qeldroma Posted April 30, 2003

I want to integrate the following on a corporate server (DSL to Internet, two NICs to LAN). Should I change something?

```bash
#!/bin/bash
NET2SERVER=""
LAN2SERVER="22 210 3306"
SERVER2LAN="80 8080 443 22 10000"
SERVER2NET="20 21 80 8080 443"
NET2LAN=""                                # defined but not used by any rule below
LAN2NET="20 21 80 8080 110 119 443 995"   # defined but not used by any rule below
NIC2NET="ppp0"
NICs2LAN="eth1 eth2"
allowedICMP="echo-request destination-unreachable source-quench time-exceeded parameter-problem"

#############################################
## Modules ##
#############################################
depmod -a
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_owner
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

#############################################
## Kernelparameter ##
#############################################
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}
do
    echo 0 >$i
done
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/tcp_syncookies

#############################################
## reset rules ##
#############################################
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#############################################
## new Rules ##
#############################################
# connection tracking: replies to anything established are accepted; the OUTPUT
# rule also accepts every NEW outbound connection, so the per-port OUTPUT rules
# further down do not restrict what the server may send
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# free IO (loopback)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

for port in $SERVER2NET; do
    iptables -A OUTPUT -p tcp --sport $port -j ACCEPT
    iptables -A OUTPUT -p udp --sport $port -j ACCEPT
done
for port in $NET2SERVER; do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
    iptables -A INPUT -p udp --dport $port -j ACCEPT
done
# OUTPUT rules select the interface with -o; -i is only valid in INPUT and FORWARD
for port in $SERVER2LAN; do
    for NIC in $NICs2LAN; do
        iptables -A OUTPUT -o $NIC -p tcp --sport $port -j ACCEPT
        iptables -A OUTPUT -o $NIC -p udp --sport $port -j ACCEPT
    done
done
for port in $LAN2SERVER; do
    for NIC in $NICs2LAN; do
        iptables -A INPUT -i $NIC -p tcp --dport $port -j ACCEPT
        iptables -A INPUT -i $NIC -p udp --dport $port -j ACCEPT
    done
done

# forwarding: LAN -> Internet anything, Internet -> LAN only replies
iptables -A FORWARD -o $NIC2NET -p ALL -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
for NIC in $NICs2LAN; do
    iptables -A FORWARD -o $NIC -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
done
iptables -t nat -A POSTROUTING -o $NIC2NET -j MASQUERADE

# DNS: only the nameservers listed in /etc/resolv.conf may answer
iptables -A OUTPUT -p udp --sport 1024: --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 -j ACCEPT
for DNS in $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf); do
    iptables -A INPUT -p udp -s $DNS --sport 53 -j ACCEPT
    iptables -A INPUT -p tcp -s $DNS --sport 53 -j ACCEPT
done

# ICMP only on the LAN side
for type in $allowedICMP; do
    for NIC in $NICs2LAN; do
        iptables -A INPUT -i $NIC -p icmp --icmp-type $type -j ACCEPT
        iptables -A OUTPUT -o $NIC -p icmp --icmp-type $type -j ACCEPT
    done
done

#############################################
## Logging ##
#############################################
# drop the noisy NetBIOS and CUPS traffic silently so it does not fill the log
iptables -A INPUT -p tcp --dport netbios-ns -j DROP
iptables -A INPUT -p tcp --dport netbios-dgm -j DROP
iptables -A INPUT -p tcp --dport netbios-ssn -j DROP
iptables -A INPUT -p udp --dport netbios-ns -j DROP
iptables -A INPUT -p udp --dport netbios-dgm -j DROP
iptables -A INPUT -p udp --dport netbios-ssn -j DROP
iptables -A INPUT -p tcp --dport 631 -j DROP
iptables -A INPUT -p udp --dport 631 -j DROP
# everything that gets this far is logged without a rate limit (ipt_limit is loaded but not used)
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
iptables -A INPUT -j DROP
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -j REJECT
iptables -A OUTPUT -j DROP
```

Is that enough??
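iptables only rejects some classes of mistake at load time (`-i` on an OUTPUT rule, an unquoted interface list that expands to `eth1 eth2`), and it silently accepts a LOG rule with no rate limit. As an added example that is not from this thread, the following sh/awk lint flags those three patterns in constructed sample rules before they are handed to iptables.

```shell
#!/bin/sh
# Constructed sample rules, one per line, in the shape of the script posted above.
RULES='iptables -A OUTPUT -i eth1 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -o eth1 eth2 -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j LOG'

# lint_rules: read rules from $1, print one diagnostic per offending rule
lint_rules() {
  printf '%s\n' "$1" | awk '
    # -i exists only in INPUT/FORWARD/PREROUTING, -o only in OUTPUT/FORWARD/POSTROUTING
    /-A OUTPUT/ && / -i / { print "OUTPUT cannot match on -i, use -o: " $0; next }
    /-A INPUT/  && / -o / { print "INPUT cannot match on -o, use -i: " $0; next }
    # an interface option followed by two non-option words means an unquoted list
    # such as "$NICs2LAN" was expanded; iptables rejects the second word
    {
      for (i = 1; i < NF - 1; i++)
        if (($i == "-i" || $i == "-o") && $(i+2) !~ /^-/) {
          print "interface option followed by two words (unquoted list?): " $0; next
        }
    }
    # a LOG rule without -m limit can fill syslog under a flood of unwanted packets
    /-j LOG/ && !/-m limit/ { print "LOG rule without -m limit: " $0 }
  '
}

# lint_count: number of diagnostics for the rules in $1
lint_count() {
  lint_rules "$1" | grep -c .
}

lint_rules "$RULES"
```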
Michel Posted April 30, 2003

Ever tried shorewall?? :) ..ok, you're running a server and this way maybe have more control.. :), but I've also never typed in the commands like that :) ..
qeldroma Posted April 30, 2003

Yo, tried shorewall, couldn't connect to the server any more, although ssh was freed. Kicked it off. Then tried iptables-generator. Could connect to server, but although I opened some ports, they didn't work. Kicked it off. After that I tried fwBuilder. Too complex. Thought I did it right, following the original tutorial. Couldn't get connected from LAN to the internet. Kicked it off. Now tried guarddog and firestarter. Configuration worked, but there was no way to configure a LAN on the second NIC I've got in this server. Kicked them off. ....and then I tried by hand, now all works, there is just this little feeling of insecurity I have until someone else likes this script.....
MottS Posted May 1, 2003

> (DSL to Internet, two NICs to LAN)

I have no idea what your script is all about man .. you are too geeky for me :mystismiles: :mystismiles: But if you can explain in detail what the above quote means I could help you set your Firewall up with Shorewall and ICS from the MCC. .. well maybe a bit of tweaking in the config files but most of the stuff can be done from the MCC. Good luck

What about that? --> http://www.mandrakeusers.org/viewtopic.php?t=4731

MOttS
Cannonfodder Posted May 1, 2003

You probably already did this, but instead of feeling insecure, go to a web site and probe your system. Linux mag has a bunch of articles on security this month. Good reading..
b Posted May 3, 2003

Hi

Other idea 1: Don't know enough to critique your iptables setup! Maybe attack that machine with latest nessus or something?

Other idea 2: Other kernel ipv4 gizmos to consider? Most of the following is in here somewhere (no German version yet, so): http://www.gentoo.org/doc/en/gentoo-security.xml

Note: If you are running a firewall/expert system the following may not be necessary or useful or advisable.

kernel ipv4 settings

```bash
#(Lots of probably useless feedback on startup messages
#in following [included just to make sure they are set as wished])
echo "Options /proc/sys/net/ipv4"
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then       # if variable exists
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all         # set variable
    msg=`cat /proc/sys/net/ipv4/icmp_echo_ignore_all`          # build feedback message
    echo -e "\t${msg} = icmp_echo_ignore_all"                  # display feedback message
fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    msg=`cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`
    echo -e "\t${msg} = icmp_echo_ignore_broadcasts"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    msg=`cat /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses`
    echo -e "\t${msg} = icmp_ignore_bogus_error_responses"
fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
    #echo "0" >...    if not gateway machine
    msg=`cat /proc/sys/net/ipv4/ip_forward`
    echo -e "\t${msg} = ip_forward"
fi
echo " /proc/sys/net/ipv4/conf/*/rp_filter"
for i in /proc/sys/net/ipv4/conf/*; do
    b_n=`basename ${i}`
    if [ -e $i/rp_filter ]; then
        echo "1" > $i/rp_filter
        msg=`cat $i/rp_filter`
        echo -e "\t${msg} = $b_n"
    fi
done
echo " /proc/sys/net/ipv4/conf/all"
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    msg=`cat /proc/sys/net/ipv4/conf/all/accept_source_route`
    echo -e "\t${msg} = accept_source_route"
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    msg=`cat /proc/sys/net/ipv4/conf/all/accept_redirects`
    echo -e "\t${msg} = accept_redirects"
fi
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    msg=`cat /proc/sys/net/ipv4/conf/all/log_martians`
    echo -e "\t${msg} = log_martians"
fi
```

HIH