[CLUE-Tech] Firewall

Chris r0x0rman at yahoo.com
Sat Feb 23 10:42:58 MST 2002


It's just an extremely basic firewall.  I'm setting it up for the first time
so I decided to block most everything and add stuff as needed.  I know the
script that I posted will block me when I try to ssh.  I tried to make this
change:

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

to

iptables -N block
iptables -A block -s ! workip -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

This allowed me to connect from work, but would not let machines on my LAN
at home get out.  Today I'm going to read the man pages and figure it out.
I found out how to flush chains with a command, but it did not seem to work
with the nat table.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I need to do some more research and then I can ask you guys some questions.
Here is what I want to do:

Let everything through that comes in on eth1 (my LAN).
Modify the script above so that only certain IPs can connect to certain
services through eth0.

-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us] On Behalf Of Dave Anselmi
Sent: Friday, February 22, 2002 7:09 PM
To: clue-tech at clue.denver.co.us
Subject: Re: [CLUE-Tech] Firewall


I don't usually answer these kinds of posts.  I can't tell you how to
improve your script until you tell me what it's supposed to do (formally,
what security policy it is supposed to implement).  Of course it is very
rare to find a system where the security policy was written before (or even
in conjunction with) the implementation.

But this script is short, so a few things come to mind.

Chris wrote:

> Hey guys I was wondering if you could help me out.  I'm trying to set up a
> firewall for the first time.  Just something simple.  Here is what I have
> so far.
>
>
> ============================================================================
> /sbin/modprobe iptable_nat
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>
> ============================================================================

Your block chain implies that you want very similar policy for this box
(firewall) and all your internal machines.  You might consider locking down
the firewall more than the others.

IIRC, these rules are processed in order, so all your FORWARD rules after
the first are irrelevant (because the block chain drops everything before
any other rules run).  I could be wrong about this.

The limit rules didn't make much sense to me when I read the HOWTO.  But my
guess is that you'll never notice whether they work or not unless you're
running a sniffer, too.


> Does everything look ok so far?
>
> With this set up, I am unable to ssh to my machine from work.  How can I
> allow certain IPs to connect, and how can I let certain services pass
> through?  I want to let two IPs connect.

Well, of course you can't ssh.  There's no rule to accept incoming ssh
connections.  Think about whether these connections should go to the
firewall or to internal machines.  Then write the appropriate accept rule
and put it before (or in) your block chain.


> Also say if i want to make a change to entry for nat.  How do I reload it
> without having to reboot?

Rebooting has nothing to do with it.  These are just some commands that get
run.  Changing what you have is simply a matter of running more commands.
If you mean you want to change the script and then run the script to cause
the changes, there are two ways I've seen it done:

- Write the script so it clears out everything at the beginning.  This
script assumes that all the tables are empty when it starts.

- Write the script so you can pass in start and stop parameters.  Start does
what you have already, stop undoes it.

In either case, think about the state of your interfaces when you turn your
rules off.  Do you want them wide open, or turned off?

Dave
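An added example script, not code from either message in this thread, that
ties together what Chris asked for at the top (let everything in on eth1, let
only chosen hosts reach a chosen service through eth0, and a flush that also
empties the nat table) with Dave's two suggestions (clear everything at the
start, and take start/stop parameters).  It assumes eth0 is the Internet
side, eth1 is the LAN on 192.168.1.0/24, that ssh on port 22 is the service
to expose, and uses two placeholder addresses from the documentation ranges
(203.0.113.10 and 198.51.100.20) for the trusted hosts; replace all of those
for a real box.  Two points it relies on: iptables -F without -t only
flushes the filter table, so the nat table (and the MASQUERADE rule) needs
its own -t nat -F, and rules are matched in order, so the ACCEPT rules come
first and the chain's default policy catches whatever is left, with no
separate block chain needed.

```shell
#!/bin/sh
# Added example (not code from the thread).  Assumed layout: eth0 faces the
# Internet, eth1 is the home LAN on 192.168.1.0/24, and the hosts allowed to
# open ssh to the firewall are placeholders from the documentation ranges.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
TRUSTED_SSH="203.0.113.10 198.51.100.20"

# Empty every table, not just filter: "iptables -F" on its own leaves the nat
# table untouched, which is why a plain flush looks like it fails for nat.
flush_all() {
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
        $IPTABLES -t "$t" -Z
    done
}

# Load the policy.  Rules are matched in order, so every ACCEPT sits before
# the chain's default DROP policy, which catches anything unmatched.
start() {
    flush_all
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # The firewall itself: loopback, everything arriving from the LAN, and
    # replies to connections it (or a trusted host) already opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN" -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the trusted hosts may open ssh to the firewall over eth0.
    for h in $TRUSTED_SSH; do
        $IPTABLES -A INPUT -i "$WAN" -p tcp -s "$h" --dport 22 \
            -m state --state NEW -j ACCEPT
    done

    # Forwarding: LAN hosts may open anything outbound, and only replies
    # come back.  Nothing new arriving on eth0 is forwarded to the LAN.
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind eth0's address, then enable routing only after the
    # FORWARD policy and rules are in place.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    echo 1 > "$IP_FORWARD"
}

# Undo everything.  Forwarding is switched off first, so the LAN is cut off
# rather than exposed; the firewall itself is then left wide open (policy
# ACCEPT).  Set the policies to DROP instead if you would rather it go dark.
stop() {
    echo 0 > "$IP_FORWARD"
    flush_all
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    *)       echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Run it as root with start, stop or restart; IPTABLES and IP_FORWARD are
variables so the script can be dry-run by pointing them at a shell function
and /dev/null.  Two caveats for anyone reusing the thread's own scripts on a
current system: -m state still works but -m conntrack --ctstate is the
preferred spelling now, and the intrapositioned negation -i ! eth0 used above
is deprecated in newer iptables releases in favour of ! -i eth0.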


_______________________________________________
CLUE-Tech mailing list
CLUE-Tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech



