iptables: am I on the right track?
Hi,
I am making a file with rules to secure what I have here, and I would like to know if you guys could spot my mistakes and also help me out with this file, as I am still learning.

I have 2 network cards: eth0 holds the local network and eth1 holds the internet and the real IPs.

eth0 = 192.168.0.0/24
eth1 = 200.xxx.xxx.253/255.255.255.240
eth1:1 = 200.xxx.xxx.252/255.255.255.240
eth1:2 = 200.xxx.xxx.251/255.255.255.240

This machine is called firewall and it has the following services: DNS, MAIL, MYSQL (local network), SSH (external access).

From the local network I have some software that needs access to the internet; it uses the ports tcp 2136, tcp 2631, udp 2631, tcp 3007, tcp 137, tcp 10000, tcp 3057. I am not quite sure how to create these rules, because the software is installed on a machine in the internal network and I am not sure if the program will reply back, so what rules would I need in this case to allow any machine within the internal network to talk with this program through the internet?

Besides those, I need to redirect ports 80 and 8080 to an internal IP that holds the webserver on the IP 192.168.0.4, and also redirect port 4000 to the MTSC access to this server.

I would appreciate it if you guys could help me out on this. Here is the firewall I have so far:

Code:
#!/bin/bash
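The two things the post asks for, letting the LAN software reach the listed ports with replies allowed back and publishing 80, 8080 and 4000 on the web host, come down to a stateful FORWARD chain plus two NAT rules. Below is an added example ruleset for exactly the topology described above (eth0 = 192.168.0.0/24, eth1 = Internet, web server 192.168.0.4); it is not the poster's script. Everything not stated in the thread is an assumption and marked as such in the comments: that squid runs on the firewall on port 3128 (the thread mentions squid rules but no port), that "MTSC" on port 4000 lives on the same web host, that mail means SMTP/25 and MySQL means 3306. Run it as `sh fw.sh apply` as root; with no argument it prints the rules it would load.

```shell
#!/bin/sh
# Added example for the topology in the post above (eth0 = LAN
# 192.168.0.0/24, eth1 = Internet, web server 192.168.0.4). This is not the
# poster's script. ASSUMED, not stated in the thread: squid listens on the
# firewall on 3128, "MTSC" on port 4000 lives on the same web host, mail
# is SMTP/25, MySQL is 3306.

IPT=${IPT:-/sbin/iptables}   # full path, never `which`: a poisoned PATH cannot swap the binary
LAN_IF=eth0
WAN_IF=eth1
LAN=192.168.0.0/24
WEB=192.168.0.4
SQUID_PORT=3128                          # assumption
APP_TCP="2136 2631 3007 137 10000 3057"  # outbound TCP ports the LAN software needs (from the post)
APP_UDP="2631"
FORWARDED_TCP="80 8080 4000"             # ports published from the Internet to $WEB

apply_rules() {
    # Known state and default deny on what comes in and what passes through
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, then stateful return traffic. The conntrack match is what lets the
    # LAN software's replies come back: only the first packet of a connection
    # has to match a port rule, everything after it matches ESTABLISHED.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services running on the firewall itself
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT                    # DNS
    $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT                    # mail (assumed SMTP)
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT                    # SSH (external access, per the post)
    $IPT -A INPUT -i $LAN_IF -p tcp --dport 3306 -j ACCEPT       # MySQL, LAN side only
    $IPT -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -p icmp -j ACCEPT

    # Transparent proxy: LAN web requests are redirected to squid on this box.
    # Matching on -i eth0 keeps this apart from the DNAT for port 80 below.
    $IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN -p tcp --dport 80 \
        -j REDIRECT --to-ports $SQUID_PORT

    # Outbound from the LAN: only the listed application ports may open connections
    for p in $APP_TCP; do
        $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN -p tcp --dport $p -m state --state NEW -j ACCEPT
    done
    for p in $APP_UDP; do
        $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN -p udp --dport $p -j ACCEPT
    done
    # Rewrite the LAN source address to the eth1 address on the way out
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN -j MASQUERADE

    # Port forwards: DNAT rewrites the destination before routing, and a matching
    # FORWARD rule has to accept the rewritten packet or it is silently dropped.
    for p in $FORWARDED_TCP; do
        $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $WEB:$p
        $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB -p tcp --dport $p -m state --state NEW -j ACCEPT
    done
}

case "${1:-dry-run}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward   # FORWARD is never consulted without this
        apply_rules ;;
    dry-run)
        ( IPT=echo; apply_rules ) ;;             # print the rules instead of loading them
esac
```

Two checks worth doing after loading: `iptables -t nat -L -n -v` should show the three DNAT rules and the MASQUERADE rule with non-zero counters once traffic flows, and `cat /proc/sys/net/ipv4/ip_forward` must read 1, because with forwarding off the FORWARD chain is never consulted and the LAN sees exactly the symptom of "ping to the firewall works, nothing beyond it does". The dry-run mode (`IPT=echo`) is also the cheapest way to review the generated rules before touching a remote box over SSH.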
Hmm, the script in general looks good. If you want your application that is located on the inside network to be active on the internet, you should have a look at the NAT table in the documents here: http://www.netfilter.org/documentati...entation-howto
Good luck...
Start it up and see if it works. I would suggest adding some echos before each group of commands; that way, if you have a problem, you know approximately where the problem is, i.e.:
echo "PROXY SQUID RULES"
Let me add something that tends to save me when I think a connection should go through but doesn't. Instead of just "DROP", I create a new chain "LOG_AND_DROP". All "DROP" targets get replaced with "LOG_AND_DROP". That chain then gets
-A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:
-A LOG_AND_DROP -j DROP
and I usually have the first line commented out. As shown above, it will add an entry to the syslog for each packet that gets dropped, and you will be able to see what's going on. In a busy network with a high drop rate this can lead to a lot of messages in the syslog; that's why I have it switched off mostly and activate the line only when I need to debug my firewall settings. Having it sitting there ready to be activated by removing the comment is also nice if you have to activate it in a hurry, when you think that you are getting scanned or attacked and need to log the activity. Hope it helps a bit, mlp
mlp68, it looks like a very good idea, and I might not leave it active, like you said, because we have huge traffic, but it would be awesome for debugging when a problem comes up. How would I implement the LOG_AND_DROP?

Also I would like to ask everyone to check out my rules and spot what I did wrong or could change or implement to make it better. THANKS.
Code:
$IPT -N LOG_AND_DROP
Code:
$IPT -A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:
Now in the existing lines of your script, you replace what reads "-j DROP" with "-j LOG_AND_DROP"; for example, the current line
Code:
$IPTABLES -A INPUT -s $ALL -d $ALL -j DROP
becomes
Code:
$IPTABLES -A INPUT -s $ALL -d $ALL -j LOG_AND_DROP
You are asking if others could help debug your script. My opinion: you make it pretty much unreadable with all those definitions and substitutions that make you jump back and forth... what was that $ALL again? And why is it "$IPT" mostly, but once (in the DROP line that I quoted above) the command is called "$IPTABLES"? All those variables which one needs to look up make it very hard to understand what's going on. The way you define $IPT, $MODP, $INSMOD, etc. doesn't even help you fend off an attacker who manages to tweak your PATH variable (one of the classic attacks: sneak in a same-name executable ahead of the system one in root's PATH), which is the reason why in scripts the commands are normally given with the full path. You define IPT=`which iptables`, which leaves you vulnerable to that attack. Also, I don't think you have to explicitly insmod all those target modules, do you? If you specify a target, it gets loaded automatically. At least on most systems it is. Hope it helps somewhat, good luck, mlp
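The LOG_AND_DROP chain described in mlp's two posts above has two practical rough edges: on a busy link the LOG rule can flood syslog, and enabling it by uncommenting a line means reloading the whole ruleset. The added example below (written for this page, not mlp's or the poster's code) keeps the chain as mlp describes it but rate-limits the LOG rule and switches it on and off with `-I`/`-D` at run time, then reduces the resulting log lines to a per-source count, which is the view you actually want when you suspect a scan. It assumes /sbin/iptables; the prefix FW-DROP: and the sample log lines are our own.

```shell
#!/bin/sh
# Added example (not mlp's or the poster's code) building on the LOG_AND_DROP
# idea from the two posts above: the chain is created with the DROP only, the
# LOG rule is rate-limited so a scan cannot flood syslog, and it is switched on
# and off with -I/-D at run time instead of by commenting a line out and
# reloading. Assumes /sbin/iptables; the log prefix FW-DROP: is our choice.

IPT=${IPT:-/sbin/iptables}
# Kept in one variable so the -I and -D invocations are guaranteed to match
LOG_RULE='-m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix FW-DROP:'

create_log_and_drop() {
    $IPT -N LOG_AND_DROP
    $IPT -A LOG_AND_DROP -j DROP
}

# Catch-all at the end of the chains that used to end in a bare DROP
install_catchall() {
    $IPT -A INPUT -j LOG_AND_DROP
    $IPT -A FORWARD -j LOG_AND_DROP
}

# Position 1 puts the LOG rule ahead of the DROP; without the explicit index
# -I also inserts at the top, but saying so makes the intent obvious
enable_drop_logging() {
    $IPT -I LOG_AND_DROP 1 $LOG_RULE
}

# -D with a rule specification deletes the first rule that matches it exactly
disable_drop_logging() {
    $IPT -D LOG_AND_DROP $LOG_RULE
}

# Reduce the log to what matters: dropped packets per source and destination
# port. Reads syslog lines on stdin, keeps only those with our prefix.
top_dropped_sources() {
    grep 'FW-DROP:' | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " dpt=" dpt]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample lines in the layout the LOG target produces (documentation
# addresses, not captured traffic); the last line is unrelated noise
SAMPLE_LOG='Mar  1 10:00:01 firewall kernel: FW-DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.253 LEN=60 TTL=50 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  1 10:00:02 firewall kernel: FW-DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.253 LEN=60 TTL=50 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  1 10:00:03 firewall kernel: FW-DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=198.51.100.253 LEN=78 TTL=60 PROTO=UDP SPT=5000 DPT=161
Mar  1 10:00:04 firewall sshd[4242]: Accepted publickey for admin from 192.168.0.10'

case "${1:-}" in
    create) create_log_and_drop; install_catchall ;;
    on)     enable_drop_logging ;;
    off)    disable_drop_logging ;;
    report) top_dropped_sources ;;            # e.g. ./fw-log.sh report < /var/log/messages
    *)      printf '%s\n' "$SAMPLE_LOG" | top_dropped_sources ;;   # demo on the sample lines
esac
```

The limit match lets the first 10 dropped packets through to the log immediately and then 5 per minute, so a port scan produces a handful of lines instead of thousands; lower the burst if the box is very busy. Because the LOG target writes through the kernel's log path, these messages reach syslog with facility kern at the level given by `--log-level`, which is the selector (for example `kern.=info`) a classic syslog.conf would use to route them to their own file; the `--log-prefix` is what you grep for afterwards, as `top_dropped_sources` does.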
Thanks for pointing that out for me, and for being present in my topic; it is helping me a lot. Also thanks for taking the time :)

I am trying to make it the best way, and like you said, indeed I don't need to use which, because I do know the full path of it, and I do agree that using which could be used maliciously against me. Thanks for explaining the LOG_AND_DROP; I am making a different approach to my code now to fit those in for when I need to use it.

Another thing: I was trying to separate the logs of iptables from /var/log/messages in syslog.conf, but even after I make a new line for warning or info or whatever, set the log-level to it and restart syslog, it wasn't redirecting the messages. Any ideas?

I see, I will change the naming scheme again; I was just trying to reduce its usage since I hold it in a variable. I don't think I need to use $IPTABLES to make it readable to everyone; I believe that $IPT as an abbreviation would work well, but I guess not :P

My problem now is that with this code I don't have internet access. The squid redirection looks like it is working fine since it times out; since I can ping but can't download anything, I believe it would be something directly related to the DNS or www access. Could anyone help me out on what I have missed in my rules?

About the $ALL: it is meant for everything, like anywhere, 0/0 or 0.0.0.0/0, UNIVERSE? Would it be better named UNIVERSE, or should I just use 0/0 or 0.0.0.0/0? What do you think?