Ipchains configuration
Hi, I am new to Linux and I'm trying to configure ipchains to secure a server. I am using Red Hat 7.1.
Is ipchains the only thing I need to set up for a firewall? I read all your comments but I didn't find anything about setting up ipchains using 2 NICs: eth0 and eth1. eth0 - public, eth1 - internal LAN. Thanx
Ok, as you didn't supply enough info on the kind of setup you have, I'm going to assume you're using the Linux box as a NAT system for your Windows PCs on the internal LAN.

Also I'm going to assume these numbers for your IPs:
eth0 = 32.21.2.233 "external IP"
eth1 = 192.168.0.5 "internal IP"
Your DNS server1 = 32.21.67.12
Your DNS server2 = 32.12.2.11
Your POP server = 195.40.8.24
Your SMTP server = 195.40.8.23

# setup the ipv4 files for packet options
# tunes up the stack and adds some OS fingerprint deception
# Packets are defragmented before they reach the firewall in 7.1, not in 7.0
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=20
sysctl -w net.ipv4.tcp_fin_timeout=180
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# only use these four options if you're using a DSL connection, not cable.
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
# Flush all chains
ipchains -F
# Deny all access to the server, enable secure mode.
# Reject, not Deny
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# sets masquerading timeout values (TCP, TCP after FIN, UDP)
ipchains -M -S 6800 15 200
# magic NAT setting for MASQing
ipchains -A forward -s 192.168.0.0/24 -j MASQ
# allows access to the server from internal only.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# Stops faked ("spoofed") packets hitting the public interface of the firewall, and logs them
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0 -d 0.0.0.0 -j REJECT -l
# Stops annoying Windows NetBIOS broadcasts & makes people think it's an NT system with a firewall running
# Note this needs modifying if you're going to use Samba.
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY
# Allow internal systems to connect via SSH to the Linux box only
# (direction corrected: clients arrive from high ports to port 22, replies go back from port 22)
ipchains -A input -p tcp -s 192.168.0.0/24 1023:65535 -d 192.168.0.5 22 -j ACCEPT
ipchains -A output -p tcp ! -y -s 192.168.0.5 22 -d 192.168.0.0/24 1023:65535 -j ACCEPT
# DNS1 lookup allowed only to ISP from NAT box, SYN flag not allowed in
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.21.67.12 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS1 resolve UDP allowed only from ISP to NAT box
# (-y is a TCP SYN test and is rejected by ipchains on UDP rules, so it is left off here)
ipchains -A output -p udp -s 32.21.2.233 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 32.21.67.12 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2 lookup allowed only to ISP from NAT box, SYN flag not allowed in
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.12.2.11 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2 resolve UDP allowed only from ISP to NAT box
ipchains -A output -p udp -s 32.21.2.233 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 32.12.2.11 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# HTTP 80 access from the internal network to the Internet
# TOS setting on TCP gives highest priority to web traffic.
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 32.21.2.233 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 32.21.2.233 1023:65535 -j ACCEPT
# Your POP and SMTP servers (addresses now match the assumptions above: POP = .24, SMTP = .23)
ipchains -A input -p tcp ! -y -s 195.40.8.24 --sport 110 -d 32.21.2.233 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.24 --dport 110 -j ACCEPT
ipchains -A input -p tcp ! -y -s 195.40.8.23 --sport 25 -d 32.21.2.233 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.23 --dport 25 -j ACCEPT
# log hack attacks to these services
# look for scans in the logs (probes hitting these ports in order)
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 2 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 3 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 4 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 5 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 6 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 7 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 8 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 20 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 21 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 22 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 23 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 25 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 53 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 79 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 80 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 110 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 111 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 113 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 443 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 8080 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 6000 -j REJECT -l
# icmp pings and pongs etc
# needed for icmp to manage the network correctly
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
# deny inbound ICMP requests that shouldn't be allowed.
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
# Turns off traceroute from Windows boxes
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# turns off traceroute from Unix boxes
# (33434:33600 are the destination ports traceroute probes, so the range goes on -d)
ipchains -A input -p udp -s 0/0 -d 32.21.2.233 33434:33600 -j REJECT -l

Play around with the settings one at a time until you get them working. /Raz
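The two-NIC NAT policy above, rebuilt as an added example (my script, not Raz's or anything from the thread) so that each service can be switched on and tested one at a time, as Raz suggests. It keeps his assumed addresses and interfaces (eth0/32.21.2.233, eth1/192.168.0.5, the DNS, POP and SMTP servers; all hypothetical) and adds the two rules a masquerading box needs that the posted script lacks: every LAN packet goes through the input chain before the forward chain ever sees it, and every demasqueraded reply goes through the output chain on its way back to the LAN, so with REJECT policies on both chains nothing from the LAN gets through until those are accepted. It also puts the NetBIOS denies before the MASQ rule, because ipchains stops at the first match. Running the script with `dry-run` prints the ipchains commands instead of executing them; `apply` needs root on a 2.2/2.4 kernel with ipchains.

```shell
#!/bin/sh
# Added example, not code from the thread: the two-NIC NAT policy written as a
# parameterised script. Interfaces and addresses are the values Raz assumed in
# his post (hypothetical). Usage:
#   sh fw.sh dry-run   # print the ipchains commands instead of running them
#   sh fw.sh apply     # load the rules (as root, on a kernel that has ipchains)

EXT_IF=eth0                  # public NIC
INT_IF=eth1                  # LAN NIC
EXT_IP=32.21.2.233
INT_IP=192.168.0.5
LAN=192.168.0.0/24
DNS_SERVERS="32.21.67.12 32.12.2.11"
POP_SERVER=195.40.8.24
SMTP_SERVER=195.40.8.23
HIGH=1024:65535              # unprivileged client ports; masqueraded ports fall in here too
IPCHAINS=${IPCHAINS:-ipchains}

rule() { "$IPCHAINS" "$@"; }

# Client access from the box (and, once masqueraded, from the LAN) to TCP port $1 on $2.
# Replies are accepted only without the SYN flag (! -y), so nobody can open a
# connection to us just by sending from source port $1.
allow_client_tcp() {
    rule -A output -i "$EXT_IF" -p tcp -s "$EXT_IP" $HIGH -d "$2" "$1" -j ACCEPT
    rule -A input  -i "$EXT_IF" -p tcp ! -y -s "$2" "$1" -d "$EXT_IP" $HIGH -j ACCEPT
}

allow_client_udp() {
    rule -A output -i "$EXT_IF" -p udp -s "$EXT_IP" $HIGH -d "$2" "$1" -j ACCEPT
    rule -A input  -i "$EXT_IF" -p udp -s "$2" "$1" -d "$EXT_IP" $HIGH -j ACCEPT
}

# A TCP service on the box itself, reachable from the LAN side only.
allow_lan_service() {
    rule -A input  -i "$INT_IF" -p tcp -s "$LAN" $HIGH -d "$INT_IP" "$1" -j ACCEPT
    rule -A output -i "$INT_IF" -p tcp ! -y -s "$INT_IP" "$1" -d "$LAN" $HIGH -j ACCEPT
}

build_firewall() {
    rule -F
    rule -P input REJECT
    rule -P output REJECT
    rule -P forward REJECT
    rule -A input  -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT

    # Anti-spoofing: these sources can never legitimately arrive on the public NIC.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 255.255.255.255; do
        rule -A input -i "$EXT_IF" -s "$net" -j REJECT -l
    done

    # ipchains is first match wins: NetBIOS must be dropped *before* the MASQ rule,
    # otherwise LAN browse traffic is masqueraded out before the DENY is reached.
    for chain in input forward output; do
        rule -A "$chain" -p tcp --dport 137:139 -j DENY
        rule -A "$chain" -p udp --dport 137:139 -j DENY
    done

    # LAN packets pass the input chain before the forward chain sees them, and
    # demasqueraded replies pass the output chain on the way back. Without these
    # two ACCEPTs the REJECT policies stop all NAT traffic.
    rule -A input  -i "$INT_IF" -s "$LAN" -d "$EXT_IP" -j REJECT -l  # no back door via the public address
    rule -A input  -i "$INT_IF" -s "$LAN" ! -d "$INT_IP" -j ACCEPT   # traffic to be forwarded
    rule -A output -i "$INT_IF" -d "$LAN" -j ACCEPT                  # replies back to the LAN
    rule -A forward -i "$EXT_IF" -s "$LAN" -j MASQ

    allow_lan_service 22                      # SSH to the box, from the LAN only
    for ns in $DNS_SERVERS; do
        allow_client_tcp 53 "$ns"
        allow_client_udp 53 "$ns"
    done
    allow_client_tcp 80  0/0
    allow_client_tcp 443 0/0
    allow_client_tcp 110 "$POP_SERVER"
    allow_client_tcp 25  "$SMTP_SERVER"

    # ICMP: send anything; accept echo reply, unreachable (needed for path MTU
    # discovery) and time exceeded (the box's own traceroute); log and drop
    # inbound echo requests on the public side.
    rule -A output -p icmp -j ACCEPT
    for t in 0 3 11; do rule -A input -p icmp --icmp-type "$t" -j ACCEPT; done
    rule -A input -i "$EXT_IF" -p icmp --icmp-type 8 -j DENY -l

    # Any new connection attempt still reaching the public address is a probe: log it.
    rule -A input -i "$EXT_IF" -p tcp -y -d "$EXT_IP" -j REJECT -l
}

case "${1:-}" in
    dry-run) IPCHAINS=echo; build_firewall ;;
    apply)   echo 1 > /proc/sys/net/ipv4/ip_forward; build_firewall ;;
esac
```

Adding a new service is one `allow_client_tcp PORT SERVER` line; run `dry-run` first and read the rule order top to bottom, since a later rule never overrides an earlier match. The sysctl tuning from Raz's script is independent of the chains and can stay in front of `apply` as it is.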
Thanx
Ok Raz, thanks a lot. I'll try it and tell you later how my work goes.
Could anyone give me a link to a good ipchains guide that they've used, one that would be good for a newbie? I've been through the man page several times when I was fiddling with it, but Raz's post is a bit overwhelming!
Cheers glj
I could use a little info too, but more than anything I want to read what raz read. It looks like he writes firewall rules in his sleep.
Hi,
Check out this link: http://logi.cc/linux/athome-firewall.php3 It's full of useful info on setting up a firewall. Then use this site to scan your IP address and check what can be seen from outside: http://scan.sygatetech.com/ /Raz
Trust me, Linux firewall rules are easy to set up once you understand the fundamentals of what protocol is allowed to talk to what port, from where, and why.
Then you start by drawing a diagram of your network layout and what services need to talk to what. Then you start adding each service, testing it and fine tuning until you have a strong policy rule set. This is the same principle for all firewalls, from Nokia FW-1s to PIXes and WatchGuards. The only book I use as my bible is "Internet Core Protocols" from O'Reilly. Get your head around that book and you're sorted. /Raz
Thanks, that was just what I was looking for. The syntax for ipchains doesn't seem that difficult, but it was the core reasoning that was confusing me.
Same here.
Cheers for the info Raz glj
ipchains guide
Here is a great place for some networking information.
These documents are showing me the light on IP addresses. It seems to go really in depth and it is helping me understand things a little more clearly.
Cinnix,
Did you forget to paste the link, or are you referring to one of the URLs already posted? Cheers, Raz
Whoopsie, sorry about that.
These are pretty technical documents but I can't believe how much I learned off of so few pages. http://www.3com.com/solutions/en_US/ncs/501302.html