On Thu, Sep 18, 2003 at 08:34:39PM +0000, Bob Crandell wrote:
> The ComCast customers are DHCP so I don't have an IP. I don't want to open up to
> their network. That leaves MAC addresses.

I still don't see the correlation. I showed you how one would use the mac module, but again I don't see why you would need it. dhcp or no, mac address is datalink layer specific.

> >The scan is done. Either the machine is down or the firewall is too
> >tight because there are no services available and I can't even get a
> >fingerprint.
> This is a good thing.

I thought you wanted to provide services to the internet, like ssh and http. If so, this isn't a good thing because there are no services available.

> # Setup Variables
> BROADCAST="216.239.175.255"
> LOOPNET="127.0.0.0/8"
> NET1="64.28.48.0/24"
> SNIPPED
> NET9="216.239.175.0/24"
> SNIPPED
>
> HOST1="64.112.226.198"
> SNIPPED

Are all of those IP addresses static? Where does the dhcp address come in? Are you manually editing the firewall when the dhcp client gets a new address?!

> echo "Create Sort Chain."
> # MAC address of router or firewall for DHCP sites like ComCast
> # How is intfw defined?
> # How is intnet defined?
> #/usr/sbin/iptables -A FORWARD -s $intfw -m mac --mac-source
> XX:XX:XX:XX:XX:XX -d ! $intnet -j ACCEPT 'for dhcp sites like comcast'

Do you mean you want to allow some clients (ie home users) to have access to this server? So you are thinking that by using the mac address module you'll be able to do this? If so this won't work. Mac addresses are only good for a lan segment. As I mentioned above, they are the datalink layer. That means they don't route. A packet that comes across the internet only contains information from the application/presentation/session, transport and network layers. Datalink (ie, ethernet) and Physical (ie cat 5/coax) information from the source network is stripped off. Using the server's own mac address won't do any good either as it is just as identifiable as is 'eth0'.

For "road warriors" (the semi-official term for remote dhcp clients), you need another mechanism. iptables doesn't have such a mechanism unless you 1) open up large blocks of ip addresses or 2) write your own custom iptables module to do some "trickery" (like port knocking). However such "trickery" would be able to be sniffed and replayed by an attacker unless you used encryption/authentication or tricky randomization and sequencing. There are mechanisms for providing remote services to such clients.

> #You probably want this if the server needs to talk to the internet.
> /usr/sbin/iptables -A sort -m state --state ESTABLISHED,RELATED -j ACCEPT

This should go at the top of the sort rule, it is going to match successfully for all connections, once they have been established. Thus listing it first will save netfilter from processing 20 rules in front of it for every packet.

> /usr/sbin/iptables -A INPUT -i eth0 -d $BROADCAST -j DROP

Why is this here? It won't stop windows broadcasts. It just requires every packet to match against this rule.

> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state
> ESTABLISHED -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state
> ESTABLISHED -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -m state --state
> ESTABLISHED -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 10000 -m state --state
> ESTABLISHED -j ACCEPT

Perhaps these are the services you want to open to the internet? If not, then you don't need them at all because the rule below (-j sort) opens up the firewall to everything listed in NET? and HOST?. If so then the lines above are incorrect. You probably mean --dport 22 instead of --sport. Packets coming to the machine are "destined" for port 22. What is on port 10,000? Do you want that open to the internet (it isn't now, but from your script it looks like you want 22, 80, 81 and so on open).

Also, you don't need "-m state" here. This is already defined in your sort chain for everything. It said, allow ALL connections that are already established. The only other ones are those that have yet to be established. They are done so first through the input chain. Since you have the -m state....ESTABLISHED rule in your input chain (you put it there when you added the '-j sort' chain below). In order to open a port to the internet you need:

/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

> /usr/sbin/iptables -A INPUT -j sort
>
> echo "FORWARD Rule sets."
> /usr/sbin/iptables -A FORWARD -j sort

Why is this here? You said 'echo 0 > /proc/net/sys/ipv4/ip_forward'. This disabled forwarding. You don't need forwarding rules that allow it! You aren't forwarding, you are proxying.

> echo " OUTPUT Rule sets."
> /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 81 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 10000 -m state --state
> NEW,ESTABLISHED -j ACCEPT

All of this does nothing. Your policy is set to -P OUTPUT ACCEPT. Thus when the above rules fail it reads the policy and accepts it.

> echo "Redirect Web traffic through Dan's Guardian"
> /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT
> --to-port 8080
> # or go around DansGuardian
> #/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT
> --to-port 3128

How does this redirect traffic? Web clients are configured to use port 80 by default, not 81. If you've configured them to use a proxy server on port 81, why not configure them to use a proxy on 8080 and forget about the redirect?

Cory

--
Cory Petkovsek                 Adapting Information
Adaptable IT Consulting         Technology to your
(541) 914-8417                 business
[EMAIL PROTECTED]
www.AdaptableIT.com

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
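The points raised in the reply above (ESTABLISHED,RELATED first in the sort chain, --dport rather than --sport for inbound services, no FORWARD rules on a box that only proxies) collected into one rule set, as an added example that is not part of the thread or of either poster's script. It runs as a dry run by default and only prints the commands; the interface name and the set of public ports are assumptions.

```shell
#!/bin/sh
# Added example, not Bob's or Cory's script. By default IPT is a dry run that
# prints each iptables command; run with IPT=/usr/sbin/iptables as root to apply.
IPT="${IPT:-echo /usr/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"                          # assumed internet-facing interface
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-22 80 81}"  # assumed: ssh, http, proxy

build_rules() {
    # Default-deny inbound; OUTPUT stays ACCEPT so OUTPUT rules are unnecessary.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -N sort
    # First rule in the chain: every packet of an already-established or related
    # connection is accepted here, so the per-service rules only ever see NEW ones.
    $IPT -A sort -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j sort

    # A packet arriving for a service on this host is matched on its DESTINATION
    # port; "--sport 22" would only match replies coming back from a remote sshd.
    # No "-m state" is needed here: anything not NEW was already accepted in sort.
    for port in $PUBLIC_TCP_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
    done

    # Deliberately no FORWARD rules: ip_forward is off and the box proxies, so
    # nothing is ever routed through it.
}

build_rules
```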
