Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am making a file with rules to secure what i have here and i would like to know if you guys could spot my mistakes and also help me out to make this file on what i am still learning.
i have 2 network cards eth0 that holds the local network and eth1 that holds the internet and the real ips.
This machine is called firewall and it has the follow services:
DNS, MAIL, MYSQL(local network), SSH(external access)
From the local network i have some softwares that need access to the internet, they use the ports tcp 2136, tcp 2631, udp 2631, tcp 3007, tcp 137, tcp 10000, tcp 3057. i am not quiet sure on how to create this rules because the software is installed into a machine from the internal network and i am not sure if the program will reply back so what rules i would need in this case to allow any machine within the internal network to talk with this program tru the internet.
Besides those i need to redirect the ports 80 and 8080 to an internal ip that holds the websever on the ip 192.168.0.4 and also redirect the port 4000 to the MTSC access to this server.
I would appreciate if you guys could help me out on this.
Here is the firewall i have so far:
Code:
#!/bin/bash
# IPTables
IPT=`which iptables`;
# modprobe
MODP=`which modprobe`;
# Internal interface
IF_INT="eth0";
# External interface
IF_EXT="eth1";
# External ip
IP_EXT="200.xxx.xxx.253" # eth1 itself
IP_ALIAS="200.xxx.xxx.252" # Alias of eth1:2
IP_ALIAS2="200.xxx.xxx.251" # Alias of eth1:1
# External Network
EX_NETWORK="200.xxx.xxx.0/255.255.255.240";
# Internal Network
INT_NETWORK="192.168.0.0/24"
# Internal IP (Firewall)
IP_INT="192.168.0.24";
fw_start()
{
# -----------------------------------------------------------------
# Default rules
# -----------------------------------------------------------------
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# -----------------------------------------------------------------
# Load modules
# -----------------------------------------------------------------
$MODP ip_nat_ftp
$MODP ip_conntrack
$MODP ip_conntrack_ftp
$MODP ipt_REJECT
$MODP ipt_LOG
$MODP ipt_MASQUERADE
$MODP ipt_state
$MODP ipt_mac
$MODP ipt_mark
$MODP ipt_MARK
$MODP iptable_nat
$MODP ipt_multiport
$MODP ipt_owner
$MODP ipt_state
$MODP ipt_tos
$MODP iptable_mangle
$MODP ipt_limit
$MODP ip_tables
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "5 4 1 7" > /proc/sys/kernel/printk
# -----------------------------------------------------------------
# Enable loopback traffic
# -----------------------------------------------------------------
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# -----------------------------------------------------------------
# Spoofing
# -----------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
# ---------------------------------------------------------------------------------------
# SYN flood
# ---------------------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# -----------------------------------------------------------------
# Enable internal network traffic
# -----------------------------------------------------------------
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -i $IF_INT -j ACCEPT
$IPT -t filter -A FORWARD -i $IF_INT -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $IF_INT -j MASQUERADE
$IPT -t nat -A PREROUTING -i $IF_EXT -d $INT_NETWORK -j ACCEPT
# ---------------------------------------------------------------------------------------
# Proxy Squid
# ---------------------------------------------------------------------------------------
$IPT -t nat -A PREROUTING -i $IF_EXT -p tcp --dport 80 -j REDIRECT --to-port 3128
# ---------------------------------------------------------------------------------------
# Restrict squid to the local network only
# ---------------------------------------------------------------------------------------
$IPT -A INPUT -i $IF_EXT -p tcp -s 0/0 --sport 1024:65535 -d $IP_EXT --dport 3128 -j DROP
# ---------------------------------------------------------------------------------------
# Enable total access to the network from ip X
# ---------------------------------------------------------------------------------------
# $IPT -A INPUT -i $IF_INT -s X -j ACCEPT
# $IPT -A OUTPUT -o $IF_INT -d X -j ACCEPT
# ---------------------------------------------------------------------------------------
# Enable icmp to and from our local network
# ---------------------------------------------------------------------------------------
$IPT -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $INT_NETWORK -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -s $INT_NETWORK -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 8 -s $INT_NETWORK -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $INT_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
# ---------------------------------------------------------------------------------------
# DoS, NetBus, Ping, Port Scaner, Back Orifice
# ---------------------------------------------------------------------------------------
# Back Orifice
$IPT -A INPUT -p tcp --dport 31337 -j DROP
$IPT -A INPUT -p udp --dport 31337 -j DROP
$IPT -A INPUT -p tcp --dport 33435 -j LOG --log-prefix "BackOrifice"
# NetBus
$IPT -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPT -A INPUT -p udp --dport 12345:12346 -j DROP
$IPT -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Netbus"
$IPT -A INPUT -p tcp --dport 12346 -j LOG --log-prefix "NetBus"
# Ping
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Port Scanners
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# ---------------------------------------------------------------------------------------
# Internet access
# ---------------------------------------------------------------------------------------
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -i $IF_EXT -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o $IF_EXT -j ACCEPT
# -----------------------------------------------------------------
# Packet flood
# -----------------------------------------------------------------
$IPT -A INPUT -j BLOCK
$IPT -A FORWARD -j BLOCK
}
fw_stop()
{
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT -t filter -Z
$IPT -t nat -Z
$IPT -t mangle -Z
}
fw_usage()
{
echo
echo "$0 (start | stop | restart | clear)"
echo
echo "start - Start the firewall"
echo "stop - Stop the firewall"
echo "restart - Restart the firewall"
echo "clear - Clean the counters"
}
fw_clear()
{
$IPT -t filter -Z
$IPT -t nat -Z
$IPT -t mangle -Z
}
case $1 in
start)
fw_start;
;;
stop)
fw_stop;
;;
restart)
fw_stop;
fw_start;
;;
clear)
fw_clear;
;;
*)
fw_usage;
exit;
;;
esac
hmm the script in general looks good , if you want your application that located at the inside network to be active to the internet you should have a look at the NAT table from documents here .. http://www.netfilter.org/documentati...entation-howto
Good Luck . .
Start it up and see if it works. I would suggest adding some echos before each group of commands, that way if you have a problem you know approximately where the problem is, IE:
Let me add something that tends to save me when I think a connection should go through but doesn't. Instead of just "DROP", I create a new chain "LOG_AND_DROP". All "DROP" targets get replaced with "LOG_AND_DROP". That chain then gets
-A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:
-A LOG_AND_DROP -j DROP
and I usually have the first line commented out. As shown above, it will add an entry to the syslog for each packet that get gets dropped, and you will be able to see what's going on. In a busy network with a high drop rate this can lead to a lot of messages in the syslog, that's why I have it switched off mostly and activate the line only when I need to debug my firewall settings.
Having it sitting there ready to be activated by removing the comment is also nice if you have to activate in a hurry, when you think that you are getting scanned or attacked and need to log the activity.
Well i have learned a lot and changed a lot of my firewall since last post, thanks for the recommendations.
mlp68 it looks like a very good idea and i might not leave it active like you said because we have a huge traffic but it would be awesome for debug when a problem comes up.
how would i implement the LOG_AND_DROP ?
Quote:
echo " Create a chain that will LOG and DROP..."
$IPT -N LOG_AND_DROP
Then how do i apply it to a rule ?
Quote:
echo " LOG AND DROP TEST"
$IPT -A LOG_AND_DROP -i $IF_INT -p tcp --dport 110 -j DROP
$IPT -A LOG_AND_DROP -i $IF_INT -p tcp --dport 995 -j DROP
would it work like that ?
Also i would like to ask everyone to check out my rules and spot me what i did wrong or could change or implement to make it better.
Quote:
echo " LOG AND DROP TEST"
$IPT -A LOG_AND_DROP -i $IF_INT -p tcp --dport 110 -j DROP
$IPT -A LOG_AND_DROP -i $IF_INT -p tcp --dport 995 -j DROP
would it work like that ?
Hm, no. Your command to make the new chain with that name, in your script's nomenclature, is right:
Code:
$IPT -N LOG_AND_DROP
Then you add a log and the drop target to it:
Code:
$IPT -A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:
$IPT -A LOG_AND_DROP -j DROP
Whatever ends up in that chain gets logged and then dropped.
Now in the existing lines of your script, you replace what reads "-j DROP" with "-j LOG_AND_DROP", for example the current line
Code:
$IPTABLES -A INPUT -s $ALL -d $ALL -j DROP
becomes
Code:
$IPTABLES -A INPUT -s $ALL -d $ALL -j LOG_AND_DROP
and so on.
You are asking if other could help debug your script. My opinion, you make it pretty much unreadable with all those definitions and substitutions that make you jump back and forth... what was that $ALL again? And why is it "$IPT" mostly, but once (in the DROP line that I quoted above) the command is called "$IPTABLES"? All those variables which one needs to look up make it very hard to understand what's going on.
The way you define $IPT, $MODP, $INSMOD, etc doesn't even help you fending off an attacker who manages to tweak your PATH variable (one of the classic attacks - sneak in a same-name executable ahead of the system one in root's PATH), which is the reason why in scripts the commands are normally given with the full path. You define IPT=`which iptables`, which leaves you vulnerable to that attack.
Also, I don't think you have to explicitly insmod all those target-modules, do you? If you specify a target, it gets loaded automatically. At least in most systems it is.
Thanks for point that out for me and for being present at my topic it is helping me a lot also thanks for taking the time
I am trying to make it the best way and like you said indeed i dont need to use which because i do know the full path of it and do agree that using which it could be malicious used against me.
Thanks for explainning about the LOG_AND_DROP i am making a different approch of my code now to fit those in for when i need to use it.
Another thing i was trying to separete the logs of iptables from /var/log/messages at the syslog.conf but even after i make a new like for warning or info or whatever set the log-level to it and restart syslog it wasnt redirecting the messages any ideas ?
I see, i will change the nameing-scheme again i was just trying to reduce it is usage since i hold it into a variable i dont think i need to use $IPTABLES to make it readable to everyone i belive that $IPT as a resume would work good but i guess not :P
My problem now is that with this code i don't have internet access, squid redirection look like working fine since it timeouts, since i can ping but can't download something i belive it did be something direct to the dns or www access could anyone help me out on what i have missed in my rules ?
About the $ALL it is meant for everything like anywhere 0/0 or 0.0.0.0/0 UNIVERSE ? would it be better named as UNIVERSE or just use 0/0 or 0.0.0.0/0 ? what do you think ?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
