Hello all,
Using tcp wrappers, I would like to be able to allow only internal access to my Intranet EXCEPT for http connections to the web server (would like external users to gain access to web site). Any advice on how to properly set this up?
What version of Linux are you running?
Type:
# uname -a
You can change the /etc/hosts.allow and hosts.deny files, but it would be better if you got a simple firewall to do the wrappers for you.
/Raz
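For the tcp wrappers half of the question, this is what the two files look like for the policy asked for (an added example, not part of Raz's reply). It assumes the LAN is 192.168.0.0/24. tcp wrappers only govern daemons started through tcpd from inetd/xinetd or linked against libwrap; Apache is neither, so these files do not touch it and it keeps answering port 80 from anywhere. The "except HTTP" part therefore needs no wrapper rule at all; limiting who can reach port 80 is a packet-filter job.

```text
# /etc/hosts.allow   (consulted first; the first matching line decides)
ALL: 127.0.0.1 192.168.0.0/255.255.255.0

# /etc/hosts.deny    (reached only when nothing in hosts.allow matched)
ALL: ALL
```

Check the result before relying on it: tcpdchk reports syntax problems in both files, and tcpdmatch in.telnetd 192.168.0.5 versus tcpdmatch in.telnetd 203.0.113.7 prints which line grants or refuses each client.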
RedHat 7.0 - v2.4.2
I made a poor attempt at configuring a firewall; now I am just looking at setting up the basics. I configured and used the firewall script posted on the linux-firewall-tools.com web site and thought I had everything set up the way the documentation suggested, but when I attempt to run the script I get run errors: two "command not found" and an EOF, and I have no clue what is causing the errors.
Type:
# chkconfig --list | grep ipchains
Does it come back with:
ipchains   0:off   1:off   2:on   3:on   4:on   5:on   6:off
If so, then tell me your internal interface and eth number and your external interface and eth number (or make up a fake external Internet IP address for this example). I'll post you a script that will do what you ask. You need to get the /etc/rc.d/rc.local file to run it.
/raz
[Edited by razbot on 05-29-2001 at 12:53 PM]
chkconfig shows as you reported.
For security reasons I will use a "fake" external IP address:
LAN = 192.168.0.1
External = 192.168.100.10
Thanks for your quick responses, Raz!
Ok, here goes.

First make an empty script file in the directory /etc/rc.d and call it firewall.sh. Make sure you "chmod 700 /etc/rc.d/firewall.sh" so it can run. Then add this line at the end of /etc/rc.d/rc.local:

/etc/rc.d/firewall.sh

Now I'm going to assume you have one network card for your two network IPs:

LAN = 192.168.0.1 "eth0"
External = 192.168.100.10 "eth0:0"

-------------- oooo ---------------

Now put this into your /etc/rc.d/firewall.sh script.

```sh
#!/bin/sh
# firewall script by Raz

# kernel network hardening
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# clear all ipchains settings
ipchains -F

# Deny all access to server, secure mode enabled.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# sets masquerading timeout values (seconds) for TCP, TCP after FIN, and UDP
ipchains -M -S 4800 15 200

# magic NAT setting for MASQing
# only used so the internal LAN can use the firewall as a gateway to access the Internet etc.
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# allow your private Windows box on the internal LAN SSH (or telnet) access.
# 192.168.0.122 is the example IP address you use to remotely connect to the firewall;
# change 22 to 23 if you need telnet access.
# These two rules sit BEFORE the blanket LAN accept below so the -l actually logs each
# connection.  (The original post had the ports swapped: the client connects FROM a high
# port TO port 22, and the reply goes FROM port 22 back to the high port.)
ipchains -A input -p tcp -s 192.168.0.122 1023:65535 -d 192.168.0.1 22 -j ACCEPT -l
ipchains -A output -p tcp -s 192.168.0.1 22 -d 192.168.0.122 1023:65535 -j ACCEPT

# allows access to server from internal and local only
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.0.0/24 -j ACCEPT

# stops Windows netbios traffic in every direction
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY

# stops spoof attacks: private, loopback and broadcast sources arriving for the external IP.
# eth0:0 is an IP alias on eth0, not a separate device, so "-i eth0:0" never matches a
# packet; match on the external address instead.  -l logs every hit to syslog.
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 192.168.100.10 -j DENY -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 192.168.100.10 -j DENY -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 192.168.100.10 -j DENY -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 192.168.100.10 -j DENY -l
ipchains -A input -i eth0 -s 255.255.255.255 -d 192.168.100.10 -j DENY -l
ipchains -A input -i eth0 -d 0.0.0.0 -j DENY -l

# turns off tracerouting to you, EXTERNAL IP used.
# traceroute probes go to UDP destination ports 33434 and up, so the range belongs on -d
ipchains -A input -p udp -s 0/0 -d 192.168.100.10 33434:33600 -j DENY -l

# access allowed from the Internet to the web site, port 80 only:
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 192.168.100.10 --dport 80 -j ACCEPT
ipchains -A output -p tcp -s 192.168.100.10 --sport 80 -d 0/0 -j ACCEPT

# don't know your DNS addresses, so let's call them 154.67.86.2 & 154.67.85.2
# DNS lookup allowed only (TCP)
ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# secondary DNS allow
ipchains -A input -p tcp ! -y -s 154.67.85.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# DNS lookup UDP allowed
ipchains -A output -p udp -s 192.168.100.10 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# secondary DNS allow UDP
ipchains -A input -p udp -s 154.67.85.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT

# allow your firewall to surf the net, and internal users that use the firewall as a gateway.
# HTTP 80, HTTPS and proxy access.  "! -y" lets only non-SYN packets (replies) back in.
# -t 0x01 0x10 sets the minimum-delay TOS bit to improve speed on Internet connections.
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTP 8080 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 8080 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 8080 -d 192.168.100.10 1023:65535 -j ACCEPT

# example to allow users to use MSN Messenger
ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 192.168.100.10 1023:65535 -j ACCEPT

# now the fun bit: log people trying to scan the firewall.
# the default policy would drop these anyway; -l makes each probe show up in /var/log/messages
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 2 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 3 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 4 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 5 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 6 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 7 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 8 -j DENY -l
# that catches counting scans; the common service ports below are logged too
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 20 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 21 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 23 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 25 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 53 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 79 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 110 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 111 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 113 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 443 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 8080 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 6000 -j DENY -l

# icmp pings and pongs etc: send anything, accept only replies and error messages
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT    # echo reply
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT    # destination unreachable
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT    # source quench
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT    # router advertisement
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j ACCEPT   # time exceeded
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT   # parameter problem
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT   # timestamp reply
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT   # address mask reply

# deny ICMP requests for security
# (change the accepts above and you screw up the point of ICMP, which is to manage packets)
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l   # echo request (ping)
ipchains -A input -p icmp -s 0/0 --icmp-type 5 -d 0/0 -j DENY -l   # redirect
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l  # router solicitation
# done
```

# ---------- ooooo ------------

Now test the script by running it. It should work, but most of this is from my head, so good luck.
/Raz
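Before loading a ruleset like the one above, it is worth walking a few packets through it by hand, because ipchains is first-match and a rule that is mis-ordered or has its port on the wrong side fails silently into the chain policy. The block below is an added example, not part of the thread and not a tool ipchains ships: a small Python simulator for the subset of ipchains options the script uses (-A/-P, -i, -p, -s/-d with an optional port or range, --sport/--dport, -y and ! -y, --icmp-type, -j, -l). The rule text is a constructed excerpt of the input chain; the packets are constructed, with 203.0.113.x standing in for hosts on the Internet. It also reproduces the thread's original traceroute rule, which put the 33434:33600 range after -s, to show that such a rule never fires.

```python
"""Added example (not from the thread, not a tool ipchains ships): a first-match
simulator for the option subset firewall.sh uses, so the policy can be checked on
paper before it goes live.  All rules and packets are constructed; 203.0.113.x
stands in for hosts on the Internet."""
import ipaddress
import shlex

# Constructed excerpt of the script's input chain (with the corrected rules).
RULES = """
ipchains -P input DENY
ipchains -A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 192.168.100.10 -j DENY -l
ipchains -A input -p udp -s 0/0 -d 192.168.100.10 33434:33600 -j DENY -l
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 192.168.100.10 --dport 80 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 192.168.100.10 1023:65535 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 23 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
"""
# The thread's original traceroute rule: the range follows -s, so it is a SOURCE
# port match, but traceroute probes carry 33434 and up as the DESTINATION port.
ORIGINAL_TRACEROUTE_RULE = "ipchains -A input -p udp -d 192.168.100.10 -s 0/0 33434:33600 -j DENY -l"


def parse_addr(tok):  # '0/0', '10.0.0.0/8' or a bare host -> ip_network
    addr, _, bits = tok.partition("/")
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == '0' else addr}/{bits or '32'}", strict=False)


def parse_port(tok):  # '80' -> (80, 80); '1023:65535' -> (1023, 65535)
    lo, _, hi = tok.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line):
    toks = shlex.split(line)
    rule, negate, i = {"policy": False, "log": False, "chain": None, "target": None}, False, 1
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
        elif t == "-P":
            rule.update(policy=True, chain=toks[i + 1], target=toks[i + 2]); i += 3
        elif t == "-A":
            rule["chain"], i = toks[i + 1], i + 2
        elif t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            rule[side], i = parse_addr(toks[i + 1]), i + 2
            if i < len(toks) and toks[i][0].isdigit():  # a port or range may follow the address
                rule[side[0] + "port"], i = parse_port(toks[i]), i + 1
        elif t in ("--sport", "--dport"):
            rule[t[2:]], i = parse_port(toks[i + 1]), i + 2
        elif t in ("-p", "-i", "-j"):
            rule[{"-p": "proto", "-i": "iface", "-j": "target"}[t]], i = toks[i + 1], i + 2
        elif t == "--icmp-type":
            rule["icmp_type"], i = int(toks[i + 1]), i + 2
        elif t == "-y":  # match SYN-only packets; "! -y" matches everything else (replies)
            rule["syn"], negate, i = not negate, False, i + 1
        elif t == "-l":
            rule["log"], i = True, i + 1
        else:
            raise ValueError(f"unsupported option {t!r} in {line!r}")
    return rule


def matches(rule, pkt):  # every selector present in the rule must hold for the packet
    if rule.get("iface", pkt["iface"]) != pkt["iface"] or rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if side in rule and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    for port in ("sport", "dport"):
        if port in rule and (pkt[port] is None or not rule[port][0] <= pkt[port] <= rule[port][1]):
            return False
    return rule.get("syn", pkt["syn"]) == pkt["syn"] and rule.get("icmp_type", pkt["icmp_type"]) == pkt["icmp_type"]


def evaluate(rules_text, chain, pkt):
    """First match wins: (target, logged) of the deciding rule, or (policy, False) on fall-through."""
    policy = "ACCEPT"
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if rule["chain"] != chain:
            continue
        if rule["policy"]:
            policy = rule["target"]
        elif matches(rule, pkt):
            return rule["target"], rule["log"]
    return policy, False


def pkt(iface, proto, src, dst, sport=None, dport=None, syn=False, icmp_type=None):
    return dict(iface=iface, proto=proto, src=src, dst=dst, sport=sport, dport=dport, syn=syn, icmp_type=icmp_type)


EXT = "192.168.100.10"
CASES = {  # constructed packets arriving on the single NIC
    "external web client": pkt("eth0", "tcp", "203.0.113.5", EXT, 40000, 80, syn=True),
    "external telnet probe": pkt("eth0", "tcp", "203.0.113.5", EXT, 40000, 23, syn=True),
    "external ssh probe": pkt("eth0", "tcp", "203.0.113.5", EXT, 40000, 22, syn=True),
    "https reply to our client": pkt("eth0", "tcp", "203.0.113.9", EXT, 443, 40000),
    "lan host to firewall": pkt("eth0", "tcp", "192.168.0.50", "192.168.0.1", 40000, 22, syn=True),
    "spoofed 10/8 from outside": pkt("eth0", "tcp", "10.1.2.3", EXT, 40000, 80, syn=True),
    "external ping": pkt("eth0", "icmp", "203.0.113.5", EXT, icmp_type=8),
    "traceroute probe": pkt("eth0", "udp", "203.0.113.5", EXT, 40000, 33440),
}


def run_all():
    return {name: evaluate(RULES, "input", p) for name, p in CASES.items()}


def check_original_traceroute_rule():
    # With the range on -s the probe never matches: still dropped by policy, but silently.
    return evaluate("ipchains -P input DENY\n" + ORIGINAL_TRACEROUTE_RULE, "input", CASES["traceroute probe"])
```

run_all() returns ACCEPT for the external web client, the HTTPS reply and the LAN host, DENY with a log line for the telnet probe, the spoofed 10/8 source, the ping and the traceroute probe, and a silent DENY for the SSH probe, which no rule names and which therefore falls through to the policy. check_original_traceroute_rule() returns the same silent DENY for the traceroute probe: the packet is still dropped, but the -l on that rule never produces the log entry it was written for. Note the ordering effect in the spoof case: the packet is aimed at port 80, yet the anti-spoof rule decides because it comes first.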
Sorry it has taken me so long to post a reply, but I tried the script you suggested (with adjustments, of course) and that didn't work either. So, knowing the RH v7.1 kernel comes with built-in iptables and ipchains, I upgraded from 7.0. Used the firewall-config utility and everything seems to be working okay. I will be using Nessus to try and crack through my firewall and will go from there.
Razbot, thanks for all of your help! It's people like you that make this all worthwhile! :')