OK, good point. But several folks have mentioned that shorewall is
not a one-to-one tool for straight iptables/netfilters implementations.
It has things that are not part of a raw usage of iptables/netfilters.
My goal is to learn as much about iptables/netfilters on a Gentoo X86
firewall, before I plunge into iptables/netfilters on an embedded
processor, most likely not x86.

That is incorrect. Shorewall is, at its heart, a scripting engine that builds iptables rules based upon the contents of the shorewall configuration files. Once the shorewall engine produces the iptables rules, the process goes away (there is no lingering shorewall process after it comes up).

Looking at bad rules, learning why they fail, and watching an attack
(either generated by myself or others) with an IDS and other tools running
can be an excellent learning experience. I'm not sure I'll have Shorewall
running on an embedded platform, nor do I want to generate things on
one system and transfer them to a different system (arch) in an embedded
environment, not just yet.

Others have indirectly suggested that Shorewall does not directly generate
iptables/netfilters rulesets. I'm looking to get as close to iptables/netfilters as I can, rather than an immediate need to have a robust Linux-based firewall.

It does generate iptable rules, but they are customized for shorewall's purposes. For example, my shorewall setup builds the following iptables rules:

# Generated by iptables-save v1.3.2 on Thu Sep  8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p udp -m multiport --dports 27900,29900,27901,55123:55125,1500:4999,16567 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m multiport --dports 29900,29901,28910,4711 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 5000:5201 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 51000:52000 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 10023 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --sport 8086 --dport 8085 -j DNAT --to-destination 192.168.0.10
-A w1ad_masq -s 255.255.255.255 -j MASQUERADE
-A w1ad_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu Sep  8 12:32:48 2005
# Generated by iptables-save v1.3.2 on Thu Sep  8 12:32:48 2005
*mangle
:PREROUTING ACCEPT [11532470:15305239824]
:INPUT ACCEPT [10012668:14215875107]
:FORWARD ACCEPT [1519785:1089361813]
:OUTPUT ACCEPT [8826128:782474663]
:POSTROUTING ACCEPT [10353251:1873002122]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Thu Sep  8 12:32:49 2005
# Generated by iptables-save v1.3.2 on Thu Sep  8 12:32:49 2005
*filter
:AllowFTP - [0:0]
:AllowICMPs - [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:60]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logflags - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:w1ad_fwd - [0:0]
:w1ad_in - [0:0]
-A AllowFTP -p tcp -m tcp --dport 21 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -p icmp -j AllowICMPs
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -p tcp -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i w1ad -j w1ad_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -i w1ad -j w1ad_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o w1ad -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o w1ad -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Reject -j RejectAuth
-A Reject -j dropBcast
-A Reject -p icmp -j AllowICMPs
-A Reject -j dropInvalid
-A Reject -j RejectSMB
-A Reject -j DropUPnP
-A Reject -p tcp -j dropNotSyn
-A Reject -j DropDNSrep
-A RejectAuth -p tcp -m tcp --dport 113 -j reject
-A RejectSMB -p udp -m udp --dport 135 -j reject
-A RejectSMB -p udp -m udp --dport 137:139 -j reject
-A RejectSMB -p udp -m udp --dport 445 -j reject
-A RejectSMB -p tcp -m tcp --dport 135 -j reject
-A RejectSMB -p tcp -m tcp --dport 139 -j reject
-A RejectSMB -p tcp -m tcp --dport 445 -j reject
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A blacklst -s 213.131.253.24 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 5
-A blacklst -s 213.131.253.24 -j DROP
-A blacklst -s 221.12.14.7 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 5
-A blacklst -s 221.12.14.7 -j DROP
-A blacklst -s 59.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 5
-A blacklst -s 59.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -o w1ad -j loc2net
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_in -p tcp -j tcpflags
-A eth1_in -j loc2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p tcp -m tcp --dport 631 -j DROP
-A fw2net -p tcp -m tcp --dport 2401 -j ACCEPT
-A fw2net -p udp -m udp --dport 2401 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 123 -j ACCEPT
-A fw2net -p udp -m udp --dport 123 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 873 -j ACCEPT
-A fw2net -p udp -m udp --dport 873 -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -d 206.46.232.12 -p tcp -m tcp --dport 25 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 110 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 113 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 119 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 2703 -j ACCEPT
-A fw2net -p udp -m udp --dport 6277 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 20 -j ACCEPT
-A fw2net -j AllowFTP
-A fw2net -j all2all
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 873 -j ACCEPT
-A loc2fw -p udp -m udp --dport 873 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 113 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 119 -j ACCEPT
-A loc2fw -p udp -m udp --dport 6277 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 3306 -j ACCEPT
-A loc2fw -j AllowFTP
-A loc2fw -p udp -m multiport --dports 1026,1027,1028,1029 -j LOG --log-prefix "Shorewall:loc2fw:DROP:" --log-level 6
-A loc2fw -p udp -m multiport --dports 1026,1027,1028,1029 -j DROP
-A loc2fw -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m tcp --dport 631 -j DROP
-A loc2net -j AllowFTP
-A loc2net -p udp -m udp --dport 6346 -j DROP
-A loc2net -p tcp -m tcp --dport 6346 -j DROP
-A loc2net -p udp -m multiport --dports 67,68 -j DROP
-A loc2net -j ACCEPT
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 113 -j ACCEPT
-A net2fw -p udp -m udp --dport 6277 -j ACCEPT
-A net2fw -j AllowFTP
-A net2fw -p udp -m udp --dport 6346 -j DROP
-A net2fw -p tcp -m tcp --dport 6346 -j DROP
-A net2fw -p udp -m multiport --dports 1026,1027,1028,1029 -j DROP
-A net2fw -j net2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -d 192.168.0.10 -p udp -m multiport --dports 27900,29900,27901,55123:55125,1500:4999,16567 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m multiport --dports 29900,29901,28910,4711 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 5000:5201 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 5000:5201 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 51000:52000 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 10023 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --sport 8086 --dport 8085 -j ACCEPT
-A net2loc -p udp -m multiport --sports 67,68 -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -p udp -m multiport --sports 67,68 -j DROP
-A net2loc -j net2all
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 71.114.131.255 -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 71.114.131.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 71.114.131.255 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
-A w1ad_fwd -m state --state INVALID,NEW -j dynamic
-A w1ad_fwd -m state --state INVALID,NEW -j blacklst
-A w1ad_fwd -m state --state NEW -j norfc1918
-A w1ad_fwd -p tcp -j tcpflags
-A w1ad_fwd -o eth1 -j net2loc
-A w1ad_in -m state --state INVALID,NEW -j dynamic
-A w1ad_in -m state --state INVALID,NEW -j blacklst
-A w1ad_in -p udp -m udp --dport 67:68 -j ACCEPT
-A w1ad_in -m state --state NEW -j norfc1918
-A w1ad_in -p tcp -j tcpflags
-A w1ad_in -j net2fw
COMMIT
# Completed on Thu Sep  8 12:32:49 2005

Values unique to my environment:
 w1ad - my ADSL card which is connected to the internet
 fw - The box that is the firewall
 loc - The local network inside the firewall
 net - The internet as a whole.
 eth0 - My DMZ card, currently not being used.
 eth1 - My intranet card, currently in use.

These are all valid rules and are constructed by shorewall. Would they be the same if I hand-coded them? Absolutely not. I wouldn't have so many custom chains and would probably reorder the rules to give priorities to specific services.

And, I would argue that whilst these rules are valid and do perform the firewall chores that I want/need, the format of the rules would leave a lot to be desired to try to maintain manually via the command line.


So if I use Guarddog or Shorewall to generate rulesets, then I can issue:
/etc/init.d/iptables save

Don't know about guarddog, but with shorewall the answer is yes (as demonstrated by the output above).

and look at the rules. Then I can manually adjust the rules at the command
line, once again issue '/etc/init.d/iptables save' and look at the rules,
make manual (command line) adjustments and continue the learning and testing
process? If this is true, then I can use an x86 firewall with Gentoo on
it to build and test a firewall and then manually implement the ruleset
on an embedded Linux project, and similarly test the ruleset (and the
security robustness of the embedded Linux kernel and the IP stack
(note: some of the low level driver code for networking will most likely
be 'non standard' code)).

Is this logical and correct?

I do appreciate your input and the input from others. I do apologize if
I have offended any, as I do get a little 'wacked' when I'm frustrated.

You'll soon learn that, whilst this community loves to get people up and running using gentoo/linux, we don't respond well to the tones of your messages in previous days. Holly, especially, is a wonderful resource and really didn't deserve the response that she got.

--
gentoo-user@gentoo.org mailing list
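As an added example (not code from the thread, from Shorewall or from Gentoo): a small Python audit of an iptables-save dump like the one quoted above, reporting user-defined chains that no built-in chain ever jumps to and rules repeated verbatim, which is the kind of thing one would prune first when taking a generated ruleset over by hand. SAMPLE is a constructed excerpt of the filter table shown in the thread.

```python
# Added example, not thread code; SAMPLE is a constructed excerpt of the thread's filter table.
import re
from collections import Counter

JUMP = re.compile(r"\s-[jg]\s+(\S+)")  # "-j TARGET" or "-g TARGET"
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:net2fw - [0:0]
:smurfs - [0:0]
:w1ad_in - [0:0]
-A INPUT -i w1ad -j w1ad_in
-A w1ad_in -j net2fw
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A smurfs -s 255.255.255.255 -j DROP
COMMIT
"""

def parse(dump):
    """Return {table: (builtin_chains, user_chains, [(chain, target, rule)])}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                 # "*filter": a new table
            table = tables[line[1:]] = (set(), set(), [])
        elif line.startswith(":"):               # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]  # user chains carry policy "-"
            table[policy == "-"].add(name)
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            m = JUMP.search(line)
            table[2].append((line.split()[1], m and m.group(1), line))
    return tables

def unreferenced_chains(dump):
    """Per table, user chains with no jump path from any built-in chain."""
    out = {}
    for table, (builtin, user, rules) in parse(dump).items():
        seen, todo = set(), list(builtin)
        while todo:                              # walk the jump graph
            src = todo.pop()
            new = {t for c, t, _ in rules if c == src and t in user} - seen
            seen |= new
            todo.extend(new)
        out[table] = sorted(user - seen)
    return out

def duplicate_rules(dump):
    """Per table, rules that appear verbatim more than once."""
    return {t: sorted(r for r, n in Counter(r for *_, r in rs).items() if n > 1)
            for t, (*_, rs) in parse(dump).items()}
```

Feed it the full text written by `/etc/init.d/iptables save` (or `iptables-save`) to get the same report for a live ruleset.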