
Re: Re: 2 nic setup for firewall machine



>1. Firewall machine 
>=================== 
>
>IN from net: allow ddt for Dynamic DNS (http://www.ddts.org/), ssh 
>IN from lan: allow ssh, dhcp
>OUT to net: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt, 
>proxy server access to isp, ping 
>OUT to lan: allow dhcp for LAN clients 
>
>2. LAN 
>====== 
>IN: allow in only stuff related to what went out 
>OUT: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt, proxy isp, 
>dhcp to firewall machine 
>
>It's not totally clear what the policy is supposed to be for each 
>machine here. Looking at your current rules, here is what traffic I 
>think would actually be allowed: 
>FW to Inet: ftp, ssh, smtp, dns, www, pop3, imap, ddt, isp proxy, ping 

This is what I want.

>Inet to FW: ssh, ddt, dhcp replies, related/established connections 

This is also what I want.

>LAN to FW: ssh, dhcp 

I will need imap and smtp too, since my server will run Courier IMAP.
Do I specify these in the FORWARD chain?

>FW to LAN: nothing! 

I don't think anything like this is necessary, or do I have to specifically let
dhcp through for eth1? Same for imap, or will these automatically go through
because of the related/established rule?

>LAN to Inet: (1/sec) [SYN, RST, echo], established/related connections 

Hhhm.  I would want to specify what goes out from the lan. Basically this will
be these services:
ftp, ssh, smtp, dns, www, pop3, isp proxy, ping
Everything else should be dropped. As you said, I will specify these
in the FORWARD rule.

>Inet to LAN: everything!

Ouch. Only related or established connections should go through! Aaaargh.

>Probably not quite what you wanted ;-)

Nope :-(

>For some forward rules you said "Not sure if you really want these rules."

Why wouldn't I want these? Would they flood the logs?

================== script v0.2 ========================== 

#!/bin/sh 

# Set variables needed for a 2 interfaces system where interface eth0 
# gets an ip from the isp (cable modem) over dhcp and eth1 is 
# 192.168.0.1 and serves the LAN with 
# ip's in the range 192.168.0.2-192.168.0.10 
IPT=`which iptables` 
DEP=`which depmod` 
INS=`which insmod` 
EXTIF="eth0" 
INTIF="eth1" 
LO="lo" 
LAN="192.168.0.0/24" 

# i need to check this list so it's possible it's not up to date. 
# I used the Dotted Decimal Non-aggregated list 
# of http://www.cymru.com/Documents/bogon-dd.html 
RESERVED_NET=" 
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \ 
10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 \ 
36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 \ 
41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \ 
50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \ 
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \ 
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 \ 
79.0.0.0/8 \ 
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \ 
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 \ 
93.0.0.0/8 94.0.0.0/8 \ 
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 \ 
100.0.0.0/8 101.0.0.0/8 \ 
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 \ 
107.0.0.0/8 \ 
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 \ 
113.0.0.0/8 \ 
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 \ 
119.0.0.0/8 \ 
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 \ 
125.0.0.0/8 \ 
126.0.0.0/8 127.0.0.0/8 \ 
169.254.0.0/16 172.16.0.0/255.240.0.0 \ 
192.0.2.0/24 192.168.0.0/16 \ 
197.0.0.0/8 198.18.0.0/255.254.0.0 \ 
201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"

#Insert necessary modules 
$INS ip_tables 
$INS ip_conntrack 
$INS ip_conntrack_ftp 
$INS ip_conntrack_irc 
$INS iptable_filter 
$INS ipt_limit 
$INS ipt_state 
$INS ipt_unclean 
$INS ipt_LOG 
$INS iptable_nat 
$INS ipt_MASQUERADE 
$INS ip_nat_ftp 

#Clearing any previous configuration 
$IPT -F 
$IPT -X 
$IPT -Z 

$IPT -P INPUT DROP 
$IPT -F INPUT 
$IPT -P OUTPUT DROP 
$IPT -F OUTPUT 
$IPT -P FORWARD DROP 
$IPT -F FORWARD 
$IPT -t nat -F 
$IPT -t nat -X 
$IPT -t mangle -F 
$IPT -t mangle -X 

# Create the chains 
$IPT -N inet_in 
$IPT -N internal_in 
$IPT -N local_in 
$IPT -N checkspoof 
$IPT -N logspoof 
$IPT -N inet_out 
$IPT -N internal_out 
$IPT -N local_out 

# Dynamic IP 
echo "1" > /proc/sys/net/ipv4/ip_dynaddr 

# Reverse path filtering on the external interface (anti-spoofing) 
echo "1" > /proc/sys/net/ipv4/conf/$EXTIF/rp_filter 

# Block all echo requests 
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all 

# Add synflood protection 
echo "1" > /proc/sys/net/ipv4/tcp_syncookies 

# Log martians 
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians 

# Do not accept ICMP redirect messages 
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects 

# Maximum number of tracked connections 
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max 

# Disable ICMP send_redirect 
echo "0" > /proc/sys/net/ipv4/conf/$EXTIF/send_redirects 

# Don't accept source routed packets. 
echo "0" > /proc/sys/net/ipv4/conf/$EXTIF/accept_source_route 

# ICMP Broadcasting protection (smurf amplifier protection) 
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

# ICMP Dead Error Messages protection 
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 

# LooseUDP patch is required by some internet-based games 
# echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose 

# IP forwarding (needed to perform for example NAT) 
# echo "1" > /proc/sys/net/ipv4/ip_forward 

# Reduce DoS'ing ability by reducing timeouts 
# Defaults: 
# echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout 
# echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time 
# echo 1 > /proc/sys/net/ipv4/tcp_window_scaling 
# echo 1 > /proc/sys/net/ipv4/tcp_sack 
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout 
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time 
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling 
echo "0" > /proc/sys/net/ipv4/tcp_sack 

# Set our local port range 
# Default: echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range 
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range 

# Time To Live (TTL) is a data field in the IP header; today it is 
# interpreted as the maximum number of routers a packet may transit. 
echo "64" > /proc/sys/net/ipv4/ip_default_ttl 

# Increase the default queue length. (Kernel default: 1024) 
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen 

# Enable ECN? (Explicit Congestion Notification) 
echo "1" > /proc/sys/net/ipv4/tcp_ecn 


################################################################# 
### logspoof #### 
################################################################# 
$IPT -A logspoof -m limit --limit 3/min \ 
     -j LOG --log-prefix "ip spoofing detected " \ 
     --log-tcp-sequence --log-level info 
$IPT -A logspoof -j DROP 

################################################################# 
### checkspoof #### 
################################################################# 
# this ip is used by my isp for something (don't know what) and 
# is sent every 2 minutes, so I do not even want to log this! 
# Annoying isp. It goes to address 224.0.0.1, which is the 
# IGMP all-hosts multicast address 
$IPT -A checkspoof -s 10.95.11.80 -j DROP 

## Class A Reserved 
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof 

## Class B Reserved 
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof 

## Class C Reserved 
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof 

## Class D Reserved 
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof 

## Class E Reserved 
$IPT -A checkspoof -s 240.0.0.0/5 -j logspoof 

for NET in $RESERVED_NET; do 
    $IPT -A checkspoof -s $NET -j logspoof 
done 

################################################################# 
### inet_in #### 
################################################################# 
### allow inside on firewall machine: ssh, ddt, dhcp replies 

# check for spoofed source addresses before anything is accepted 
$IPT -A inet_in -j checkspoof 
# a NEW tcp connection must start with a SYN 
$IPT -A inet_in -p tcp ! --syn -m state --state NEW \ 
     -j LOG --log-prefix "inet_in: New not syn:" 
$IPT -A inet_in -p tcp ! --syn -m state --state NEW \ 
     -j DROP 
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED \ 
     -j ACCEPT 
$IPT -A inet_in -p tcp --dport 22 -j ACCEPT # allow ssh in 
$IPT -A inet_in -p udp --dport 1052 -j ACCEPT # allow ddt queries in 
# dhcp replies from the isp (server port 67 -> client port 68) 
$IPT -A inet_in -p udp --sport 67 --dport 68 -j ACCEPT 

################################################################ 
### internal_in #### 
################################################################ 
# allow ssh, smtp and imap to the firewall from the lan, and dhcp 
# requests from the lan clients (client port 68 -> server port 67) 
$IPT -A internal_in -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A internal_in -p tcp --dport 22 -j ACCEPT # ssh 
$IPT -A internal_in -p tcp --dport 25 -j ACCEPT # smtp 
$IPT -A internal_in -p tcp --dport 143 -j ACCEPT # imap 
$IPT -A internal_in -p udp --sport 68 --dport 67 -j ACCEPT # dhcp requests 

################################################################ 
### local_in #### 
################################################################ 
$IPT -A local_in -j ACCEPT 

################################################################ 
### inet_out #### 
################################################################ 
### allow outside from firewall machine: ping, dns, 
### proxy of isp (8080), dhcp, news, smtp, 
### www, imap, pop3, ftp (+ftpdata), ssh, ddt 

### replies to connections accepted in inet_in (ssh, ddt) and 
### ftp data connections ### 
$IPT -A inet_out -m state --state ESTABLISHED,RELATED -j ACCEPT 

### all tcp ports ### 
$IPT -A inet_out -p tcp --dport 21 -j ACCEPT # ftp 
$IPT -A inet_out -p tcp --dport 22 -j ACCEPT # ssh 
$IPT -A inet_out -p tcp --dport 25 -j ACCEPT # smtp 
$IPT -A inet_out -p tcp --dport 53 -j ACCEPT # dns 
$IPT -A inet_out -p tcp --dport 80 -j ACCEPT # www 
$IPT -A inet_out -p tcp --dport 110 -j ACCEPT # pop3 
$IPT -A inet_out -p tcp --dport 143 -j ACCEPT # imap 
$IPT -A inet_out -p tcp --dport 1052 -j ACCEPT # ddt ports 
$IPT -A inet_out -p tcp --dport 8080 -j ACCEPT # proxy isp 

### all udp ports ### 
$IPT -A inet_out -p udp --dport 53 -j ACCEPT # dns 
$IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT # DHCP request to isp 
$IPT -A inet_out -p udp --dport 1052 -j ACCEPT # ddt ports 

### all icmp ### 
$IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT 
$IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT 
$IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT 
$IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT 

################################################################# 
### internal_out #### 
################################################################# 
# replies to the lan clients (ssh, smtp, imap) and dhcp offers/acks 
# from the dhcp server on eth1 (server port 67 -> client port 68) 
$IPT -A internal_out -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A internal_out -p udp --sport 67 --dport 68 -j ACCEPT 

################################################################# 
### local_out #### 
################################################################# 
$IPT -A local_out -j ACCEPT 

################################################################# 
### INPUT #### 
################################################################# 
$IPT -A INPUT -i $EXTIF -j inet_in 
$IPT -A INPUT -i $INTIF -j internal_in 
$IPT -A INPUT -i $LO -j local_in 
$IPT -A INPUT -i $EXTIF -p ALL -j LOG \ 
     --log-prefix "INPUT: dropped packets" 
$IPT -A INPUT -i $EXTIF -p ALL -j DROP 

################################################################# 
#### OUTPUT #### 
################################################################# 
$IPT -A OUTPUT -o $EXTIF -j inet_out 
$IPT -A OUTPUT -o $INTIF -j internal_out 
$IPT -A OUTPUT -o $LO -j local_out 
$IPT -A OUTPUT -o $EXTIF -p ALL -j LOG --log-level info \ 
     --log-prefix "OUTPUT: dropped packets" 
$IPT -A OUTPUT -o $EXTIF -p ALL -j DROP 


################################################################# 
#### FORWARD #### 
################################################################# 

# Syn-flood protection: 
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT 

# Furtive port scanner: 
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \ 
     -m limit --limit 1/s -j ACCEPT 

# Ping of death: 
$IPT -A FORWARD -p icmp --icmp-type echo-request \ 
     -m limit --limit 1/s -j ACCEPT 

# Log invalid packets 
$IPT -A FORWARD -m state --state INVALID -j LOG \ 
     --log-prefix "FORWARD: invalid packets" 
$IPT -A FORWARD -m state --state INVALID -j DROP 


#### Not sure if you really want these rules. 
#### --- Why wouldn't i want these? Would they flood the logs?

### allow forwarding to the net from the lan 
### (note: this rule accepts everything from the lan, so the 
### per-port rules below are only reached if it is removed) 
$IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -d ! $LAN -j ACCEPT 

### rules for what is allowed from the lan to the net 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -j ACCEPT # ftp 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT # ssh 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j ACCEPT # smtp 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -j ACCEPT # dns 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p udp --dport 53 -j ACCEPT # dns (udp) 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT # www 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -j ACCEPT # pop3 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 8080 -j ACCEPT # proxy isp 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 0 -j ACCEPT 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 3 -j ACCEPT 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 11 -j ACCEPT 

### allow forwarding to the lan from the net for established 
### or related connections 
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \ 
     -m state --state ESTABLISHED,RELATED -j ACCEPT 

### log all the rest (i shouldn't get packets here?) ### 
$IPT -A FORWARD -p ALL -j LOG --log-level info \ 
     --log-prefix "FORWARD: dropped packets" 
$IPT -A FORWARD -p ALL -j DROP 

############################################################### 
#### POSTROUTING #### 
############################################################### 

$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE 

====================== script v 0.2 ========================= 

------ 
Benedict Verheyen 
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux
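The LAN-to-Internet FORWARD policy described in the reply above (ftp, ssh, smtp, dns, www, pop3, isp proxy and ping out, everything else dropped), written as a small rule generator with a dry-run mode so the rules can be reviewed before they are loaded. This is an added example, not the v0.2 script or any other code from the thread; it assumes the same interface names and LAN range as the script (eth0, eth1, 192.168.0.0/24) and an iptables binary at /sbin/iptables, and with IPT=echo it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: build the LAN -> Internet FORWARD rules from a service list.
# Assumed names (as in the v0.2 script): eth1 is the LAN side, eth0 the ISP
# side, 192.168.0.0/24 the LAN. Set IPT=echo to print instead of loading.
IPT=${IPT:-/sbin/iptables}
INTIF=${INTIF:-eth1}
EXTIF=${EXTIF:-eth0}
LAN=${LAN:-192.168.0.0/24}

# services the LAN may open to the net: ftp, ssh, smtp, dns, www, pop3, isp proxy
LAN_TCP_PORTS="21 22 25 53 80 110 8080"
# DNS lookups are mostly UDP; allowing only tcp/53 breaks the LAN's resolvers
LAN_UDP_PORTS="53"

# one NEW-connection rule per port; -s $LAN keeps a client with a forged
# source address from being forwarded, -i/-o pin the direction to LAN -> net
lan_to_net() {
    proto=$1
    shift
    for port in "$@"; do
        $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" \
             -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

lan_forward_rules() {
    # replies to connections the LAN opened, in either direction
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    lan_to_net tcp $LAN_TCP_PORTS
    lan_to_net udp $LAN_UDP_PORTS
    # ping out from the LAN; the echo-reply comes back as ESTABLISHED
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" \
         -p icmp --icmp-type echo-request -j ACCEPT
    # everything else is logged (rate limited, so it cannot flood syslog) and dropped
    $IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FORWARD: dropped "
    $IPT -A FORWARD -j DROP
}

# dry-run helpers: how many generated rules name a port, and how many in total
rules_for_port() {
    ( IPT=echo; lan_forward_rules ) | grep -c -- "--dport $1 "
}
rule_count() {
    ( IPT=echo; lan_forward_rules ) | grep -c ''
}
```

Run `IPT=echo sh script.sh` style dry runs until the printed rule list matches the intended policy, then load it for real with the default IPT.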
