Re: Firewall Rules
Regarding: allowing answer packets through a firewall.
> I want to as a default REJECT all packets from my firewall's external
> interface, and then allow in only certain packets.
[snip]
> My real question here is, how would I go about allowing the
> windows machine(s) behind the firewall to receive full responses from the
> internet without returning the firewall back to its previous default state
> of ACCEPT.
Apologies if I misunderstood, but it appears you are asking for
connection tracking, a feature that is available in the 2.4 kernels.
If you use a 2.4 kernel and upgrade to "iptables", then you can allow
return packets according to whether they are part of an existing
connection.
Assuming this is what you are after, I am going to just paste some junk
from my own over-engineered rule set to give the flavour, i.e., I won't
try and summarize it. Apologies if 400+ lines breaches list etiquette.
Don't let the LOC fool you ;-), I am _not_ any sort of security expert.
I am just playing with this stuff out of an interest.
This is on a redhat box. It gets called every time the ppp connection
is started or stopped. There are a few variables that get set by
inspecting the state using ifconfig, earlier in the script.
# We demarcate zones and build chains to describe packet transfers
# between zones. The zone names being used are: "civil zone" (CIV),
# "bastion zone"(BST), and "battlefield" (BAT). The network topology
# does not include a demilitarized zone --- the servers are running on
# the firewall (BST).
#
# Since every packet passes through one of INPUT, FORWARD, or OUTPUT
# we do not add rules to the NAT chains, except for masquerading.
# "Immediately impose a strict DROP policy:"
modprobe ip_tables \
&& modprobe ip_conntrack \
&& modprobe iptable_filter \
&& modprobe iptable_nat \
&& modprobe ipt_REJECT \
&& modprobe ipt_LOG \
&& modprobe ipt_MASQUERADE \
&& modprobe ipt_limit \
&& modprobe ipt_state \
&& modprobe ip_conntrack_ftp \
&& modprobe ip_nat_ftp \
&& iptables -P INPUT DROP \
&& iptables -P FORWARD DROP \
&& iptables -P OUTPUT DROP \
&& iptables -t nat -P PREROUTING ACCEPT \
&& iptables -t nat -P OUTPUT ACCEPT \
&& iptables -t nat -P POSTROUTING ACCEPT
# "Flush chains, remove user defined chains, zero counters:"
iptables -F \
&& iptables -t nat -F \
&& iptables -X \
&& iptables -Z
# BST borders: an input/output chain for each non-trivial interface.
#
# Each input and output chain is factorised into an acceptance chain
# for new connection requests (-new). Existing connections are always
# carried, as are all related requests except those from the internet.
iptables -N eth-in
iptables -N eth-in-new
iptables -N eth-bcast
iptables -N eth-out
iptables -N eth-out-new
iptables -N ppp-in
iptables -N ppp-in-new
iptables -N ppp-out
iptables -N ppp-out-new
# BST escorts: forward chains for the masqueraded civilian zone.
#
# There can be no inwards establishment of new connections. But the
# outwards filter is factorised as above. Existing connections are
# always carried.
iptables -N bat-civ
iptables -N civ-bat
iptables -N civ-bat-new
# ICMP handling: chains for ICMP requests and error replies.
#
# These acceptance chains factorise the rules to handle ICMP packets
# across all chains. Care must be taken when they are used in conjunction
# with forwarding. Otherwise, these mechanisms could be exploited to
# determine the network topology. Note that there is ICMP rate
# limiting in the linux kernel, see: icmp(7).
iptables -N icmp-new
iptables -N icmp-rel
# eth-in: input filtering from civil zone.
#
# To qualify, packets must approach eth0 with a source address in
# the civil zone. To pass, they must be:
# - part of an existing connection;
# - related to an existing connection;
# - requesting a new ssh connection;
# - requesting a name server lookup;
# - negotiating an IP address with the bootps server;
# - requesting an identd lookup;
# - requesting a new printer connection; or
# - a valid ping.
# "action" is the status-printing helper from /etc/rc.d/init.d/functions
# on Red Hat: it echoes the message, runs the command, and prints OK/FAILED.
action "Build eth-in filter:" \
iptables -A eth-in \
-m state --state ESTABLISHED,RELATED -j ACCEPT \
&& iptables -A eth-in \
-m state --state NEW -j eth-in-new \
&& iptables -A eth-in \
-m limit -j LOG --log-prefix "eth-in: " \
&& iptables -A eth-in \
-j REJECT \
&& iptables -A eth-in-new \
-p tcp --dport ssh --syn -j ACCEPT \
&& iptables -A eth-in-new \
-p udp --dport domain -j ACCEPT \
&& iptables -A eth-in-new \
-p tcp --dport domain --syn -j ACCEPT \
&& iptables -A eth-in-new \
-p udp --sport bootpc --dport bootps -j ACCEPT \
&& iptables -A eth-in-new \
-p tcp --dport auth --syn -j ACCEPT \
&& iptables -A eth-in-new \
-p tcp --dport printer --syn -j ACCEPT \
&& iptables -A eth-in-new \
-p icmp -j icmp-new
# eth-bcast: input filtering of broadcast messages from civil zone.
#
# To qualify, packets must approach eth0 with a destination address of
# 255.255.255.255. To pass, they must be:
# - negotiating an IP address with the bootps server.
action "Build eth-bcast filter:" \
iptables -A eth-bcast \
-p udp --sport bootpc --dport bootps -j ACCEPT \
&& iptables -A eth-bcast \
-j REJECT
# eth-out: output filtering to civil zone.
#
# To qualify, packets must approach eth0 with the eth0 address as
# the source and a destination address in the civil zone. To
# pass, they must be:
# - part of an existing connection;
# - related to an existing connection;
# - requesting a new ssh connection;
# - requesting a new www, secure www, or webcache connection;
# - requesting an identd lookup;
# - requesting a dictd lookup; or
# - a valid ping.
action "Build eth-out filter:" \
iptables -A eth-out \
-m state --state ESTABLISHED,RELATED -j ACCEPT \
&& iptables -A eth-out \
-m state --state NEW -j eth-out-new \
&& iptables -A eth-out \
-m limit -j LOG --log-prefix "eth-out: " \
&& iptables -A eth-out \
-j REJECT \
&& iptables -A eth-out-new \
-p tcp --dport ssh --syn -j ACCEPT \
&& iptables -A eth-out-new \
-p tcp --dport www --syn -j ACCEPT \
&& iptables -A eth-out-new \
-p tcp --dport webcache --syn -j ACCEPT \
&& iptables -A eth-out-new \
-p tcp --dport https --syn -j ACCEPT \
&& iptables -A eth-out-new \
-p tcp --dport auth --syn -j ACCEPT \
&& iptables -A eth-out-new \
-p tcp --dport 2628 --syn -j ACCEPT \
&& iptables -A eth-out-new \
-p icmp -j icmp-new
# ppp-in: input filtering from battlefield.
#
# To qualify, packets must approach ppp+ with the internet address
# as the destination. To pass, they must be:
# - part of an established connection;
# - an ICMP reply related to an existing connection;
# - requesting a new ssh connection;
# - requesting an identd lookup; or
# - a valid ping.
action "Build ppp-in filter:" \
iptables -A ppp-in \
-m state --state ESTABLISHED -j ACCEPT \
&& iptables -A ppp-in \
-m state --state RELATED -j icmp-rel \
&& iptables -A ppp-in \
-m state --state NEW -j ppp-in-new \
&& iptables -A ppp-in \
-m limit -j LOG --log-prefix "ppp-in: " \
&& iptables -A ppp-in \
-j REJECT \
&& iptables -A ppp-in-new \
-p tcp --dport ssh --syn -j ACCEPT \
&& iptables -A ppp-in-new \
-p tcp --dport auth --syn -j ACCEPT \
&& iptables -A ppp-in-new \
-p icmp -j icmp-new
# ppp-out: output filtering to battlefield.
#
# To qualify, packets must approach ppp+ with the internet address as
# the source. To pass, they must be:
# - part of an established connection;
# - related to an established connection;
# - requesting a new ftp connection;
# - requesting a new ssh connection;
# - requesting a new smtp connection;
# - requesting an external name server lookup;
# - requesting a new www, secure www, or webcache connection;
# - requesting a new pop3 mail connection;
# - requesting an identd lookup;
# - a FIN acknowledge packet (curiously, this is not included
# under RELATED --- a problem with the way mozilla terminates
# connection?); or
# - a valid ping.
action "Build ppp-out filter:" \
iptables -A ppp-out \
-m state --state ESTABLISHED,RELATED -j ACCEPT \
&& iptables -A ppp-out \
-m state --state NEW -j ppp-out-new \
&& iptables -A ppp-out \
-m limit -j LOG --log-prefix "ppp-out: " \
&& iptables -A ppp-out \
-j REJECT \
&& iptables -A ppp-out-new \
-p tcp --dport ftp --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport ssh --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport smtp --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p udp --dport domain -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport domain --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport www --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport https --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport webcache --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport pop3 --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --dport auth --syn -j ACCEPT \
&& iptables -A ppp-out-new \
-p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,FIN -j ACCEPT \
&& iptables -A ppp-out-new \
-p icmp -j icmp-new
# bat-civ: input filtering by escort from battlefield.
#
# To qualify, packets must be forwarded from ppp+ to eth0 with a civil
# zone destination address (after masquerading). To pass, they must
# be:
# - part of an established connection;
# - an ICMP reply related to an established connection, or
# - requesting an identd lookup.
# Everything else is silently dropped.
action "Build inter- to intra- network filter:" \
iptables -A bat-civ \
-m state --state ESTABLISHED -j ACCEPT \
&& iptables -A bat-civ \
-m state --state RELATED \
-p icmp -j icmp-rel \
&& iptables -A bat-civ \
-m state --state NEW \
-p tcp --dport auth --syn -j ACCEPT \
&& iptables -A bat-civ \
-m limit -j LOG --log-prefix "bat-civ: " \
&& iptables -A bat-civ \
-j DROP
# civ-bat: output filtering by escort to battlefield.
#
# To qualify, packets must be forwarded from eth0 with a civil zone
# source address (after masquerading), to ppp+. To pass, they must
# be:
# - part of an established connection;
# - related to an established connection;
# - requesting a new ftp connection;
# - requesting a new ssh connection;
# - requesting a new smtp connection;
# - requesting a new www or webcache connection;
# - an identd lookup;
# - a FIN acknowledge packet (curiously, this is not included
# under RELATED); or
# - a valid ping.
action "Build intra- to inter- network filter:" \
iptables -A civ-bat \
-m state --state ESTABLISHED,RELATED -j ACCEPT \
&& iptables -A civ-bat \
-m state --state NEW -j civ-bat-new \
&& iptables -A civ-bat \
-m limit -j LOG --log-prefix "civ-bat: " \
&& iptables -A civ-bat \
-j REJECT \
&& iptables -A civ-bat-new \
-p tcp --dport ftp --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport ssh --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport smtp --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport www --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport webcache --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport https --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport pop3 --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --dport auth --syn -j ACCEPT \
&& iptables -A civ-bat-new \
-p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,FIN -j ACCEPT \
&& iptables -A civ-bat-new \
-p icmp -j icmp-new
# icmp-new: acceptance of honoured ICMP requests.
#
# To qualify, packets must be travelling across a BST border, and must
# be initiating a connection. They must not be travelling in the
# inwards direction across the FORWARD chain in case network topology
# is revealed.
action "Build ICMP request filter:" \
iptables -A icmp-new \
-p icmp --icmp-type echo-request -j ACCEPT \
&& iptables -A icmp-new \
-p icmp --icmp-type timestamp-request -j ACCEPT
# icmp-rel: acceptance of exposed ICMP error replies.
#
# To qualify, packets must be travelling across a BST border, and must
# be associated with an existing connection. They must not be
# travelling in the outwards direction across the FORWARD chain in
# case network topology is revealed.
action "Build ICMP error filter:" \
iptables -A icmp-rel \
-p icmp --icmp-type parameter-problem -j ACCEPT \
&& iptables -A icmp-rel \
-p icmp --icmp-type time-exceeded -j ACCEPT \
&& iptables -A icmp-rel \
-p icmp --icmp-type destination-unreachable -j ACCEPT \
&& iptables -A icmp-rel \
-p icmp --icmp-type source-quench -j ACCEPT
# INPUT: sort input packets according to interface and address.
#
# Jumps describe the sanctioned network topology. They are
# decided by correspondences between interfaces and addresses.
action "Setup jumps for input filtering:" \
iptables -A INPUT \
-i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT \
&& iptables -A INPUT \
-i lo -s ${CIVIP} -d ${CIVIP} -j ACCEPT \
&& iptables -A INPUT \
-i lo -s ${BATIP} -d ${BATIP} -j ACCEPT \
&& iptables -A INPUT \
-i eth0 -s ${CIVNET} -d ${CIVIP} -j eth-in \
&& iptables -A INPUT \
-i eth0 -d 255.255.255.255 -j eth-bcast \
&& iptables -A INPUT \
-i ${BATIF} -d ${BATIP} -j ppp-in \
&& iptables -A INPUT \
-m limit -j LOG
# FORWARD: sort forward packets according to interface and address.
#
# Start masquerading on POSTROUTING for all packets leaving the civil
# zone for the internet. The forward chains see the full addresses.
# Jumps to forwarding chains describe the network topology. They are
# decided by correspondences between interfaces and addresses.
action "Setup jumps for forward filtering:" \
iptables -t nat -A POSTROUTING \
-s ${CIVNET} -o ${BATIF} -j MASQUERADE \
&& iptables -A FORWARD \
-i ${BATIF} -o eth0 -d ${CIVNET} -j bat-civ \
&& iptables -A FORWARD \
-i eth0 -s ${CIVNET} -o ${BATIF} -j civ-bat \
&& iptables -A FORWARD \
-m limit -j LOG
# OUTPUT: sort output packets according to interface and address.
#
# Jumps describe the sanctioned network topology. They are
# decided by correspondences between interfaces and addresses.
action "Setup jumps for output filtering:" \
iptables -A OUTPUT \
-o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT \
&& iptables -A OUTPUT \
-o lo -s ${CIVIP} -d ${CIVIP} -j ACCEPT \
&& iptables -A OUTPUT \
-o lo -s ${BATIP} -d ${BATIP} -j ACCEPT \
&& iptables -A OUTPUT \
-o eth0 -s ${CIVIP} -d ${CIVNET} -j eth-out \
&& iptables -A OUTPUT \
-o ${BATIF} -s ${BATIP} -j ppp-out \
&& iptables -A OUTPUT \
-m limit -j LOG
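The connection-tracking answer to the quoted question, reduced to its essentials, as an added example that is not part of the original post or of the poster's 400-line script: every built-in chain gets a DROP policy, and packets coming back from the internet are admitted only when ip_conntrack has already seen the connection leave. INTIF, EXTIF, LAN and the DRY_RUN switch are assumed names, and 192.168.1.0/24 is a constructed placeholder for the LAN. With DRY_RUN set the script prints the iptables commands instead of running them, so the ruleset can be reviewed on any box without root or iptables.

```shell
#!/bin/sh
# Added example, not the poster's script: the smallest connection-tracking
# ruleset that answers the quoted question. Assumed names: INTIF (LAN side),
# EXTIF (ppp side), LAN (LAN network); 192.168.1.0/24 is a constructed
# placeholder. With DRY_RUN set, commands are printed instead of executed.
INTIF=${INTIF:-eth0}
EXTIF=${EXTIF:-ppp0}
LAN=${LAN:-192.168.1.0/24}

# Run one iptables command, or print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

minimal_ruleset() {
    # Default deny on every built-in chain of the filter table, then start
    # from empty chains.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -t nat -F

    # Loopback traffic is trusted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # The answer to the question: replies to connections that the firewall
    # or the LAN opened are accepted because conntrack remembers the
    # outgoing half. RELATED covers ICMP errors and, with ip_conntrack_ftp
    # loaded, ftp data connections.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections may leave, from the firewall itself and from the LAN.
    ipt -A OUTPUT -o "$EXTIF" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -s "$LAN" -o "$EXTIF" -m state --state NEW -j ACCEPT
    # The LAN may open connections to the firewall; the internet may not,
    # because no INPUT rule accepts NEW packets arriving on EXTIF.
    ipt -A INPUT -i "$INTIF" -s "$LAN" -m state --state NEW -j ACCEPT

    # Masquerade the LAN behind the ppp address.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE

    # Record what the DROP policy is about to discard.
    ipt -A INPUT -m limit -j LOG --log-prefix "INPUT drop: "
    ipt -A FORWARD -m limit -j LOG --log-prefix "FORWARD drop: "
}

# Print the ruleset without touching the kernel.
show_ruleset() {
    ( DRY_RUN=1; minimal_ruleset )
}

# Number of emitted lines matching a pattern (0 rather than an error when
# none match), so the dry run can be checked mechanically.
count_rules() {
    show_ruleset | grep -c -- "$1" || true
}

# Review check: no rule admits NEW packets arriving on the external
# interface. Expected to be 0.
inbound_new_from_ext() {
    count_rules "^iptables -A INPUT -i $EXTIF .*NEW"
}

case "${1:-}" in
    show)  show_ruleset ;;
    apply) minimal_ruleset ;;
esac
```

`sh minimal_ct.sh show` prints the rules for review; `sh minimal_ct.sh apply` loads them. The example does not load kernel modules: on a 2.4 kernel without module autoloading, `ip_tables`, `ip_conntrack`, `ipt_state`, `ipt_limit`, `ipt_LOG` and `ipt_MASQUERADE` (plus `ip_conntrack_ftp` and `ip_nat_ftp` for active FTP) must be loaded first, as the poster's script does. The difference from the script above is only granularity: the poster splits NEW traffic per zone and per service, whereas this example accepts any NEW connection leaving the LAN.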