-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think this is the issue, as this script is nearly identical to the one I used to use... On the off chance, though, I'm using ipchains, and the script follows.
#!/bin/sh
#
#
############################################################################
#
# rc.firewall
# Heavily plagiarized from Hal Burgiss ([EMAIL PROTECTED])
#
# Tom Burke - 5 May 00 (tom-ii at directvinternet.com)
#
############################################################################
#
# variables
#
# internal interface
INTERNAL_IF=eth0
INTERNAL_IP=192.168.68.1
INTERNAL_MASK=255.255.255.0
INTERNAL_NET=$INTERNAL_IP/$INTERNAL_MASK
#
#
# external interface
EXTERNAL_IF=eth1
#
# These lines for dynamic IP
# EXTERNAL_IP=`ifconfig $EXTERNAL_IF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
# EXTERNAL_MASK=`ifconfig $EXTERNAL_IF | grep Mask | cut -d : -f 4`
#
# If dynamic IP is being used, comment these lines out...
EXTERNAL_IP=65.187.98.9
EXTERNAL_MASK=255.255.255.252
EXTERNAL_NET=$EXTERNAL_IP/$EXTERNAL_MASK
echo -n "External net -> "
echo $EXTERNAL_NET
#
#
# Loopback Interface
LOOPBACK=lo
#
#
# All addresses
ALLADDR=0/0
#
#
# location of ipchains
IPCHAINS=/sbin/ipchains
#
#
#
############################################################################
#
# We assume that all interfaces are up...
# Maybe this should be run in the PPP startup script?
#
# First, we flush all rules
echo -n "Flushing all rules"
#
# Flush empty chains
$IPCHAINS -X
echo -n "."
#
# Flush Incoming rules (packets from the outside network)
$IPCHAINS -F input
echo -n "."
#
# Flush Outgoing rules (packets from the internal network)
$IPCHAINS -F output
echo -n "."
#
# Flush forwarding rules (masquerading stuff, etc)
$IPCHAINS -F forward
echo -n "."
echo "Done!"
#
############################################################################
#
#
# Handle the loopback device - we should accept anything coming from
# or going to this device, otherwise we'll break the system.
#
echo -n "Loopback.."
$IPCHAINS -A input -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
echo -n ".."
echo "Done!"
#
############################################################################
#
# Different system tweaks
echo -n "/proc tweaks.."
#
# IP Spoofing protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
    done
fi
echo -n "."
#
# Block all ICMP echo requests (will this break my internal boxes'
# ability to ping the outside world?) - Answer is no, just keeps
# us from being pinged by the outside world.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo -n "."
#
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $i
done
echo -n "."
#
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $i
done
echo -n "."
#
# Start IP Fragment Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo -n "."
#
# Start ICMP Broadcast Echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n "."
#
# Start Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -n "."
#
# Start SYN COOKIES protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
echo -n "."
echo "Done!"
#
############################################################################
#
# Block nonroutable IPs from entering our box
#
# Block 192.168.0.0/16 on outer interface, only
#
############################################################################
#
echo -n "Blocking non-routable addresses.."
$IPCHAINS -A input -s 10.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 127.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 172.16.0.0/12 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -i $EXTERNAL_IF -s 192.168.0.0/16 -d $EXTERNAL_NET -j DENY
echo -n "."
echo "Done!"
#
############################################################################
#
# Banned Networks
#
# Put troublemakers here - Rules to specifically block connections
# from hosts/nets that are known to cause problems. Packets are logged.
#
############################################################################
#
echo -n "Banned Networks.."
#
# Generic blocker/logger
# $IPCHAINS -A input -l -s [banned host/net] -d $EXTERNAL_NET [ports] -j DENY
# echo -n "."
#
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $EXTERNAL_IF -p icmp -s [host/net] -d $EXTERNAL_NET -j DENY
# echo -n "."
# echo "Done!"
#
$IPCHAINS -A input -l -s 64.23.24.254 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 207.110.40.160 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.203.36.68 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.3.223.49 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.216.57.161 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.249.182.198 -d $EXTERNAL_NET -j DENY
echo -n "."
#
echo "Done!"
#
############################################################################
#
# Specific blocks/logging on external interface
#
# blocks off ports with known vulnerabilities
#
############################################################################
#
echo -n "Port Blocks and traps.."
#
# linuxconfig - all interfaces
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 98 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 98 -j DENY
echo -n "."
#
# NetBEUI/Samba/NetBios - only on external interface
# Do not log - too much traffic
$IPCHAINS -A input -i $EXTERNAL_IF -p tcp -s $ALLADDR -d $EXTERNAL_NET 137:139 -j DENY
$IPCHAINS -A input -i $EXTERNAL_IF -p udp -s $ALLADDR -d $EXTERNAL_NET 137:139 -j DENY
echo -n "."
#
# Deny SWAT to the outside world (web interface for SAMBA) - only on external interface
$IPCHAINS -A input -i $EXTERNAL_IF -p tcp -s $ALLADDR -d $EXTERNAL_NET 901 -j DENY
$IPCHAINS -A input -i $EXTERNAL_IF -p udp -s $ALLADDR -d $EXTERNAL_NET 901 -j DENY
echo -n "."
#
# Microsoft SQL - all interfaces
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
echo -n "."
#
# Postgres SQL
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
echo -n "."
#
# NFS
# Does this block mail? - Doesn't appear to....
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
echo -n "."
#
# Back Orifice
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
echo -n "."
#
# NetBus
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j DENY
echo -n "."
#
# Trin00
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1524 -j DENY
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 27655 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 27444 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31335 -j DENY
echo -n "."
#
# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $ALLADDR -j DENY
$IPCHAINS -A input -s $ALLADDR -d 224.0.0.0/8 -j DENY
echo -n "."
echo "Done!"
#
############################################################################
#
# Trusted networks and services
# Put in rules to unconditionally allow connections from
# hosts/nets that might otherwise be blocked.
#
# Any services that we want global, unfiltered access to
# go here
#
# Currently, global unfiltered access is only
# allowed to our internal network.
#
# External network (the internet) can have full access to
# http, snmp, ftp, ssh, and nothing else
############################################################################
echo -n "Trusted Networks.."
#
# Add the internal net's unconditional access, here.
echo -n "Internal Network..."
$IPCHAINS -A input -i $INTERNAL_IF -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
#
#
# Stuff we want the outside world to be able to use...
echo -n "Global Services..."
#
# http (80)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 80 -j ACCEPT
echo -n "."
#
# ftp (20,21) - Use SSH2, now
#$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 20 -j ACCEPT
#$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 21 -j ACCEPT
echo -n "."
#
# smtp (25)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 25 -j ACCEPT
#
# ssh (22)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 22 -j ACCEPT
echo -n "."
echo "Done!"
#
# DNS
# May need to enable this so MASQ'd network can do DNS lookups
# to ISP's DNS machine (Seems to be working without it)
#$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#
############################################################################
#
# All I/O rules are done(?) - set up masquerade
#
############################################################################
#
echo -n "Masquerading.."
#
# Install any helpers we might need - Our CU_SeeMe seems to
# work without the cuseeme module - Seems to work a little
# better with it, though...
/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1
#/sbin/modprobe ip_masq_mfw > /dev/null 2>&1
#/sbin/modprobe ip_masq_autofw > /dev/null 2>&1
#/sbin/modprobe ip_masq_portfw > /dev/null 2>&1
/sbin/modprobe ip_masq_cuseeme > /dev/null 2>&1
echo -n "."
#
# Masq timeouts - tcp 8hrs, tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600
echo -n "."
#
# Tell kernel to allow masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "."
#
# Tell kernel to allow dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "."
#
# Don't masq internal traffic
$IPCHAINS -A forward -s $INTERNAL_NET -d $INTERNAL_NET -j ACCEPT
echo -n "."
#
# Don't masq external interface direct
$IPCHAINS -A forward -s $EXTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
#
# Masq all internal IPs going outside
$IPCHAINS -A forward -s $INTERNAL_NET -d $ALLADDR -j MASQ
echo -n "."
#
# Set default rule on MASQ chain to deny
$IPCHAINS -P forward DENY
echo -n "."
#
## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
############################################################################
#
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "Tweak TOS bits for minimum delay.."
#
# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10
echo -n "."
#
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08
echo -n "."
echo "Done!"
#
# Allow outgoing ICMP
echo -n "Allow outgoing ICMP.."
$IPCHAINS -A output -p icmp -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
echo -n "firing up PortSentry..."
/usr/psionic/portsentry/portsentry -atcp
/usr/psionic/portsentry/portsentry -audp
echo "Done!"
#
# end of firewall
#
############################################################
# Allow www.dialpad.com calls - not anymore, they started to charge :(
#echo -n "DialPad.."
#/usr/sbin/ipmasqadm autofw -A -v -u -r udp 51200 51201 -c tcp 7175
#echo -n "."
#/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 51200 51201 -c tcp 7175
#echo -n "."
#echo "Done!"

-----Original Message-----
From: Bret Hughes [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: apache setup questions

On Fri, 2003-01-03 at 13:04, Burke, Thomas G. wrote:
> OK, apache is working from the local machine...
>
> I can log in from the local machine, & I get the test page that
> shipped with it.
>
> However, when I try to get there from outside (work, in this case),
> I get the connecting message (in netscape at the bottom, explorer
> gives me nada), and then it eventually times out. This is apparently
> something in the config file doing this, as I could get the error
> message from work, earlier. I am attaching my httpd.conf file, so
> you guys can take a look...

My guess is that you are now hitting firewall constraints.
Sorry if this has been addressed previously. What are the FW rules that are in place?

Bret

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPhXpU9PjBkUEZx5AEQLvjQCg/i5nFeNNB6cEUwJjW3dreXxkguEAoJLv
izom73OVVEH9YUgS+ozSy7xV
=qWwQ
-----END PGP SIGNATURE-----
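Bret's question (what firewall rules are in place?) comes down to which rule in the ipchains input chain a packet hits first, since ipchains stops at the first match. The Python script below is an added example, not part of the original post or of the rc.firewall script: it models first-match evaluation over the input chain as the script above builds it, with the variables expanded, the banned-host rules and the duplicate udp port blocks left out for brevity, and traces a few constructed packets through it. The sample source addresses are constructed from the documentation ranges; the ACCEPT chain policy is an assumption based on the script never setting a policy for the input chain (it only sets one for forward).

```python
"""Added example: first-match model of the input chain built by the
rc.firewall script above.  Only the options the script uses are modelled:
-i interface, -p protocol, -s/-d address with an optional destination port
or port range, and -j target."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values transcribed from the variables block of the script.
INTERNAL_IF, EXTERNAL_IF = "eth0", "eth1"
INTERNAL_NET = "192.168.68.1/255.255.255.0"
EXTERNAL_NET = "65.187.98.9/255.255.255.252"
ALL = "0/0"


@dataclass
class Rule:
    src: str
    dst: str
    target: str                               # ACCEPT or DENY
    iface: Optional[str] = None               # -i
    proto: Optional[str] = None               # -p
    dports: Optional[Tuple[int, int]] = None  # destination port range
    note: str = ""                            # which script section it came from


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    iface: str


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse an ipchains address spec, including the "0/0" shorthand."""
    addr, _, mask = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in net(rule.dst):
        return False
    if rule.dports:
        lo, hi = rule.dports
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, str]:
    """First matching rule decides; otherwise the chain policy applies.
    The script never changes the input policy, so the kernel default of
    ACCEPT is assumed (an assumption of this example)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.note
    return policy, "chain policy (no rule matched)"


def blocked_port(port_spec: str, proto: str, iface: Optional[str] = None, note: str = "") -> Rule:
    """Shorthand for the script's "-s $ALLADDR -d $EXTERNAL_NET <port> -j DENY" rules."""
    lo, _, hi = port_spec.partition(":")
    return Rule(ALL, EXTERNAL_NET, "DENY", iface, proto, (int(lo), int(hi or lo)), note)


# The input chain in the order the script appends it.
INPUT_CHAIN: List[Rule] = [
    Rule(ALL, ALL, "ACCEPT", iface="lo", note="loopback"),
    Rule("10.0.0.0/8", EXTERNAL_NET, "DENY", note="bogon 10/8"),
    Rule("127.0.0.0/8", EXTERNAL_NET, "DENY", note="bogon 127/8"),
    Rule("172.16.0.0/12", EXTERNAL_NET, "DENY", note="bogon 172.16/12"),
    Rule("192.168.0.0/16", EXTERNAL_NET, "DENY", iface=EXTERNAL_IF, note="bogon 192.168/16 on external"),
    blocked_port("98", "tcp", note="linuxconf"),
    blocked_port("137:139", "tcp", EXTERNAL_IF, "netbios"),
    blocked_port("137:139", "udp", EXTERNAL_IF, "netbios"),
    blocked_port("901", "tcp", EXTERNAL_IF, "swat"),
    blocked_port("1433", "tcp", note="mssql"),
    blocked_port("5432", "tcp", note="postgres"),
    blocked_port("2049", "tcp", note="nfs"),
    blocked_port("31337", "tcp", note="back orifice"),
    blocked_port("12345:12346", "tcp", note="netbus"),
    Rule("224.0.0.0/8", ALL, "DENY", note="multicast source"),
    Rule(ALL, "224.0.0.0/8", "DENY", note="multicast destination"),
    Rule(INTERNAL_NET, ALL, "ACCEPT", iface=INTERNAL_IF, note="internal network"),
    Rule(ALL, EXTERNAL_NET, "ACCEPT", proto="tcp", dports=(80, 80), note="http"),
    Rule(ALL, EXTERNAL_NET, "ACCEPT", proto="tcp", dports=(25, 25), note="smtp"),
    Rule(ALL, EXTERNAL_NET, "ACCEPT", proto="tcp", dports=(22, 22), note="ssh"),
    Rule(INTERNAL_NET, ALL, "ACCEPT", note="internal network (masq section)"),
]

# Constructed packets; outside addresses come from the documentation ranges.
SAMPLE_PACKETS = {
    "web from outside": Packet("203.0.113.5", "65.187.98.9", "tcp", 80, EXTERNAL_IF),
    "netbios from outside": Packet("203.0.113.5", "65.187.98.9", "tcp", 139, EXTERNAL_IF),
    "spoofed 10/8 to port 80": Packet("10.1.2.3", "65.187.98.9", "tcp", 80, EXTERNAL_IF),
    "mysql from outside": Packet("203.0.113.5", "65.187.98.9", "tcp", 3306, EXTERNAL_IF),
    "lan host to internet": Packet("192.168.68.5", "198.51.100.7", "tcp", 443, INTERNAL_IF),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(f"{label:26s} -> {evaluate(INPUT_CHAIN, pkt)}")
```

Running it shows an outside TCP connection to port 80 accepted by the explicit http rule, a packet from 10/8 to the same port denied by the bogon rule before the accept is ever reached, and a port with no rule at all (3306 here) falling through to the unchanged input policy, which is ACCEPT. The script only sets a DENY policy on the forward chain, so the input chain is a block list rather than default-deny; with the rules as listed it is not the input chain that stops external HTTP.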
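The "/proc tweaks" section of the script writes a handful of kernel knobs and moves on; nothing re-checks that the writes took effect, and the rp_filter and tcp_syncookies writes are skipped silently when the file is absent. The following is an added example, not code from the post: a small Python audit that compares those knobs against the values the script intends and reports any mismatch or missing knob. The root directory is a parameter so it can be pointed at a copied or constructed tree as well as the live /proc; the sample tree it builds is constructed for the demonstration. ip_always_defrag is left out because it exists only on 2.2-era kernels.

```python
"""Added example: audit the /proc/sys/net/ipv4 knobs set by the script's
"/proc tweaks" section against the values the script intends."""
import os
import tempfile
from typing import Dict, List, Tuple

# (knob, hardened value) pairs as the script writes them.
HARDENED: List[Tuple[str, str]] = [
    ("conf/all/rp_filter", "1"),
    ("icmp_echo_ignore_all", "1"),
    ("conf/all/accept_redirects", "0"),
    ("conf/all/accept_source_route", "0"),
    ("icmp_echo_ignore_broadcasts", "1"),
    ("icmp_ignore_bogus_error_responses", "1"),
    ("tcp_syncookies", "1"),
]


def audit(root: str) -> Dict[str, Tuple[str, str]]:
    """Return {knob: (current, expected)} for every knob not at its hardened
    value.  A knob whose file is absent is reported as 'missing': the running
    kernel then offers no such protection at all, which the script's
    "if [ -e ... ]" guards would hide."""
    findings: Dict[str, Tuple[str, str]] = {}
    for rel, want in HARDENED:
        path = os.path.join(root, rel)
        try:
            with open(path) as fh:
                got = fh.read().strip()
        except OSError:
            got = "missing"
        if got != want:
            findings[rel] = (got, want)
    return findings


def build_sample_tree(values: Dict[str, str]) -> str:
    """Constructed stand-in for /proc/sys/net/ipv4, not a real kernel tree."""
    root = tempfile.mkdtemp()
    for rel, val in values.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(val + "\n")
    return root


# Constructed sample: one knob left at the permissive default and one
# (tcp_syncookies) absent, as on a kernel built without it.
SAMPLE_VALUES = {
    "conf/all/rp_filter": "1",
    "icmp_echo_ignore_all": "1",
    "conf/all/accept_redirects": "1",
    "conf/all/accept_source_route": "0",
    "icmp_echo_ignore_broadcasts": "1",
    "icmp_ignore_bogus_error_responses": "1",
}

if __name__ == "__main__":
    sample = build_sample_tree(SAMPLE_VALUES)
    for knob, (got, want) in audit(sample).items():
        print(f"{knob}: {got} (want {want})")
    # On a real box, point it at the kernel's tree instead:
    print("live system:", audit("/proc/sys/net/ipv4") or "all hardened")
```

Run on the live tree after the firewall script, it gives the confirmation the script itself never prints; run before, it shows which of the listed protections the box lacks by default.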