Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
ok here's an example:
The internet interface is "eth1"
The internal interface is "eth0"
The internal subnet is 192.168.10.0/24
The external IP address is "45.255.18.171"
I've added some comments to each rule so you can see what it does.
# load the FTP NAT helper module so active-mode FTP data connections are tracked back to the NAT source.
if [ -e /lib/modules/$(uname -r)/ipv4/ip_masq_ftp.o ]; then
    if [ -x /sbin/insmod ]; then
        # only load it if it is not already listed in /proc/modules
        if ! grep -qs ip_masq_ftp /proc/modules; then
            /sbin/insmod -p -s ip_masq_ftp
        fi
    fi
fi
# Pull the chain: flush all rules and delete user-defined chains
ipchains -F
ipchains -X
# Reject all packets by default and use explicit rules instead
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# change masquerading timeouts on kernel 2.2 only
# ipchains -M -S 6800 15 200
# allow inbound replies from web servers with SYN off so adverts come in and don't crash Java scripts.
ipchains -A input -i eth1 -p tcp -s 0/0 --sport 80 -d 45.255.18.171 --dport 1024:65535 -j ACCEPT
ipchains -A input -i eth1 -p tcp -s 0/0 --sport 443 -d 45.255.18.171 --dport 1024:65535 -j ACCEPT
ipchains -A input -i eth1 -p tcp -s 0/0 --sport 8080 -d 45.255.18.171 --dport 1024:65535 -j ACCEPT
# Allow access out to all ports but only into 1024:65535 on the firewall.
# Only allow a connection inbound if the server requested it outbound in the first place (no SYN).
# Change all outgoing packets' TOS to priority level 1 (minimize delay) for priority router access.
ipchains -A output -p tcp -s 0/0 -d 0/0 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 1:65535 -d 45.255.18.171 1024:65535 -j ACCEPT
ipchains -A input -p tcp -s 0/0 --sport 1:65535 -d 45.255.18.171 1:1023 -j REJECT -l
# Do magic NAT (masquerading) for internal IPs
ipchains -A forward -s 192.168.10.0/24 -j MASQ
# allow the server to talk to itself over the loopback interface
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# allow access from all IPs on eth0, the internal NIC
ipchains -A input -i eth0 -s 192.168.10.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.10.0/24 -j ACCEPT
# NetBIOS (Windows) connections from the internet rejected and logged on eth1
ipchains -A input -i eth1 -p tcp -s 0/0 --dport 137:139 -j REJECT -l
# Reject 10, 172, 192 and 127 non-internet source addresses spoofed onto the external card eth1
ipchains -A input -i eth1 -s 10.0.0.0/8 -d 0/0 -j REJECT
ipchains -A input -i eth1 -s 172.16.0.0/12 -d 0/0 -j REJECT
ipchains -A input -i eth1 -s 192.168.0.0/16 -d 0/0 -j REJECT
ipchains -A input -i eth1 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth1 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth1 -d 0.0.0.0 -j REJECT -l
# People can't traceroute the server now with UDP packets (traceroute source port range)
ipchains -A input -p udp -d 45.255.18.171 -s 0/0 33434:33600 -j REJECT -l
# TCP DNS lookup allowed from any DNS server PROVIDED the internal network requested it (no SYN inbound).
ipchains -A output -p tcp -s 45.255.18.171 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 53 -d 45.255.18.171 1023:65535 -j ACCEPT
# UDP DNS lookup allowed from any DNS server; a stateful firewall would be needed to connection-track this.
ipchains -A output -p udp -s 45.255.18.171 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 0/0 --sport 53 -d 45.255.18.171 1023:65535 -j ACCEPT
------------------------
You must shut down any services that you don't need.
The above example will only allow outgoing connections to websites, FTP servers etc.
For an inbound connection you'll need rules that are similar to this example:
Depending on how your system is configured, I find the best way to start a firewall is by adding a script line in the /etc/rc.d/rc.local file, like:
/etc/rc.d/firewall1.sh
"Then it's the last process to be executed after the run level processes and doesn't mess anything up, in theory."
Then create a /etc/rc.d/firewall1.sh file with "chmod 700" rights.
Yes, inbound connections are any connections going into your system's services and are controlled with the INPUT rule in ipchains and the PREROUTING & INPUT rule in iptables.
Someone mentioned to me that it's good to have a script installed on the server that will turn off the firewall after 5 minutes (just while I'm setting it up). That way, if I accidentally block all the ports or something, I can easily go in and correct it.
Any ideas?
So I add that script file. What do you put inside it, all the rules?
Maybe it sounds hard, but I think you have to learn to evaluate the chains and learn/decide what's an acceptable accept/reject/deny policy before moving on. Familiarize yourself with the OS and networking, and get your ipchains how-tos from linuxdoc.org, preferably trying out stuff on a staging server/testbox before deploying, if you can.
If you follow Raz's instructions you make the file /etc/rc.d/firewall1.sh, add the "bang" line:
"#!/bin/sh" (w/o quotes) as the first line, then add all the rules, save, close and make it executable by issuing "chmod 0750 /etc/rc.d/firewall1.sh" or "chmod 0700 /etc/rc.d/firewall1.sh".
Since the RaQ is basically Red Hat, and if the filesystem still follows the standard, you can do 2 things: either leave it there, or move it to /etc/rc.d/init.d.
If you move it to init.d it will be easier to link the file to the runlevel you want it to run in, and even perform actions based on runlevel.
For example: if your default runlevel is 3 (multi-user, networking, no graphical login) then you do:
"ln -sf /etc/rc.d/init.d/firewall1.sh /etc/rc.d/rc3.d/S99firewall1.sh".
Now when you reboot it'll process the ipchains rules as the (almost last) process, because /etc/rc.d/rc.local comes after that.
Now for resetting the rules there are many ways.
Without going into details about security issues too much, and hoping you won't expose vulnerable services, just let the script "sleep" for a few minutes.
Add the line "sleep 10m && ipchains -F && ipchains -X && ipchains -P (default policy rules here)"
to the bottom of the firewall.sh, and after 10 minutes of sleeping after processing the rules, it'll flush.
Btw, I never worked with RaQ4s but I thought they were Red Hat based and came with the whole complete setup so any customer shouldn't have to deal with the OS?
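The "sleep, then flush" safety net described above, written out as an added example (this is not code from anyone in the thread). It assumes the ipchains tool on a kernel 2.2 host and a rules script at /etc/rc.d/firewall1.sh; the variable names (FW, RULES_SCRIPT, ROLLBACK_SECS, ROLLBACK_POLICY, PID_FILE) and function names are chosen here. Instead of a fixed "sleep 10m" appended to the rules, the timer runs in the background and is cancelled with an explicit commit once you have confirmed you can still log in, so a good rule set does not get flushed after ten minutes just because you forgot to remove the line.

```shell
#!/bin/sh
# Added example, not from the thread: load a firewall script and arm a rollback
# timer that flushes the chains unless the rules are explicitly committed.
# Assumptions: ipchains (kernel 2.2); all names below are chosen for this example.
FW="${FW:-/sbin/ipchains}"
RULES_SCRIPT="${RULES_SCRIPT:-/etc/rc.d/firewall1.sh}"
ROLLBACK_SECS="${ROLLBACK_SECS:-600}"
# ACCEPT restores reachability after a lock-out; use it only while setting up.
ROLLBACK_POLICY="${ROLLBACK_POLICY:-ACCEPT}"
PID_FILE="${PID_FILE:-/var/run/firewall-rollback.pid}"

# Flush every chain and set the fallback policy; returns the tool's exit status.
flush_rules() {
    "$FW" -F && "$FW" -X &&
    "$FW" -P input "$ROLLBACK_POLICY" &&
    "$FW" -P output "$ROLLBACK_POLICY" &&
    "$FW" -P forward "$ROLLBACK_POLICY"
}

# Start a background timer that flushes unless commit_rules kills it first.
arm_rollback() {
    ( sleep "$ROLLBACK_SECS" && flush_rules ) &
    echo "$!" > "$PID_FILE"
}

# Load the rules, then arm the timer. Fails if the rules script fails.
apply_rules() {
    sh "$RULES_SCRIPT" || return 1
    arm_rollback
}

# Cancel the timer. Returns non-zero if there was no timer or it already fired.
commit_rules() {
    [ -f "$PID_FILE" ] || return 1
    pid="$(cat "$PID_FILE")"
    rm -f "$PID_FILE"
    kill "$pid" 2>/dev/null
}

# True while a rollback timer is still pending.
rollback_pending() {
    [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null
}

# Usage: firewall-rollback.sh apply | commit | status
case "${1:-}" in
    apply)  apply_rules ;;
    commit) commit_rules ;;
    status) if rollback_pending; then echo "rollback pending"; else echo "committed"; fi ;;
esac
```

Run it as "firewall-rollback.sh apply" from rc.local or the rc3.d link, log in over a fresh connection, and run "firewall-rollback.sh commit"; if the new rules locked you out, the timer flushes them and sets ROLLBACK_POLICY after ROLLBACK_SECS. Killing the timer's subshell is enough to stop the flush, because the flush only runs when the sleep inside that subshell completes.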
BUT, it has no firewall which leaves it open to vulnerabilities, and people are out there making loads of money getting paid just to set up ipchains on RaQ machines!
Now, I have 2 of these RaQs so it would cost quite a bit. Secondly, I'm not an idiot, else I wouldn't be in charge of it - I just don't have any Linux experience before this.
But I'm learning :P
There is some useful stuff here. I will compile it together and give it a shot, then come back once I've run into a problem.