Solved

iptables/shorewall: how to set up so no visibility from outside?

Posted on 2006-06-22
Last Modified: 2008-01-09
Trying to set up a host on a network so that it looks like an open wire to everything else on said network. I'm using iptables with shorewall.

I have it set up so that there is no answer (DROP) to the usual nmap scans, but there is still some information leakage because nmap can still determine the MAC.

Here are the details. First are the nmap responses. Next are the pertinent shorewall rules. Last is an iptables -L listing.

~ # nmap -sS -O 192.168.0.54

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-06-22 15:55 AKDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 47.564 seconds

~ # nmap -P0 192.168.0.54

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-06-22 15:53 AKDT
All 1672 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 35.595 seconds

~ # nmap -sT -O -p1-65535 192.168.0.54

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-06-22 10:51 AKDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 65535 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 1332.545 seconds


-------------------------------------------------------------

[root@netmon ~]# cd /etc/shorewall/
[root@netmon shorewall]# cat zones interfaces policy rules
#
# Shorewall version 3.0 - Zones File
#
# /etc/shorewall/zones
#
#       This file determines your network zones.
#
#       WARNING: The format of this file changed in Shorewall 3.0.0. You can
#                continue to use your old records provided that you set
#                IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
#                signal Shorewall that the IPSEC-related zone options are
#                still specified in /etc/shorewall/ipsec rather than in this
#                file.
#
#                To use records in the format described below, you must have
#                IPSECFILE=zones specified in /etc/shorewall/shorewall.conf.
#
# Columns are:
#
#       ZONE    Short name of the zone (5 Characters or less in length).
#               The names "all" and "none" are reserved and may not be
#               used as zone names.
#
#               Where a zone is nested in one or more other zones,
#               you may follow the (sub)zone name by ":" and a
#               comma-separated list of the parent zones. The parent
#               zones must have been defined in earlier records in this
#               file.
#
#               Example:
#
#                       #ZONE     TYPE     OPTIONS
#                       a         ipv4
#                       b         ipv4
#                       c:a,b     ipv4
#
#               Currently, Shorewall uses this information only to reorder the
#               zone list so that parent zones appear after their subzones in
#               the list. In the future, Shorewall may make more extensive use
#               of that information.
#
#       TYPE    ipv4 -  This is the standard Shorewall zone type and is the
#                       default if you leave this column empty or if you enter
#                       "-" in the column. Communication with some zone hosts
#                       may be encrypted. Encrypted hosts are designated using
#                       the 'ipsec' option in /etc/shorewall/hosts.
#               ipsec - Communication with all zone hosts is encrypted
#                       Your kernel and iptables must include policy
#                       match support.
#               firewall
#                     - Designates the firewall itself. You must have
#                       exactly one 'firewall' zone. No options are
#                       permitted with a 'firewall' zone. The name that you
#                       enter in the ZONE column will be stored in the shell
#                       variable $FW which you may use in other configuration
#                       files to designate the firewall zone.
#
#       OPTIONS,        A comma-separated list of options as follows:
#       IN OPTIONS,
#       OUT OPTIONS     reqid=<number> where <number> is specified
#                       using setkey(8) using the 'unique:<number>
#                       option for the SPD level.
#
#                       spi=<number> where <number> is the SPI of
#                       the SA used to encrypt/decrypt packets.
#
#                       proto=ah|esp|ipcomp
#
#                       mss=<number> (sets the MSS field in TCP packets)
#
#                       mode=transport|tunnel
#
#                       tunnel-src=<address>[/<mask>] (only
#                       available with mode=tunnel)
#
#                       tunnel-dst=<address>[/<mask>] (only
#                       available with mode=tunnel)
#
#                       strict  Means that packets must match all rules.
#
#                       next    Separates rules; can only be used with
#                               strict.
#
#               Example:
#                       mode=transport,reqid=44
#
#       The options in the OPTIONS column are applied to both incoming
#       and outgoing traffic. The IN OPTIONS are applied to incoming
#       traffic (in addition to OPTIONS) and the OUT OPTIONS are
#       applied to outgoing traffic.
#
#       If you wish to leave a column empty but need to make an entry
#       in a following column, use "-".
#------------------------------------------------------------------------------
# Example zones:
#
#       You have a three interface firewall with internet, local and DMZ
#       interfaces.
#
#       #ZONE   TYPE            OPTIONS         IN                      OUT
#       #                                       OPTIONS                 OPTIONS
#       fw      firewall
#       net     ipv4
#       loc     ipv4
#       dmz     ipv4
#
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
LANA    ipv4
LANB    ipv4
PCLAN   ipv4
MGMT    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.0 - Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the name of a
#                       zone defined in /etc/shorewall/zones. You may not
#                       list the firewall zone in this column.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#                       If there are multiple interfaces to the same zone,
#                       you must list them in separate entries:
#
#                       Example:
#
#                               loc     eth1    -
#                               loc     eth2    -
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       http://www.shorewall.net/FAQ.htm#faq18
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'.
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, and you must have iproute
#                       installed.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp         - Specify this option when any of
#                                      the following are true:
#                                      1. the interface gets its IP address
#                                         via DHCP
#                                      2. the interface is used by
#                                         a DHCP server running on the firewall
#                                      3. you have a static IP but are on a LAN
#                                         segment with lots of Laptop DHCP
#                                         clients.
#                                      4. the interface is a bridge with
#                                         a DHCP server on one port and DHCP
#                                         clients on another port.
#
#                       norfc1918    - This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by RFC 1918
#                                      (i.e., private or "non-routable"
#                                      addresses). If packet mangling or
#                                      connection-tracking match is enabled in
#                                      your kernel, packets whose destination
#                                      addresses are reserved by RFC 1918 are
#                                      also rejected.
#
#                       routefilter  - turn on kernel route filtering for this
#                                      interface (anti-spoofing measure). This
#                                      option can also be enabled globally in
#                                      the /etc/shorewall/shorewall.conf file.
#
#                       logmartians  - turn on kernel martian logging (logging
#                                      of packets with impossible source
#                                      addresses). It is suggested that if you
#                                      set routefilter on an interface that
#                                      you also set logmartians. This option
#                                      may also be enabled globally in the
#                                      /etc/shorewall/shorewall.conf file.
#
#                       blacklist    - Check packets arriving on this interface
#                                      against the /etc/shorewall/blacklist
#                                      file.
#
#                       maclist      - Connection requests from this interface
#                                      are compared against the contents of
#                                      /etc/shorewall/maclist. If this option
#                                      is specified, the interface must be
#                                      an ethernet NIC and must be up before
#                                      Shorewall is started.
#
#                       tcpflags     - Packets arriving on this interface are
#                                      checked for certain illegal combinations
#                                      of TCP flags. Packets found to have
#                                      such a combination of flags are handled
#                                      according to the setting of
#                                      TCP_FLAGS_DISPOSITION after having been
#                                      logged according to the setting of
#                                      TCP_FLAGS_LOG_LEVEL.
#
#                       proxyarp     -
#                               Sets
#                               /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                               Do NOT use this option if you are
#                               employing Proxy ARP through entries in
#                               /etc/shorewall/proxyarp. This option is
#                               intended solely for use with Proxy ARP
#                               sub-networking as described at:
#                               http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#                       routeback    - If specified, indicates that Shorewall
#                                      should include rules that allow
#                                      filtering traffic arriving on this
#                                      interface back out that same interface.
#
#                       arp_filter   - If specified, this interface will only
#                                      respond to ARP who-has requests for IP
#                                      addresses configured on the interface.
#                                      If not specified, the interface can
#                                      respond to ARP who-has requests for
#                                      IP addresses on any of the firewall's
#                                      interface. The interface must be up
#                                      when Shorewall is started.
#
#                       arp_ignore[=<number>]
#                                    - If specified, this interface will
#                                      respond to arp requests based on the
#                                      value of <number>.
#
#                                      1 - reply only if the target IP address
#                                      is local address configured on the
#                                      incoming interface
#
#                                      2 - reply only if the target IP address
#                                      is local address configured on the
#                                      incoming interface and both with the
#                                      sender's IP address are part from same
#                                      subnet on this interface
#
#                                      3 - do not reply for local addresses
#                                      configured with scope host, only
#                                      resolutions for global and link
#                                      addresses are replied
#
#                                      4-7 - reserved
#
#                                      8 - do not reply for all local
#                                      addresses
#
#                                      If no <number> is given then the value
#                                      1 is assumed
#
#                                      WARNING -- DO NOT SPECIFY arp_ignore
#                                      FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
#                       nosmurfs     - Filter packets for smurfs
#                                      (packets with a broadcast
#                                      address as the source).
#
#                                      Smurfs will be optionally logged based
#                                      on the setting of SMURF_LOG_LEVEL in
#                                      shorewall.conf. After logging, the
#                                      packets are dropped.
#
#                       detectnets   - Automatically tailors the zone named
#                                      in the ZONE column to include only those
#                                      hosts routed through the interface.
#
#                       upnp         - Incoming requests from this interface
#                                      may be remapped via UPNP (upnpd).
#
#                       WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                                INTERNET INTERFACE.
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
#       Example 1:      Suppose you have eth0 connected to a DSL modem and
#                       eth1 connected to your local network and that your
#                       local subnet is 192.168.1.0/24. The interface gets
#                       its IP address via DHCP from subnet
#                       206.191.149.192/27. You have a DMZ with subnet
#                       192.168.2.0/24 using eth2.
#
#                       Your entries for this setup would look like:
#
#                       net     eth0    206.191.149.223 dhcp
#                       local   eth1    192.168.1.255
#                       dmz     eth2    192.168.2.255
#
#       Example 2:      The same configuration without specifying broadcast
#                       addresses is:
#
#                       net     eth0    detect          dhcp
#                       loc     eth1    detect
#                       dmz     eth2    detect
#
#       Example 3:      You have a simple dial-in system with no ethernet
#                       connections.
#
#                       net     ppp0    -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
LANA    eth0
LANB    eth1
PCLAN   eth2
MGMT    eth3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.0 - Policy File
#
# /etc/shorewall/policy
#
#                    THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#       This file determines what to do with a new connection request if we
#       don't get a match from the /etc/shorewall/rules file . For each
#       source/destination pair, the file is processed in order until a
#       match is found ("all" will match any client or server).
#
#                       INTRA-ZONE POLICIES ARE PRE-DEFINED
#
#       For $FW and for all of the zones defined in /etc/shorewall/zones,
#       the POLICY for connections from the zone to itself is ACCEPT (with no
#       logging or TCP connection rate limiting) but may be overridden by an
#       entry in this file. The overriding entry must be explicit (cannot use
#       "all" in the SOURCE or DEST).
#
# Columns are:
#
#       SOURCE          Source zone. Must be the name of a zone defined
#                       in /etc/shorewall/zones, $FW or "all".
#
#       DEST            Destination zone. Must be the name of a zone defined
#                       in /etc/shorewall/zones, $FW or "all"
#
#       POLICY          Policy if no match from the rules file is found. Must
#                       be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
#                       ACCEPT          - Accept the connection
#                       DROP            - Ignore the connection request
#                       REJECT          - For TCP, send RST. For all other,
#                                         send "port unreachable" ICMP.
#                       QUEUE           - Send the request to a user-space
#                                         application using the QUEUE target.
#                       CONTINUE        - Pass the connection request past
#                                         any other rules that it might also
#                                         match (where the source or
#                                         destination zone in those rules is
#                                         a superset of the SOURCE or DEST
#                                         in this policy).
#                       NONE            - Assume that there will never be any
#                                         packets from this SOURCE
#                                         to this DEST. Shorewall will not set
#                                         up any infrastructure to handle such
#                                         packets and you may not have any
#                                         rules with this SOURCE and DEST in
#                                         the /etc/shorewall/rules file. If
#                                         such a packet _is_ received, the
#                                         result is undefined. NONE may not be
#                                         used if the SOURCE or DEST columns
#                                         contain the firewall zone ($FW) or
#                                         "all".
#
#                       If this column contains ACCEPT, DROP or REJECT and a
#                       corresponding common action is defined in
#                       /etc/shorewall/actions (or
#                       /usr/share/shorewall/actions.std) then that action
#                       will be invoked before the policy named in this column
#                       is enforced.
#
#       LOG LEVEL       If supplied, each connection handled under the default
#                       POLICY is logged at that level. If not supplied, no
#                       log message is generated. See syslog.conf(5) for a
#                       description of log levels.
#
#                       Beginning with Shorewall version 1.3.12, you may
#                       also specify ULOG (must be in upper case). This will
#                       log to the ULOG target and sent to a separate log
#                       through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       If you don't want to log but need to specify the
#                       following column, place "-" here.
#
#       LIMIT:BURST     If passed, specifies the maximum TCP connection rate
#                       and the size of an acceptable burst. If not specified,
#                       TCP connections are not limited.
#
#       Example:
#
#       a) All connections from the local network to the internet are allowed
#       b) All connections from the internet are ignored but logged at syslog
#          level KERNEL.INFO.
#       c) All other connection requests are rejected and logged at level
#          KERNEL.INFO.
#
#       #SOURCE         DEST            POLICY          LOG
#       #                                               LEVEL
#       loc             net             ACCEPT
#       net             all             DROP            info
#       #
#       # THE FOLLOWING POLICY MUST BE LAST
#       #
#       all             all             REJECT          info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW     all     DROP
all     $FW     DROP
all     all     DROP
$FW     MGMT    DROP
MGMT    $FW     DROP
all     MGMT    DROP
MGMT    all     DROP
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 3.0 - Rules File
#
# /etc/shorewall/rules
#
#       Rules in this file govern connection establishment. Requests and
#       responses are automatically allowed using connection tracking. For any
#       particular (source,dest) pair of zones, the rules are evaluated in the
#       order in which they appear in this file and the first match is the one
#       that determines the disposition of the request.
#
#       In most places where an IP address or subnet is allowed, you
#       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#       indicate that the rule matches all addresses except the address/subnet
#       given. Notice that no white space is permitted between "!" and the
#       address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
#          you cannot use an ACCEPT rule to allow traffic from the internet to
#          that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
#       ESTABLISHED             Packets in the ESTABLISHED state are processed
#                               by rules in this section.
#
#                               The only ACTIONs allowed in this section are
#                               ACCEPT, DROP, REJECT, LOG and QUEUE
#
#                               There is an implicit ACCEPT rule inserted
#                               at the end of this section.
#
#       RELATED                 Packets in the RELATED state are processed by
#                               rules in this section.
#
#                               The only ACTIONs allowed in this section are
#                               ACCEPT, DROP, REJECT, LOG and QUEUE
#
#                               There is an implicit ACCEPT rule inserted
#                               at the end of this section.
#
#       NEW                     Packets in the NEW and INVALID states are
#                               processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
#          ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
#       comfortable with the differences between the various connection
#       tracking states, then I suggest that you omit the ESTABLISHED and
#       RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
#       ACTION          ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
#                       LOG, QUEUE or an <action>.
#
#                               ACCEPT   -- allow the connection request
#                               ACCEPT+  -- like ACCEPT but also excludes the
#                                           connection from any subsequent
#                                           DNAT[-] or REDIRECT[-] rules
#                               NONAT    -- Excludes the connection from any
#                                           subsequent DNAT[-] or REDIRECT[-]
#                                           rules but doesn't generate a rule
#                                           to accept the traffic.
#                               DROP     -- ignore the request
#                               REJECT   -- disallow the request and return an
#                                           icmp-unreachable or an RST packet.
#                               DNAT     -- Forward the request to another
#                                           system (and optionally another
#                                           port).
#                               DNAT-    -- Advanced users only.
#                                           Like DNAT but only generates the
#                                           DNAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               SAME     -- Similar to DNAT except that the
#                                           port may not be remapped and when
#                                           multiple server addresses are
#                                           listed, all requests from a given
#                                           remote system go to the same
#                                           server.
#                               SAME-    -- Advanced users only.
#                                           Like SAME but only generates the
#                                           NAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               REDIRECT -- Redirect the request to a local
#                                           port on the firewall.
#                               REDIRECT-
#                                        -- Advanced users only.
#                                           Like REDIRECT but only generates the
#                                           REDIRECT iptables rule and not
#                                           the companion ACCEPT rule.
#
#                               CONTINUE -- (For experts only). Do not process
#                                           any of the following rules for this
#                                           (source zone,destination zone). If
#                                           The source and/or destination IP
#                                           address falls into a zone defined
#                                           later in /etc/shorewall/zones, this
#                                           connection request will be passed
#                                           to the rules defined for that
#                                           (those) zone(s).
#                               LOG      -- Simply log the packet and continue.
#                               QUEUE    -- Queue the packet to a user-space
#                                           application such as ftwall
#                                           (http://p2pwall.sf.net).
#                               <action> -- The name of an action defined in
#                                           /etc/shorewall/actions or in
#                                           /usr/share/shorewall/actions.std.
#                               <macro>  -- The name of a macro defined in a
#                                           file named macro.<macro-name>. If
#                                           the macro accepts an action
#                                           parameter (Look at the macro
#                                           source to see if it has PARAM in
#                                           the TARGET column) then the macro
#                                           name is followed by "/" and the
#                                           action (ACCEPT, DROP, REJECT, ...)
#                                           to be substituted for the
#                                           parameter. Example: FTP/ACCEPT.
#
#                       The ACTION may optionally be followed
#                       by ":" and a syslog log level (e.g, REJECT:info or
#                       DNAT:debug). This causes the packet to be
#                       logged at the specified level.
#
#                       If the ACTION names an action defined in
#                       /etc/shorewall/actions or in
#                       /usr/share/shorewall/actions.std then:
#
#                       - If the log level is followed by "!" then all rules
#                         in the action are logged at the log level.
#
#                       - If the log level is not followed by "!" then only
#                         those rules in the action that do not specify
#                         logging are logged at the specified level.
#
#                       - The special log level 'none!' suppresses logging
#                         by the action.
#
#                       You may also specify ULOG (must be in upper case) as a
#                       log level. This will log to the ULOG target for routing
#                       to a separate log through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       Actions specifying logging may be followed by a
#                       log tag (a string of alphanumeric characters) that
#                       is appended to the string generated by the
#                       LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#                       Example: ACCEPT:info:ftp would include 'ftp '
#                       at the end of the log prefix generated by the
#                       LOGPREFIX setting.
#
#       SOURCE          Source hosts to which the rule applies. May be a zone
#                       defined in /etc/shorewall/zones, $FW to indicate the
#                       firewall itself, "all", "all+" or "none". If the ACTION
#                       is DNAT or REDIRECT, sub-zones of the specified zone
#                       may be excluded from the rule by following the zone
#                       name with "!" and a comma-separated list of sub-zone
#                       names.
#
#                       When "none" is used either in the SOURCE or DEST
#                       column, the rule is ignored.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. When "all+" is
#                       used, intra-zone traffic is affected.
#
#                       Except when "all[+]" is specified, clients may be
#                       further restricted to a list of subnets and/or hosts by
#                       appending ":" and a comma-separated list of subnets
#                       and/or hosts. Hosts may be specified by IP or MAC
#                       address; mac addresses must begin with "~" and must use
#                       "-" as a separator.
#
#                       Hosts may be specified as an IP address range using the
#                       syntax <low address>-<high address>. This requires that
#                       your kernel and iptables contain iprange match support.
#                       If your kernel and iptables have ipset match support
#                       then you may give the name of an ipset prefaced by "+".
#                       The ipset name may be optionally followed by a number
#                       from 1 to 6 enclosed in square brackets ([]) to
#                       indicate the number of levels of source bindings to be
#                       matched.
#
#                       dmz:192.168.2.2         Host 192.168.2.2 in the DMZ
#
#                       net:155.186.235.0/24    Subnet 155.186.235.0/24 on the
#                                               Internet
#
#                       loc:192.168.1.1,192.168.1.2
#                                               Hosts 192.168.1.1 and
#                                               192.168.1.2 in the local zone.
#                       loc:~00-A0-C9-15-39-78  Host in the local zone with
#                                               MAC address 00:A0:C9:15:39:78.
#
#                       net:192.0.2.11-192.0.2.17
#                                               Hosts 192.0.2.11-192.0.2.17 in
#                                               the net zone.
#
#                       Alternatively, clients may be specified by interface
#                       by appending ":" to the zone name followed by the
#                       interface name. For example, loc:eth1 specifies a
#                       client that communicates with the firewall system
#                       through eth1. This may be optionally followed by
#                       another colon (":") and an IP/MAC/subnet address
#                       as described above (e.g., loc:eth1:192.168.1.5).
#
#       DEST            Location of Server. May be a zone defined in
#                       /etc/shorewall/zones, $FW to indicate the firewall
#                       itself, "all", "all+" or "none".
#
#                       When "none" is used either in the SOURCE or DEST
#                       column, the rule is ignored.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. When "all+" is
#                       used, intra-zone traffic is affected.
#
#                       Except when "all[+]" is specified, the server may be
#                       further restricted to a particular subnet, host or
#                       interface by appending ":" and the subnet, host or
#                       interface. See above.
#
#                               Restrictions:
#
#                               1. MAC addresses are not allowed.
#                               2. In DNAT rules, only IP addresses are
#                                  allowed; no FQDNs or subnet addresses
#                                  are permitted.
#                               3. You may not specify both an interface and
#                                  an address.
#
#                       Like in the SOURCE column, you may specify a range of
#                       up to 256 IP addresses using the syntax
#                       <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
#                       the connections will be assigned to addresses in the
#                       range in a round-robin fashion.
#
#                       If your kernel and iptables have ipset match support
#                       then you may give the name of an ipset prefaced by "+".
#                       The ipset name may be optionally followed by a number
#                       from 1 to 6 enclosed in square brackets ([]) to
#                       indicate the number of levels of destination bindings
#                       to be matched. Only one of the SOURCE and DEST columns
#                       may specify an ipset name.
#
#                       The port that the server is listening on may be
#                       included and separated from the server's IP address by
#                       ":". If omitted, the firewall will not modify the
#                       destination port. A destination port may only be
#                       included if the ACTION is DNAT or REDIRECT.
#
#                       Example: loc:192.168.1.3:3128 specifies a local
#                       server at IP address 192.168.1.3 and listening on port
#                       3128. The port number MUST be specified as an integer
#                       and not as a name from /etc/services.
#
#                       If the ACTION is REDIRECT, this column needs only to
#                       contain the port number on the firewall that the
#                       request should be redirected to.
#
#       PROTO           Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
#                       "ipp2p:udp", "ipp2p:all" a number, or "all".
#                       "ipp2p*" requires ipp2p match support in your kernel
#                       and iptables.
#
#       DEST PORT(S)    Destination Ports. A comma-separated list of Port
#                       names (from /etc/services), port numbers or port
#                       ranges; if the protocol is "icmp", this column is
#                       interpreted as the destination icmp-type(s).
#
#                       If the protocol is ipp2p, this column is interpreted
#                       as an ipp2p option without the leading "--" (example
#                       "bit" for bit-torrent). If no port is given, "ipp2p" is
#                       assumed.
#
#                       A port range is expressed as <low port>:<high port>.
#
#                       This column is ignored if PROTOCOL = all but must be
#                       entered if any of the following fields are supplied.
#                       In that case, it is suggested that this field contain
#                        "-"
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the CLIENT PORT(S) list below:
#                       1. There are 15 or less ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       CLIENT PORT(S)  (Optional) Port(s) used by the client. If omitted,
#                       any source port is acceptable. Specified as a comma-
#                       separated list of port names, port numbers or port
#                       ranges.
#
#                       If you don't want to restrict client ports but need to
#                       specify an ORIGINAL DEST in the next column, then
#                       place "-" in this column.
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the DEST PORT(S) list above:
#                       1. There are 15 or less ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       ORIGINAL DEST   (Optional) -- If ACTION is DNAT[-] or REDIRECT[-]
#                       then if included and different from the IP
#                       address given in the SERVER column, this is an address
#                       on some interface on the firewall and connections to
#                       that address will be forwarded to the IP and port
#                       specified in the DEST column.
#
#                       A comma-separated list of addresses may also be used.
#                       This is usually most useful with the REDIRECT target
#                       where you want to redirect traffic destined for
#                       particular set of hosts.
#
#                       Finally, if the list of addresses begins with "!" then
#                       the rule will be followed only if the original
#                       destination address in the connection request does not
#                       match any of the addresses listed.
#
#                       For other actions, this column may be included and may
#                       contain one or more addresses (host or network)
#                       separated by commas. Address ranges are not allowed.
#                       When this column is supplied, rules are generated
#                       that require that the original destination address
#                       matches one of the listed addresses. This feature is
#                       most useful when you want to generate a filter rule
#                       that corresponds to a DNAT- or REDIRECT- rule. In this
#                       usage, the list of addresses should not begin with "!".
#
#                       See http://shorewall.net/PortKnocking.html for an
#                       example of using an entry in this column with a
#                       user-defined action rule.
#
#       RATE LIMIT      You may rate-limit the rule by placing a value in
#                       this column:
#
#                               <rate>/<interval>[:<burst>]
#
#                       where <rate> is the number of connections per
#                       <interval> ("sec" or "min") and <burst> is the
#                       largest burst permitted. If no <burst> is given,
#                       a value of 5 is assumed. There may be no
#                       whitespace embedded in the specification.
#
#                               Example: 10/sec:20
#
#       USER/GROUP      This column may only be non-empty if the SOURCE is
#                       the firewall itself.
#
#                       The column may contain:
#
#       [!][<user name or number>][:<group name or number>][+<program name>]
#
#                       When this column is non-empty, the rule applies only
#                       if the program generating the output is running under
#                       the effective <user> and/or <group> specified (or is
#                       NOT running under that id if "!" is given).
#
#                       Examples:
#
#                               joe     #program must be run by joe
#                               :kids   #program must be run by a member of
#                                       #the 'kids' group
#                               !:kids  #program must not be run by a member
#                                       #of the 'kids' group
#                               +upnpd  #program named upnpd (This feature was
#                                       #removed from Netfilter in kernel
#                                       #version 2.6.14).
#
#       Example: Accept SMTP requests from the DMZ to the internet
#
#       #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       ACCEPT  dmz     net       tcp   smtp
#
#       Example: Forward all ssh and http connection requests from the
#                internet to local system 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     ssh,http
#
#       Example: Forward all http connection requests from the internet
#                to local system 192.168.1.3 with a limit of 3 per second and
#                a maximum burst of 10
#
#       #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
#       #                                     PORT  PORT(S) DEST     LIMIT
#       DNAT    net    loc:192.168.1.3 tcp    http  -       -        3/sec:10
#
#       Example: Redirect all locally-originating www connection requests to
#                port 3128 on the firewall (Squid running on the firewall
#                system) except when the destination address is 192.168.2.2
#
#       #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
#
#       Example: All http requests from the internet to address
#                130.252.100.69 are to be forwarded to 192.168.1.3
#
#       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
#
#       Example: You want to accept SSH connections to your firewall only
#                from internet IP addresses 130.252.100.69 and 130.252.100.70
#
#       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       ACCEPT   net:130.252.100.69,130.252.100.70 $FW \
#                                       tcp     22
#############################################################################################################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT  LANA    $FW     TCP     ssh
ACCEPT  LANB    $FW     TCP     ssh
ACCEPT  PCLAN   $FW     TCP     ssh
#ACCEPT  MGMT    $FW     TCP     ssh
ACCEPT  LANA    $FW     TCP     http
ACCEPT  LANB    $FW     TCP     http
ACCEPT  PCLAN   $FW     TCP     http
#ACCEPT  MGMT    $FW     TCP     http
ACCEPT  LANA    $FW     TCP     https
ACCEPT  LANB    $FW     TCP     https
ACCEPT  PCLAN   $FW     TCP     https
#ACCEPT  MGMT    $FW     TCP     https
ACCEPT  $FW     MGMT    UDP     53
ACCEPT  $FW     MGMT    TCP     53
DROP    MGMT    $FW     TCP     113
DROP    MGMT    $FW     UDP     113
# 514 is syslog port.  accept both TCP (syslog-ng) and UDP (sysklogd)
ACCEPT  LANA    $FW     TCP     514
ACCEPT  LANA    $FW     UDP     514
ACCEPT  LANB    $FW     TCP     514
ACCEPT  LANB    $FW     UDP     514
ACCEPT  PCLAN   $FW     TCP     514
ACCEPT  PCLAN   $FW     UDP     514
# allow any icmp out.
ACCEPT  $FW     LANA    ICMP
ACCEPT  $FW     LANB    ICMP
ACCEPT  $FW     PCLAN   ICMP
ACCEPT  $FW     LANA    TCP     ssh
ACCEPT  $FW     LANB    TCP     ssh
ACCEPT  $FW     PCLAN   TCP     ssh
ACCEPT  $FW     LANA    TCP     snmp
ACCEPT  $FW     LANB    TCP     snmp
ACCEPT  $FW     PCLAN   TCP     snmp
ACCEPT  $FW     LANA    UDP     snmp
ACCEPT  $FW     LANB    UDP     snmp
ACCEPT  $FW     PCLAN   UDP     snmp
ACCEPT  $FW     LANA    TCP     ntp
ACCEPT  $FW     LANB    TCP     ntp
# 10000 is webmin.  Accept temporarily until everyone
# understands how to ssh portforward
# 113 is identd.  Irrelevant and idiotic.
ACCEPT  PCLAN   $FW     tcp     10000
DROP    LANA    $FW     TCP     113
DROP    LANB    $FW     TCP     113
DROP    PCLAN   $FW     TCP     113
DROP    LANA    $FW     UDP     113
DROP    LANB    $FW     UDP     113
DROP    PCLAN   $FW     UDP     113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

------------------------------------------------

[root@netmon shorewall]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
eth2_in    all  --  anywhere             anywhere
eth3_in    all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
eth2_fwd   all  --  anywhere             anywhere
eth3_fwd   all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
fw2LANA    all  --  anywhere             anywhere
fw2LANB    all  --  anywhere             anywhere
fw2PCLAN   all  --  anywhere             anywhere
fw2MGMT    all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain Drop (10 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports 135,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports 135,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain LANA2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:shell
ACCEPT     udp  --  anywhere             anywhere            udp dpt:syslog
DROP       tcp  --  anywhere             anywhere            tcp dpt:auth
DROP       udp  --  anywhere             anywhere            udp dpt:auth
all2fw     all  --  anywhere             anywhere

Chain LANB2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:shell
ACCEPT     udp  --  anywhere             anywhere            udp dpt:syslog
DROP       tcp  --  anywhere             anywhere            tcp dpt:auth
DROP       udp  --  anywhere             anywhere            udp dpt:auth
all2fw     all  --  anywhere             anywhere

Chain MGMT2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain MGMT2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp dpt:auth
DROP       udp  --  anywhere             anywhere            udp dpt:auth
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PCLAN2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:shell
ACCEPT     udp  --  anywhere             anywhere            udp dpt:syslog
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10000
DROP       tcp  --  anywhere             anywhere            tcp dpt:auth
DROP       udp  --  anywhere             anywhere            udp dpt:auth
all2fw     all  --  anywhere             anywhere

Chain Reject (0 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports 135,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports 135,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2MGMT (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain all2all (12 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain all2fw (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN

Chain dynamic (8 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
LANA2fw    all  --  anywhere             anywhere

Chain eth1_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth1_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
LANB2fw    all  --  anywhere             anywhere

Chain eth2_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth2_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
PCLAN2fw   all  --  anywhere             anywhere

Chain eth3_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth3_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
MGMT2fw    all  --  anywhere             anywhere

Chain fw2LANA (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
fw2all     all  --  anywhere             anywhere

Chain fw2LANB (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
fw2all     all  --  anywhere             anywhere

Chain fw2MGMT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain fw2PCLAN (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
fw2all     all  --  anywhere             anywhere

Chain fw2all (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain reject (6 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  224.0.0.0/4          anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  224.0.0.0/4          anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  224.0.0.0/4          anywhere
[root@netmon shorewall]#  

0
Question by:amlp
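An added example (not code from the question or from Shorewall) that audits the `iptables -L` listing above for the one thing that would undo the "all ports filtered" result: a rule that answers the sender. The listing's `Drop` chain starts with `reject tcp dpt:auth`, so a probe to port 113 would get a TCP reset and show up as closed, which is exactly the open/closed pair that OS fingerprinting asks for; the explicit `DROP ... 113` rules placed ahead of it in the zone chains are what keep that from happening. The script parses the listing, walks the jumps from INPUT, and reports every replying rule together with whether an earlier DROP on the same path shadows it. The sample listing is a constructed, cut-down excerpt of the question's own output; the chain names are the page's, the analysis logic is this example's own.

```python
"""Audit an `iptables -L` listing for rules that answer the sender.

Reads the text form of `iptables -L`, follows jumps into user chains from
INPUT and reports every rule that replies (a REJECT target, or a jump into a
chain that contains REJECT rules, like Shorewall's `reject` chain). A reply
is flagged as shadowed when an earlier DROP on the same path already matched
the same protocol and match text, so the reply can never be sent.
"""
import re

# Constructed excerpt modelled on the question's `iptables -L` output; the
# Drop, zone and reject chains are cut down to the rules that matter here.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain Drop (2 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain LANA2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:auth
DROP       udp  --  anywhere             anywhere            udp dpt:auth
all2fw     all  --  anywhere             anywhere

Chain all2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
LANA2fw    all  --  anywhere             anywhere

Chain reject (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""


def parse_iptables_l(text):
    """Return {chain: [(target, prot, match_text), ...]} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            # columns: target prot opt source destination [match text]
            parts = line.split(None, 5)
            match = parts[5].strip() if len(parts) > 5 else ""
            chains[current].append((parts[0], parts[1], match))
    return chains


def find_replies(chains, entry="INPUT"):
    """Depth-first walk of the jumps reachable from `entry`.

    Each finding records the chain path, the replying rule, and whether an
    earlier DROP with the same (prot, match) on that path shadows it."""
    replying_chains = {name for name, rules in chains.items()
                       if any(t == "REJECT" for t, _, _ in rules)}
    findings = []

    def walk(chain, path, dropped):
        here = path + [chain]
        for target, prot, match in chains.get(chain, []):
            key = (prot, match)
            if target == "DROP":
                dropped = dropped | {key}      # later rules on this path never see this traffic
            elif target == "REJECT" or target in replying_chains:
                findings.append({"path": here, "rule": (target, prot, match),
                                 "shadowed": key in dropped})
            elif target in chains and target not in here:
                walk(target, here, dropped)

    walk(entry, [], frozenset())
    return findings


def audit(text, entry="INPUT"):
    return find_replies(parse_iptables_l(text), entry)


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        verdict = "shadowed by an earlier DROP" if f["shadowed"] else "REACHABLE: the host will answer"
        print(" -> ".join(f["path"]), f["rule"], verdict)
```

Plain `iptables -L` omits interface matches (the `-i eth0` behind the `eth0_in` jump) and most `-m` options, so the walk treats every interface chain as reachable for every packet and can over-report; confirm an unshadowed finding against `iptables -L -v -n`, whose extra columns this parser does not handle.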
6 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 125 total points
ID: 16966368
> Trying to set up a host on a network so that it looks like an open wire to everything else on said network.  
> I'm using iptables with shorewall.  

Maybe it would be a better start point if you told us why you want this. If you merely want it to look like an open wire then it is simple to set up an open wire and disconnect this host from the network...

> I have it set up so that there is no answer (DROP) to the usual nmap scans, but there is still some
> information leakage because nmap can still determine the MAC.

If you want any IP packet destined to your machine to be received, then you must have the ARP protocol up and running and you will always get back the MAC address.

If you disable ARP responses from your machine, no normal network traffic will work, so you might as well disconnect the machine from network.

There is a middle way, but I'm not sure you are trying to achieve this - to create a machine that only receives (ethernet) traffic and sends NO responses (including ACKs). This is usually done only for a logging machine.

Author Comment by: amlp
ID: 16994216
I want to see just how invisible a machine can be from the outside looking in and still be usable.  This is kind of three quarters academic exercise out of pure curiosity, and one quarter wanting to stay off the boneheads' radar.

Ideally, would want to be undetectable from the outside, but still usable from the inside out.  

You're right, I didn't see any way to do that as long as there's any possibility of incoming traffic because of layer two issues.  But I'm no expert; that's why I ask.


Assisted Solution by: Nopius (earned 125 total points)
ID: 17006526
To toggle off ARP MAC disclosure run:
ifconfig eth0 -arp

but you need to use a static MAC address to keep connectivity between the LAN station from which you are connecting and this radar:
arp -s 192.168.0.54 00:04:23:B2:14:F1

then flush the ARP tables on your switches and on the machine from which you run scans (it's probably the other station than management).

Expert Comment by: Nopius
ID: 17006545
One more comment. After disabling ARP on your silent host, to keep connectivity between it and its management station you need to add a static MAC entry for the management station as well (so you need to run "arp -s x.x.x.x ..." on your stealth host before turning off ARP on the ethernet interface).
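The two comments above describe one procedure: pin the management station's MAC first, then turn ARP off on the interface, and mirror the static entry on the management side. As an added example that is not code from the thread, here is that procedure as a small POSIX shell script using the iproute2 commands (ip neigh / ip link) in place of arp -s and ifconfig -arp; the interface name, management IP and MAC are constructed placeholders, and DRY_RUN=1 only prints the commands so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example (not code from the thread): pin the management station,
# verify the static entry, then stop ARP. iproute2 equivalents of
# "arp -s" and "ifconfig -arp" are used. Values below are constructed.
IFACE="${IFACE:-eth0}"
MGMT_IP="${MGMT_IP:-192.168.0.10}"           # constructed sample
MGMT_MAC="${MGMT_MAC:-00:11:22:33:44:55}"    # constructed sample
DRY_RUN="${DRY_RUN:-0}"                      # 1 = only print the commands

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_mac: succeed only for a well-formed unicast MAC; pinning a group
# address (broadcast/multicast) would never deliver unicast replies
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    case "$1" in ?[13579bBdDfF]:*) return 1 ;; esac   # low bit of first octet set
    return 0
}

# stealth_enable: static entry FIRST, then ARP off. The reverse order
# leaves the host unable to resolve its own management station.
stealth_enable() {
    valid_mac "$MGMT_MAC" || { echo "refusing: bad MAC '$MGMT_MAC'" >&2; return 1; }
    run ip neigh replace "$MGMT_IP" lladdr "$MGMT_MAC" dev "$IFACE" nud permanent
    if [ "$DRY_RUN" != "1" ]; then
        ip neigh show dev "$IFACE" | grep -q "^$MGMT_IP .*PERMANENT" \
            || { echo "static entry missing, leaving ARP on" >&2; return 1; }
    fi
    run ip link set dev "$IFACE" arp off
}

# stealth_disable: undo in reverse order
stealth_disable() {
    run ip link set dev "$IFACE" arp on
    run ip neigh del "$MGMT_IP" dev "$IFACE"
}

# The management station needs the mirror entry for this host, e.g.
#   ip neigh replace <this host IP> lladdr <this host MAC> dev eth0 nud permanent
# Typical use (as root): MGMT_IP=... MGMT_MAC=... ./stealth.sh enable
case "${1:-}" in
    enable)  stealth_enable ;;
    disable) stealth_disable ;;
esac
```

Note that "ip link set ... arp off" is also what makes the host stop answering the nmap MAC lookup; without the mirrored static entry on the management station, that station loses the host too.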