LinuxQuestions.org

Linux - Networking: linux squid and iptables for secure lan for internet access. (https://www.linuxquestions.org/questions/linux-networking-3/linux-squid-and-iptables-for-secure-lan-for-internet-access-120362/)

pune_abhishek 11-27-2003 12:41 AM

linux squid and iptables for secure lan for internet access.
 
I have installed Linux 7.1 on a machine. I got one LAN (192.168.10.1) and one internet IP (203.197.96.198) from the ISP. I want to create a secure gateway and router. I don't know which configuration would be better. I have two options: 1. iptables, 2. Squid proxy. Can I use both?
What should be the secure configuration in the squid.conf file, or maybe in other files?
What should be the secure configuration in the /etc/iptables file? I want to block ping from outside the LAN.

Thanks in advance for your answer (Abhishek).

chrisfirestar 11-27-2003 01:49 AM

It depends on what you are trying to do, really...

I would definitely say that you would use iptables because you will need to use MASQUERADE etc., but whether Squid is going to do anything for you I'm not sure. Squid (I could be wrong) I have found more useful for making sure machines internally are not going to inappropriate content etc.

iptables is used to block out everything else.

Try this script to block everything from outside and allow connections from inside out. You will of course need to refine this to suit your own needs.

Code:


#!/bin/sh
# Firewall V1.0

################################################################################
#                                                                              #
#                            @@@ IMPORTANT @@@                                #
#                                                                              #
# This script is to be used as a Secure Firewall. The goal when designing this #
# script was to prevent non-trusted traffic INTO the Leadingside Network and  #
# to Restrict access to "work related tasks". This included the development   #
# of a Proxy server to Filter packets and block Instant Messaging.            #
#                                                                              #
# I hope that you find this script useful and that you will be able to use it  #
# in your own network environment.                                            #
#                                                                              #
# Please make sure that you read through the README file and understand what  #
# is being done by this script.                                                #
#                                                                              #
#                      Written By Chris Winfield-Blum                          #
#                                                                              #
################################################################################


# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# Make the kernel ignore ICMP echo requests. Note that icmp_echo_ignore_all
# also ignores pings from the LAN side, so the rate-limited echo-request
# ACCEPT rule further down never sees any traffic.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Set an absolute path to IPTABLES and define the interfaces.
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.

IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1

# Other Definitions
EXT_IP="202.xxx.xxx.xx"
INT_IP="192.168.1.1"
MAILSVR="192.168.1.251"

# Test Machine Definitions
TEST_PC="192.168.1.250"
TEST_HTTP="8080"
TEST_HTTPS="8081"

# Clear out any existing firewall rules, and any chains that might have
# been created.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -X

# Set Default Rules. FORWARD is left at ACCEPT, so routed traffic (including
# the DNATed mail ports below) passes without explicit FORWARD rules; hosts
# behind the NAT are reachable from outside only through those DNATs.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.

# silent      - Just drop the packet
# tcpflags    - Log packets with bad flags, most likely an attack
# firewalled  - Log packets that we refuse, possibly from an attack

$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

# Masquerade the inside network's traffic as it leaves on the outside interface
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o $OUTSIDE -j MASQUERADE

# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

# Allow selected ICMP types and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

# The loopback interface is inherently trustworthy
$IPTABLES -A INPUT -i lo -j ACCEPT

# Inside Machine are trustworthy
$IPTABLES -A INPUT -i $INSIDE -d $INT_IP -j ACCEPT

# Port forwarding.

# Redirect LAN web traffic on port 80 to the Squid proxy on 3128 (transparent
# interception; Squid itself must be configured for it in squid.conf)
$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128

# Redirect External & Internal HTTP on 8080 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP

# Redirect External & Internal SSH on 8081 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS

# Redirect External Emails to Mailserver
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 110 -j DNAT --to $MAILSVR:110
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 25 -j DNAT --to $MAILSVR:25

# INPUT SETTINGS

# Pop3 and SMTP. Packets DNATed to the mail server above traverse FORWARD, not
# INPUT, so these two rules only matter if the DNATs are removed and the
# gateway runs the mail services itself.
# Pop3
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 110 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
# HTTP
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 443 -j ACCEPT
# TEST PC
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j ACCEPT

# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anything that hasn't already matched gets logged and then dropped.
$IPTABLES -A INPUT -j firewalled


pune_abhishek 11-28-2003 03:10 AM

Hi chrisfirestar,
thanks for your reply.

Don't you feel that your firewall rules are too complicated? I have implemented one firewall with MASQUERADING and also with IP forwarding.

My default rules were

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

and I only gave permission to 192.168.10.0, 192.168.10.1 up to 192.168.10.20 as source and anywhere as destination. My protocols were TCP and FTP and the ports were 80 and 21.

It was working properly as far as the web is concerned. My question is, will it be OK when we think about a secure network?

Abhishek

chrisfirestar 11-30-2003 07:11 PM

Well, if the defaults are DROP you should be ok... a few other things you may want to enter into the rules (or manually change):

# Blocks External Ping requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This means the outside world can't ping you... therefore making you hidden on the net.
Visit www.grc.com and do the Shields Up! test. This will tell you any flaws you may have in your firewall :)

If you have any other problems or are unsure how to fix a problem that arises, report back :)
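
An added example, not written by either poster: it turns the default-DROP ruleset Abhishek describes into a stateful script for his 192.168.10.0/24 LAN, and drops echo-requests only on the outside interface rather than using icmp_echo_ignore_all, which would also silence pings from the LAN. Assumed (not from the thread): eth0 faces the ISP, eth1 the LAN, clients 192.168.10.1-192.168.10.20 may use HTTP and FTP, and DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful default-DROP gateway for a
# 192.168.10.0/24 LAN. Assumed: eth0 faces the ISP, eth1 the LAN, and clients
# 192.168.10.1-192.168.10.20 may use HTTP (80) and FTP (21).
# Set DRY_RUN=1 to print the rules instead of applying them.
OUTSIDE=eth0
INSIDE=eth1
LAN=192.168.10.0/24
CLIENT_RANGE=192.168.10.1-192.168.10.20
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}
build_rules() {
    if [ "${DRY_RUN:-0}" != 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # FTP data connections only count as RELATED with the conntrack helper loaded
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    fi
    ipt -F; ipt -t nat -F; ipt -X
    # Default deny on all three chains, FORWARD included
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the gateway or the LAN initiated
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # LAN hosts may reach the gateway itself (DNS, Squid on 3128, ping); pings
    # from the outside interface are dropped without touching icmp_echo_ignore_all
    ipt -A INPUT -i $INSIDE -s $LAN -j ACCEPT
    ipt -A INPUT -i $OUTSIDE -p icmp --icmp-type echo-request -j DROP
    # Only the permitted client range gets out, and only to HTTP and FTP control
    for port in 80 21; do
        ipt -A FORWARD -i $INSIDE -o $OUTSIDE -m iprange --src-range $CLIENT_RANGE \
            -p tcp --dport $port -m state --state NEW -j ACCEPT
    done
    # The gateway's own new outbound connections (DNS, updates, Squid fetches)
    ipt -A OUTPUT -o $OUTSIDE -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE
    # Log what is about to hit the DROP policy, rate-limited
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
    ipt -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
}
# Number of chains the generated ruleset defaults to DROP (expect 3)
check_policies() {
    DRY_RUN=1 build_rules | grep -c -- '-P [A-Z]* DROP'
}
```

Run `DRY_RUN=1 sh script.sh` after adding a `build_rules` call at the bottom to review the generated rules before applying them as root.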

dubman 11-30-2003 07:20 PM

http://eressea.pikus.net/~pikus/plug...all/page0.html

This may be helpful.

