[CLUE-Tech] Firewall

Chris r0x0rman at yahoo.com
Sat Feb 23 12:30:57 MST 2002


haha please.  I doubt anyone would learn anything from this.  Here is how I
have it at the moment.  I'm going to change some stuff.  I'm kinda playing
with it right now.  Doing stuff like blocking access from my LAN to
certain services.  I guess I should post it so anyone can tell me if they
see anything glaringly wrong.  And remember this is my first basic firewall.
I know it's probably not ultra super secure.

# Load the NAT module (this pulls in all the others).
/sbin/modprobe iptable_nat

# Flush all chains

iptables -F block
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

# Enable NAT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# table=block

iptables -N block
#iptables -A block -s 208.61.167.222 -j ACCEPT
#iptables -A block -s 198.178.8.81 -j ACCEPT
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

# Services

iptables -A INPUT -s 198.178.8.81 -p tcp --dport 110 -j ACCEPT -i eth0 # pop3
iptables -A INPUT -s 198.178.8.81 -p tcp --dport  25 -j ACCEPT -i eth0 # smtp
iptables -A INPUT -s 198.178.8.81 -p tcp --dport  80 -j ACCEPT -i eth0 # httpd
iptables -A INPUT -s 198.178.8.81 -p tcp --dport  22 -j ACCEPT -i eth0 # ssh
iptables -A INPUT -s 198.178.8.81 -p tcp --dport  21 -j ACCEPT -i eth0 # ftp

# table=INPUT,FORWARD
iptables -A INPUT -j block
iptables -A FORWARD -j block
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Kevin Cullis
Sent: Saturday, February 23, 2002 12:16 PM
To: clue-tech at clue.denver.co.us
Subject: Re: [CLUE-Tech] Firewall


Chris,

Don't do this to me, ARRRGGGHHH, keeping me hanging like this, what did
you do?  ;-)  Hey, post your solution so that others can learn.

Kevin

Chris wrote:
>
> I got it working how I want so you can ignore my post.
>
> -----Original Message-----
> From: clue-tech-admin at clue.denver.co.us
> [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Chris
> Sent: Saturday, February 23, 2002 10:43 AM
> To: clue-tech at clue.denver.co.us
> Subject: RE: [CLUE-Tech] Firewall
>
> It's just an extremely basic firewall.  I'm setting it up for the first
> time so I decided to block most everything and add stuff as needed.  I
> know the script that I posted will block me when I try to ssh.  I tried
> to make this change:
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> to
>
> iptables -N block
> iptables -A block `-s ! workip' -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> iptables -A block -j DROP
>
> this allowed me to connect from work, but would not let machines on my LAN
> at home get out.  Today I'm going to read the man pages and figure it out.
> I found out how to flush chains with a command, but it did not seem to
> work with the nat table.
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> I need to do some more research and then I can ask you guys some
> questions.  Here is what I want to do:
>
> Let everything through that comes in on eth1 (my LAN)
> Modify the script above so that only certain IPs can connect to certain
> services through eth0.
>
> -----Original Message-----
> From: clue-tech-admin at clue.denver.co.us
> [mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Dave Anselmi
> Sent: Friday, February 22, 2002 7:09 PM
> To: clue-tech at clue.denver.co.us
> Subject: Re: [CLUE-Tech] Firewall
>
> I don't usually answer these kinds of posts.  I can't tell you how to
> improve your script until you tell me what it's supposed to do (formally,
> what security policy it is supposed to implement).  Of course it is very
> rare to find a system where the security policy was written before (or
> even in conjunction with) the implementation.
>
> But this script is short, so a few things come to mind.
>
> Chris wrote:
>
> > Hey guys I was wondering if you could help me out.  I'm trying to set up
> > a firewall for the first time.  Just something simple.  Here is what I
> > have so far.
> >
> >
> > ============================================================================
> > /sbin/modprobe iptable_nat
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > iptables -N block
> > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
> > iptables -A block -j DROP
> >
> > iptables -A INPUT -j block
> > iptables -A FORWARD -j block
> > iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> > iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> > iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> >
> > ============================================================================
>
> Your block chain implies that you want very similar policy for this box
> (firewall) and all your internal machines.  You might consider locking
> down the firewall more than the others.
>
> IIRC, these rules are processed in order, so all your FORWARD rules after
> the first are irrelevant (because the block chain drops everything before
> any other rules run).  I could be wrong about this.
>
> The limit rules didn't make much sense to me when I read the HOWTO.  But
> my guess is that you'll never notice whether they work or not unless
> you're running a sniffer, too.
>
> > Does everything look ok so far?
> >
> > With this set up, I am unable to ssh to my machine from work.  How can I
> > allow certain IPs to connect, and how can I let certain services pass
> > through?  I want to let two IPs connect.
>
> Well, of course you can't ssh.  There's no rule to accept incoming ssh
> connections.  Think about whether these connections should go to the
> firewall or to internal machines.  Then write the appropriate accept rule
> and put it before (or in) your block chain.
>
> > Also say if I want to make a change to the entry for nat.  How do I
> > reload it without having to reboot?
>
> Rebooting has nothing to do with it.  These are just some commands that
> get run.  Changing what you have is simply a matter of running more
> commands.  If you mean you want to change the script and then run the
> script to cause the changes, there are two ways I've seen it done:
>
> - Write the script so it clears out everything at the beginning.  This
> script assumes that all the tables are empty when it starts.
>
> - Write the script so you can pass in start and stop parameters.  Start
> does what you have already, stop undoes it.
>
> In either case, think about the state of your interfaces when you turn
> your rules off.  Do you want them wide open, or turned off?
>
> Dave
>
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
>

--

"Success is never final, failure is never fatal" - Kevin Cullis
---
Kevin Cullis
kcullis at coloradoexcellence.org
303-893-CPEX (2739)
Colorado Performance Excellence, Inc
http://www.coloradoexcellence.org
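A start/stop firewall script in the shape Dave describes (clear everything first, then rebuild; a stop target that undoes it), written for the two-interface setup Chris is after: trust everything arriving on eth1 (the LAN), masquerade it out eth0, and let only one named remote address open connections from the Internet to chosen services on the firewall itself. This is an added example, not Chris's script or anything posted in the thread; the interface names, the WORK_IP value (a TEST-NET placeholder), the port list and the iptables command path are assumptions that can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not the poster's script). Two-interface firewall with
# start/stop targets: eth0 faces the Internet, eth1 is the trusted LAN.
# Placeholders, overridable from the environment:
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
WORK_IP=${WORK_IP:-192.0.2.10}      # assumed remote address (TEST-NET placeholder)
SERVICE_PORTS=${SERVICE_PORTS:-22}  # TCP ports WORK_IP may reach on the firewall
FWD_CTL=${FWD_CTL:-/proc/sys/net/ipv4/ip_forward}

# stop: empty every table and fall back to accept-all policies ("wide open").
# Change the three -P lines to DROP if you would rather lose remote access
# than run unfiltered.  start calls this first, so re-runs never duplicate rules.
fw_stop() {
    $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -X; $IPT -t nat -F
    echo 0 > "$FWD_CTL"
}

fw_start() {
    fw_stop
    # Default deny for packets to and through the firewall; OUTPUT stays open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Stateful core: replies to connections already allowed are always accepted.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Loopback and the LAN side are trusted; LAN hosts may go out via the WAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # Only WORK_IP may open new connections from the Internet, and only to
    # the listed ports on the firewall itself (nothing is forwarded inward).
    for port in $SERVICE_PORTS; do
        $IPT -A INPUT -i "$WAN" -s "$WORK_IP" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Hide LAN addresses behind the WAN interface and turn routing on.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    echo 1 > "$FWD_CTL"
}

# Entry point: ./fw.sh start | ./fw.sh stop.  No argument means do nothing,
# so the file can also be sourced to reuse the functions.
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Because the policy is DROP and the accept rules sit directly in INPUT and FORWARD, there is no terminal DROP chain for later rules to hide behind, which is the ordering problem Dave points out in Chris's original FORWARD rules.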