LinuxQuestions.org
Linux - Security forum
Old 10-21-2005, 06:11 AM   #1
sanjibgupta
Firewall


Hi

I was previously using ipchains to run my firewall script and now I have migrated to Red Hat 2.1 ES and am running iptables.
I have used the ipchains2iptables converter tool to convert the script to iptables.

I need to control SSH, HTTP, FTP and TELNET from my script.
I am attaching my script. Please tell me what is wrong and what should be done to make it right.
As I have seen, I am able to ssh to a server which should not be available from the internet (according to my script).
Thanking you
Sanjib Gupta

##### FIREWALL SCRIPT FOLLOWS
#!/bin/sh
echo
echo " FIREWALL is setting up"
echo

#echo "Getting ready for ip_masq......."
#echo "Setting up ip_alias and route to second(logical) network......"

IPADDR1="xxx.xxx.xxx.xx" # REPLACE with YOUR FIRST IP address!
IPADDR2="xxx.xxx.xxx.xx" # REPLACE with YOUR SECOND IP address!

NETWORK1="xxx.xxx.xxx.xx" # REPLACE with YOUR first network address!
NETMASK1="xxx.xxx.xxx.248" # REPLACE with YOUR first netmask!
BROADCAST1="xxx.xxx.xxx.xx" # REPLACE with YOUR first broadcast address!

NETWORK2="xxx.xxx.xxx.xx" # SubNet for router & firewall interface
NETMASK2="xxx.xxx.xxx.252" # SubNetmask for router & firewall interface

NETWORK3="0.0.0.0" # Default (matches any address)
NETMASK3="0.0.0.0" # Default

NETWORK4="xxx.xxx.xxx.xx" # Nameserver machine
NETMASK4="255.255.255.255" # Subnetmask for nameserver

NETWORK5="xxx.xxx.xxx.xx" # Gateway machine
NETMASK5="255.255.255.255" # Subnetmask for gateway


echo "Initializing ip_masq modules......"


echo "Setting up forwarding policies......"

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -P FORWARD DROP # Default policy is to drop (iptables has no DENY target)

# NOTE: iptables stops at the first matching rule. The next two rules accept
# everything between NETWORK1 and anywhere (0.0.0.0/0) in both directions, so
# none of the per-port REJECT rules for NETWORK1 further down (ssh, pop, telnet)
# are ever reached. The nameserver and gateway pairs below have the same effect
# for those two hosts.
/sbin/iptables -A FORWARD -s ${NETWORK1}/${NETMASK1} -d ${NETWORK3}/${NETMASK3} -j ACCEPT
/sbin/iptables -A FORWARD -s ${NETWORK3}/${NETMASK3} -d ${NETWORK1}/${NETMASK1} -j ACCEPT

/sbin/iptables -A FORWARD -s ${NETWORK4}/${NETMASK4} -d ${NETWORK3}/${NETMASK3} -j ACCEPT
/sbin/iptables -A FORWARD -s ${NETWORK3}/${NETMASK3} -d ${NETWORK4}/${NETMASK4} -j ACCEPT

/sbin/iptables -A FORWARD -s ${NETWORK5}/${NETMASK5} -d ${NETWORK3}/${NETMASK3} -j ACCEPT
/sbin/iptables -A FORWARD -s ${NETWORK3}/${NETMASK3} -d ${NETWORK5}/${NETMASK5} -j ACCEPT

###You can selectively forbid rogue networks or machines from both inside####
###and outside to have ip connections through this firewall machine#########

########### forward chain ends here ###############

echo "Setting up input firewalling policies......"

#### Outgoing/Incoming smtp connection starts ####
#### Only these mail servers of the institute can send mail outside ###
#zzz.zzz.zzz.zz is a machine of Network I
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s xxx.xxx.xxx.xx/255.255.255.255 -d ${NETWORK3}/${NETMASK3} --dport smtp
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK3}/${NETMASK3} -d zzz.zzz.zzz.zz/255.255.255.255 --dport 25

#### Outgoing/Incoming smtp connection ends ####

#### DNS query information
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s ${NETWORK3}/${NETMASK3} -d ${NETWORK4}/255.255.255.255 --dport 53
# (the original line had {NETWORK3} without the $, which expands to the literal string)
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s ${NETWORK4}/255.255.255.255 -d ${NETWORK3}/${NETMASK3} --dport 53

#### DNS query ends

#### Inbound http grant for all machines starts ####
#zzz.zzz.zzz.zz is a machine of Network I
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK3}/${NETMASK3} -d zzz.zzz.zzz.zz/255.255.255.255 --dport 443
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK3}/${NETMASK3} -d zzz.zzz.zzz.zz/255.255.255.255 --dport 80

#### Inbound http grant for all machines ends ####

#### Inbound ssh grant for 2 machines starts ####

/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK3}/${NETMASK3} -d ${NETWORK5}/${NETMASK5} --dport 22
/sbin/iptables -A FORWARD -j REJECT -p tcp -s ${NETWORK3}/${NETMASK3} -d ${NETWORK1}/${NETMASK1} --dport 22
##Replace these by the actual ip addresses of your ssh servers##

#### Inbound POP grant for 2 machines starts ####
/sbin/iptables -A FORWARD -j REJECT -p tcp -s ${NETWORK3}/${NETMASK3} -d ${NETWORK1}/${NETMASK1} --dport 110
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK1}/${NETMASK1} -d zzz.zzz.zzz.zz/255.255.255.255 --dport 110
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK1}/${NETMASK1} -d zzz.zzz.zzz.zz/255.255.255.255 --dport 995

#### Inbound ftp grant starts ####
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s ${NETWORK3}/${NETMASK3} -d zzz.zzz.zzz.zz/255.255.255.255 --dport 21

#### Rejecting telnet from router-network to all other inside hosts starts ####

/sbin/iptables -A FORWARD -j REJECT -p tcp -s ${NETWORK2}/${NETMASK2} -d ${NETWORK1}/${NETMASK1} --dport 23

#### Rejecting telnet from router-network to all other inside hosts ends ####

#### Accepting every outgoing connection starts ####

/sbin/iptables -A FORWARD -j ACCEPT -s ${NETWORK1}/${NETMASK1} -d ${NETWORK3}/${NETMASK3}
/sbin/iptables -A FORWARD -j ACCEPT -s ${NETWORK4}/${NETMASK4} -d ${NETWORK3}/${NETMASK3}

#### Accepting every outgoing connection ends ####

#### Accepting incoming icmp starts ####

/sbin/iptables -A FORWARD -j ACCEPT -p icmp -s ${NETWORK3}/${NETMASK3} -d ${NETWORK1}/${NETMASK1}

/sbin/iptables -A FORWARD -j ACCEPT -p icmp -s ${NETWORK3}/${NETMASK3} -d ${NETWORK4}/${NETMASK4}

#### Accepting incoming icmp ends ####

#### Rejection of any other incoming connection starts ####

/sbin/iptables -A FORWARD -j REJECT -s ${NETWORK3}/${NETMASK3} -d ${NETWORK1}/${NETMASK1}
/sbin/iptables -A FORWARD -j REJECT -s ${NETWORK3}/${NETMASK3} -d ${NETWORK4}/${NETMASK4}
/sbin/iptables -A FORWARD -j REJECT -s ${NETWORK3}/${NETMASK3} -d ${NETWORK2}/${NETMASK2}
/sbin/iptables -A FORWARD -j REJECT -s ${NETWORK3}/${NETMASK3} -d ${NETWORK5}/${NETMASK5}

#### Rejection of any other incoming connection ends ####

################################################################################

sleep 2

# ip_always_defrag is a 2.2 (ipchains) setting. On the 2.4 kernel of RHEL 2.1 the
# file does not exist (ip_conntrack defragments by itself), so only write it if present.
[ -w /proc/sys/net/ipv4/ip_always_defrag ] && echo 1 >/proc/sys/net/ipv4/ip_always_defrag
echo 1 >/proc/sys/net/ipv4/ip_forward
#The following modules may be needed - insert by hand if not autoloaded:
#ip_tables
#ipt_REJECT
#(on 2.4 the tcp, udp and icmp matches are built into ip_tables; there are no
# ipt_tcp, ipt_udp or ipt_icmp modules)
 
Old 10-24-2005, 01:12 PM   #2
unSpawn
Moderator
 
I didn't read the "script" completely but it appears it doesn't include device names, doesn't split or filter in/outbound, use state, limit or check for invalid nets/packets; besides that it's not DENY but DROP (suppose that's i2i's fault), and /proc settings and checking/loading modules should precede the actual script. I think it would be best if you start writing a proper iptables script from scratch instead of trying to patch this "script". Check out the links in the LQ FAQ: Security references for links to the Iptables tutorial and example scripts.
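Added example (editor's code, not from the thread, from Red Hat or from the i2i converter): a from-scratch iptables script for the poster's topology that covers each point in the reply above, a device name on every forwarding rule, separate inbound and outbound sections, -m state so replies are matched once and NEW connections are listed per host and port, INVALID and spoofed-source checks, DROP instead of the non-existent DENY, and kernel/module setup ahead of the rules. It also removes the cause of the ssh symptom in the posted script: the two early rules that ACCEPT everything between NETWORK1 and 0.0.0.0/0 match before the per-port REJECT rules, so those are never reached. Interface names, the 198.51.100.64/29 and 203.0.113.x addresses and which host offers which service are assumptions; replace them with the real ones. Without --apply it only prints the commands it would run, so it can be reviewed on any machine; with --apply as root it loads them.

```shell
#!/bin/sh
# Added example (not the poster's script): stateful iptables ruleset for a box
# with eth0 towards the router (/30) and eth1 towards the institute LAN (/29).
# Addresses, interface names and service-to-host mapping are assumptions.
# Without --apply nothing is changed: the commands are printed for review.

IPT=/sbin/iptables
EXT_IF=eth0                  # towards the router
INT_IF=eth1                  # towards the institute switch
INT_NET=198.51.100.64/29     # assumed: NETWORK1/NETMASK1 of the posted script
SSH_HOST=198.51.100.66       # assumed: the one host reachable by ssh from outside
WEB_HOST=198.51.100.67       # assumed: http/https/ftp server
MAIL_HOST=198.51.100.68      # assumed: the only MTA allowed to send mail out
NS_HOST=203.0.113.10         # assumed: nameserver, a /32 routed out of eth1

run() {                      # print the command, or execute it under --apply
    if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# One inbound service: NEW connections from outside to one host and port only.
in_new() {
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$1" -d "$2" --dport "$3" \
        -m state --state NEW -j ACCEPT
}

fw_rules() {
    # Default deny first, then flush: there is no DENY target in iptables.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT           # the firewall host may originate connections
    run -F
    run -X

    # Replies to accepted connections, before any NEW rule. No blanket
    # "0/0 -> inside net ACCEPT" like the one that let ssh through.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Invalid packets, and our own or private ranges arriving from the router side
    run -A INPUT   -m state --state INVALID -j DROP
    run -A FORWARD -m state --state INVALID -j DROP
    for net in "$INT_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # Outbound: only the MTA may open smtp; everything else from inside is allowed
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 25 -s "$MAIL_HOST" \
        -m state --state NEW -j ACCEPT
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 25 -j REJECT
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT

    # Inbound: per host and per port; anything not listed hits the DROP policy,
    # which also covers telnet from the router network.
    in_new tcp "$SSH_HOST"  22
    in_new tcp "$WEB_HOST"  80
    in_new tcp "$WEB_HOST"  443
    in_new tcp "$WEB_HOST"  21        # data connections need ip_conntrack_ftp
    in_new tcp "$MAIL_HOST" 25
    in_new udp "$NS_HOST"   53
    in_new tcp "$NS_HOST"   53
    run -A FORWARD -i "$EXT_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT

    # The firewall host itself: ssh and ping from the inside only
    run -A INPUT -i "$INT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run -A INPUT -i "$INT_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # Log (rate limited) what is about to fall through to the DROP policies
    run -A INPUT   -m limit --limit 3/minute -j LOG --log-prefix "FW-IN-DROP: "
    run -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FW-FWD-DROP: "
}

fw_main() {
    APPLY=0
    [ "$1" = "--apply" ] && APPLY=1
    if [ "$APPLY" = 1 ]; then
        # Modules and kernel settings before the rules. On 2.4 the tcp/udp/icmp
        # matches are part of ip_tables and ip_conntrack does the defragmenting.
        for m in ip_tables ip_conntrack ipt_state ipt_limit ipt_REJECT ipt_LOG ip_conntrack_ftp; do
            /sbin/modprobe "$m" 2>/dev/null
        done
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 0 > /proc/sys/net/ipv4/ip_forward     # no forwarding while rules reload
    fi
    fw_rules
    # Forwarding is switched on only once the DROP policies and rules are in place.
    [ "$APPLY" = 1 ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    return 0
}

fw_main "$@"
```

Run it once without arguments and check the printed rules against the intended policy, then `sh fw.sh --apply` as root. Afterwards `iptables -L -n -v` should show DROP policies on INPUT and FORWARD and, in the inbound part, no rule whose destination is the whole internal network.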
 
Old 10-24-2005, 02:59 PM   #3
sundialsvcs
LQ Guru
 
Instead of using RedHat's old tools, I prefer to use more advanced tools such as Shorewall.

The nice thing about these tools is that they quickly enable you to describe the security-configuration that you want, and then the tool will issue the appropriate iptables commands to implement it correctly.

It's simply a way to build a more-than-trivial firewall configuration quickly and accurately. It's a lot more sophisticated than some of the tools that are normally supplied with "distros."

Around here, we always use firewalls in addition to whatever firewall may be built into the routers. The outermost router filters some stuff, and each internal router filters the stuff passing through it, and each and every computer filters all of the stuff coming in or out. Recently we also finished rolling out VPN throughout our internal network, so that all of the computers now talk among themselves in cipher.
 
Old 10-24-2005, 06:30 PM   #4
tkedwards
Senior Member
 
Quote:
Instead of using RedHat's old tools, I prefer to use more advanced tools such as Shorewall.
I'll second that - we would have gone insane trying to write and maintain iptables scripts in our network if it wasn't for Shorewall. iptables is very low level, and long scripts like the ones the Red Hat tools produce are extremely hard to maintain.

Also, why are you migrating to RHEL 2.1? RHEL 4 is out and if you already have an RHN subscription you can get 4 for free and use the same subscription for it. If you don't have a subscription then you should probably use a free rebuild like CentOS (www.centos.org).
 
Old 10-26-2005, 12:58 AM   #5
sanjibgupta
Member
 
Original Poster
Thanks for reply
but what are the files that I edit in /etc/shorewall? When I try to start the shorewall service it fails.

my machine has 2 cards
eth0 -> connected to the router directly, live IP, netmask 255.255.255.252
eth1 -> connected to the switch, live IP, netmask 255.255.255.248
2 more networks with a 255.255.255.255 netmask are added to the eth1 network.

I want to control all of them from this firewall script.


Please tell me which file I edit in /etc/shorewall as I am unable to understand it from the documentation pages.

Thanks
Sanjib Gupta
 
Old 10-26-2005, 01:42 AM   #6
tkedwards
Senior Member
 
The documentation on their site is very good (http://www.shorewall.net/Documentation_Index.html), especially the quickstart howto stuff (http://www.shorewall.net/shorewall_quickstart_guide.htm).

To begin with Shorewall is disabled (that's why it fails on startup) - you have to edit /etc/shorewall/shorewall.conf to start it up. The main files you'd edit are policy, rules, interfaces, zones and masq. The howto and Shorewall docs explain it better than I can. If you have specific questions ask here.

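Added example (editor's code, not the poster's configuration and not files shipped by the Shorewall project): the five files named above filled in for the two-card box described in the thread, plus the shorewall.conf change that lets the service start. Shorewall assigns hosts to zones by the interface they are reached through, so the two /32 networks added to eth1 with route add end up in the same zone as eth1's own /29 and need no separate entry; they would only need their own zone (via /etc/shorewall/hosts) if they were to be treated differently. The addresses are assumptions from the documentation ranges, and the column layout is the Shorewall 3.x one, which differs slightly from 2.x; compare with the header comments of the files your package installs. The script writes the files to a directory you name so they can be read and diffed before anything goes into /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: writes a minimal
# Shorewall 3.x-style configuration for a box with eth0 (/30 to the router) and
# eth1 (/29 plus two /32 hosts reached by static routes) into the directory
# given as $1. Addresses are assumptions (documentation ranges).

SSH_HOST=198.51.100.66        # assumed: host reachable by ssh from outside
WEB_HOST=198.51.100.67        # assumed: http/https/ftp host
MAIL_HOST=198.51.100.68       # assumed: the only MTA allowed to send smtp out
NS_HOST=203.0.113.10          # assumed: nameserver, a /32 routed out of eth1

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # zones: the firewall itself, the router side and the institute side
    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: membership is by interface, so hosts reached through eth1 by
    # "route add -net ... eth1" are in loc without any extra entry
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags,nosmurfs
loc     eth1        detect      tcpflags
EOF

    # policy: inside may go out, the box may go anywhere, outside is dropped
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: exceptions to the policies, first match wins, checked before policy
    cat > "$dir/rules" <<EOF
#ACTION SOURCE              DEST                    PROTO   DEST PORT(S)
# only the institute MTA may open smtp connections to the outside
ACCEPT  loc:$MAIL_HOST   net                     tcp     25
REJECT  loc                 net                     tcp     25
# services reachable from the outside, one host each
ACCEPT  net                 loc:$SSH_HOST        tcp     22
ACCEPT  net                 loc:$WEB_HOST        tcp     80,443,21
ACCEPT  net                 loc:$MAIL_HOST       tcp     25
ACCEPT  net                 loc:$NS_HOST         udp     53
ACCEPT  net                 loc:$NS_HOST         tcp     53
ACCEPT  net                 loc                     icmp    8
# the firewall host itself accepts ssh from the inside only
ACCEPT  loc                 fw                      tcp     22
EOF

    : > "$dir/masq"       # live addresses on both sides: nothing to masquerade
}

# Shorewall refuses to start until STARTUP_ENABLED is set; IP_FORWARDING=On
# replaces the "echo 1 > /proc/sys/net/ipv4/ip_forward" of a hand-written script.
enable_shorewall() {
    conf=$1
    sed -e 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' \
        -e 's/^IP_FORWARDING=.*/IP_FORWARDING=On/' "$conf" > "$conf.new" &&
        mv "$conf.new" "$conf"
}

if [ $# -gt 0 ]; then
    write_shorewall_config "$1"
    echo "Shorewall files written to $1; review them, copy to /etc/shorewall,"
    echo "then apply enable_shorewall to /etc/shorewall/shorewall.conf"
else
    echo "usage: $0 OUTPUT_DIR"
fi
```

After copying the files into /etc/shorewall and running the shorewall.conf edit, `shorewall check` reports syntax problems without touching the kernel, and `shorewall start` followed by `iptables -L -n -v` shows the generated chains.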
 
Old 10-28-2005, 01:01 AM   #7
sanjibgupta
Member
 
Original Poster
Thanks
I have done it. But my problem lies in how I add these 2 networks on eth1 apart from its original network.
The original network is going through Shorewall but I am unable to do it for the other 2 networks which I had added to eth1 by the route add net command.

Sanjib Gupta
 
  

