
Re: ipmasq + port filtering recipe?


In message <1016230298.20826.8.camel@garcon>, Luke Scharf writes:
>I have a machine that's running Debian Potato, a web server, and
>ipmasq.  The machine has an "internal" and an "external" network card.  The
>internal network runs on 10.0.0.0/24 and the external network has a
>static IP address.
>
>I've apt-get install'd the ipmasq package and the IPMasq functionality
>works great.  What I'd like to do now is to use ipchains to do the
>following:
>1. On the external interface, I would like to only accept traffic from
>port 22 and port 80.
>2. The internal interface should be wide open - on the internal network we
>trust the users who are physically in the room not to be malicious.

The ipmasq package sets up things pretty open, so all you need to do is lock
down the external interface.  Just make a copy of the 
/etc/ipmasq/rules/I90external.def file as I90external.rul and add lines.
Here's the netfilter section of my I90external.rul file.  As configured it
allows ssh, smtp, dns (both tcp and udp) and http traffic.

        netfilter)
            # Packets belonging to connections this host already has (replies,
            # related ICMP errors, FTP data) are accepted whatever the port.
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -m state --state ESTABLISHED,RELATED
            # New inbound connections are accepted only for the listed services:
            # ssh, smtp, dns (tcp and udp) and http.  ${i%%:*} strips any ":alias"
            # suffix so iptables is given the physical interface name.
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 22:22 -m state --state NEW
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 25:25 -m state --state NEW
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 53:53 -m state --state NEW
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p udp --dport 53:53
            $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/32 -p tcp --dport 80:80 -m state --state NEW
            # Replies addressed to the interface's broadcast address, if it has one.
            if [ -n "$BCOFIF" ]; then
                $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $BCOFIF/32 -m state --state ESTABLISHED,RELATED
            fi
            ;;

Since there's no general accept line here (it used to be that first line, but
I changed it to use state), anything that doesn't match falls through and is
denied.  You may also want to add '-m state --state ESTABLISHED,RELATED' to
the ACCEPT line in I90extbcast.def as well; otherwise you'll end up
allowing general broadcast packets.  If you want to be excessively paranoid,
you'll want a rule that re-assembles any fragments.  I have an I85fragments.rul
file that does this.  Here's the relevant line:
    $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -f

-- 
Ted Cabeen           http://www.pobox.com/~secabeen            ted@impulse.net 
Check Website or Keyserver for PGP/GPG Key BA0349D2         secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen@netcom.com
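As an added illustration (not from Ted's message and not part of the ipmasq package), here is a small POSIX sh function that generates the same kind of default-deny external rule set for an arbitrary list of ports, so the recipe above can be reused for other services. The names i, IPOFIF, BCOFIF and IPTABLES are assumed to mean what they mean in the rule file above (interface, its address, its broadcast address, the iptables binary); IPTABLES defaults to echo so the rules are printed for inspection instead of being applied.

```shell
#!/bin/sh
# Added example, not part of the original message or of ipmasq.  It builds
# an INPUT rule set in the style of an I90external.rul "netfilter)" section
# for any list of ports.  The names i, IPOFIF, BCOFIF and IPTABLES are
# assumed to carry the meaning they have in ipmasq rule files (interface,
# its address, its broadcast address, the iptables binary).

# external_rules IFACE ADDRESS "PORT/PROTO ..." [BROADCAST]
# Prints (IPTABLES=echo, the default here) or installs (IPTABLES=/sbin/iptables)
# one ESTABLISHED,RELATED accept, one accept per listed service, and the
# optional broadcast accept.  There is deliberately no catch-all accept:
# anything not matched falls through to whatever follows in the chain, which
# must be a DROP/REJECT rule or a DROP policy for this to be a deny.
external_rules() {
    i=$1                      # interface, possibly with an alias suffix (eth0:1)
    IPOFIF=$2                 # address bound to that interface
    ports=$3                  # e.g. "22/tcp 25/tcp 53/tcp 53/udp 80/tcp"
    BCOFIF=$4                 # broadcast address; empty if none
    IPTABLES=${IPTABLES:-echo}
    dev=${i%%:*}              # strip ":alias" so iptables gets the real device

    # Traffic belonging to connections this host already has (replies,
    # ICMP errors, FTP data) is accepted regardless of port.
    $IPTABLES -A INPUT -j ACCEPT -i "$dev" -d "$IPOFIF/32" \
        -m state --state ESTABLISHED,RELATED

    for spec in $ports; do
        port=${spec%/*}
        proto=${spec#*/}
        case $proto in
            tcp)
                # Only the first packet of a new connection needs a port rule;
                # the rest of the conversation is covered by ESTABLISHED above.
                $IPTABLES -A INPUT -j ACCEPT -i "$dev" -d "$IPOFIF/32" \
                    -p tcp --dport "$port" -m state --state NEW ;;
            udp)
                $IPTABLES -A INPUT -j ACCEPT -i "$dev" -d "$IPOFIF/32" \
                    -p udp --dport "$port" ;;
            *)
                # A spec without "/tcp" or "/udp" ends up here and is refused
                # rather than silently producing a rule with no protocol.
                echo "external_rules: bad port spec '$spec'" >&2
                return 1 ;;
        esac
    done

    # Replies addressed to the interface's broadcast address, if it has one.
    if [ -n "$BCOFIF" ]; then
        $IPTABLES -A INPUT -j ACCEPT -i "$dev" -d "$BCOFIF/32" \
            -m state --state ESTABLISHED,RELATED
    fi
}
```

Running `external_rules eth0:1 192.0.2.10 "22/tcp 80/tcp"` prints the ESTABLISHED,RELATED rule followed by two NEW-state accepts, all with `-i eth0` (the alias suffix stripped); exporting IPTABLES=/sbin/iptables first installs them instead. As in the rule file above, UDP gets no state match and the absence of a final ACCEPT is what makes everything else fall through and be denied.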
