
Re: ipchains



On Tue, Mar 28, 2000 at 11:25:39AM -0800, Simon Martin wrote:
> I started off with the following
> 
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> ipchains -P input REJECT
> ipchains -A input -j ACCEPT -s localhost
> ipchains -A input -j ACCEPT -s localnet/24
> 
> ipchains -P forward REJECT
> ipchains -A forward -j MASQ -s localnet/24
> 
> ipchains -P output ACCEPT

I'd set the default policies to DENY instead of REJECT. DENY drops the
packet with no other action. REJECT is more polite and tells the other
end the connection isn't allowed. I'm not sure your firewall needs to
be polite.

Try something like this (untested, but hacked from a working config)

# ipchains stuff before bringing up interfaces
# flush rules and set default to DENY, must explicitly enable services
ipchains -F input
ipchains -P input DENY
ipchains -F forward
ipchains -P forward DENY

# (added for completeness) address of the nameserver used below; the
# 192.0.2.53 value is a placeholder, put your ISP's resolver here
NAMESERVER1=192.0.2.53

# block private addresses from default route
ipchains -A input -j DENY -i ppp0 -s 10.0.0.0/8
ipchains -A input -j DENY -i ppp0 -s 172.16.0.0/12
ipchains -A input -j DENY -i ppp0 -s 192.168.0.0/16

# (added for completeness) let loopback and the internal net reach this
# box; with a DENY input policy, packets from the internal net that are
# to be forwarded would otherwise be dropped in the input chain already
ipchains -A input -j ACCEPT -i lo
ipchains -A input -j ACCEPT -s localnet/24

# allow incoming dns replies from our nameserver (source port 53)
ipchains -A input -j ACCEPT -i ppp0 -s $NAMESERVER1/32 53 -p tcp
ipchains -A input -j ACCEPT -i ppp0 -s $NAMESERVER1/32 53 -p udp

# allow ssh in both directions
ipchains -A input -j ACCEPT --dport ssh -p tcp
ipchains -A input -j ACCEPT --dport ssh -p udp

# accept responses from internet: tcp packets that are not connection
# requests ("! -y" = SYN not set), i.e. replies to connections we opened
ipchains -A input -j ACCEPT -i ppp0 -p tcp ! -y

# masquerade internal net out to internet
ipchains -A forward -j MASQ -s localnet/24

# turn on ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

> 
> What I expected was "input will accept anything from my local net, forward
> will masquerade everything from my localnet, output will send anything".
> 
> Unfortunately this did not work. The configuration I have now is:
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> ipchains -P input REJECT
> ipchains -A input -j ACCEPT -s localhost
> ipchains -A input -j ACCEPT -s localnet/24
> ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 www -p tcp
> ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 ftp -p tcp
> ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 ftp-data -p tcp
> ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 domain -p udp
> ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 smtp -p tcp
> ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d localnet/24 pop-3 -p tcp
> 
> ipchains -P forward REJECT
> ipchains -A forward -j MASQ -s localnet/24
> ipchains -A forward -j MASQ -d localnet/24
> 
> ipchains -P output ACCEPT
> 
> This now works, but I find it very permissive. Anyone connecting from socket
> 80 on a remote machine can connect to my telnet port!!!
> 
> I have 2 main questions:
> 
> 1) What am I doing wrong?
> 2) I am about to update my kernel to linux-2.3.99-pre3 for other reasons.
> What will security be like on this?
> 
> TIA
> 
> 
>     __ _   Debian GNU User
>    / /(_)_ __  _   ___  __   Simon Martin
>   / / | | '_ \| | | \ \/ /   Project Manager
>  / /__| | | | | |_| |>  <    Isys
>  \____/_|_| |_|\__,_/_/\_\   mailto: smartin@isys.cl
> 
> There is a chasm of carbon and silicon the software cannot bridge
> 
> 

-- 
Lee Bradshaw                 lee@sectionIV.com (preferred)
Alantro Communications       lee@alantro.com
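As an added illustration (not part of either mail): a small Python model of how ipchains walks the input chain suggested above, first matching rule wins and the chain policy applies otherwise. It assumes a constructed nameserver address 198.51.100.53 in place of $NAMESERVER1, ssh as port 22, and models only the fields those rules use (-i, -s with source port, -p, --dport and -y).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                        # one "ipchains -A input ..." line
    target: str                    # -j ACCEPT / DENY
    iface: Optional[str] = None    # -i
    src: str = "0.0.0.0/0"         # -s address/mask
    sport: Optional[int] = None    # source port given after -s
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    syn: Optional[bool] = None     # True for -y, False for "! -y"

@dataclass
class Packet:
    iface: str
    src: str
    proto: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set with ACK clear, which is what -y tests

def matches(r: Rule, p: Packet) -> bool:
    # Every field given on the rule must match; omitted fields match anything.
    return ((r.iface is None or r.iface == p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and (r.sport is None or r.sport == p.sport)
            and (r.proto is None or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport)
            and (r.syn is None or r.syn == p.syn))

def verdict(chain: list, policy: str, p: Packet) -> str:
    # First matching rule decides; if none matches, the chain policy applies.
    for r in chain:
        if matches(r, p):
            return r.target
    return policy

NAMESERVER1 = "198.51.100.53"  # constructed stand-in for $NAMESERVER1
INPUT_CHAIN = [                # the ppp0-facing input rules from the config above
    Rule("DENY", iface="ppp0", src="10.0.0.0/8"),
    Rule("DENY", iface="ppp0", src="172.16.0.0/12"),
    Rule("DENY", iface="ppp0", src="192.168.0.0/16"),
    Rule("ACCEPT", iface="ppp0", src=NAMESERVER1 + "/32", sport=53, proto="tcp"),
    Rule("ACCEPT", iface="ppp0", src=NAMESERVER1 + "/32", sport=53, proto="udp"),
    Rule("ACCEPT", proto="tcp", dport=22),                  # --dport ssh
    Rule("ACCEPT", iface="ppp0", proto="tcp", syn=False),   # ! -y: replies only
]
```

With a DENY policy, a SYN arriving on ppp0 from source port 80 to port 23 matches nothing and is dropped, which is the case the original poster's REJECT/ACCEPT setup let through.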