Re: ipmasq + port filtering recipe?
At 03:11 PM 3/15/2002, Luke Scharf wrote:
I've searched http://groups.google.com and the web for a quick
recipe. I've also scanned the general documentation, but I haven't
figured out exactly how to do this yet.
I have a machine that's running Debian Potato, a web server and
ipmasq. The machine has an "internal" and an "external" network card. The
internal network runs on 10.0.0.0/24 and the external network has a
static IP address.
I've apt-get install'd the ipmasq package and the IPMasq functionality
works great. What I'd like to do now is to use ipchains to do the
following:
1. On the external interface, I would like to only accept traffic from
port 22 and port 80.
2. The internal interface should be wide open - on the internal network we
trust the users who are physically in the room not to be malicious.
Can you all point me to a recipe on how to do this? Is there any
documentation that applies to this specific situation?
Here's a (really really super) basic recipe.
In this example, eth0 is external and eth1 is internal:
======================================
#!/bin/sh
# eth0 = external interface, eth1 = internal interface
echo " - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "1" > "$file"
done
echo " - Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 10 60
/sbin/modprobe ip_masq_ftp
# flush everything, then deny inbound and forwarded traffic by default
/sbin/ipchains -F
/sbin/ipchains -P input DENY
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
# loopback stays open so local services keep working
/sbin/ipchains -A input -i lo -j ACCEPT
# ipchains needs a protocol (-p) whenever a port is given
/sbin/ipchains -A input -i eth0 -p tcp -d 0/0 22 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp -d 0/0 80 -j ACCEPT
# replies to masqueraded connections come back to the 61000:65095 port
# range and pass the input chain before being demasqueraded; "! -y"
# refuses packets that try to open a new connection to that range
/sbin/ipchains -A input -i eth0 -p tcp ! -y -d 0/0 61000:65095 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p udp -d 0/0 61000:65095 -j ACCEPT
# internal side is wide open
/sbin/ipchains -A input -i eth1 -j ACCEPT
# masquerade everything leaving the internal network
/sbin/ipchains -A forward -s 10.0.0.0/24 -j MASQ
======================================
No port forwarding, really basic... (this script has no warranty that it
will work... but it *is* a highly condensed simple version of what we run here,
so I rate the chances as pretty good that it'll work).
One question though... while you trust your users not to be malicious,
do you trust your users not to accidentally open a malicious email
attachment, accidentally browse a malicious website with a vulnerable
browser, or other mistakes?
If not, you might want to tighten down outbound traffic as well.
Jer
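As an added example (not code from Jer's or Luke's mail), here is a dry-run generator for the "tighten down outbound traffic" variant Jer hints at: the forward chain only masquerades a short list of services from the LAN and logs everything else it denies, while the input chain on eth0 admits only ssh, http and replies to masqueraded connections. It assumes eth0/eth1 and 10.0.0.0/24 from the question; the permitted outbound ports (TCP 22, 80, 443 and UDP 53) are a sample choice, and the masq port range 61000:65095 is the one the 2.2 kernel uses.

```shell
# Constructed example: prints the ipchains commands by default (IPCHAINS=echo);
# set IPCHAINS=/sbin/ipchains to apply them on the gateway for real.
IPCHAINS="${IPCHAINS:-echo}"
EXT_IF="eth0"             # external interface (assumed, as in the recipe)
INT_IF="eth1"             # internal interface
LAN="10.0.0.0/24"         # internal network from the question
MASQ_PORTS="61000:65095"  # port range the 2.2 kernel uses for masqueraded sessions

lan_outbound_rules() {
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY
    # loopback must stay open or local services break
    $IPCHAINS -A input -i lo -j ACCEPT
    # services the gateway itself offers on the external side
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d 0/0 22 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d 0/0 80 -j ACCEPT
    # replies to masqueraded connections arrive on the masq port range and
    # pass the input chain before demasquerading; "! -y" refuses new SYNs there
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -d 0/0 "$MASQ_PORTS" -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -d 0/0 "$MASQ_PORTS" -j ACCEPT
    # internal interface wide open, as Luke asked
    $IPCHAINS -A input -i "$INT_IF" -j ACCEPT
    # outbound from the LAN: ssh, http, https and DNS only
    # (in the forward chain, -i names the *outgoing* interface)
    for port in 22 80 443; do
        $IPCHAINS -A forward -i "$EXT_IF" -p tcp -s "$LAN" -d 0/0 "$port" -j MASQ
    done
    $IPCHAINS -A forward -i "$EXT_IF" -p udp -s "$LAN" -d 0/0 53 -j MASQ
    # log (-l) what is dropped so a desktop that starts calling out shows up in syslog
    $IPCHAINS -A forward -s "$LAN" -l -j DENY
}

# self-check for the dry run: number of generated rules that masquerade
count_masq_rules() {
    lan_outbound_rules | grep -c -- '-j MASQ'
}

lan_outbound_rules
```

Run it once with the default `echo` to review the rule list, then again with `IPCHAINS=/sbin/ipchains` on the gateway.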