Masq and firewall experts:
       I have been working on customizing a firewall + masq script, but am
running into some trouble.  I have gone through my rules, and I can't
understand what is causing the problem.

My setup is this:
        Slackware 3.5 server with 2 NICs, one connected to cable modem (static
ip), one connected to local network.

The symptoms are this:
        When my default firewall policies for input and output are "accept",
everything works (from masqued computers as well as the server), but security
is obviously compromised.  When input + output are deny, the server and the
masqued computers lose access.  From the server I get the error:

/etc/rc.d#  ftp sunsite.unc.edu
ftp: sunsite.unc.edu: Host name lookup failure. 

My DNS works fine when the default policies are accept.  But they should even
work for deny, because of the rules below.  But it's not just DNS; even
using the IP number fails.

If any of you could help me I would be most appreciative.  I can't put my
server back up until it is secure.  The server was just hacked this
weekend, and I had to completely reinstall.

Thanks,
Jon Kra

 Here is my script:

#!/bin/sh
#
# This script sets up a basic firewall for a 10.0 private network
# with an ethernet internet connection.  The local network is masqueraded
# and rules set up so that the ethernet machines have Internet access
# through the server.  The server is protected from a range of attacks
# and there is no easy way to attack the machines which get access by
# masquerading.
# Note that the masquerading is the very last thing that is set up, after
# all the other security checks are in place.
#
# Script based on Dan Shearer's <[EMAIL PROTECTED]> incorporating bits by
# Jos Vos <[EMAIL PROTECTED]> and Ambrose Au <[EMAIL PROTECTED]>

# Possible improvements include... 1 add special incoming traffic, ie
#                                    raudio, aol, irc
#                                  2 only allow specified outgoing
#                                    traffic (weirdoutgoing)

# First some global variable definitions for easy maintenance.
#

   PATH=$PATH:/sbin


   IFEXTERN="a.b.c.d"          # address of the NIC on the cable modem (static)
   IFINTERN="10.0.0.1"         # address of the NIC on the local network
   LOCALNET="10.0.0.0/24"
   ANYWHERE="0.0.0.0/0"
   UNPRIVPORTS="1024:65535"    # source ports a client picks; replies come back here
   MASQPORTS="60000:65535"     # not referenced by the rules below
   PRIVPORTS="0:1023"          # not referenced by the rules below


# Now set paranoid defaults. Paranoid is normal. Normal is good. There are
# also some catch-all rules at the bottom which achieve much the same thing,
# however this stops enterprising hackers getting in while the rules are
# being set up.
   ipfwadm -I -p deny
   ipfwadm -O -p deny
   ipfwadm -F -p deny

# Flush rules of all types, ie start all over again. Flushing
# does not change the default policy for a filter.
   ipfwadm -I -f
   ipfwadm -O -f
   ipfwadm -F -f

# Stop the bastard who hacked this system on Oct 29, 1998
  ipfwadm -I -i deny -V $IFEXTERN -S 38.11.224.131 -D $ANYWHERE


# Deny incoming on the external interface whose source is the local net.

# Handle spoofed packets. It shouldn't be possible to pretend to be a
# 10.0.0.0/24 (LOCALNET) address from outside since the router on the
# outside should not forward packets from this network, but take no chances.
  ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE


# Deny incoming on the external interface whose source is the external
# interface's own address.

# The following is possible though there would not normally be anything
# advertising this address so it is not easy for crackers to get to know it.
  ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE


# Deny all outgoing on the external interface whose destination is internal.

# This might happen if the routing falls apart and sends internal packets
# out the eth0 interface.
  ipfwadm -O -a deny -V $IFEXTERN -S $ANYWHERE -D $LOCALNET


# Allow all incoming and outgoing on the internal interface.

# Unlimited traffic within the local network for all protocols
  ipfwadm -I -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
  ipfwadm -O -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE

# And also the localhost (I don't think I need this), but login is slow
# otherwise
  ipfwadm -I -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
  ipfwadm -O -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE

# Allow all outgoing on the external interface, whatever the source address
# (no -S given, so this also covers masqueraded packets leaving with the
# server's address).  Unlimited traffic out to the internet.
  ipfwadm -O -a accept -V $IFEXTERN -D $ANYWHERE


# Limit ICMP traffic (eg ping, traceroute). Note that normally ping
# does not work for masqueraded networks anyway. ping should not be
# regarded as a safe thing to allow - many OS can be attacked via ping.

#  ipfwadm -I -a deny -P icmp -V $IFEXTERN -D $ANYWHERE

# Outgoing pings are useless if we can't hear the replies, so block them.
#  ipfwadm -O -a deny -P icmp -V $IFEXTERN -S $ANYWHERE -D $ANYWHERE


# This is for accessing the server from the external network
# on a range of common protocols. Further
# protection can be installed by the use of proxies (which may also
# increase performance.) These are not all bidirectional, eg DNS which
# we are allowing to connect to the low port number going out but not in.
# We are not going to be authoritative for anything so we should deny it.

   ipfwadm -I -a accept -P tcp -V $IFEXTERN -S $ANYWHERE -D $IFEXTERN telnet smtp
   ipfwadm -I -a accept -P icmp -V $IFEXTERN -S $ANYWHERE -D $IFEXTERN

# Aren't these covered by the rules allowing regular internet traffic?
#   ipfwadm -I -a accept -k -P tcp -V $IFEXTERN -S $ANYWHERE -D $ANYWHERE ftp-data
#   ipfwadm -O -a accept -P tcp -V $IFEXTERN -S $IFEXTERN smtp ftp ftp-data www domain -D $ANYWHERE
#   ipfwadm -O -a accept -P udp -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE


# TCP/IP assigns a random unprivileged port number as the sending
# port when going to a privileged port elsewhere. Therefore we have to
# allow access to all unprivileged ports or no replies to telnet, DNS etc
# requests will ever be received.  (The firewall is stateless, so replies
# are not recognised as belonging to a connection we opened.)

   ipfwadm -I -a accept -P tcp -V $IFEXTERN -S $ANYWHERE -D $IFEXTERN $UNPRIVPORTS
   ipfwadm -I -a accept -P udp -V $IFEXTERN -S $ANYWHERE -D $IFEXTERN $UNPRIVPORTS


# Now turn on masquerading for the 10.0.0. network. Do this last of all to
# avoid giving a small window of opportunity.
   ipfwadm -F -a m -b -S 10.0.0.2 -D $ANYWHERE
   ipfwadm -F -a m -b -S 10.0.0.3 -D $ANYWHERE  
   ipfwadm -F -a m -b -S 10.0.0.4 -D $ANYWHERE  
   ipfwadm -F -a m -b -S 10.0.0.5 -D $ANYWHERE  
   ipfwadm -F -a m -b -S 10.0.0.6 -D $ANYWHERE  
   ipfwadm -F -a m -b -S 10.0.0.21 -D $ANYWHERE


# Extending MASQ timeouts: TCP sessions 7200 s, TCP after FIN 10 s, UDP 120 s
   ipfwadm -M -s 7200 10 120

# Catch-all rules, all other packets are denied and logged. Pity there is no
# log option on the policy but this does the job instead. In many sites the
# -I rule is the important one for security and the others are just for
# debugging.
# Block everything that I have not explicitly allowed

# Internal interface
   ipfwadm -I -a deny -P all -V $IFINTERN -S $ANYWHERE -D $ANYWHERE -o
   ipfwadm -O -a deny -P all -V $IFINTERN -S $ANYWHERE -D $ANYWHERE -o

# Local interface
   ipfwadm -I -a deny -P all -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE -o
#  ipfwadm -O -a deny -P all -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE -o

# External interface
   ipfwadm -I -a deny -P all -V $IFEXTERN -S $ANYWHERE -D $ANYWHERE -o
   ipfwadm -O -a deny -P all -V $IFEXTERN -S $ANYWHERE -D $ANYWHERE -o


#Done.


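The script above depends on two things that are easy to lose sight of in ipfwadm: rules are matched first-hit in the order they were appended, and the filter is stateless, so a reply to a connection the server opened is just another inbound packet that must hit an accept rule on its own (that is what the $UNPRIVPORTS rules do). The walker below is an added example, not part of the original post or of Dan Shearer's script: it models the -I chain as posted and reports which rule a given packet hits. Assumptions: 203.0.113.10 stands in for the masked a.b.c.d, the peer addresses 198.51.100.x and the packets themselves are constructed, and 61000 is assumed as a port inside the kernel's masquerading range. Only interface, protocol, address and destination-port matching is modelled; options such as -k and the forward chain are not.

```python
"""First-match walk of an ipfwadm -I chain (added example, not from the post).

ipfwadm is stateless: each rule matches on interface, protocol, addresses and
ports only, the first matching rule wins, and an unmatched packet gets the
chain's default policy.  Replies to outbound connections therefore need their
own accept rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed: the post masks the external address as a.b.c.d; 203.0.113.10
# (documentation range) stands in for it.  The rest match the posted script.
EXT_ADDR = "203.0.113.10"
INT_ADDR = "10.0.0.1"
LOCALNET = "10.0.0.0/24"
ANYWHERE = "0.0.0.0/0"
UNPRIV = ((1024, 65535),)


@dataclass(frozen=True)
class Packet:
    via: str                      # address of the interface it arrived on (-V)
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                                # "accept" or "deny"
    via: Optional[str] = None                  # -V; None matches any interface
    proto: str = "all"                         # -P; "all" matches any protocol
    src: str = ANYWHERE                        # -S network
    dst: str = ANYWHERE                        # -D network
    dports: Tuple[Tuple[int, int], ...] = ()   # port ranges after -D; () = any
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.via is not None and self.via != p.via:
            return False
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dports:
            if p.dport is None:
                return False
            if not any(lo <= p.dport <= hi for lo, hi in self.dports):
                return False
        return True


def evaluate(chain, policy: str, p: Packet):
    """Return (verdict, note) of the first matching rule, else the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.note
    return policy, "default policy"


# The -I rules of the posted script, in the order the script appends them.
INPUT_CHAIN = [
    Rule("deny", EXT_ADDR, src="38.11.224.131", note="blocked host"),
    Rule("deny", EXT_ADDR, src=LOCALNET, note="anti-spoof: LOCALNET from outside"),
    Rule("deny", EXT_ADDR, src=EXT_ADDR, note="anti-spoof: own address from outside"),
    Rule("accept", INT_ADDR, note="internal interface, anything"),
    Rule("accept", "127.0.0.1", note="loopback, anything"),
    Rule("accept", EXT_ADDR, "tcp", dst=EXT_ADDR, dports=((23, 23), (25, 25)), note="telnet/smtp in"),
    Rule("accept", EXT_ADDR, "icmp", dst=EXT_ADDR, note="icmp in"),
    Rule("accept", EXT_ADDR, "tcp", dst=EXT_ADDR, dports=UNPRIV, note="tcp to unprivileged port"),
    Rule("accept", EXT_ADDR, "udp", dst=EXT_ADDR, dports=UNPRIV, note="udp to unprivileged port"),
    Rule("deny", INT_ADDR, note="catch-all internal (logged)"),
    Rule("deny", "127.0.0.1", note="catch-all loopback (logged)"),
    Rule("deny", EXT_ADDR, note="catch-all external (logged)"),
]
INPUT_POLICY = "deny"


def input_verdict(p: Packet):
    return evaluate(INPUT_CHAIN, INPUT_POLICY, p)


# Constructed packets: 198.51.100.53 plays the upstream resolver, 198.51.100.80
# a web server answering a masqueraded client, 198.51.100.7 an outside host.
DNS_REPLY = Packet(EXT_ADDR, "udp", "198.51.100.53", EXT_ADDR, dport=1234)
MASQ_REPLY = Packet(EXT_ADDR, "tcp", "198.51.100.80", EXT_ADDR, dport=61000)  # masq port assumed
SPOOFED = Packet(EXT_ADDR, "tcp", "10.0.0.5", EXT_ADDR, dport=25)
SSH_IN = Packet(EXT_ADDR, "tcp", "198.51.100.7", EXT_ADDR, dport=22)
TELNET_IN = Packet(EXT_ADDR, "tcp", "198.51.100.7", EXT_ADDR, dport=23)
DNS_QUERY_IN = Packet(EXT_ADDR, "udp", "198.51.100.7", EXT_ADDR, dport=53)

if __name__ == "__main__":
    for name, p in [("dns reply", DNS_REPLY), ("masq reply", MASQ_REPLY),
                    ("spoofed", SPOOFED), ("ssh in", SSH_IN),
                    ("telnet in", TELNET_IN), ("dns query in", DNS_QUERY_IN)]:
        print(f"{name:13} -> {input_verdict(p)}")
```

On the chain as posted, the walker accepts the DNS reply and the masqueraded client's reply under the $UNPRIVPORTS rules, and it also shows what the chain exposes: telnet and smtp on the external address are open to any source, while ssh and inbound DNS queries fall through to the logged catch-all. A paper walk like this only covers what the rules express; the kernel's own verdict on the rule set actually loaded comes from listing the chain with ipfwadm's -l option (with -n -e for numeric, extended output) and from its -c check command, which is where to look when the live box disagrees with the script.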