/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Tom Elsesser wrote:

>    I have a linux box (RH6.2) with an ADSL line hooked
> to it, from which 3 of us share for email, www, ftp,
> etc. Everything works fine & dandy, but I am concerned
> about security, as I concentrated more on getting
> everyone connected to the net than security, and also I
> am learning as I go.  I have been following the mail
> list for a while, and have applied things I thought
> were necessary, but I'd appreciate it if someone could
> take a peek at my rulesets and tell me if there is
> something(s) I could change to lessen a chance of
> unwanted intrusion. I use 2 ethernet cards eth0 and
> eth1. The DSL line is connected to eth0. If any more
> info is needed, please let me know.
> 
> Thanks in advance.
> 
> --
> Tom

the first thing to do to check how high your firewall is
is to download nmap from www.insecure.org, learn how to
use it and portscan your firewall host and/or internal
network from the inside and the outside as root. anything
we say on this list will not be as rigorous or reliable as
nmap.

> +++++++++++++++
> 
> #!/bin/sh
> # Start and Stop masquerading
> 
> NAME=$0
> case "$1" in
>   start)
>         echo -n "Starting IP Masquerading ............"
> 
> # Flush any residual BS
> /sbin/ipchains -F
> 
> 
> # modules
> /sbin/depmod -a
> 
> # Robt.Ziegler stuff
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> # echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> # Spoofing Protection
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 1 > $f
> done
> # Disable ICMP Redirect Acceptance
> for f in /proc/sys/net/ipv4/conf/*/accept_redirects;do
>         echo 0 > $f
> done
> #Disable Source routed packets (?)
> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>         echo 0 > $f
> done
> # Log spoofed packets, source routed packets, redirect packets
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>         echo 1 > $f
> done
> 
> 
> # Load modules
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_raudio
> /sbin/modprobe ip_masq_quake
> /sbin/modprobe ip_masq_vdolive
> /sbin/modprobe ip_masq_portfw
> /sbin/modprobe ip_masq_autofw
> 
> # Try to optimize ftp & telnet
> /sbin/ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
> /sbin/ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
> /sbin/ipchains -A output -p tcp -d 0.0.0.0/0 ftp-data -t 0x01 0x08
> 
> # default is to deny packets
> /sbin/ipchains -P forward DENY

you should set the input and output policies to DENY/REJECT as well.

> # Accept local activities
> /sbin/ipchains -A input -i lo -j ACCEPT
> /sbin/ipchains -A output -i lo -j ACCEPT
> 
> # Other machines here
> /sbin/ipchains -A input -i eth1 -s 0/0 -j ACCEPT
> /sbin/ipchains -A output -i eth1 -s 0/0 -j ACCEPT
> 
> # Here it is ....
> /sbin/ipchains -A forward -s 192.168.0.2/24 -j MASQ
> /sbin/ipchains -A forward -s 192.168.0.3/24 -j MASQ
> /sbin/ipchains -A forward -s 192.168.0.5/24 -j MASQ

you don't need the last two of the rules immediately above.
they are subsumed by the first.

> # Whack
> #/sbin/ipchains -P input ACCEPT
> #/sbin/ipchains -l -i eth0 -p tcp  --dport 20:1024 -j DENY
> #/sbin/ipchains -l -i eth0 -p tcp --dport 20:1024 -j DENY
> 
> # Enable Telnet server
> /sbin/ipchains -A input -i eth0 -p tcp \
>         --source-port 1024:65535 \
>         -d  123.123.123.123 -j ACCEPT
> /sbin/ipchains -A output -i eth0 -p tcp \
>         -s 123.123.123.123  23 \
>         --destination-port 1024:65535 -j ACCEPT

instead of using the port range 1024:65535, you should use
1024:4999 for locally generated packets and 61000:65096 for
masqueraded packets. the first range can be obtained from
/proc/sys/net/ipv4/ip_local_port_range. that way, the majority
of ports that will never intentionally be used can be blocked.

> #Enable DNS
> /sbin/ipchains -A input -i eth0 -p tcp \
>         --source-port 53 \
>         -d 123.123.123.123  53:1024 -j ACCEPT

the port range 53:1024 doesn't make sense. packets will
come from port 53 or 1024:65535, not 53:1024. also, this
allows incoming dns connections. if you aren't running a
publicly accessible dns server, this is unnecessary and
dangerous. if you are, it is only dangerous. make sure
you're always running the latest version.

> /sbin/ipchains -A output -i eth0 -p tcp \
>         -s 123.123.123.123  53 \
>         --destination-port 53:65535 -j ACCEPT

the port range 53:65535 isn't right (similar to above).
the port ranges will be 53 and 1024:65535.

> /sbin/ipchains -A input -i eth0 -p udp \
>         --source-port 53 \
>         -d 123.123.123.123  53:65535 -j ACCEPT

this doesn't allow external dns clients to make requests
of your dns server. they'd have packets coming from 1024:65535.

what about udp output?

> # Internal Netbios packets
> /sbin/ipchains -A input -i eth0 -p tcp \
>         -s 123.123.123.123  138 \
>         -d 123.123.123.255 138 -j ACCEPT
> /sbin/ipchains -A output -i eth0 -p tcp \
>         -s 123.123.123.255 138 \
>         -d 123.123.123.123  138 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p udp \
>         -s 123.123.123.123  138 \
>         -d 123.123.123.255 138 -j ACCEPT
> /sbin/ipchains -A output -i eth0 -p udp \
>         -s 123.123.123.255 138 \
>         -d 123.123.123.123  138 -j ACCEPT
>
> # Enable FTP server
> /sbin/ipchains -A input -i eth0 -p tcp \
>         --source-port 1024:65535 \
>         -d 123.123.123.123  21 -j ACCEPT
> /sbin/ipchains -A output -i eth0 -p tcp \
>         -s 123.123.123.123  21 \
>         --destination-port 1024:65535 -j ACCEPT
> /sbin/ipchains -A output -i eth0 -p tcp \
>         -s 123.123.123.123  20 \
>         --destination-port 1024:65535 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp \
>         --source-port 1024:65535 \
>         -d 123.123.123.123  20 -j ACCEPT

it's very dangerous to run an internal ftp server.
if it's used for non-anonymous use, the usernames
and passwords can be sniffed. whether it's used
anonymously or not, it's a vector for breakins.
it's better to run the ftp server on a separate,
perimeter network, outside your internal network
if at all possible.

> # Allow mail
> /sbin/ipchains -A input -i eth0 -p tcp --dport 113 -j ACCEPT
> 
> # Whack unwanted nasti's
> /sbin/ipchains -P input ACCEPT

an input policy of accept is very dangerous.
change it to reject or deny and start again
(you'll probably find that many things stop
working).

> /sbin/ipchains -A input -l -i eth0 -p tcp --dport 21:1024 -j DENY
> /sbin/ipchains -A input -l -i eth0 -p udp --dport 21:1024 -j DENY
> 
> echo -n ".."
> echo "DONE"
> ;;
> 
> stop)
>   echo -n "Stopping all this masquerading ......................"
> /sbin/rmmod ip_masq_ftp
> /sbin/rmmod ip_masq_quake
> /sbin/rmmod ip_masq_raudio
> /sbin/rmmod ip_masq_vdolive

you should probably add "ipchains -F forward" here
to stop masquerading.

> echo "DONE."
> ;;
> 
> *)
> echo -n "Get it right ... masq {start/stop}"
> exit 1
> esac
> exit 0

raf
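
As an added illustration of the points raf raises above (this is editor-added
example code, not Tom's script and not anything raf posted): a dry-run
generator for the corrected parts of the ruleset. It shows a DENY policy on
input and output as well as forward, the three MASQ rules collapsed into one
(with a small network_of helper that computes why 192.168.0.2/24, .3/24 and
.5/24 are the same network), the reply-port ranges taken from
/proc/sys/net/ipv4/ip_local_port_range plus the 61000:65096 masquerade range
raf mentions, DNS client rules for both tcp and udp in both directions, and an
"ipchains -F forward" in the stop case. Assumptions: ipchains is not installed
where this runs, so IPCHAINS defaults to "echo /sbin/ipchains" and the commands
are printed rather than applied; 123.123.123.123 is the placeholder address
from the post; the function names (network_of, local_port_range,
sample_port_range_file, gen_rules) are illustrative; the "! -y" (non-SYN)
match is standard ipchains syntax but is not something either poster used.

```shell
#!/bin/sh
# Editor-added example, not from Tom's script or raf's reply. Dry-run by
# default: IPCHAINS is "echo /sbin/ipchains" so rules are printed, not applied.
# On a real ipchains box run it as: IPCHAINS=/sbin/ipchains ./masq.sh start
IPCHAINS=${IPCHAINS:-"echo /sbin/ipchains"}
EXT_IF=eth0                  # DSL side, as in the post
INT_IF=eth1                  # LAN side
EXT_IP=123.123.123.123       # placeholder address from the post
LAN=192.168.0.0/24           # the network that .2/24, .3/24 and .5/24 all name
MASQ_PORTS=61000:65096       # ports ipchains uses for masqueraded connections

# Network address of a.b.c.d/N, e.g. 192.168.0.5/24 -> 192.168.0.0.
# This is why the three "-s 192.168.0.X/24 -j MASQ" rules are really one rule.
network_of() {
    ip=${1%/*}; bits=${1#*/}
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (1 << 32) - (1 << (32 - bits)) ))
    net=$(( n & mask ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))"
}

# Turn the kernel's "lo<TAB>hi" port range file into an ipchains "lo:hi" spec.
# Takes the path as an argument so a constructed sample file can be used.
local_port_range() {
    read lo hi < "$1" || return 1
    echo "$lo:$hi"
}

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range (the 1024 4999
# value raf quotes), written to a temp file whose path is echoed.
sample_port_range_file() {
    f=$(mktemp) && printf '1024\t4999\n' > "$f" && echo "$f"
}

# Emit the corrected ruleset. Optional argument: path of the port range file.
gen_rules() {
    lp=$(local_port_range "${1:-/proc/sys/net/ipv4/ip_local_port_range}") || return 1
    $IPCHAINS -F
    # default DENY on every chain, not only forward
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input -i $INT_IF -s $LAN -j ACCEPT
    $IPCHAINS -A output -i $INT_IF -d $LAN -j ACCEPT
    # one MASQ rule covers the whole LAN
    $IPCHAINS -A forward -i $EXT_IF -s $LAN -j MASQ
    # Replies to connections this host made (local port range) and to
    # masqueraded LAN connections (masq range). "! -y" admits non-SYN packets
    # only, so nobody can open a connection to those ports from outside.
    for range in $lp $MASQ_PORTS; do
        $IPCHAINS -A output -i $EXT_IF -p tcp -s $EXT_IP $range -j ACCEPT
        $IPCHAINS -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP $range -j ACCEPT
        # DNS as a client: queries go to port 53, answers come back from 53.
        # udp needs explicit rules in both directions; tcp DNS is covered above.
        $IPCHAINS -A output -i $EXT_IF -p udp -s $EXT_IP $range -d 0/0 53 -j ACCEPT
        $IPCHAINS -A input -i $EXT_IF -p udp -s 0/0 53 -d $EXT_IP $range -j ACCEPT
    done
    # log and drop whatever else arrives on the DSL interface
    $IPCHAINS -A input -l -i $EXT_IF -j DENY
}

case "${1:-}" in
    start) gen_rules ;;
    stop)  $IPCHAINS -F forward ;;   # flushing forward is what stops masquerading
esac
```

Run it with "start" and read the printed rules before pointing IPCHAINS at the
real binary; once a DENY policy is on input and output, anything not listed
(ssh, identd, the ftp server) stops working until a rule is added for it, which
is the point of raf's "start again" advice.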

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
