LinuxQuestions.org
12-22-2004, 07:16 PM   #1
RichardBuck
ipchains log and samba query


Hi all

Not new to Linux but entirely new to networking... Have recently linked an old machine running Windows 98 to a Linux box running RedHat 7.3 - direct cable connection, no hub. Linux box is linked to internet via cable modem on eth0, eth1 is the LAN interface. Set up firewall + masquerade using ipchains & a script based on the firemasq script found at unixgeeks.org -- this all seemed to work fine. Have now set up Samba as well & noticed a couple of oddities:

1) Whenever you see output from smbclient -L localhost -U% listed in examples it only ever mentions the LAN address, whereas the output when I run it lists both the eth1 address and the external IP address of the cable modem.
2) My ipchains log is filling up with hits ostensibly from the cable modem's external address on the port that Samba listens on. Don't know if this is spoofed (seems unlikely), should be dropped without bothering to log, or accepted.
3) Something is causing x/kde to slow down massively (not quite freezing) since I set this lot up...

Output of ifconfig:
eth0 Link encap:Ethernet HWaddr 00:0A:E6:43:98:48
inet addr:82.9.238.80 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:228095 errors:0 dropped:0 overruns:0 frame:0
TX packets:9722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:17314490 (16.5 Mb) TX bytes:1061795 (1.0 Mb)
Interrupt:10 Base address:0xd000

eth1 Link encap:Ethernet HWaddr 00:04:E2:18:40:75
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17838 errors:0 dropped:0 overruns:0 frame:0
TX packets:21758 errors:27 dropped:0 overruns:0 carrier:54
collisions:0 txqueuelen:100
RX bytes:2118070 (2.0 Mb) TX bytes:22438773 (21.3 Mb)
Interrupt:5 Base address:0x9c00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:991 errors:0 dropped:0 overruns:0 frame:0
TX packets:991 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:400494 (391.1 Kb) TX bytes:400494 (391.1 Kb)

Output of route -n:
Destination Gateway Genmask Flags Metric Ref Use Iface
82.9.238.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 82.9.238.254 0.0.0.0 UG 0 0 0 eth0

Output of smbclient -L localhost -U%:
added interface ip=82.9.238.80 bcast=82.9.238.255 nmask=255.255.255.0
added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
Domain=[VALIS] OS=[Unix] Server=[Samba 2.2.3a]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Linux Box)
ADMIN$ Disk IPC Service (Linux Box)
HP690C Printer

Server Comment
--------- -------
BIGNOODLE Windows 98 Box
DRSMILE Linux Box

Workgroup Master
--------- -------
VALIS DRSMILE

Example from ipchains log:
Dec 23 00:37:15 localhost kernel: Packet log: inet-in DENY eth0 PROTO=17 82.9.238.80:138 82.9.238.255:138 L=238 S=0x00 I=0 F=0x4000 T=64 (#22)
Dec 23 00:37:15 localhost kernel: Packet log: inet-in DENY eth0 PROTO=17 82.9.238.80:138 82.9.238.255:138 L=236 S=0x00 I=0 F=0x4000 T=64 (#22)
Dec 23 00:49:15 localhost kernel: Packet log: inet-in DENY eth0 PROTO=17 82.9.238.80:138 82.9.238.255:138 L=238 S=0x00 I=0 F=0x4000 T=64 (#22)
Dec 23 00:49:15 localhost kernel: Packet log: inet-in DENY eth0 PROTO=17 82.9.238.80:138 82.9.238.255:138 L=236 S=0x00 I=0 F=0x4000 T=64 (#22)

Content of /etc/rc.firemasq script:
#!/bin/sh

# Change IPCHAINS to the correct path for your system
IPCHAINS=/sbin/ipchains

# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections. Most cable modem users
# will probably want eth0 or possibly eth1. When in doubt look at the command
# 'ifconfig'.
INETDEV="eth0"

# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients
LAN="192.168.0.0/24"

# Change LANDEV to the network device connected to your LAN
LANDEV="eth1"

# There should be no need to change this: you may need to play with it a little.
# If you have problems, try the command on the command-line, substituting $LANDEV
# for 'eth0' (or 'eth1', etc if you're a cable user).
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d B -f 1`


echo ""
echo "FireMasq version 0.7 by Dr. Teeth (2000)"
echo "Rehashed(!) by munk (2001)"
echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""

#Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Set default chain policy
echo -n "Setting default chain policies..."
$IPCHAINS -P input DENY
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
echo " Done!"

#Flush all chains: start fresh
echo -n "Flushing chains..."
$IPCHAINS -F
$IPCHAINS -X
echo " Done!"

#Add custom chains
echo -n "Adding custom chains..."
$IPCHAINS -N inet-in # incoming from internet
$IPCHAINS -N inet-out # outgoing onto internet
echo " Done!"

#Set input rules
echo -n "Setting rules for input chain..."
#Any LAN address to any other LAN address is ok:
$IPCHAINS -A input -s $LAN -d $LAN -j ACCEPT
#Loopback interface comms all ok:
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
#ADDED BY RMB cablemodem and dns servers are ok:
$IPCHAINS -A input -s 192.168.100.1 53 -d 0/0 -p udp -j ACCEPT
$IPCHAINS -A input -s 194.168.4.100 53 -d 0/0 -p udp -j ACCEPT
$IPCHAINS -A input -s 194.168.8.100 53 -d 0/0 -p udp -j ACCEPT
#ADDED BY RMB ntp comms are ok:
$IPCHAINS -A input -p udp --destination-port 123 -s 130.159.196.118 -j ACCEPT
$IPCHAINS -A input -p udp --destination-port 123 -s 194.164.127.5 -j ACCEPT
$IPCHAINS -A input -p udp --destination-port 123 -s 130.88.200.98 -j ACCEPT
#Any LAN address to anywhere (including internet) is ok:
$IPCHAINS -A input -s $LAN -d 0.0.0.0/0 -i $LANDEV -j ACCEPT
#Any comms on the internet interface should be handled by the 'inet-in' chain:
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-in
echo " Done!"

#Set forward rules
echo -n "Setting rules for forward chain..."
#Forwarding LAN TO LAN ok:
$IPCHAINS -A forward -s $LAN -d $LAN -j ACCEPT
#Forwarding LAN to internet ok:
$IPCHAINS -A forward -s $LOCALIP -d 0.0.0.0/0 -j ACCEPT
echo " Done!"

#Activate masquerade
echo -n "Activating masquerade..."
$IPCHAINS -A forward -s $LAN -d 0.0.0.0/0 -j MASQ
#If you have trouble with timeouts, change this line:
# $IPCHAINS -M -S 7200 10 60
echo " Done!"

#Set output rules
echo -n "Setting rules for output chain..."
$IPCHAINS -A output -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPCHAINS -A output -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-out
echo " Done!"

#Set inet-in rules
echo "Setting rules for internet device incoming chain:"
echo -n " Setup port blocking on vulnerable ports..."
#These ports don't have to be blocked, but as they are
#these rules let you know when you're being attacked on
#the corresponding ports by logging the attack to /var/log/messages
#(or wherever your ipchains logging is done).
#Block NFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
#Block postgres
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
#Block X
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
#Block XFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
#Block Back Orifice
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
#Block netbus
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
echo " Done!"


echo -n ' Allowing ssh, dns, and icmp (ping/traceroute) traffic...'
#Vital for basic communications
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 ssh -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 auth -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#ADDED BY RMB Allowing incoming dhcp traffic from cable modem and dhcp servers
$IPCHAINS -A inet-in -p udp -s 10.150.239.254 67 -d 255.255.255.255 68 -j ACCEPT
$IPCHAINS -A inet-in -p udp -s 62.254.128.20 67 -d 255.255.255.255 68 -j ACCEPT
$IPCHAINS -A inet-in -p udp -s 62.254.128.21 67 -d 255.255.255.255 68 -j ACCEPT
echo " Done!"

All ideas/suggestions gratefully received.
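
An added example, not part of the original post: a small Python parser for the "Packet log:" lines quoted above that tallies entries by whether the logged source is one of the host's own addresses and the destination a broadcast address of one of its interfaces (UDP 138 is the NetBIOS datagram service). The interface addresses come from the ifconfig output in the post; the third sample line and all function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_interface

# Field layout of an ipchains "Packet log:" line as it appears in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)

# Addresses and masks taken from the ifconfig output in the post.
IFACES = [ip_interface("82.9.238.80/24"), ip_interface("192.168.0.1/24")]

# First two lines are from the post; the third is constructed sample data.
SAMPLE = [
    "Dec 23 00:37:15 localhost kernel: Packet log: inet-in DENY eth0 PROTO=17 82.9.238.80:138 82.9.238.255:138 L=238 S=0x00 I=0 F=0x4000 T=64 (#22)",
    "Dec 23 00:37:15 localhost kernel: Packet log: inet-in DENY eth0 PROTO=17 82.9.238.80:138 82.9.238.255:138 L=236 S=0x00 I=0 F=0x4000 T=64 (#22)",
    "Dec 23 00:50:02 localhost kernel: Packet log: inet-in DENY eth0 PROTO=6 203.0.113.7:4321 82.9.238.80:2049 L=48 S=0x00 I=1234 F=0x4000 T=52 (#1)",
]

def parse(line):
    """Return the logged fields as a dict, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def classify(entry, ifaces=IFACES):
    """Label an entry by how its source and destination relate to this host."""
    src, dst = ip_address(entry["src"]), ip_address(entry["dst"])
    own = {i.ip for i in ifaces}
    bcast = {i.network.broadcast_address for i in ifaces} | {ip_address("255.255.255.255")}
    if src in own:
        # Source is one of the host's own addresses: broadcast or unicast destination?
        return "own-broadcast" if dst in bcast else "own-source"
    return "external"

def summarize(lines, ifaces=IFACES):
    """Count entries per (class, interface, protocol, destination port, rule number)."""
    counts = Counter()
    for line in lines:
        e = parse(line)
        if e:
            key = (classify(e, ifaces), e["iface"], int(e["proto"]), int(e["dport"]), int(e["rule"]))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Run over the real log, entries labelled own-broadcast can be set against the "added interface" lines in the smbclient output, which list the same ip and bcast pair.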
 
  

