Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
OK, as you didn't supply enough info on the kind of setup you have, I'm going to assume you're using the Linux box as a NAT system for your Windows PCs on the internal LAN.
Also, I'm going to assume these numbers for your IPs:
eth0 = 32.21.2.233 "external IP"
eth1 = 192.168.0.5 "Internal IP"
Your DNS server1 = 32.21.67.12
Your DNS server2 = 32.12.2.11
Your POP server = 195.40.8.24
Your SMTP server = 195.40.8.23
# set up the ipv4 files for packet options
# tunes the stack and adds some OS fingerprint deception (see ip_default_ttl below)
# All packets are defragmented before the firewall in 7.1, not in 7.0
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=20
sysctl -w net.ipv4.tcp_fin_timeout=180
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# only use these four options if you're using a DSL connection, not cable.
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
# Flush all chains
ipchains -F
# Deny all access to server, enable secure mode.
# Reject not Deny
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# sets timeout values for FIN flags etc.
ipchains -M -S 6800 15 200
# magic NAT setting for MASQing
ipchains -A forward -s 192.168.0.0/24 -j MASQ
# allows the box to talk to itself over loopback
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# Stops faked ("spoofed") source addresses from hitting the external interface of the firewall, and logs them
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0 -d 0.0.0.0 -j REJECT -l
# Stops annoying NetBIOS Windows broadcasts and makes people think it's an NT system with a firewall running
# Note this needs modifying if you're going to use Samba.
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY
# Allow internal systems to connect via SSH to the Linux box only
# (request: LAN client, ephemeral port -> box port 22 on input; reply: box port 22 -> LAN client on output)
ipchains -A input -i eth1 -p tcp -s 192.168.0.0/24 1023:65535 -d 192.168.0.5 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp -s 192.168.0.5 22 -d 192.168.0.0/24 1023:65535 -j ACCEPT
# Let the rest of the LAN's traffic in on eth1 so the forward chain can masquerade it, and let the
# demasqueraded replies back out to the LAN. Forwarded packets traverse the input chain first, so
# with the REJECT policies above nothing from 192.168.0.0/24 would otherwise reach the MASQ rule.
ipchains -A input -i eth1 -s 192.168.0.0/24 -d ! 192.168.0.5 -j ACCEPT
ipchains -A output -i eth1 -d 192.168.0.0/24 -j ACCEPT
# DNS1 lookup over tcp allowed only between the NAT box and the ISP's server, SYN flag not allowed in
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 -d 32.21.67.12 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.21.67.12 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS1 resolve over udp, same pair (udp has no SYN flag, so -y does not apply)
ipchains -A output -p udp -s 32.21.2.233 1023:65535 -d 32.21.67.12 --dport 53 -j ACCEPT
ipchains -A input -p udp -s 32.21.67.12 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2 lookup over tcp allowed only between the NAT box and the ISP's server, SYN flag not allowed in
ipchains -A output -p tcp -s 32.21.2.233 1023:65535 -d 32.12.2.11 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 32.12.2.11 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# DNS2 resolve over udp, same pair (udp has no SYN flag, so -y does not apply)
ipchains -A output -p udp -s 32.21.2.233 1023:65535 -d 32.12.2.11 --dport 53 -j ACCEPT
ipchains -A input -p udp -s 32.12.2.11 --sport 53 -d 32.21.2.233 1023:65535 -j ACCEPT
# HTTP 80 access from Internal network to internet
# TOS setting on TCP given highest priority on web traffic.
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 32.21.2.233 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 32.21.2.233 1023:65535 -j ACCEPT
# Your POP and SMTP servers (POP = 195.40.8.24 on 110, SMTP = 195.40.8.23 on 25, as listed above)
ipchains -A input -p tcp ! -y -s 195.40.8.24 --sport 110 -d 32.21.2.233 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.24 --dport 110 -j ACCEPT
ipchains -A input -p tcp ! -y -s 195.40.8.23 --sport 25 -d 32.21.2.233 --dport 1023:65535 -j ACCEPT
ipchains -A output -p tcp -s 0/0 1023:65535 -d 195.40.8.23 --dport 25 -j ACCEPT
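An added check, not code from Raz's post: a small POSIX shell audit of the /proc/sys values the script above writes, so that drift (a reboot without the script, a later sysctl change) is reported instead of silently undoing the hardening. The expected values are taken from the posted script; the only assumption is a variable PROC_SYS that defaults to /proc/sys on the firewall and can be pointed at a directory of plain files, which is how the fixture helper at the bottom lets the checker run without root.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit the /proc/sys values the
# posted script sets and report any that have drifted. Assumption: PROC_SYS is the
# sysctl tree to inspect, /proc/sys on the firewall by default, but it can be pointed
# at a directory of plain files so the checker runs without root.

PROC_SYS="${PROC_SYS:-/proc/sys}"

# expected_settings: "relative/path value" pairs, values taken from the posted script.
expected_settings() {
    cat <<'EOF'
net/ipv4/ip_forward 1
net/ipv4/tcp_syncookies 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/ip_no_pmtu_disc 0
net/ipv4/ip_default_ttl 61
net/ipv4/tcp_rfc1337 1
EOF
}

# check_setting PATH WANT: prints one status line; returns 0 ok, 1 drift, 2 missing.
check_setting() {
    file="$PROC_SYS/$1"
    if [ ! -r "$file" ]; then
        echo "MISSING $1 (want $2)"
        return 2
    fi
    read -r have < "$file"
    if [ "$have" = "$2" ]; then
        echo "ok      $1 = $have"
        return 0
    fi
    echo "DRIFT   $1 = $have (want $2)"
    return 1
}

# audit_settings: checks every expected setting; the return value is the number of
# settings that are missing or drifted, so 0 means the box matches the script.
audit_settings() {
    failures=0
    for entry in $(expected_settings | tr ' ' '='); do
        check_setting "${entry%%=*}" "${entry#*=}" || failures=$((failures + 1))
    done
    return "$failures"
}

# fake_proc_sys DIR: writes the expected values into DIR as a constructed test
# fixture, so the audit can be exercised on a box where /proc/sys is off limits.
fake_proc_sys() {
    for entry in $(expected_settings | tr ' ' '='); do
        path="$1/${entry%%=*}"
        mkdir -p "$(dirname "$path")"
        printf '%s\n' "${entry#*=}" > "$path"
    done
}

case "${1-}" in
    audit) audit_settings ;;
esac
```

Run it as `sh sysctl_audit.sh audit` on the firewall after the rule script has been applied; a non-zero exit status is the number of settings that need attention, which makes it easy to wire into a cron job or a boot-time check.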
Could anyone give me a link to a good ipchains guide that they've used, that would be good for a newbie? I've been through the man page several times when I was fiddling with it, but Raz's post is a bit overwhelming!
Trust me, Linux firewall rules are easy to set up once you understand the fundamentals of which protocol is allowed to talk to which port, from where, and why.
Then you start by drawing a diagram of your network layout and what services need to talk to what.
Then you add each service, testing and fine-tuning it, until you have a strong policy rule set.
This is the same principle for all firewalls, from Nokia FW-1s to PIXes and WatchGuards.
The only book I use as my bible is "Internet Core Protocols" from O'Reilly.
Get your head around that book and you're sorted.
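As an added example of the one-service-at-a-time approach Raz describes (this is not code from the original thread), here is a POSIX shell script that generates each outbound client-service rule pair from a single call, so the request rule and its reply rule are always emitted together, with the same addresses and ports and with the reply direction getting the `! -y` match. It assumes the external address 32.21.2.233 and the DNS, POP and SMTP addresses from Raz's first post, and a variable IPCHAINS that defaults to `echo ipchains` so the rule set is previewed rather than loaded; the balance check at the end is the cheap way to catch a forgotten reply rule before testing a service.

```shell
#!/bin/sh
# Added example, not code from the original thread: build ipchains client-service
# rules in matched pairs so the request (output chain) and reply (input chain) always
# agree on addresses, ports and direction. Assumptions: EXT_IP is the NAT box's
# external address from Raz's post, and IPCHAINS defaults to "echo ipchains" so the
# rule set is previewed; set IPCHAINS=ipchains to load it into a live ipchains kernel.

EXT_IP="${EXT_IP:-32.21.2.233}"
IPCHAINS="${IPCHAINS:-echo ipchains}"

# allow_client_tcp SERVER PORT
#   output: NAT box (ephemeral port) -> SERVER:PORT, the request
#   input:  SERVER:PORT -> NAT box (ephemeral port), the reply, with "! -y" so a
#           packet carrying only the SYN flag is never accepted inbound
allow_client_tcp() {
    $IPCHAINS -A output -p tcp -s "$EXT_IP" 1023:65535 -d "$1" "$2" -j ACCEPT
    $IPCHAINS -A input -p tcp ! -y -s "$1" "$2" -d "$EXT_IP" 1023:65535 -j ACCEPT
}

# allow_client_udp SERVER PORT: the same pair for udp; udp has no SYN flag, so no -y.
allow_client_udp() {
    $IPCHAINS -A output -p udp -s "$EXT_IP" 1023:65535 -d "$1" "$2" -j ACCEPT
    $IPCHAINS -A input -p udp -s "$1" "$2" -d "$EXT_IP" 1023:65535 -j ACCEPT
}

# allow_dns SERVER: one resolver needs both transports (udp, and tcp for large answers).
allow_dns() {
    allow_client_tcp "$1" 53
    allow_client_udp "$1" 53
}

# build_client_rules: the outbound services from the post, each as a matched pair.
build_client_rules() {
    allow_dns 32.21.67.12              # DNS server1
    allow_dns 32.12.2.11               # DNS server2
    allow_client_tcp 195.40.8.24 110   # POP server
    allow_client_tcp 195.40.8.23 25    # SMTP server
}

# count_chain CHAIN: number of generated rules that land on CHAIN, counted from a
# preview run so it never touches the kernel.
count_chain() {
    (IPCHAINS="echo ipchains"; build_client_rules) | grep -c "^ipchains -A $1 "
}

# check_balanced: exit 0 when every request rule has its reply rule.
check_balanced() {
    [ "$(count_chain input)" -eq "$(count_chain output)" ]
}

case "${1-}" in
    build) build_client_rules ;;
    check) check_balanced && echo "input/output rule counts match" ;;
esac
```

`sh client_rules.sh build` prints the rule set for review, `sh client_rules.sh check` confirms the pairs are complete, and `IPCHAINS=ipchains sh client_rules.sh build` applies it; adding a service is one more `allow_client_tcp` line, which is the "add one, test, tune" loop from the post in script form.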