On Thu, 03 Jan 2002, Martin A. Hansen wrote:

> any suggestions on how to set up a strong firewall rule set will be
> appreciated!
I don't believe the standard ipmasq setup provides any form of firewalling. I have attached the script that I'm currently using. Feel free to use it if it suits you. A couple of notes:

 o I'm running this on an old 486. Ipmasq is by default set up so that it will reinitialize the iptable rules whenever a new interface is set up. This took too long on my computer, so I have disabled it. This means that my script needs to be able to work without knowing the IP address of my server. This isn't really a problem.

 o I deleted all the files from /etc/ipmasq/rules and installed the script as /etc/ipmasq/rules/A00doitall.rul mode 755. Yet another optimization for my old computer...

 o This needs a 2.4 kernel.

 o The script currently assumes that eth0 and ppp0 are internal, and that ppp1 and ippp* are external. You need to change the line starting with "EXTERNAL=" to change this and delete the line with ppp0 at the end if it is an external interface.

 o The script works with multiple external interfaces if needed.

 o My internal network uses 192.168.1.xxx. Search and replace if you use a different block.

 o I allow the following connections from the outside:
   TCP: ssh to the server; gnutella and napster connections will be forwarded to a specific computer (192.168.1.8) in the private network.
   UDP: two ports are open for replies to get DNS and ntpdate working. You need to configure bind to use 1053 as source port if you have it installed.
   ICMP: Incoming pings are blocked, everything else gets through (important!)

 o All the rules that log information should be rate-limited, but currently aren't. This could be used for a DoS attack.

I'd be very interested to hear comments about the security of this setup.

Walter

#!/bin/sh
# wh, 11.9.2001

# === Set variables and do sanity checks ===
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
IPTABLES=/sbin/iptables
# External interfaces: ppp1 and any ippp* (enumerate-if comes with ipmasq)
EXTERNAL=`enumerate-if | grep -E '^(ippp|ppp1)'`

if [ ! -e /proc/net/ip_forward -a ! -e /proc/sys/net/ipv4/ip_forward ]; then
    echo "IP Forwarding has not been enabled in the kernel."
    exit 1
fi
if [ ! -e /proc/net/ip_masquerade -a ! -e /proc/net/ip_tables_names ]; then
    echo "IP Masquerade has not been enabled in the kernel."
    exit 1
fi

# === Put everything to the default state first ===
echo 1 >/proc/sys/net/ipv4/ip_forward
#echo 1 >/proc/sys/net/ipv4/ip_always_defrag
# Default policy is DROP on all filter chains; everything below is an exception
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT

# === Allow everything over loopback and ppp0 ===
$IPTABLES -A INPUT -j ACCEPT -i lo
# Loopback source addresses arriving on any other interface are spoofed
$IPTABLES -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
$IPTABLES -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
$IPTABLES -A INPUT -j ACCEPT -i ppp0

# === Allow everything with correct IP in over eth0 ===
$IPTABLES -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
$IPTABLES -A INPUT -j ACCEPT -i eth0 -s 192.168.1.0/24
$IPTABLES -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! tcp

for i in $EXTERNAL; do
    # === Drop incoming packets with local addresses ===
    $IPTABLES -A INPUT -j LOG -i $i -s 192.168.1.0/24
    $IPTABLES -A INPUT -j DROP -i $i -s 192.168.1.0/24

    # === Check everything else that comes in from the outside ===
    # Allow TCP if initiated from the inside (anything that is not a SYN)
    $IPTABLES -A INPUT -j ACCEPT -i $i --protocol tcp \! --syn
    # Allow incoming ssh, but log it
    $IPTABLES -A INPUT -j LOG -i $i --protocol tcp --destination-port ssh
    $IPTABLES -A INPUT -j ACCEPT -i $i --protocol tcp --destination-port ssh
    # Reject identd lookups: Gives better performance and prevents clutter in the logs
    $IPTABLES -A INPUT -j REJECT -i $i --protocol tcp --destination-port auth
    # Allow incoming UDP to port 1053. Bind is configured to use
    # 1053 as the source port for its queries
    $IPTABLES -A INPUT -j ACCEPT -i $i --protocol udp --destination-port 1053
    # Allow incoming UDP to port 123. This is for ntpdate.
    $IPTABLES -A INPUT -j ACCEPT -i $i --protocol udp --destination-port 123
    # Log other people's pings
    $IPTABLES -A INPUT -j LOG -i $i --protocol icmp --icmp-type echo-request
    # Allow ICMP but no pings
    $IPTABLES -A INPUT -j ACCEPT -i $i --protocol icmp --icmp-type \! echo-request
    # Everything else coming in is logged and denied (see the catch-all
    # LOG rules at the end; the DROP policy does the denying)

    # Masquerade packets to the outside
    $IPTABLES -t nat -A POSTROUTING -o $i -s 192.168.1.0/24 -j MASQUERADE
    $IPTABLES -A FORWARD -i eth0 -o $i -s 192.168.1.0/24 -j ACCEPT
    $IPTABLES -A FORWARD -o eth0 -i $i -d 192.168.1.0/24 -j ACCEPT
    # Forward incoming napster and gnut connections to 192.168.1.8
    $IPTABLES -t nat -A PREROUTING -j DNAT -i $i --protocol tcp --destination-port 5634 --to-destination 192.168.1.8
    $IPTABLES -t nat -A PREROUTING -j DNAT -i $i --protocol tcp --destination-port 6699 --to-destination 192.168.1.8

    # Log escaping internal packets
    $IPTABLES -A FORWARD -j LOG -o $i -d 192.168.1.0/24
    $IPTABLES -A FORWARD -j DROP -o $i -d 192.168.1.0/24
    $IPTABLES -A OUTPUT -j LOG -o $i -d 192.168.1.0/24
    $IPTABLES -A OUTPUT -j DROP -o $i -d 192.168.1.0/24

    # Let everything else out
    $IPTABLES -A OUTPUT -j ACCEPT -o $i   # ... -s $IPOFIF/32 # we don't know the allowed source IP right now!
done

# Loopback out over lo is ok, ppp0 too
$IPTABLES -A OUTPUT -j ACCEPT -o lo
$IPTABLES -A OUTPUT -j ACCEPT -o ppp0
# Internal out over eth0 is ok
$IPTABLES -A OUTPUT -j ACCEPT -o eth0 -d 192.168.1.0/24
$IPTABLES -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! tcp

# Log everything else
$IPTABLES -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
$IPTABLES -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
$IPTABLES -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
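The last note in the message, that every LOG rule should be rate-limited, is the one thing the attached script does not do. The helper below is an added example, not part of Walter's script: it emits the LOG-then-DROP pair the script repeats, with the LOG rule behind the iptables "limit" match (present in 2.4 kernels) so a flood of denied packets cannot fill syslog. The interface name ppp1, the log prefixes and the 127.0.0.0/8 rule are constructed for the example; setting IPTABLES=echo gives a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example (not from the original script): rate-limited LOG + DROP
# helper for the repeated "log it, then drop it" pattern in the firewall.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LOG_RATE="${LOG_RATE:-5/min}"    # average number of logged packets per minute
LOG_BURST="${LOG_BURST:-10}"     # initial burst allowed before the limit applies

# log_and_drop CHAIN PREFIX MATCH...
# Appends two rules to CHAIN for the same MATCH: a LOG rule that only fires
# at LOG_RATE (tagged with PREFIX in syslog), then an unconditional DROP.
# Packets beyond the rate are still dropped, just no longer logged.
log_and_drop() {
    chain=$1; prefix=$2; shift 2
    "$IPTABLES" -A "$chain" "$@" \
        -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "$prefix: " &&
    "$IPTABLES" -A "$chain" "$@" -j DROP
}

# The script's anti-spoofing and "escaping internal packet" rules for one
# external interface, rewritten with rate-limited logging, plus a final
# catch-all for INPUT (the chain policy is already DROP; the explicit DROP
# only makes the intent visible in iptables -L).
apply_example_rules() {
    ext=$1
    log_and_drop INPUT   spoof-internal -i "$ext" -s 192.168.1.0/24
    log_and_drop INPUT   spoof-loopback -i "$ext" -s 127.0.0.0/8
    log_and_drop FORWARD leak-internal  -o "$ext" -d 192.168.1.0/24
    log_and_drop OUTPUT  leak-internal  -o "$ext" -d 192.168.1.0/24
    log_and_drop INPUT   denied-in      -i "$ext"
}

# Dry run when executed directly with IPTABLES=echo (constructed interface ppp1).
if [ "$IPTABLES" = echo ]; then
    apply_example_rules ppp1
fi
```

Run as `IPTABLES=echo sh ratelimit.sh` to review the generated rules before loading them; the same helper could replace the bare LOG/DROP pairs inside the `for i in $EXTERNAL` loop.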