LinuxQuestions.org
Old 07-12-2001, 03:27 PM   #1
barDo
LQ Newbie
 
Registered: Jul 2001
Location: Nicaragua
Distribution: RH 7.1
Posts: 18

Rep: Reputation: 0
Post Ipchains configuration


Hi, I am new to Linux and I'm trying to configure ipchains to secure a server; I am using Red Hat 7.1.

Is ipchains the only thing I need to set up for a firewall?

I read all your comments but I didn't find anything like setting up ipchains using 2 NICs: eth0 and eth1.

eth0 - public
eth1 - internal LAN

Thanks
 
Old 07-13-2001, 04:53 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Ok, as you didn't supply enough info on the kind of setup you have, I'm going to assume you're using the Linux box as a NAT system for your Windows PCs on the internal LAN.

Also I'm going to assume these numbers for your IPs:
eth0 = 32.21.2.233 "external IP"
eth1 = 192.168.0.5 "Internal IP"
Your DNS server1 = 32.21.67.12
Your DNS server2 = 32.12.2.11
Your POP server = 195.40.8.24
Your SMTP server = 195.40.8.23

#!/bin/sh
# Set up the ipv4 /proc options for packet handling.
# Tunes the stack and adds some OS fingerprint deception.
# All packets are defragmented before the firewall in 7.1, not in 7.0.
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=20
sysctl -w net.ipv4.tcp_fin_timeout=180
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# only use these four options if you're using a DSL connection, not cable.
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

# Flush all chains
ipchains -F

# Deny all access to server, enable secure mode.
# Reject not Deny
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT

# sets masquerading timeout values in seconds (tcp, tcp after FIN, udp)
ipchains -M -S 6800 15 200

# magic NAT setting for MASQing
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# Allow loopback traffic on the firewall itself.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Stops faked ("spoofed") packets from hitting the firewall's external interface, and logs them
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0 -d 0.0.0.0 -j REJECT -l

# Stops annoying NetBIOS Windows broadcasts & makes people think it's an NT system with a firewall running
# Note: this needs modifying if you're going to use Samba.
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY

# Allow internal systems to connect via SSH to the Linux box (192.168.0.5) only:
# requests come in from unprivileged client ports to port 22, replies go back out
# from port 22 and must never be a new SYN (! -y).
ipchains -A input -p tcp -s 192.168.0.0/24 1023:65535 -d 192.168.0.5 22 -j ACCEPT
ipchains -A output -p tcp ! -y -s 192.168.0.5 22 -d 192.168.0.0/24 1023:65535 -j ACCEPT

# DNS1: TCP lookups allowed only from the NAT box to the ISP resolver; replies may not carry SYN
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 -d 32.21.67.12 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.21.67.12 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS1: UDP lookups allowed only to the ISP resolver (-y is TCP-only, so no SYN test on UDP)
ipchains -A output -p udp -s 32.21.2.233 1023:65535 -d 32.21.67.12 53 -j ACCEPT
ipchains -A input -p udp -s 32.21.67.12 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2: TCP lookups allowed only from the NAT box to the ISP resolver; replies may not carry SYN
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 -d 32.12.2.11 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.12.2.11 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2: UDP lookups allowed only to the ISP resolver (-y is TCP-only, so no SYN test on UDP)
ipchains -A output -p udp -s 32.21.2.233 1023:65535 -d 32.12.2.11 53 -j ACCEPT
ipchains -A input -p udp -s 32.12.2.11 53 -d 32.21.2.233 1023:65535 -j ACCEPT

# HTTP 80 access from Internal network to internet
# TOS setting on TCP given highest priority on web traffic.
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 32.21.2.233 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 32.21.2.233 1023:65535 -j ACCEPT


# Your POP and SMTP servers (POP = 195.40.8.24, SMTP = 195.40.8.23, as assumed above)
ipchains -A input -p tcp ! -y -s 195.40.8.24 110 -d 32.21.2.233 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.24 110 -j ACCEPT
ipchains -A input -p tcp ! -y -s 195.40.8.23 25 -d 32.21.2.233 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.23 25 -j ACCEPT


# log hack attacks to these services
# look for scans in orders
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 2 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 3 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 4 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 5 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 6 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 7 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 8 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 20 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 21 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 22 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 23 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 25 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 53 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 79 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 80 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 110 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 111 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 113 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 443 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 8080 -j REJECT -l
ipchains -A input -p tcp -s 0/0 -d 32.21.2.233 --dport 6000 -j REJECT -l

# icmp pings and pongs etc
# needed for icmp to manage network correctly
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT

# deny inbound ICMP requests that shouldn't be allowed.
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
# Turns off traceroute from windows boxes
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
# turns off traceroute from Unix boxes
ipchains -A input -p udp -d 32.21.2.233 -s 0/0 33434:33600 -j REJECT -l

# Let the internal LAN (eth1) through last, so the specific DENY/REJECT rules above
# still win. Without these the REJECT policies stop LAN packets before they reach the
# forward chain (and MASQ), and stop de-masqueraded replies from leaving on eth1.
ipchains -A input -i eth1 -s 192.168.0.0/24 -j ACCEPT
ipchains -A output -i eth1 -d 192.168.0.0/24 -j ACCEPT


-------------- 000 ------------
Play around with the settings one at a time until you get them working.

/Raz
 
Old 07-26-2001, 12:15 PM   #3
barDo
LQ Newbie
 
Registered: Jul 2001
Location: Nicaragua
Distribution: RH 7.1
Posts: 18

Original Poster
Rep: Reputation: 0
Thanx

Ok raz, thanks a lot. I'll try it and tell you later about my work.
 
Old 07-27-2001, 03:53 AM   #4
glj
Member
 
Registered: Jul 2001
Location: London
Distribution: RH 9
Posts: 151

Rep: Reputation: 30
Could anyone give me a link to a good ipchains guide that they've used, that would be good for a newbie? I've been through the man page several times when I was fiddling with it, but Raz's post is a bit overwhelming!

Cheers

glj
 
Old 07-27-2001, 04:25 AM   #5
cinnix
Member
 
Registered: Jun 2001
Location: Northern Ohio
Distribution: RedHat, Engarde and LFS
Posts: 237

Rep: Reputation: 30
I could use a little info too, but more than anything I want to read what raz read. It looks like he writes firewall rules in his sleep.
 
Old 07-27-2001, 04:35 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi,

Check out this link.
http://logi.cc/linux/athome-firewall.php3

It's full of useful info on setting up a firewall.


Then use this site to scan your ip address and check what can be seen from outside.

http://scan.sygatetech.com/

/Raz
 
Old 07-27-2001, 05:04 AM   #7
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Trust me, Linux firewall rules are easy to set up once you understand the fundamentals of what protocol is allowed to talk to what port, from where, and why.

Then you start by drawing a diagram of your network layout and what services need to talk to what.
Then you start adding each service, testing it and fine tuning until you have a strong policy rule set.

This is the same principle for all firewalls, from Nokia FW1s to PIXes and WatchGuards.

The only book I use as my bible is "Internet Core Protocols" from O'Reilly.
Get your head around that book and you're sorted.

/Raz
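Added example (not from Raz's post or from the ipchains project): a small sh helper for the "add one service at a time" approach above, generating the output/input rule pair that Raz's script repeats for DNS, HTTP, POP and SMTP. It assumes the external address 32.21.2.233 from Raz's post, and by default prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not Raz's script. Generates the stateless ipchains rule pair
# for one client-side service: our side talks out from an unprivileged port,
# the server's replies come back in, and for TCP a reply may never be a new
# SYN (! -y). UDP has no SYN bit, so the flag is omitted there (ipchains only
# accepts -y with -p tcp).
#
# IPCHAINS defaults to "echo ipchains" so the rules can be reviewed anywhere;
# run with IPCHAINS=ipchains as root on a 2.2/2.4 box to apply them.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IP="${EXT_IP:-32.21.2.233}"   # external IP assumed in Raz's post

# allow_client PROTO SERVER_IP PORT
#   output: any source, unprivileged port  -> SERVER_IP:PORT
#   input:  SERVER_IP:PORT                 -> EXT_IP, unprivileged port only
allow_client() {
    proto="$1"; server="$2"; port="$3"
    case "$proto" in
        tcp) synflag="! -y" ;;   # expanded unquoted below, on purpose
        udp) synflag="" ;;
        *) echo "allow_client: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    $IPCHAINS -A output -p "$proto" -s 0/0 1023:65535 -d "$server" "$port" -j ACCEPT
    $IPCHAINS -A input -p "$proto" $synflag -s "$server" "$port" -d "$EXT_IP" 1023:65535 -j ACCEPT
}

# Example set using the addresses assumed in Raz's post: DNS over both
# transports, then POP and SMTP. Each call adds exactly one service.
allow_services() {
    allow_client tcp 32.21.67.12 53 &&
    allow_client udp 32.21.67.12 53 &&
    allow_client tcp 195.40.8.24 110 &&
    allow_client tcp 195.40.8.23 25
}
```

Review the printed rules against your network diagram before applying them, and keep the anti-spoofing and logging rules from Raz's script ahead of them.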
 
Old 07-27-2001, 05:31 AM   #8
cinnix
Member
 
Registered: Jun 2001
Location: Northern Ohio
Distribution: RedHat, Engarde and LFS
Posts: 237

Rep: Reputation: 30
Thanks, that was just what I was looking for. The syntax for ipchains doesn't seem that difficult, but it was the core reasoning that was confusing me.
 
Old 07-27-2001, 05:39 AM   #9
glj
Member
 
Registered: Jul 2001
Location: London
Distribution: RH 9
Posts: 151

Rep: Reputation: 30
Same here.

Cheers for the info Raz

glj
 
Old 07-28-2001, 01:57 PM   #10
aimstr8
Member
 
Registered: Mar 2001
Posts: 40

Rep: Reputation: 15
Cool ipchains guide

I have also found this useful:

http://64.81.50.241/ipchains/ipchains-script.shtml

Last edited by aimstr8; 09-11-2001 at 01:17 AM.
 
Old 08-01-2001, 03:48 AM   #11
cinnix
Member
 
Registered: Jun 2001
Location: Northern Ohio
Distribution: RedHat, Engarde and LFS
Posts: 237

Rep: Reputation: 30
Here is a great place for some networking information.

These documents are showing me the light on IP addresses. It seems to go real in depth and it is helping me understand things a little more clearly.
 
Old 08-01-2001, 04:03 AM   #12
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Cinnix,

Did you forget to paste the link, or are you referring to one of the URLs already posted?

Cheers,
Raz
 
Old 08-01-2001, 10:25 AM   #13
cinnix
Member
 
Registered: Jun 2001
Location: Northern Ohio
Distribution: RedHat, Engarde and LFS
Posts: 237

Rep: Reputation: 30
Whoopsie, sorry about that.

These are pretty technical documents, but I can't believe how much I learned from so few pages.

http://www.3com.com/solutions/en_US/ncs/501302.html
 