Solved

Firewall question.

Posted on 1998-11-29
18
312 Views
Last Modified: 2010-03-18
I nead some help with my firewall rules.

I have 2 machines connected to internet.
Each machine have 2 network cards and are connected to a local net through eth1.

I like to filter out everything on eth0 eccept. samba, mail, www, ftp, ident, ssh, icq, quake (on port 27500 and 28000). I like to filter out ping but I like to be able to ping other machines. (and I like my other machine to be able to ping me)

Than I have a machine (10.0.0.4) which are connectet to internet through my machine (ip-masquerading). Now I wounder how to set up those rules  with ip-chains.

I don't understand the howto so well. I have started with those rules:

/sbin/ipchains -A input -s 10.0.0.2/32 echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s 10.0.0.3/32 echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s 10.0.0.4/32 echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s y.y.y.y/32 echo-request -p icmp -j ACCEPT
/sbin/ipchains -A input -s 0/0 echo-request -p icmp -j REJECT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :80 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :20 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :21 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :22 -j ACCEPT    
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :25 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :137 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :138 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :139 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :113 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :512 -j ACCEPT
/sbin/ipchains -A input -s evil-crackur/32 -j REJECT
/sbin/ipchains -A input -s evil-crackur/32 -j REJECT
/sbin/ipchains -A input -p TCP -y -d x.x.x.x/32 :1024 -j REJECT


echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/ipchains -A forward -j MASQ -s 10.0.0.4/24 -d 0.0.0.0/0
/usr/sbin/ipmasqadm autofw -A -p tcp 8000 10.0.0.4:80
/usr/sbin/ipmasqadm autofw -A -p tcp 8020 10.0.0.4:20
/usr/sbin/ipmasqadm autofw -A -p tcp 8021 10.0.0.4:21
/usr/sbin/ipmasqadm autofw -A -p tcp 8022 10.0.0.4:22    


x.x.x.x is the ip-number of my machine (eth0) . y.y.y.y is the ip of eth0 of my other machine.

10.0.0.x is the numbers of my local net.
I like to filter out all udp that is not needed. (not dns) to my eth0 . I get many  unvanted connections to my portmap. And I like only the 10.0.0.x machines to be able to connect to my portmap.

How do I set this up. What have I forgotten. How many more rules do I need to get my machine quite safe? Is my rules abowe ok?

Can some one help me settting up my rules???

Is /etcrc.d/rc.local a good place to put the rules in?
0
Comment
Question by:wqclatre
  • 8
  • 3
  • 2
  • +5
18 Comments
 
LVL 1

Expert Comment

by:iNFaMouS
ID: 1587718
maybe an easier way to work that out are the /etc/hosts.deny and /etc/hosts.allow files.
You can setup wanted/unwanted connections in those, for example you can add in /etc/hosts.deny ALL: ALL and setup the wanted services in /etc/hosts.allow (for example ALL: LOCAL (or 127.0.0.1) and ALL: <the IP of your other machine> and <service (for example in.telnetd or http)>: ALL EXCEPT <ip mask> and so on..
really useful and easier than the firewall buisness. I reckon that a well setup firewall is only needed for people with a complete paranoia and/or a BIG network.

Greetings
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587719
Well, I'm paranoid! I still like to set up a firewall....
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587720
BTW! how do do I filter out ping with /etc/hosts.deny???
I'm tired of smurf-ping.
0
 
LVL 2

Expert Comment

by:irp
ID: 1587721
Not used ipchains, but if it's anything like ipfwadm, a rule starting A is an accounting rule, you propably want to use F for firewall/forward. Try that !
0
 
LVL 1

Expert Comment

by:adrianwatkins
ID: 1587722
host.deny aint going to help you when the traffic is passing through the box and it does not involve any service on the unit.

Firewall rules look like Accounting to me.
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587723
-A means add to chain. And -F means flush (Delete all rules in  chain or all chain) and that's defenitly not what I want to do.
0
 
LVL 2

Expert Comment

by:irp
ID: 1587724
For most, if not all services you will need two way filters. i.e. you can send a packet out and generally you will need to allow the return packet. I'm not familiar with ipchains, but you probably need to allow echo-reply from the host you want to ping to the host you ping from. Also it's best to allow in anything to a port number above 1024 from allowed services (i.e. 80/23/20/21/25 etc.) as this will be the response to web transfer, telnet etc. You can see this if you telnet to a machine and run netstat, it will show you the ports in use both ends.
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587725
I don't think it's a good idea to alow telnet. And If I fiterout everything exxept 80/23/20/21/25 the DNS doesn't work and I don't think that it's so good. And why shall I alow ports over 1024 ?
When does they need them? Isn't it a good idea to filterout X11 connections? Well I think that i found out most of my problems but I'm not sure if my rules is ok (Now I have more rules than abowe). I have a big problem. I can't do a ls / . I can do a ls anywhere else. What can this problem be? What shall I allow?

0
 
LVL 2

Expert Comment

by:irp
ID: 1587726
The port numbers mentioned were intended as an example,not a recommendation on what to allow. With regard to ports above 1024, these are outgoing ports from the client, which then become incoming for responses from the server. Ie. web transfer goes out to port 80 on the server, from the next available outgoing port number, e.g 1031. Then the webserver sends data back from it's port 80 to your port 1031, hence you need to allow this data through or you'd never see any web pages. The most secure way of filtering is to deny everything, then build up services that you need. If you don't need X11, filter it although I'm not sure on port numbers etc, I think it uses icmp packets, but don't quote me. What is your problem with ls, surely this is not related to IP filters ? Maybe another question is in order with more details, after awarding me the points of course !!
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 2

Author Comment

by:wqclatre
ID: 1587727
Well.. the problem is related to the ip-filter because it works when I flush the chains and doesn't work otherwise. (or it works but not in the /  I can do a ls /home but not a ls /)
(I have some more rules than those abowe.
0
 
LVL 1

Expert Comment

by:canacar
ID: 1587728
you can find a fine script for firewalling and masquerading
using ipchains at:
http://www.nerdherd.net.ipchains

it addresses almost all of your questions (except the remote ping bit)
and seems quite customizable

Can
0
 

Expert Comment

by:vladoz
ID: 1587729
if you think that firewall will prevent smurf forget it. You'll revceive all packets and this will stop transimiting them back. But who cares your incoming link is full.
0
 
LVL 1

Accepted Solution

by:
gashalot earned 600 total points
ID: 1587730
I maintain a large firewall that handles the traffic for 3 T1's at our office and does accounting for it.  Your rule set is very complex, but I do the same thing for my hosts.  I have read your configuration and have a few comments to make on it.

First of all: be sure you know that any incoming packet comes into the firewall system and moves down the list of rules until it reaches a rule that matches it.  It is then handled based on that rule and forgotten (except for the packet # and byte counter which are updated).

To configure your network first start like this
ipchains -P input -j DENY

This will force all input to be denied by default.  Then you can start adding the rules that you wish to the chains.  To do this use the
ipchains -I input ......
command.  This inserts the new chain above the others, so it will override the others below it.

Your question is worded vaguely, but from what I can understand you need to only open up a few ports on this machine and need to masquerade for the other hosts.

As for your rules you are using all of them correctly, but I should note on a few things I see that might cause problems:

When you are specifying a port to accept to just do it like this -d x.x.x.x port[:port] .
If you use the : flag you are saying allow the ports between port1:port2 and allow connections on port1 and port2 as well.  No netmask is needed for single hosts.

For your masquerading I am unsure if the ipmasqadm will work w/ ipchains, but I don't think it does.  It looks like you are forwarding the traffic on the ports to another IP address on your internal network, I am not sure how this is handled but I will look into it for you.

I have included a basic command for a rule below so you can see how to set it up.

ipchains -I input -p icmp|tcp|udp -s 0/0 -d x.x.x.x/32 -j ACCEPT|DENY

A lot of your rules have no source address, which is recommended even if it 0/0.  Hope this helps you.
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587731
Well... it was a long time ago since I asked thsi question and I think I've solved all my problems already but thanks.
0
 
LVL 2

Author Comment

by:wqclatre
ID: 1587732
You don't mean
ipchains -A input -p icmp|tcp|udp -s 0/0 -d x.x.x.x/32 -j ACCEPT|DENY ?
0
 
LVL 1

Expert Comment

by:gashalot
ID: 1587733
Nope, you need -I, this way you're inserting rules above the others, this way if you do a global accept for a host and then put in a deny the deny overrides the accept.  If you did a -A you will accept the packet because you're appending that deny rule to the bottom where it won't be examined.
0
 

Expert Comment

by:jkline73
ID: 2638293
Can someone please tell me how to redirect traffice from the outside to the inside.  I have x.x.x.x on the outside and 10.0.0.0/8 on the inside.  I want to redirect x.x.x.4/xx to 10.0.0.92/8.  Can someone help?

Thanks
0
 
LVL 2

Author Comment

by:wqclatre
ID: 2638472
Sure...

use ipmasqadm

/usr/sbin/ipmasqadm portfw -a -P tcp -L Q.X.Y.Z 8000 -R 10.0.0.4 80 -p 1

Forwards port 8000 on q.x.y.z to port 80 on 10.0.0.4.

You can alos use redir (or uredir for udp) (search on freshmeat)
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now