nickbrown n00b
Joined: 07 Apr 2003 Posts: 15 Location: Edinburgh, Scotland.
Posted: Thu Jun 12, 2003 3:18 pm Post subject: setting up a firewall with iptables
Hi, I'm hoping that someone will be able to help me configure my gentoo box as a firewall using iptables.
Code: |
    eth0 |-------| eth1    |------|
---------|   R   |---------|  PC  |
         |-------|         |------|
|
My network is setup as above.
R is my gentoo router, and PC is (surprise) my PC.
I currently have R configured to get an IP address using DHCP from my isp over eth0. It also updates a dyndns entry with this.
I also have it configured to do masquerading for my PC. It runs a DHCP server to allocate my PC an address in the 192.168.1.2 - 192.168.1.10 range.
eth1 on the router is obviously configured with the address 192.168.1.1
It runs a caching DNS server (out eth1 only) that my PC uses.
It also runs a webserver hosting my website. Finally it is running an ssh server.
This all runs smoothly. The PC is masqueraded just fine etc, and people can access my web site, and I ssh into the router.
However I have no firewall setup.
Code: |
[root]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
The masquerading is the only rule I have. Can anyone suggest some rules that will work with my setup described above (i.e. will permit DHCP, DNS, the webserver etc.) but will tighten up my security? If you provide a list of iptables commands, can you provide comments explaining what they do?
Any help is much appreciated, thanks.
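The ruleset the question asks for, written out as an added example for exactly this topology (my code, not something posted in the thread). It assumes, because the post does not say, that the web server is on tcp/80 only, sshd on tcp/22, the caching resolver listens on 192.168.1.1, and ssh should stay reachable from the Internet since the poster logs in that way. It is built the way the later replies describe: default-deny policies, then one explicit accept per service, with the ISP-facing and LAN-facing interfaces treated separately:

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ruleset for the
# topology in the post above. eth0 = ISP side (DHCP client), eth1 = LAN
# 192.168.1.0/24, where the router runs dhcpd, a caching resolver,
# a web server and sshd, and masquerades the LAN.
# Assumed, because the post does not say: web on tcp/80 only, sshd on
# tcp/22, the resolver listens on 192.168.1.1, and ssh should also be
# reachable from the Internet (the poster logs in that way).
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# fw_rules prints the ruleset instead of applying it, so it can be read,
# diffed or fed through a dry run before it touches a live router.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
# Default deny for traffic to and through the router; traffic the router
# itself originates stays open, as in the poster's current setup.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback first: local daemons talk to 127.0.0.1, and no interface
# specific rule below covers that.
iptables -A INPUT -i lo -j ACCEPT
# Answers to connections the router or the LAN opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# A packet on the ISP side claiming a LAN source address is spoofed.
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
# Exposed to the Internet: the web site and ssh, new connections only.
iptables -A INPUT -i $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# DHCP client on $WAN: the ISP's offer/ack comes from udp/67 to udp/68.
iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
# ICMP from the Internet: ping, plus the errors that path-MTU discovery
# and traceroute depend on. Nothing else.
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type time-exceeded -j ACCEPT
# LAN-only services: dhcpd (clients send from 0.0.0.0, so no -s here),
# the caching resolver, ssh, the web server and ping.
iptables -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p icmp -j ACCEPT
# The resolver and every other port stay closed on the ISP side because
# of the INPUT policy; no rule is needed to "block" them.
# LAN -> Internet is forwarded and masqueraded; nothing else is forwarded.
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules runs the printed commands (comment lines dropped) and turns
# on forwarding. Must be run as root.
apply_rules() {
    fw_rules | grep -v '^#' | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     fw_rules ;;
esac
```

Run it with no argument to print the rules and read them, and with `apply` as root to load them. Two caveats: dhcpcd and dhclient read DHCP replies through a packet socket, which netfilter does not filter, so the udp/67 -> 68 rule on eth0 only matters for clients that use a normal UDP socket (it does no harm otherwise); and nothing here limits ssh from the Internet, so restricting it to the source ranges you actually connect from, as suggested further down in the thread, is the obvious next step.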
slartibartfasz Veteran
Joined: 29 Oct 2002 Posts: 1462 Location: Vienna, Austria
Posted: Thu Jun 12, 2003 4:09 pm Post subject:
you can try this:
Code: |
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
will block all incoming traffic unless it was initiated from inside (of course you have to set the default policy of the chain to DROP: 'iptables -P INPUT DROP').
_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be.
nickbrown n00b
Joined: 07 Apr 2003 Posts: 15 Location: Edinburgh, Scotland.
Posted: Thu Jun 12, 2003 4:31 pm Post subject: That can't be sufficient.
Code: |
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
Does not seem sufficient and is too restrictive.
People will not be able to connect to my website (or me ssh in) and the PC will not be able to do anything (get a DHCP address, use the DNS server on the router).
The above may be a start, but it breaks everything in my setup as is.
uzik Apprentice
Joined: 17 Apr 2003 Posts: 257
Posted: Thu Jun 12, 2003 4:44 pm Post subject:
For security you should:
1. Disable all services on your linux box that you aren't using
(time, talk, who, finger, pop, rauth, snmp, etc). If they're not
being used nobody can exploit a vulnerability in them. Consider
not even running inetd if you can. Nothing you mentioned needs it.
2. Use your firewall to block traffic that's not valid,
i.e. only allow ssh from places YOU might be.
Only allow POP access to specific machines that need it.
etc.
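A check that goes with point 1 above, added here as an example (my code, not from the thread): compare what the router is actually listening on against the services it is supposed to offer, so anything unexpected can be shut down or re-bound. The expected list encodes the setup in the question (ssh and the web server on any address, the caching resolver on 192.168.1.1 only, dhcpd on udp/67). The `netstat -tulpn` output it runs over is a constructed sample, not output from the poster's machine; it deliberately shows a resolver bound to 0.0.0.0 and two inetd services so that the flagged lines are visible:

```shell
#!/bin/sh
# Added example, not from the thread: audit listening sockets against the
# services this router is meant to offer. Input is `netstat -tulpn` output;
# the SAMPLE below is constructed for the demonstration.

# Allowed listeners, one per line: "proto local-address:port".
# The resolver is only allowed on the LAN address, as the poster intends.
ALLOWED='tcp 0.0.0.0:22
tcp 0.0.0.0:80
udp 192.168.1.1:53
tcp 192.168.1.1:53
udp 0.0.0.0:67
udp 0.0.0.0:68'

# audit_listeners: stdin is netstat -tulpn output, stdout is every
# listening socket that is not on the allowed list.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, a, "\n")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    /^(tcp|udp)/ {
        proto = $1
        sub(/6$/, "", proto)       # tcp6/udp6 -> tcp/udp
        key = proto " " $4         # $4 is the Local Address column
        if (!(key in ok)) print key
    }'
}

# Constructed sample of netstat -tulpn on a box like the poster's, with
# named bound to all interfaces and inetd still serving ident and finger.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      500/apache
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      380/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           380/named
udp        0      0 0.0.0.0:67              0.0.0.0:*                           455/dhcpd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      300/inetd
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      300/inetd'

# unexpected_in_sample: runs the audit over the constructed sample.
unexpected_in_sample() {
    printf '%s\n' "$SAMPLE" | audit_listeners
}

unexpected_in_sample
```

On the real box run `netstat -tulpn | audit_listeners` as root (the PID column needs it). Every line it prints is either a service to switch off (the inetd entries here) or a daemon to re-bind to the LAN address, which is what the question says the resolver should already be doing; with the resolver on 0.0.0.0 the only thing keeping the Internet out of it is the firewall.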
kopfarzt Apprentice
Joined: 05 Apr 2003 Posts: 170 Location: Vienna, Austria
Posted: Thu Jun 12, 2003 6:42 pm Post subject:
You might want to take a look at fwbuilder (Gentoo package). It comes with a firewall "assistant" and gives thorough explanations for why things should be blocked. And it has a GUI, so it's easy to experiment.
It does not yet integrate into Gentoo's /etc/init.d scripts (search in bugs.gentoo.org, I filed a quick and dirty proposal for a start/stop script based on /etc/init.d/iptables).
kopfarzt
paranode l33t
Joined: 06 Mar 2003 Posts: 679 Location: Texas
Posted: Thu Jun 12, 2003 7:10 pm Post subject: Re: That can't be sufficient.
nickbrown wrote: | Code: |
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
Does not seem sufficient and is too restrictive.
People will not be able to connect to my website (or me ssh in) and the PC will not be able to do anything (get a DHCP address, use the DNS server on the router).
The above may be a start, but it breaks everything in my setup as is. |
Well you need to reverse those two rules. The default DROP policy should always be at the bottom. This is a good basic starting point. What you want to do from here is add a rule above the DROP policy for each service you want to allow. This is building from a default-deny policy instead of a default-accept.
_________________
Meh.
DefconAlpha Apprentice
Joined: 25 Feb 2003 Posts: 151 Location: Alabama
Posted: Thu Jun 12, 2003 7:25 pm Post subject: try this
Here is a sample RedHat firewall script that I made a long time ago... It splits up the protocols so it is easier (I think) to add new services later. This allows DNS lookups, SMTP, SSH, and ident requests (plus just enough ICMP to allow you to ping the machine... take out the 0 icmp rule and no one can ping you :) ) to come into the machine, and anything from the machine can leave. If you are going to be in an enterprise environment, you will want to limit the outbound traffic as well (basically use all of the same rules, just applied to the OUTPUT chain rather than the INPUT chain).
Code: | #!/bin/sh
# chkconfig: 2345 20 80
# description: All your base are belong to us.
#
# Single-interface host firewall: default-deny on every chain, inbound
# traffic split by protocol into its own user chain.
LAN_IP_RANGE="207.65.182.2/24"      # not referenced below; kept for local-only rules
LAN_IP="207.65.182.170/32"          # this host's own address
LOCALHOST_IP="127.0.0.1/32"
LAN_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables" # Gentoo installs it as /sbin/iptables

# Start from empty chains (including user chains from an earlier run,
# or the -N commands below fail), then default-deny everything.
$IPTABLES --flush
$IPTABLES --delete-chain
echo "iptables: flushed"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# ... denied!
echo "chains: dropping"

# One user chain per protocol so a new service goes in one obvious place.
$IPTABLES -N tcpchain
$IPTABLES -N udpchain
$IPTABLES -N icmpchain
echo "user chains: created"

# TCP: replies to connections this host opened, then new connections
# (--syn) to the listed ports only; everything else is dropped.
$IPTABLES -A tcpchain -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcpchain -p TCP -s 0/0 --dport 25 --syn -j ACCEPT   # smtp
$IPTABLES -A tcpchain -p TCP -s 0/0 --dport 22 --syn -j ACCEPT   # ssh
$IPTABLES -A tcpchain -p TCP -s 0/0 --dport 113 --syn -j ACCEPT  # ident
$IPTABLES -A tcpchain -p TCP -s 0/0 -j DROP
echo "tcp: filtered"

# ICMP by type number: 0 echo-reply (answers to pings this host sends),
# 3 destination-unreachable, 5 redirect (lets a neighbour rewrite your
# routes; drop it unless you need it), 8 echo-request (what lets other
# hosts ping this one), 11 time-exceeded (traceroute).
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A icmpchain -p ICMP -j DROP
echo "icmp: filtered"

# UDP: no state rule here, so DNS answers are let in by source port 53.
# This matches any UDP packet sent from port 53 to any local port, so it
# is wider than a stateful match would be.
$IPTABLES -A udpchain -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpchain -p UDP -j DROP
echo "udp: filtered"

# Loopback is not covered by the per-interface jumps below and must be
# allowed explicitly, or local services talking to 127.0.0.1 break.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Hand inbound traffic on the LAN interface to the protocol chains.
$IPTABLES -A INPUT -p TCP -i $LAN_IFACE -j tcpchain
$IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -j icmpchain
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE -j udpchain
echo "protocols: jumping"

# Outbound: anything sourced from this host may leave.
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
echo "outbound: filtered" |
hope it helps... this should give you a jump start at least on making your own
_________________
In the end, the love you get is equal to the love you make
--John Lennon & Paul McCartney (The End - Abbey Road,
mpalladi n00b
Joined: 16 Apr 2003 Posts: 47
Posted: Fri Jun 13, 2003 2:13 pm Post subject:
The book: Securing and Optimising Linux
http://www.openna.com
has a great section on appropriate rules for a number of scenarios.
It helped me a lot, although in the end I used shorewall. Very easy.