Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-29-2007, 02:24 PM | #1 | davidz (LQ Newbie; Registered: Aug 2007; Posts: 11)
IPTABLES Misunderstanding
Forgive my newbie status, but I am working on a new firewall/router for our company network. I am having a hard time getting it to function the way I would expect. I have read "Linux Firewalls" third edition, and that helped a lot. But none of the examples match our network very well.
First a little background on the network:
We have a 10 Mbit dedicated ethernet connection to the internet. This connects to eth1 on a CentOS 4.5 server. Then eth0 is the LAN interface. So we have 13 usable IP addresses from our ISP. We are only planning on using 3 at the moment. One for the firewall, one for the email server, one for the web server. (Three separate servers). The plan was to use DNAT for the two external servers (web, email).
So the setup we are looking for is a DENY by default policy. But I am having trouble getting packets to flow as expected. So what I am looking for here from more experienced linux gurus is some help understanding the best way to do this.
I have noticed that for a packet to get from the outside to a local machine on the network I have to add 6 different rules. INPUT, OUTPUT, FORWARD, NAT PREROUTING, NAT POSTROUTING, NAT OUTPUT. Is this really how it works?
I will post the firewall I have been working on:
Code:
#!/bin/sh
/sbin/modprobe ip_conntrack_ftp
IPT="/sbin/iptables" # Location of iptables on your system
INTERNET="eth1" # Internet-connected interface
LOOPBACK_INTERFACE="lo" # however your system names it
IPADDRESS="209.xxx.xxx.114" # your IP address
SUBNET_BASE="209.xxx.xxx.112" # ISP network segment base address
SUBNET_BROADCAST="209.xxx.xxx.127" # network segment broadcast address
DEFAULTGW="209.xxx.xxx.113" # ISP server & NOC address range
LAN_INTERFACE="eth0" # LAN Interface
LAN_ADDRESS="192.168.100.6" # LAN Ip Address
LAN_NETWORK="192.168.0.0/16" # The whole LAN
TIME_SERVER1="198.60.22.240" # address of a remote time server
TIME_SERVER2="216.218.254.202" # address of a remote time server
ATHENAEXTADDRESS="209.xxx.xxx.115" # external address of web/DNS server (Athena)
ATHENAINTADDRESS="192.168.100.54" # internal address of web/DNS server (Athena)
HERMESEXTADDRESS="209.xxx.xxx.116" # external address of email server (Hermes)
HERMESINTADDRESS="192.168.100.50" # internal address of email server (Hermes)
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"
###############################################################
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't Send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
###############################################################
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
if [ "$1" = "stop" ]
then
echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
exit 0
fi
# Unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Unlimited traffic on the lan interface
$IPT -A INPUT -i $LAN_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
$IPT -A FORWARD -i $LAN_INTERFACE -j ACCEPT
$IPT -A FORWARD -o $LAN_INTERFACE -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN_INTERFACE -j ACCEPT
$IPT -t nat -A POSTROUTING -o $LAN_INTERFACE -j ACCEPT
$IPT -t nat -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
# Log everything for testing...
$IPT -A INPUT -j LOG --log-prefix "INPUT: "
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT: "
$IPT -A FORWARD -j LOG --log-prefix "FORWARD: "
$IPT -t nat -A PREROUTING -j LOG --log-prefix "NAT PREROUTING: "
$IPT -t nat -A POSTROUTING -j LOG --log-prefix "NAT POSTROUTING: "
$IPT -t nat -A OUTPUT -j LOG --log-prefix "NAT OUTPUT: "
# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t nat --policy OUTPUT DROP
###############################################################
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
# Using Connection State to By-pass Rule Checking
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Using the state module alone, INVALID will break protocols that use
# bi-directional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP and
# IRC are the only protocols with ALG support.
$IPT -A INPUT -m state --state INVALID -j LOG \
--log-prefix "INVALID input: "
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j LOG \
--log-prefix "INVALID output: "
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j LOG \
--log-prefix "INVALID forward: "
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -t nat -A PREROUTING -m state --state INVALID -j LOG \
--log-prefix "INVALID prerouting: "
$IPT -t nat -A PREROUTING -m state --state INVALID -j DROP
$IPT -t nat -A POSTROUTING -m state --state INVALID -j LOG \
--log-prefix "INVALID postrouting: "
$IPT -t nat -A POSTROUTING -m state --state INVALID -j DROP
$IPT -t nat -A OUTPUT -m state --state INVALID -j LOG \
--log-prefix "INVALID nat output: "
$IPT -t nat -A OUTPUT -m state --state INVALID -j DROP
###############################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from the external interface's IP address
$IPT -A INPUT -i $INTERNET -s $IPADDRESS -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $IPADDRESS -j DROP
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_C -j DROP
# Refuse packets claiming to be from the loopback interface
$IPT -A INPUT -i $INTERNET -s $LOOPBACK -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $LOOPBACK -j DROP
# Refuse malformed broadcast packets
# Broadcast coming from the internet
$IPT -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -A INPUT -i $INTERNET -s $BROADCAST_SRC -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $BROADCAST_SRC -j DROP
# Broadcast out to the internet
$IPT -A FORWARD -i $LAN_INTERFACE -o $INTERNET \
-d $BROADCAST_SRC -j DROP
# Don't forward limited broadcasts in either direction
$IPT -A FORWARD -d $BROADCAST_DEST -j DROP
# Block illegal multicast packets
$IPT -A INPUT -p ! udp -d $CLASS_D_MULTICAST -j DROP
$IPT -A FORWARD -p ! udp -d $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses
$IPT -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
# refuse addresses defined as reserved by the IANA
# 0.*.*.* - Can't be blocked unilaterally with DHCP
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s 192.0.2.0/24 -j DROP
###############################################################
# ICMP Control and Status Messages
# Drop initial ICMP fragments
$IPT -A INPUT --fragment -p icmp -j DROP
$IPT -A OUTPUT --fragment -p icmp -j DROP
$IPT -A FORWARD --fragment -p icmp -j DROP
$IPT -t nat -A PREROUTING --fragment -p icmp -j DROP
$IPT -t nat -A POSTROUTING --fragment -p icmp -j DROP
$IPT -t nat -A OUTPUT --fragment -p icmp -j DROP
#Other pings
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp -j ACCEPT
$IPT -A FORWARD -i $INTERNET -p icmp -j ACCEPT
$IPT -A FORWARD -o $INTERNET -p icmp -j ACCEPT
$IPT -t nat -A PREROUTING -i $INTERNET -p icmp -j ACCEPT
$IPT -t nat -A OUTPUT -o $INTERNET -p icmp -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p icmp -j ACCEPT
###############################################################
# Allow Traceroutes
$IPT -A INPUT -i $INTERNET -p udp \
-d $IPADDRESS --dport 32769:65535 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p udp \
-s $IPADDRESS --sport 32769:65535 \
--dport 33434:33523 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p udp \
-s $IPADDRESS --sport 32769:65535 \
--dport 33434:33523 -j ACCEPT
$IPT -t nat -A PREROUTING -i $INTERNET -p udp \
-d $IPADDRESS --dport 32769:65535 -j ACCEPT
$IPT -t nat -A OUTPUT -o $INTERNET -p udp \
-s $IPADDRESS --sport 32769:65535 \
--dport 33434:33523 -j ACCEPT
###############################################################
###############################################################
# #
# This is our custom stuff #
# #
###############################################################
###############################################################
#Prerouting address to other Servers
#...........Website on Athena ports 80 and 443.............#
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
--sport $UNPRIVPORTS -d $ATHENAEXTADDRESS --dport 80 \
-j DNAT --to-destination $ATHENAINTADDRESS
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
--sport $UNPRIVPORTS -d $ATHENAEXTADDRESS --dport 443 \
-j DNAT --to-destination $ATHENAINTADDRESS
#..........DNS Server on Athena...............#
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
--sport $UNPRIVPORTS -d $ATHENAEXTADDRESS --dport 53 \
-j DNAT --to-destination $ATHENAINTADDRESS
#...........Email Server On Hermes............#
#....First Redirect all incoming Port 25 through Barracuda....#
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
--sport $UNPRIVPORTS -d $HERMESEXTADDRESS --dport 25 \
-j DNAT --to-destination 192.168.100.14
#...All Other Email Stuff is Done From HERMES....#
#POP
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
--sport $UNPRIVPORTS -d $HERMESEXTADDRESS --dport 110 \
-j DNAT --to-destination $HERMESINTADDRESS
#IMAP
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
--sport $UNPRIVPORTS -d $HERMESEXTADDRESS --dport 143 \
-j DNAT --to-destination $HERMESINTADDRESS
###############################################################
# DNS
# One name server gets prerouting
#..................Local Name Server Number ..................#
$IPT -A INPUT -i $INTERNET -p udp \
--sport $UNPRIVPORTS -d $IPADDRESS --dport 53 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p udp \
--sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPT -A FORWARD -o $INTERNET -p udp \
--sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPT -t nat -A PREROUTING -i $INTERNET -p udp \
--sport $UNPRIVPORTS -d $IPADDRESS --dport 53 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p udp \
--sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPT -t nat -A OUTPUT -o $INTERNET -p udp \
--sport $UNPRIVPORTS --dport 53 -j ACCEPT
###############################################################
###############################################################
# #
# Leave at the bottom for SNAT #
# #
###############################################################
###############################################################
#..............For Email................#
$IPT -t nat -A POSTROUTING -o $INTERNET \
-s 192.168.100.50/32 \
-j SNAT --to-source 209.xxx.xxx.116
#..............For Everything else......#
$IPT -t nat -A POSTROUTING -o $INTERNET \
-s $LAN_NETWORK \
-j SNAT --to-source $IPADDRESS
08-29-2007, 03:40 PM | #2 | sparc86 (Member; Registered: Jul 2006; Location: Joinville, Brazil; Distribution: Debian, CentOS; Posts: 301)
08-29-2007, 04:06 PM | #3 | davidz (LQ Newbie; Registered: Aug 2007; Posts: 11; Original Poster)
Quote: Originally Posted by sparc86
Good link. What I am wondering is the best way to do default policies. Even in that example they only apply a DROP policy to INPUT and FORWARD; all others are ACCEPT policies. Is it safe to say that I can change my default policy on my NAT tables to accept? Then I only have to make rules for INPUT, OUTPUT, FORWARD?
I'm mostly looking for best default practices, mainly because when I do a DROP policy on all tables I can't get anything to work properly. :-)
Thanks,
David
08-29-2007, 05:31 PM | #4 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by davidz
What I am wondering is the best way to do default policies. Even in that example they only apply a DROP policy to INPUT and FORWARD; all others are ACCEPT policies. Is it safe to say that I can change my default policy on my NAT tables to accept? Then I only have to make rules for INPUT, OUTPUT, FORWARD?
Yes, you should keep your nat table chains' policies set to ACCEPT. But you still need to make your DNAT and SNAT rules, of course. Filtering should be done only in the filter table, so set your INPUT, OUTPUT, and FORWARD policies to DROP, but leave your nat table's PREROUTING, POSTROUTING, and OUTPUT chains set to ACCEPT. Same goes for your mangle and raw tables.
Code:
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -t filter -P OUTPUT DROP
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
EDIT: Note that there are probably special cases when changing policies for some of these non-filter chains is indeed necessary. I am, however, not familiar with those cases.
Last edited by win32sux; 08-30-2007 at 09:36 AM.
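Both the original question (does every published server really need six rules?) and the answer above come down to how a packet moves through the tables. A forwarded, DNAT'd connection is consulted against nat PREROUTING only for its first packet (connection tracking applies the mapping to the rest), then every packet passes FORWARD, and the first packet is consulted against nat POSTROUTING; it never enters INPUT or OUTPUT at all. That is why the nat chains in the original script only ever log one packet per connection, and why a DROP policy there makes later packets of a connection vanish. The script below is an added example written for this thread, not the poster's script and not code from the book he cites. It keeps the thread's interface names and internal addresses; the public addresses are an assumption, using the RFC 5737 documentation range 203.0.113.0/24 in place of the redacted 209.xxx.xxx block. Each published service costs two rules, and the anti-spoofing list is a loop so that it cannot acquire the duplicate entries that copy-paste produces.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script).
# Minimal filter/nat layout for the topology described above:
#   eth1 = Internet, eth0 = LAN, web/DNS host and mail host reached by DNAT.
# Assumption: public addresses use the RFC 5737 range 203.0.113.0/24 in
# place of the redacted 209.xxx.xxx.x block; internal addresses and
# interface names are the ones from the thread.
# "sh firewall.sh start" loads the rules, "sh firewall.sh dry-run" prints them.

IPT="${IPT:-iptables}"
INTERNET="eth1"
LAN_INTERFACE="eth0"
LAN_NETWORK="192.168.0.0/16"
IPADDRESS="203.0.113.114"              # firewall's own public address
WEB_EXT="203.0.113.115";  WEB_INT="192.168.100.54"
MAIL_EXT="203.0.113.116"; MAIL_INT="192.168.100.50"
SMTP_FILTER="192.168.100.14"           # appliance that receives inbound SMTP

# publish EXT_IP INT_IP PROTO PORT
# A DNAT'd connection needs exactly two rules: the nat PREROUTING rule,
# which only the first packet of each connection consults, and a FORWARD
# rule that admits that NEW connection to the rewritten destination.
# Later packets match the ESTABLISHED rule in FORWARD; INPUT and OUTPUT
# never see forwarded traffic.
publish() {
    $IPT -t nat -A PREROUTING -i $INTERNET -p "$3" -d "$1" --dport "$4" \
        -j DNAT --to-destination "$2"
    $IPT -A FORWARD -i $INTERNET -o $LAN_INTERFACE -p "$3" -d "$2" --dport "$4" \
        -m state --state NEW -j ACCEPT
}

build_firewall() {
    # Start clean. Only the filter table gets DROP policies; nat and mangle
    # stay ACCEPT so packets the nat table never consults are not lost.
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
    for c in INPUT OUTPUT FORWARD; do $IPT -P $c DROP; done
    for c in PREROUTING POSTROUTING OUTPUT; do $IPT -t nat -P $c ACCEPT; done

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing on the Internet side, as one list rather than copy-paste.
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
               192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 $IPADDRESS; do
        $IPT -A INPUT   -i $INTERNET -s $net -j DROP
        $IPT -A FORWARD -i $INTERNET -s $net -j DROP
    done

    # Connection tracking once per filter chain; INVALID is dropped.
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A $c -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A $c -m state --state INVALID -j DROP
    done

    # Published services: web and DNS on one host, mail on another,
    # inbound SMTP via the filtering appliance first.
    publish $WEB_EXT  $WEB_INT     tcp 80
    publish $WEB_EXT  $WEB_INT     tcp 443
    publish $WEB_EXT  $WEB_INT     tcp 53
    publish $WEB_EXT  $WEB_INT     udp 53
    publish $MAIL_EXT $SMTP_FILTER tcp 25
    publish $MAIL_EXT $MAIL_INT    tcp 110
    publish $MAIL_EXT $MAIL_INT    tcp 143

    # LAN to Internet: one FORWARD rule, then SNAT (most specific source first
    # so the mail host leaves from its own public address).
    $IPT -A FORWARD -i $LAN_INTERFACE -o $INTERNET -s $LAN_NETWORK \
        -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $INTERNET -s $MAIL_INT    -j SNAT --to-source $MAIL_EXT
    $IPT -t nat -A POSTROUTING -o $INTERNET -s $LAN_NETWORK -j SNAT --to-source $IPADDRESS

    # The firewall host itself: SSH from the LAN, rate-limited ping from
    # anywhere, and any new outbound connection it initiates.
    $IPT -A INPUT -i $LAN_INTERFACE -s $LAN_NETWORK -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    start)   build_firewall ;;
    dry-run) IPT="echo iptables"; build_firewall ;;
esac
```

Run `sh firewall.sh dry-run` to print the commands and check them against what you expect before loading them with `start` as root. The `-m state` match is what the iptables on CentOS 4 shipped; on current systems `-m conntrack --ctstate` performs the same check. The sysctl hardening at the top of the original script (rp_filter, syncookies, no source routing or redirects) still belongs in front of this and was left out only for length. Two deliberate differences from the original: INVALID packets are dropped without a LOG rule per chain (put one behind `-m limit` if you want it), and the firewall does not accept arbitrary UDP on ports 32769:65535 the way the original traceroute section does; that rule lets any UDP datagram in that range reach the host so that an inbound traceroute can end on it, which is a wide opening for a cosmetic benefit. Replies to the firewall's own outbound traceroutes are ICMP errors that conntrack classifies as RELATED, so they need no extra rule.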
08-30-2007, 09:31 AM | #5 | davidz (LQ Newbie; Registered: Aug 2007; Posts: 11; Original Poster)
Quote: Originally Posted by win32sux
Yes, you should keep your nat table chains' policies set to ACCEPT. But you still need to make your DNAT and SNAT rules, of course. Filtering should be done only in the filter table, so set your INPUT, OUTPUT, and FORWARD policies to DROP, but leave your nat table's PREROUTING, POSTROUTING, and OUTPUT chains set to ACCEPT. Same goes for your mangle and raw tables.
Thanks for the tip. I think I am actually making progress now, and the firewall is functioning as expected with new rules and such.
Thanks again,
David
08-30-2007, 09:39 AM | #6 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by davidz
Thanks for the tip.
You're very welcome.
Quote: Originally Posted by davidz
I think I am actually making progress now, and the firewall is functioning as expected with new rules and such.
Glad to hear that!
If you have any further questions down the line please don't hesitate to ask.