Re: [masq] [masq] FTP and firewalls

1999-01-29 Thread Clifford Hammerschmidt

At 10:14 PM 1/28/99 -0600, Fuzzy Fox wrote:
> Clifford Hammerschmidt [EMAIL PROTECTED] wrote:
> 
> > ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d yourip 1024:65535
> > 
> > This is also the same as -P input ACCEPT...  you're allowing anyone to
> > connect from their port 20 (easy enough to spoof) to your box on any
> > port above 1023...  not a great idea.
> 
> I think he later changed it to encompass only the masq range, 61000-
> 65535, but still, the point is valid.  Even with the looser ruleset,
> though, few important services are above the 1024 port range.  The only
> ones that come to mind are NFS and X, both of which can be specifically
> blocked.  I wouldn't worry so much.
> 
> > Someone using NMap could scan all your upper ports easily.
> 
> And what would they find there?

Any backdoor or Trojan installed on your system by tampered code or
previous hacks.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
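The objection in this thread is that a rule admitting new connections (ipchains `-y`, SYN only) from any source to a wide band of local high ports is effectively an open door, whatever the claimed source port is. The following is an added example, not code from the list, that lints ipchains command lines for exactly that pattern; it assumes the option layout used in the thread (`-s addr [port]`, `-d addr [port-or-range]`, `-j ACCEPT`) and treats any rule without `! -y` as admitting new connections, since ipchains matches SYN packets unless they are excluded. The ruleset fed to it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the list post): flag ipchains ACCEPT rules that let
# arbitrary remote hosts open NEW connections to a wide range of local ports.
# Input: ipchains command lines, one per line, on stdin.

# Constructed sample ruleset: the loose rule from the thread, the masq-range
# variant, a replies-only rule ("! -y"), and a single-port service rule.
SAMPLE_RULES='ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d 1.2.3.4 1024:65535
ipchains -A input -j ACCEPT -y -p tcp -s 0.0.0.0/0 20 -d 1.2.3.4 61000:65535
ipchains -A input -p TCP ! -y -d 0.0.0.0/0 1024: -j ACCEPT
ipchains -A input -p TCP -s 0.0.0.0/0 -d 1.2.3.4 ssh -j ACCEPT'

# Print every rule that (a) ACCEPTs from any source address, (b) is not
# limited to non-SYN packets with "! -y", and (c) names a destination port
# range at least 1024 ports wide ("1024:" means 1024 through 65535).
audit_new_conn_rules() {
    awk '
    /-j ACCEPT/ && /-s 0\.0\.0\.0\/0/ {
        newconn = 1; dport = ""
        for (i = 1; i <= NF; i++) {
            # "! -y" restricts the rule to non-SYN packets (replies only)
            if ($i == "-y" && i > 1 && $(i-1) == "!") newconn = 0
            # "-d <address> <port-or-range>": remember the port token
            if ($i == "-d" && i + 2 <= NF) dport = $(i+2)
        }
        if (!newconn || dport !~ /^[0-9]+:[0-9]*$/) next
        split(dport, r, ":")
        hi = (r[2] == "") ? 65535 : r[2] + 0
        width = hi - r[1] + 1
        if (width >= 1024)
            printf "WIDE-OPEN (%d local ports, new connections from any host): %s\n", width, $0
    }'
}

# Demo run over the constructed ruleset: the first two rules are reported,
# the replies-only rule and the ssh rule are not.
printf '%s\n' "$SAMPLE_RULES" | audit_new_conn_rules
```

To run it over a real rc.firewall, feed it the `ipchains` lines with the shell variables already expanded (`$ALL`, `$LOCALIP` and friends are not resolved by the lint); the masq-range variant is still reported because 61000:65535 is 4536 ports, which is smaller than the original 64512 but still an arbitrary band of ports anyone can open connections to.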



[masq] IPCHAINS Firewalls Sample rc.firewall

1999-01-29 Thread Clifford Hammerschmidt


#!/bin/sh
#
# IPChains firewall and MASQ setup.
# Jan 12, 1999
#
# Version 1.0
#
# Mangled together by Clifford Hammerschmidt ([EMAIL PROTECTED]).
# Assumes eth0-internet (DHCP)
# eth1-intranet (192.168.1.x)
#
# Stolen from various HOW-TO's from around the net.
# For lots more info goto http://www.rustcorp.com/linux/ipchains/
#
# USE AT YOUR OWN RISK
#

echo "Clear all IPCHAINS"
/sbin/ipchains -F

echo "Enabling MASQ"

# if using modules uncomment the line below...
#(and add any other masq modules you need)
/sbin/modprobe ip_masq_ftp

# Get eth0's IP (eth0 connects to the internet.)
LOCALIP=`ifconfig eth0 | awk '/inet addr/ {print substr($2,6)}'`
ALL="0.0.0.0/0"
BCAST="255.255.255.255/32"
LANADDRS="192.168.1.0/24"
DNS1="209.53.0.1/32"
DNS2="209.53.0.17/32"

# MASQ
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s $LANADDRS -d $ALL
/sbin/ipchains -M -S 7200 10 7200

echo "Enabling Firewall"

# Turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
   echo -n "Setting up IP spoofing protection..."
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
   done
   echo "done."
else
   echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
fi

# Define two eth interfaces with input and output
echo "Creating eth0 chains"
/sbin/ipchains -N eth0-in
/sbin/ipchains -A input -i eth0 -j eth0-in
/sbin/ipchains -N eth0-out
/sbin/ipchains -A output -i eth0 -j eth0-out
echo "Creating eth1 chains"
/sbin/ipchains -N eth1-in
/sbin/ipchains -A input -i eth1 -j eth1-in
/sbin/ipchains -N eth1-out
/sbin/ipchains -A output -i eth1 -j eth1-out

# Close the door
echo "Deny all external incoming packets"
/sbin/ipchains -P input DENY

echo "Allow all ICMP on input"
/sbin/ipchains -A input -p ICMP -s $ALL -d $LOCALIP -j ACCEPT

echo "DENY and log eth0-in packets with LOCALIP as source"
/sbin/ipchains -A eth0-in -s $LOCALIP -d $LOCALIP -j DENY -l

echo "Allow all local packets"
/sbin/ipchains -A input -i lo -j ACCEPT

echo "Allow local on eth1"
/sbin/ipchains -A eth1-in -s $LANADDRS -j ACCEPT


echo "DENY local on eth0"
/sbin/ipchains -l -A eth0-in -s $LANADDRS -j DENY

echo "Setup rules for output (applies to all eth's)"
/sbin/ipchains -A output -p TCP -d $ALL telnet -t 0x01 0x10
/sbin/ipchains -A output -p TCP -s $ALL ftp-data -t 0x01 0x08
/sbin/ipchains -A output -p TCP -d $ALL pop-3 -t 0x01 0x02

echo "Setup rules for eth0-in"

echo "Allow DHCP"
# DHCP runs over UDP (client port 68 to server port 67); the TCP rule
# below is harmless but never matches real DHCP traffic.
/sbin/ipchains -A eth0-in -p UDP -s $ALL 68 -d $BCAST 67 -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $ALL 68 -d $BCAST 67 -j ACCEPT

echo "Allow DNS"
# sub in your own servers
/sbin/ipchains -A eth0-in -p UDP -s $DNS1 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $DNS1 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A eth0-in -p UDP -s $DNS2 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $DNS2 domain -d $LOCALIP -j ACCEPT

echo "Allow FTP"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ftp -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ftp-data -j ACCEPT

echo "Allow telnet"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP telnet -j ACCEPT

echo "Allow httpd"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP http -j ACCEPT

echo "Allow smtp (sendmail)"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP smtp -j ACCEPT

echo "Allow ident"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP auth -j ACCEPT

echo "Allow TCP Replies"
# Applies to the top-level input chain, i.e. every interface: accepts any
# TCP packet that is not a connection request (SYN) and is bound for a
# port >= 1024, so replies to outbound connections can get back in.
/sbin/ipchains -A input -p TCP \! -y -d $ALL 1024: -j ACCEPT

echo "Allow ssh"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ssh -j ACCEPT



Re: [masq] [masq] [masq] Setting time limited masq rules?

1999-01-27 Thread Clifford Hammerschmidt

ipfwadm -F -l -e -x
This will list the forwarding rules, and will give 'byte counts'. Your cron
job can check the rules, and when the byte counts are stable for too many
minutes, you can delete the rules in question.


You might want to try IPCHAINS (kernel 2.2.0) and have a separate chain for
the users; you can then clear just that chain ... eg,

-
# stuff to create the chain (ipchains -N user_chain) and place it in the
# right spot if it doesn't already exist...

# Flush existing rules, if any...
ipchains -F user_chain
# Add rules for this user...
ipchains -A user_chain ...
-
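The cron approach suggested above (watch the per-rule byte counters, and drop a rule once its counter has stopped moving for too long) is easy to get wrong if a single idle interval is enough to trigger deletion. The following is an added example, not code from the list, showing the bookkeeping: compare two counter snapshots, keep a per-rule count of consecutive idle runs, and only retire a rule after it has been idle for a configured number of runs. The snapshot format is a constructed, simplified "rule-id bytes" table; a real job would first reduce the `ipfwadm -F -l -e -x` listing to such pairs with awk, and the column positions for that step depend on the ipfwadm version, so they are not assumed here. The rule ids and counts are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the list post: spot forwarding rules whose byte
# counters have stopped moving between two cron snapshots, and retire them
# only after they have been idle for a number of consecutive runs.

# Constructed snapshots, as saved by two consecutive cron runs
# ("rule-id bytes"; derived from the ipfwadm listing in a real job).
SNAP_PREV='user1 1048576
user2 20480
user3 999'
SNAP_CUR='user1 1048576
user2 21504
user3 999'
# Constructed state from earlier runs: consecutive idle intervals per rule.
PRIOR_COUNTS='user1 2
user2 1'

# Print the ids whose byte count in $2 (current) equals the one in $1
# (previous). Both tables go through one awk, separated by a "--" line.
stale_rules() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
    NF == 0 { next }
    $1 == "--" { cur = 1; next }
    !cur { prev[$1] = $2; next }
    ($1 in prev) && prev[$1] == $2 { print $1 }'
}

# Given the "id idle_intervals" table in $1 and the ids idle this run in
# $2, print the new table: idle ids are incremented, ids that moved drop
# out (their count resets to zero by omission).
bump_stale_counts() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
    NF == 0 { next }
    $1 == "--" { cur = 1; next }
    !cur { n[$1] = $2; next }
    { print $1, ($1 in n ? n[$1] + 1 : 1) }'
}

# Print ids from table $1 that have been idle for at least $2 intervals.
expired_rules() {
    printf '%s\n' "$1" | awk -v limit="$2" 'NF == 2 && $2 + 0 >= limit + 0 { print $1 }'
}

# One cron run with a limit of 3 consecutive idle intervals: user1 and user3
# are idle this run; user1 reaches 3 and is due for removal, user3 is at 1.
stale=$(stale_rules "$SNAP_PREV" "$SNAP_CUR")
counts=$(bump_stale_counts "$PRIOR_COUNTS" "$stale")
for id in $(expired_rules "$counts" 3); do
    # Here the real job would delete the rule (ipfwadm -F -d ..., or flush
    # that user's own chain under ipchains) and drop it from the state table.
    echo "rule $id idle for 3 runs: would be removed"
done
```

The new `counts` table is what the job would write back to disk for the next run; keeping the idle count separate from the raw counters is what lets a rule survive a single quiet interval while still being retired once it has been silent for the whole window.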



[masq] IPChains MASQ/Firewall

1999-01-19 Thread Clifford Hammerschmidt

Speaking of firewalls...

This is my first real try at making an ipchains firewall, so don't expect
greatness, but I hope it helps out all the 2.2.0-pre people.

#!/bin/sh
#
# IPChains firewall and MASQ setup.
# Jan 12, 1999
#
# Version 0.9 alpha
#
# Mangled together by Clifford Hammerschmidt ([EMAIL PROTECTED]).
# Assumes eth0-internet (DHCP)
# eth1-intranet (192.168.1.x)
#
# Stolen from various HOW-TO's from around the net.
# For lots more info goto http://www.rustcorp.com/linux/ipchains/
#
# Requires: awk in the path, used to get eth0's IP.
#
# USE AT YOUR OWN RISK
#

echo "Enabling MASQ"

#(and add any other masq modules you need)
/sbin/modprobe ip_masq_ftp

# MASQ
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
/sbin/ipchains -M -S 7200 10 7200

echo "Enabling Firewall"

# Turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
   echo -n "Setting up IP spoofing protection..."
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
   done
   echo "done."
else
   echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
fi

# Get eth0's IP (eth0 connects to the internet.)
LOCALIP=`ifconfig eth0 | awk '/inet addr/ {print substr($2,6)}'`
ALL="0.0.0.0/0"
BCAST="255.255.255.255/32"
LOCAL="192.168.1.0/24"
DNS1="209.53.0.1/32"
DNS2="209.53.0.17/32"

# Define two eth interfaces with input and output
echo "Creating eth0 chains"
/sbin/ipchains -N eth0-in
/sbin/ipchains -A input -i eth0 -j eth0-in
/sbin/ipchains -N eth0-out
/sbin/ipchains -A output -i eth0 -j eth0-out
echo "Creating eth1 chains"
/sbin/ipchains -N eth1-in
/sbin/ipchains -A input -i eth1 -j eth1-in
/sbin/ipchains -N eth1-out
/sbin/ipchains -A output -i eth1 -j eth1-out

# Close the door
echo "Deny all external incoming packets"
/sbin/ipchains -P input DENY

echo "Allow all ICMP on eth1"
/sbin/ipchains -A input -p ICMP -s $ALL -d $LOCALIP -j ACCEPT

echo "Allow all local packets"
/sbin/ipchains -A input -i lo -j ACCEPT

echo "Allow local on eth1"
/sbin/ipchains -A eth1-in -s $LOCAL -j ACCEPT

echo "DENY local on eth0"
/sbin/ipchains -l -A eth0-in -s $LOCAL -j DENY

echo "Setup rules for output (applies to all eth's)"
/sbin/ipchains -A output -p TCP -d $ALL telnet -t 0x01 0x10
/sbin/ipchains -A output -p TCP -s $ALL ftp-data -t 0x01 0x08
/sbin/ipchains -A output -p TCP -d $ALL pop-3 -t 0x01 0x02

echo "Setup rules for eth0-in"

echo "Allow DHCP"
# DHCP runs over UDP (client port 68 to server port 67); the TCP rule
# below is harmless but never matches real DHCP traffic.
/sbin/ipchains -A eth0-in -p UDP -s $ALL 68 -d $BCAST 67 -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $ALL 68 -d $BCAST 67 -j ACCEPT

echo "Allow DNS"
# sub in your own servers
/sbin/ipchains -A eth0-in -p UDP -s $DNS1 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $DNS1 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A eth0-in -p UDP -s $DNS2 domain -d $LOCALIP -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $DNS2 domain -d $LOCALIP -j ACCEPT

echo "Allow FTP"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ftp -j ACCEPT
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP ftp-data -j ACCEPT

echo "Allow telnet"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP telnet -j ACCEPT

echo "Allow httpd"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP http -j ACCEPT

echo "Allow smtp (sendmail)"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP smtp -j ACCEPT

echo "Allow ident"
/sbin/ipchains -A eth0-in -p TCP -s $ALL -d $LOCALIP auth -j ACCEPT

echo "Allow TCP Replies"
# Applies to the top-level input chain, i.e. every interface: accepts any
# TCP packet that is not a connection request (SYN) and is bound for a
# port >= 1024, so replies to outbound connections can get back in.
/sbin/ipchains -A input -p TCP \! -y -d $ALL 1024: -j ACCEPT
