On Sun, Apr 14, 2002 at 09:33:44PM -0400, Russell Hires wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Okay...I've reverted back to the 2.2.x kernel series, because 2.4.x wasn't
> stable for me :-(
>
> Having done that, though, I'm beginning to probe my whole firewall setup, and
> what's going on in there. I realize that my firewall is made up of a simple
> script that was put there by PPPoE. It basically lets everything through my
> computer to the internel network, but it doesn't let anything get to the
> firewall. So, if I want to be able to ssh to my firewall computer from my
> sister's house, I can't. I also want to be able to serve up a web page or two
> while I'm at it, so I can play with my Zope server away from home, and if I'm
> really feeling good, I can VNC to my home computer, too.
>
> How would I modify my firewall script to allow these services?
>
> Thanks!
>
> Russell
> Here's what I'm working with...
>
> #!/bin/sh
> #
> # firewall-masq This script sets up firewall rules for a machine
> # acting as a masquerading gateway
> #
> # Copyright (C) 2000 Roaring Penguin Software Inc. This software may
> # be distributed under the terms of the GNU General Public License, version
> # 2 or any later version.
>
> # Interface to Internet
> EXTIF=ppp+
>
> ANY=0.0.0.0/0
>
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward DENY
>
> ipchains -F forward
> ipchains -F input
> ipchains -F output
>
> # Deny TCP and UDP packets to privileged ports
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
>
> # Deny TCP connection attempts
> ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
>
> # Deny ICMP echo-requests
> ipchains -A input -l -i $EXTIF -s $ANY echo-request -p icmp -j DENY
>
> # Do masquerading
> ipchains -A forward -j MASQ
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
You have no output statement. Something like:
ipchains -A output -s $ANY -d $ANY -j ACCEPT
HOWEVER, beware that this allows any traffic, even spoofed traffic, to
emerge from behind your firewall. This would be a little better if you
added a variable at the beginning that gave your network addresses:
NET=192.168.10.0/24
then
ipchains -A output -s $NET -d $ANY -j ACCEPT
Also, if you specify your interior device, as
INTDEV=eth0
you can do
ipchains -A output -i $INTDEV -s $NET -d $ANY -j ACCEPT
There are obviously a hundred other additional statements which would
add security to this. The point is that you have no output statement,
and you need one.
HTH,
Paul
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:07:10 EDT