LinuxQuestions.org
Old 02-01-2006, 10:23 AM   #1
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 10.2
Posts: 62

Rep: Reputation: 19
weekend networker


Please don't point me to a link or man page; been there, done that. If you don't know, please don't post.

A short and incomplete history: I am an instructor in an HS vocational setting that had to learn networking "the hard way".

I now manage the building I am in AND teach 11 & 12 Tech Prep at the same time, i.e., I have no time. I fell in love with Linux, and networking is kind of fun too.

I use Suse 9 atm for my NAT and web server. I NEED to branch into mail, SAMBA, MRTG, etc., but I want to start with my firewall.

I want to learn how to do this "manually" through the shell (and scripts) or ssh. I know there are tools, SWAT for Samba for instance; not what I want to do, thanks.

For a simple firewall, if I:

Code:
#!/bin/sh
set -e


###############################
##            IT Lab Firewall
##            October 2005
###############################


## iptables setup: interface and IP variables, declared here for global use and ease of change

EXT_IFACE=eth1
EXT_IP=zzzz             # top nic

WEB_IFACE=eth1
WEB_IP=yyyy             # routed live

DMZ_IFACE=eth2
DMZ_IP=yyyy
DMZ_NET=yyyy/y

LAN_IFACE=eth0
LAN_IP=xxxx
LAN_NET=xxxx/x
LAN_BCAST=xxxx

ANYWHERE=0/0
WEB_SERVER=yyyy         # should the mail, etc. IPs go in here as well?
MAIL_SERVER=            #
DNS_SERVER=
FTP_SERVER=
GAME_SERVER=
GATEWAY=xxxx

#LOGLEVEL=/var/log/firewall     # where the log daemon sends the log

load ()
{
# Flush all rules

iptables -F
iptables -t nat -F
iptables -t mangle -F

# Erase all non-default chains

iptables -X
iptables -t nat -X
iptables -t mangle -X

        # plain echo, not "echo -e": /bin/sh may be dash, whose echo prints the "-e" literally
        echo "Enabling IP forwarding."
        echo 1 > /proc/sys/net/ipv4/ip_forward

# SYN cookies protect against SYN flood / denial-of-service attacks

        echo "Enabling SYN protection"
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies

iptables -P INPUT       DROP
iptables -P OUTPUT      DROP
iptables -P FORWARD     DROP

# reset the default policies in the nat table: its built-in chains are PREROUTING, POSTROUTING
# and OUTPUT. There is no LANOUTPUT chain; with "set -e" that typo aborted the script right here.

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# reset the default policies in the mangle table (all five built-in chains)

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

# allow ssh connections to this machine
# (from any interface as written; narrow it with -i $LAN_IFACE -s $LAN_NET once it is tested)

iptables -A INPUT -p tcp -m tcp --destination-port 22 -j ACCEPT

# accept packets intended for this machine

iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# match loopback by interface, not by source address: "-s 127.0.0.1" would also accept
# a spoofed packet arriving on $EXT_IFACE with that source
iptables -A INPUT -i lo -j ACCEPT
# OUTPUT policy is DROP, so the box needs this to answer the ssh sessions accepted above
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# FWD: Allow all connections OUT and only existing and related ones IN

iptables -A FORWARD -i $EXT_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# the DMZ needs the same return path, or its outbound connections never get replies
iptables -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -j ACCEPT
iptables -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -j ACCEPT

# Enabling SNAT (MASQUERADE) functionality on $EXT_IFACE

iptables -t nat -A POSTROUTING -o $EXT_IFACE -s $LAN_NET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXT_IFACE -s $DMZ_NET -j MASQUERADE

# RFC1918 - all other private ip access from external not permitted
...........................
( so many schools of thought here - so many different opinions )

Is this basically a good start?

What should I look at?

(anti-spoofing)
(blocking DNS, DHCP requests ...)
(route incoming port 80 traffic to DMZ .....)
(open ftp to DMZ for webserver)

I wish I knew more.

The script was easy to mod; I have programmed off and on for years. Not my total original, but cool.


Thanks Mike
 
Old 02-01-2006, 03:50 PM   #2
halvy
Member
 
Registered: Aug 2005
Location: Dublin, Ireland
Distribution: my own Debian creation :)
Posts: 871

Rep: Reputation: 40
I wish we knew more too, Mike, about what you are trying to learn/do.

How can anyone tell if that script is a 'good start' when we have no idea what your specs (hardware) or requirements are?

Are you using this for the school?

And why are you even considering a DMZ? Those 3 letters strike the fear of God into most admins.

good luck, lettuce know :]
 
Old 02-01-2006, 06:26 PM   #3
Dmjmusser
Member
 
Registered: Nov 2005
Location: Detroit, Michigan -- USA
Distribution: Fedora Core
Posts: 90

Rep: Reputation: 15
You wanna learn Samba? Go right to the source, my friend: Samba.org. Check out the HOWTO and "Learn By Example" sections. From File Servers to Domain Controllers and Member...they'll teach you wonders. I know you didn't want to be pointed to a link, but I believe that reading the docs in this case is the best way to learn.

~Myles
 
Old 02-01-2006, 06:43 PM   #4
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 10.2
Posts: 62

Original Poster
Rep: Reputation: 19
You're kidding, I hope.
How does my hardware, or whether it is a school, make any difference?
I asked that if you did not know, please don't post.

If you don't understand the script, then forget that part. Let's try to make this so it helps more than one person.

Let's say I have an INT(ernal), EXT(ernal) and DMZ-facing NIC. (If DMZ is scary, then we can call it Fred.)

( look at my script code in my 1st post and no it is not complete )

I assume that flushing and beginning with policies at DROP is what most agree is "the best"?
I think you need to turn on IP forwarding, msq, and SYN protection (is there more?).
I am pretty sure I want to accept all packets for this machine (127.0.0.1).
I am pretty sure I want to accept packets that are related or established.
Should I check for all bad things first? I.e., spoofs or port blocks (such as external DHCP, DNS, etc.), so they are dropped right away? Then test to see if it is related or established, then if it is to MY web server?
I want to msq the internal and Fred networks.
I should block attempts to connect to my network from the EXT with IPs from the INT/net, Fred/net (or redirect web traffic, for instance, to the web server in Fred), and the private IP ranges.
I should block, say, DNS, DHCP, etc. requests, since no one from outside can have them and, from inside, it will not be running on the NAT.

From all that I read (and it takes a lot of reading to find useful / understandable info to filter down to a pamphlet), I need to set up, say, ICMP rules for a more secure firewall.

All in all, more info than I wanted to do at first.

All I wanted to start with is a firewall that will msq the 2 networks to the outside correctly, i.e., web, mail, DNS (which is outside), ftp, etc., and look like one IP to the world (msq).

For anyone that wants to go deeper, I should also drop requests from my DMZ to my INT so my web server cannot be made to hit my INT, right?

I am looking for sample iptables commands that help explain how to make it work. I can modify some of the lines I have, but I want to "see" how to do it, and I want to find out what all I should do to make it run the best. In less than 5 million words.

Sorry for being snippy, but I want real help.

Thank you

Mike
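Worked example, added here as editor's material and not part of the thread or of Mike's script: an iptables ruleset for the three-legged layout described in posts #1 and #4 (eth0 LAN, eth1 external, eth2 DMZ) that does, in the order post #4 asks about, the things both posts list: anti-spoofing checks first, established/related traffic next, DNS/DHCP aimed at the box dropped, rate-limited ssh and ICMP, DMZ-to-INT connections dropped and logged, inbound port 80 DNATed to the DMZ web server, and MASQUERADE for both inside networks. The interface names are the thread's; the subnets, the web server address and the ADMIN_NET variable are assumed placeholders. Setting IPT=echo (and SYSCTL=echo) prints the rules instead of loading them, so the ordering can be reviewed without root.

```shell
#!/bin/sh
# Added example for the three-legged layout in this thread (eth1 external, eth2 DMZ, eth0 LAN).
# Not the original poster's script. Every address below is an assumed placeholder.
set -eu

IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of loading them
SYSCTL="${SYSCTL:-sysctl}"    # SYSCTL=echo likewise previews the kernel settings

EXT_IFACE=eth1
LAN_IFACE=eth0
DMZ_IFACE=eth2
LAN_NET=192.168.10.0/24       # assumed LAN subnet
DMZ_NET=192.168.20.0/24       # assumed DMZ ("Fred") subnet
WEB_SERVER=192.168.20.10      # assumed web server in the DMZ
ADMIN_NET=$LAN_NET            # ssh to the firewall is allowed only from here

fw_sysctl() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1   # kernel-side anti-spoofing: drop if the reply route differs
}

fw_flush() {
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Anti-spoofing, checked before anything else: nothing from the outside may claim an inside,
# loopback or RFC 1918 source, and each inside interface only ever sees its own subnet.
fw_antispoof() {
    $IPT -N SPOOF
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A SPOOF -i $EXT_IFACE -s $net -j DROP
    done
    $IPT -A SPOOF -i $LAN_IFACE ! -s $LAN_NET -j DROP
    $IPT -A SPOOF -i $DMZ_IFACE ! -s $DMZ_NET -j DROP
    $IPT -A INPUT -j SPOOF
    $IPT -A FORWARD -j SPOOF
}

fw_input() {
    $IPT -A INPUT -i lo -j ACCEPT                  # by interface, not "-s 127.0.0.1", which is spoofable
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # the firewall runs neither DNS nor DHCP: drop those quietly so they never clutter the log
    $IPT -A INPUT -p udp -m multiport --dports 53,67,68 -j DROP
    $IPT -A INPUT -p tcp --dport 53 -j DROP
    # ssh from the admin network only, with a rate limit on new connections
    $IPT -A INPUT -i $LAN_IFACE -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW \
         -m limit --limit 3/min --limit-burst 5 -j ACCEPT
    # ICMP: answer pings, but not a flood of them; ICMP errors for our own flows are RELATED above
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -m limit --limit 1/s -j LOG --log-prefix "FW-INPUT-DROP: "
}

fw_output() {
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   # the box may talk out; ssh replies need this
}

fw_forward() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -j ACCEPT     # LAN and DMZ may go out
    $IPT -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -j ACCEPT
    $IPT -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT     # LAN may reach the DMZ...
    $IPT -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m limit --limit 1/s -j LOG --log-prefix "FW-DMZ-TO-LAN: "
    $IPT -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j DROP       # ...but a compromised DMZ host gets nothing back
    # the only connection the outside may open: HTTP to the web server (after the DNAT in fw_nat)
    $IPT -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

fw_nat() {
    $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
    $IPT -t nat -A POSTROUTING -o $EXT_IFACE -s $LAN_NET -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $EXT_IFACE -s $DMZ_NET -j MASQUERADE
}

fw_start() {
    fw_sysctl
    fw_flush
    fw_antispoof      # first, so a spoofed packet dies before any ACCEPT rule can see it
    fw_input
    fw_output
    fw_forward
    fw_nat
}

case "${1:-}" in
    start) fw_start ;;    # sh fw.sh start   (IPT=echo SYSCTL=echo sh fw.sh start to preview the rules)
esac
```

Two things the thread asks about are deliberately left out. Passive FTP into the DMZ needs the ip_conntrack_ftp (later nf_conntrack_ftp) helper loaded so the data connection shows up as RELATED; without it a plain port 21 rule will not work. And on current kernels `-m state --state` is a compatibility alias for `-m conntrack --ctstate`, so the same rules carry over unchanged.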
 