
[cobalt-users] IPChains Firewall Help after HACK



I apologize for posting the long script below, but I'm in dire need of someone's advice regarding the proper configuration/setup of a simple firewall via IPChains.

My hacked server has been brought back online. I've quickly installed all the updates and other security items back on the box (SSH/Portsentry/Log Check/turned off Telnet). Upon installing my IPChains, I immediately noticed HORDES of spammers trying to use my machine as a relay. I've got it fairly nailed down, but I seriously want to thwart any would-be hackers via IPChains. I will also be installing ASP/mySQL/PHP3 on the box. I found the script below and was wondering if it would be a good start for fitting my needs as a basic line of defense as a firewall?

I have three questions I was wondering if someone could assist me with regarding this script?

1) Should I change all the "ppp0" entries in the script below <from a dialup> to "eth0", as my box is sitting in a NOC on a static IP?

2) I'm not clear on the correct settings for the top part of this script.

# Define the default network address
ALL="0.0.0.0/0"
# Define the private network's address
PRIV_NET="192.168.1.0/24"
# Define localhost address
LOCAL_HOME="127.0.0.1"

I know my server's IP address, network address, usable IP range, broadcast address, and subnet mask.

3) How should I call up the script? I normally add start-up lines to /etc/rc.d/rc.local for various programs I want called at boot. Should I just drop this file into /etc as, say, rc.firewall and then add a line to rc.local that calls up the script upon boot? I wasn't sure if it needed to be loaded early during the boot process...

Any help with the above would be greatly appreciated... I've been sitting here for almost 24 hours now, and I'm determined to nail down this box if it's the last thing I do...

-Craig Napier


#!/bin/sh

# Paul Sery, pgsery@xxxxxxxx
# April 27, 1999
#
# Copyright (C) 1999 by Paul Sery

# Redistribution of this file is permitted under the terms of the GNU
# General Public License (GPL)

# This script was created for my new book Red Hat Linux in Small Business
#
# This script is intended to work as a firewall connecting a private network
# directly to the Internet. Its function is the same as firewall.simpl.

# The firewall created by this script allows one way communication to the
# Internet. You can optionally allow external connections via Secure Shell
# by removing the comments from the two ssh lines. Please see appendix A for
# instructions on how to use Secure Shell.
#
# In order to make this script as simple to understand as possible, only the
# three built-in chains - input, output and forward - are used; a chain is a
# set of IP filtering rules grouped together under a common name. Therefore,
# the ipchains capability of creating custom chains is not taken advantage of
# in this script. However, the script ipchains.rules.equiv, included on this
# CD-ROM, has been included and does make use of custom chains. That script
# provides the same functionality as this one and demonstrates the use of
# custom, user defined chains.

# This script makes use of the Type Of Server (TOS) capability of ipchains.
# TOS allows you to specify different priorities be used when passing various
# packet types. For instance, you can have ipchains pass interactive packets
# like WWW or Telnet through with minimal delay while trying to gain maximum
# throughput for protocols like FTP that are more interested in transferring
# data in bulk. The TOS rules were derived from Paul Russell's IPCHAINS-HOWTO
# found in /usr/doc/ipchains*/HOWTO.txt.

# Please look for updates to these rules at http://www.swcp.com/~pgsery/RHBIZ

# ------------- Define variables --------------

# High (non well-known ports)
HI="1024:65535"

# Define the default network address
ALL="0.0.0.0/0"
# Define the private network's address
PRIV_NET="192.168.1.0/24"
# Define localhost address
LOCAL_HOME="127.0.0.1"


# Get dynamic PPP IP address (your ISP assigns this to you at connection time)
PPP_IP=`ifconfig ppp0 |grep 'inet addr'| awk '{print $2}'|sed -e "s/addr\://"`
echo $PPP_IP

# ------------- General Rules ------------------

# Flush out all existing chains
ipchains -F
# Delete any user-defined chains (they must already be empty)
ipchains -X

# Set built-in filters to deny everything
ipchains -P input   DENY
ipchains -P output  DENY
ipchains -P forward DENY

# Allow all internal network traffic
ipchains -A input  -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Allow all private network traffic (Ethernet)
ipchains -A input  -i eth0 -j ACCEPT
ipchains -A output -i eth0 -j ACCEPT

# Deny spoofed packets
ipchains -A input  -j DENY -i ppp0 -s $PPP_IP   -d $ALL
ipchains -A output -j DENY -i ppp0 -s $PRIV_NET -d $ALL


# Individual chains

# --- Going out to the Internet

# TCP

# Set minimum delay for interactive packets (telnet, www, etc.)
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL telnet -t 0x01 0x10
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL www	 -t 0x01 0x10
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL ftp	 -t 0x01 0x10

# WWW secure server
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL https -t 0x01 0x10

# Set maximum throughput for data transfer packets (ftp, email, etc.)
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL ftp-data -t 0x01 0x08
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL nntp     -t 0x01 0x02
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL pop-3    -t 0x01 0x02
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL imap     -t 0x01 0x02
ipchains -A output -p TCP -j ACCEPT -i ppp0 -d $ALL smtp     -t 0x01 0x02

# UDP
ipchains -A output -p UDP -j ACCEPT -i ppp0 -d $ALL domain

# optionally allow secure shell connections originating from the outside
ipchains -A output -p TCP -j ACCEPT -i ppp0 -s $ALL ssh -t 0x01 0x10
ipchains -A output -p UDP -j ACCEPT -i ppp0 -s $ALL ssh -t 0x01 0x10

# --- Coming in from the Internet

# TCP

# Allow TCP SYN packets back in (originating from the private net).
ipchains -A input -p TCP -j ACCEPT -i ppp0 ! -y -s $ALL

# FTP data connections
ipchains -A input -p TCP -j ACCEPT -i ppp0 -s $ALL ftp-data

# UDP
ipchains -A input -p UDP -j ACCEPT -i ppp0 -s $ALL domain

# optionally allow SSH packets to go back out
ipchains -A input -p TCP -j ACCEPT -i ppp0 ! -y -d $ALL ssh -t 0x01 0x10
ipchains -A input -p UDP -j ACCEPT -i ppp0 -d $ALL ssh -t 0x01 0x10

# --- Masquerade (Network Address Translation) ----
# Masquerade your private network
# (see the section Configure Linux Networking for Masquerading
# in this chapter for more information.)
# (all local IPs appear on the Internet as your PPP IP address)
ipchains -A forward -j MASQ -s $PRIV_NET -d $ALL

#
# Optionally start fetchmail in daemon mode
# (this example checks for email every 5 minutes)
#/usr/bin/fetchmail -d 300

# log
echo "ipchains.rules up at `date`" >> /var/log/ipchains.log


