
Re: Proper place for IPCHAINS rules



To help you a little I have two scripts I use at boot:
/etc/init.d/ipchains and
/etc/init.d/sysctl

Don't ask me why they are not in base, they should be!
Or at least scripts that are similar ;-)
They are both security sensitive!

To enable them at boot I have done:
root# cd /etc/rcS.d
root# ln -s ../init.d/ipchains S39ipchains
root# ln -s ../init.d/sysctl S39sysctl

You should start ipchains as soon as you have your IP ;-)

!!! After the scripts there is more info and examples of the .conf files !!!
Here are the scripts:

---> begin ipchains <----

#! /bin/sh
# Script to setup ipchains
#
# Written by Onno Ebbinge <ebbin200@tech.nhl.nl>
# Version 1.1 (08-Jul-1999)
#
# Run this script before the network is launched.
#
# DHCP users must run this script as soon as they have their IP number.
# They will be vulnerable during this time but in most cases this will
# be a fraction of a second.

# If no ipchains, do nothing.
[ -f /sbin/ipchains ] || exit 0

case "$1" in
        start)
                echo -n "Setting up ipchains... "
                /sbin/ipchains -P input DENY
                /sbin/ipchains -P forward DENY
                /sbin/ipchains -P output DENY
                /sbin/ipchains -F
                /sbin/ipchains -X
                # Only report success if ipchains-restore itself succeeded;
                # otherwise flush whatever it managed to load and fall back
                # to a loopback-only ruleset.
                if [ -e /etc/ipchains.conf ] &&
                   /sbin/ipchains-restore < /etc/ipchains.conf > /dev/null; then
                        echo "done."
                else
                        echo "FAILED!"
                        echo "WARNING: Setting up ipchains with only the loopback interface enabled!"
                        /sbin/ipchains -F
                        /sbin/ipchains -A input -i lo -j ACCEPT
                        /sbin/ipchains -A output -i lo -j ACCEPT
                fi
                ;;
        stop)
                echo -n "Turning off ipchains, except loopback interface... "
                /sbin/ipchains -P input DENY
                /sbin/ipchains -P forward DENY
                /sbin/ipchains -P output DENY
                /sbin/ipchains -F
                /sbin/ipchains -X
                /sbin/ipchains -A input -i lo -j ACCEPT
                /sbin/ipchains -A output -i lo -j ACCEPT
                echo "done."
                echo "BEWARE: Only the loopback interface is enabled!"
                ;;
        *)
                echo "Usage: /etc/init.d/ipchains {start|stop}"
                exit 1
                ;;
esac

exit 0

---> end ipchains <----


---> begin sysctl <----

#! /bin/sh
# Script to setup various kernel parameters with sysctl
#
# Written by Onno Ebbinge <ebbin200@tech.nhl.nl>
# Version 1.0 (04-Jul-1999)
#
# Because there are kernel parameters that influence system and network
# security you should run this script before the network is launched.

# If no sysctl, do nothing.
[ -f /sbin/sysctl ] || exit 0

case "$1" in
        start)
                echo -n "Setting up various kernel parameters... "

                # Kernel parameter settings can be put in /etc/sysctl.conf
                # without the leading /proc/sys/ part.
                # BEWARE: the version of sysctl that I use doesn't
                # allow a newline at the end of the config file.
                if [ -e /etc/sysctl.conf ]; then
                        /sbin/sysctl -p /etc/sysctl.conf > /dev/null
                        echo "done."
                else
                        echo "FAILED!"
                        echo "WARNING: Some kernel security options could be disabled!"
                fi

                # Any kernel parameter initialization that is similar
                # in nature to the setup of IP spoof protection below
                # should be done in a similar fashion as the IP spoof
                # protection below.
                echo -n "Setting up IP spoofing protection... "
                if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
                        # Enable reverse-path filtering on every interface
                        # (including 'all' and 'default').
                        for d in /proc/sys/net/ipv4/conf/*/rp_filter; do
                                echo 1 > "$d"
                        done
                        echo "done."
                else
                        echo "FAILED!"
                        echo "WARNING: You do NOT have IP spoofing protection!"
                        echo "WARNING: This can be a SERIOUS security threat!"
                fi
                ;;
        stop)
                echo -n "Turning 'off' various kernel parameters... "

                # Turning 'off' kernel parameters sounds a bit silly but
                # there are circumstances in which you would 'reset' some
                # parameters.
                /sbin/sysctl -w net/ipv4/ip_forward=0 > /dev/null
                /sbin/sysctl -w net/ipv4/ip_local_port_range="1024 4999" > /dev/null
                echo "done."
                ;;
        *)
                echo "Usage: /etc/init.d/sysctl {start|stop}"
                exit 1
                ;;
esac

exit 0

---> end sysctl <----

To save our ipchains in the right conf file use:
root# ipchains-save > /etc/ipchains.conf

Here is my /etc/sysctl.conf file:
(the version of sysctl that I use doesn't
 allow a newline at the end of the config file!)
I use Kernel 2.2.13, so the defrag part must be here!

---> begin sysctl.conf <---

net/ipv4/ip_always_defrag=1
net/ipv4/tcp_syncookies=1
net/ipv4/ip_local_port_range=32768 59999
net/ipv4/ip_forward=1

---> end sysctl.conf <---
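As an added example (not the poster's script), here is a small POSIX sh helper set that applies and audits a sysctl.conf written in the `net/ipv4/key=value` form shown above, and that does the same `rp_filter` check the sysctl init script does with its `for` loop. The `/proc/sys` root is a parameter, so the functions can be exercised on a constructed directory tree (`make_demo_tree`, which stands in for a live kernel) rather than on the real `/proc/sys`; the conf file it builds deliberately has no trailing newline, and the read loop copes with that.

```shell
#!/bin/sh
# Added example, not the original poster's script: apply and audit a
# sysctl.conf written in the "net/ipv4/key=value" form, plus the rp_filter
# check that the sysctl init script does with a for loop. The /proc/sys
# root is a parameter so the functions can be run against a constructed
# directory tree instead of the live kernel.

# Turn "net.ipv4.ip_forward" or "net/ipv4/ip_forward" into a path under ROOT.
_sysctl_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# sysctl_apply CONF [ROOT]
# Writes each key=value line of CONF into ROOT/key. Blank lines and '#'
# comments are skipped, a last line without a trailing newline is still
# processed (the '|| [ -n "$line" ]' clause), and values containing spaces
# such as "32768 59999" are written unchanged.
sysctl_apply() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        path=$(_sysctl_path "${line%%=*}" "$root")
        if [ -w "$path" ]; then
            printf '%s\n' "${line#*=}" > "$path"
        else
            echo "sysctl_apply: cannot write $path" >&2
            rc=1
        fi
    done < "$conf"
    return $rc
}

# sysctl_audit CONF [ROOT]
# Prints "key expected=X actual=Y" for every key whose live value differs
# from CONF; returns 1 if anything differs, 0 if everything matches.
sysctl_audit() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%=*}; want=${line#*=}
        path=$(_sysctl_path "$key" "$root")
        if [ -r "$path" ]; then
            # the kernel separates range values with a tab; normalise to a space
            have=$(tr '\t' ' ' < "$path")
        else
            have='(missing)'
        fi
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# rp_filter_audit [ROOT]
# Lists every interface under net/ipv4/conf whose rp_filter is not 1;
# returns 1 if any such interface exists.
rp_filter_audit() {
    root=${1:-/proc/sys}; rc=0
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != 1 ]; then
            echo "rp_filter off on $(basename "$(dirname "$f")")"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo tree standing in for /proc/sys (not a real kernel).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/net/ipv4/conf/all" "$d/net/ipv4/conf/eth0" "$d/net/ipv4/conf/lo"
    echo 0 > "$d/net/ipv4/ip_forward"
    echo 0 > "$d/net/ipv4/tcp_syncookies"
    printf '1024\t4999\n' > "$d/net/ipv4/ip_local_port_range"
    for i in all eth0 lo; do echo 0 > "$d/net/ipv4/conf/$i/rp_filter"; done
    # deliberately no trailing newline, as in the poster's sysctl.conf
    printf 'net/ipv4/tcp_syncookies=1\nnet/ipv4/ip_local_port_range=32768 59999\nnet/ipv4/ip_forward=0' \
        > "$d/sysctl.conf"
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    root=$(make_demo_tree)
    sysctl_audit "$root/sysctl.conf" "$root"   # reports the two drifting keys
    sysctl_apply "$root/sysctl.conf" "$root"
    sysctl_audit "$root/sysctl.conf" "$root" && echo "sysctl.conf fully applied"
    rp_filter_audit "$root"
    rm -r "$root"
fi
```

Run it as `sh sysctl-audit.sh demo` to see the drift report on the constructed tree; on a real box, `sysctl_audit /etc/sysctl.conf` with no root argument compares the file against the running kernel, which is a handy thing to do from a cron job after the boot scripts have run.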


And just in case if you are curious, here is
my ipchains setup:

     inet (internet)
(all public IP addresses)
           |
           | (the ip number is changed ;-)
           | 212.187.89.230/255.255.254.0
---------------------
|        eth0       |
|                   |
|                   |
|         lo        |
|                   |
|                   |
|        eth1       |
---------------------
           | 10.0.0.1
           |
           |
lan (local area network)
 (10.0.0.0/255.255.0.0)

I always use 10.0.0.0/255.255.0.0 instead of 10.0.0.0/255.0.0.0
for flexibility (other eth's, ppp's, etc get 10.1.0.0/255.255.0.0 etc)

When I set up a firewall I use these mottos:
- Assumption is the mother of all fuck-ups
- Trust nobody, not even yourself
- Be paranoid...

The firewall below was NOT made to be the best... it was made to
be MANAGEABLE. For example:
We trust the host and LAN, of course we should NOT!
Think: smart trojans, worms, viruses and stupid
       mistakes from the users or sysadmin,
       ID numbers that Microsoft, RealNetworks, etc.
       are sending to their servers...

Of course you should set up your firewall before the startup
scripts execute the ifconfig commands...
---------------------------------------------------------
# Set the chains in a safe state
ipchains -P input   DENY
ipchains -P forward DENY
ipchains -P output  DENY
ipchains -F
ipchains -X

# internet accept chains
ipchains -N inet_acc

# Main entry...
ipchains -A input -i eth0 -d 212.187.89.230 -j inet_acc
ipchains -A input -i eth0 -j DENY
ipchains -A input -i eth1 -j ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -l -j DENY

# Private numbers from inet are illegal
ipchains -A inet_acc -s 10.0.0.0/255.0.0.0      -j DENY
ipchains -A inet_acc -s 172.16.0.0/255.240.0.0  -j DENY
ipchains -A inet_acc -s 192.168.0.0/255.255.0.0 -j DENY

# MASQ ports, see /usr/src/linux/include/net/ip_masq.h
# Don't use '! -y' here because of active ftp...
# Don't forget to load the ip_masq_ftp module
ipchains -A inet_acc -p tcp --dport 61000:65096 -j ACCEPT
ipchains -A inet_acc -p udp --dport 61000:65096 -j ACCEPT

# Useful icmp's... (you can delete the last *-reply's safely)
ipchains -A inet_acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A inet_acc -p icmp --icmp-type source-quench           -j ACCEPT
ipchains -A inet_acc -p icmp --icmp-type time-exceeded           -j ACCEPT
ipchains -A inet_acc -p icmp --icmp-type parameter-problem       -j ACCEPT
ipchains -A inet_acc -p icmp --icmp-type echo-reply              -j ACCEPT
ipchains -A inet_acc -p icmp --icmp-type timestamp-reply         -j ACCEPT
ipchains -A inet_acc -p icmp --icmp-type address-mask-reply      -j ACCEPT

# services running on my machine that are accessible by
# the internet...
ipchains -A inet_acc -p udp  --dport domain   -j ACCEPT
ipchains -A inet_acc -p tcp  --dport domain   -j ACCEPT
ipchains -A inet_acc -p tcp  --dport smtp     -j ACCEPT
ipchains -A inet_acc -p tcp  --dport www      -j ACCEPT
ipchains -A inet_acc -p tcp  --dport ftp-data -j ACCEPT
ipchains -A inet_acc -p tcp  --dport ftp      -j ACCEPT
ipchains -A inet_acc -p tcp  --dport ssh      -j ACCEPT
ipchains -A inet_acc -p tcp  --dport auth     -j ACCEPT

# When you work on the host these are useful.
# The first is for outgoing ssh's (begins at 1023 then
# goes down, so 4 simultaneous connections possible)
# The 32768 rules is a reflection for:
# sysctl -w net/ipv4/ip_local_port_range="32768 59999"
# This way you can use telnet, ftp, lynx, traceroute, etc)
ipchains -A inet_acc -p tcp ! -y --dport  1020:1023  -j ACCEPT
ipchains -A inet_acc -p tcp ! -y --dport 32768:59999 -j ACCEPT
ipchains -A inet_acc -p udp      --dport 32768:59999 -j ACCEPT
ipchains -A inet_acc -j DENY

# Only MASQ the tcp, udp and icmp protocols
ipchains -A forward -p tcp  -s 10.0.0.0/255.255.0.0 -i eth0 -j MASQ
ipchains -A forward -p udp  -s 10.0.0.0/255.255.0.0 -i eth0 -j MASQ
ipchains -A forward -p icmp -s 10.0.0.0/255.255.0.0 -i eth0 -j MASQ
ipchains -A forward -l -j REJECT

# Optimize outgoing connections
ipchains -A output -p tcp -d 0/0 www      -t 0x01 0x08 -j ACCEPT
ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08 -j ACCEPT
ipchains -A output                        -t 0x01 0x10 -j ACCEPT
ipchains -A output -l -j REJECT

# tcp connections are valid for 12 hours...
ipchains -M -S 43200 0 0
-----------------------------------------------
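Because a ruleset like the one above is loaded from a boot script, a mistake in it leaves the box with no network (or, worse, with a chain that falls through to ACCEPT). As an added example (not the poster's code), here is a lint pass in POSIX sh over a file of `ipchains` commands: the ruleset above saved as a script is a valid input. It only reads the text, so it needs no `ipchains` binary, and it checks three properties the ruleset relies on: the builtin chains get a DENY policy, every user chain created with `-N` is actually jumped to, and every user chain ends in an unconditional DENY or REJECT. The sample it lints (`write_sample`) is a constructed, cut-down version of the ruleset above.

```shell
#!/bin/sh
# Added example, not the original poster's code: lint a file of ipchains
# commands without running them. Checks:
#   1. input, forward and output each get a DENY policy (-P chain DENY);
#   2. every user chain created with -N is jumped to somewhere (-j chain);
#   3. every user chain ends with an unconditional DENY or REJECT, i.e. a
#      rule carrying no -s/-d/-p/-i/-y/--sport/--dport match options.
# Prints one "lint:" line per problem; returns 1 if any were found.
lint_ipchains() {
    file=$1; rc=0
    for chain in input forward output; do
        grep -Eq "^ipchains[[:space:]]+-P[[:space:]]+$chain[[:space:]]+DENY" "$file" ||
            { echo "lint: builtin chain $chain has no DENY policy"; rc=1; }
    done
    for chain in $(sed -n 's/^ipchains[[:space:]]*-N[[:space:]]*\([^[:space:]]*\).*/\1/p' "$file"); do
        grep -Eq -- "-j[[:space:]]+$chain([[:space:]]|$)" "$file" ||
            { echo "lint: user chain $chain is never jumped to"; rc=1; }
        # last rule appended to this chain
        last=$(grep -E "^ipchains[[:space:]]+-A[[:space:]]+$chain([[:space:]]|$)" "$file" | tail -n 1)
        case $last in
            *"-j DENY"*|*"-j REJECT"*)
                if printf '%s\n' "$last" | grep -Eq -- ' -(s|d|p|i|y) | --[sd]port '; then
                    echo "lint: last rule of $chain is a conditional deny: $last"; rc=1
                fi ;;
            *) echo "lint: user chain $chain does not end in DENY/REJECT"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (a cut-down version of the ruleset above) to lint.
write_sample() {
    cat > "$1" <<'EOF'
ipchains -P input   DENY
ipchains -P forward DENY
ipchains -P output  DENY
ipchains -F
ipchains -N inet_acc
ipchains -A input -i eth0 -d 212.187.89.230 -j inet_acc
ipchains -A input -i lo -j ACCEPT
ipchains -A inet_acc -p tcp --dport ssh -j ACCEPT
ipchains -A inet_acc -j DENY
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample "$f"
    lint_ipchains "$f" && echo "$f: ruleset passes lint"
    # Drop the catch-all DENY and lint again: inet_acc now falls through.
    grep -v 'inet_acc -j DENY' "$f" > "$f.bad"
    lint_ipchains "$f.bad" || echo "$f.bad: lint found problems"
    rm -f "$f" "$f.bad"
fi
```

Run `sh lint-ipchains.sh demo` to see both the passing and the failing case; to check a real ruleset, call `lint_ipchains /path/to/firewall.sh` before linking the script into rcS.d. The check is deliberately textual and conservative: it only knows the `ipchains -P/-N/-A` spellings used above, so a ruleset written with long options or a different binary path needs the patterns adjusted.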

You also should edit your inetd.conf and hosts.deny
files...

If you have -any- comments on these matters please
do so...

Regards,

Onno






At 09:30 AM 11/16/99 -0500, Bryan Scaringe wrote:
thanks to all who replied.  I think that for now, I will do something
like what is suggested below, except to run it AFTER the networking
is up, since the scripts depend on me knowing my IP Address, which
I get through DHCP (so networking has to be up).  Shouldn't leave me
vulnerable for more than a few msec.

Bryan

On 16-Nov-99 Onno wrote:
> BEWARE:
>
> Follow the instructions in IPCHAINS HOWTO... BUT the HOWTO contains
> SEVERE flaws!!!
>
> Create a script to setup ipchains and run it early in the bootup procedure.
> I have a script called 'ipchains' in /etc/init.d and made a symbolic link
> called 'S39ipchains' to '/etc/init.d/ipchains' in the
> '/etc/rcS.d' directory. This way the script will be run before S40network
> (sets the ethernet interfaces). It's better not to make a link in rc6.d
> for shutdown... let the firewall die with the kernel ;-)
>
> PS: the script in IPCHAINS HOWTO is flawed too...
>
> Regards,
>
> Onno
>
>
> At 09:54 PM 11/15/99 -0500, Bryan Scaringe wrote:
>>I would like to setup IPChains on my machine.  I can't seem to find
>>any file under /etc/init.d/ for ipchains (networking only handles
>>spoof protection).  Where do you folks start your ipchains or ipfwadm
>>rules?
>>
>>Thanks,
>>         Bryan
>>
>>
>>--
>>Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org <
>>/dev/null