
Re: ipmasq + port filtering recipe?



At 03:11 PM 3/15/2002, Luke Scharf wrote:
I've searched http://groups.google.com and the web for a quick
recipe.  I've also scanned the general documentation, but I haven't
figured out exactly how to do this yet.

I have a machine that's running Debian Potato, a web server and
ipmasq.  The machine has an "internal" and an "external" network card.  The
internal network runs on 10.0.0.0/24 and the external network has a
static IP address.

I've apt-get install'd the ipmasq package and the IPMasq functionality
works great.  What I'd like to do now is to use ipchains to do the
following:
1. On the external interface, I would like to only accept traffic on
port 22 and port 80.
2. The internal interface should be wide open - on the internal network we
trust the users who are physically in the room not to be malicious.

Can you all point me to a recipe on how to do this?  Is there any
documentation that applies to this specific situation?

Here's a (really really super) basic recipe.
In this example, eth0 is external and eth1 is internal.
======================================
# eth0 is the external interface, eth1 the internal one (10.0.0.0/24).
echo "  - Disabling IP Spoofing attacks."
# Reverse-path filtering: drop packets whose source address would not
# be routed back out through the interface they arrived on.
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
 echo "1" > "$file"
done

echo "  - Changing IP masquerading timeouts."
# Masquerade table timeouts: TCP 7200s, TCP after FIN 10s, UDP 60s.
/sbin/ipchains -M -S 7200 10 60

# Helper module so active-mode FTP works through masquerading.
/sbin/modprobe ip_masq_ftp

ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
# ipchains only matches ports for TCP/UDP, so -p tcp is required here.
ipchains -A input -i eth0 -p tcp -d 0/0 22 -j ACCEPT
ipchains -A input -i eth0 -p tcp -d 0/0 80 -j ACCEPT
# Added: masqueraded replies are demasqueraded only after the input chain,
# so non-SYN TCP and UDP to the kernel's masq port range must be let in.
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
ipchains -A input -i eth0 -p udp -d 0/0 61000:65096 -j ACCEPT
ipchains -A input -i eth1 -j ACCEPT
ipchains -A forward -s 10.0.0.0/24 -j MASQ
======================================
No port forwarding, really basic... (this script has no warranty that it
will work, but it *is* a highly condensed simple version of what we run here,
so I rate the chances as pretty good that it'll work.)

One question though... while you trust your users not to be malicious,
do you trust your users not to accidentally open a malicious email
attachment, accidentally browse a malicious website with a vulnerable
browser, or other mistakes?

If not, you might want to tighten down outbound traffic as well.


Jer
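To check what a ruleset like this does before loading it on a box, here is an added example (mine, not Jer's and not the ipmasq package's): a hypothetical first-match walker in POSIX sh over the recipe's three input-chain accept rules (22 and 80 on eth0, everything on eth1), with sample packets constructed inline. It assumes ipchains' first-match-wins evaluation with the chain policy as fallback, and treats the port rules as TCP-only, since ipchains matches a port only when -p tcp or -p udp is given.

```shell
#!/bin/sh
# Added illustration, not part of the posted recipe: a hypothetical
# first-match walker over the recipe's "input" chain accept rules.
# Rule table constructed here: "iface proto dport target", "any" = wildcard.
INPUT_POLICY=DENY
INPUT_RULES='
eth0 tcp 22 ACCEPT
eth0 tcp 80 ACCEPT
eth1 any any ACCEPT
'

# Does rule field $1 accept packet field $2?  "any" matches everything.
field_matches() {
    [ "$1" = any ] || [ "$1" = "$2" ]
}

# input_verdict IFACE PROTO DPORT: prints the target of the first rule
# the packet matches, or the chain policy when no rule matches.
input_verdict() {
    verdict=$(printf '%s\n' "$INPUT_RULES" |
        while read -r r_if r_proto r_port r_target; do
            [ -n "$r_if" ] || continue          # skip blank lines
            field_matches "$r_if" "$1" || continue
            field_matches "$r_proto" "$2" || continue
            field_matches "$r_port" "$3" || continue
            echo "$r_target"                    # first match wins
            break
        done)
    echo "${verdict:-$INPUT_POLICY}"
}

# Probe a few constructed packets the way a rule review would.
for pkt in "eth0 tcp 22" "eth0 tcp 25" "eth1 tcp 25" "eth0 udp 61234"; do
    # word splitting of $pkt into iface/proto/port is intended
    echo "$pkt -> $(input_verdict $pkt)"
done
```

Probing a reply-style packet (eth0 udp 61234) against only these three rules lands on the DENY policy, which is why a masquerading firewall needs explicit input rules for return traffic on the external interface.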
