pucko

asked on

IP-Masquerade problem

I have some problems with ip-masquerading.

Machine A has eth1 connected to internet and eth0 connected to machine B

My rules:

IPCHAINS="/sbin/ipchains"
## IP Masq
#
## dont masq internal-internal traffic
$IPCHAINS -A forward -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
#
## dont masq external interface direct
$IPCHAINS -A forward -s 130.x.y.z -d 0/0 -j ACCEPT
#
## masquerade all internal IP's going outside
$IPCHAINS -A forward -s 10.0.0.0/24 -d 0/0 -j MASQ  
 
I can ping my nameserver if I use ping ipnr. But I can't do a ping host.com.

My resolve.conf:

domain mydomain.com
search mydomain.com
nameserver 130.x.y.z

How can I get the dns part to work?
irp

Are you running DNS on your machine or accessing somebody elses?
Can you access outside hosts from inside your network? What is ipnr (is this in your /etc/hosts)? Use nslookup to test DNS resolution. Give me some more info and I'll try to help you.
pucko (ASKER)

OK!

Machine A eth0: 10.0.0.2
         eth1: 130.236.A.B

/etc/hosts:

10.0.0.2        pucko.local     pucko
10.0.0.3        documentation.local     doc    
10.0.0.4        abbie.local     abbie  
127.0.0.1 ab.doubleclick.net    
resolve.conf:

domain foo.se
search foo.se
nameserver 130.236.C.D

Machine B eth0: 10.0.0.2

/etc/hosts
10.0.0.2        pucko.local     pucko
10.0.0.3        documentation.local     doc    
10.0.0.4        abbie.local     abbie  
127.0.0.1 ab.doubleclick.net  
resolve.conf

domain foo.se
search foo.se
nameserver 130.236.C.D

From machine B:

[root@abbie /etc]# ping 130.236.C.D
PING 130.236.230.9 (130.236.C.D): 56 data bytes
64 bytes from 130.236.230.9: icmp_seq=0 ttl=61 time=4.1 ms
64 bytes from 130.236.230.9: icmp_seq=1 ttl=61 time=4.8 ms
64 bytes from 130.236.230.9: icmp_seq=2 ttl=61 time=6.1 ms            

But I didn't get any response if I do a ping ns.foo (the nameserver with IP 130.236.C.D).

If I do a ping ns.foo from machine B and a /sbin/ipchains -M -L at the same time I get:

IP masquerading entries
prot expire   source               destination          ports
UDP  04:55.10 abbie.local          ns.foo               1039 (61086) -> domain
UDP  03:23.60 abbie.local          ns.foo             netbios-ns (61088) -> netbios-ns

It doesn't matter if I put ns.foo in the /etc/hosts


And tcpdump says:

22:30:07.747766 abbie.local.1039 > ns.foo.domain: 62981+ (30)
22:30:12.748167 arp who-has pucko.local tell abbie.local
22:30:12.748672 arp reply pucko.local is-at 0:80:ad:38:d:94


It works fine if I install a caching nameserver on machine A and put 10.0.0.2 as nameserver on machine B. But that is not the solution I'd like to have...
Uhhh...I assume machine B's IP address for eth0 is actually 10.0.0.4 (you say 10.0.0.2 above, but that won't work).

I would delete the first two forwarding rules and just leave the last one.  Given what you've described of the networking the other two rules should be unused, but if they aren't then they probably aren't doing what you want either.  Are any packets being accepted by the other two rules while you are waiting for a nameserver response?  Use 'ipchains -L -xvn' to see packet counts.
pucko (ASKER)

Yes... it should be 10.0.0.4. And it doesn't matter if I remove the other rules.

and ipchains -L -xvn gives:

Chain input (policy ACCEPT: 404 packets, 42832 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    1811     277759 ACCEPT     all  ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             n/a
      60       7404 ACCEPT     all  ------ 0xFF 0x00  lo                             0.0.0.0/0             0.0.0.0/0             n/a
       0          0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   1433
       0          0 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   1433
       0          0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   2049
       0          0 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   2049
       0          0 DENY       tcp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   5432
       0          0 DENY       udp  ----l- 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   5432
     437     143262 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   1023:65535
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   20
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   21
      28       1120 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   22
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   53
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   53
     110       4400 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   80
       0          0 ACCEPT     icmp ------ 0xFF 0x00  *                              10.0.0.0/24           0.0.0.0/0             8 ->   *
    1336      68560 ACCEPT     icmp ------ 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   *
       0          0 ACCEPT     icmp ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             * ->   *
       0          0 ACCEPT     icmp ------ 0xFF 0x00  *                              130.236.233.202       0.0.0.0/0             8 ->   *
       0          0 REJECT     icmp ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             8 ->   *
       2         88 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:80
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:20
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:21
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:22
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:25
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:137
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:138
       4        176 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:139
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:113
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:512
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8000
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8020
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8021
       0          0 ACCEPT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:8022
       7        728 REJECT     all  ----l- 0xFF 0x00  *                              130.236.233.145       0.0.0.0/0             n/a
      13       3276 REJECT     all  ----l- 0xFF 0x00  *                              130.236.235.58        0.0.0.0/0             n/a
      13       3172 REJECT     all  ----l- 0xFF 0x00  *                              130.236.235.110       0.0.0.0/0             n/a
       0          0 REJECT     tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:1024
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:53
      87      10530 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:4000
      23        920 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:26000
  301573   17468266 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:27500
      16       3364 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:28000
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   0:29000
      34       3578 REJECT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   *
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   22
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   20
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   21
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   80
     118     137768 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   25
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   137
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   138
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   139
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   113
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   512
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8000
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8020
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8021
       0          0 ACCEPT     tcp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   8022
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   27500
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   26000
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   28000
       0          0 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   53
       0          0 DENY       tcp  -y---- 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   *
   73907   15134699 DENY       udp  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             * ->   *
Chain forward (policy ACCEPT: 9 packets, 2075 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
       0          0 ACCEPT     all  ------ 0xFF 0x00  *                              10.0.0.0/24           10.0.0.0/24           n/a
       0          0 ACCEPT     all  ------ 0xFF 0x00  *                              130.236.A.B       0.0.0.0/0             n/a
     127      22625 MASQ       all  ------ 0xFF 0x00  *                              10.0.0.0/24           0.0.0.0/0             n/a
       0          0 MASQ       all  ------ 0xFF 0x00  *                              10.0.0.0/24           0.0.0.0/0             n/a
       0          0 DENY       all  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             n/a
Chain output (policy ACCEPT: 132 packets, 16707 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    2153     230822 ACCEPT     all  ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             n/a
      55       6395 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0             0.0.0.0/0             * ->   80
       0          0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0             0.0.0.0/0             * ->   21
       0          0 -          tcp  ------ 0x01 0x08  *                              0.0.0.0/0             0.0.0.0/0             * ->   20
      64      10198 ACCEPT     icmp ------ 0xFF 0x00  eth1                           0.0.0.0/0             0.0.0.0/0             * ->   *
       0          0 ACCEPT     icmp ------ 0xFF 0x00  eth0                           0.0.0.0/0             0.0.0.0/0             * ->   *
  250057   31385006 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0             0.0.0.0/0             n/a

You are REJECTing packets to ports 61000:65535 on input.  You need those ports for masquerade replies to work (they can't be used for anything else).
This line:

      34       3578 REJECT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0             130.236.A.B       * ->   *

To find out if this is the problem, try doing a few name lookups with "ping" and see if the number "34" increases.
pucko (ASKER)

zblaxell. It seems that you know what's wrong. If I remove all of my firewall rules it seems to work. Now the problem is that I can't find which to remove. I still want a firewall. I increased the points from 50 to 250 points in the hope that you can give me some comments about my rules. Some of those are stupid, I think.
Which can I remove?
And do you have any idea why I can't use ssh to some places if I uncomment the last rule?
My rules:
#!/bin/sh

echo -n "Starting Firewall"  

echo 1 > /proc/sys/net/ipv4/ip_forward  
IPCHAINS="/sbin/ipchains"


$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

INTERNALIF="eth0"
INTERNALNET="10.0.0.0/24"
INTERNALIP="10.0.0.2"
#

EXTERNALIF="eth1"
EXTERNALNET="0.0.0.0/0"
EXTERNALIP="130.236.A.B"
#
## Allow all connections on the internal interface
#
$IPCHAINS -A input -i $INTERNALIF -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT

#
#
## IP Masq
#
## dont masq internal-internal traffic
#$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
#
## dont masq external interface direct
#$IPCHAINS -A forward -s $EXTERNALIP -d 0/0 -j ACCEPT
#
## masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d 0/0 -j MASQ

#

$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 1433 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 1433 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 2049 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 2049 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p tcp -s 0/0 -d 0/0 5432 -l -j DENY
$IPCHAINS -A input -i $EXTERNALIF -p udp -s 0/0 -d 0/0 5432 -l -j DENY
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 1023:65535 -j ACCEPT

$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 21 -j ACCEPT    
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT  
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT  


/sbin/ipchains -A input -s  $INTERNALNET echo-request -p icmp -j ACCEPT



$IPCHAINS -A input -i $EXTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input -i $INTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $EXTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i $INTERNALIF -p icmp -s 0/0 -d 0/0 -j ACCEPT

/sbin/ipchains -A input -s 130.236.E.F/32 echo-request -p icmp -j ACCEPT

/sbin/ipchains -A input -s 0/0 echo-request -p icmp -j REJECT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :80 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :20 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :21 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :22 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :25 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :137 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :138 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :139 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :113 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :512 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8000 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8020 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8021 -j ACCEPT
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :8022 -j ACCEPT

#### Reject some idiots! ###################
/sbin/ipchains -A input -s 130.236.233.145/32 -d 0/0 -l -j REJECT
/sbin/ipchains -A input -s 130.236.235.58/32 -d 0/0 -l -j REJECT
/sbin/ipchains -A input -s 130.236.235.110/32 -d 0/0 -l -j REJECT

#########################
/sbin/ipchains -A input -p TCP -y -d $EXTERNALIP/32 :1024 -j REJECT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :53 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :4000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :26000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :27500 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :28000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 :29000 -j ACCEPT
/sbin/ipchains -A input -p UDP -d $EXTERNALIP/32 -j REJECT




/sbin/ipchains -A forward -j MASQ -s 10.0.0.4/24 -d 0.0.0.0/0


/usr/sbin/ipmasqadm autofw -A -p tcp 8000 10.0.0.4:80    
/usr/sbin/ipmasqadm autofw -A -p tcp 8020 10.0.0.4:20  

$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 21 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 25 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 137 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 138 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 139 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 113 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 512 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8000 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8020 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8021 -j ACCEPT
$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 8022 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 27500 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 26000 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 28000 -j ACCEPT
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
$IPCHAINS -A input -p tcp -y -d 130.236.A.B/32 -j DENY
$IPCHAINS -A input -p udp -j DENY
$IPCHAINS -A output -j ACCEPT
$IPCHAINS -A forward -j DENY
#$IPCHAINS -A input -p  -j DENY



ASKER CERTIFIED SOLUTION
zblaxell
(The accepted solution is only available to Experts Exchange members and is not shown here.)
pucko (ASKER)

Thanks. Do you have any idea why ssh doesn't work if I add

$IPCHAINS -A input -p  -j DENY

at the end of the file?
Your rules list is very repetitive and confusing.  At the start of the file there is an ACCEPT rule for tcp -s 0/0 -d 0/0, which should accept all TCP headed anywhere.  How ssh 'escapes' to the last line of the file (where it can be REJECTed by that last command) I don't know.

The line:  $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 1023:65535 -j ACCEPT

and the six lines below it should be enabling ssh access from and to anywhere.

Where are you trying to ssh from and to?  To the firewall server or through it?  What do you get from 'ssh -v'?
pucko (ASKER)

I get: this + how to use it.
SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.    

I'm trying to ssh to another machine from the firewall.
Uhhh...I meant what happens when you use 'ssh -v' instead of 'ssh', as in 'ssh -v user@hostname'.  It usually provides some information about what is going on, e.g. is it hanging doing DNS, waiting for an ident, or trying to bind to a low-numbered port...

Oh yeah.  ssh will bind to a low numbered (below 1024) TCP port on the client side if it detects that it may have to use RhostsAuthentication.  If you disable RhostsAuthentication or remove the setuid-root bit on ssh then ssh won't use low-numbered ports.  Your ipchains rules don't allow connections from your firewall to outside machines on low-numbered ports (the 1023: half of 1023:65535).  You could reduce the 1023 to 900 or so.

If you just want to prevent people from connecting to your machine, but want to enable outgoing connections, use rules with the '-y' option to enable all the TCP connections you wish to allow, then use 'ipchains -A input -p tcp -s 0/0 -d 0/0 -j REJECT' to deny all other connections.

Here is my web server's firewall rules list, with IP addresses deleted to protect the innocent.  It explicitly verifies the source and destination of all addresses on each network interface, allows ssh, telnet, FTP, mail, ident, https, finger, and http to the outside world, 'ping' and certain ICMP messages (3 and 11; don't remember what they're for the moment) and all UDP access.

I check all IP addresses to make sure they have sensible source and destination addresses.  By default nothing is permitted, and services which I actually use are explicitly permitted.  Anything that is not permitted is logged to the syslog using '-l' - apart from being useful for debugging, this can alert me to people trying to break into my machine.  However, my uplink generates a heck of a lot of noise on my eth1 that does not have my IP address, so I silently discard all such packets (12 megabytes a day).  I also count all my own network traffic so I can verify my service provider's invoices.

#!/bin/sh -x
PATH=/sbin:/usr/bin:/bin

# Default timeouts
ipchains -M -S 3600 3600 3600

# Read config from Red Hat.  eth0 is internal,
# eth1 is external.

# source the interface config (sets $IPADDR and $DEVICE)
. /etc/sysconfig/network-scripts/ifcfg-eth0
INSIDE=$IPADDR
INSIDE_DEVICE=$DEVICE

# source the external interface config; $IPADDR and $DEVICE now refer to eth1
. /etc/sysconfig/network-scripts/ifcfg-eth1

# Our internal network addresses

PRIVATE_NETWORK=99.0.0.0/8
FOOBAR_NETWORK=98.0.0.0/8

# Default policy is deny, empty rule chains

ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -F

# Ignore noise on uplink device.
ipchains -A input -i $DEVICE -d ! $IPADDR -j DENY

# Count SYN packets, total packets, packets on each interface
ipchains -A input -p tcp -y -l
ipchains -A output -p tcp -y -l
ipchains -A input
ipchains -A output
ipchains -A input -i lo
ipchains -A output -i lo
ipchains -A input -i eth0
ipchains -A output -i eth0
ipchains -A input -i eth1
ipchains -A output -i eth1

# FOOBAR network should not be accessible from web server.
# This is enforced on a firewall connected to FOOBAR,
# and also enforced here for redundancy.
ipchains -A input -s $FOOBAR_NETWORK -b -j DENY -l
ipchains -A output -s $FOOBAR_NETWORK -b -j DENY -l

# Allow only localhost and local IP addresses on loopback.
# Localnet addresses should not appear anywhere else.
ipchains -A input -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A input -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A input -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A input -i lo -j DENY -l
ipchains -A input -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l

# Ditto for output.
ipchains -A output -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A output -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A output -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A output -i lo -j DENY -l
ipchains -A output -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l

# Internal network addresses only on internal side
ipchains -A input -i $INSIDE_DEVICE -s $PRIVATE_NETWORK -j ACCEPT
ipchains -A output -i $INSIDE_DEVICE -d $PRIVATE_NETWORK -j ACCEPT

# Internal network addresses on internal network only.
ipchains -A input -s $PRIVATE_NETWORK -j DENY -l -b
ipchains -A output -s $PRIVATE_NETWORK -j DENY -l -b

# Allow traffic from outside world.
# TCP ports for local clients are defined in /proc/sys/net/ipv4/ip_local_port_range and are 1024:4999 by default.
# 61000:65095 are for masquerade.
# A.B.C.D etc are our DNS secondaries which need to use TCP for DNS.  All others can use UDP.
# ICMP 0 and 8 are ping, 3 and 11 are TCP and UDP messages
ipchains -A input -i $DEVICE -d $IPADDR 20:25 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 79:80 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 113 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 443 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 1024:4999 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 61000:65095 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s A.B.C.D -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s E.F.G.H -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s I.J.K.L -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -s M.N.O.P -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 53 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 123 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 1024:65535 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 0 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 3 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 8 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 11 -d $IPADDR -p icmp -j ACCEPT

# No control over outbound traffic
ipchains -A output -i $DEVICE -s $IPADDR -j ACCEPT

# Not a gateway onto private network.  This stops an IP spoofing
# attack if it somehow gets through all the filtering above.
ipchains -A forward -s $PRIVATE_NETWORK -d $PRIVATE_NETWORK -j DENY -l
# Forward and masquerade private network to the world
ipchains -A forward -s $PRIVATE_NETWORK -j MASQ

# Report any other packets that are denied.
# Useful for debugging (-l logs these to the kernel syslog)
ipchains -A input -j DENY -l
ipchains -A output -j DENY -l
ipchains -A forward -j DENY -l
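To make the first-match logic behind both points concrete (the UDP REJECT to 130.236.A.B catching masquerade replies on 61000:65535, and the 1023 floor of the 1023:65535 ACCEPT shutting out ssh's low client port once a catch-all DENY ends the chain), here is an added Python model that is not part of the thread. It assumes a constructed subset of the asker's input chain in its original order, keeps the thread's 130.236.A.B placeholder, and models only protocol, destination address, destination port and the -y flag.

```python
# Added example (not code from the thread): first-match walk over a simplified
# ipchains input chain. Rules are a constructed subset of the asker's chain;
# only protocol, destination address/port and the SYN-only (-y) flag are modelled.
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXTERNAL_IP = "130.236.A.B"       # placeholder, written as in the thread
MASQ_PORTS = range(61000, 65096)  # 2.2 kernel masquerade port pool, 61000:65095

@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT / REJECT / DENY
    proto: Optional[str] = None     # None matches any protocol
    dst: Optional[str] = None       # None matches 0.0.0.0/0
    dports: Optional[range] = None  # None matches any destination port
    syn_only: bool = False          # ipchains -y: SYN set, ACK clear

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.syn_only and not (pkt.syn and not pkt.ack):
        return False
    return True

def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[int, str]:
    """First matching rule wins, as in ipchains; (-1, policy) if nothing matches."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return i, rule.target
    return -1, policy

# Constructed subset of the asker's input chain, in its original order.
# ipchains port ranges are inclusive: ':80' is 0..80, '1023:65535' is 1023..65535.
ASKER_INPUT: List[Rule] = [
    Rule("ACCEPT", "tcp", dports=range(1023, 65536)),                  # 1023:65535
    Rule("ACCEPT", "tcp", dports=range(22, 23)),                       # 22
    Rule("ACCEPT", "udp", dports=range(53, 54)),                       # 53
    Rule("ACCEPT", "tcp", EXTERNAL_IP, range(0, 81), syn_only=True),   # -y :80
    Rule("REJECT", "tcp", EXTERNAL_IP, range(0, 1025), syn_only=True), # -y :1024
    Rule("ACCEPT", "udp", EXTERNAL_IP, range(0, 54)),                  # :53
    Rule("REJECT", "udp", EXTERNAL_IP),                                # the flagged rule
    Rule("DENY", "udp"),
]

# Reply to the masqueraded lookup seen in 'ipchains -M -L': the query left as
# 130.236.A.B:61086 -> ns:53, so the answer comes back to port 61086.
DNS_REPLY = Packet("udp", "130.236.C.D", EXTERNAL_IP, 61086)
# SYN-ACK back to the firewall's own ssh client, which bound port 1022 (as the
# 'ssh -v' output later in the thread shows). SYN and ACK set, so '-y' rules skip it.
SSH_REPLY = Packet("tcp", "remote-host", EXTERNAL_IP, 1022, syn=True, ack=True)

def with_masq_reply_rule(chain: List[Rule]) -> List[Rule]:
    """DNS fix: accept UDP to the masquerade port pool ahead of the UDP REJECT."""
    fixed = list(chain)
    idx = next(i for i, r in enumerate(fixed) if r.target == "REJECT" and r.proto == "udp")
    fixed.insert(idx, Rule("ACCEPT", "udp", EXTERNAL_IP, MASQ_PORTS))
    return fixed

def with_lower_client_floor(chain: List[Rule], floor: int) -> List[Rule]:
    """ssh fix suggested above: lower the 1023 floor of the client-port ACCEPT."""
    return [Rule(r.target, r.proto, r.dst, range(floor, 65536), r.syn_only)
            if r.dports == range(1023, 65536) else r for r in chain]

if __name__ == "__main__":
    print(verdict(ASKER_INPUT, DNS_REPLY))                        # (6, 'REJECT')
    print(verdict(with_masq_reply_rule(ASKER_INPUT), DNS_REPLY))  # (6, 'ACCEPT')
    tail = [Rule("DENY")]                                         # trailing catch-all
    print(verdict(ASKER_INPUT + tail, SSH_REPLY))                 # (8, 'DENY')
    print(verdict(with_lower_client_floor(ASKER_INPUT, 900) + tail, SSH_REPLY))  # (0, 'ACCEPT')
```

Without the catch-all DENY the SYN-ACK to port 1022 falls through to the chain policy, which is why the asker's chain only breaks ssh once a final DENY is appended.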

pucko (ASKER)

How can I remove the setuid bit on ssh?
pucko (ASKER)

I tried chmod -s ssh but I get:

a201.ryd.student.liu.se: Reading configuration data /etc/ssh_config
pucko: ssh_connect: getuid 0 geteuid 0 anon 0
pucko: Connecting to tintin [X..Z.V] port 22.
pucko: Allocated local port 1022.

pucko (ASKER)

Sorry.. was trying as root...
Thanks for all help!!!!
pucko (ASKER)

I used your file and modified it. I have some problems. It seems like DNS does not work and ICQ doesn't work either. I'll add this as a new question for you and name it "Question for zblaxell" so you can get some more points.