LinuxQuestions.org
Old 11-12-2003, 10:01 PM   #1
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Iptables Firewall & Proxy Server


Here's the lowdown hahah

I have been asked to block Yahoo etc. at my workplace, as well as build a firewall to protect them. Built an IPTABLES firewall and changed the layout of the network to put their mail server behind the firewall (priority 1). NOW I have built a proxy server within the firewall box to filter more of the stuff to do with the instant messaging (because Yahoo etc. will go through port 80 if it needs to).

NOW the problem is I'm not the best with IPTABLES. I was using Guarddog but it wasn't doing the right things (e.g. I would open a port and when I did a port scan it would be closed, etc.) so I went back to the drawing board. Everything is working BUT I think what I need to do is to make sure that all of the clients use port 3128 (proxy) for their browsing etc...

To do this I would by default turn OUTPUT to DROP,
then open up port 3128 (hopefully specifically to the IP range 192.168.1.10-192.168.1.249 on the internal network - eth1).

so this is the firewalling script I have built up...

what do I need to add to make it do what I want??

########################################

EDITED AND UPDATED BELOW

Last edited by chrisfirestar; 11-24-2003 at 04:08 AM.
 
Old 11-20-2003, 03:43 PM   #2
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
I haven't had a chance to read the script in-depth yet (I'm still at work) but my first comment would be regarding policies.

In General, the policies should be
INPUT drop
FORWARD drop
OUTPUT accept (unless you are really paranoid)
If you are that paranoid, you will at least need:
$IPTABLES -A OUTPUT -i lo -j ACCEPT as well as
$IPTABLES -A INPUT -i lo -j ACCEPT

Now as for the rest of your script... let's talk about what you want. So users on the inside are not allowed to masquerade out to the Internet, they MUST use the proxy server to browse. Is that correct?

In that case, you want to
allow INPUT connections on port 3128 from -i $INSIDE
allow INPUT connections from 192.168.1.1 (The admin machine?) from -i $INSIDE

We haven't talked about your internal http/smtp server on 1.251 yet...
You will have to accept forwarded connections on those ports.
You will also have to accept forwarded connections FROM 1.251
You DO NOT want to allow INPUT connections on those ports. This is because in iptables, the INPUT table is NOT consulted when using forwarding (DNAT). It is completely bypassed.

As for states... you should think about using iptables stateful abilities. Basically, allow new, established and related connections to ports 80/110/25/443 in and established and related connections out.... etc.

One last thing... you don't have any protection against spoofed ip addresses or invalid states. You should consider defense and not just routing. Perhaps some logging would help...
 
Old 11-21-2003, 01:18 AM   #3
chrisfirestar
Not a matter of paranoia, it's a matter of I want to block out everything going out to make sure that it is not allowing ANY of the chats...
 
Old 11-21-2003, 02:03 AM   #4
chrisfirestar
HERE IS MY UPDATED IPTABLES AFTER WORKING ON IT... COULD REALLY USE SOME HELP HERE!

#!/bin/sh

# Allow Network IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Blocks External Ping requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# IPTables Primary Definitions

IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1

# Other Definitions
EXT_IP="202.189.48.11"
INT_IP="192.168.1.1"
MAILSVR="192.168.1.251"

# Test Machine Definitions
TEST_PC="192.168.1.250"
TEST_HTTP="8080"
TEST_HTTPS="8081"

# Clear out any existing firewall rules, and any chains that might have
# been created.

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -X

# Set Default Rules

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT

# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.

# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack

$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

# Use below to enable MASQUERADE eth1
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

# Allow selected ICMP types and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

# The loopback interface is inherently trustworthy.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Inside Devices are trusted
$IPTABLES -A INPUT -i $INSIDE -d 192.168.1.1 -j ACCEPT

# PORT FORWARDING

# Redirect Traffic for Port 80 to Squid Proxy Server:3128
$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128

# Redirect External & Internal HTTP on 8080 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP

# Redirect External & Internal SSH on 8081 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS

# Redirect External Emails to Mailserver
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 110 -j DNAT --to $MAILSVR:110
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 25 -j DNAT --to $MAILSVR:25

# INPUT SETTINGS

# Pop3
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 110 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
# HTTP
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 443 -j ACCEPT
# TEST PC
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j ACCEPT

# OUTPUT SETTINGS
# I decided to enter these manually; this will
# give these machines access to EVERY PORT

# Privileged Users Into Firewall
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.2 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.3 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.4 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.5 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.6 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.7 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.8 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.9 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.10 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.249 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.250 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.251 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.252 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.253 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.254 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.255 -j ACCEPT

# Client Users Into Firewall
# DNS
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -p udp --dport 53 -j ACCEPT
# Proxy 3128
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 3128 -j ACCEPT
# HTTP
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 80 -j ACCEPT
# Pop3
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 110 -j ACCEPT
# HTTPS
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 443 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport 22 -j ACCEPT
# Test PC
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport $TEST_HTTP -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -p tcp --dport $TEST_HTTPS -j ACCEPT

# Privileged Users Out of Firewall
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.1 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.2 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.3 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.4 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.5 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.6 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.7 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.8 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.9 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.10 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.249 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.250 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.251 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.252 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.253 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.254 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -s 192.168.1.255 -j ACCEPT


# Client Users Out of Firewall
# DNS
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $OUTSIDE -p udp --dport 53 -j ACCEPT
# HTTPS
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 443 -j ACCEPT
# Pop3
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 110 -j ACCEPT
# SMTP
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A OUTPUT -o $OUTSIDE -p tcp --dport 22 -j ACCEPT

# DROP Everything Else
#$IPTABLES -A OUTPUT -o $OUTSIDE -j DROP
#$IPTABLES -A INPUT -i $INSIDE -j DROP


# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anything that hasn't already matched gets logged and then dropped.
$IPTABLES -A INPUT -j firewalled
 
Old 11-21-2003, 10:21 AM   #5
JordanH
Ok. I promise to take a look at this later today.

Have a read through this thread and try to apply some of my structure comments to your code. It will shorten your script drastically and make it more readable.
Read here

[edit]
ps: With regards to your OUTPUT policy, the OUTPUT table is not consulted when forwarding connections to the internet. OUTPUT relates directly to the firewall machine ONLY. This also applies to INPUT as well.
[/edit]

Last edited by JordanH; 11-21-2003 at 10:24 AM.
 
Old 11-21-2003, 09:09 PM   #6
JordanH
I'm re-writing this script now and I have a few comments.
1. You have a line that allows all internal connections to connect to the firewall and then you have another group of settings explicitly listing machines to connect. Which would you like? All or some? BTW, restricting access based on IP isn't a good way to do things because a user can set their IP to static and become a trusted machine. I suspect you should allow all or none.
2. Your rules to redirect HTTP, POP and SMTP traffic probably won't work... although I didn't test it, in theory if 192.168.1.55 makes an http request to 192.168.1.1 but the reply comes back from 192.168.1.251 then your .55 machine will be confused and your reply is lost. Use an internal DNS entry instead.
 
Old 11-21-2003, 09:10 PM   #7
JordanH
#!/bin/sh
#
# Firewall v0.1
# Firewall for ChrisFireStar
# nov.20.2003 - jordan_harkness @ hotmail.com

# Allow Network IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# IPTables Primary Definitions
ipt="/sbin/iptables"

#Change these to match your adapters.
ext=ppp0
int=eth0

smtp_ip="192.168.1.251"
smtp_port=25
pop3_port=110
http_ip="192.168.1.250"
http_extport=80
http_intport=8080
https_extport=443
https_intport=8081

logops="--log-level=3 -m limit --limit 1/second --limit-burst 10"
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.168.0.0/16 255.255.255.255"

# Set policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done

########## ########## ##########
# DNAT
# - Redirect http, https, smtp and pop3 to internal machines
########## ########## ##########
$ipt -t nat -A PREROUTING -i $ext -p tcp --dport $http_extport -j DNAT --to $http_ip:$http_intport
$ipt -t nat -A PREROUTING -i $ext -p tcp --dport $https_extport -j DNAT --to $http_ip:$https_intport
$ipt -t nat -A PREROUTING -i $ext -p tcp --dport $smtp_port -j DNAT --to $smtp_ip:$smtp_port
$ipt -t nat -A PREROUTING -i $ext -p tcp --dport $pop3_port -j DNAT --to $smtp_ip:$pop3_port
########## ########## ##########

########## ########## ##########
# Log bad IP - only from external
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
# Spoofed IP chain
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
########## ########## ##########

########## ########## ##########
# Log bad flags
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$ipt -N BAD_FLAG
$ipt -A BAD_FLAG -j LOG --log-prefix "IPT: BAD FLAG: " $logops
$ipt -A BAD_FLAG -j DROP
# Check flags
$ipt -N FLAGS
$ipt -A FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j BAD_FLAG
$ipt -A FLAGS -p tcp --tcp-flags ALL ALL -j BAD_FLAG
$ipt -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BAD_FLAG
$ipt -A FLAGS -p tcp --tcp-flags ALL NONE -j BAD_FLAG
$ipt -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j BAD_FLAG
$ipt -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j BAD_FLAG
########## ########## ##########

########## ########## ##########
# Allow selected ICMP types and drop the rest.
$ipt -N ICMP
$ipt -A ICMP -p icmp --icmp-type 0 -j ACCEPT
$ipt -A ICMP -p icmp --icmp-type 3 -j ACCEPT
$ipt -A ICMP -p icmp --icmp-type 11 -j ACCEPT
$ipt -A ICMP -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
########## ########## ##########


########## ########## ##########
# INT_FIREWALL - Internal connections to Firewall
# - Internal machines may try to connect to any port
########## ########## ##########
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j FLAGS
$ipt -A INT_FIREWALL -j ACCEPT
########## ########## ##########


########## ########## ##########
# EXT_FIREWALL - External connections to Firewall
# - Do not allow ANY new connections to enter the firewall
# - allow only established and related sessions to come back
########## ########## ##########
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -j FLAGS
$ipt -A EXT_FIREWALL -j ICMP
$ipt -A EXT_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -j DROP
########## ########## ##########

########## ########## ##########
# IN_NETWORK - External connections to inside network
# - Allow connections to be forwarded to your correct servers
########## ########## ##########
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -j FLAGS
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p tcp --syn -d $http_ip --dport $http_intport -j ACCEPT
$ipt -A IN_NETWORK -p tcp --syn -d $http_ip --dport $https_intport -j ACCEPT
$ipt -A IN_NETWORK -p tcp --syn -d $smtp_ip --dport $smtp_port -j ACCEPT
$ipt -A IN_NETWORK -p tcp --syn -d $smtp_ip --dport $pop3_port -j ACCEPT
$ipt -A IN_NETWORK -j DROP
########## ########## ##########


########## ########## ##########
# OUT_NETWORK - Internal connections leaving network
# - Allow established connections back out.
# - Deny forwarding for internal clients
# - allow ICMP packets to be forwarded (ping external hosts)
########## ########## ##########
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -m state --state INVALID -j DROP
$ipt -A OUT_NETWORK -j FLAGS
$ipt -A OUT_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUT_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUT_NETWORK -p icmp -j ACCEPT
$ipt -A OUT_NETWORK -j DROP
########## ########## ##########

########## ########## ##########
# Main Rules
########## ########## ##########
$ipt -A INPUT -i lo -j ACCEPT

$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL

$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK

# Turn on Masquerading and port forwarding
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
########## ########## ##########
 
Old 11-23-2003, 08:19 PM   #8
chrisfirestar
I have to use those specific IPs because they will be server machines (including test servers for development) and the management team, and I would like to NOT allow everyone to have access, JUST those specific IPs.

I realise it's not the BEST way but it will have to do I think... as long as it does what it's supposed to. I will comment out IP addresses that aren't in use and people will have to apply for a static IP when they need one.

The traffic redirection for http and mail is working at the moment.
 
Old 11-24-2003, 11:30 PM   #9
JordanH
In that case, change the INT_FIREWALL section to this...

Quote:
########## ########## ##########
# INT_FIREWALL - Internal connections to Firewall
# - Internal machines may try to connect to any port
########## ########## ##########
int_allow="192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4"
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j FLAGS
$ipt -A INT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
for ips in $int_allow
do
$ipt -A INT_FIREWALL -s $ips -j allow
done
$ipt -A INT_FIREWALL -j DROP
########## ########## ##########
Make sure to change the int_allow=" ..... " line to include all allowable incoming connections internally. That is practically allowing everyone to have access, everyone that knows how to change their IP address. *shrug* Another option is using MAC addresses instead of IPs, but that only stops casual snooping.
 
Old 12-01-2003, 05:16 AM   #10
chrisfirestar
Sorry but this didn't work hmmm

I am VERY VERY CLOSE NOW THOUGH
I can block myself off of the chats etc. by using -s 192.168.1.27 -d 0/0 (my IP) for the rules...

What would be even better now is if I can select an IP range... e.g. 192.168.1.27-192.168.1.37

How would that look
if I was to put it as a definition?
How would it go?

CLIENTS="192.168.1.27:192.168.1.37" (something like this but not this cause IT DON'T WORK! hehe)

SO CLOSE YET SO FAR! hahaha once this is up and running I'll write up everything I have done so that y'all can see it and download the scripts etc.
 
Old 12-01-2003, 09:18 AM   #11
JordanH
Oh Shooot! I just noticed my typo.

This...
Quote:
$ipt -A INT_FIREWALL -s $ips -j allow
should read
$ipt -A INT_FIREWALL -s $ips -j ACCEPT

!!!! so sorry !!!!
 
Old 12-01-2003, 09:21 AM   #12
JordanH
Blocking a range... theoretically, adding the following line should work
$ipt -A INT_FIREWALL -s 192.168.0.27:192.168.0.37 -j DROP

However, it is unnecessary if you have the policy set to drop.
 
Old 12-01-2003, 09:30 PM   #13
chrisfirestar
I got it working...

for ((SOURCE=11;SOURCE<=249;SOURCE++))
do
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.$SOURCE -d 0/0 -p tcp --dport 3128 -j ACCEPT
done

Seems to work well, so now I have everything working... I will write up everything I have done and place it on a website, then give you all the URL.

if you have any questions email chris_w_b2002@yahoo.com for now

*happy*

Thanks everyone for your help and advice!
 
Old 12-02-2003, 02:56 PM   #14
JordanH
Congratulations.

I have a question though... Didn't the -s 192.168.0.11:192.168.0.249 notation work?
 
Old 12-02-2003, 08:11 PM   #15
chrisfirestar
Not sure, for me it didn't. It didn't like it at all for some reason... but that could be something else that I was doing wrong haha
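An added example, not code posted by either participant: a minimal rule set that does what the thread works toward (inside clients can only reach the Squid proxy on 3128, the mail server stays reachable through DNAT), written with JordanH's structure advice (INPUT and FORWARD drop, OUTPUT accept, forwarded traffic judged in FORWARD rather than INPUT/OUTPUT) and with the `iprange` match in place of the 239-iteration loop from post #13. Interface names, the client range and the mail server address are the thread's; that your kernel has the `iprange` match is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Forces inside clients through the
# Squid proxy on 3128: FORWARD carries no client rule at all, so anything a
# chat client sends directly is dropped by the policy, and port 80 is
# redirected to Squid instead. Assumes the iprange match is available.
# Defaults to a dry run that prints the rules; apply for real with
#   IPT=/sbin/iptables sh proxy-only.sh
IPT="${IPT:-}"
INSIDE="${INSIDE:-eth1}"
OUTSIDE="${OUTSIDE:-eth0}"
CLIENTS="192.168.1.11-192.168.1.249"   # iprange syntax is low-high
PROXY_PORT=3128
MAILSVR=192.168.1.251

ipt() {
    # run the rule, or print it when IPT is unset (dry run)
    if [ -n "$IPT" ]; then "$IPT" "$@"; else printf 'iptables %s\n' "$*"; fi
}

reset_tables() {
    # policies first, so the box is closed while the chains are rebuilt
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

input_rules() {
    # INPUT only sees traffic addressed to the firewall box itself
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # one iprange rule instead of a loop of per-address -s rules
    ipt -A INPUT -i "$INSIDE" -p tcp -m iprange --src-range "$CLIENTS" \
        --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
}

forward_rules() {
    # FORWARD decides what crosses the box; DNAT'd mail is seen here with
    # its rewritten destination, never in INPUT
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 25 110; do
        ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -p tcp -d "$MAILSVR" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # the mail server may deliver outbound mail; no other client goes out
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp -s "$MAILSVR" \
        --dport 25 -m state --state NEW -j ACCEPT
}

nat_rules() {
    for port in 25 110; do
        ipt -t nat -A PREROUTING -i "$OUTSIDE" -p tcp --dport "$port" \
            -j DNAT --to-destination "$MAILSVR:$port"
    done
    # transparent proxy: clients that ignore the proxy setting still hit Squid
    ipt -t nat -A PREROUTING -i "$INSIDE" -p tcp -m iprange --src-range "$CLIENTS" \
        --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    ipt -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

reset_tables
input_rules
forward_rules
nat_rules
```

Squid's own outbound connections leave via the firewall's OUTPUT chain, which is why OUTPUT stays ACCEPT while the clients are still confined.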