANGE -j DROP

echo "Done!"

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# INPUT chain
#
# Here we establish the basic INPUT chain and filter the packets
# onto the correct chains. This points to all the rules we've
# defined above. This is the heart of the firewall...

echo -n " [x] Define Input Chain ... "

# If the incoming packet from the Internet is an ICMP packet,
# check it against the rules defined in 'icmp_packets'
$IPTABLES -A INPUT -p ICMP -i $EXT_IF -j icmp_packets

# If the incoming packet from the Internet is a TCP packet,
# check it against the rules defined in 'tcp_packets'
$IPTABLES -A INPUT -p TCP -i $EXT_IF -j tcp_packets

# If the incoming packet from the Internet is a UDP packet,
# check it against the rules defined in 'udpincoming_packets'
$IPTABLES -A INPUT -p UDP -i $EXT_IF -j udpincoming_packets

# Anything that makes it through THOSE checks, then gets checked
# against these rules...

# Allow anything from the LAN to the LAN Broadcast address
$IPTABLES -A INPUT -p ALL -i $INT_IF -d $LAN_BCAST_ADRESS -j ACCEPT

# Allow DHCP internally... Ports 67 & 68 from anywhere to anywhere.
# Client DISCOVER/REQUEST broadcasts arrive from 0.0.0.0 to 255.255.255.255
# (source port 68, destination port 67), which -s 0/0 -d 0/0 covers.
$IPTABLES -A INPUT -p udp -i $INT_IF -s 0/0 -d 0/0 --dport 67:68 -j ACCEPT

# Allow anything from anywhere to the localhost (127.0.0.1)
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT

# Allow anything inbound to the Internal IP for the server
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT

# Allow anything destined for the server internet IP that is ESTABLISHED and RELATED from any other connection.
$IPTABLES -A INPUT -p ALL -d $EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Done!"

# Filter out all the bullshit stuff received from Optus at Home
# This is mainly to kill them from appearing in the logs as
# they get dropped later anyway.

echo -n " [x] Filter Bullshit packets from Optus at Home ... "

# Drop before logging - Multicast Packets
$IPTABLES -A INPUT -i $EXT_IF -s 10.201.218.1 -d 224.0.0.1 -j DROP

echo "Done!"

# Log any input packets that make it this far (i.e. they don't make it through
# the firewall: they get logged, then the default policy of DROP is applied).

echo -n " [*] Initiate Logging for failed inbound packets ... "

# This sets limits on the logging. No matched event will be logged more
# than 3 times in a minute. This stops your log being filled up if someone floods you...
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "

# DROP TCP packets thoroughly - NMap will NOT see these as 'filtered'
$IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 -d 0/0 -j REJECT --reject-with tcp-reset

# DROP everything else arriving on the external interface. (The default
# policy would drop it anyway, but this makes it explicit.)
$IPTABLES -A INPUT -i $EXT_IF -s 0/0 -d 0/0 -j DROP

echo "Done!"

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# OUTPUT chain
#
# Here we establish the basic OUTPUT chain.

echo -n " [x] Define OUTPUT chain ... "

# Allow anything to go out from the localhost IP
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT

# Allow anything to go out from the LAN address
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

# Allow anything to go out from the net address
$IPTABLES -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT

# Log any output packets that make it this far (i.e. they don't make it through
# the firewall: they get logged, then the default policy of DROP is applied).
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "

echo "Done!"

#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# FORWARD chain
#
# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the LAN
# runs on eth1 and the Internet is on eth0. At least, that's how MINE works...
#
# The rules use $INT_IF and $EXT_IF as set at the top of this script, so
# change those to match your own setup...

echo -n " [x] Enable IP FORWARDing and Masquerading/NAT ... "

# Allow NAT/Masquerading
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# Allow anything from the LAN to anywhere
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow everything in a state ESTABLISHED or RELATED from anywhere
$IPTABLES -A FORWARD -p ALL -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log any forwarded packets that make it this far (i.e. they don't make it through
# the firewall: they get logged, then the default policy of DROP is applied).
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "

echo "Done!"

#------------------------------------------------------------------------------

echo "[!] Firewall in place - Operation Completed!"
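Added example, not from the original post or from Sticks' script: a small POSIX shell helper that reads syslog lines written by the script's LOG rules (all three chains use the same "Netfilter: " prefix) and reports each logged DHCP packet together with the chain it fell off, inferred from the IN=/OUT= fields that ipt_LOG prints. The sample log lines are constructed, and 192.0.2.1 is a placeholder for an upstream DHCP server.

```shell
#!/bin/sh
# Added example, not part of the original post or of Sticks' script.
# Every LOG rule in the script uses the same "Netfilter: " prefix, so the only
# way to tell an INPUT drop from an OUTPUT or FORWARD drop in syslog is the
# IN=/OUT= pair that ipt_LOG prints. This helper pulls DHCP traffic (UDP 67/68)
# out of such lines and names the chain for each one.

# Constructed sample in the ipt_LOG line format; not captured output.
# 192.0.2.1 is a placeholder for an upstream DHCP server.
SAMPLE_LOG='Aug  3 12:41:02 gw kernel: Netfilter: IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Aug  3 12:41:02 gw kernel: Netfilter: IN= OUT=eth1 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Aug  3 12:41:05 gw kernel: Netfilter: IN=eth1 OUT= SRC=192.0.2.1 DST=24.178.96.233 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=80 DPT=1234
Aug  3 12:41:09 gw kernel: Netfilter: IN=eth1 OUT= SRC=192.0.2.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=67 DPT=68 LEN=308'

# Read log text on stdin; print "CHAIN IFACE SRC:SPT -> DST:DPT" per DHCP line.
dhcp_drops() {
    awk '
    /Netfilter: / && /PROTO=UDP/ {
        in_if = ""; out_if = ""; src = ""; dst = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")  in_if = kv[2]
            if (kv[1] == "OUT") out_if = kv[2]
            if (kv[1] == "SRC") src = kv[2]
            if (kv[1] == "DST") dst = kv[2]
            if (kv[1] == "SPT") spt = kv[2]
            if (kv[1] == "DPT") dpt = kv[2]
        }
        if (spt != "67" && spt != "68" && dpt != "67" && dpt != "68") next
        # INPUT logs IN= only, OUTPUT logs OUT= only, FORWARD logs both.
        if (in_if != "" && out_if != "") chain = "FORWARD"
        else if (in_if != "")            chain = "INPUT"
        else                             chain = "OUTPUT"
        iface = (in_if != "") ? in_if : out_if
        printf "%s %s %s:%s -> %s:%s\n", chain, iface, src, spt, dst, dpt
    }'
}

# Number of logged DHCP packets, as a plain integer.
count_dhcp_drops() { dhcp_drops | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_LOG" | dhcp_drops
```

On the gateway, run it as `grep 'Netfilter: ' /var/log/messages | dhcp_drops`; an INPUT line for eth0 with destination port 67 means the packet reached the LOG rule, so the earlier INT_IF DHCP ACCEPT did not match it. The LOG rules are limited to 3 matches a minute, so the counts are a floor, not a total.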


