
Re[2]: firewall script fighting



Hello Ray and others,

thanks for the fast response:

RO> You need to clarify a detail: what is the IP address of "my server"?

RO> If it is a server on the LAN (with an address in the 192.168.99.0/24 range),
RO> you need to set up port forwarding to reach it. The relevant app is
RO> "ipmasqadm". You will also need to open the router to traffic to the ports
RO> you want to forward, as in the next paragraph.

the server is the router itself (potato). the router (= server) is
connected to the internet via ISDN and I am on a dynamic IP.


RO> If it is the router itself, you need to be more specific than "nobody can
RO> connect to my server". As I read your ruleset, you have not opened any
RO> destination ports in the typical range (1-1024) for standard services. For
RO> each service you want to make accessible, you need an input-chain rule
RO> something like this:

RO>     ipchains -A input -i $DEV_INET -p tcp -d a.b.c.d/32 443 -j ACCEPT

hm, I thought I did open specific services, for example:

#----- allow HTTP -----
ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

where $INET=0.0.0.0/0, maybe this is my mistake. do I have to enter
the real IP of the external interface? this would mean I have to get
my IP again every time I reconnect to the internet, because I am on dialup?


RO> where a.b.c.d is the IP address of your external interface (which you do not
RO> appear to have a shell variable for), and you replace "443" and "tcp" with
RO> the actual port and protocol for the service you want to offer. You may also
RO> need additional output-chain rules ... I did not check that part.

do I need to define the shell variable $INET in such a way:
INET=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 | awk '{print $1}' )
and put the firewall script in /etc/ppp/ip-up or link to it from there?

the current firewall script is /etc/init.d/firewall and I link to it
from /etc/rc2.d/S20firewall. is this actually the common way to start
scripts at startup?


thanks again




RO> At 05:20 PM 4/1/01 +0200, tim@atomstrahl.de wrote:
>>Hello
>>
>>I try to set up a firewall for my LAN. I want to be invisible to the
>>internet (no response to a ping), but I want to allow some specific
>>connections. the script I have so far makes me invisible and I can surf
>>the web..., but nobody can connect to my server.
>>
>>maybe you easily find some errors:
>>
>>
>>--------------------------------------------------------------------
>>
>>
>>#!/bin/sh
>># Firewall script
>>
>>DEV_LAN=eth0
>>IP_LAN=192.168.99.10
>>LAN=192.168.99.0/255.255.255.0
>>DEV_INET=ippp0
>>INET=0.0.0.0/0.0.0.0
>>
>>
>>insmod ip_masq_cuseeme
>>insmod ip_masq_ftp
>>insmod ip_masq_irc
>>insmod ip_masq_quake
>>insmod ip_masq_raudio
>>insmod ip_masq_user
>>insmod ip_masq_vdolive
>>
>>
>>
>>#----- Enable IP forwarding and support for dynamically assigned IP addresses -----
>>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>>#----- Flush all rules -----
>>ipchains -F
>>
>>#----- Set default policy to DENY -----
>>ipchains -P input DENY
>>ipchains -P forward DENY 
>>ipchains -P output DENY 
>>
>>#----- Prevent IP spoofing: nothing with a LAN source address may arrive on the
>>#----- internet interface, whatever the protocol (not only TCP); log it -----
>>ipchains -A input -i $DEV_INET -s $LAN -j DENY -l
>>
>>#----- Allow loopback -----
>>ipchains -A input -i lo -j ACCEPT
>>ipchains -A output -i lo -j ACCEPT
>>
>>#----- Allow all intranet connections -----
>>ipchains -A input -i $DEV_LAN -s $LAN -j ACCEPT
>>ipchains -A output -i $DEV_LAN -d $LAN -j ACCEPT
>>
>>#----- Allow DNS queries to the internet, both UDP and TCP -----
>>ipchains -A output -i $DEV_INET -p udp -d $INET 53 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p udp -s $INET 53 -j ACCEPT
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 53 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 53 -j ACCEPT ! -y
>>
>>#----- Allow HTTP (outgoing; "! -y" admits only replies, not new connections) -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y
>>
>>#----- Allow HTTPS -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 443 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 443 -j ACCEPT ! -y
>>
>>#----- Allow FTP -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 21 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 21 -j ACCEPT ! -y
>>
>>#----- Extension for active FTP -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 20 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 20 -j ACCEPT
>>
>>#----- Allow SSH to the internet -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 22 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 22 -j ACCEPT ! -y
>>
>>#----- Allow SMTP to the internet -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 25 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 25 -j ACCEPT ! -y
>>
>>#----- Allow POP3 to the internet -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 110 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 110 -j ACCEPT ! -y
>>
>>
>>#----- High ports (replies to locally initiated connections) -----
>>ipchains -A output -i $DEV_INET -p tcp -d $INET 1023:65535 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p tcp -s $INET 1023:65535 -j ACCEPT ! -y
>>ipchains -A output -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
>>ipchains -A input -i $DEV_INET -p udp -d $INET 1023:65535 -j ACCEPT
>>
>>
>>
>>#----- Create chains for ICMP -----
>>ipchains -N icmp-out
>>ipchains -A icmp-out -p icmp --icmp-type echo-reply -j DENY
>>ipchains -A icmp-out -p icmp --icmp-type echo-request -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type destination-unreachable -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type source-quench -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type time-exceeded -j ACCEPT
>>ipchains -A icmp-out -p icmp --icmp-type parameter-problem -j ACCEPT
>>
>>ipchains -N icmp-in
>>ipchains -A icmp-in -p icmp --icmp-type echo-reply -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type echo-request -j DENY
>>ipchains -A icmp-in -p icmp --icmp-type destination-unreachable -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type source-quench -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type time-exceeded -j ACCEPT
>>ipchains -A icmp-in -p icmp --icmp-type parameter-problem -j ACCEPT
>>
>>#----- Hand ICMP packets to the output chain -----
>>ipchains -A output -p icmp -j icmp-out
>>
>>#----- Hand ICMP packets to the input chain -----
>>ipchains -A input -p icmp -j icmp-in
>>
>>#----- Enable masquerading -----
>>ipchains -A forward -s 192.168.99.0/24 -d 0.0.0.0/0 -j MASQ
>>echo Firewall is up
>>
>>
>>-------------------------------------------------------------------------------
>>
>>again, the problem is nobody can connect except from inside the LAN
>>
>>
>>thanks in advance
>>
>>  
>>
>>-- 
>>Best regards,
>> tim                          mailto:tim@atomstrahl.de
>>
>>
>>
>>--  
>>To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
>>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>>
>>
>>

RO> --
RO> ------------------------------------"Never tell me the odds!"---
RO> Ray Olszewski                                        -- Han Solo
RO> Palo Alto, CA                                    ray@comarre.com        
RO> ----------------------------------------------------------------





-- 
Best regards,
 tim                            mailto:tim@atomstrahl.de
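An added example, not code from this thread (neither tim's script nor Ray's), showing the two cases Ray distinguishes: rules that let the router itself accept new connections on chosen ports (the input rule must accept SYN, which the script's "! -y" rules never do), and the ipmasqadm portfw form for a server on the LAN, both keyed to an external address that is only known once the ISDN link is up. DEV_INET is taken from tim's script; the SERVICES and FORWARDS lists, the "apply" mode and the sample ifconfig text are this example's own assumptions, and the hook argument layout is pppd's (local address in $4).

```shell
#!/bin/sh
# Added example, not from the thread: accept inbound services on an ipchains
# router with a dynamic external address, plus port forwarding to a LAN host.
# Assumed: DEV_INET as in tim's script; SERVICES, FORWARDS, "apply" mode and
# the sample ifconfig text are this example's own.

DEV_INET=${DEV_INET:-ippp0}
# Services offered by the router itself (proto:port) - assumed list.
SERVICES="tcp:22 tcp:80"
# Services forwarded to a LAN host (proto:port:lanhost:lanport) - assumed list.
FORWARDS="tcp:443:192.168.99.10:443"

# Constructed ifconfig output for a point-to-point interface (TEST-NET address).
SAMPLE_IFCONFIG='ippp0     Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1'

# Extract the local address by matching the "inet addr:" field. Cutting fixed
# columns (cut -c 21-38) breaks as soon as address length or spacing changes.
ext_ip_from_ifconfig() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9][0-9.]*\) *P-t-P:.*/\1/p' | head -n 1
}

# Rules that make one service on the router reachable at external address $2.
# The input rule accepts SYN (no "! -y"): "! -y" input rules only admit replies.
# ipchains -y means SYN set with ACK and FIN clear, so "! -y" on the output
# side still lets the server's SYN/ACK out while stopping the router from
# originating connections from the service port. -y is TCP-only, so UDP gets none.
service_rules() {
    proto=${1%%:*}; port=${1#*:}; ext_ip=$2
    if [ "$proto" = tcp ]; then syn_guard=' ! -y'; else syn_guard=''; fi
    printf 'ipchains -A input -i %s -p %s -d %s/32 %s -j ACCEPT\n' \
        "$DEV_INET" "$proto" "$ext_ip" "$port"
    printf 'ipchains -A output -i %s -p %s -s %s/32 %s -j ACCEPT%s\n' \
        "$DEV_INET" "$proto" "$ext_ip" "$port" "$syn_guard"
}

# Rules for a server on the LAN (Ray's first case): the input chain must accept
# the packet, then ipmasqadm portfw rewrites it to the LAN host.
forward_rules() {
    spec=$1; ext_ip=$2
    proto=${spec%%:*}; spec=${spec#*:}
    port=${spec%%:*};  spec=${spec#*:}
    host=${spec%%:*};  lanport=${spec#*:}
    printf 'ipchains -A input -i %s -p %s -d %s/32 %s -j ACCEPT\n' \
        "$DEV_INET" "$proto" "$ext_ip" "$port"
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$proto" "$ext_ip" "$port" "$host" "$lanport"
}

# Complete rule set for the given external address.
all_rules() {
    for svc in $SERVICES; do service_rules "$svc" "$1"; done
    for fwd in $FORWARDS; do forward_rules "$fwd" "$1"; done
}

# Run as "<script> apply <ifname> <tty> <speed> <local-ip> ..." from a hook that
# passes pppd's ip-up arguments through, the freshly assigned address is $4 and
# the rules are applied; otherwise the rules for the sample address are printed.
if [ "${1:-}" = "apply" ] && [ -n "${4:-}" ]; then
    all_rules "$4" | sh
else
    all_rules "$(ext_ip_from_ifconfig "$SAMPLE_IFCONFIG")"
fi
```

The address-dependent rules live in a hook run after the link comes up, while the address-independent part (default policies, anti-spoofing, masquerading) can stay in the init script; re-running the hook on every reconnect is what makes the -d a.b.c.d/32 form usable on dialup.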



