is my firewall setup good?
Hi all,
As I'm not a network specialist, I'd like your advices about
my firewall setup.
CONFIG: station, 2.2.10, (192.168.1.2)
server, 2.2.10, (192.168.1.1), 2 ehernet cards,
LAN in 192.168.1.0, WEB (cable-modem) in DHCP lease ADDR
ipmasq,
(no IP-in-IP, nor encapsulation, ...)
As there are some jerks, especially in france, who already tryied
to access my server, I don't want anybody to do that. But I'd like
to acces anywhere from the station and the server.
Any constructive criticisms will be welcomed.
JY
# Firewall Setup
# 1999-13-09 - Ver. 1.31 #
################################################ DATA GENERAL
IF_LAN=eth1
IF_WEB=eth0
IF_LAN_ADDR=192.168.1.1/32
LAN_ADDR=192.168.1.0/30
# Recover the DHCP leased ADDR from ifconfig
IF_WEB_ADDR=`/sbin/ipofif $IF_WEB`
################################################ POLICIES &/| TESTS
# Flush all
ipchains -F input
ipchains -F output
ipchains -F forward
# TEST ONLY
#ipchains -F LAN-WEB
#ipchains -F WEB-LAN
#ipchains -F ICMP-FLT
#ipchains -F IFinWEB
#ipchains -F IFoutWEB
#ipchains -F IFinLAN
#ipchains -F IFoutLAN
## ATTENTION: If policies = DENY => DON'T WORK <=> ACCEPT (?????)
## Every docs says DENY but it don't work!
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
################################################ SECURE LAN & WEB DURING SETUP
ipchains -A input -i ! lo -j DENY
ipchains -A output -i ! lo -j DENY
ipchains -A forward -j DENY
################################################ ICMPs FILTER
## NO ENDING DENY: Only under-chains returning to caller
# ICMPs chain
ipchains -N ICMP-FLT
# Let valid ICMPs passing through
ipchains -A ICMP-FLT -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type parameter-problem -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A ICMP-FLT -p icmp --icmp-type pong -j ACCEPT
# log bad ICMPs demands
ipchains -A ICMP-FLT -p icmp --icmp-type address-mask-request -j DENY -l
ipchains -A ICMP-FLT -p icmp --icmp-type router-solicitation -j DENY -l
ipchains -A ICMP-FLT -p icmp --icmp-type redirect -j DENY -l
ipchains -A ICMP-FLT -p icmp --icmp-type timestamp-request -j DENY -l
################################################ INPUT
# INPUT chains & jumps
ipchains -N IFinLAN
ipchains -A input -i $IF_LAN -j IFinLAN
ipchains -N IFinWEB
ipchains -A input -i $IF_WEB -j IFinWEB
# Local Ok
ipchains -A input -i 127.0.0.1 -j ACCEPT
# I/F LAN --- INPUT
ipchains -A IFinLAN -i $IF_LAN -s ! $LAN_ADDR -d 0/0 -j DENY -l
ipchains -A IFinLAN -i $IF_LAN -s 0/0 -d 0/0 -j ACCEPT
ipchains -A IFinLAN -i $IF_LAN -s 0/0 -d 0/0 -j DENY -l
# I/F WEB --- INPUT
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d ! $IF_WEB_ADDR/32 -j DENY # if ADDR <> DHCP-WEB, DENY
# Classe C (192.168.0.0 - 192.168.255.0)
ipchains -A IFinWEB -i $IF_WEB -s 192.168.0.0/255.255.0.0 -d $IF_WEB_ADDR/32 -j DENY -l
# local IF (127.0.0.0-127.0.0.1)
ipchains -A IFinWEB -i $IF_WEB -s 127.0.0.0/31 -d $IF_WEB_ADDR/32 -j DENY -l
# Classe B (172.16.0.0 - 176.31.0.0)
ipchains -A IFinWEB -i $IF_WEB -s 172.16.0.0/255.240.0.0 -d $IF_WEB_ADDR/32 -j DENY -l
# Classe A (10.0.0.0)
ipchains -A IFinWEB -i $IF_WEB -s 10.0.0.0/255.0.0.0 -d $IF_WEB_ADDR/32 -j DENY -l
# AUTHORISATIONS
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p tcp --dport 1024:5999 -j ACCEPT # TCP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p tcp --dport 6011:65535 -j ACCEPT # TCP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p udp --dport 1024:65535 -j ACCEPT # UDP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p udp --dport 6011:65535 -j ACCEPT # UDP
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p icmp -j ICMP-FLT
## ?? Netscape seems to need this port to be opened (w/88?)
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d $IF_WEB_ADDR/32 -p tcp --dport 113 -j ACCEPT # TCP
# log the rest
ipchains -A IFinWEB -i $IF_WEB -s 0/0 -d 0/0 -j DENY -l
################################################ OUTPUT
# OUTPUT chains & jumps
ipchains -N IFoutLAN
ipchains -A output -i $IF_LAN -j IFoutLAN
ipchains -N IFoutWEB
ipchains -A output -i $IF_WEB -j IFoutWEB
# Local Ok
ipchains -A output -i 127.0.0.1 -j ACCEPT
# I/F LAN --- OUTPUT
ipchains -A IFoutLAN -i $IF_LAN -s 0/0 -d ! $LAN_ADDR -j DENY -l # if ADDR <> LAN, DENY & log
ipchains -A IFoutLAN -i $IF_LAN -s 0/0 -d 0/0 -j ACCEPT
# I/F WEB --- OUTPUT
ipchains -A IFoutWEB -i $IF_WEB -s 0/0 -d 0/0 -p tcp --dport 1:1023 -j ACCEPT
ipchains -A IFoutWEB -i $IF_WEB -s 0/0 -d 0/0 -p udp --dport 1:1023 -j ACCEPT
ipchains -A IFoutWEB -i $IF_WEB -s 0/0 -d 0/0 -p icmp -j ACCEPT
ipchains -A IFoutWEB -i $IF_WEB -j DENY -l
################################################ FORWARDING LAN <-> WEB
# FORWARDING
ipchains -N LAN-WEB
ipchains -N WEB-LAN
ipchains -A forward -i $IF_WEB -s $LAN_ADDR -d 0/0 -j LAN-WEB
ipchains -A input -i $IF_LAN -j WEB-LAN
ipchains -A forward -j DENY -l
###################################
# WEB > LAN
ipchains -A WEB-LAN -j DENY
####################################
# LAN > WEB
# In order to gain time, ordering must be done from the more used to the less
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport www -j MASQ # > WWW Ok
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport ftp -j MASQ # > FTP Ok
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport ftp-data -j MASQ # > FTP-DATA Ok
ipchains -b -A LAN-WEB -s $LAN_ADDR -d 0/0 -p udp --dport domain -j MASQ
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport nntp -j MASQ # > NNTP Ok (news)
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport smtp -j MASQ # > SMTP Ok
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport pop-3 -j MASQ # > POP-3 Ok
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p udp --dport pop-3 -j MASQ # ??
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport telnet -j MASQ # > TELNET Ok
## ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport gopher -j MASQ # > GOPHER Ok
## ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport ssh -j MASQ # > SSH no instant use
## ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p udp --dport 33434:33500 -j MASQ # ??? what is it ???
# Netscape seems to nedd that (w/113??)
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p tcp --dport 88 -j MASQ
# forwarde MY pings
ipchains -A LAN-WEB -s $LAN_ADDR -d 0/0 -p icmp --icmp-type ping -j MASQ # > PING Ok
ipchains -A LAN-WEB -j REJECT -l
################################################ Ok already finished!
# Freeing communications: zap the locks lines
ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1
###############################################################################
## !!! AUTORISING FORWARDING !!! (don't forget!)
echo 1 > /proc/sys/net/ipv4/ip_forward
###############################################################################
Reply to: