Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Using tcp wrappers, I would like to be able to allow only internal access to my Intranet EXCEPT for http connections to the web server (would like external users to gain access to web site). Any advice on how to properly set this up?
I made a poor attempt at configuring a firewall, now I am just looking at setting up the basics. I configured and used the firewall script posted on the linux-firewall-tools.com web site and thought I had everything set up the way the documentation suggested, but when I attempt to run the script I get run errors: 2 "command not found" and an EOF error, and I have no clue what is causing them.
Does it come back with:
ipchains 0: off 1: off 2: on 3: on 4: on 5: on 6: off
If so, then tell me your internal interface and eth number and your external interface and eth number (or make up a fake external Internet IP address for this example).
I'll post you a script that will do what you ask.
You need the /etc/rc.d/rc.local file to run it.
First, make an empty script file in the directory /etc/rc.d and call it firewall.sh.
Make sure you "chmod 700 /etc/rc.d/firewall.sh" so it can run.
Then add this line at the end of /etc/rc.d/rc.local:
/etc/rc.d/firewall.sh
Now I'm going to assume you have one network card carrying both of your network IPs.
LAN = 192.168.0.1 "eth0"
External = 192.168.100.10 "eth0:0"
-------------- oooo ---------------
Now put this into your /etc/rc.d/firewall.sh script.
# Deny all access to server secure mode enabled.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY
# sets masquerading timeout values (tcp, tcp after FIN, udp) in seconds
ipchains -M -S 4800 15 200
# magic NAT setting for MASQing
# only used so internal lan can use firewall as gateway to access internet etc.
ipchains -A forward -s 192.168.0.0/24 -j MASQ
# allows access to server from Internal and local only
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.0.0/24 -j ACCEPT
# allow your firewall to surf the net and internal users
# that use the firewall as a gateway.
# HTTP 80,https and proxy access
# also improve the speed with TOS on internet connections
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTP 8080 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 8080 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 8080 -d 192.168.100.10 1023:65535 -j ACCEPT
# example to allow users to use MSN
# MSN messenger
ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 192.168.100.10 1023:65535 -j ACCEPT
# allow your private windozes box on the internal lan SSH
# or telnet access, only 192.168.0.122 is the windozes
# example ip address you use to remotely connect to the firewall
# change 22 to 23 if you need telnet access.
# The client connects from an unprivileged port (1023:65535) to port 22 on the
# firewall, and the firewall answers from port 22, so the ports sit on those sides.
# Note the 192.168.0.0/24 ACCEPT rule above already matches this traffic; the -l
# logging here only fires if this rule is placed before that one.
ipchains -A input -p tcp -s 192.168.0.122 1023:65535 -d 192.168.0.1 --dport 22 -j ACCEPT -l
# logs all connections for you to check with an IDS script
ipchains -A output -p tcp -s 192.168.0.1 --sport 22 -d 192.168.0.122 1023:65535 -j ACCEPT
# now the fun bit to log people trying to scan the firewall:
# TCP probes of the low ports 2-8 on the external address are denied and logged.
# Ping and anything else not matched above is already dropped, unlogged,
# by the DENY input policy set at the top.
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 2:8 -j DENY -l
# the -l hits go to the kernel log (/var/log/messages); a port scan shows up
# there as a run of these entries, which an IDS script can count
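As an added check that is not part of the original thread, the following Python simulator applies ipchains first-match semantics to a constructed subset of the input chain posted above, so the policy can be tested on paper before the script is loaded; the external address 203.0.113.5, the port numbers in the tests and the extra WEB_SERVER_RULE (the inbound rule the poster asked for but the script never adds) are constructed, hypothetical values.

```python
import ipaddress
# Constructed subset of the posted input chain, in posted order (chain policy: DENY);
# the seven "--dport 2" .. "--dport 8" DENY lines are collapsed into one 2:8 range.
POSTED_INPUT_CHAIN = """
-A input -i lo -j ACCEPT
-A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A input -p tcp ! -y -s 0/0 --sport 80 -d 192.168.100.10 1023:65535 -j ACCEPT
-A input -p tcp ! -y -s 0/0 --sport 443 -d 192.168.100.10 1023:65535 -j ACCEPT
-A input -p tcp -s 0/0 -d 192.168.100.10 --dport 2:8 -j DENY -l
"""
# Hypothetical rule the posted script lacks: inbound HTTP to the web server itself.
WEB_SERVER_RULE = "-A input -p tcp -s 0/0 1023:65535 -d 192.168.100.10 --dport 80 -j ACCEPT\n"
VALUE_OPTS = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}
FLAG_OPTS = {"-y": ("syn", True), "!-y": ("syn", False), "-l": ("log", True)}

def ports(spec):                      # '80' -> (80, 80); '1023:65535' -> (1023, 65535)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Parse the ipchains options used in the posted script into a match dict."""
    r = {**dict.fromkeys("chain iface proto src dst sport dport syn target".split()), "log": False}
    t, i = line.replace("! -y", "!-y").split(), 0
    while i < len(t):
        if t[i] in VALUE_OPTS:
            r[VALUE_OPTS[t[i]]], i = t[i + 1], i + 2
        elif t[i] in FLAG_OPTS:
            r[FLAG_OPTS[t[i]][0]], i = FLAG_OPTS[t[i]][1], i + 1
        elif t[i] in ("--sport", "--dport"):
            r[t[i][2:]], i = ports(t[i + 1]), i + 2
        elif t[i] in ("-s", "-d"):
            side = "src" if t[i] == "-s" else "dst"
            addr = "0.0.0.0/0" if t[i + 1] == "0/0" else t[i + 1]
            r[side], i = ipaddress.ip_network(addr, strict=False), i + 2
            if i < len(t) and t[i][0].isdigit():   # ipchains "addr port[:port]" form
                r["sport" if side == "src" else "dport"], i = ports(t[i]), i + 1
        else:
            raise ValueError("unsupported ipchains option: " + t[i])
    return r

def match(r, pkt):                    # every option the rule sets must agree with the packet
    return (all(r[k] is None or r[k] == pkt[k] for k in ("iface", "proto", "syn"))
            and all(r[k] is None or ipaddress.ip_address(pkt[k]) in r[k] for k in ("src", "dst"))
            and all(r[k] is None or r[k][0] <= pkt[k] <= r[k][1] for k in ("sport", "dport")))

def verdict(chain_text, pkt, policy="DENY"):
    """First matching rule wins, as in ipchains; otherwise the chain policy applies."""
    for rule in map(parse_rule, chain_text.strip().splitlines()):
        if match(rule, pkt):
            return rule["target"], rule["log"]
    return policy, False

def tcp(src, sport, dst, dport, syn, iface="eth0"):   # constructed TCP header for the simulator
    return dict(src=src, sport=sport, dst=dst, dport=dport, syn=syn, iface=iface, proto="tcp")
```

Running an external SYN to port 80 through POSTED_INPUT_CHAIN falls through to the DENY policy, while a reply to the firewall's own outbound browsing (source port 80, no SYN) is accepted; appending WEB_SERVER_RULE is what turns the external web request into an ACCEPT.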
Sorry it has taken me so long to post a reply, but I tried the script you suggested (with adjustments, of course) and that didn't work either. So, knowing the RH v7.1 kernel comes with built-in iptables and ipchains, I upgraded from 7.0. I used the firewall-config utility and everything seems to be working okay. I will be using Nessus to try and crack through my firewall and will go from there.
Razbot thanks for all of your help! It's people like you that make this all worth while! :')