Re: [SLUG] Letting Stuff In...

From: Paul M Foster (paulf@quillandmouse.com)
Date: Sun Apr 14 2002 - 23:18:53 EDT

Next message: ramiro souto: "[SLUG] A personal message to Diego"
Previous message: Russell Hires: "[SLUG] Letting Stuff In..."
In reply to: Russell Hires: "[SLUG] Letting Stuff In..."
Next in thread: Russell Hires: "Re: [SLUG] Letting Stuff In..."
Reply: Russell Hires: "Re: [SLUG] Letting Stuff In..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Sun, Apr 14, 2002 at 09:33:44PM -0400, Russell Hires wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Okay...I've reverted back to the 2.2.x kernel series, because 2.4.x wasn't
> stable for me :-(
>
> Having done that, though, I'm beginning to probe my whole firewall setup, and
> what's going on in there. I realize that my firewall is made up of a simple
> script that was put there by PPPoE. It basically lets everything through my
> computer to the internel network, but it doesn't let anything get to the
> firewall. So, if I want to be able to ssh to my firewall computer from my
> sister's house, I can't. I also want to be able to serve up a web page or two
> while I'm at it, so I can play with my Zope server away from home, and if I'm
> really feeling good, I can VNC to my home computer, too.
>
> How would I modify my firewall script to allow these services?
>
> Thanks!
>
> Russell
> Here's what I'm working with...
>
> #!/bin/sh
> #
> # firewall-masq This script sets up firewall rules for a machine
> # acting as a masquerading gateway
> #
> # Copyright (C) 2000 Roaring Penguin Software Inc. This software may
> # be distributed under the terms of the GNU General Public License, version
> # 2 or any later version.
>
> # Interface to Internet
> EXTIF=ppp+
>
> ANY=0.0.0.0/0
>
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward DENY
>
> ipchains -F forward
> ipchains -F input
> ipchains -F output
>
> # Deny TCP and UDP packets to privileged ports
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
>
> # Deny TCP connection attempts
> ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
>
> # Deny ICMP echo-requests
> ipchains -A input -l -i $EXTIF -s $ANY echo-request -p icmp -j DENY
>
> # Do masquerading
> ipchains -A forward -j MASQ
> echo 1 > /proc/sys/net/ipv4/ip_forward
>

You have no output statement. Something like:

ipchains -A output -s $ANY -d $ANY -j ACCEPT

HOWEVER, beware that this allows any traffic, even spoofed traffic, to
emerge from behind your firewall. This would be a little better if you
added a variable at the beginning that gave your network addresses:

NET=192.168.10.0/24

then

ipchains -A output -s $NET -d $ANY -j ACCEPT

Also, if you specify your interior device, as

INTDEV=eth0

you can do

ipchains -A output -i $INTDEV -s $NET -d $ANY -j ACCEPT

There are obviously a hundred other additional statements which would
add security to this. The point is that you have no output statement,
and you need one.

HTH,

Paul

Next message: ramiro souto: "[SLUG] A personal message to Diego"
Previous message: Russell Hires: "[SLUG] Letting Stuff In..."
In reply to: Russell Hires: "[SLUG] Letting Stuff In..."
Next in thread: Russell Hires: "Re: [SLUG] Letting Stuff In..."
Reply: Russell Hires: "Re: [SLUG] Letting Stuff In..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:07:10 EDT