Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
HOWTO: Iptables for newbies. PART II: Securing your Network
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
Maxwell
Tux's lil' helper
Tux's lil' helper


Joined: 10 Dec 2003
Posts: 96

PostPosted: Fri Jan 28, 2005 1:14 am    Post subject: Notebook and proxies Reply with quote

Hello

I have an Asus notebook and i use it in several networks, each of them using a different proxy. I'm thinking on setting all my icq, msn clients and firefox to use a direct connection to internet and use iptables to direct traffic to somewhere usefull (like the different proxies...).

But then i suppose i'll need a proxy running in my notebook...

So i ask for your advice: how should i configurate iptables to do this and do i need squid running? Light and fast solutions are appreciated!! :)

Thans in advance
_________________
Freedom works. Use it!
Linux, by Gentoo
Back to top
View user's profile Send private message
yaneurabeya
Veteran
Veteran


Joined: 13 May 2004
Posts: 1754
Location: Seattle

PostPosted: Thu Feb 03, 2005 5:10 am    Post subject: Reply with quote

Interesting. Gotta try out this sometime soon cause I hate being unfirewalled (even though I do run Gentoo =\...).
Back to top
View user's profile Send private message
mr.isomer
n00b
n00b


Joined: 16 Feb 2004
Posts: 47

PostPosted: Tue Feb 15, 2005 12:23 am    Post subject: Reply with quote

Ok I hope someone can help me out with this:

I use broadband to connect no ppp0... just eth0 ... how do I edit the script?

Do I set this:

EXTIF='eth0'

and get rid of INTIF ???


Great HOWTO BTW... I just hope it mentioned this
Back to top
View user's profile Send private message
Jerri
Guru
Guru


Joined: 03 Apr 2003
Posts: 353

PostPosted: Tue Feb 15, 2005 5:25 am    Post subject: Reply with quote

Looking at this bit of code

Code:
# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth1
INTIF2=eth2


we see that the external interface is configured for ppp0, and there are 2 ethernet cards used for the internal network.

If you are creating a router/firewall with broadband... using two network cards, one for external, one internal, you will want the following:

Code:
# External interface
EXTIF=etho
# Internal interface
INTIF1=eth1


then remove all instances of INTIF2 (unless of course, you wish to use multiple network cards for your internal network).
Back to top
View user's profile Send private message
mr.isomer
n00b
n00b


Joined: 16 Feb 2004
Posts: 47

PostPosted: Thu Feb 17, 2005 3:43 am    Post subject: Reply with quote

Jerri wrote:
Looking at this bit of code

Code:
# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth1
INTIF2=eth2


we see that the external interface is configured for ppp0, and there are 2 ethernet cards used for the internal network.

If you are creating a router/firewall with broadband... using two network cards, one for external, one internal, you will want the following:

Code:
# External interface
EXTIF=etho
# Internal interface
INTIF1=eth1


then remove all instances of INTIF2 (unless of course, you wish to use multiple network cards for your internal network).


thanks I'll try that... i only have 1 NIC tho... i guess this may not be for me...
Back to top
View user's profile Send private message
Jerri
Guru
Guru


Joined: 03 Apr 2003
Posts: 353

PostPosted: Fri Feb 18, 2005 2:15 am    Post subject: Reply with quote

mr.isomer,

I modified the script so that I could use it on my web server (one nic - outside the firewall). I'm not sure weather or not this was a useful thing to do, as far as security goes, since this script accepts connections from the internet (ssh, http, https). However, I guess closing uneeded ports can't hurt.



Code:
#!/bin/sh

# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="eth0"

# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"


# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":"); split(a[2],a," ");print a[1];exit}'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"


# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
for i in $CHAINS;
do
    $IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
done


##################
# LOGGING CHAINS #
##################

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT


# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $LPDIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $EXTIP  -j ACCEPT
# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  --icmp-type 8 -m state --state NEW -j ACCEPT


#######################################
# ALLOWING INSIDE TO OUTSIDE SERVICES #
#######################################

# Add port numbers that you would like to open
# from localhost to the internet

NOIP="8245"
BITTORNADO="6881:6999"

EXTRA_SERV="nntp rsync"
EXTRA_PORT="8245 1863 5190 11371 10000 1046"
TCPSERV="$EXTRA_SERV $EXTRA_PORT domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time"
UDPSERV="domain time"

echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services (tcp): "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services (udp): "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  --dport $i -m state --state NEW -j ACCEPT
done
echo ""

#################################
# ALLOWING EXTERNAL ACCESS TO   #
#    SERVICES ON FIREWALL       #
#                               #
#     !!! Security Risk !!!     #
#################################

#Allowing external systems to use tcp services on localhost:
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport "ssh"   --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport "http"  --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport "https" --syn -m state --state NEW -j ACCEPT


##############################
# allow existing connections #
##############################

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT


#######################################
# block / log what me may have forgot #
#                                     #
#       useful for debugging          #
#######################################

#$IPT -A INPUT             -j DROPl
#$IPT -A OUTPUT            -j REJECTl
#$IPT -A FORWARD           -j DROPl
Back to top
View user's profile Send private message
Nard`
Apprentice
Apprentice


Joined: 23 Jan 2005
Posts: 250

PostPosted: Mon Mar 07, 2005 12:29 pm    Post subject: Reply with quote

This is proboably a stupid question, but read through all the posts and i'm trying to establish one thing:

Is the script written in the starting post meant to be run at boot (in which case i should rc-update del iptables) or just once?

also, should this script/iptables init.d script be run after or before network devices being brought up? for security i'd say before but it might cause some problems referencing interfaces that aren't "up" yet

Thanks

EDIT: How are you transferring this script? I've been copying it from this into my router via ssh yet the md5sum is different every time I do it, don't know how to do it accurately...
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Mon Mar 07, 2005 3:53 pm    Post subject: Reply with quote

The iptables init.d script should not be placed in your run time. (rc-update del iptables)

You can create your own init script and put in local if you want it to start at boot.

It should be started after the interfaces are brought up or the dynamic interface parsing will not work ($INTNET, $EXTNET, etc).

The first thing the script does is set POLICY to deny, which serves as a safety net. It also does not enable ip_forwarding till the very end, so you are not actually forwarding any traffic till after the rules have been set.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
Nard`
Apprentice
Apprentice


Joined: 23 Jan 2005
Posts: 250

PostPosted: Mon Mar 07, 2005 4:18 pm    Post subject: Reply with quote

Thanks, possibly (you've proboably already thought of this...) found a few problems:

You drop all packets, but then immediately after that you flush everything! During the (admittedly short time) beetween when you do that and you set the rules up you have a time whereby packets are non filtered. I'm proboably missing something there...

Also, i've been looking through it (and granted haven't looked at in too much detail yet) i'm not seeing what advantages these rules offer over say denying all incoming connections except on specified ports (and maybye limit that to just some ip's?). Or maybye that's exactly what it does (and logs it, which is nice despite perhaps it being slightly annoying they get lumped along with the kernel log, but thats not your fault, and could be changed by using ulog)

Oh and:

Code:

# Last but not least, the users
JAMES=192.168.1.77
TERESA=192.168.2.77


What's the point of that, it's only referenced once: in it's declaration

EDIT: forgot to mention, great tutorial :D
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Mon Mar 07, 2005 4:36 pm    Post subject: Reply with quote

Hehe,

--On the flushing, that is a very good point and oversight of mine. To be honest, I've switched platforms many months ago and stopped maintaining this tutorial after it was posted to the Gentoo Wiki where the community could easily improve as necessary. I have some vague memory that rule flushing does not remove the policies, but I could be completely off base on that.

---That's pretty much what it does....however it also has a good bit of egress filtering. Some would say this is an overkill security measure on a home system and they may be right. However, my philosophy was even in an uber secure network your 5 year old daughter can slap that floppy her teacher gave her in and circumvent it all. With this in mind, I always thought it made sense to place rules that would prevent such a worm or virus from sending itself out to the world from an infected network (if more admins practiced this, many worms viruses would be far less effective).

--Logging: Actually, I used syslog-ng (and metalog at one point) to place all the iptables rules into /var/log/iptables.log and when debugging placed all ACCEPT logs in /var/log/iptables-accept.log or some such. Since methods vary from logger to logger, I left that up to the user.


Thanks for the input, and please by all means check out the posting on the Wiki and improve on the script. I was a true iptables newbie when I started reading for this and I'm sure there's a lot of improvements that can be made and possible oversights as well. :)
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
Nard`
Apprentice
Apprentice


Joined: 23 Jan 2005
Posts: 250

PostPosted: Mon Mar 07, 2005 4:49 pm    Post subject: Reply with quote

On closer inspection, I think i'm wrong about the flushing, on my system at least:

Code:

chameleon# cat /proc/net/ip_tables_names
nat
filter


so INPUT,OUTPUT,FORWARD, remain intact. Actually that raises the worrying question about whether rules already in iptables prior to running the script could overide the ones in the script, but in a good setup that shouldn't really happen.
_________________
Programming is the process of putting bugs in.
Debugging is the process of attempting to take bugs out, doing an ugly hack, hitting your computer, then claiming insurance.
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Mon Mar 07, 2005 7:07 pm    Post subject: Reply with quote

Try this:

Run the script from a clean slate.

Type: iptables -L > myrules.txt

Take only the top part (where the POLICY is set and the rules are flushed) and put it in a separate file named flush.sh

Run the flush.sh (make sure you have local access as this should kill all networking).

Than run iptables -L > flushed.txt


Now diff the two (or visually compare). You should have listings like

[INPUT POLICY: DENY]

[OUTPUT POLICY: DENY]

or some such (I don't have a linux system to test on anymore). This would show that the rule flushing is working correctly. If you end up with POLICY: ALLOW or some such, than you have indeed spotted a small window/hole in the script.

-james
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
Morimando
Guru
Guru


Joined: 14 Feb 2005
Posts: 339
Location: Germany

PostPosted: Tue Mar 08, 2005 10:50 am    Post subject: Reply with quote

mightbe i have done something completely wrong but i always get

Code:
root@Doomsday morimando # $IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
bash: -A: command not found
root@Doomsday morimando # $IPT -A FORWARD -o $INTIF2 -d   $INTBC2  -j DROPl
bash: -A: command not found


such errors when trying to follow your HowTo. However the first parts works smooth, its halfway through the 2nd where it starts, maybe i shouldn't have run all the code that you put in and did not explain how to run it in a scriptfile? i thought that would be okay?
_________________
That young girl is one of the least benightedly unintelligent organic life forms it has been my profound lack of pleasure not to be able to avoid meeting.
-- Marvin
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Tue Mar 08, 2005 4:14 pm    Post subject: Reply with quote

You run a script file like so:

Code:

#./myscript.sh


or

Code:

# sh myscript.sh

_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
SerfurJ
l33t
l33t


Joined: 10 Apr 2004
Posts: 824
Location: Texas

PostPosted: Wed Mar 09, 2005 5:30 pm    Post subject: Reply with quote

Jerri,

for some reason after using your script, "iptables -F" messes up my internet connection. any idea why? is there anything else i need to do to reset my configuration? i'm guessing
Code:
echo 0 /proc/sys/net/ipv4/<file>
, but i don't know what the defaults were.

thanks.
Back to top
View user's profile Send private message
krunk
Guru
Guru


Joined: 27 Jul 2003
Posts: 316

PostPosted: Wed Mar 09, 2005 5:37 pm    Post subject: Reply with quote

In a pinch, you can run /etc/init.d/iptables start than stop to reset everything.

But the loop at the top of my script that deletes all chains and rules should do it too.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
Back to top
View user's profile Send private message
SerfurJ
l33t
l33t


Joined: 10 Apr 2004
Posts: 824
Location: Texas

PostPosted: Wed Mar 09, 2005 7:07 pm    Post subject: Reply with quote

that did it. but before it would let me start /etc/init.d/iptables, i had to save the rules myself
Code:
iptables-save > /var/lib/iptables/rules-save

thanks.
Back to top
View user's profile Send private message
woZa
Guru
Guru


Joined: 18 Nov 2003
Posts: 340
Location: The Steel City - UK

PostPosted: Fri Mar 11, 2005 11:54 am    Post subject: Reply with quote

Nice howto... Thanks.

Got things working well apart from printing. Clients can't access the cups server... anyone ever get this working???
_________________
A few months struggling with gentoo is better than a lifetime struggling with windoze!
Back to top
View user's profile Send private message
woZa
Guru
Guru


Joined: 18 Nov 2003
Posts: 340
Location: The Steel City - UK

PostPosted: Fri Mar 11, 2005 12:20 pm    Post subject: Reply with quote

Code:
# Allow clients to connect to CUPS server
$IPT -A INPUT   -i $INTIF -p tcp --dport 631 -j ACCEPT
$IPT -A OUTPUT  -o $INTIF -p tcp --sport 631 -j ACCEPT


seems to do the trick...
_________________
A few months struggling with gentoo is better than a lifetime struggling with windoze!
Back to top
View user's profile Send private message
SerfurJ
l33t
l33t


Joined: 10 Apr 2004
Posts: 824
Location: Texas

PostPosted: Fri Mar 11, 2005 8:24 pm    Post subject: Reply with quote

krunk,

nice tutorial, thanks.

suggestion: it would've been easier for me to follow your tutorial if there were three parts to the lesson. the second would be getting your script up to this level of complexity:

Code:
#!/bin/bash
IPTABLES='/sbin/iptables'

# set interface values
INET_IFACE='eth0'

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# block netbios noise (for windows networks)
$IPTABLES -A INPUT -p UDP -i $INET_IFACE --dport 135:139 -j DROP

### trusted hosts ###
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $INET_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT

### services available to subnets ###
# allow access to the HTTP server
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx/24 --protocol tcp --dport 80 -j ACCEPT

### services available to internet ###
# allow access to the SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT


that way, someone like me (who doesn't need to build a complex router) would just stop after lesson two.
Back to top
View user's profile Send private message
HriBB
n00b
n00b


Joined: 15 Feb 2005
Posts: 13
Location: Slovenia, Kranj

PostPosted: Wed Mar 23, 2005 11:43 pm    Post subject: Reply with quote

If you are getting this error...
Code:
kernel: ip_conntrack: table full, dropping packet.

Do this...
Code:
echo "number" > /proc/sys/net/ipv4/ip_conntrack/ip_conntrack_max


Does anyone know how to flush /proc/net/ip_conntrack ?
_________________
http://hribb.homelinux.com/
Back to top
View user's profile Send private message
nadamsieee
Guru
Guru


Joined: 30 May 2003
Posts: 340
Location: Atlanta, GA, USA

PostPosted: Mon Mar 28, 2005 3:21 pm    Post subject: Reply with quote

How do I basically undo this script entirely? I had a very simple, working config, then decided to try this.

Everything seemed great until I rebooted. Then I could not start KDE because the firewall wouldn't allow the connection, nmap no longer works because its not allowed to scan, and my simple little script that just enabled NAT now breaks the Internet connection completely.

You might want to add a disclaimer that these rules are a bit too strict for a desktop system...
_________________
nadams (at) ieee (dot) org
Back to top
View user's profile Send private message
SerfurJ
l33t
l33t


Joined: 10 Apr 2004
Posts: 824
Location: Texas

PostPosted: Mon Mar 28, 2005 8:59 pm    Post subject: Reply with quote

nadamsieee,

see my first posts on this thread:
https://forums.gentoo.org/viewtopic-p-2171669.html#2171669
Back to top
View user's profile Send private message
Barshamm
n00b
n00b


Joined: 03 Jul 2004
Posts: 2
Location: Halas, Norrath

PostPosted: Tue May 03, 2005 3:09 am    Post subject: Reply with quote

Excellent work, this REALLY helps me a lot!
Back to top
View user's profile Send private message
lost+found
Guru
Guru


Joined: 15 Nov 2004
Posts: 508
Location: North~Sea~Coa~s~~t~~~

PostPosted: Sun May 08, 2005 8:57 am    Post subject: Reply with quote

i'm using the script (page2 of this thread) on a standalone pc by removing/commenting out lines, sections, things containing $INT*...
Bwa HA HA !!!

:lol:

P.S. i put the script in /etc/ppp/ip-up, to let pppd execute it every dialup.
P.P.S. test your TruStealth status here: ShieldsUP!!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3, 4, 5  Next
Page 4 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum