Old 11-27-2003, 01:41 AM   #1
pune_abhishek
LQ Newbie
 
Registered: Nov 2003
Location: india
Posts: 8

Rep: Reputation: 0
Linux, Squid and iptables for a secure LAN with Internet access


I have installed Linux 7.1 on a machine. I have one LAN (192.168.10.1) and one Internet IP (203.197.96.198) from my ISP. I want to create a secure gateway and router. I don't know which configuration would be better. I have two options: 1. iptables, 2. Squid proxy. Can I use both?
What should the secure configuration be in the squid.conf file, or maybe in other files?
What should the secure configuration be in the /etc/iptables file? I want to block ping from outside the LAN.

Thanks in advance for your answer (Abhishek)
 
Old 11-27-2003, 02:49 AM   #2
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
It depends on what you are trying to do really...

I would definitely say that you would use iptables because you will need to use MASQUERADE etc., but whether Squid is going to do anything for you I'm not sure. Squid (I could be wrong) I have found more useful for making sure machines internally are not going to inappropriate content etc.

iptables is used to block out everything else.

Try this script to block everything from outside and allow connections from inside out. You will of course need to refine this to suit your own needs.

Code:
#!/bin/sh
# Firewall V1.0

################################################################################
#                                                                              #
#                            @@@ IMPORTANT @@@                                 #
#                                                                              #
# This script is to be used as a Secure Firewall. The goal when designing this #
# script was to prevent non-trusted traffic INTO the Leadingside Network and   #
# to Restrict access to "work related tasks". This included the development    #
# of a Proxy server to Filter packets and block Instant Messaging.             #
#                                                                              #
# I hope that you find this script useful and that you will be able to use it  #
# in your own network environment.                                             #
#                                                                              #
# Please make sure that you read through the README file and understand what   #
# is being done by this script.                                                #
#                                                                              #
#                      Written By Chris Winfield-Blum                          #
#                                                                              #
################################################################################


# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# Blocks External Ping requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Set an absolute path to IPTABLES and define the interfaces.
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.

IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1

# Other Definitions
EXT_IP="202.xxx.xxx.xx"
INT_IP="192.168.1.1"
MAILSVR="192.168.1.251"

# Test Machine Definitions
TEST_PC="192.168.1.250"
TEST_HTTP="8080"
TEST_HTTPS="8081"

# Clear out any existing firewall rules, and any chains that might have
# been created.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -X

# Set Default Rules
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.

# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack

$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

# Use below to enable MASQUERADE eth1
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

# Allow selected ICMP types and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

# The loopback interface is inherently trustworthy
$IPTABLES -A INPUT -i lo -j ACCEPT

# Inside Machine are trustworthy
$IPTABLES -A INPUT -i $INSIDE -d $INT_IP -j ACCEPT

# Port forwarding.

# Redirect Traffic for Port 80 to Squid Proxy Server:3128
$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128

# Redirect External & Internal HTTP on 8080 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP

# Redirect External & Internal SSH on 8081 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS

# Redirect External Emails to Mailserver
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 110 -j DNAT --to $MAILSVR:110
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 25 -j DNAT --to $MAILSVR:25

# INPUT SETTINGS

# Pop3
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 110 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
# HTTP
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 443 -j ACCEPT
# TEST PC
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j ACCEPT

# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anything that hasn't already matched gets logged and then dropped.
$IPTABLES -A INPUT -j firewalled
 
Old 11-28-2003, 04:10 AM   #3
pune_abhishek
LQ Newbie
 
Registered: Nov 2003
Location: india
Posts: 8

Original Poster
Rep: Reputation: 0
Hi chrisfirestar,
Thanks for your reply.

Don't you feel that your firewall rules are rather complicated? I have implemented one firewall with MASQUERADING and also with IP forwarding.

My default rules were

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

and I only gave permission to 192.168.10.0, 192.168.10.1 up to 192.168.10.20 as source and anywhere as destination. My protocols were TCP and FTP and the ports were 80 and 21.

It was working properly as far as the web is concerned. My question is: will it be OK when we think about a secure network?

Abhishek
 
Old 11-30-2003, 08:11 PM   #4
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Well, if the defaults are DROP you should be OK... A few other things you may want to enter into the rules (or manually change it):

# Blocks External Ping requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This means the outside world can't ping you, therefore making you hidden on the net.
Visit www.grc.com and do the Shields Up! test. This will tell you any flaws you may have in your firewall.

If you have any other problems or are unsure how to fix a problem that arises, report back.
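Putting the two replies together (the default-DROP policy and 192.168.10.0/24 ranges from post #3, the Squid REDIRECT from post #2, and the ping question from post #4), here is an added example of a small stateful gateway; it is not a script from this thread or from any of its posters. The interface names eth0/eth1 and the use of sysctl are assumptions; DRY=echo (the default) only prints the commands so the rule set can be reviewed, and DRY= applies it as root.

```shell
#!/bin/sh
# Added example (not from the thread): default DROP in every direction, LAN
# 192.168.10.0/24 allowed out on 80 (via Squid) and 21 only, replies by
# connection state, and ping answered only from the LAN side, which makes
# icmp_echo_ignore_all unnecessary. Interface names are assumptions.
DRY=${DRY-echo}              # DRY= to really apply the rules as root
IPT="$DRY iptables"
OUTSIDE=${OUTSIDE:-eth0}     # ISP-facing interface (assumed name)
INSIDE=${INSIDE:-eth1}       # LAN interface (assumed name)
LAN=192.168.10.0/24          # LAN range from post #3
GW=192.168.10.1              # gateway's LAN address from post #1
SQUID_PORT=3128

build_rules() {
    $DRY sysctl -w net.ipv4.ip_forward=1
    # Start clean, then default-deny in every direction (post #3's policy).
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # INPUT: loopback, the LAN reaching Squid/ssh on the gateway, LAN pings,
    # and replies to connections the gateway opened itself. Echo requests
    # arriving on $OUTSIDE match nothing and fall through to DROP.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $INSIDE -s $LAN -d $GW -p tcp -m multiport --dports $SQUID_PORT,22 -j ACCEPT
    $IPT -A INPUT -i $INSIDE -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # OUTPUT: only what Squid and the resolver need; anything else the
    # gateway itself tries to send out is dropped.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o $INSIDE -d $LAN -j ACCEPT
    $IPT -A OUTPUT -o $OUTSIDE -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $OUTSIDE -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: LAN port 80 is handed to Squid before routing (transparent proxy);
    # only LAN traffic leaving on the ISP link is masqueraded.
    $IPT -t nat -A PREROUTING -i $INSIDE -s $LAN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    $IPT -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE

    # FORWARD: LAN clients may only open FTP control connections; the data
    # channel returns as RELATED once the FTP conntrack helper is loaded
    # (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on later ones).
    $IPT -A FORWARD -i $INSIDE -o $OUTSIDE -s $LAN -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
build_rules
```

With the dry run the printed rule list can be compared against what `iptables -L -v -n` shows after applying it; a LAN host should still get ping replies from 192.168.10.1 while an external probe of 203.197.96.198 gets nothing.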
 
Old 11-30-2003, 08:20 PM   #5
dubman
Member
 
Registered: Jan 2003
Distribution: Redhat 9, Fedora Core 1, Suse 8
Posts: 188

Rep: Reputation: 30
http://eressea.pikus.net/~pikus/plug...all/page0.html

This may be helpful.
 