[CLUE-Tech] Firewall

Dave Anselmi anselmi at americanisp.net
Fri Feb 22 19:09:21 MST 2002


I don't usually answer these kinds of posts.  I can't tell you how to improve
your script until you tell me what it's supposed to do (formally, what security
policy it is supposed to implement).  Of course it is very rare to find a system
where the security policy was written before (or even in conjunction with) the
implementation.

But this script is short, so a few things come to mind.

Chris wrote:

> Hey guys I was wondering if you could help me out.  I'm trying to set up a
> firewall for the first time.  Just something simple.  Here is what I have so
> far.
>
> ============================================================================
> /sbin/modprobe iptable_nat
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> ============================================================================

Your block chain implies that you want very similar policy for this box
(firewall) and all your internal machines.  You might consider locking down the
firewall more than the others.

IIRC, these rules are processed in order, so all your FORWARD rules after the
first are irrelevant (because the block chain drops everything before any other
rules run).  I could be wrong about this.

The limit rules didn't make much sense to me when I read the HOWTO.  But my
guess is that you'll never notice whether they work or not unless you're running
a sniffer, too.


> Does everything look ok so far?
>
> With this set up, I am unable to ssh to my machine from work.  How can I
> allow certain IPs to connect, and how can I let certain services pass
> through.  I want to let two IPs pass connect.

Well, of course you can't ssh.  There's no rule to accept incoming ssh
connections.  Think about whether these connections should go to the firewall or
to internal machines.  Then write the appropriate accept rule and put it before
(or in) your block chain.


> Also say if I want to make a change to the entry for nat.  How do I reload it
> without having to reboot?

Rebooting has nothing to do with it.  These are just some commands that get
run.  Changing what you have is simply a matter of running more commands.  If
you mean you want to change the script and then run the script to cause the
changes, there are two ways I've seen it done:

- Write the script so it clears out everything at the beginning.  This script
assumes that all the tables are empty when it starts.

- Write the script so you can pass in start and stop parameters.  Start does
what you have already, stop undoes it.

In either case, think about the state of your interfaces when you turn your
rules off.  Do you want them wide open, or turned off?

Dave
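A worked version of the two pieces of advice above (an accept rule for ssh from named hosts placed ahead of the block chain, and a script that flushes first and takes start/stop parameters), added here as an example; it is not from Dave's or Chris's post. It assumes eth0 is the external interface and uses 192.0.2.10 and 192.0.2.20 (documentation addresses) as the admin hosts; both are assumptions, as is the IPT/PROC_FORWARD override that lets the script be dry-run with IPT=echo. It also moves the rate-limit rules ahead of the jump to block, since in the posted order they are never reached, but rewrites them as a limit-then-DROP chain: an ACCEPT-on-limit rule placed ahead of block would let a trickle of new connections in from eth0 to the internal machines.

```shell
#!/bin/sh
# Added example, not code from the original post. A start/stop version of
# Chris's script with three changes: it flushes first so it can be re-run
# without a reboot, it accepts ssh to the firewall from two admin hosts before
# the block chain drops everything else, and the rate limits are rewritten as
# a limit-then-DROP chain (accept-on-limit rules placed ahead of "block" would
# admit a trickle of new inbound connections from the outside).
# Assumed, not from the original: external interface eth0, admin hosts
# 192.0.2.10 and 192.0.2.20 (RFC 5737 documentation addresses).
# Set IPT=echo and PROC_FORWARD=/tmp/somefile to dry-run without root.

IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
ADMIN_HOSTS=${ADMIN_HOSTS:-"192.0.2.10 192.0.2.20"}
PROC_FORWARD=${PROC_FORWARD:-/proc/sys/net/ipv4/ip_forward}
STOP_POLICY=${STOP_POLICY:-DROP}   # what "stop" leaves behind: DROP or ACCEPT

set_forwarding() {
    echo "$1" > "$PROC_FORWARD"
}

fw_flush() {
    # Clear every table and user chain so the script never depends on
    # starting from empty tables (the original script assumed it did).
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

fw_start() {
    fw_flush
    # Default-deny for the firewall itself and for forwarded traffic; the
    # rules below only ever ACCEPT, so anything unmatched is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Shared policy chain: replies, and new connections not from the outside.
    $IPT -N block
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    $IPT -A block -j DROP

    # Flood control: RETURN while under the limit, DROP the excess. Jumping
    # here (instead of ACCEPTing on the limit) never bypasses "block". One
    # token bucket is shared by everything that jumps to this chain.
    $IPT -N flood
    $IPT -A flood -m limit --limit 1/s --limit-burst 5 -j RETURN
    $IPT -A flood -j DROP

    # INPUT: admin ssh from the allowed hosts must precede the jump to block.
    for h in $ADMIN_HOSTS; do
        $IPT -A INPUT -p tcp -s "$h" --dport 22 -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -j block

    # FORWARD: rate-limit SYNs and pings first, then apply the policy. In the
    # original order (block first) the limit rules were never reached.
    $IPT -A FORWARD -p tcp --syn -j flood
    $IPT -A FORWARD -p icmp --icmp-type echo-request -j flood
    $IPT -A FORWARD -j block

    set_forwarding 1
}

fw_stop() {
    # Undo start. Default is fail-closed (DROP), which also cuts off remote
    # ssh; run it from the console or set STOP_POLICY=ACCEPT for wide open.
    fw_flush
    $IPT -P INPUT "$STOP_POLICY"
    $IPT -P FORWARD "$STOP_POLICY"
    $IPT -P OUTPUT ACCEPT
    set_forwarding 0
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
esac
```

Run it as `sh firewall.sh start` (or `restart` after editing the nat line); `IPT=echo PROC_FORWARD=/tmp/fwd sh firewall.sh start` prints the exact rule sequence without touching the kernel, which is the quickest way to confirm that the ssh accept lines land before `-A INPUT -j block`. The stop default answers Dave's last question conservatively (turned off, not wide open), so do not run it over the ssh session you are trying to keep.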
