LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page IpChains again
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-20-2001, 02:33 PM   #1
ETT
LQ Newbie
 
Registered: Jul 2001
Posts: 2

Rep: Reputation: 0
Unhappy IpChains again

I have a RH 7.1
In this box I'm running apache,ftpd and sshd.
Also is my firewall, actually I have simple rules with ipchains, but I need more securyti.

I write new rules for IpChains, but don work. My new /etc/sysconfig/ipchains have this :

Someone can help for theses rules work.
Thanks a lot

ET
________________________________________________
#---------------------------------------------------------------#
# etho = 200.30.50.83 Internet #
# eth1 = 192.168.0.1 Local #
#---------------------------------------------------------------#
-A input -i ! lo -j DENY
-A output -i ! lo -j DENY
-A forward -j DENY
#---------------------------------------------------------------#
# No Spoofing #
#---------------------------------------------------------------#
-A input -s 192.168.0.0/24 -d 0/0 -i eth0 -j DENY
-A input -s ! 192.168.0.0/24 -d 0/0 -i eth1 -j DENY
-A input -s 127.0.0.0/255.0.0.0 -d 0/0 -i eth0 -j DENY
-A input -s 127.0.0.0/255.0.0.0 -d 0/0 -i eth1 -j DENY
#---------------------------------------------------------------#
# Ports above of 1024 are necessary #
#---------------------------------------------------------------#
-A input -s 0/0 -d 200.30.50.83/24 1024:65535 -p tcp -j ACCEPT
-A input -s 0/0 -d 200.30.50.83/24 1024:65535 -p udp -j ACCEPT
#---------------------------------------------------------------#
# New Rules #
# bad-good = From Internet to my LAN #
# good-bad = From my LAN to Internet #
# good-me = From my LAN to my box
# icmp-acc = For ICMP
#---------------------------------------------------------------#
-N bad-good
-N good-bad
-N good-me
-N icpm-acc
#---------------------------------------------------------------#
# From my LAN to Internet or my Box
#---------------------------------------------------------------#
-A forward -s 192.168.0.0/24 -i eth0 -j good-bad
-A input -s 192.168.0.0/24 -d 192.168.0.1 -j good-me
#---------------------------------------------------------------#
# From Internet to my LAN
#---------------------------------------------------------------#
-A input -s 0/0 -i eth0 -j bad-good
#---------------------------------------------------------------#
# These are the services permit to Internet #
# SMTP, POP3, DNS(tcp/udp), HTTP, SSH #
#---------------------------------------------------------------#
-A bad-good -p tcp -d 200.30.50.83 25 -j ACCEPT
-A bad-good -p tcp -d 200.30.50.83 110 -j ACCEPT
-A bad-good -p tcp -d 200.30.50.83 53 -j ACCEPT
-A bad-good -p udp -d 200.30.50.83 53 -j ACCEPT
-A bad-good -p tcp -d 200.30.50.83 80 -j ACCEPT
-A bad-good -p tcp -d 200.30.50.83 22 -j ACCEPT
-A bad-good -p icmp -j icmp-acc
-A bad-good -j REJECT
#---------------------------------------------------------------#
# The serveces that my LAN users can get from my BOX #
# SMTP,POP3,DNS,HTTP,FTP,SSH, FTP y SYNC #
#---------------------------------------------------------------#
-A good-me -p tcp -d 192.168.0.1 smtp -j ACCEPT
-A good-me -p tcp -d 192.168.0.1 pop3 -j ACCEPT
-A good-me -p udp -d 192.168.0.1 domain -j ACCEPT
-A good-me -p tcp -d 192.168.0.1 domain -j ACCEPT
-A good-me -p tcp -d 192.168.0.1 www -j ACCEPT
-A good-me -p tcp -d 192.168.0.1 ftp -j ACCEPT
-A good-me -p tcp -d 192.168.0.1 ssh -j ACCEPT
-A good-me -p tcp -d 192.168.0.1 rsync -j ACCEPT
-A good-me -p icmp -j ACCEPT
-A good-me -j REJECT
#---------------------------------------------------------------#
# The services that my LAN user can use for Internet #
#---------------------------------------------------------------#
#-A forward -s 192.168.0.0/24 -i eth0 -j good-bad
-A good-bad -p tcp --dport www -j MASQ
-A good-bad -p tcp --dport ssh -j MASQ
-A good-bad -p tcp --dport ftp -j MASQ
-A good-bad -p tcp --dport 23 -j MASQ
-A good-bad -p udp --dport 33434:33500 -j MASQ
-A good-bad -p icmp --icmp-typ ping -j MASQ
-A good-bad -j REJECT
#---------------------------------------------------------------#
# For ICMP
#---------------------------------------------------------------#
-A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
-A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
-A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
-A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
 
Old 07-23-2001, 05:41 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
You need to supply more info if you want us to give you a more secure way to do this.

For example I need to know this info so I can show you source inspection rule settings etc etc ect.

So far I know this:
etho = 200.30.50.83 Internet #
eth1 = 192.168.0.1 Local #

I also need to know this:
The IP address of the DNS that the PC's use "first"
The IP address of the DNS that the PC's use "secondary"
The IP address of the POP account that your PC's use.
The IP address of the SMTP account that your PC's use.
A full list of the services that you think you'll use in this format below.

example:
My Lan users want access to these services from my internal network out to the internet only.
POP
SMTP
HTTP
HTTPS
FTP
DNS


My firewall wants access to these services out to the internet only.
POP
SMTP
HTTP
HTTPS
FTP
DNS
SSH

My firewall will allow these services in from the internet
HTTP "everyone"
FTP "everyone"
SSH "MY home IP address and one internal IP address from my network"
NAT to my Internal system "Only if my internal system made the requests in the first place"

Supply this and I can show you a more secure way to do this.

/Raz
 
Old 07-23-2001, 09:16 AM   #3
ETT
LQ Newbie
 
Registered: Jul 2001
Posts: 2

Original Poster
Rep: Reputation: 0
Talking More info for Ipchains
OK Raz
The NIC with real IP is eth0 = 200.30.50.83
The NIC with private IP is eth1 = 192.168.0.1

My linux box is running

DNS
HTTP
POP
SMTP
SSH
FTP ( is a manual service )
NAT

Then the IP for these services are the same 192.168.0.1.
Linux is the only box that work in my LAN.
In future other Linux will be running Samba.

All these services are for my local users.
-------------------------------

For external user only is posible to access

HTTP ( my web site for everyone )
DNS ( My Linux is the primary DNS for my domain )
POP ( The user want to read e-mail from home by some ISP )
SMTP ( My linux receive the e-mail for may domain )
SSH ( My IP 205.218.250.28 and the Linux IP"
NAT to my Internal system "Only if my internal system
made the requests in the first place"


My Lan users want access to these services from my internal network out to the internet only.

POP
SMTP ( my users make SMTP only with Linux )
HTTP
HTTPS
FTP
DNS ( My users use linux for DNS )

Tha LAN user use FTP for put html file in my linux box y download some files from Internet


My firewall wants access to these services out to the internet only.

POP
SMTP
HTTP
HTTPS
FTP
DNS
SSH

Thans a lot
ET
 
Old 07-24-2001, 07:49 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Right as you didn't give me the DNS address of your Firewalls resolve ip, I'll just show you the rules for SYN flag rules and other basic rules to secure the box.

remove your old script and create this file in it's place with executable rights "chmod +x name"

This is also untested so play with the settings until everything works as you want it to.

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
# for 7.0 only (sysctl -w net.ipv4.vs.timeout_established=9600)
sysctl -w net.ipv4.tcp_syn_retries=5
# for 7.0 only (sysctl -w net.ipv4.vs.timeout_synack=60)
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# for 7.0 only (echo 1 > /proc/sys/net/ipv4/ip_always_defrag)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 59 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects


# clear all ipchains settings
ipchains -F

# Deny all access to server secure mode enabled.
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT

# startup firewall script
# sets timeout values for FIN flags etc..
ipchains -M -S 6800 15 200

# magic NAT setting for MASQing
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# allows access to firewall services from IPN & reject spoofing
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth1 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth1 -d 192.168.0.0/24 -j ACCEPT
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0 -d 0.0.0.0 -j REJECT -l
# Netbios windows connections & makes people think it's a nt system
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY
# lets people find filtered/ not open firewalled port for Trojans (it confused the kids)
ipchains -A input -p tcp -s 0/0 --dport 54320 -j DENY -l
ipchains -A input -p udp -s 0/0 --dport 54320 -j DENY –l
ipchains -A input -p tcp -s 0/0 --dport 31337 -j DENY -l
ipchains -A input -p tcp -s 0/0 --dport 20034 -j DENY -l
ipchains -A input -p tcp -s 0/0 --dport 6776 -j DENY -l
ipchains -A input -p tcp -s 0/0 --dport 54321 -j DENY -l

# turns off UDP traces
ipchains -A input -p udp -d 200.30.50.83 -s 0/0 33434:33600 -j REJECT -l

# ssh 128bit access from these pcs only
ipchains -A input -p tcp -s 0/0 --sport 22 -d 200.30.50.83 1023:65535 -j REJECT –l
ipchains -A input -p tcp -s 0/0 --sport 22 -d 192.168.0.0/24 1023:65535 -j REJECT –l
ipchains -A input -p tcp -s 205.218.250.28 --sport 22 -d 200.30.50.83 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 200.30.50.83 --dport 22 -d 205.218.250.28 -j ACCEPT

# DNS lookup allowed out for firewall to it’s isp or others
ipchains -A output -p tcp -s 200.30.50.83 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 53 -d 200.30.50.83 1023:65535 -j ACCEPT

# DNS resolve allowed out to firewalls isp or others
ipchains -A output -p udp -s 200.30.50.83 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp ! -y -s 0/0 --sport 53 -d 200.30.50.83 1023:65535 -j ACCEPT

# HTTP 80 access from internal to internet
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 200.30.50.83 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT

# HTTPS 443 access from internal to internet
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 200.30.50.83 1023:65535 -j ACCEPT

# email for everyone
ipchains -A input -p tcp ! -y -s 0/0 --sport 110 -d 200.30.50.83 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 0/0 --dport 110 -t 0x01 0x10 -j ACCEPT

ipchains -A input -p tcp -s 0/0 --sport 25 -d 200.30.50.83 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 0/0 --dport 25 -t 0x01 0x10 -j ACCEPT

# ftp out for all (must load ftp module) doesn’t allow in
ipchains -A input -p tcp ! -y -s 0/0 --sport 21 -d 200.30.50.83 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 0/0 --dport 21 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 20 -d 200.30.50.83 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 0/0 --dport 20 -t 0x01 0x10 -j ACCEPT


# log hack attacks to these services
# look for scans
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 2 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 3 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 4 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 5 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 6 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 7 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 8 -j REJECT -l
# look for service scans
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 20 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 21 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 22 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 23 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 25 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 53 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 79 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 80 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 110 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 111 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 113 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 443 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 8080 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 6000 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 200.30.50.83 --dport 444:8079 -j REJECT -l

# icmp pings and pongs etc
# needed for icmp
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT

# deny attacks coming in
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# Doesn’t work on Ipchains ?? it’s off as default
# ipchains -A input -p icmp -s 0/0 --icmp-type 5 -d 0/0 -j DENY -l
# ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# ipchains -A input -p icmp -s 0/0 --icmp-type 13 -d 0/0 -j DENY -l
# ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
# ipchains -A input -p icmp -s 0/0 --icmp-type 17 -d 0/0 -j DENY -l

/raz
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Ipchains brokenflea Linux - Networking 1 02-03-2004 05:44 AM
ipchains i.d. Linux - Security 5 08-21-2002 02:12 PM
IpChains R4z0r Linux - Networking 3 03-01-2002 10:28 AM
ipchains help ... please> paulw Linux - Security 3 11-16-2001 10:15 AM
[ipchains] MrGreg Linux - General 4 07-14-2001 11:35 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:06 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration