On Sat, 21 Aug 1999, Steve Philp wrote:
> Axalon Bloodstone wrote:
> >
> > On Sat, 21 Aug 1999, Steve Fox wrote:
> >
> > > >
> > > > 5. I haven't found any package that will masquerade other LAN machines onto
> > > > the internet. Supposedly it can be done through ipchains scripts, but
> > > > I haven't made any work yet. I did use PaNTs which is supposed to work for
> > > > RedHat 6 but I can't get anything through it on port 80 (web access).
> > >
> > > echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> > > ipchains -P forward DENY
> > > ipchains -I forward -j MASQ -s 192.168.0.0/16 -i eth0 -d 0/0
> > > ipchains -I input -j DENY -s 192.168.0.0/16 -i ! eth0 -d 0/0 -l
> > >
>
> I haven't played with IP chains yet, but I get the notion that I may be
> using it to put a bigger choke mechanism on a web server box. Could you
> verify that my reading of the ipchains rules is correct?
>
> By default, deny all forwarding. Allow forwarding of packets sourced on
> 192.168. and received on eth0. Deny forwarding of 192.168. packets that
> did not get received on eth0.
>
> Is that correct?
First, a demonstration of exactly what the above commands will accomplish.
We have an existing private LAN, operating with non-internet-routable IP
addresses. Say we have two interfaces, *0 and *1, where * can be any type of
network connection: eth, ppp, lo and all the others; it doesn't matter.
Both will be ethernet, your basic high-speed connections.
We'll use eth0 for the private network (192.168.1.0/24 for this example) and
eth1 for the internet.
##end /etc/rc.d/rc.firewall
##Begin Masq
#Tell eth0 we want to be able to forward from it
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
#Setup a default reject on forwarding
ipchains -P forward REJECT
#Now the catch all logger
ipchains -A forward -s 0/0 -d 0/0 -j DENY -l
#Setup forwarding from the lan to anything not on it
ipchains -I forward -s 192.168.1.0/24 -d \! 192.168.1.0/24 -i eth1 -j MASQ
##end Masq
So:
Only forward from eth0.
By default, REJECT all forwarding requests.
Append a DENY on everything, and log it
(too many overly talented IPv4 people out there; congratulations, I'm
paranoid).
Insert a MASQ rule for our private LAN, "outgoing" only
(again the paranoid thing; some very talented source-routers).
Now some rules when creating scripts like this.
DOCUMENT every line or make some form of blocks, with comments; you WILL
forget eventually.
Unless you're really getting creative with custom chains,
appends (-A) should be used for DENY/REJECT commands,
inserts (-I) should be used for ACCEPT/MASQ commands.
This helps keep you (me) from getting denied when you swore you added
the IP to the firewall, or prevents "well how the bleep did he even get to
telnet, I had it firewalled" type situations. It basically just makes it
look nice also.
And now we tackle
> I've got the following setup: an ISDN connection that's terminated at a
> Cisco router with 2 ethernet connections running their PIX firewall
> software. On one ether port (192.168.4.x), is our "Internet" network.
> It currently houses one machine which acts as the web/email server for
> outside connections. Inside connections use that machine as their sole
> gateway to the outside world (junkbuster and squid along with pop3 and
> smtp services). The other ether port (192.168.3.x) connects to our
> internal network.
>
> I'd like to put a bigger limit on the kinds of things that the webserver
> will allow to be sent into the internal network. We need to allow the
> squid and junkbuster conversations in, and I also need to be able to
> talk to the machine via telnet from the internal connection.
>
> I'm not worried (much) about people being able to attack the internal
> network from the Internet, since they're all private IP net addresses
> that get nowhere when used on the Internet. However, if someone is able
> to break into the web box, they can see the internal network and talk to
> it from there. I'd prefer that not to be possible.
>
> Any ideas?
Following the same basic principles (everybody's with me, right?),
because here comes the fun part.
setup:
ISDN to Cisco router,
2port Cisco router, supplying
192.168.4.0/24 (cisco1 for lack of a better name)
And an unused cisco0
192.168.4.254, Will be our gateway, with an internet IP (provided by
Cisco's PIX firewall)
This machine provides 192.168.3.0/24 with proxying via squid and
junkbuster
with 192.168.3.254 as its internal IP.
How can we strengthen this with ipchains, you ask? Well, let's see.
##
# First verify forwarding is disabled
echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
# Default REJECT
ipchains -P forward REJECT
# DENY and log anyone's attempts to forward through us
ipchains -A forward -s 0/0 -d 0/0 -l -j DENY
# OK, that's pretty basic, now we get paranoid
# DENY, and log any connections to us from inside as anything but our
# gateway IP
ipchains -I input -s 192.168.3.0/24 -d ! 192.168.3.254/32 -j DENY -l
##
You could go on to set up blockage on all ports to the gateway except squid,
and telnet from all but the admin's IP, which would/should be excluded from
the DHCP pool if DHCP is in use.
If you were to use a custom setup only slightly more complex than this, you
wind up with AOL's new security policies. You just need to figure out who's
logged into what machine (think remote logging (*nix), or net logins (the
others)). Combine that with DHCP log monitoring and a script that alters
ipchains to allow full access with masq, junkbuster or other such HTTP
filtering, and you'll actually be able to go relieve yourself and grab a
coffee/beer/soda and know that your coworkers/employees/children aren't
leering at smut while you're away.
--
MandrakeSoft http://www.mandrakesoft.com/
--Axalon
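As an added example (not from this mail or from MandrakeSoft), the following Python checker replays the ipchains chain semantics the message relies on, policy (-P), append (-A) and insert-at-head (-I) with first match winning, over the Masq block above, so a rule set can be checked against a sample packet before it is loaded. It understands only the options used in this thread (-s, -d, -i, -j, -l and the "!" negation) and refuses anything else rather than silently ignoring it.

```python
import ipaddress

def parse(cmdline):
    """Parse one ipchains command into (chain, op, rule); '!' before a value negates it."""
    toks = iter(cmdline.replace("\\!", "!").split()[1:])   # '\!' is a shell escape for '!'
    chain, op, rule = None, None, {"log": False, "match": []}   # match: (s|d|i, negated, value)
    for a in toks:
        if a in ("-P", "-A", "-I"):
            op, chain = a, next(toks)
            if op == "-P":                    # '-P chain POLICY'
                rule["target"] = next(toks)
        elif a in ("-s", "-d", "-i"):
            val = next(toks)
            neg, val = (True, next(toks)) if val == "!" else (False, val)
            if a != "-i":                     # ipchains shorthand 0/0 means any address
                val = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val, strict=False)
            rule["match"].append((a[1], neg, val))
        elif a == "-j":
            rule["target"] = next(toks)
        elif a == "-l":
            rule["log"] = True
        else:                                 # refuse rather than silently widen a rule
            raise ValueError(f"unsupported option {a}")
    return chain, op, rule

def load(script):
    """-P sets the chain policy, -A appends, -I (no position given) inserts at the head."""
    chains = {}
    for line in (l for l in script.splitlines() if l.strip().startswith("ipchains")):
        chain, op, rule = parse(line)
        c = chains.setdefault(chain, {"policy": "ACCEPT", "rules": []})
        if op == "-P":
            c["policy"] = rule["target"]
        else:
            c["rules"].insert(len(c["rules"]) if op == "-A" else 0, rule)
    return chains

def verdict(chains, chain, **pkt):
    """Packet given as s=src, d=dst, i=iface (the ipchains flag letters). First matching rule
    wins, else the chain policy; a clause holds on hit XOR negated. Returns (target, logged)."""
    for rule in chains[chain]["rules"]:
        if all((pkt[k] == w if k == "i" else ipaddress.ip_address(pkt[k]) in w) != neg
               for k, neg, w in rule["match"]):
            return rule["target"], rule["log"]
    return chains[chain]["policy"], False

MASQ_SCRIPT = r"""ipchains -P forward REJECT
ipchains -A forward -s 0/0 -d 0/0 -j DENY -l
ipchains -I forward -s 192.168.1.0/24 -d \! 192.168.1.0/24 -i eth1 -j MASQ
"""  # constructed sample: the Masq block from the mail above (eth0 = LAN, eth1 = internet)
```

Swapping the MASQ rule's -I for -A in MASQ_SCRIPT puts it behind the catch-all DENY, which is exactly the "I swore I added it" situation the append/insert rule of thumb above avoids.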