
Secure a RH71-server with ipchains

Posted on 2004-04-06
Last Modified: 2010-05-18
Situation description:
======================
Internet connection is ADSL.
External interface to internet is 'ppp0' (eth0 is the connection to the ADSL-modem)
LAN interface  is 'eth1'

            (  Internet  )
                |
                |
            +---+----+ ppp0, a.b.c.d
            |  PC00  |
            +---+----+ eth1, 192.168.4.1
                |  
                |
          +-------+-------+
          |               |
      +---+----+      +---+----+
      |  PC01  |      |  PC02  |
      +--------+      +--------+
      192.168.4.2     192.168.4.2

Goal:
=====
Internet sharing with the following restrictions:
- no client on the LAN may retrieve POP3 mail from servers outside the LAN
- no client on the LAN may use another SMTP server than PC00
- block spoofed ips on ppp0 (no 192.168.4.0 addresses on ppp0)
No further limitations for the clients.

Server (PC00) acts as :
- a webserver
- ssh-server.
- mailserver (a system account retrieves mail from outside the LAN to distribute to other users on PC00)
Must be pingable.

I tried with the following script. Something goes wrong but I can't pinpoint the problem:
#!/bin/sh
# Topology: ppp0 = Internet, eth1 = LAN 192.168.4.0/24, PC00 = 192.168.4.1.
# ipchains semantics that matter here: in the forward chain -i is the
# interface the packet will LEAVE on ("-i ppp0" = LAN->Internet), and every
# incoming packet, forwarded ones included, traverses the input chain first.
# The original dispatched the input chain on "-d 192.168.4.0/24", which sent
# all LAN->Internet packets to inet-if, where nothing matched and they were
# denied; dispatching on the arriving interface fixes that.

# Clean slate and default-deny.
ipchains -F
ipchains -X
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT

ipchains -N lan-inet
ipchains -N inet-lan
ipchains -N icmp-acc
ipchains -N inet-if
ipchains -N lan-if

# Loopback is trusted; local mail delivery and the resolver need it.
ipchains -A input -i lo -j ACCEPT
# Input chain: dispatch on the interface the packet arrived on.
ipchains -A input -i eth1 -j lan-if
ipchains -A input -i ppp0 -j inet-if
ipchains -A input -j DENY -l

# Forward chain: dispatch on the interface the packet will leave on.
ipchains -A forward -s 192.168.4.0/24 -i ppp0 -j lan-inet
ipchains -A forward -i eth1 -j inet-lan
ipchains -A forward -j DENY -l

# ICMP errors we accept from the Internet.
ipchains -A icmp-acc -p ICMP --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p ICMP --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p ICMP --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p ICMP --icmp-type parameter-problem -j ACCEPT

# LAN -> Internet: no SMTP or POP3 outside the LAN (PC00's own SMTP is
# reached via the input chain, not forward); everything else is masqueraded.
ipchains -A lan-inet -p TCP --dport smtp -j REJECT -l
ipchains -A lan-inet -p TCP --dport pop3 -j REJECT -l
ipchains -A lan-inet -j MASQ

# Internet -> LAN: no new connections to internal machines. Replies to
# masqueraded connections are de-masqueraded after the input chain and
# never traverse forward, so this does not break outgoing connections.
ipchains -A inet-lan -j REJECT -l

# Arriving on eth1: only LAN source addresses, then full access to PC00.
ipchains -A lan-if -s ! 192.168.4.0/24 -j DENY -l
ipchains -A lan-if -j ACCEPT

# Arriving on ppp0. Anti-spoofing first: our own prefix and loopback can
# never legitimately come from the Internet.
ipchains -A inet-if -s 192.168.4.0/24 -j DENY -l
ipchains -A inet-if -s 127.0.0.0/8 -j DENY -l
# Replies to masqueraded LAN connections (the kernel's masquerade port range).
ipchains -A inet-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A inet-if -p UDP --dport 61000:65095 -j ACCEPT
# Replies to PC00's own connections (POP3 retrieval, DNS). ipchains has no
# connection tracking, so the best it can do is accept non-SYN TCP and DNS
# answers; this is the classic ipchains weakness that iptables' state
# matching removes.
ipchains -A inet-if -p TCP ! -y -j ACCEPT
ipchains -A inet-if -p UDP --sport domain -j ACCEPT
# Services PC00 offers to the Internet ("web" is not an /etc/services name,
# "http" is) and ping in both directions.
ipchains -A inet-if -p TCP --dport http -j ACCEPT
ipchains -A inet-if -p TCP --dport ssh -j ACCEPT
ipchains -A inet-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A inet-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A inet-if -j icmp-acc
ipchains -A inet-if -j DENY -l

Can anyone help me out?
Question by:ping0621
Accepted Solution by: jlevie (earned 200 total points)
ID: 10767041
You'd really be better off using iptables, since it includes stateful inspection. Assuming that your 7.1 system was up to date at the point that RedHat stopped supporting 7.1 in December, you should have a functional iptables environment. An iptables rule set that will satisfy your requirements is below. I think I have it set up correctly for your LAN, but it is pretty heavily commented and you should be able to figure out how to use/modify it.

#!/bin/sh
#
# Save this in root's home directory as iptables-gw and make it executable
# with 'chmod +x iptables-gw'. Then to install the rule set simply run it
# with './iptables-gw'.

# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'service iptables save' for RedHat to reinstate at
# the next boot, IP forwarding must be enabled by something other than this
# script for production use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it to change the rulesets,
# rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=ppp0
INSIDE=eth1
INSIDE_IP=192.168.4.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use  NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# To Statically NAT an outside IP (1.2.3.4) to an inside IP (10.0.0.2) you'd
# do something like:
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -d 1.2.3.4 -j DNAT --to-destination 10.0.0.2
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 10.0.0.2 -j SNAT --to-source 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# Block access from inside clients to IMAP, POP, and SMTP servers on the
# Internet and log the events.
#
$IPT -A FORWARD -p tcp --dport 25 -j firewalled
$IPT -A FORWARD -p tcp --dport 110 -j firewalled
$IPT -A FORWARD -p tcp --dport 143 -j firewalled
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# The following line is enabled because the inside machines are treated as
# trustworthy and there are services on the firewall (SMTP on PC00, web,
# etc.) that they need to access. Comment it out if that is not wanted, and
# remember that INSIDE_IP must be the IP of the INSIDE interface of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
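Two of the question's requirements are left to the environment rather than to a rule in the accepted answer: nothing drops packets that arrive on ppp0 carrying a 192.168.4.0/24 source address (the stated anti-spoofing goal), and the FORWARD policy is ACCEPT, so new connections from the Internet to LAN hosts are stopped only because the prefix is not routable. The following is an added example, not jlevie's script or anything else posted in this thread: it emits a ruleset for the same topology in iptables-restore format with those two points covered, plus a small lint that refuses to load a ruleset lacking them. Interface names and addresses come from the question; the function names and the three lint checks are my own choice.

```shell
#!/bin/sh
# Added example (not the accepted answer's script): build an iptables-restore
# ruleset for ping0621's PC00 and lint it before loading. Names below
# (gen_rules, check_ruleset, load_rules) are this example's own.

OUTSIDE=ppp0
INSIDE=eth1
LAN=192.168.4.0/24
INSIDE_IP=192.168.4.1

# Print the complete ruleset in iptables-save format on stdout.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade the LAN only; a rule with just "-o ppp0" would also NAT anything
# spoofed or routed in from elsewhere.
-A POSTROUTING -s $LAN -o $OUTSIDE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Goal 3: the LAN prefix (or loopback) never arrives legitimately on ppp0.
-A INPUT -i $OUTSIDE -s $LAN -j DROP
-A INPUT -i $OUTSIDE -s 127.0.0.0/8 -j DROP
-A FORWARD -i $OUTSIDE -s $LAN -j DROP
# Replies to connections PC00 or the LAN opened (PC00's own POP3 retrieval
# leaves via OUTPUT and comes back here). RELATED also covers the ICMP
# error types the question's icmp-acc chain accepted.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients may talk to PC00 itself, which is where their SMTP goes (goal 2).
-A INPUT -i $INSIDE -s $LAN -d $INSIDE_IP -j ACCEPT
# Services PC00 offers to the Internet: ssh, web, rate-limited ping.
-A INPUT -i $OUTSIDE -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
-A INPUT -i $OUTSIDE -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
-A INPUT -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
-A INPUT -j DROP
# Goals 1 and 2: no SMTP/POP3/IMAP from the LAN to anything beyond PC00.
# A TCP reset makes the mail client fail at once instead of hanging.
-A FORWARD -i $INSIDE -s $LAN -p tcp -m multiport --dports 25,110,143 -m limit --limit 15/minute -j LOG --log-prefix "MailBlock: "
-A FORWARD -i $INSIDE -s $LAN -p tcp -m multiport --dports 25,110,143 -j REJECT --reject-with tcp-reset
# Everything else from the LAN goes out; with FORWARD policy DROP nothing
# new reaches the LAN unless a rule says so.
-A FORWARD -i $INSIDE -s $LAN -o $OUTSIDE -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin. Returns 0 if all three properties hold,
# 1 otherwise. The accepted answer's ruleset fails the first two.
check_ruleset() {
    rules=$(cat)
    # 1. FORWARD must default to DROP.
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    # 2. Anti-spoof rule for the LAN prefix on the outside interface, both chains.
    for chain in INPUT FORWARD; do
        printf '%s\n' "$rules" | grep -q -- "^-A $chain -i $OUTSIDE -s $LAN -j DROP" || return 1
    done
    # 3. Every MASQUERADE rule must be restricted to the LAN source.
    if printf '%s\n' "$rules" | grep -- '^-A .*-j MASQUERADE' | grep -qv -- "-s $LAN"; then
        return 1
    fi
    return 0
}

# Load only if the lint passes. iptables-restore replaces the tables
# atomically, so a parse error leaves the running ruleset untouched.
# Needs root; not executed by the examples below.
load_rules() {
    gen_rules | check_ruleset || { echo "ruleset failed lint" >&2; return 1; }
    gen_rules | iptables-restore
}
```

Run `gen_rules | check_ruleset && gen_rules | sudo iptables-restore` to install it; recent iptables versions also accept `iptables-restore --test` for a parse-only dry run. As defence in depth for the anti-spoofing goal, set `net.ipv4.conf.ppp0.rp_filter = 1` in /etc/sysctl.conf alongside the ip_forward setting jlevie mentions, so the kernel drops such packets even if a rule is later edited out.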
Author Comment by: ping0621
ID: 10778808
I think my iptables are not correctly updated.
[root@pc00 root]# iptables -L
/lib/modules/2.4.20-28.7/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.
      You may find more information in syslog or the output from dmesg
/lib/modules/2.4.20-28.7/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-28.7/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.20-28.7/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Or is this normal because I'm using ipchains for the moment?
If not, I think I have enough info to build my ipchains rules more or less like iptables.
Give me a few days to check (I got some bad news today); if I succeed you'll get the promised points.
Expert Comment by: jlevie
ID: 10779625
> /lib/modules/2.4.20-28.7/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy

That error occurs because the ipchains modules are loaded. Execute 'chkconfig ipchains off' followed by 'service ipchains stop', followed by 'lsmod' and 'modprobe -r module-name' for any ipchains modules still loaded or reboot after disabling ipchains startup at boot.
Author Comment by: ping0621
ID: 10828196
The script is PERFECT.
Now I must check the VPN rules again because these were written with ipchains.
The script gave me the idea of how to write stricter rules. THX