Gentoo Forums
Firewall in Gentoo Security Handbook - errors?
Forum: Networking & Security
Hub-1
n00b
Joined: 12 Nov 2006
Posts: 5

PostPosted: Sun Nov 12, 2006 8:57 am    Post subject: Firewall in Gentoo Security Handbook - errors?

I'm a bit confused about the firewall script in the Gentoo Security Handbook.
The script defines the internal and the external area of a local network as follows:
Code:
 
#inside
IIP=10.0.0.2
IINTERFACE=eth0
LOCAL_NETWORK=10.0.0.0/24
#outside
OIP=217.157.156.144
OINTERFACE=eth1


But when it defines the NAT (network address translation) part it confuses me a bit:
Code:
$IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE


What exactly is the point of masquerading the internal interface? I'm not very well-versed with iptables yet, but as far as I know, the masquerading should happen on the external interface, namely $OINTERFACE. Can someone please explain to me why masquerading is used on the internal interface?
Shouldn't it be like this?:
Code:
$IPTABLES -t nat -A POSTROUTING -o $OINTERFACE -j MASQUERADE





Another point, not an error actually, but something I wasn't able to find an explanation for.
The icmp rules are defined in their own chain, which is later added to the default chain.
Code:

#ICMP traffic
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP


Nothing wrong with that, but when added to the default chain it looks like this.
Why is there a "-p icmp" defined when there is already one in the custom chain?
Code:

 --snip--
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A OUTPUT -p icmp -j icmp_allowed
  $IPTABLES -A OUTPUT -j check-flags
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  $IPTABLES -A OUTPUT -j allow-ssh-traffic-out
--snip--




This firewall has been around for a long time, therefore I'm sure all this makes sense, so - can anyone please explain it to me?
Lorithar
n00b
Joined: 10 Mar 2006
Posts: 29

PostPosted: Sun Nov 12, 2006 3:40 pm    Post subject:

Quote:
But when it defines the NAT (network address translation) part it confuses me a bit:
Code:
$IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE


Likely a typo --

Quote:
Why is there a "-p icmp" defined when there is already one in the custom chain?
Code:

--snip--
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out
--snip--


The OUTPUT -p icmp says: add to table OUTPUT a filter for protocol icmp.
The -p option to iptables sets the protocol (ip/tcp/udp/icmp/yadda yadda) that the rule applies to -- iptables -p protocols are designed to be extensible -- i.e. if we add one or more in the future we simply need to add a module that identifies the protocol and contains the functions to manipulate it.
_________________
I do the computer thing. Lots.
Hub-1
n00b
Joined: 12 Nov 2006
Posts: 5

PostPosted: Sun Nov 12, 2006 10:17 pm    Post subject:

It really boggles my mind how this typo (if it really is one) hasn't been noticed for so long. This firewall script has been around for quite some time now. Does no one test this stuff before it gets released? After all, it is a Security handbook, and those people who use it are mostly inexperienced with iptables. This alone should actually be reason enough to test all these scripts thoroughly.
This typo renders the whole forwarding process useless. I'm sure I'm not the only one who noticed this, or am I?

As for the -p icmp thing, I think I didn't make myself clear enough. I'm just asking why there is an additional "-p icmp" definition, because this is already defined in the icmp_allowed chain. Why is that?

Thanks for your help
kadeux
Tux's lil' helper
Joined: 21 Nov 2005
Posts: 103

PostPosted: Mon Nov 13, 2006 12:47 am    Post subject: Re: Firewall in Gentoo Security Handbook - errors?

Hub-1 wrote:
Why is there a "-p icmp" defined when there is already one in the custom chain?

Only icmp traffic should go through this custom chain to minimize the overhead. And in the chain the icmp-Match (-p icmp) is called with additional options for this match (--icmp-type) for further (specific) investigation of the icmp traffic.
Hub-1 wrote:
But when it defines the NAT (network address translation) part it confuses me a bit:
Code:
$IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE


What exactly is the point of masquerading the internal interface?

MASQUERADE is a special case of Source-NAT and is often used in a SOHO network instead of SNAT, when the external interface uses a dynamic IP address instead of a static IP address. The mentioned example seems to be a setup for a firewall with a static public IP for the external and a static private IP for the internal interface. Without any knowledge of the underlying network topology/infrastructure it is hard to say why the NAT is configured in this way.

Maybe it is really a typo, but you can't be too sure. Maybe you could email the author, or open a bug report in Gentoo's Bugzilla. And please let us know what you find out.
Quote:
This alone should actually be reason enough to test all these scripts thoroughly.

This is true for all the billions of scripts all over the internet. Never use any script blindly!
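A dry run of the two rule fragments argued over above (the MASQUERADE interface and the "-p icmp" jump), as an added example that is not part of the thread or of the handbook's script: IPTABLES is set to echo so the rules are printed rather than loaded, the interface names and LAN prefix are the handbook's, and the two lint functions and the -s restriction on the NAT rule are additions of this example.

```shell
#!/bin/sh
# Added example (not the handbook's script): dry-run the two rule fragments
# under discussion. IPTABLES is "echo", so rules are printed, not applied;
# point it at /sbin/iptables as root to load them for real.
IPTABLES=echo

IINTERFACE=eth0             # inside: LAN side, as in the handbook
OINTERFACE=eth1             # outside: Internet side
LOCAL_NETWORK=10.0.0.0/24

# NAT with MASQUERADE on the *outside* interface, as the thread argues it
# should be. The -s restriction is an addition: only the LAN prefix gets its
# source rewritten, not anything else that happens to be routed out.
nat_rules() {
    $IPTABLES -t nat -A POSTROUTING -s "$LOCAL_NETWORK" -o "$OINTERFACE" -j MASQUERADE
}

# ICMP chain as in the handbook. The jump in OUTPUT carries "-p icmp" so only
# ICMP packets enter the chain; inside it "-p icmp" is repeated because
# "--icmp-type" is an option of the icmp match and cannot be given without it.
icmp_rules() {
    $IPTABLES -N icmp_allowed
    $IPTABLES -F icmp_allowed
    $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
    $IPTABLES -A icmp_allowed -p icmp -j DROP
    $IPTABLES -A OUTPUT -p icmp -j icmp_allowed
}

# Lint a printed rule listing on stdin: fail if any MASQUERADE rule is attached
# to the inside interface, the mistake that sends LAN packets out through the
# outside interface with private source addresses and breaks forwarding.
lint_nat() {
    ! grep -e '-j MASQUERADE' | grep -q -e "-o $IINTERFACE"
}

# Lint: every jump into icmp_allowed must be gated by "-p icmp".
lint_icmp_jump() {
    ! grep -e '-j icmp_allowed' | grep -v -q -e '-p icmp'
}

# Dry run: print the rules, then lint the same listing.
all_rules() { nat_rules; icmp_rules; }
all_rules
all_rules | lint_nat && all_rules | lint_icmp_jump && echo "lint: OK"
```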
Hub-1
n00b
Joined: 12 Nov 2006
Posts: 5

PostPosted: Mon Nov 13, 2006 12:23 pm    Post subject:

Quote:
Only icmp traffic should go through this custom chain to minimize the overhead. And in the chain the icmp-Match (-p icmp) is called with additional options for this match (--icmp-type) for further (specific) investigation of the icmp traffic.

Thanks for the explanation, it seems so obvious. I should have been able to figure this out myself! I thought there might be a special syntax when custom chains are addressed ... oh well :)

Quote:
MASQUERADE is a special case of Source-NAT and is often used in a SOHO network instead of SNAT, when the external interface uses a dynamic IP address instead of a static IP address. The mentioned example seems to be a setup for a firewall with a static public IP for the external and a static private IP for the internal interface. Without any knowledge of the underlying network topology/infrastructure it is hard to say why the NAT is configured in this way.

Maybe it is really a typo, but you can't be too sure. Maybe you could email the author, or open a bug report in Gentoo's Bugzilla. And please let us know what you find out.


I personally think it's a typo, but as you mentioned, there is a possibility that it is a valid configuration option. If it is valid, how would a system like that work, and what would be the reason for doing something like this?
All times are GMT