Re: [gentoo-user] Re: iptables example on Gentoo
> > # Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
> > *nat
> > :PREROUTING ACCEPT [34942:3100331]
> > :POSTROUTING ACCEPT [106864:7597940]
> > :OUTPUT ACCEPT [106858:7597722]
> > :net_dnat - [0:0]
> > :w1ad_masq - [0:0]
> > -A PREROUTING -i w1ad -j net_dnat
> > -A POSTROUTING -o w1ad -j w1ad_masq
> > -A net_dnat -p udp -m multiport --dports
>
> What are the "[34942:3100331]" and "[106864:7597940]" references above?

Without specifying options to iptables-save, it includes the counters in the format [packet-counter:byte-counter]. I don't use the counters myself, so I don't really know for sure what purpose they serve (I'm sure the doco could shed some light on it). My guess is that they are used for either QOS or throttling or something.

> > These are all valid rules and are constructed by shorewall. Would they be the same if I hand-coded them? Absolutely not. I wouldn't have so many custom chains and would probably reorder the rules to give priorities to specific services.
> >
> > And, I would argue that whilst these rules are valid and do perform the firewall chores that I want/need, the format of the rules would leave a lot to be desired to try to maintain manually via the command line.
>
> If I understand this right: Shorewall, firehol, fwbuilder, etc., 'just-works', but it kludges the iptables? Some of these 'helpers' may also require you to learn some additional scripting format other than the conventional iptables.

I don't think that 'kludges' is the right word for it. When hand-coding iptables scripts, it makes sense to create custom chains to organize your iptables script somewhat. Shorewall (and the others, although I'm not familiar with their direct interactions with iptables) does this as well. The difficulty is that shorewall is capable of handling so many different configurations. The various custom chains that it creates are targeted towards someone that's using all of the various parts of shorewall; when you scale back to a limited setup with a small set of logical rules, shorewall still handles it easily but constructs all of the custom chains and interlinkings that would be used in a more complex setup. Which is why the iptables-save output I posted is a heck of a lot bigger than what my logical set of rules contains.

> I guess that's similar to using some HTML WYSIWYG instead of hand coding it yourself.

That's a very good analogy, and more apropos to the actual output of shorewall et al. Although the output of the tool is functionally similar to what you would do by hand, it is typically more complicated and not close to what you would have done hand-coding it.

--
gentoo-user@gentoo.org mailing list
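The [packets:bytes] counters discussed above, as an added example that is not code from the thread: a POSIX shell/awk parser that reads an iptables-save dump, reports each chain's policy and packet/byte counters, and checks that the filter table's built-in chains default to DROP. The chain-header lines always carry these counters; per-rule counters only appear with "iptables-save -c". The dump is a constructed sample modelled on the one posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: parse the ":CHAIN POLICY [packets:bytes]"
# header lines of an iptables-save dump. The chain headers always carry these
# counters; per-rule counters are only emitted with "iptables-save -c", as a
# "[p:b]" prefix in front of each "-A" line. The dump below is a constructed
# sample modelled on the one posted in the thread.

SAMPLE_DUMP='# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:60]
:net2fw - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# chain_counters: read a dump on stdin and print one line per chain header:
#   table chain policy packets bytes
# User-defined chains show "-" as policy, since only built-in chains have one.
chain_counters() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  {
            chain = substr($1, 2)
            counters = substr($3, 2, length($3) - 2)   # strip "[" and "]"
            split(counters, c, ":")
            printf "%s %s %s %s %s\n", table, chain, $2, c[1], c[2]
        }
    '
}

# field_of TABLE CHAIN N: the Nth column of chain_counters for one chain
field_of() {
    printf '%s\n' "$SAMPLE_DUMP" | chain_counters |
        awk -v t="$1" -v ch="$2" -v n="$3" '$1 == t && $2 == ch { print $n }'
}

policy_of()  { field_of "$1" "$2" 3; }
packets_of() { field_of "$1" "$2" 4; }
bytes_of()   { field_of "$1" "$2" 5; }

# drop_policy_count: number of built-in chains whose default policy is DROP,
# i.e. a quick check that the filter table is default-deny on all three paths
drop_policy_count() {
    printf '%s\n' "$SAMPLE_DUMP" | chain_counters |
        awk '$3 == "DROP" { n++ } END { print n + 0 }'
}

# busiest_chain: chain with the largest byte counter. Comparing counters
# before and after a rule change shows which chains actually see traffic.
busiest_chain() {
    printf '%s\n' "$SAMPLE_DUMP" | chain_counters |
        awk '$5 + 0 > max { max = $5 + 0; name = $1 "/" $2 } END { print name }'
}

printf '%s\n' "$SAMPLE_DUMP" | chain_counters
echo "DROP policies: $(drop_policy_count)   busiest: $(busiest_chain)"
```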
RE: [gentoo-user] Re: iptables example on Gentoo
> -----Original Message-----
> From: Dave Nebinger [mailto:[EMAIL PROTECTED]
> Sent: 08 September 2005 17:42
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Re: iptables example on Gentoo
>
> [snip]
>
> It does generate iptable rules, but they are customized for shorewall's purposes. For example, my shorewall setup builds the following iptables rules:
>
> # Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
> *nat
> :PREROUTING ACCEPT [34942:3100331]
> :POSTROUTING ACCEPT [106864:7597940]
> :OUTPUT ACCEPT [106858:7597722]
> :net_dnat - [0:0]
> :w1ad_masq - [0:0]
> -A PREROUTING -i w1ad -j net_dnat
> -A POSTROUTING -o w1ad -j w1ad_masq
> -A net_dnat -p udp -m multiport --dports

What are the "[34942:3100331]" and "[106864:7597940]" references above?

> These are all valid rules and are constructed by shorewall. Would they be the same if I hand-coded them? Absolutely not. I wouldn't have so many custom chains and would probably reorder the rules to give priorities to specific services.
>
> And, I would argue that whilst these rules are valid and do perform the firewall chores that I want/need, the format of the rules would leave a lot to be desired to try to maintain manually via the command line.

If I understand this right: Shorewall, firehol, fwbuilder, etc., 'just-works', but it kludges the iptables? Some of these 'helpers' may also require you to learn some additional scripting format other than the conventional iptables.

I guess that's similar to using some HTML WYSIWYG instead of hand coding it yourself.

--
Regards,
Mick
Re: [gentoo-user] Re: iptables example on Gentoo
On Thursday 08 September 2005 01:23 am, James wrote:
> gentuxx gmail.com> writes:
> > Why not just sit down and read the source?
>
> I'm sure that's going to happen too. But having a working machine with iptables/netfilter is like having a lab-class to go with the (theory) lecture part of the class, methinks.
>
> YMMV.
>
> James

That's what I'm doing just this minute. Old laptop on my home lan, iptables on gentoo and a copy of LINUX FIREWALLS 2nd Edition by Robert L. Ziegler. Pretty heady stuff, but a great way to pass the time before bed. A little brandy doesn't hurt either.

Cheers.

--
** Registered Linux User Number 185956
FSF Associate Member number 2340 since 05/20/2004
Join me in chat at #linux-users on irc.freenode.net
Buy an Xbox for $149.00, run linux on it and Microsoft loses $150.00!
8:51pm up 52 days, 20:50, 2 users, load average: 0.00, 0.00, 0.00
Re: [gentoo-user] Re: iptables example on Gentoo
James wrote:
> OK, whatever this means. Sorry to offend, but, I did not like having Shorewall or anything else shoved down my throat. The title of the email was and is 'iptables example on Gentoo'. It's a shame we had to get so heated before folks actually started talking about iptables/netfilter, and not some intermediary

I think it's fairly rational for people to answer "I use Shorewall to create my iptables rules" in response to your original question. While not the answer you might have been looking for, it does answer the question. And frankly I can do without the bad ol' days of writing my own ipchains rules... what a mess that was. I suspect most people who answered you feel the same way and would rather spend their time doing other things. In my case I have a set of firewalls I never touch and forty odd web servers. I believe my time is better spent letting a well respected program set up my firewall rather than mucking about myself. Much like I let Gentoo build packages for me rather than do my own source installs.

To bring things full circle, I *actually* had a chat with my motorcycle mechanic last week about carbs. I buy parts from him a little above market plus a six pack and he tells me how to install it or what to watch out for, thus saving me $75/hour. This week I mentioned some overly complicated work I was planning that he suggested might not be in my engine's best interest. A point he punctuated, after lecturing me 15 minutes for even mentioning the hard method, by throwing 20lbs of broken carbs across the garage in my general direction. I think you got off easy in comparison. :-)

The moral of the stories is two part: Sometimes the easy way is actually the best way; You can do it the hard way, but don't expect people to help. However, feel free to get your hands dirty in iptables; you may enjoy it and find it useful, especially if you're a full time security guy. I've been there and have neither the interest nor time to do something by hand with decent tools available.

kashani, who found Fortran 77 a vast relief after Assembler for the IBM Mini Computer.
Re: [gentoo-user] Re: iptables example on Gentoo
On Thu, 8 Sep 2005 16:19:53 +0000 (UTC), James wrote:

> > By picking up a bunch of rules from some web site somewhere, you run the risk of learning from bad rules (like learning HTML by picking apart web sites). If a well known and well used program like Shorewall generated bad rules, they'd be picked up immediately.
>
> Looking at bad rules, learning why they fail, and watching an attack (either generated by myself or others) with an IDS and other tools running can be an excellent learning experience.

Only if you know they are bad rules. Bearing in mind that you are unlikely to find a site that says "here are my iptables rules, aren't they crap?", how will you know whether you are learning from good or bad examples?

--
Neil Bothwick

What Aussies lack in Humour they make up for in Beer!
Re: [gentoo-user] Re: iptables example on Gentoo
> OK, good point. But several folks have mentioned that shorewall is not a one-to-one tool for straight iptables/netfilters implementations. It has things that are not part of a raw usage of iptables/netfilters. My goal is to learn as much about iptables/netfilters on a Gentoo X86 firewall, before I plunge into iptables/netfilters on an embedded processor, most likely not x86.

That is incorrect. Shorewall is, at its heart, a scripting engine that builds iptables rules based upon the contents of the shorewall configuration files. Once the shorewall engine produces the iptables rules, the process goes away (there is no lingering shorewall process after it comes up).

> Looking at bad rules, learning why they fail, and watching an attack (either generated by myself or others) with an IDS and other tools running can be an excellent learning experience. I'm not sure I'll have Shorewall running on an embedded platform, nor do I want to generate things on one system and transfer them to a different system (arch) in an embedded environment, not just yet. Others have indirectly suggested that Shorewall does not directly generate iptables/netfilters rulesets. I'm looking to get as close to iptables/netfilters as I can, rather than an immediate need to have a robust linux based firewall.

It does generate iptable rules, but they are customized for shorewall's purposes. For example, my shorewall setup builds the following iptables rules:

# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p udp -m multiport --dports 27900,29900,27901,55123:55125,1500:4999,16567 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m multiport --dports 29900,29901,28910,4711 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 5000:5201 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 51000:52000 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 10023 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --sport 8086 --dport 8085 -j DNAT --to-destination 192.168.0.10
-A w1ad_masq -s 255.255.255.255 -j MASQUERADE
-A w1ad_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 8 12:32:48 2005
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*mangle
:PREROUTING ACCEPT [11532470:15305239824]
:INPUT ACCEPT [10012668:14215875107]
:FORWARD ACCEPT [1519785:1089361813]
:OUTPUT ACCEPT [8826128:782474663]
:POSTROUTING ACCEPT [10353251:1873002122]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Thu Sep 8 12:32:49 2005
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:49 2005
*filter
:AllowFTP - [0:0]
:AllowICMPs - [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:60]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logflags - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:w1ad_fwd - [0:0]
:w1ad_in - [0:0]
-A AllowFTP -p tcp -m tcp --dport 21 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -p icmp -j AllowICMPs
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -p tcp -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i w1ad
Re: [gentoo-user] Re: iptables example on Gentoo
On Thu, 2005-09-08 at 01:34 +0000, James wrote:
> Bryan Whitehead megahappy.net> writes:
> > Wow, that is news to me... I've always just banged out iptables rules and then saved them...
>
> Got anything to share? Surely a 3 nic firewall { WAN(single IP), LAN and DMZ, with a web server and eventually 2 dns servers on the DMZ is not really a big deal?
>
> Which kernel sources did you use? Anything tricky in building the kernel?
>
> The system is only going to be a firewall/router so only minimal necessary packages will be installed.
>
> James

Hi James,

Haven't tried all (only for a single card) but on the 'shorewall.net' site there are sample configs for a single, with two and three Lan card interfaces (WAN, LAN, DMZ). Used one myself. In the docs there are even graphical ;) screen-shots of the kernel-config options which you need to use to get all of shorewall features. Recommended iptables config. Don't think you believe there is a piece of software which doesn't have (now) or didn't have at some point of time a Bug or two or more.

HTH.
Rumen
Re: [gentoo-user] Re: iptables example on Gentoo
On Thu, 8 Sep 2005 01:23:26 +0000 (UTC), James wrote:

> > Why not just sit down and read the source?
>
> I'm sure that's going to happen too. But having a working machine with iptables/netfilter is like having a lab-class to go with the (theory) lecture part of the class, methinks.

So try out some of the standard configurations in Shorewall. Read the Shorewall scripts to see what they are trying to do then examine the iptables rules they create to see how it does it. That gives you exactly what you were asking for, a set of standard, working iptables rules to learn from, with no GUI in sight. Shorewall is not an automatic rule generator like Guarddog, it is more like a compiler, turning your source rules into iptable rules.

By picking up a bunch of rules from some web site somewhere, you run the risk of learning from bad rules (like learning HTML by picking apart web sites). If a well known and well used program like Shorewall generated bad rules, they'd be picked up immediately.

--
Neil Bothwick

ASSISTANT MANAGER: Feminine form of the word manager (q.v.).
Re: [gentoo-user] Re: iptables example on Gentoo
James wrote:
> Dave Nebinger joat.com> writes:
>
> < BIIIG SNIP >
>
> A beautiful woman was once asked why she married the mechanic out of all the numerous suitors beckoning to her. She replied "because he tore it up on the first night, and has been working on it ever since". I like to tear up low level code and put it back together, piece by piece, too. That's how I learn, and I find it thoroughly enjoyable.

Why not just sit down and read the source? ;-)

> [SNIP]
>
> James

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
RE: [gentoo-user] Re: iptables example on Gentoo
> As far as functionality and rule set development, I don't think there is that much of a difference between 2.4 and 2.6. I'm sure there are tons of cool things that go on under the hood that I don't really know about, but the implementation is basically the same. 2.6 kernels may offer newer targets, different kernel hooks, etc., etc., but like I said, that's a little beyond my current scope. Why not compile a 2.4 kernel (with netfilter), build a ruleset, then load up your 2.6 kernel and see what breaks (if anything)?

There are new targets and matches in the 2.6 kernel. Also it is my understanding that the internal tables are managed differently, in that the 2.6 implementation is faster in the table processing.
Re: [gentoo-user] Re: iptables example on Gentoo
James wrote:
> Holly Bostick planet.nl> writes:
>
> > Good morning, this is the general users list. If you want the security experts, try
> >
> > gentoo-security For the discussion of security issues and fixes
> > gentoo-hardened For a security hardened version of Gentoo
>
> You mean I have to go to this group to find detailed documentation in iptables/netfilter rulesets that are indeed secure, published, and used in more than one place?

I mean that if such documentation exists, that group would be much more likely to know where it is (because that group is focused on such issues and knowledge) than this group would be (where such knowledge is more likely to be a random roll of the dice as to whether anyone around today happens to know about it).

Now, of course for detailed documentation on iptables/netfilter, the place to start, for me, at least, would be http://www.iptables.org/documentation/index.html#documentation-howto .

As for 'published rulesets', well, so far I've found

http://linux.unimelb.edu.au/server/course/fc3/iptables.html (see examples)
http://www.hackinglinuxexposed.com/articles/20021008.html
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/rc.firewall-iptables
http://www.linux.org/docs/ldp/howto/IP-Masquerade-HOWTO/ (see http://www.linux.org/docs/ldp/howto/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER)
http://www.linuxtopia.org/Linux_Firewall_iptables/index.html (see example scripts beginning at http://www.linuxtopia.org/Linux_Firewall_iptables/x5753.html)
http://forums.gentoo.org/viewtopic-p-1436652-highlight-iptables+rulesets.html?sid=b777f7a8f3ef392e9cb4d14f0bcccfa1#1436652

That's all the Googling I feel like right now, but I'm sure that gentoo-security might know more places such things are likely to be found (especially any gentoo-specific resources).

> > That's all I'm going to say in the face of all this needlessly insulting behaviour.
>
> Holly, I have not nor do not intend to insult or constipate anyone. Sincere apologies. However, I find this very strange that published rulesets do not exist for iptables/netfilter, for simple and common things like a home-office router with (3) nics, including LAN, WAN and DMZ with optional web and dns(internal) servers. If you find my sharing these thoughts with you, and the 50 times I've had to write that I'm interested in iptables/netfilters and not shorewall, then I think you are a bit too sensitive about divergent opinions.
>
> > The really funny thing is a year ago, this list was full of persons that debunked OpenBSD's security supremacy. Now all I'm getting is a lot of 'hot air' and 'bull-loney'. Why are so many people scared to manage their own firewall rulesets directly?

This is not a 'divergent opinion'.. it is an opinion, true, but there is nothing for it to diverge from (since this is not a debate about OpenBSD's supremacy or lack thereof, nor about whether anyone is 'scared' to manage their own rulesets directly).

> > I thought (gentoo)linux was supposed to be equal to or superior to OpenBSD for security and every other aspect of computing?

This is not a 'divergent opinion', because this is again not a debate over, nor is this a forum for debate concerning, whether Gentoo is superior to anything at all, this is a user help mailing list.

> > (Booo)

Excuse me? This is somehow not a taunt?

Whatever. Though what I wonder is, is iptables under BSD so radically different than iptables under Linux that somehow you can't simply use or adapt the oh-so-easy BSD rulesets that you already have to your current conditions? Or, I would wonder, if I didn't have concerns that I value higher taking priority over my thinking about this at all.

Holly
Re: [gentoo-user] Re: iptables example on Gentoo
James wrote:
> gentuxx gmail.com> writes:
>
> > I think, perhaps, you misunderstood what I was saying. My understanding of shorewall was that it was a script (or series of scripts) that look for the previously specified config files and do "cool stuff" with the information contained in them. I was simply stating that in order to put value to the information in the config files, that you would have to know what the scripts do. I was not, in any way, suggesting that you use Shorewall. I can completely understand and sympathize with your need to dissect iptables, and the security it provides. However, I tend to take a top-down approach, as opposed to the bottom-up approach you seem to prefer.
>
> OK this is great! However, I'm a C/assembler hack, with embedded tendencies. Scripts are OK, as most are self explanatory. As a hardware guy, I often start with a microP, and write/add firmware to a custom bootloader. From there, often, a simple state_machine with selected code creates wonderful things; so I'm definitely a bottoms up kind of guy. YMMV.
>
> > Going back to your original questions, I'm not really sure I can help with Q1. However, in regards to Q2, there aren't any config files for iptables. The tables are stored in memory. You can do an "iptables-save", which will output a modified version of the rules currently in place, which can subsequently be modified (assuming you understand and duplicate the syntax) and restored (with any changes) using "iptables-restore". Otherwise, all of your editing should be done at the command line. I would recommend using a script (of your own design, if so desired) to ease repeatability, and reduce the possibility for mistakes (fat-fingering). Also, a script of this nature would be handy for starting the iptables upon boot (I believe the HOW-TO you referenced covers this).
>
> Is this the one?
> http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

No, this one.

http://www.gentoo.org/doc/en/home-router-howto.xml

> I've referenced many urls. This one was written for 2.4 based kernels and I'm not sure it's useful for 2.6. That was one of my questions. Can you look at it and suggest where it is defective? That way, I can use it as a baseline to learn and develop a more robust (in_memory) ruleset that spawns from a shell script or elsewhere. Or maybe share a 2.6 based script?
>
> OK all of this is fantastic! All of the googling and reading I've done has not revealed this. Most of what I find is circa 2.4 and I'm not adept enough to discern what's relevant for 2.4 and 2.6 kernels, yet.
>
> Thank you very, very much,
> James

As far as functionality and rule set development, I don't think there is that much of a difference between 2.4 and 2.6. I'm sure there are tons of cool things that go on under the hood that I don't really know about, but the implementation is basically the same. 2.6 kernels may offer newer targets, different kernel hooks, etc., etc., but like I said, that's a little beyond my current scope. Why not compile a 2.4 kernel (with netfilter), build a ruleset, then load up your 2.6 kernel and see what breaks (if anything)?

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
RE: [gentoo-user] Re: iptables example on Gentoo
> > That's all I'm going to say in the face of all this needlessly insulting behaviour.
>
> Holly, I have not nor do not intend to insult or constipate anyone. Sincere apologies. However, I find this very strange that published rulesets do not exist for iptables/netfilter, for simple and common things like a home-office router with (3) nics, including LAN, WAN and DMZ with optional web and dns(internal) servers. If you find my sharing these thoughts with you, and the 50 times I've had to write that I'm interested in iptables/netfilters and not shorewall, then I think you are a bit too sensitive about divergent opinions.

Up to now I haven't really wanted to have someone bounced from the list; but your lack of sensitivity and generally insulting manners make you the first obvious candidate for such a bouncing.

> > Good morning, this is the general users list. If you want the security experts, try
> >
> > gentoo-security For the discussion of security issues and fixes
> > gentoo-hardened For a security hardened version of Gentoo
>
> You mean I have to go to this group to find detailed documentation in iptables/netfilter rulesets that are indeed secure, published, and used in more than one place?

Why do you think that iptables/netfilter is exclusive to gentoo? It is a general linux question; iptables is not a product of gentoo.

There are no such published, shared rule sets because each site has its own security requirements and places different priorities upon the rules. Some will prioritize the connection tracking rules above the service rules (to optimize outbound active connections over new service connections) whilst others will prioritize them in the opposite direction. And the services themselves can be prioritized differently.

If you really want the down and dirty on iptables, go out and buy "Linux Firewalls" by Ziegler and Constantine. It describes every nook and cranny of iptables.

In the mean time, welcome to my kill file.
RE: [gentoo-user] Re: iptables example on Gentoo
> > > I think it might be important to point out here how Shorewall handles/uses these files. I don't use Shorewall, so I can't really shed light on it. But these config files are really only one side of the mirror.
>
> Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTING RULESETS ARE SIMILAR TO THOSE BUILT MANUALLY with a one-to-one correspondence to iptables/netfilter.

FWIW, shorewall does not have a gui. It reads the script files and builds appropriate iptables rules and applies them.

> I'm not looking for advice on building firewalls as a newbie. I'm looking for somebody that knows IPTABLES/NETFILTER, preferably on Gentoo, and is willing to share a little information. I'm in the process of building a gentoo based firewall to compare the robustness against OpenBSD + pf. The really funny thing is a year ago, this list was full of persons that debunked OpenBSD's security supremacy. Now all I'm getting is a lot of 'hot air' and 'bull-loney'. Why are so many people scared to manage their own firewall rulesets directly?

I know iptables/netfilter. I've worked through all of the online documentation, I've read iptables books, I've implemented firewalls using just iptables. Knowing all of that information, I still suggest using a tool to help manage iptables.

The reason is this: iptables, like PF on openbsd, allows for fine-grained control over every aspect of the network traffic going in and out of the box. Most folks, however, have little need for such fine-grained control over their firewall. They want a simple set of rules that allow outgoing traffic and certain incoming traffic. They don't care about masquerading vs DNAT/SNAT, what to enable/disable on the ICMP packets, which ones to reject vs deny, etc. They don't need a detailed explanation of why the order of the addition of rules to the table impacts network performance as well as whether a certain rule actually disables traffic that a later rule would actually allow.

So why is it so necessary to get down and dirty with iptables when there are supporting tools that manage all of these details quite well?

> Personally, when the occasional hacker does manage to penetrate a menagerie of obstacles, I like to watch what they do, and learn. Besides the end result is there is nothing in my networks that if destroyed, cannot be rebuilt. Anything of treasure value is protected by a 4 foot air_gap. I guess I see talented penetration specialists more as kindred spirits, as opposed to evil interlopers. This FEAR of managing your own iptables/netfilters rulesets is not healthy. Who the F*** wants to live life afraid? Conquer your demons face to face, unless there really is truth to what the OpenBSD community says about linux, 'linux based security is bullshit'.

Oh, come on. Using a tool to assist in rules maintenance hardly qualifies as being afraid. Using a tool to assist in rules maintenance means you have better things to do with your time than operate at such a low level. Per your idiom, we should throw out higher-level programming languages because they take us all away from knowing microcode and assembler. The tools exist because they are an aid, not a crutch.

> OpenBSD + PF is a piece of cake. OpenBSD comes secure right out of the box. If the gentoo experts that peruse this list read this email, surely they can direct one to examples where the details of secure rulesets exist? Surely someone is confident enough in their iptables/netfilter rulesets to publish them?

Being a gentoo and/or linux expert does not qualify one as an iptables expert. Perhaps the same cannot be said about openbsd wrt pf, but that's not for me to say. If you think iptables should be so easy to pick up, then go pick it up and make it work for you - no one is stopping you from that task.

> Maybe the linux security models are not up to the task? SElinux etc?

They are up to the task, which is why linux is used a heck of a lot more than openbsd...

> PF rulesets are quite elaborate, but easily discernable.

Iptables, as well, can be quite elaborate. Discernable is another question entirely. If you know what you're doing, you can create a discernable set of rules using custom chains and appropriate ordering. Most often, though, what you'll see is the list of rules in some quasi order which is supposed to satisfy security and accessibility requirements, but hardly show up as being discernable.

> If you have ruleset capabilities, then look at this example, and tell me what's deficient with it?
> http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

First of all, the connection tracking rule is too far down in the INPUT chain; it should come close to the top to shorten the amount of rules an established connection would need to travel through before being accepted.

Secondly, there's no filtering of traffic headed outbound. Typically any windblows & ipp traffic should b
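The two deficiencies named above (connection-tracking rule too far down INPUT, no outbound filtering), as an added example that is neither from the thread nor from the linked script: a small POSIX shell/awk lint over iptables-save-format text, run against a constructed "weak" dump that has both problems and a constructed hardened dump that fixes them. The dumps, the chain contents and the "within the first two rules" threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for
# (1) how far down the INPUT chain the ESTABLISHED,RELATED accept rule sits and
# (2) whether outbound traffic (the OUTPUT chain) is filtered at all.
# Both dumps are constructed samples.

# "Before": conntrack rule is the last INPUT rule, OUTPUT is wide open.
WEAK_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# "After": established traffic is accepted right after loopback, INVALID is
# dropped early, and OUTPUT is default-deny with explicit allowances.
HARDENED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT'

# conntrack_position DUMP: 1-based index of the first ESTABLISHED,RELATED
# accept rule among the INPUT rules (state or conntrack match), 0 if none
conntrack_position() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            if ((/--state ESTABLISHED,RELATED/ || /--ctstate ESTABLISHED,RELATED/) \
                && /-j ACCEPT/) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }
    '
}

# output_filtered DUMP: "yes" if OUTPUT has a DROP policy or at least one
# rule, "no" if it is policy ACCEPT with no rules at all
output_filtered() {
    printf '%s\n' "$1" | awk '
        /^:OUTPUT / { policy = $2 }
        $1 == "-A" && $2 == "OUTPUT" { rules++ }
        END { r = (policy == "DROP" || rules > 0) ? "yes" : "no"; print r }
    '
}

# lint DUMP: one finding per line; prints nothing when both checks pass.
# The threshold (rule #2 at the latest, right after the loopback accept)
# is an assumption of this example.
lint() {
    pos=$(conntrack_position "$1")
    if [ "$pos" -eq 0 ]; then
        echo "INPUT: no ESTABLISHED,RELATED accept rule"
    elif [ "$pos" -gt 2 ]; then
        echo "INPUT: conntrack accept is rule #$pos; move it to the top"
    fi
    [ "$(output_filtered "$1")" = "yes" ] || echo "OUTPUT: no outbound filtering"
}

# lint_count DUMP: number of findings, for scripting
lint_count() { lint "$1" | awk 'END { print NR }'; }

echo "weak dump:";     lint "$WEAK_DUMP"
echo "hardened dump:"; lint "$HARDENED_DUMP"
```

Both dumps are in the format iptables-restore reads, so the hardened one can be loaded with "iptables-restore < file" once adapted to a real host.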
Re: [gentoo-user] Re: iptables example on Gentoo
James wrote:
> Dave Nebinger joat.com> writes:
>
>>> I think it might be important to point out here how Shorewall
>>> handles/uses these files. I don't use Shorewall, so I can't really
>>> shed light on it. But these config files are really only one side of
>>> the mirror.
>
> Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTING RULESETS
> ARE SIMILAR TO THOSE BUILT MANUALLY with a one-to-one correspondence
> to iptables/netfilter.

I think, perhaps, you misunderstood what I was saying. My understanding of shorewall was that it was a script (or series of scripts) that look for the previously specified config files and do "cool stuff" with the information contained in them. I was simply stating that in order to put value to the information in the config files, that you would have to know what the scripts do. I was not, in any way, suggesting that you use Shorewall. I can completely understand and sympathize with your need to dissect iptables, and the security it provides. However, I tend to take a top-down approach, as opposed to the bottom-up approach you seem to prefer.

>> Actually these files are typically the only ones you'll need to edit...
>
> I have a very robust OpenBSD based firewall.
>
> I'm not looking for advice on building firewalls as a newbie.
> I'm looking for somebody that knows IPTABLES/NETFILTER, preferably
> on Gentoo, and is willing to share a little information. I'm in the
> process of building a gentoo based firewall to compare the robustness
> against OpenBSD + pf.

< ... snipping "BSD is better" rant ... >

> sincerely, from a dreamer and a loser, and a simpleton,
>
> (but, I'm not afraid of any stinking rule_set, are you?)
>
> James

Going back to your original questions, I'm not really sure I can help with Q1. However, in regards to Q2, there aren't any config files for iptables. The tables are stored in memory. You can do an "iptables-save", which will output a modified version of the rules currently in place, which can subsequently be modified (assuming you understand and duplicate the syntax) and restored (with any changes) using "iptables-restore". Otherwise, all of your editing should be done at the command line. I would recommend using a script (of your own design, if so desired) to ease repeatability, and reduce the possibility for mistakes (fat-fingering). Also, a script of this nature would be handy for starting the iptables upon boot (I believe the HOW-TO you referenced covers this).

HTH.

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
Re: [gentoo-user] Re: iptables example on Gentoo
James wrote:
>
> (Booo)
>
> The really sad thing in this whole thread, is nobody
> has even mentioned which (kernel) sources to use, what
> to disable/enable and why. Is this some sort of deep secret
> or is the gentoo community un_caring about those who
> simply want to learn about iptables/netfilter in a 2.6
> kernel environment? Hell, if this list and the greater
> gentoo community do not have this aggregated knowledge

Good morning, this is the general users list. If you want the security experts, try

gentoo-security    For the discussion of security issues and fixes
gentoo-hardened    For a security hardened version of Gentoo

If you want to discuss comparisons between Gentoo and BSD, this might be the place:

gentoo-bsd    Discussion about Gentoo/BSD

That's all I'm going to say in the face of all this needlessly insulting behaviour.

Holly
Re: [gentoo-user] Re: iptables example on Gentoo
Hi,

James wrote:
> Dave Nebinger joat.com> writes:
>>> I think it might be important to point out here how Shorewall
>>> handles/uses these files. I don't use Shorewall, so I can't really
>>> shed light on it. But these config files are really only one side of
>>> the mirror.
>
> Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTING RULESETS
> ARE SIMILAR TO THOSE BUILT MANUALLY with a one-to-one correspondence
> to iptables/netfilter.

IMHO shorewall isn't a GUI, it's just a script (might be wrong here) with many config files for many (quite all) possible usages and with a manual (in pdf & other formats) which is around 500-600 pages. All the configuration is done by editing files in the /etc/shorewall/... directory (and they come heavily commented).

...SKIP...

> OpenBSD + PF is a piece of cake. OpenBSD comes secure right
> out of the box. If the gentoo experts that peruse this list
> read this email, surely they can direct one to examples where
> the details of secure rulesets exist?
> Surely someone is confident enough in their
> iptables/netfilter rulesets to publish them?

IMO OpenBSD's initial goal was just that - to be very secure even in its default install. Haven't seen such a claim for Gentoo (plain).

> Maybe the linux security models are not up to the task?
> SElinux etc?

Have some experience with Grsec2+PaX and RSBAC (SElinux brother ;) IMHO they are significantly better than OpenBSD in overall security. The "new/next" version of OpenBSD will have some sort of protection against memory overflow attacks (writing this from memory only, might not be 100% correct) so they are slowing the next release to test this 'new' feature - which one and others too are already used by Hardened Gentoo. Check 'Adamantix' - Debian + PaX (memory protection) + RSBAC (DAC). Example: see 'gibraltar' router/firewall distro - uses RSBAC-kernel.

> PF rulesets are quite elaborate, but easily discernable.
> You know, 'the rat' culture is questionable, but, he's really
> quite talented and reasonable, once you get past the phasic behavior.
> OpenBSD comes secure, right out of the installation. Building a
> really secure firewall is trivial. I thought (gentoo)linux was
> supposed to be equal to or superior to OpenBSD for security and
> every other aspect of computing?
>
> If you have ruleset capabilities, then look at this example,
> and tell me what's deficient with it?
> http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt
>
> It was created for 2.4 based kernels, but this simple website
> shows one how to prepare a 2.6 kernel as the basis of the firewall:
> http://www.gentoo.org/doc/en/home-router-howto.xml
> It is a bit shallow, but at least this author is not scared of
> iptables/netfilter fundamentals.
>
> (Booo)
>
> The really sad thing in this whole thread, is nobody has even
> mentioned which (kernel) sources to use, what to disable/enable and
> why. Is this some sort of deep secret or is the gentoo community
> un_caring about those who simply want to learn about
> iptables/netfilter in a 2.6 kernel environment? Hell, if this list
> and the greater gentoo community do not have this aggregated
> knowledge then let's develop it and document it and share it. This
> is how we, as the open_source community distinguish ourselves from
> the Vulture and his menion_buzzards that inhabit Redmond!
>
> sincerely, from a dreamer and a loser, and a simpleton,
> (but, I'm not afraid of any stinking rule_set, are you?)
>
> James

No flames please, just my opinion.

HTH.

Rumen
RE: [gentoo-user] Re: iptables example on Gentoo
> I think it might be important to point out here how Shorewall
> handles/uses these files. I don't use Shorewall, so I can't really
> shed light on it. But these config files are really only one side of
> the mirror.

Actually these files are typically the only ones you'll need to edit...

/etc/shorewall/interfaces defines the interfaces that will be available to shorewall and provides some logical names for rules mapping.

/etc/shorewall/masq defines the masquerades to use and provides a quick and easy way to say things like "eth1 traffic going out on eth0 should be masqueraded".

/etc/shorewall/policy defines the default policies on the interfaces.

/etc/shorewall/zones defines human-readable names for the interfaces, although I haven't really seen them used for much they are critical to the functionality (you'll get weird startup failure messages if they're missing).

/etc/shorewall/rules is the critical file, and it defines the rules for what traffic will be allowed. My rules file, for example, indicates that incoming mail and other services are either allowed for the router box to handle or forwarded into the DMZ. It also defines what traffic to block (i.e. outbound windblows networking ports), what hosts to block (ip addresses that hit the ssh daemon), etc.

Other files that you might edit are /etc/shorewall/blacklist, an optional blacklist file to block all traffic from these hosts, and /etc/shorewall/shorewall.conf, the general shorewall configuration file.

Many other files exist in the directory but I'm willing to bet that 95% of the time you won't need to modify them.
Re: [gentoo-user] Re: iptables example on Gentoo
Also check out monmotha for a good script that should handle this. However, as others have pointed out, home brew firewall scripts, especially with someone who admits they are lost, is a recipe for disaster. Pick something like shorewall or monmotha and modify - carefully. There is a very good reason they are so complex!

BillK

On Tue, 2005-09-06 at 17:02 -0700, gentuxx wrote:
> Dave Nebinger wrote:
>
>>> If shorewall is so easy, then just email
>>> to me the config files for a 3 nic network, with DMZ based web server,
>>> ...
Re: [gentoo-user] Re: iptables example on Gentoo
Dave Nebinger wrote:
>> If shorewall is so easy, then just email
>> to me the config files for a 3 nic network, with DMZ based web server,
>> and only internally (LAN) initiated connections allowed, in the form
>> of config files, OK?
>
> Sure, there's 5 files you'd need to set up and, as per your request, it is
> limited to web service on DMZ box and outbound connections only. Took me
> all of 5 minutes to sketch this out and yes, it would work as-is.
>
> Hand-coding the iptables rules, while instructional, is really painful when
> you're trying to work with a production server. When you get down to it,
> iptables is not super difficult to learn, but the syntax and nuances can be
> a pain to try to get straight.
>
> It is for that reason that I tend to push folks away from direct iptables
> coding when the messages come up on the list; it is typically much simpler
> to say 'set up shorewall like this' than it is to get them to understand
> about defining the connection tracking rules before the general rules,
> manage the default policies, include the bits and pieces of iptables that
> can filter out bogus tcp/udp packets, etc. etc. I certainly wasn't trying
> to rain on your educational parade.
>
> /etc/shorewall/interfaces:
> # Assumes you're getting IP address from dhcp server
> net eth0 detect dhcp,routefilter,norfc1918,tcpflags
> # Assumes you're serving dhcp to internal systems
> loc eth1 detect dhcp,tcpflags
> # Assumes DMZ has fixed IP addresses
> dmz eth2 detect tcpflags
>
> /etc/shorewall/masq:
> # All outgoing traffic should be masqueraded as coming from the primary card
> eth0 eth1
> eth0 eth2
>
> /etc/shorewall/policy:
> # Allow any outbound traffic from local network
> loc net ACCEPT
> # Allow any outbound traffic initiated from the DMZ
> dmz net ACCEPT
> # Allow traffic between DMZ and local zone
> dmz loc ACCEPT
> loc dmz ACCEPT
> # Drop any incoming packets
> net all DROP
> # throw away the rest
> all all REJECT
>
> /etc/shorewall/zones:
> net Net Internet
> loc Local Local Networks
> dmz DMZ Demilitarized Zone
>
> /etc/shorewall/rules:
> # Allow ports 80, 443 to go to the DMZ via dnat
> # Assumes web server is at ip address below
> DNAT net dmz:192.168.1.10 tcp 80,443

I think it might be important to point out here how Shorewall handles/uses these files. I don't use Shorewall, so I can't really shed light on it. But these config files are really only one side of the mirror.

Just my 2¢.

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
RE: [gentoo-user] Re: iptables example on Gentoo
> It's not a parade, it's what old-timers do, it's how I learn.

I started that way too (being an old-timer myself ;-) However after consuming info available on the net and buying/reading an iptables book, I quickly came to realize that it's quite easy to shoot yourself in the foot with iptables. Shorewall, and many of the other alternatives, end up handling the nuances of iptables quite nicely and take most of the bullets out of your gun, thus protecting your feet.

>> /etc/shorewall/interfaces:
>> # Assumes you're getting IP address from dhcp server
>> net eth0 detect dhcp,routefilter,norfc1918,tcpflags
>> # Assumes you're serving dhcp to internal systems
>> loc eth1 detect dhcp,tcpflags
>
> how about for a static
> loc eth1 detect tcpflags

Yes, the /etc/shorewall/interfaces file has excessive documentation that explains what would go on the end.

> Thanks for your help. I think I've got enough here to get
> it basically working. Once I make the rulesets more complex,
> I'll use shorewall generated rules and configs to see what I
> have missed.

You may be in a little trouble if you're talking about mixing shorewall & iptables... They really don't play well together. Shorewall (and many of the others) create custom chains to contain individual rules of varying types. The problem is that these custom chains tend to get intertwined with each other and trying to identify a shorewall-based iptable rule that you want to copy to a straight iptable implementation can be difficult. That plus if you start shorewall it basically clears all existing chains to load its own info, so all firewall rules must be kept in the shorewall files. So you really have to pick one or the other but not both.

Dave
RE: [gentoo-user] Re: iptables example on Gentoo
> If shorewall is so easy, then just email
> to me the config files for a 3 nic network, with DMZ based web server,
> and only internally (LAN) initiated connections allowed, in the form
> of config files, OK?

Sure, there's 5 files you'd need to set up and, as per your request, it is limited to web service on DMZ box and outbound connections only. Took me all of 5 minutes to sketch this out and yes, it would work as-is.

Hand-coding the iptables rules, while instructional, is really painful when you're trying to work with a production server. When you get down to it, iptables is not super difficult to learn, but the syntax and nuances can be a pain to try to get straight.

It is for that reason that I tend to push folks away from direct iptables coding when the messages come up on the list; it is typically much simpler to say 'set up shorewall like this' than it is to get them to understand about defining the connection tracking rules before the general rules, manage the default policies, include the bits and pieces of iptables that can filter out bogus tcp/udp packets, etc. etc. I certainly wasn't trying to rain on your educational parade.

/etc/shorewall/interfaces:
# Assumes you're getting IP address from dhcp server
net   eth0   detect   dhcp,routefilter,norfc1918,tcpflags
# Assumes you're serving dhcp to internal systems
loc   eth1   detect   dhcp,tcpflags
# Assumes DMZ has fixed IP addresses
dmz   eth2   detect   tcpflags

/etc/shorewall/masq:
# All outgoing traffic should be masqueraded as coming from the primary card
eth0   eth1
eth0   eth2

/etc/shorewall/policy:
# Allow any outbound traffic from local network
loc   net   ACCEPT
# Allow any outbound traffic initiated from the DMZ
dmz   net   ACCEPT
# Allow traffic between DMZ and local zone
dmz   loc   ACCEPT
loc   dmz   ACCEPT
# Drop any incoming packets
net   all   DROP
# throw away the rest
all   all   REJECT

/etc/shorewall/zones:
net   Net     Internet
loc   Local   Local Networks
dmz   DMZ     Demilitarized Zone

/etc/shorewall/rules:
# Allow ports 80, 443 to go to the DMZ via dnat
# Assumes web server is at ip address below
DNAT   net   dmz:192.168.1.10   tcp   80,443
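As an added example (not code from the thread, nor shorewall's generated output), here is the hand-coded iptables script that the five shorewall files above boil down to: the tcpflags chain and the three RFC 1918 drops stand in for the tcpflags and norfc1918 interface options, and the connection tracking rules sit at the top of INPUT and FORWARD as argued earlier in the thread. The local and DMZ subnets, the DHCP-client rule, the outbound Windows-networking and IPP ports that are dropped, and the IPT variable (set it to "echo iptables" to print the rules instead of loading them) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a hand-coded iptables equivalent of
# the five shorewall files above (net=eth0 on dhcp, loc=eth1, dmz=eth2, web
# server 192.168.1.10). The two subnets and the IPT variable are assumptions.
NET=eth0; LOC=eth1; DMZ=eth2
LOC_NET=192.168.0.0/24     # assumed local LAN
DMZ_NET=192.168.1.0/24     # assumed DMZ network
WEB=192.168.1.10
IPT="${IPT:-iptables}"     # IPT="echo iptables" prints the rules instead
# Emit the rules, one per line, in load order: policies and flush first, then
# loopback and connection tracking before anything else, catch-alls last.
firewall_rules() {
cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F
-X
-t nat -F
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-N tcpflags
-A tcpflags -p tcp --tcp-flags ALL NONE -j DROP
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i $NET -p tcp -j tcpflags
-A FORWARD -i $NET -p tcp -j tcpflags
-A INPUT -i $NET -s 10.0.0.0/8 -j DROP
-A INPUT -i $NET -s 172.16.0.0/12 -j DROP
-A INPUT -i $NET -s 192.168.0.0/16 -j DROP
-A INPUT -i $NET -p udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -o $NET -p tcp -m multiport --dports 135,137,138,139,445,631 -j DROP
-A FORWARD -o $NET -p udp -m multiport --dports 137,138 -j DROP
-A FORWARD -i $LOC -o $NET -j ACCEPT
-A FORWARD -i $DMZ -o $NET -j ACCEPT
-A FORWARD -i $LOC -o $DMZ -j ACCEPT
-A FORWARD -i $DMZ -o $LOC -j ACCEPT
-t nat -A PREROUTING -i $NET -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
-A FORWARD -i $NET -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-t nat -A POSTROUTING -s $LOC_NET -o $NET -j MASQUERADE
-t nat -A POSTROUTING -s $DMZ_NET -o $NET -j MASQUERADE
-A INPUT -j REJECT
-A FORWARD -j REJECT
EOF
}
# Apply every rule through $IPT and stop at the first one the kernel refuses.
apply_rules() {
    firewall_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each line is an argument list
        $IPT $rule || exit 1       # exit leaves the pipeline subshell only
    done
}
# Forwarding plus reverse-path filtering (shorewall's routefilter option).
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/$NET/rp_filter
}
```

Keep this script and shorewall on separate boxes: as noted later in the thread, starting shorewall flushes whatever chains a script like this has loaded.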