LinuxQuestions.org
Old 07-30-2004, 05:54 AM   #1
myguest
Distribution: redhat
Setting up a firewall


I have a firewall where I added new rules ext-if and int-if for external and internal interfaces respectively.

Firstly I flushed all built-in rules and then deny everything.

I then set up jumps to each chain as follows:

iptables -A INPUT -i $EXT_IFACE -j ext-if
iptables -A INPUT -i $INT_IFACE -j int-if

The next rule I added is

iptables -A ext-if -j ACCEPT

If I list the rules in the chain, the first rule seems to be accepting traffic from anywhere to anywhere.

What I want to achieve is to allow traffic to and from my ISP only, and for my box not to be used as an open proxy.

I tried to modify the above rule (iptables -A ext-if -j ACCEPT) as

iptables -A ext-if -s $source -d $INT_ADDR -j ACCEPT
iptables -A ext-if -s $INT_ADDR -d $source -j ACCEPT

where $source is the ISP network and $INT_ADDR is my internal network.

The result is I can't browse the internet.

I then modified my rules as

1. iptables -A ext-if -j ACCEPT
2. iptables -A ext-if -s $source -d 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
3. iptables -A ext-if -s $INT_ADDR -d $source -p tcp --sport 8080 -j ACCEPT
4. iptables -A ext-if -s ! $INT_ADDR -p tcp --syn -j DROP
5. iptables -A ext-if -j DROP

This seems to be working.
I left out other rules for protocols and int-if.

My question is how can I modify rule 1 to allow traffic to and from the ISP only.
I also ran netstat -a and I am worried about foreign addresses that have established http and smtp connections. How can I verify that the connections were initiated from my network?

Other info

Squid port 8080
Redhat 9.0
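The netstat question above, as an added example that is not part of the original post: a small shell script that classifies the ESTABLISHED sockets in `netstat -nat` output as inbound (a foreign host connected to a port this box listens on) or outbound (this box opened the connection). The sample netstat output, addresses and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread). Classifies the ESTABLISHED TCP
# sockets in `netstat -nat` output: if the local port is one this box is
# LISTENing on, a foreign host opened the connection (inbound); otherwise
# this box opened it (outbound). The sample output below is constructed.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:8080         192.168.1.5:34511       ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:41022        203.0.113.80:80         ESTABLISHED'

# Reads netstat -nat text on stdin; prints "inbound|outbound LOCAL FOREIGN".
classify_conns() {
    awk '
    $NF == "LISTEN" {                 # remember every port with a listener
        n = split($4, a, ":"); listening[a[n]] = 1; next
    }
    $NF == "ESTABLISHED" {
        n = split($4, a, ":"); lport = a[n]
        if (lport in listening) dir = "inbound"; else dir = "outbound"
        print dir, $4, $5
    }'
}

# Count inbound connections whose foreign address is outside the LAN prefix
# ($2, e.g. 192.168.1.); these are the "foreign addresses" to investigate.
count_foreign_inbound() {
    printf '%s\n' "$1" | classify_conns | awk -v pfx="$2" '
        $1 == "inbound" && index($3, pfx) != 1 { c++ }
        END { print c + 0 }'
}

# Stand-alone use: sh thisfile   (or on a live box: netstat -nat | classify_conns)
printf '%s\n' "$SAMPLE_NETSTAT" | classify_conns
```

A connection counted as inbound from outside the LAN on port 25 or 8080 is exactly the open-relay or open-proxy use the poster is worried about; a socket listed as outbound was started locally (for Squid, on behalf of a LAN client).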
 
Old 07-30-2004, 07:43 AM   #2
Hangdog42
Distribution: Slackware
Quote:
If I list the rules in the chain, the first rule seems to be accepting traffic from anywhere to anywhere.
Well, iptables processes the rules in order and stops with the first rule that matches the packet, so that rule (which accepts everything) is the first match and iptables stops processing and moves on to the next packet.

Quote:
My question is how can I modify rule 1 to allow traffic to and from the ISP only
I don't think you can do this. If I understand TCP/IP correctly, packets only "know" where they came from and their final destination; they don't have any concept of the route they take.

Quote:
How can I verify that the connections were initiated from my network?
I'm not sure I entirely understand what you are trying to accomplish here. Are you trying to limit http and smtp connections to your LAN?
 
Old 07-30-2004, 09:06 AM   #3
myguest
Distribution: redhat
I am not trying to limit smtp or http, but I only want such traffic between my box and the ISP.

What I want at the end of the day is to avoid an open relay and an open proxy.
 
Old 07-30-2004, 09:43 AM   #4
Hangdog42
Distribution: Slackware
If you are trying to avoid open relays and proxies, you are better off doing this at the application level rather than at the firewall level.
 
Old 08-02-2004, 08:26 AM   #5
myguest
Distribution: redhat
Thanks.

I've configured access lists for squid and an access file for stopping open RELAY.

But my worry was to accept traffic from the ISP to us rather than this:

iptables -A ext-if -j ACCEPT

as my first rule
 
Old 08-02-2004, 12:32 PM   #6
Hangdog42
Distribution: Slackware
If you have iptables -A -i ext-if -j ACCEPT as your first rule, you may as well not have a firewall at all. What would be better would be to use state matches. For example, if your first rule was

iptables -A INPUT -i $EXT_IFACE -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Then you would only be accepting packets related to processes within your system. Someone trying to access your system from the outside wouldn't be able to. Now this would be a problem if you are running something like a web server you want others to access, but you could always open those specific ports in a later statement.
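The stateful approach described in this reply, as an added example that is not part of the original post or of any project's code: a script that generates a complete rule set with the user's ext-if and int-if chains, accepting on the external side only ESTABLISHED,RELATED packets and opening the proxy and mail ports only to the LAN. Interface names, the LAN prefix and the port list are assumed values (Squid on 8080 comes from the thread); the script assumes the box is a proxy gateway that does not forward packets.

```shell
#!/bin/sh
# Added example (not code from the thread). Generates a stateful rule set for
# a gateway with an external and an internal interface, using the
# ESTABLISHED,RELATED match from this reply instead of a blanket
# "-A ext-if -j ACCEPT". Interface names, the LAN prefix and the ports are
# assumed values; Squid on TCP 8080 comes from the original post.
EXT_IFACE="${EXT_IFACE:-eth0}"         # assumed external interface
INT_IFACE="${INT_IFACE:-eth1}"         # assumed internal interface
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed internal LAN
LAN_PORTS="${LAN_PORTS:-8080 25}"      # services the LAN may open: proxy, mail

# Print the rule set as iptables commands (nothing is applied here).
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N ext-if
iptables -N int-if
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $EXT_IFACE -j ext-if
iptables -A INPUT -i $INT_IFACE -j int-if
iptables -A ext-if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-if -j DROP
iptables -A int-if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Only the LAN may open new connections, and only to the listed services;
    # nothing from the outside interface can ever start a connection.
    for p in $LAN_PORTS; do
        echo "iptables -A int-if -s $INT_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A int-if -j DROP"
}

# Execute the generated rules; run as: sh thisfile apply
apply_rules() {
    build_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run without arguments the script only prints the rules for review; a web server that must be reachable from outside would need its own `--dport` rule inserted in ext-if before the final DROP, as the reply notes.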
 
  

