
[seul-edu] IPCHAINS?



Hey gang,

I posted yesterday and appreciated the couple of responses I got
regarding languages to teach and curriculum.

Now for some technical help.  I'm back at school today just to check on
things and begin mapping out the summer work.  The first thing I wanted
to revise now that I had time was my firewall.  About 7 months ago a
friend helped me get it up and running.  It was very simple and I
realized it wasn't blocking anything.  But I really didn't care, as it
let me get all the computers on the net.

Now, however, I would like to make things a lot more secure.  I'm
working from a revised copy of some examples my friend gave me and I
can't seem to get something right with the INPUT chain.  Here's the
deal, I have an ISDN router (192.168.1.1) that connects to the
internet.  Its LAN connection goes directly to the second ethernet card
on my firewall (ETH1 - 192.168.1.2).  Inside the firewall the first
ethernet card (ETH0 - 192.168.0.2) is connected to the internal network
(which obviously is a 192.168.0 network).

I think my problem is that I'm not specifying correctly what the INPUT
chain rule should be looking for.  I think it should be looking for
packets destined for 192.168.1 to forward to the internal network.
Everything else should be denied.  At the moment, MASQ only works if I
set the default INPUT policy to ACCEPT and really don't filter
anything... not very secure obviously.

As you can tell I'm very confused.  Most of the examples I have are of
firewalls that are also the connection to the outside world - not a
go-between like mine.

Help is much appreciated.  Below you'll find a copy of both tries of my
rules.

Ryan Booz
Tech Coordinator
Belleville Mennonite School

========= Ipchains that work and I'm using right now ==================
# set up masquerading
echo "Setting up masquerading..."
echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush all chains so that we're starting with a clean slate
/sbin/ipchains -F

#Don't limit incoming traffic - pointless as firewall, but usable right now
/sbin/ipchains -P input ACCEPT

#Don't limit outgoing traffic
/sbin/ipchains -P output ACCEPT

#default policy for forward chain is DENY.  Log all attempts
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 192.168.0.0/24 -j MASQ
/sbin/ipchains -A forward -j DENY -l

#make internal active/passive ftp work
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio



=========== What I'm trying to work towards ============================

# set up masquerading
echo "Setting up masquerading..."
echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush all chains so that we're starting with a clean slate
/sbin/ipchains -F

#set everything to deny while we're setting things up to avoid race conditions
/sbin/ipchains -I input 1 -i ! lo -j DENY
/sbin/ipchains -I output 1 -i ! lo -j DENY
/sbin/ipchains -I forward 1 -j DENY

#Don't limit outgoing traffic
/sbin/ipchains -P output ACCEPT

#default policy for forward chain is DENY.  Log all attempts
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 192.168.0.0/255.255.0.0 -j MASQ
/sbin/ipchains -A forward -j DENY -l

#default policy for input chain is DENY
/sbin/ipchains -P input DENY

#Create a new chain.  don't know my external IP address, but anything coming
#in on the dial-up connection destined for a class B 192.168 address must be
#talking to us
/sbin/ipchains -N bad-if
/sbin/ipchains -A input -i eth1 -d 192.168.0.0/255.255.0.0 -j bad-if

#log anything that doesn't hit that filter
/sbin/ipchains -A input -j DENY -l

#accept replies to masqueraded packets
/sbin/ipchains -A bad-if -p tcp --dport 61000:65096 -j ACCEPT
/sbin/ipchains -A bad-if -p udp --dport 61000:65096 -j ACCEPT

#accept incoming ssh connections in both directions
/sbin/ipchains -A bad-if -p tcp --dport ssh -j ACCEPT
/sbin/ipchains -A bad-if -p tcp --sport ssh -j ACCEPT

#allow dns replies
/sbin/ipchains -A bad-if -p tcp --sport domain -j ACCEPT
/sbin/ipchains -A bad-if -p udp --sport domain -j ACCEPT

#allow http, secure http replies (no SYN packets)
/sbin/ipchains -A bad-if -p tcp --sport http  -j ACCEPT
/sbin/ipchains -A bad-if -p tcp --sport https -j ACCEPT
/sbin/ipchains -A bad-if -p udp --sport https -j ACCEPT

#allow ntp
/sbin/ipchains -A bad-if -p udp --sport ntp -j ACCEPT

#Handle any standard error ICMP packets
/sbin/ipchains -A bad-if -p icmp --icmp-type pong -j ACCEPT
/sbin/ipchains -A bad-if -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A bad-if -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A bad-if -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A bad-if -p icmp --icmp-type parameter-problem -j ACCEPT

#reject identd requests, but don't log them. We reject rather than deny so
#that ssh doesn't sit around waiting for them.
/sbin/ipchains -A bad-if -p tcp --dport auth -j REJECT

#deny everything else.  log it
/sbin/ipchains -A bad-if -j DENY -l

#clear out blocking that we set up in the beginning
/sbin/ipchains -D input 1
/sbin/ipchains -D forward 1
/sbin/ipchains -D output 1

#make internal active/passive ftp work
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
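As an added illustration (not part of the original post), here is a small Python model of the ipchains packet path: every packet entering the box, including one that will be forwarded, passes the input chain first (matched on its incoming interface) and only then the forward chain (matched on its outgoing interface). Run against the second ruleset above it shows the LAN's own packets arriving on eth0 being denied on input before forwarding is ever considered, and passing once the input chain accepts them. The chain contents are reduced to interface/address matching, and the sample packet and its 198.51.100.7 destination are constructed for the example.

```python
# Added example: a minimal model of how ipchains walks its chains.
# Only interface, source and destination matching is modelled; the
# port and ICMP rules of bad-if are omitted.
from ipaddress import ip_network, ip_address

def rule(target, iface=None, src="0.0.0.0/0", dst="0.0.0.0/0"):
    return {"target": target, "iface": iface,
            "src": ip_network(src), "dst": ip_network(dst)}

def walk(chains, name, pkt, policy):
    """Walk one chain; return its verdict, or the policy if nothing matched."""
    for r in chains[name]:
        if r["iface"] is not None and r["iface"] != pkt["iface"]:
            continue
        if ip_address(pkt["src"]) not in r["src"]:
            continue
        if ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["target"] in chains:            # jump into a user-defined chain
            verdict = walk(chains, r["target"], pkt, None)
            if verdict is not None:
                return verdict
            continue                         # fell off its end: keep walking
        return r["target"]
    return policy

def route(chains, pkt, out_iface):
    """ipchains path for a forwarded packet: input chain keyed on the
    incoming interface, then forward chain keyed on the outgoing one."""
    verdict = walk(chains, "input", pkt, "DENY")
    if verdict != "ACCEPT":
        return verdict
    return walk(chains, "forward", dict(pkt, iface=out_iface), "DENY")

# The second ruleset as posted: only eth1 traffic is handed to bad-if,
# and the input chain ends in an unconditional DENY.
LAN = "192.168.0.0/24"
chains = {
    "input":   [rule("bad-if", iface="eth1", dst="192.168.0.0/16"), rule("DENY")],
    "forward": [rule("MASQ", iface="eth1", src=LAN), rule("DENY")],
    "bad-if":  [rule("DENY")],
}
# Constructed sample: an internal host browsing out through the firewall.
PKT = {"iface": "eth0", "src": "192.168.0.10", "dst": "198.51.100.7"}

def as_posted():
    return route(chains, PKT, "eth1")        # denied on the input chain

def with_lan_accept():
    fixed = dict(chains)                     # same rules plus one eth0 accept
    fixed["input"] = [rule("ACCEPT", iface="eth0", src=LAN)] + chains["input"]
    return route(fixed, PKT, "eth1")         # reaches forward and is MASQ'd
```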