Linux - Security
We have shared our dialup internet connection across 4 users on our network of 30 guys. One user, who is acting as the gateway, is running Fedora Core 3. Using an iptables config script, we have restricted access to the four of us... but that doesn't seem to be working... everyone can access the net :-( . The script is below, please point out the errors.
Also, how do I determine which users are being forwarded (I mean, which of them are accessing the net through the gateway) at a particular instant? And then, how do I bump them off? Which commands do I use?
Here's my iptables config script:
========================================
Code:
#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
## enable local network services
/sbin/iptables --append INPUT --in-interface eth1 -p all -j ACCEPT
/sbin/iptables --append OUTPUT --out-interface eth1 -p all -j ACCEPT
## enable local network services
#/sbin/iptables --append INPUT --in-interface eth2 -p udp --dport 53 -j ACCEPT
#/sbin/iptables --append INPUT --in-interface eth2 -p tcp --dport 22 -j ACCEPT
##/sbin/iptables --append INPUT --in-interface eth2 -p tcp -j ACCEPT
/sbin/iptables -A OUTPUT -o eth2 -p all -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p all -j ACCEPT
## local loopback interface
/sbin/iptables --append INPUT --in-interface lo -p all -j ACCEPT
/sbin/iptables --append OUTPUT --out-interface lo -p all -j ACCEPT
##public service
#/sbin/iptables --append INPUT --in-interface eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables --append INPUT --in-interface eth0 -p tcp --dport 8342:8345 -j ACCEPT
/sbin/iptables --append INPUT --in-interface eth0 -p tcp --dport 24716 -j ACCEPT
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth2 -j ACCEPT
/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
/sbin/iptables --append INPUT --in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
## reject others
/sbin/iptables --append INPUT --in-interface eth0 -m state --state NEW -j DROP
/sbin/iptables --append INPUT -j DROP
/sbin/iptables --append OUTPUT -p icmp -d 0/0 -j DROP
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#---------------------------------------------------------------
# Disable redirects
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#---------------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
============================================
Thanks in advance,
Mayank
Last edited by funkymunky; 03-15-2005 at 04:26 PM.
Anything that is being forwarded by the FC gateway is going to use the FORWARD chain. Looking at your script, I don't see how you are restricting forwarding at all. I also don't see any default policies for any of the chains, so if you aren't setting the policy, it automagically becomes 'ACCEPT'. Therefore anything that doesn't specifically match a rule will reach the default policy (ACCEPT) and get forwarded. Maybe if you described how you would like to restrict access (by IP address, MAC address, etc.) we can come up with a solution. It might also help to give a brief description of your network and what eth0/1/2 are connected to.
Sorry, I have posted a clean script, the way we got it off the net... unfortunately, the edited script got lost. Hope you can still help... :-(
The FC gateway has the dialup interface connected to ppp0, so all FORWARD requests should be routed to it. The only NIC present in it is connected to eth0, so all the requests come from there.
One unpleasant thing we had noticed was that people would change their IP to one of the four that were allowed, and would thus fool the firewall... thus MAC level authentication would be better... but I suppose that can be spoofed too.
Another query I had was:
How do I determine which users are being forwarded to ppp0 at a particular instant? "netstat -an" does show all of them; how do I determine which ones are simply accessing my LAN shares, and which ones are being forwarded? And then, how do I drop their connections?
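The monitoring question above is not answered later in the thread. As an added example (not from the thread or any of its posters), the script below reads the kernel's connection-tracking table, which on a Fedora Core 3 gateway is /proc/net/ip_conntrack (newer kernels expose /proc/net/nf_conntrack or `conntrack -L`), and separates flows the gateway is masquerading out ppp0 from plain LAN-to-LAN traffic. The test it applies: in a masqueraded entry the reply-direction destination is the ppp0 address, not the LAN host that opened the connection, while for a LAN share access both directions name the same LAN host. The sample table lines, the 192.168.1.0/24 LAN and the 198.51.100.7 ppp0 address are constructed for the example.

```bash
#!/bin/sh
# Added example, not code from the thread. Lists LAN hosts whose connections
# are being masqueraded (forwarded) by the gateway, using the conntrack table.
# Addresses and table contents below are constructed for illustration.

CONNTRACK_FILE=${CONNTRACK_FILE:-/proc/net/ip_conntrack}

# Constructed sample of the table: two masqueraded flows (reply dst is the
# ppp0 address 198.51.100.7, not the LAN host) and one LAN-to-LAN SMB session.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=203.0.113.80 sport=32770 dport=80 src=203.0.113.80 dst=198.51.100.7 sport=80 dport=32770 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=192.168.1.5 dst=192.168.1.1 sport=32771 dport=445 src=192.168.1.1 dst=192.168.1.5 sport=445 dport=32771 [ASSURED] use=1
udp      17 29 src=192.168.1.9 dst=203.0.113.53 sport=32772 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=32772 use=1'

# Reads conntrack entries on stdin. For each one, compare the original-direction
# source (first src=) with the reply-direction destination (second dst=). When
# they differ, the gateway rewrote the address: the flow is being masqueraded,
# not a local share access. Prints "lan_ip remote_ip:port" per forwarded flow.
forwarded_flows() {
    awk '
    {
        n = 0; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/)   { dst[n] = substr($i, 5) }
            if ($i ~ /^dport=/ && n == 1) { dport = substr($i, 7) }
        }
        # src[1]/dst[1]: original direction; src[2]/dst[2]: reply direction
        if (n == 2 && src[1] != dst[2]) print src[1], dst[1] ":" dport
    }'
}

# Distinct LAN hosts currently using the dialup link.
forwarded_hosts() {
    forwarded_flows | awk '{ print $1 }' | sort -u
}

# On the gateway (as root) read the live table; elsewhere, run on the sample.
if [ -r "$CONNTRACK_FILE" ]; then
    forwarded_hosts < "$CONNTRACK_FILE"
else
    printf '%s\n' "$SAMPLE_CONNTRACK" | forwarded_flows
fi
```

To cut a host off once it shows up here, insert a rule ahead of the ACCEPT rules, for example `iptables -I FORWARD -i eth0 -s 192.168.1.9 -j DROP` (or match with `-m mac --mac-source`). The FORWARD chain is evaluated for every packet, so an existing connection is blocked immediately and its conntrack entry expires on its own.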
Set your default policy for the FORWARD chain to DROP at the beginning of the script, so any packets which don't match any of the forwarding rules will get dropped.
Your forwarding rules are ok, but you should limit traffic being forwarded into the LAN to established or related states. Otherwise it might be possible for someone to remotely access the LAN.
If you wish to restrict access by MAC address, simply find the MAC addresses from the clients and replace the forwarding rules above with:
Code:
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth0 -m mac --mac-source AA:AA:AA:AA:AA:AA -j ACCEPT
/sbin/iptables --append FORWARD --in-interface eth0 -m mac --mac-source BB:BB:BB:BB:BB:BB -j ACCEPT
/sbin/iptables --append FORWARD --in-interface eth0 -m mac --mac-source CC:CC:CC:CC:CC:CC -j ACCEPT
/sbin/iptables --append FORWARD --in-interface eth0 -m mac --mac-source EE:EE:EE:EE:EE:EE -j ACCEPT
/sbin/iptables --append FORWARD --in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
To find the clients' MAC addresses quickly, just use the arp command to display the current IP<->MAC mappings. Also, remember that restricting by MAC addresses only works for systems on the same physical network. It is possible to spoof MAC addresses fairly easily, so you might want to take a look at arpstar or arpwatch.
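As an added example (not Capt_Caveman's or the original poster's code), the following script assembles the rule set this reply describes, including the default-deny FORWARD policy that the reply calls for but whose command is not shown, and prints the resulting iptables commands for review before anything is applied. eth0 as the LAN NIC and ppp0 as the dialup interface follow the thread; the four MAC addresses are constructed placeholders to be replaced with the real ones from `arp -an` on the gateway.

```bash
#!/bin/sh
# Added example, not code from the thread. Builds the FORWARD/NAT rule set for
# a dialup gateway that only forwards for a list of authorised MAC addresses.
# Interface names follow the thread; the MACs are constructed placeholders.

LAN_IF=${LAN_IF:-eth0}      # NIC facing the 30-host LAN
WAN_IF=${WAN_IF:-ppp0}      # dialup interface
IPT=${IPT:-/sbin/iptables}

# Constructed example MACs; replace with the output of `arp -an` on the gateway.
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66 00:11:22:33:44:77 00:11:22:33:44:88"

# Prints the rule set as iptables command lines (one per line, with comments).
gateway_rules() {
    cat <<EOF
$IPT --flush
$IPT --table nat --flush
$IPT --delete-chain
$IPT --table nat --delete-chain
# Default deny for forwarded traffic: anything not matched below is dropped.
# Without this the built-in policy is ACCEPT and every LAN host gets through.
$IPT --policy FORWARD DROP
$IPT --table nat --append POSTROUTING --out-interface $WAN_IF -j MASQUERADE
EOF
    # One ACCEPT per authorised MAC, matched only on frames arriving from the LAN.
    for mac in $ALLOWED_MACS; do
        echo "$IPT --append FORWARD --in-interface $LAN_IF -m mac --mac-source $mac -j ACCEPT"
    done
    cat <<EOF
# Only replies to LAN-initiated connections come back in from the dialup side.
$IPT --append FORWARD --in-interface $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what falls through to the DROP policy, so spoofed IP/MAC attempts are visible.
$IPT --append FORWARD --in-interface $LAN_IF -j LOG --log-prefix "FWD-DENIED: "
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Number of per-MAC ACCEPT rules in the generated set (sanity check).
count_mac_rules() {
    gateway_rules | grep -c -- '--mac-source'
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (run as root).
if [ "${DRY_RUN:-1}" = 1 ]; then
    gateway_rules
else
    gateway_rules | sh
fi
```

Review the printed rules first, then apply with `DRY_RUN=0 sh gateway-rules.sh` on the gateway. Denied forwarding attempts land in /var/log/messages with the `FWD-DENIED:` prefix, which is where a host that has borrowed an allowed IP but not its MAC will show up.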
Thanks to Capt_Caveman, it seems to be working fine now. However, there's a peculiar problem we're facing:
From the clients, no browser is able to open rediffmail.com, google images, or get to their yahoo mail inbox... the browsers time out while connecting to these sites. (There may be other such sites that are unreachable.) Other sites work fine.
Among the 4 people sharing the Internet connection, two are running Fedora Core 3, while the others run Windows. This behaviour comes up only in the Linux *client*; the gateway Linux box and the Windows clients work fine. One of the Linux boxes is acting as the server.
Further, this behaviour is replicated if either of the Fedora Core boxes is made the gateway. And like I said, only the Linux *client* has this problem... I've even tried reinstalling Linux on both the Linux boxes, to no avail!
Make sure that ECN is off:
cat /proc/sys/net/ipv4/tcp_ecn (make sure it's 0)
Also, Linux clients can occasionally have problems with MTU size and the DF flag. Try adding:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu