scott:

i used (and then modified heavily) the script in appendix b, pp 494-504. i 
don't have a choke firewall, so i had to make some changes to get the firewall 
to see the internet instead. not many though. the first thing i had to change 
was (from page 496)

# $IPTABLES -t nat --policy PREROUTING DROP
# $IPTABLES -t nat --policy OUTPUT DROP
# $IPTABLES -t nat --policy POSTROUTING DROP

# $IPTABLES -t mangle --policy PREROUTING DROP
# $IPTABLES -t mangle --policy OUTPUT DROP

##################################################################
## allow anything from this machine out to the internet
if [ "$ALLOW_SCAN" = "1" ]; then
        $IPTABLES -A OUTPUT -o $EXTERNAL -p udp \
                -s $EXTERNAL_IP --sport $ANYPORT \
                -d any/0 --dport $ANYPORT \
                -m state --state NEW -j ACCEPT

        $IPTABLES -A OUTPUT -o $EXTERNAL -p tcp \
                -s $EXTERNAL_IP --sport $ANYPORT \
                -d any/0 --dport $ANYPORT \
                -m state --state NEW -j ACCEPT

        $IPTABLES -A OUTPUT -o $EXTERNAL -p icmp \
                -s $EXTERNAL_IP \
                -d any/0 \
                -m state --state NEW -j ACCEPT
fi

##################################################################
## don't allow Stealth Scans and TCP State Flags

(note: IPTABLES=/sbin/iptables)

the next problem i found was on page 499 on the line that starts after the 
comment:

# allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then

if you notice, neither of the two rules has anything to do with logging. 
rather, they determine if the packet should be allowed in. i changed 
$CONNECTION_TRACKING to $ALLOW_PING_OUT (and set it at the top of the script 
where $CONNECTION_TRACKING is set). the same goes for the following block 
dealing with incoming pings, except i changed $CONNECTION_TRACKING to 
$ALLOW_PING_IN.

(on the incoming block, i changed it to limit the number of pings per 
minute, and i set it up so that there are three possible states:
0 - allow none
1 - allow from my isp's network
2 - allow from any)

on page 500, under

# DNS LAN clients in private server (53)

i changed this line in the first 3 rules from

        -d $LAN_IPADDR --dport 53
to
        --dport 53

(i don't recall why!!!)

i added the necessary rules to come in from the internet to the DNS servers 
as they serve my domain on the outside as well. (that's another story!) i 
don't have the three rules on DNS caching and forwarding. in their place, i 
have rules that allow DNS slaves to get updates.

i changed the section on mail quite a bit: the mail server is on the firewall 
server. i changed the pop section as well for the same reason.

i added this section under the FTP section on page 502 *after* i 
upgraded to RH 7.2. (something changed in RH 7.2, but i can't find it... :( )

##################################################################
# Passive mode FTP
#
$IPTABLES -A OUTPUT -o $EXTERNAL -p tcp \
        -s $EXTERNAL_IP --sport $UNPRIVPORTS \
        --dport $UNPRIVPORTS \
        -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i $EXTERNAL -p tcp ! --syn \
        --sport $UNPRIVPORTS \
        -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT

i also added similar rules for server to lan passive ftp.

i commented out the forwarding rules in the http section to force users to 
use junkbuster proxy. and i added rules to allow junkbuster access from the 
lan machines.

i dropped the rule for print server forwarding on page 503.

i query three different time servers as a time source, so i made a loop 
around the outbound time request rules.  i also allow nntp port to nntp port 
connections for the outbound, as well as the unpriv port to nntp port 
connections.

on the dhcp, i added the following if around all the dhcp rules:

# accessing a local dhcp server...
if [ "$ALLOW_DHCP_SERVER" = "1" ]; then

as i don't currently have dhcp. but that might change.

i added some rules to allow netbios datagrams from the printserver. 
otherwise, i got a lot of chatter in my log files about dropped datagrams. ( 
i probably could have just dropped them, but i didn't want to bother with 
fuss... it is on my side of the firewall, after all. and i am looking at it 
as i type this, so who cares?)

i also added rules to allow local telnet into the server.

and finally, i added rules to log all dropped datagrams.

i don't know if this is the best setup possible for my needs, but it seems to 
work. i used nmap to look for weaknesses, and found none. again, i am not the 
security expert, though i am working that way. if you would like a copy of 
the script, i have no problem sharing it, though it has been heavily 
modified, mainly due to the fact that i have two machines that are firewalls. 
i wanted one script to work for both. in addition, there are two internal 
networks, so i had to account for two internal lan ip's and networks.

i hope this long winded dissertation helps....

On Thursday 21 March 2002 06:01 pm, Scott Adamson pronounced:
> I have a similar problem, his host forwarding example doesn't work. If you
> were trying something similar (which it seems you were), then what changes
> did you make from Robert's example?
> ----- Original Message -----
> From: "Allen Wayne Best" <[EMAIL PROTECTED]>
> To: "James Marcinek" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Friday, March 22, 2002 4:17 AM
> Subject: Re: Somebody help me Please!
> 
> 
> james:
> 
> i found "Linux Firewalls" by Robert L. Ziegler, 2nd Edition, New Riders,
> ISBN 0-7357-1099-6, to be the most usable book on this subject. the book
> does contain some rather glaring errors, imo, but i was able to get around
> them by using information in the book (as to how things work sort of
> information). nat is weak; in fact, his example would not work for me. but i
> did get my lan working okay anyway via forwarders. everything on my lan
> works with the outside world (ssh, web, ftp, ping, time, mail), and the
> outside world can see my web, ssh, and mail server. limited ping is
> available.
> 
> On Thursday 21 March 2002 05:15 am, James Marcinek pronounced:
> > I'm a newbie at setting up a linux firewall router and
> > I'm running into some issues. I have a couple of books
> > that I got just to help me out in the Linux world;
> > however they don't seem to cover the topics
> > adequately. If anybody can help me out I'd appreciate
> > it.
> >
> > I have installed RH 7.2 using the custom setting and
> > selected Router/Firewall role. I also disabled
> > IPCHAINS and made sure that IPTABLES is running in all
> > of the init levels.
> >
> > One of the major problems I'm running into is that my
> > outbound NIC eth1 is using dhcp from the internet
> > provider and I don't have static settings and cannot
> > determine my default gateway on this card. I'm not
> > sure how to configure my
> > /etc/sysconfig/network-scripts/ifcfg-eth1 file
> >
> > Do I have to use the route command to set up routes or
> > do I use IPTABLES to accomplish this?
> >
> > Basically what I want to accomplish is to use NAT
> > internally (I set up a 192.168.2.0 network
> > internally) and IP masquerading. I'm not currently
> > using a DNS server internally (I plan to use one as a
> > forwarder), so I have to use the ISP's.
> >
> > I plan to set up a web server and would allow incoming
> > port 80 traffic to be directed to this server.
> >
> > I also would like to allow all traffic going from my
> > internal LAN to go out.
> >
> > Any suggestions would be greatly appreciated. I've
> > been looking forward to setting up rules and getting
> > familiar with this but I'm not at that point yet.
> >
> > Thanks!
> >
> > James
> >
> >
> >
> >
> 
> --
> regards,
> allen wayne best, esq
> "your friendly neighborhood rambler owner"
> "my rambler will go from 0 to 105"
> Current date: 44:9:9::79:2002
> 
> "I'm growing older, but not up."
> -- Jimmy Buffett
> 
> 
> 
> 
> 

-- 
regards,
allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 35:49:18::79:2002

FORTUNE DISCUSSES THE OBSCURE FILMS: #5

THE ATOMIC GRANDMOTHER:
        This humorous but heart-warming story tells of an elderly woman
        forced to work at a nuclear power plant in order to help the family
        make ends meet.  At night, granny sits on the porch, tells tales
        of her colorful past, and the family uses her to cook barbecues
        and to power small electrical appliances.  Maureen Stapleton gives
        a glowing performance.
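
The three-state $ALLOW_PING_IN block and the "log all dropped datagrams" rules described in the message above, as an added example that is not code from the original post or from Ziegler's script. The external interface, the firewall address and the ISP network are assumed placeholders, and IPTABLES defaults to echo so the rules print for review instead of being installed.

```shell
#!/bin/sh
# Added example, not from the original post or from Ziegler's script.
# IPTABLES defaults to "echo" so the generated rules can be reviewed
# first; run as root with IPTABLES=/sbin/iptables to install them.
IPTABLES="${IPTABLES:-echo}"
EXTERNAL="${EXTERNAL:-eth1}"                # assumed external interface
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"  # constructed documentation address
ISP_NET="${ISP_NET:-203.0.113.0/24}"        # constructed: the ISP's network

# ping_in_rules <ALLOW_PING_IN>
#   0 - allow no inbound echo requests
#   1 - allow them only from the ISP's network
#   2 - allow them from anywhere
# In states 1 and 2 requests are capped at 1/minute (burst 3); anything over
# the cap matches no ACCEPT rule and ends up in the logged default DROP.
ping_in_rules() {
    case "$1" in
        0) return 0 ;;
        1) src="-s $ISP_NET" ;;
        2) src="" ;;
        *) echo "ping_in_rules: ALLOW_PING_IN must be 0, 1 or 2" >&2; return 1 ;;
    esac
    $IPTABLES -A INPUT -i "$EXTERNAL" -p icmp --icmp-type echo-request \
        $src -d "$EXTERNAL_IP" \
        -m limit --limit 1/minute --limit-burst 3 \
        -m state --state NEW -j ACCEPT
    # the replies belong to a connection the rule above accepted
    $IPTABLES -A OUTPUT -o "$EXTERNAL" -p icmp --icmp-type echo-reply \
        -s "$EXTERNAL_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# log_dropped: appended last to each chain, so whatever is about to hit the
# default DROP policy leaves a syslog line first. The limit stops a flood of
# unwanted packets from turning into a flood of log lines.
log_dropped() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 5/minute --limit-burst 10 \
            -j LOG --log-prefix "DROP $chain: " --log-level info
    done
}

ALLOW_PING_IN="${ALLOW_PING_IN:-1}"
ping_in_rules "$ALLOW_PING_IN"
log_dropped
```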
