LinuxQuestions.org

Linux - Security > Ipchains configuration (https://www.linuxquestions.org/questions/linux-security-4/ipchains-configuration-4225/)

barDo 07-12-2001 03:27 PM

Ipchains configuration
 
Hi, I am new to Linux and I'm trying to configure ipchains to secure a server. I am using Red Hat 7.1.

Is ipchains the only thing I need to set up for a firewall?

I read all your comments but I didn't find anything on setting up ipchains using 2 NICs: eth0 and eth1.

eth0 - public
eth1 - internal LAN

thanx

raz 07-13-2001 04:53 AM

OK, as you didn't supply enough info on the kind of setup you have, I'm going to assume you're using the Linux box as a NAT system for your Windows PCs on the internal LAN.

Also I'm going to assume these numbers for your IPs:
eth0 = 32.21.2.233 "external IP"
eth1 = 192.168.0.5 "Internal IP"
Your DNS server1 = 32.21.67.12
Your DNS server2 = 32.12.2.11
Your POP server = 195.40.8.24
Your SMTP server = 195.40.8.23

# Set the ipv4 /proc options for packet handling.
# Tunes the stack and adds some OS fingerprint deception (e.g. the non-default TTL below).
# On 7.1 all packets are defragmented before they reach the firewall; on 7.0 they were not.
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=20
sysctl -w net.ipv4.tcp_fin_timeout=180
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Only use these four options if you're using a DSL connection, not cable.
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

# Flush all chains
ipchains -F

# Deny all access to server, enable secure mode.
# Reject not Deny
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT

# Sets masquerade timeouts in seconds: TCP sessions, TCP after FIN, UDP streams.
ipchains -M -S 6800 15 200

# Allow loopback traffic (local processes talking to the box itself).
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Stops faked "spoofed" packets: private, loopback and broadcast source addresses
# must never arrive on the public interface. Reject them and log them.
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0 -d 0.0.0.0 -j REJECT -l

# Stops annoying NetBIOS Windows broadcasts & makes people think it's an NT system with a firewall running.
# Note this needs modifying if you're going to use Samba.
# These come BEFORE the MASQ and LAN rules below: ipchains stops at the first matching
# rule, so a DENY placed after a catch-all ACCEPT/MASQ rule would never fire.
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY

# Magic NAT setting for MASQing: LAN traffic leaving via eth0 gets the public address.
# (On the forward chain -i names the outgoing interface.)
ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ
# A forwarded packet passes through input, forward AND output, and a de-masqueraded
# reply skips forward but still passes through output, so both chains need a LAN rule.
# LAN hosts must not reach the box's own services through either of its addresses
# except for SSH (rules below), so traffic to the box itself is kept out of the catch-all.
ipchains -A input -i eth1 -s 192.168.0.0/24 -d 32.21.2.233 -j REJECT -l
ipchains -A input -i eth1 -s 192.168.0.0/24 ! -d 192.168.0.5 -j ACCEPT
ipchains -A output -i eth1 -d 192.168.0.0/24 -j ACCEPT

# Allows internal systems to connect via SSH to the Linux box only.
# Inbound: LAN client (high port) -> port 22 on the box's internal address.
ipchains -A input -i eth1 -p tcp -s 192.168.0.0/24 1023:65535 -d 192.168.0.5 22 -j ACCEPT
# Outbound: the box's replies from port 22 back to the client. ! -y lets the SYN-ACK
# through but stops the box opening connections from port 22 itself.
ipchains -A output -i eth1 -p tcp ! -y -s 192.168.0.5 22 -d 192.168.0.0/24 1023:65535 -j ACCEPT

# DNS lookups from the NAT box (and masqueraded LAN clients) allowed only to the ISP's
# two resolvers; replies accepted only from them. ! -y keeps inbound TCP SYNs out; it
# only applies to -p tcp, so the UDP rules do not use it.
# DNS1 over TCP
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 -d 32.21.67.12 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.21.67.12 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS1 over UDP
ipchains -A output -p udp -s 32.21.2.233 1023:65535 -d 32.21.67.12 --dport 53 -j ACCEPT
ipchains -A input -p udp -s 32.21.67.12 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2 over TCP
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 -d 32.12.2.11 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.12.2.11 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2 over UDP
ipchains -A output -p udp -s 32.21.2.233 1023:65535 -d 32.12.2.11 --dport 53 -j ACCEPT
ipchains -A input -p udp -s 32.12.2.11 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT

# HTTP 80 access from the internal network (via MASQ) and the box itself to the Internet.
# -t 0x01 0x10 sets the minimum-delay TOS bit on outbound web traffic.
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 32.21.2.233 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 32.21.2.233 1023:65535 -j ACCEPT


# Your POP and SMTP servers (as defined above: POP = 195.40.8.24, SMTP = 195.40.8.23).
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.24 --dport 110 -j ACCEPT
ipchains -A input -p tcp ! -y -s 195.40.8.24 --sport 110 -d 32.21.2.233 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.23 --dport 25 -j ACCEPT
ipchains -A input -p tcp ! -y -s 195.40.8.23 --sport 25 -d 32.21.2.233 --dport 1023:65535 -j ACCEPT


# Log connection attempts to these services on the public address.
# The default policy rejects them anyway; -l adds a syslog entry so port scans show up in order.
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 2 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 3 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 4 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 5 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 6 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 7 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 8 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 20 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 21 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 22 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 23 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 25 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 53 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 79 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 80 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 110 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 111 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 113 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 443 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 8080 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 6000 -j REJECT -l

# ICMP pings and pongs etc.
# Needed for ICMP to manage the network correctly (path MTU discovery relies on type 3).
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT    # echo reply
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT    # destination unreachable
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT    # source quench
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT    # router advertisement
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT   # parameter problem
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT   # timestamp reply
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT   # address mask reply

# Deny inbound ICMP requests that shouldn't be allowed.
# Type 8 (echo request): stops pings, and with them tracert from Windows boxes, which uses ICMP echo.
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
# Types 11 (time exceeded) and 10 (router solicitation) are denied and logged.
# Note: type 11 is what THIS box receives when it runs traceroute itself, so denying it
# breaks outgoing traceroute from the firewall; it does not affect whether others can trace you.
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# Turns off traceroute from Unix boxes: they probe UDP *destination* ports 33434 and up,
# so the port range belongs on -d, not -s.
ipchains -A input -p udp -s 0/0 -d 32.21.2.233 33434:33600 -j REJECT -l


-------------- 000 ------------
Play around with the settings one at a time until you get them working.

/Raz
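An added example, not code from Raz's post or from the ipchains package: a small Python first-match evaluator for the subset of ipchains syntax the script above uses (-A/-P, -p, -s/-d with an optional port after the address, --sport/--dport, -i, ! -y, -j, -l). It parses a constructed fragment that reproduces two details of the script, the "! -y" reply rule for port 80 and a MASQ rule placed ahead of a NetBIOS DENY in the forward chain, walks constructed packets through the chains the way the kernel would (first matching rule wins, otherwise the chain policy), and lists rule pairs whose match sets overlap while their targets differ. The addresses follow the thread; 198.51.100.7 and the packet contents are made up for the example.

```python
"""Added example (not from Raz's post or the ipchains package): a first-match evaluator
for the subset of ipchains syntax the script above uses. RULES is a constructed
fragment; the addresses follow the thread, 198.51.100.7 is a made-up remote host."""
import ipaddress
import shlex

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)
NEW_RULE = dict(proto=None, src=ANY_NET, dst=ANY_NET, sport=ANY_PORTS,
                dport=ANY_PORTS, iface=None, syn=None, target=None)

def _net(spec):
    return ANY_NET if spec == "0/0" else ipaddress.ip_network(spec, strict=False)

def _ports(spec):                        # "22" -> (22, 22), "1023:65535" -> (1023, 65535)
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))

def packet(proto, src, dst, sport=0, dport=0, iface="", syn=False):
    return dict(proto=proto, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                sport=sport, dport=dport, iface=iface, syn=syn)

def parse_rules(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from ipchains command lines."""
    chains, policies = {"input": [], "output": [], "forward": []}, {}
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if len(toks) < 4 or toks[0] != "ipchains" or toks[1] not in ("-P", "-A"):
            continue                     # blank, comment, -F, -M ...: nothing to match
        if toks[1] == "-P":
            policies[toks[2]] = toks[3]
            continue
        r, i = dict(NEW_RULE), 3
        while i < len(toks):
            neg = toks[i] == "!"
            if neg:
                i += 1
            t, i = toks[i], i + 1
            if neg and t != "-y":
                raise ValueError("only '! -y' negation is handled in this example")
            if t in ("-p", "-i", "-j"):
                r[{"-p": "proto", "-i": "iface", "-j": "target"}[t]], i = toks[i], i + 1
            elif t in ("-s", "-d"):      # '-s addr [port[:port]]'
                key = "src" if t == "-s" else "dst"
                r[key], i = _net(toks[i]), i + 1
                if i < len(toks) and toks[i][0].isdigit():
                    r[key[0] + "port"], i = _ports(toks[i]), i + 1   # sport / dport
            elif t in ("--sport", "--dport"):
                r[t[2:]], i = _ports(toks[i]), i + 1
            elif t == "-y":
                r["syn"] = not neg       # '! -y': match only packets that are NOT a SYN
            elif t != "-l":              # -l only adds a syslog entry
                raise ValueError(f"unsupported option {t!r}")
        chains[toks[2]].append(r)
    return chains, policies

def matches(r, p):
    return (r["proto"] in (None, p["proto"]) and p["src"] in r["src"] and p["dst"] in r["dst"]
            and r["sport"][0] <= p["sport"] <= r["sport"][1]
            and r["dport"][0] <= p["dport"] <= r["dport"][1]
            and r["iface"] in (None, p["iface"]) and r["syn"] in (None, p["syn"]))

def evaluate(chains, policies, chain, p):
    """ipchains semantics: the first matching rule decides, otherwise the chain policy."""
    for r in chains[chain]:
        if matches(r, p):
            return r["target"]
    return policies[chain]

def conflicts(chains):
    """(chain, i, j): rule j's target differs from earlier rule i's and their match sets
    overlap, so packets in the overlap never reach j. Review each hit: the intended
    'accept the specific case, then reject the rest' pattern shows up here too."""
    def same(a, b): return None in (a, b) or a == b      # None means "any"
    def meet(a, b): return a[0] <= b[1] and b[0] <= a[1]  # port ranges intersect
    out = []
    for chain, rules in chains.items():
        for j, b in enumerate(rules):
            for i, a in enumerate(rules[:j]):
                if (a["target"] != b["target"] and same(a["proto"], b["proto"])
                        and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])
                        and meet(a["sport"], b["sport"]) and meet(a["dport"], b["dport"])
                        and same(a["iface"], b["iface"]) and same(a["syn"], b["syn"])):
                    out.append((chain, i, j))
    return out

RULES = """
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
ipchains -A forward -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 32.21.2.233 1023:65535 -j ACCEPT
"""
CHAINS, POLICIES = parse_rules(RULES)

if __name__ == "__main__":
    reply = packet("tcp", "198.51.100.7", "32.21.2.233", 80, 40000, "eth0")
    probe = packet("tcp", "198.51.100.7", "32.21.2.233", 80, 40000, "eth0", syn=True)
    smb = packet("tcp", "192.168.0.10", "198.51.100.7", 1025, 139, "eth0")
    for chain, p in (("input", reply), ("input", probe), ("forward", smb)):
        print(chain, "->", evaluate(CHAINS, POLICIES, chain, p))  # ACCEPT, REJECT, MASQ
    print("conflicts ->", conflicts(CHAINS))                       # [('forward', 0, 1)]
```

Running it shows a non-SYN packet from port 80 being accepted, a SYN from port 80 falling through to the REJECT policy, and a LAN packet to port 139 being masqueraded before the DENY is ever consulted, which conflicts() reports as ('forward', 0, 1). Any ipchains -A/-P lines can be pasted into RULES as long as they use only the options listed; ICMP types, TOS rewriting and negated addresses are outside what this example parses.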

barDo 07-26-2001 12:15 PM

Thanx
 
OK Raz, thanks a lot. I'll try it and I'll tell you later how it went.

glj 07-27-2001 03:53 AM

Could anyone give me a link to a good ipchains guide that they've used, one that would be good for a newbie? I've been through the man page several times when I was fiddling with it, but Raz's post is a bit overwhelming!

Cheers

glj

cinnix 07-27-2001 04:25 AM

I could use a little info too, but more than anything I want to read what raz read. It looks like he writes firewall rules in his sleep.

raz 07-27-2001 04:35 AM

Hi,

Checkout this link.
http://logi.cc/linux/athome-firewall.php3

it's full of useful info on setting up a firewall.


Then use this site to scan your ip address and check what can be seen from outside.

http://scan.sygatetech.com/

/Raz

raz 07-27-2001 05:04 AM

Trust me, Linux firewall rules are easy to set up once you understand the fundamentals of what protocol is allowed to talk to what port, from where, and why.

Then you start by drawing a diagram of your network layout and what services need to talk to what.
Then you start adding each service, testing it and fine-tuning until you have a strong policy rule set.

This is the same principle for all firewalls, from Nokia FW1s to PIXes and WatchGuards.

The only book I use as my bible is "Internet Core Protocols" from O'Reilly.
Get your head around that book and you're sorted.

/Raz

cinnix 07-27-2001 05:31 AM

Thanks, that was just what I was looking for. The syntax for ipchains doesn't seem that difficult, but it was the core reasoning that was confusing me.

glj 07-27-2001 05:39 AM

Same here.

Cheers for the info Raz

glj

aimstr8 07-28-2001 01:57 PM

ipchains guide
 
I have also found this useful:

http://64.81.50.241/ipchains/ipchains-script.shtml

cinnix 08-01-2001 03:48 AM

Here is a great place for some networking information.

These documents are showing me the light on IP addresses. It seems to go real in depth and it is helping me understand things a little more clearly.

raz 08-01-2001 04:03 AM

Cinnix,

Did you forget to paste the link, or are you referring to one of the URLs already posted?

Cheers,
Raz

cinnix 08-01-2001 10:25 AM

Whoopsie, sorry about that.

These are pretty technical documents, but I can't believe how much I learned from so few pages.

http://www.3com.com/solutions/en_US/ncs/501302.html

