
Re: A query on ipchains



I'd check out http://www.linux-firewall-tools.com/

It has a good guide on setting up a LAN, firewalling, and various
basic network security issues.  It also has an automatic firewall
generation tool, but it's better to use the firewall it generates
as a guide to writing your own rather than just plugging it in
and trying to use it (which resulted in days of headaches for me
before I rewrote the thing from scratch), and I don't think the
tool can handle three network interfaces (although you can run
it twice, and then merge the outputs into a single script).

Anyway, you're going to be using the computer as a router, basically.
Networks B and C are going to be plugged only into the Linux box, and
not into each other at any other point, right?  If that's the
case, then you will of course need to turn on IP forwarding, you'll
need to set up the gateway machine to masquerade traffic between
Networks A and B and networks A and C, and you'll need to set the
gateway on Network A to the gateway of your ISP.  You do not need
to set a gateway for networks B or C on the gateway machine itself,
because there's nowhere else for it to go on those networks!  Make
sure you set the netmask correctly, though (for Network C you could
set it to 1.1.1.0/27 to give you a range of 1.1.1.0 to 1.1.1.32,
or to 1.1.1.0/26 to give you a range of 1.1.1.0 to 1.1.1.64... take
your pick.)

On your network B machines, you'll want to specify the network
B IP address of the gateway machine as the gateway, and on the
network C address, you'll want to specify the network C IP
address of the gateway machines as the gateway.

For the firewall itself, if you need it up quickly, I'd run
the tool at linux-firewall-tools.com twice, one for each
network, and then carefully edit them into one script, also
setting rules for communication between the two local subnets.

If you really want to get into it, read the TrinityOS documentation.
I don't have a URL handy, but you can find it.  If you can,
print it out, especially if you can print it on somebody else's
printer (it's about 600 pages or so in landscape mode...).  It's
a brilliant network security document for Linux.  Just very long....
and dry.....

Anyway, the firewall sequence should go something like this:

1.  Load modules.

2.  Flush the firewall.

3.  Set default rules:  input DENY, output and forward REJECT
is the most popular setup, but it's also one of the hardest
to get working correctly.

4.  Allow unlimited traffic on the loopback interface.

5.  Allow unlimited input/output with each of the local
networks.

6.  Masquerade traffic between the local interfaces and the
Internet.  (I don't know if you want the two networks
communicating with each other, but you don't need masqing
with that, just allow input/output between the two
networks.)

7.  Allow specific services between the local world and the
Internet.  See the linux-firewall-tools firewall
for examples of this.  Everything else is rejected or dropped.
This is a pain having to explicitly allow everything, but
it's the most secure way.

Also early in the process there's other fun stuff you typically
do... i.e. block out packets from the Internet with invalid
source addresses (i.e. your own IP address, class A, B, or C
addresses, broadcasts, etc.), there's also a number of things
in /proc you typically have your firewall fiddle with for
various forms of spoofing and DOS protection.

E-mail me if you want a copy of my firewall: it's based
loosely on the Linux-firewall-tools firewall but was
rewritten so that it actually works for me -- you have one
more network, so you'd have to duplicate most parts of it
for the other network, but it should be a start.


On Fri, Jul 07, 2000 at 12:30:23PM +0200, Koala wrote:
> No, not really....
> 
> Network A (Internet)
> Network B (10.10.10.1/24)
> Network C (1.1.1.1/24)
> 
> Currently, the normal internal (Network B) work stations use one default gateway.
> Let's say it is 10.10.10.1, and the IP Addresses of the work stations would be in
> the class 10.10.10.1/24. Network C is a small group of 5 protected computers, lost
> on a HUB. Their IP Addresses are 1.1.1.1/24 . My idea, was, to have Network C going
> through a default gateway of 1.1.1.1 (Debian with ipchains) where the second
> interface card goes to the normal network B (10.10.10.1) Therefore, Network C can
> see Network B, but Network B can't access Network C. So, the ipchains box for
> network C would have two ethernet cards with the following configuration :
> 
> Network B    eth0 10.10.10.42    gw    10.10.10.1
> Network C    eth1 1.1.1.1    gw    10.10.10.42
> 
> The IP 10.10.10.1 would correspond to the ipchains box of network B. I hope this
> clears something up :)
> 
> Unfortunately I don't have a way with words, so I kind of explain myself in a bad way?
> Thanks for your time and patience....
> 
> Much Respect !
> 
> Koala
> 
> Marco Giardini wrote:
> 
> > On Fri, Jul 07, 2000 at 12:03:16PM +0200, Mr.Koala wrote:
> > > Hi List,
> > >
> > > I was wondering if someone could point to a vast area about ipchains. I
> > > am trying to mount a debian box with ipchains and two network cards. The
> > > two network cards part is going fine I think, as I am also getting help
> > > to install an NE2000 as eth1. Anyway, staying on the point, the basis is
> > > to connect a secure internal/internal network (Network C), to the normal
> > > internal network (Network B). Network B is actually connected to the
> > if you have 3 networks (DMZ, internet and a LAN) you probably need 3
> > eth cards. Or have I lost something???
> >
> > .oesse.
> > >
> > > Koala
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
> > --
> > ------------------------------------------------------------------
> > Marco Giardini
> > TecnoGi spa                                   Tel. +39 0321 885422
> > Strada per Gravellona                         Fax  +39 0321 885333
> > Borgolavezzaro (NO)                         http://www.tecnogi.com
> > Key fingerprint = B5 B4 AA 91 89 50 43 8F  B1 6B C6 8C 34 79 5A 7F
> >

-- 
Craig McPherson
Network Admin
Baptist Student Union
Fayetteville, Arkansas
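The firewall sequence laid out in the reply above, written out as an added example that is not part of the original message, of the linux-firewall-tools generator, or of TrinityOS: a POSIX shell script for a gateway with three interfaces (modules, flush, default policies, loopback, local networks, masquerading, explicitly allowed services, anti-spoofing, /proc settings). The interface names eth0/eth1/eth2, the list of outbound TCP services, the loaded module and the one-way LAN policy (Network C may reach Network B but not the reverse, as Koala described) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: ipchains rules for a
# three-interface gateway following the posted sequence. Interface names,
# the allowed-service list and the LAN-to-LAN policy are assumptions.

EXT_IF=${EXT_IF:-eth0}              # Network A: Internet side
NETB_IF=${NETB_IF:-eth1}            # Network B: normal internal LAN
NETC_IF=${NETC_IF:-eth2}            # Network C: protected LAN
NETB=${NETB:-10.10.10.0/24}
NETC=${NETC:-1.1.1.0/24}
TCP_OUT=${TCP_OUT:-"22 25 80 443"}  # TCP services LAN hosts may reach outside

# run: execute a command, or only print it when DRY_RUN=1 (preview mode).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# proc_set: write a value to a /proc tunable (printed in preview mode).
proc_set() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

load_modules() { run modprobe ip_masq_ftp; }   # active-mode FTP through MASQ

flush_firewall() {
    run ipchains -F          # empty the built-in chains
    run ipchains -X          # delete any user-defined chains
}

set_policies() {
    run ipchains -P input DENY
    run ipchains -P output REJECT
    run ipchains -P forward REJECT
}

allow_loopback() {
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT
}

# Unrestricted traffic between the gateway and each directly attached LAN.
allow_local_nets() {
    for pair in "$NETB_IF $NETB" "$NETC_IF $NETC"; do
        set -- $pair
        run ipchains -A input -i "$1" -s "$2" -j ACCEPT
        run ipchains -A output -i "$1" -d "$2" -j ACCEPT
    done
}

# Packets from the Internet must not carry a local, private, loopback or
# broadcast source address: log (-l) and drop them.
anti_spoofing() {
    for bad in "$NETB" "$NETC" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               127.0.0.0/8 255.255.255.255; do
        run ipchains -A input -i "$EXT_IF" -s "$bad" -j DENY -l
    done
}

# Masquerade both LANs toward the Internet (in the forward chain, -i is the
# outgoing interface).
masquerade() {
    run ipchains -A forward -i "$EXT_IF" -s "$NETB" -j MASQ
    run ipchains -A forward -i "$EXT_IF" -s "$NETC" -j MASQ
}

# Network C may open connections to Network B; only TCP packets without the
# SYN flag (! -y) flow back, so B cannot initiate connections into C.
forward_between_lans() {
    run ipchains -A forward -i "$NETB_IF" -s "$NETC" -d "$NETB" -j ACCEPT
    run ipchains -A forward -i "$NETC_IF" -p tcp ! -y -s "$NETB" -d "$NETC" -j ACCEPT
}

# Only explicitly allowed services cross the Internet interface; everything
# else falls to the default policies.
allow_services() {
    for port in $TCP_OUT; do
        run ipchains -A output -i "$EXT_IF" -p tcp -d 0.0.0.0/0 "$port" -j ACCEPT
        run ipchains -A input -i "$EXT_IF" -p tcp ! -y -s 0.0.0.0/0 "$port" -j ACCEPT
    done
    run ipchains -A output -i "$EXT_IF" -p udp -d 0.0.0.0/0 53 -j ACCEPT   # DNS
    run ipchains -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -j ACCEPT
}

# Kernel-side protection: forwarding on, reverse-path filtering per interface,
# SYN cookies, and no replies to broadcast pings.
proc_settings() {
    proc_set /proc/sys/net/ipv4/ip_forward 1
    for ifc in all "$EXT_IF" "$NETB_IF" "$NETC_IF"; do
        proc_set "/proc/sys/net/ipv4/conf/$ifc/rp_filter" 1
    done
    proc_set /proc/sys/net/ipv4/tcp_syncookies 1
    proc_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
}

build_firewall() {
    load_modules; flush_firewall; set_policies; allow_loopback
    allow_local_nets; anti_spoofing; masquerade; forward_between_lans
    allow_services; proc_settings
}

case "${1:-}" in
    apply)   build_firewall ;;              # run as root on the gateway
    preview) DRY_RUN=1; build_firewall ;;   # print the commands only
esac
```

`sh fw.sh preview` prints every command without touching the kernel, which is the easiest way to review the rule order before `sh fw.sh apply` installs it. ipchains is stateless, so the `! -y` rules are what let replies come back through the `DENY`/`REJECT` policies; they cover TCP only, and UDP or ICMP between the two LANs would need rules of its own.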


