LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-29-2001, 11:08 AM   #1
ltrain
LQ Newbie
 
Registered: May 2001
Posts: 16

Rep: Reputation: 0

Hello all,

Using tcp wrappers, I would like to be able to allow only internal access to my Intranet EXCEPT for http connections to the web server (would like external users to gain access to web site). Any advice on how to properly set this up?
 
Old 05-29-2001, 11:17 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
What version of Linux are you running?

Type:
# uname -a

You can change the /etc/hosts.allow and deny files, but it would be better if you got a simple firewall to do the wrappers for you.

/Raz
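The two files raz points at are what tcp wrappers consult, and the question in post #1 is exactly what they are good at: restricting wrapped services to the LAN. Below is an added example, not code from the thread, that models how tcpd and libwrap evaluate hosts.allow and hosts.deny (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted) and carries a constructed pair of files that does what the question asks: every wrapped service reachable from 127.0.0.1 and 192.168.0.0/24 only, telnet from nowhere. The daemon names, the 203.0.113.5 client address (documentation range) and the hostname argument are assumptions; CIDR client patterns are accepted by this matcher but only by some tcp_wrappers builds (vanilla 7.6 documents the net/mask form used here). The limitation that answers the HTTP half of the question: only services started through tcpd from inetd, or daemons linked against libwrap (an OpenSSH sshd built with it, for instance), read these files. Apache does not, so the web server stays open to the outside exactly as wanted, but the wrappers could not have closed it either; that is a packet filter's job.

```python
"""hosts_access(5) decision simulator (added example, not code from the thread)."""
import ipaddress

# Constructed files for the question in the thread: wrapped services may be
# reached from loopback and the internal LAN only (telnet from nowhere).
# httpd is not wrapped, so these files do not touch the web server at all.
HOSTS_ALLOW = """
# LAN and loopback may reach every wrapped service except telnet
ALL EXCEPT in.telnetd : 127.0.0.1, 192.168.0.0/255.255.255.0
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Yield (daemon_tokens, client_tokens) for each rule in hosts.allow/hosts.deny text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")        # a third field (shell command) is ignored here
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        yield fields[0].split(), fields[1].replace(",", " ").split()


def list_match(tokens, matcher):
    """tcpd's list_match: `a b EXCEPT c d` matches if (a or b) and not (c or d)."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        return list_match(tokens[:cut], matcher) and not list_match(tokens[cut + 1:], matcher)
    return any(matcher(tok) for tok in tokens)


def client_matches(pattern, ip, host):
    """One hosts_access(5) client pattern against an IPv4 address and optional hostname."""
    pattern, host = pattern.lower(), (host or "").lower()
    if pattern == "all":
        return True
    if pattern == "local":                  # hostname without a dot
        return host != "" and "." not in host
    if pattern.startswith("."):             # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):               # address prefix, e.g. 192.168.
        return ip.startswith(pattern)
    if "/" in pattern:                      # net/mask; CIDR only in some tcp_wrappers builds
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, host)


def hosts_access(daemon, ip, host, allow_text, deny_text):
    """Return True if tcpd/libwrap would grant `daemon` to this client."""
    def file_matches(text):
        return any(list_match(d, lambda tok: tok in ("ALL", daemon))
                   and list_match(c, lambda tok: client_matches(tok, ip, host))
                   for d, c in parse_rules(text))
    if file_matches(allow_text):
        return True
    if file_matches(deny_text):
        return False
    return True     # neither file matched: tcp_wrappers grants by default


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.0.122"), ("sshd", "203.0.113.5"),
                       ("in.telnetd", "192.168.0.122")]:
        ok = hosts_access(daemon, ip, "", HOSTS_ALLOW, HOSTS_DENY)
        print("%-11s from %-14s -> %s" % (daemon, ip, "granted" if ok else "refused"))
    # Forget `ALL: ALL` in hosts.deny and the external client is let in:
    print(hosts_access("sshd", "203.0.113.5", "", HOSTS_ALLOW, ""))
```

The last line is the pitfall worth remembering: an empty or missing hosts.deny means "permit", so the allow file alone restricts nothing. On the real box, `tcpdchk` reports syntax errors in the two files and `tcpdmatch sshd 203.0.113.5` gives the verdict straight from /etc/hosts.allow and /etc/hosts.deny; both ship with the tcp_wrappers package.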
 
Old 05-29-2001, 11:39 AM   #3
ltrain
LQ Newbie
 
Registered: May 2001
Posts: 16

Original Poster
Rep: Reputation: 0
RedHat 7.0 - v2.4.2

I made a poor attempt at configuring a firewall, now I am just looking at setting up the basics. I configured and used the firewall script posted on linux-firewall-tools.com web site and thought I had everything setup the way the documentation suggested but when I attempt to run the script I get run errors: 2 commands not found and EOF and have no clue what is causing the errors.

 
Old 05-29-2001, 11:49 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Type:

chkconfig --list | grep ipchains

Does it come back with:
ipchains 0: off 1: off 2: on 3: on 4: on 5: on 6: off

If so then tell me your internal interface and eth number and your external interface and eth number. "or make up a fake external internet IP address for this example"

I'll post you a script that will do what you ask.
you need to get the /etc/rc.d/rc.local file to run it.

/raz

[Edited by razbot on 05-29-2001 at 12:53 PM]
 
Old 05-29-2001, 11:58 AM   #5
ltrain
LQ Newbie
 
Registered: May 2001
Posts: 16

Original Poster
Rep: Reputation: 0
chkconfig shows as you reported.

For security reasons I will use a "fake" external ip address:

LAN = 192.168.0.1
External = 192.168.100.10

Thanks for your quick responses RAZ!

 
Old 05-30-2001, 04:28 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Ok here goes.

First make an empty script file in the directory /etc/rc.d
call it firewall.sh
make sure you "chmod 700 /etc/rc.d/firewall.sh" so it can run.
Then add the line at the end of /etc/rc.d/rc.local
/etc/rc.d/firewall.sh

Now I'm going to assume you have one network card for your two networks' IPs.

LAN = 192.168.0.1 "eth0"
External = 192.168.100.10 "eth0:0"
-------------- oooo ---------------
Now put this into your /etc/rc.d/firewall.sh script.

#!/bin/sh
# firewall script by Raz
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ip_always_defrag is not present on every kernel version; skip it if absent
[ -f /proc/sys/net/ipv4/ip_always_defrag ] && echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# clear all ipchains settings
ipchains -F

# default policies: drop everything that is not explicitly allowed below
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# masquerade timeouts: TCP sessions 4800s, TCP after FIN 15s, UDP 200s
ipchains -M -S 4800 15 200

# masquerade (NAT) the internal LAN so it can use the firewall
# as its gateway to the Internet
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# loopback and the internal LAN may talk to the firewall freely
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.0.0/24 -j ACCEPT

# block NetBIOS (137-139) in every chain, then drop and log packets that
# arrive on the external address with a private, loopback or broadcast
# source address (spoofing)
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -i eth0:0 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 172.16.0.0/12 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 192.168.0.0/16 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth0:0 -d 0.0.0.0 -j DENY -l

# drop and log incoming UDP traceroute probes to the EXTERNAL IP
# (traceroute walks destination ports from 33434 upwards)
ipchains -A input -p udp -s 0/0 -d 192.168.100.10 33434:33600 -j DENY -l

# access allowed from internet to website port 80 only:
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 192.168.100.10 --dport 80 -j ACCEPT
ipchains -A output -p tcp -s 192.168.100.10 --sport 80 -d 0/0 -j ACCEPT

# dont know your DNS's address so lets call it 154.67.86.2 & 154.67.85.2
# DNS lookup allowed only

ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# secondary DNS allow
ipchains -A input -p tcp ! -y -s 154.67.85.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# DNS lookup udp allowed
ipchains -A output -p udp -s 192.168.100.10 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
# secondary DNS allow UDP
ipchains -A input -p udp -s 154.67.85.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT

# allow your firewall to surf the net and internal users
# that use the firewall as a gateway.
# HTTP 80,https and proxy access
# also improve the speed with TOS on internet connections
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 192.168.100.10 1023:65535 -j ACCEPT
# HTTP 8080 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 8080 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 8080 -d 192.168.100.10 1023:65535 -j ACCEPT

# example to allow users to use MSN
# MSN messenger
ipchains -A output -p tcp -s 192.168.100.10 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 192.168.100.10 1023:65535 -j ACCEPT

# allow one management box on the internal LAN (192.168.0.122 in this
# example) to reach the firewall's SSH daemon; change 22 to 23 for telnet.
# The client connects from a high port to port 22, so the port goes on the
# destination side, and the reply travels from port 22 back to the high port.
# (The blanket LAN accept above already covers this; these rules matter if
# you ever narrow that one.)
ipchains -A input -p tcp -s 192.168.0.122 1023:65535 -d 192.168.0.1 --dport 22 -j ACCEPT -l
# -l logs every matching packet to the kernel log (/var/log/messages on Red Hat)
ipchains -A output -p tcp -s 192.168.0.1 --sport 22 -d 192.168.0.122 1023:65535 -j ACCEPT

# log connection attempts to low ports nothing listens on; a burst of
# these in the log is the signature of a port scan
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 2 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 3 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 4 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 5 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 6 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 7 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 8 -j DENY -l
# (the default policy already drops these; the explicit rules exist for the -l logging)

ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 20 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 21 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 23 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 25 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 53 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 79 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 110 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 111 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 113 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 443 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 8080 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d 192.168.100.10 --dport 6000 -j DENY -l

# ICMP: send anything; inbound, accept only replies and error/control messages
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
# drop and log echo requests (8), redirects (5) and router solicitations (10);
# leave the accepted types above alone or ICMP error reporting to this host breaks
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 5 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# done

# ---------- ooooo ------------

Now test the script by running it.
Should work, but most of this is from my head so good luck.

/Raz
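To see what the script above actually lets in, here is an added example that is not part of the post: it parses a subset of the script's input-chain rules and runs constructed packets through them with the first-match, then-default-policy semantics ipchains uses. Assumptions: a single interface eth0 carrying both addresses as in the post, 203.0.113.5 (documentation range) standing in for an Internet client, interface matching reduced to a name comparison, and only the options the quoted rules use. The last case takes the post's SSH rule exactly as written there: the LAN packet is accepted by the blanket LAN rule before it, and on its own the SSH rule would not match because it puts port 22 on the source side.

```python
"""First-match evaluator for a subset of ipchains syntax (added example, not from the thread)."""
import ipaddress
import shlex

# Rules copied from the firewall script in the post above, in the order they
# appear there (a subset of the input chain; the next-to-last line is the
# post's SSH rule exactly as written there).
RULES_TEXT = """
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -s 192.168.0.0/24 -j ACCEPT
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d 192.168.100.10 --dport 80 -j ACCEPT
ipchains -A input -p tcp ! -y -s 154.67.86.2 --sport 53 -d 192.168.100.10 1023:65535 -j ACCEPT
ipchains -A input -p tcp -s 192.168.0.122 --sport 22 -d 192.168.0.1 1023:65535 -j ACCEPT -l
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
"""
INPUT_POLICY = "DENY"   # from `ipchains -P input DENY` in the script

ONE_ARG = {"-p": "proto", "-i": "iface", "-j": "target"}
RANGE_ARG = {"--sport": "src_port", "--dport": "dst_port", "--icmp-type": "icmp_type"}
SKIP = {"-l": 1, "-t": 3}   # logging and TOS mangling have no effect on the verdict

def parse_addr(spec):
    """'0/0', '154.67.86.2' or '192.168.0.0/24' -> ip_network (ipchains short forms allowed)."""
    host, _, bits = spec.partition("/")
    octets = host.split(".")
    host = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%s" % (host, bits or "32"), strict=False)

def parse_range(spec):
    """'80' -> (80, 80); '1023:65535' -> (1023, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Turn one `ipchains -A <chain> ...` line into a dict of match fields."""
    argv = shlex.split(line)
    if argv[:2] != ["ipchains", "-A"]:
        raise ValueError("only -A rules are supported: %r" % line)
    rule, i, negate = {"chain": argv[2]}, 3, False
    while i < len(argv):
        tok = argv[i]
        if tok == "!":
            negate, i = True, i + 1
        elif tok in ("-s", "-d"):
            key = "src" if tok == "-s" else "dst"
            rule[key], i = parse_addr(argv[i + 1]), i + 2
            # ipchains lets a port spec follow the address: `-s 1.2.3.4 1023:65535`
            if i < len(argv) and argv[i][0] not in "-!":
                rule[key + "_port"], i = parse_range(argv[i]), i + 1
        elif tok in RANGE_ARG:
            rule[RANGE_ARG[tok]], i = parse_range(argv[i + 1]), i + 2
        elif tok in ONE_ARG:
            rule[ONE_ARG[tok]], i = argv[i + 1], i + 2
        elif tok == "-y":   # `-y` matches SYN packets only, `! -y` everything but SYNs
            rule["syn"], negate, i = not negate, False, i + 1
        elif tok in SKIP:
            i += SKIP[tok]
        else:
            raise ValueError("unsupported token %r in %r" % (tok, line))
    return rule

def matches(rule, pkt):
    """True if every match field present in `rule` agrees with the packet."""
    for key in ("proto", "iface"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    for key in ("src_port", "dst_port", "icmp_type"):
        if key in rule and not rule[key][0] <= pkt.get(key, -1) <= rule[key][1]:
            return False
    return "syn" not in rule or rule["syn"] == pkt.get("syn", False)

def evaluate(rules, policy, pkt):
    """ipchains semantics: the first matching rule decides, otherwise the chain policy."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None

INPUT_RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

def tcp(src, sport, dst, dport, syn=True, iface="eth0"):
    # constructed packet; 203.0.113.0/24 (documentation range) stands in for the Internet
    return {"proto": "tcp", "src": src, "src_port": sport, "dst": dst,
            "dst_port": dport, "syn": syn, "iface": iface}

if __name__ == "__main__":
    cases = [
        ("Internet -> web server :80", tcp("203.0.113.5", 40000, "192.168.100.10", 80)),
        ("Internet -> firewall :22", tcp("203.0.113.5", 40000, "192.168.100.10", 22)),
        ("DNS reply (no SYN)", tcp("154.67.86.2", 53, "192.168.100.10", 33000, syn=False)),
        ("SYN from port 53", tcp("154.67.86.2", 53, "192.168.100.10", 33000)),
        ("LAN box -> firewall :22", tcp("192.168.0.122", 50000, "192.168.0.1", 22)),
    ]
    for name, pkt in cases:
        verdict, idx = evaluate(INPUT_RULES, INPUT_POLICY, pkt)
        print("%-28s %-6s (%s)" % (name, verdict, "policy" if idx is None else "rule %d" % idx))
    print("SSH rule alone matches the LAN packet:", matches(INPUT_RULES[5], cases[4][1]))
```

The `! -y` case is the one worth staring at: a SYN arriving from port 53 falls through to the DENY policy, which is what keeps a scanner from using a well-known source port to walk through the "reply" rules. On a live 2.2/2.4 box the same check is `ipchains -C input -p tcp -i eth0 -s 203.0.113.5 40000 -d 192.168.100.10 80`, which reports whether the current chain would accept that packet.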
 
Old 05-31-2001, 10:40 PM   #7
ltrain
LQ Newbie
 
Registered: May 2001
Posts: 16

Original Poster
Rep: Reputation: 0
Sorry it has taken me so long to post a reply but I tried the script you suggested (with adjustments of course) and that didn't work either. So, knowing RH v7.1 kernel comes with built-in iptables and ipchains - I upgraded from 7.0. Used the firewall-config utility and everything seems to be working okay. I will be using Nessus to try and crack through my firewall and will go from there.

Razbot thanks for all of your help! It's people like you that make this all worth while! :')

 
  

