[CLUE-Tech] DHCP server with firewall..

Brandon N bneill at yahoo.com
Fri Aug 3 20:56:40 MDT 2001


Just out of curiosity, why are you blocking any ports internally?

For the record, I use gShield (see freshmeat) for configuring iptables.
It has a simple configuration, and seems very robust so far.

Brandon
--- Jeremiah Stanley <miah at miah.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hey all, I'm looking for some explanation of why what I'm doing here isn't
> working. I'm trying to have my gateway/proxy server to my @Home cable
> service act as a DHCP server to my internal network. I have two NICs (eth0
> and eth1). I have dhcpd set up and working flawlessly, until I turn the
> firewall on. I've included the script I'm using as reference, and here is
> the line that I think will open up the ports for DHCP to work on my
> internal network only.
> 
> $IPTABLES -A INPUT -p udp -i $INT_IF -s 0/0 -d 0/0 --dport 67:68 -j ACCEPT
> 
> Which I read as "on the INPUT chain, under the protocol udp, on the internal
> interface, coming from any address and going to any address, accept
> connections and transmission on the ports 67 and 68". Let me know if I'm
> doing something blatantly silly.
> 
> Thanks,
> JStanley
> - -- 
> If only sitting was required, all frogs would be Buddhas...
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE7avAvAd8Nj1SHkdcRAo24AJ9bb75yAiAojqh+QcIZOxXYBndqYACfYeK+
> Sh4n9ekwhm+4MP4gjyegDuk=
> =KWUG
> -----END PGP SIGNATURE-----
> #!/bin/sh
> 
> #------------------------------------------------------------------------------
> # IPtables Firewall Script - A Basic IP Firewall Script for 2.4.x Kernels
> #
> # Cobbled together by Dave "Sticks" Fitches - http://www.sticks.f2s.com/
> # Project started 12th of May 2001 at some ungodly hour of the night
> # Finished to a decent level of satisfaction.... ???
> #
> # Bits borrowed from BoingWorld - http://www.boingworld.com
> # Thanks to RaverX - #linuxhelp @ oz.org for:
> # - The 'echo' reports throughout the execution of the script
> # - Adding syncookie protection, source address verification,
> # and ICMP dead error message protection.
> # - Help getting my logging working
> # - advising about tcp-reset to thoroughly drop TCP packets
> # and screw nmap users...
> #
> # But they claim absolutely NO responsibility for failures of this script...
> # Come to think of it, neither do I! Use at your own risk!!
> # That said, anything that does work, I'll take credit for!! :)
> #
> # Observant people will also recognise segments ripped from my old
> # IPchains Firewall scripts... It's called recycling, and it's the
> # ecologically sound thing to do... :D
> #------------------------------------------------------------------------------
> 
> echo "[?] iptables.cable.firewall v.2.1 / 2001.05.16 by Sticks ..."
> 
> #------------------------------------------------------------------------------
> # Change these to suit your own setup
> 
> echo -n " [.] Configuring Variables : "
> 
> # Your LAN's IP range and localhost IP. /24 means to only use the first 24
> # bits of the 32 bit IP address, the same as netmask 255.255.255.0
> 
> LAN_IP_RANGE="192.168.1.0/24" # LAN IP Subnet
> LAN_IP="192.168.1.1/32" # LAN IP
> LAN_BCAST_ADRESS="192.168.1.255/32" # Broadcast IP for LAN
> LOCALHOST_IP="127.0.0.1/32" # LocalHost IP
> EXT_IF="eth1" # External Interface
> INT_IF="eth0" # Internal Interface
> IPTABLES="/sbin/iptables" # Path for IPTables
> 
> # EXT_IP is used by me to allow myself to do anything to myself, might
> # be a security risk but sometimes I want this. If you don't have a static
> # IP, I suggest not using this option at all for now but it's still
> # enabled per default and will add some really nifty security bugs for all
> # those who skip reading the documentation=)
> 
> # Your Static Internet address goes here...
> EXT_IP="24.178.96.233/32"
> 
> # If you use PPP, SLIP or DHCP, then best to do Dynamic IP addressing.
> # You need to make this ruleset understand your IP address every time you
> # get a new IP. To do this, use the following one-line script.
> # (Please note: The different single and double quote characters MATTER)
> # I know there are probably easier ways to do this, but this works and
> # looks fancy! :)
> #EXT_IP="`ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"
> 
> # Write the current IP to a file (a hold over from my dial-up days)
> echo $EXT_IP > ~/my.ip
> 
> echo "Done!"
> 
> echo " [?] IPtables location : $IPTABLES"
> echo " [?] External Interface : $EXT_IF"
> echo " [?] External IP Address : $EXT_IP"
> echo " [?] LAN Interface : $INT_IF"
> echo " [?] LAN IP Address : $LAN_IP"
> 
> #------------------------------------------------------------------------------
> # Clear all IPtable rules.
> 
> echo -n " [!] Clearing any prior IPtable rules ... "
> 
> # Reset the default policies in the filter table.
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> 
> # Reset the default policies in the nat table.
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
> 
> # Flush all the rules in the filter and nat tables.
> $IPTABLES -F
> $IPTABLES -t nat -F
> 
> 
> # Erase all chains that's not default in filter and nat table.
> $IPTABLES -X
> $IPTABLES -t nat -X
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> # Load all required IPtables modules
> #
> # For some reason I have problems with modprobe - probably my own stupidity,
> # so I'll be using insmod to load what I need...
> # In some instances, these modules may already be loaded by the kernel,
> # We'll assume NOT though to allow for everything.
> 
> echo -n " [x] Load modules required for IRC/FTP Operation through NAT .. "
> 
> # Needed to initially load modules
> /sbin/depmod -a
> 
> # I didn't like loading modules that way, let the kernel do it...
> 
> # Adds some iptables targets like LOG, REJECT and MASQUERADE.
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_LOG.o
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_REJECT.o
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/iptable_nat.o
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_ftp.o
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_nat_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000
> 
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_MASQUERADE
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_nat_irc #ports=1024,1025,1026,6666,6667,6668,6669,7000
> /sbin/modprobe ip_conntrack_irc #ports=1024,1025,1026,6666,6667,6668,6669,7000
> /sbin/modprobe ip_conntrack_ftp
> 
> # Support for owner matching - I don't use it so it's remarked out,
> # You might want to use it so I leave it here for reference.
> # Owner Matching will allow only certain users to make certain connections...
> #/sbin/modprobe ipt_owner
> 
> # Support for connection tracking of FTP and IRC.
> # Important for allowing IRC DCC Sends to work as well as
> # FTP Passive Transfers...
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
> #/sbin/insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ports=1024,1025,1026,6666,6667,6668,6669,7000
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> 
> echo -n " [x] Setting up /proc/sys/net/ipv4 rules ... "
> 
> #CRITICAL: Enable IP forwarding since it is disabled by default.
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> #Turn on source address verification in kernel
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> then
> for f in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 2 > $f
> done
> fi
> 
> #Turn on syn cookies protection in kernel
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
> then
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> fi
> 
> #ICMP Dead Error Messages protection
> if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
> then
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> fi
> 
> # Dynamic IP users:
> # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
> # option. This enables dynamic-ip address hacking in IP MASQ, making the
> # connection with Diald and similar programs much easier.
> if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
> then
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> fi
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> # Set the default policies for the INPUT, FORWARD and OUTPUT chains
> # As I've stated in previous ramblings, I use DROP (Formerly DENY in IPChains)
> # because I don't want to make life EASY for crackers to h4x0r my b0x3n! :)
> 
> echo -n " [x] Drop everything while we establish the Firewall Policies ... "
> 
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> # Create separate chains for ICMP, TCP and UDP to traverse
> 
> echo " [x] Defining separate chains for :"
> 
> $IPTABLES -N icmp_packets
> $IPTABLES -N tcp_packets
> $IPTABLES -N udpincoming_packets
> 
> #------------------------------------------------------------------------------
> # Allowed ICMP Types
> 
> echo -n " - ICMP ... "
> 
> # Allow Echo Replies - Lets us ping people and get ping replies.
> # Without allowing this, pings are pretty useless :)
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
> 
> # Allow Destination Unreachable messages to reach us.
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
> 
> # Allow Redirects - Lets your system be told when a shorter route
> # to a destination is available.
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
> 
> # This allows Time Exceeded ICMP packets. Without this TraceRoute will NOT work.
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> 
> # NOTE: icmp-type 8 is Ping Request. I'm NOT allowing this! This will result in
> # people being UNABLE to ping me via normal means. (Won't affect IRC Pings)
> # If I WAS going to allow them, I'd use THIS line...
> # $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> # The allowed chain for TCP connections
> #
> # This chain will be utilised if someone tries to connect to an allowed
> # port from the internet. If they are opening the connection, or if it's
> # already established we ACCEPT the packets, if not we kill it. This is
> # where the state matching is performed also, we allow ESTABLISHED and
> # RELATED packets.
> 
> echo -n " - TCP ... "
> 
> $IPTABLES -N allowed
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Here is where stuff that is AIMED at the allowed ports, but isn't part
> # of an established or related connection gets logged and killed.
> # Note: We use 'REJECT --reject-with tcp-reset' to defeat nmap users!
> $IPTABLES -A allowed -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
> $IPTABLES -A allowed -p TCP -j REJECT --reject-with tcp-reset
> 
> #------------------------------------------------------------------------------
> # Allowed TCP ports
> # Defining allowed Ports
> #
> # This is where we tell the firewall what ports we'll allow inbound
> # connections on.
> # As I don't want to run any servers on my machine, except for identd
> # (maybe) I won't allow the other connections. You might want to, so I
> # leave them here for reference purposes.
> 
> echo -n "TCP Allowed Ports ... "
> 
> # This is for FTP Connections
> # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
> 
> # This is for SSH (Secure Shell) Connections
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
> 
> # This is for HTTP (WWW Server) Connections
> # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
> 
> # This is for Identd and can't be blocked or IRC won't work!!
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> # Allowed UDP ports
> # Defining "udpincoming_packets"
> 
> echo -n " - UDP Allowed Incoming Ports ... "
> 
> # Caveat: these rules trust the *source* port, which any remote host can
> # choose, so they open every local UDP port to packets sent from port 53,
> # 2074 or 4000. The '-m state --state ESTABLISHED,RELATED' rule later in
> # INPUT already accepts genuine replies to queries this box sent out.
> 
> # This, of course, is for DNS lookups. Kind of Essential.
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
> 
> # This is for the NTP protocol - So I can set the time from an accurate
> # remote source using ntpd.
> #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
> 
> # This is for a lot of Streaming Media and Audio/Video Conferencing Programs
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
> 
> # This is required to allow ICQ to work.
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> # PREROUTING chain.
> #
> # Do some checks for obviously spoofed IP's
> # (Caveat: the nat table is only traversed by the first packet of each
> # connection and exists for address translation; anti-spoof DROPs are
> # conventionally put in the filter table's INPUT/FORWARD chains, which
> # every packet passes through.)
> 
> echo -n " [x] Define PreRouting Chain ... "
> 
> # DROPs anything coming IN from the net using the 192.168.* IP addresses
> $IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP
> 
> # I've remarked this as my cable modem and O@H utilise these IPs... Idiots!
> # Otherwise it would DROP anything coming from the net using the 10.* IP addresses
> #$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP
> 
> # DROPs anything coming in from the net using the 172.16.* IP addresses
> $IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP
> 
> # DROPs anything coming in from the LAN using an IP which is NOT part of the internal network
> # $IPTABLES -t nat -A PREROUTING -i $INT_IF -s ! $LAN_IP_RANGE -j DROP
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> #------------------------------------------------------------------------------
> # INPUT chain
> #
> # Here we establish the basic INPUT chain and filter the packets
> # onto the correct chains. This points to all the rules we've
> # defined above. This is the heart of the firewall...
> 
> echo -n " [x] Define Input Chain ... "
> 
> # If the incoming packet from the Internet is an ICMP packet,
> # check it against the rules defined in 'icmp_packets'
> $IPTABLES -A INPUT -p ICMP -i $EXT_IF -j icmp_packets
> 
> # If the incoming packet from the Internet is a TCP packet,
> # check it against the rules defined in 'tcp_packets'
> $IPTABLES -A INPUT -p TCP -i $EXT_IF -j tcp_packets
> 
> # If the incoming packet from the Internet is a UDP packet,
> # check it against the rules defined in 'udpincoming_packets'
> $IPTABLES -A INPUT -p UDP -i $EXT_IF -j udpincoming_packets
> 
> # Anything that makes it through THOSE checks, then gets checked
> # against these rules...
> 
> # Allow anything from the LAN to the LAN Broadcast address
> $IPTABLES -A INPUT -p ALL -i $INT_IF -d $LAN_BCAST_ADRESS -j ACCEPT
> 
> # Allow DHCP internally... Ports 67 & 68 from anywhere to anywhere
> $IPTABLES -A INPUT -p udp -i $INT_IF -s 0/0 -d 0/0 --dport 67:68 -j ACCEPT
> 
> # Allow anything from anywhere to the localhost (127.0.0.1)
> $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
> 
> # Allow anything inbound to the Internal IP for the server
> $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
> 
> # Allow anything destined for the server internet IP that is
> # ESTABLISHED and RELATED from any other connection.
> $IPTABLES -A INPUT -p ALL -d $EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> echo "Done!"
> 
> # Filter out all the bullshit stuff received from Optus@Home
> # This is mainly to kill them from appearing in the logs as
> # they get dropped later anyway.
> 
> echo -n " [x] Filter Bullshit packets from Optus@Home ... "
> 
> # Drop before logging - Multicast Packets
> $IPTABLES -A INPUT -i $EXT_IF -s 10.201.218.1 -d 224.0.0.1 -j DROP
> 
> echo "Done!"
> 
> # Log any input packets that make it this far. (ie; don't make it through
> # the firewall, coz they get logged then the default policy of DROP is applied)
> 
> echo -n " [*] Initiate Logging for failed inbound packets ... "
> 
> # This sets limits on the logging: at most 3 entries per minute (after an
> # initial burst of 3), regardless of source. This stops your log being
> # filled up if someone floods you...
> $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
> 
> # DROP TCP packets thoroughly - NMap will NOT see these as 'filtered'
> $IPTABLES -A INPUT -i $EXT_IF -p tcp -s 0/0 -d 0/0 -j REJECT --reject-with tcp-reset
> 
> # DROP UDP packets. (Not really needed, but included anyway)
> $IPTABLES -A INPUT -i $EXT_IF -s 0/0 -d 0/0 -j DROP
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> #------------------------------------------------------------------------------
> # OUTPUT chain
> #
> # Here we establish the basic OUTPUT chain.
> 
> echo -n " [x] Define OUTPUT chain ... "
> 
> # Allow anything to go out from the localhost IP
> $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
> 
> # Allow anything to go out from the LAN address
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> 
> # Allow anything to go out from the net address
> $IPTABLES -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT
> 
> # Log any output packets that make it this far. (ie; don't make it through
> # the firewall, coz they get logged then the default policy of DROP is applied)
> $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> #------------------------------------------------------------------------------
> # FORWARD chain
> #
> # Enable simple IP FORWARDing and Masquerading
> #
> # NOTE: The following is an example for an internal LAN, where the LAN
> # runs on eth1, and the Internet is on eth0. At least, that's how MINE works...
> #
> # Change this to match your own setup...
> 
> echo -n " [x] Enable IP FORWARDing and Masquerading/NAT ... "
> 
> # Allow NAT/Masquerading
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
> 
> # Allow anything from the LAN to anywhere
> $IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
> 
> # Allow everything in a state ESTABLISHED or RELATED from anywhere
> $IPTABLES -A FORWARD -p ALL -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Log any forwarded packets that make it this far. (ie; don't make it through
> # the firewall, coz they get logged then the default policy of DROP is applied)
> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "Netfilter: "
> 
> echo "Done!"
> 
> #------------------------------------------------------------------------------
> 
> echo "[!] Firewall in place - Operation Completed!"
> 
> 

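The question in the quoted message is whether that one INPUT rule is enough for DHCP. One way to check before touching a live box is to trace the packets of a DHCP exchange through the script's INPUT and OUTPUT rules in the order they are appended. The block below is an added example, not code from the original post or from the quoted script: it is a tiny first-match model of the iptables filter table (LOG is non-terminating, a user chain with no terminating match returns to the caller, there is no nat table, and connection state is just a tag on the packet). The addresses, interface names and rule order come from the script; the packets, the 203.0.113.7 "outside" source and the rule labels are constructed here.

```python
"""Trace DHCP packets through the quoted script's INPUT/OUTPUT rules.
Added example, not the poster's code.  First-match model of the filter
table: LOG matches but continues, a user chain with no terminating match
RETURNs, the chain policy (DROP in the script) decides otherwise."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INT_IF, EXT_IF = "eth0", "eth1"                       # from the script
LAN_IP, LAN_BCAST, EXT_IP = "192.168.1.1", "192.168.1.255", "24.178.96.233"


@dataclass
class Pkt:
    iface: str            # -i on INPUT, -o on OUTPUT
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"    # what the script's '-m state' would see


@dataclass
class Rule:
    target: object        # "ACCEPT"/"DROP"/"REJECT"/"LOG" or a user chain (list)
    name: str             # label for the trace (constructed, not from the script)
    iface: str = None
    proto: str = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sports: range = None
    dports: range = None
    states: set = None

    def matches(self, p):
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sports is None or p.sport in self.sports)
                and (self.dports is None or p.dport in self.dports)
                and (self.states is None or p.state in self.states))


def walk(chain, p):
    """First terminating rule that matches, or None (= RETURN to caller)."""
    for r in chain:
        if not r.matches(p):
            continue
        if isinstance(r.target, list):        # -j user_chain
            hit = walk(r.target, p)
            if hit is not None:
                return hit
        elif r.target != "LOG":               # LOG logs and keeps going
            return r
    return None


def verdict(chain, p, policy="DROP"):
    hit = walk(chain, p)
    return (hit.target, hit.name) if hit else (policy, "chain policy")


# The script's INPUT chain in order.  The icmp_packets/tcp_packets user
# chains are left out: DHCP is UDP and never reaches them.
UDP_IN = [Rule("ACCEPT", "udp sport 53", proto="udp", sports=range(53, 54)),
          Rule("ACCEPT", "udp sport 2074", proto="udp", sports=range(2074, 2075)),
          Rule("ACCEPT", "udp sport 4000", proto="udp", sports=range(4000, 4001))]
INPUT = [
    Rule(UDP_IN, "udpincoming_packets", iface=EXT_IF, proto="udp"),
    Rule("ACCEPT", "LAN to LAN broadcast", iface=INT_IF, dst=LAN_BCAST + "/32"),
    Rule("ACCEPT", "DHCP dport 67:68 on INT_IF", iface=INT_IF, proto="udp",
         dports=range(67, 69)),
    Rule("ACCEPT", "to localhost", dst="127.0.0.1/32"),
    Rule("ACCEPT", "to LAN_IP", dst=LAN_IP + "/32"),
    Rule("ACCEPT", "to EXT_IP established", dst=EXT_IP + "/32",
         states={"ESTABLISHED", "RELATED"}),
    Rule("LOG", "log Netfilter:"),
    Rule("REJECT", "tcp-reset on EXT_IF", iface=EXT_IF, proto="tcp"),
    Rule("DROP", "drop on EXT_IF", iface=EXT_IF),
]
OUTPUT = [Rule("ACCEPT", "from localhost", src="127.0.0.1/32"),
          Rule("ACCEPT", "from LAN_IP", src=LAN_IP + "/32"),
          Rule("ACCEPT", "from EXT_IP", src=EXT_IP + "/32"),
          Rule("LOG", "log Netfilter:")]

# Constructed packets: a client's broadcast DHCPDISCOVER, the server's
# broadcast DHCPOFFER, a unicast renewal, and a DISCOVER from the cable side.
DISCOVER = Pkt(INT_IF, "udp", "0.0.0.0", "255.255.255.255", 68, 67)
OFFER = Pkt(INT_IF, "udp", LAN_IP, "255.255.255.255", 67, 68)
RENEW = Pkt(INT_IF, "udp", "192.168.1.50", LAN_IP, 68, 67)
OUTSIDE = Pkt(EXT_IF, "udp", "203.0.113.7", "255.255.255.255", 68, 67)


def trace():
    return {"discover in": verdict(INPUT, DISCOVER),
            "offer out": verdict(OUTPUT, OFFER),
            "renew in": verdict(INPUT, RENEW),
            "outside in": verdict(INPUT, OUTSIDE)}


if __name__ == "__main__":
    for name, (v, rule) in trace().items():
        print(f"{name:12s} -> {v:7s} by '{rule}'")
```

The trace shows the limited broadcast 255.255.255.255 is not caught by the `-d $LAN_BCAST_ADRESS` rule (that only matches 192.168.1.255), so the `--dport 67:68` rule is what lets DISCOVER/REQUEST in, the `-s $LAN_IP` OUTPUT rule lets the OFFER/ACK out, and the same DISCOVER arriving on the external interface falls through to the logged DROP. If the filter rules accept the exchange on paper but dhcpd still fails with the firewall up, the script's `LOG --log-prefix "Netfilter: "` rules sit just before the DROP policy, so any packet that really is being dropped shows up in syslog as a `Netfilter:` line with `PROTO=UDP` and `DPT=67` or `DPT=68`, and `iptables -L INPUT -v -n` shows which rule's counters move.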



