Bob,

First I recommend matching rules against ips and NOT interfaces, with few
exceptions. Those exceptions are lo and ipsecN (loopback, vpn) and
anti-spoofing on input/output. The reason is to work in layers (clean design)
and allow your interfaces to be independent of your ips, and to simplify the
rule set (ease of admin understanding) and the amount of criteria for each
rule (reduction of kernel processing).
On Wed, Sep 17, 2003 at 04:53:30PM +0000, Bob Crandell wrote:
> Hi,
>
> I'm trying to restrict access to a few networks like 216.239.175.0/24 and
> 64.28.48.0/24 and individual addresses like mine, 64.112.226.198. Here is my
> problem:
>
> I need to redirect port 81 to 8080 which is the port DansGuardian listens to.
>
> Here is rc.iptables:
> #===================================
> #!/bin/sh
>
> LOOPNET="127.0.0.0/8"
> LOCALNET="216.239.175.0/24"
>
> echo " Clearing existing configuration."
> /usr/sbin/iptables -P INPUT ACCEPT
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -P OUTPUT ACCEPT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -P FORWARD ACCEPT
> /usr/sbin/iptables -F FORWARD

These lines above completely disable and open your firewall. Everything else
you've written below has no effect, except possibly the redirect. You need:
iptables -P INPUT DROP and the same for OUTPUT and FORWARD. Then you need
accurate rules that allow only the traffic you want in.

> /usr/sbin/iptables -F -t nat
> /usr/sbin/iptables -F logdrop
> /usr/sbin/iptables -X logdrop
>
> echo "Create Drop Chain."
> /usr/sbin/iptables -N logdrop
> /usr/sbin/iptables -A logdrop -j LOG --log-level info
> /usr/sbin/iptables -A logdrop -j DROP

This will fill up your log files if you get hit with, oh, a few port scans
from nmap. Use the '-m limit' feature described in 'man iptables'.

> echo "INPUT Rule sets."
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT

Again, the line above disables your firewall on eth0. If eth0 is connected to
the internet, well then... you have no firewall. Get rid of this line.

> /usr/sbin/iptables -A INPUT -i eth0 -s $LOOPNET -j logdrop
> /usr/sbin/iptables -A INPUT -i eth0 -d $LOOPNET -j logdrop

127.0.0.0/8 is not on eth0. It is on lo. These two lines do nothing.

> /usr/sbin/iptables -A INPUT -i eth0 -s $LOCALNET -j ACCEPT

This line is ok, but provides no firewall to the local lan. I wouldn't do this.
With a properly configured firewall, the attacker gets in through an
application provided through the firewall, like a webserver. Once the attacker
controls the webserver (sitting in a dmz) he then wants to get access to
others. Now the firewall is open to the internal lan, so that's the next
target. If he gets it, he has access to all incoming and outgoing data to
either stop, modify or simply syphon.

> echo "Redirect Web traffic through Dan's Guardian"
> /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT
> --to-port 8080

iptables -t nat -A PREROUTING -p tcp -s $intnet -d $intip --dport 81 -j REDIRECT --to-port 8080

You have your proxy set to anything coming in on eth0. Instead match by ip
address as above. Also you are not using any state matching. That is one of
the huge benefits to using netfilter and iptables! When you fix your policies,
you'll need to use state matching or you'll have to use more complex, less
effective ipchains-like rules.

> The networks and IP addresses change over time so it needs to be easy to adjust
> after it's in place.

Just use variables at the beginning. Look at my scripts:
http://www.euglug.org/stateful_firewalling.tgz

Cory

--
Cory Petkovsek                 Adapting Information
Adaptable IT Consulting        Technology to your
(541) 914-8417                 business
[EMAIL PROTECTED]              www.AdaptableIT.com

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
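The following script is an added example, not part of the thread and not Cory's stateful_firewalling scripts: it rewrites Bob's rc.iptables along the lines of the advice above (default DROP policies, '-m limit' on the log chain, state matching, and address-based rather than interface-based rules for the allowed networks and the port 81 redirect). EXTIF, EXTIP (192.0.2.10 is a placeholder) and the IPT dry-run variable are assumptions; the allowed networks and ports are the ones named in the thread.

```shell
#!/bin/sh
# Rewrite of the quoted rc.iptables along the lines of the advice in this thread.
# IPT defaults to a dry run that prints each rule; run with IPT=/usr/sbin/iptables as root to apply.
IPT="${IPT:-echo iptables}"
# Placeholder values (assumed): EXTIF/EXTIP are the internet-facing interface and its address.
EXTIF="eth0"
EXTIP="192.0.2.10"
# Networks and hosts named in the thread as the ones that should get access; edit here when they change.
ALLOWED="216.239.175.0/24 64.28.48.0/24 64.112.226.198/32"
LOOPNET="127.0.0.0/8"
WEBPORT=81       # port clients connect to
PROXYPORT=8080   # port DansGuardian listens on

apply_rules() {
    # Default-deny policies before flushing, so nothing is open while the rules load.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" DROP
        $IPT -F "$chain"
    done
    $IPT -F -t nat
    $IPT -F logdrop 2>/dev/null
    $IPT -X logdrop 2>/dev/null
    # Log chain with '-m limit' so a port scan cannot flood the logs.
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level info --log-prefix "logdrop: "
    $IPT -A logdrop -j DROP

    # The interface-based exceptions: loopback, and anti-spoofing on the external interface.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -s "$LOOPNET" -j logdrop
    $IPT -A INPUT -i "$EXTIF" -s "$EXTIP" -j logdrop
    # Stateful core: replies to permitted connections need no per-port rules.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j logdrop
    # Per-network rules keyed on address, not interface. nat PREROUTING rewrites 81 to 8080
    # before filter INPUT sees the packet, so the INPUT accept must match the proxy port.
    for net in $ALLOWED; do
        $IPT -t nat -A PREROUTING -s "$net" -d "$EXTIP" -p tcp --dport "$WEBPORT" -j REDIRECT --to-port "$PROXYPORT"
        $IPT -A INPUT -s "$net" -d "$EXTIP" -p tcp --dport "$PROXYPORT" -m state --state NEW -j ACCEPT
    done

    # Everything that reaches the end is logged (rate-limited) and dropped.
    $IPT -A INPUT -j logdrop
    $IPT -A FORWARD -j logdrop
}

apply_rules
```

Run it as-is to review the generated rule list; the PREROUTING redirect happens before the filter INPUT chain, which is why the accept rule is written against 8080 rather than 81.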
