Solved

Firewall on single server RH7.0 - NIC <-> modem

Posted on 2001-08-12
Last Modified: 2010-03-18
Running RH7.0 on an IntelliStation attached to the corp. LAN via tr0 (9.xx.xx.xx). I have users who telnet into this Linux box via the LAN and use minicom/dip to dial out on sl0 (ttyS0).
I want to set up a firewall on this server so that:

sl0:
All inbound requests on sl0 are denied.
All outbound requests on sl0 except telnet and ftp (port 20/21) are denied.

tr0:
All inbound requests on tr0 except telnet are denied.
All outbound requests on tr0 except telnet and ftp are denied.

Would like your thoughts and examples on this.
Question by:dbusher

16 Comments

LVL 51

Accepted Solution

by:
ahoffmann earned 100 total points
ID: 6377814
ipchains -A input -i sl0 -j DENY
ipchains -A output -i sl0 -p tcp -d any/0 ! 20:21 -j DENY
# similar for tr0
LVL 2

Author Comment

by:dbusher
ID: 6378560
In what file should this go so that it is in effect upon boot up?
LVL 51

Expert Comment

by:ahoffmann
ID: 6378745
Write a new rc-script started at boot.
I'm not familiar with RH, but usually this file is in /sbin/init.d or /etc/init.d; then you need a symlink to this file. See the README in the directory.
LVL 51

Expert Comment

by:ahoffmann
ID: 6378751
you may manage rc-scripts with rctab
LVL 5

Expert Comment

by:vsamtani
ID: 6379100
RedHat doesn't have rctab, I believe. The best place to put the ipchains commands is at the end of /etc/rc.d/init.d/rc.local; this is the last startup script to be executed.

Vijay
LVL 2

Author Comment

by:dbusher
ID: 6380778
I just put my ipchains statements right in that file? I'll give it a shot.
LVL 5

Expert Comment

by:BlackDiamond
ID: 6381212
If you want the rules to apply after you restart, just apply the rules on the command line like ahoffmann showed above. You can then save them for the RC scripts by typing "service ipchains save" after you have everything working the way you want. Voila...
LVL 2

Assisted Solution

by:ifincham
ifincham earned 100 total points
ID: 6385859
Hi,

Don't think it's quite as simple as that! When you allow outbound packets you also have to allow the related inbound packets. Also FTP is a bit more complex because there is a client-initiated connection on port 21 but then, for the data, an ftp-server-initiated session from the server's port 20 that you have to allow in.

Firstly, 'flush' the existing chains and set the defaults:

ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY


For telnet :

ipchains -A output -i tr0 -p tcp -d any/0 23 -j ACCEPT
ipchains -A input -i tr0 -p tcp ! -y -s any/0 23 -j ACCEPT

For 'normal mode' (not-passive) FTP ;

ipchains -A output -i tr0 -p tcp -d any/0 21 -j ACCEPT
ipchains -A input -i tr0 -p tcp ! -y -s any/0 21 -j ACCEPT
ipchains -A input -i tr0 -p tcp -s any/0 20 -d any/0 1024:65535 -j ACCEPT
ipchains -A output -i tr0 -p tcp ! -y -s any/0 1024:65535 -d any/0 20 -j ACCEPT

Obviously, I've just shown the rules for the token-ring interface above... (The '! -y' bit means check that SYN is not set, i.e. it's not an attempt to initiate a connection the other way round.)

On storing the rules...

'/sbin/service ipchains save' will place the output into  '/etc/sysconfig/ipchains'. Redhat have a sysv init script called ipchains so you would activate that by setting run-levels 2345 on via 'ntsysv' or even simpler by the following command (as root)

/sbin/chkconfig --level 2345 ipchains on

An alternative would be simply to place the rules in the '/etc/rc.d/rc.local' script which is the last script run in the normal redhat boot sequence.

Regards



LVL 2

Expert Comment

by:ifincham
ID: 6387583
Hi,

Actually just noticed there was a difference with the tr0 interface in that you wanted to allow inbound.

The following allows inbound telnet

ipchains -A input -i tr0 -p tcp -s any/0 1024:65535 -d any/0 23 -j ACCEPT
ipchains -A output -i tr0 -p tcp ! -y -s any/0 23 -d any/0 1024:65535 -j ACCEPT

Also in case you want passive ftp :

ipchains -A output -i tr0 -p tcp -s any/0 1024:65535 -d any/0 1024:65535 -j ACCEPT
ipchains -A input -i tr0 -p tcp ! -y -s any/0 1024:65535 -d any/0 1024:65535 -j ACCEPT

In fact, you'd be better off substituting 'any/0' for your actual IP address ... For example using 172.16.16.1 as your linux box..

ipchains -A output -i tr0 -p tcp -s 172.16.16.1 1024:65535 -d any/0 1024:65535 -j ACCEPT
ipchains -A input -i tr0 -p tcp ! -y -s any/0 1024:65535 -d 172.16.16.1 1024:65535 -j ACCEPT

Regards

LVL 2

Author Comment

by:dbusher
ID: 6391343
I will be away for 2 weeks. I will give each of these a shot when I return.  Sorry for the delay
LVL 2

Author Comment

by:dbusher
ID: 6539597
My 2 weeks turned out to be much longer. I will be in the office on the 23rd to give this a shot. If all goes well I will accept at the end of the week. Sorry for the delay and thanks for all the great help.
LVL 2

Author Comment

by:dbusher
ID: 6539607
ifincham, it looks like this will allow inbound AND outbound telnet on tr0. True? Or does the FLUSH take care of this? Thanks.
Also, how do I reject ALL inbound requests on my modem port ttyS0, which is sl0? Same type of commands? Sorry, I am a newbie at this.
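To check the two questions above against the thread's own rules, here is an added example (not from the thread or any of the posters): a small Python simulator of ipchains first-match semantics. It parses the subset of ipchains syntax used in ifincham's posts (-F, -P, and -A with -i, -p, -s/-d address [port|lo:hi], '! -y', -j), loads a rule set assembled from those posts for both tr0 and sl0, and evaluates constructed TCP packets against it. The box addresses (9.1.2.3 on tr0, 10.9.9.9 on sl0) and the peer addresses are constructed placeholders, not anything from the question.

```python
import ipaddress
import shlex

LINUX_TR0 = "9.1.2.3"    # constructed: the box's token-ring address
LINUX_SL0 = "10.9.9.9"   # constructed: the box's SLIP address once dialled out

# Rule set assembled from the thread's ipchains lines; sl0 mirrors the tr0 client rules.
RULES = f"""
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# tr0: telnet out and its non-SYN replies; telnet in from the LAN and our replies
ipchains -A output -i tr0 -p tcp -d any/0 23 -j ACCEPT
ipchains -A input -i tr0 -p tcp ! -y -s any/0 23 -j ACCEPT
ipchains -A input -i tr0 -p tcp -s any/0 1024:65535 -d {LINUX_TR0} 23 -j ACCEPT
ipchains -A output -i tr0 -p tcp ! -y -s {LINUX_TR0} 23 -d any/0 1024:65535 -j ACCEPT
# tr0: active-mode ftp: control to 21, data connection opened by the server from 20
ipchains -A output -i tr0 -p tcp -d any/0 21 -j ACCEPT
ipchains -A input -i tr0 -p tcp ! -y -s any/0 21 -j ACCEPT
ipchains -A input -i tr0 -p tcp -s any/0 20 -d {LINUX_TR0} 1024:65535 -j ACCEPT
ipchains -A output -i tr0 -p tcp ! -y -s {LINUX_TR0} 1024:65535 -d any/0 20 -j ACCEPT
# sl0: telnet and ftp out only; the active-ftp data rule is the one inbound opening
ipchains -A output -i sl0 -p tcp -d any/0 23 -j ACCEPT
ipchains -A input -i sl0 -p tcp ! -y -s any/0 23 -j ACCEPT
ipchains -A output -i sl0 -p tcp -d any/0 21 -j ACCEPT
ipchains -A input -i sl0 -p tcp ! -y -s any/0 21 -j ACCEPT
ipchains -A input -i sl0 -p tcp -s any/0 20 -d {LINUX_SL0} 1024:65535 -j ACCEPT
ipchains -A output -i sl0 -p tcp ! -y -s {LINUX_SL0} 1024:65535 -d any/0 20 -j ACCEPT
"""

def _net(spec):  # ipchains' any/0 is 0.0.0.0/0; a bare host address means /32
    spec = "0.0.0.0/0" if spec == "any/0" else spec
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32")

def _ports(spec):  # '23' -> (23, 23); '1024:65535' -> (1024, 65535)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def _parse_rule(argv, line):
    r = {"iface": None, "proto": None, "src": _net("any/0"), "sport": (0, 65535),
         "dst": _net("any/0"), "dport": (0, 65535), "syn": None, "target": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-i", "-p", "-j"):
            r[{"-i": "iface", "-p": "proto", "-j": "target"}[tok]] = argv[i + 1]; i += 2
        elif tok == "!" and argv[i + 1] == "-y":         # match only non-SYN (reply) packets
            r["syn"] = False; i += 2
        elif tok in ("-s", "-d"):
            side = "src" if tok == "-s" else "dst"
            r[side] = _net(argv[i + 1]); i += 2
            if i < len(argv) and argv[i][0].isdigit():   # optional port or lo:hi range
                r["sport" if side == "src" else "dport"] = _ports(argv[i]); i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    return r

def parse(script):
    """Turn ipchains command lines into (chain policies, chains of rules)."""
    policy = {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"}
    chains = {"input": [], "output": [], "forward": []}
    for line in script.splitlines():
        argv = shlex.split(line.split("#", 1)[0])[1:]   # drop comments and the 'ipchains' word
        if not argv:
            continue
        if argv[0] == "-F":                              # flush all built-in chains
            chains = {name: [] for name in chains}
        elif argv[0] == "-P":                            # default policy for a chain
            policy[argv[1]] = argv[2]
        elif argv[0] == "-A":
            chains[argv[1]].append(_parse_rule(argv[2:], line))
        else:
            raise ValueError(f"unsupported command: {line}")
    return policy, chains

def verdict(ruleset, chain, iface, src, sport, dst, dport, syn, proto="tcp"):
    """First matching rule wins, else the chain policy. syn=True is an initial SYN (what -y tests)."""
    policy, chains = ruleset
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chains[chain]:
        if (r["iface"] and r["iface"] != iface) or (r["proto"] and r["proto"] != proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if not (r["sport"][0] <= sport <= r["sport"][1] and r["dport"][0] <= dport <= r["dport"][1]):
            continue
        if r["syn"] is not None and r["syn"] != syn:
            continue
        return r["target"]
    return policy[chain]

def check_thread_cases():
    """Constructed packets for the situations the thread discusses; returns name -> verdict."""
    rs, lan, remote = parse(RULES), "9.5.5.5", "192.0.2.7"   # constructed peer addresses
    return {
        "tr0_telnet_in_syn":    verdict(rs, "input", "tr0", lan, 40000, LINUX_TR0, 23, True),
        "tr0_telnet_in_reply":  verdict(rs, "output", "tr0", LINUX_TR0, 23, lan, 40000, False),
        "tr0_telnet_out_syn":   verdict(rs, "output", "tr0", LINUX_TR0, 40001, "9.6.6.6", 23, True),
        "tr0_telnet_out_reply": verdict(rs, "input", "tr0", "9.6.6.6", 23, LINUX_TR0, 40001, False),
        "tr0_ssh_in":           verdict(rs, "input", "tr0", lan, 40002, LINUX_TR0, 22, True),
        "sl0_telnet_in_syn":    verdict(rs, "input", "sl0", remote, 40003, LINUX_SL0, 23, True),
        "sl0_syn_from_port_23": verdict(rs, "input", "sl0", remote, 23, LINUX_SL0, 40004, True),
        "sl0_ftp_data_in":      verdict(rs, "input", "sl0", remote, 20, LINUX_SL0, 40005, True),
    }

if __name__ == "__main__":
    for name, result in check_thread_cases().items():
        print(f"{name:22s} {result}")
```

Running it shows that the flush does not change the answer: telnet is accepted in both directions on tr0 because there are explicit rules for each direction plus their replies, while on sl0 a new telnet connection from the far side hits the DENY policy since only non-SYN replies from port 23 are admitted (a fresh SYN arriving with source port 23 is rejected by the '! -y' match). The one inbound connection the rules do admit on either interface is the active-mode FTP data connection from the server's port 20 into the unprivileged port range, which is exactly the opening ifincham describes; passive-mode FTP, where the client opens the data connection too, does not need it.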
Expert Comment

by:CleanupPing
ID: 9078704
dbusher:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
LVL 51

Expert Comment

by:ahoffmann
ID: 9124759
Except for a typo (should be -o instead of -i in the second rule), my very first suggestion is still valid.
LVL 7

Expert Comment

by:troopern
ID: 9984901
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split between ahoffmann & ifincham.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

troopern
EE Cleanup Volunteer