Subject: Re: port forwarding into internal network
From: Francois.Perreault@VMD.DESJARDINS.COM
Date: Fri Aug 11 2000 - 13:13:39 CDT
In response to:
hello,
I'd like to configure an internal network with one firewall/gateway. But I
want an Apache server, mail server (using sendmail), FTP server, ...
installed on a machine in the internal network. (I wouldn't like these
services to be on my firewall.) So I guess I need a program that forwards
the requests on the default ports to the right machine in the subnet.
Does anyone know a program that does this properly and securely? Is it
possible to forward the requests on such a port (80) only when they were
allowed to pass the firewall?
thx in advance
Kristof
========================================
Bug? That's not a bug, that's a feature.
This is the setup I have at home.
The rc.firewall script uses '/usr/sbin/ipmasqadm' for port forwarding, and
ipchains for the rest. (You can find these at www.rpmfind.com; you can also
search for TrinityOS on the web.)
Note: There are some IP addresses to change at the beginning and at the end
to reflect your environment. Also, I would not forward FTP unless it was a
life-and-death matter; instead, I use scp from the SSH package. Feel free to
ask if you have any questions. (I suggest you read through this script and
understand what it does prior to enabling it for production use.)
#!/bin/sh
#--------------------------------------------------------------------
# Author: David A. Ranch
FWVER="v3.53"
#--------------------------------------------------------------------
# This configuration assumes the following (DSL / Cablemodem setup):
#
# 1) The external interface is running on "eth0"
# 2) The external IP address is dynamically assigned
# 3) The internal IP Masqueraded network interface is "eth1"
# 4) The internal network is addressed within the private
# 192.168.0.x TCP/IP addressing scheme per RFC1918
#
# ****
# NOTE: All 2.2.x Linux kernels prior to 2.2.11 have a fragmentation
# **** bug that renders all strong IPCHAINS rulesets void. It
# is CRITICAL that users upgrade the Linux kernel to 2.2.11+
# for proper firewall security.
#
#--------------------------------------------------------------------
#********************************************************************
# Initializing
#********************************************************************
echo -e "\n\nLoading TrinityOS IPCHAINS Firewall $FWVER"
echo "----------------------------------------------------------------------"
#--------------------------------------------------------------------
# Variables
#--------------------------------------------------------------------
# The loopback interface and address
#
LOOPBACKIF="lo"
LOOPBACKIP="127.0.0.1"
EXTIF="eth1"
echo External Interface: $EXTIF
# IP address of the external interface
#
# *
# * If you get a DYNAMIC IP address (regardless if you use PPP
# * with a modem or DHCP with Ethernet), you *MUST* make this firewall
# * ruleset understand your new IP address every time you get a new
# * IP address. To do this, enable the following one-line script.
# *
#
# (Please note that the different single and double quote characters MATTER).
#
#
# NOTE: Red Hat users of DHCP to get TCP/IP addresses (Cablemodems, DSL, etc)
# will need to install and use a different DHCP client than the stock
# client called "pump". One recommended DHCP client is called "dhcpcd"
# and can be found in Appendix A.
#
# The stock Red Hat DHCP client doesn't allow the ability to have scripts
# run when DHCP gets a TCP/IP address. Specifically, DHCP doles out
# TCP/IP addresses to its clients for a limited amount of time; this is
# called a "lease". When a DHCP lease expires, the client will query the
# DHCP server for a lease renewal. Though the DHCP client will usually
# get back its original TCP/IP address, this is NOT always guaranteed.
# With this understood, if you receive a different TCP/IP address than
# the IPCHAINS firewall was configured for, the firewall will block ALL
# network access in and out of the Linux server because that was what it
# was configured to do.
#
# As mentioned above, the key to solve this problem is to use a DHCP
# client program that can re-run the /etc/rc.d/rc.firewall ruleset once a
# new TCP/IP address is set. The new ruleset will make the required
# changes to the rulesets to allow network traffic from and to your new
# TCP/IP address.
#
# With the dhcpcd program, it will need to be executed with the following
# command line option to have the firewall ruleset re-run upon every DHCP
# lease renewal (please note the -c syntax is deprecated in newer DHCPcd
# clients). Please see the DHCPcd section in TrinityOS for full details
# on how to edit the /sbin/ifup file.
#
# ABSOLUTELY CRITICAL: If you run the /etc/dhcpcd/dhcpcd-ethX.exe file
# (needed for DHCP'ed DSL and cablemodem users),
# you CANNOT also enable the
# /etc/rc.d/init.d/firewall
# script below.
#
# Static TCP/IP addressed users: For EXTIP, EXTBROAD, and EXTGW, simply replace
# the pipelines with your correct TCP/IP address, broadcast address, and
# external gateway, respectively.
#
# eg: EXTIP="100.200.0.212"
#
EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://`
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP of $EXTIF ... DHCP or PPP problem?"
exit 1
fi
echo External IP: $EXTIP
# Broadcast address of the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP netmask enclosed in double
# quotes.
#
# eg: EXTBROAD="100.200.0.255"
#
EXTBROAD=`/sbin/ifconfig | grep -A 1 $EXTIF | awk '/Bcast/ { print $3 }' | sed -e s/Bcast://`
echo External broadcast: $EXTBROAD
# Gateway for the external network
#
# Static TCP/IP addressed users:
#
# Simply delete all of the text and including the single quotes and
# replace it with your correct TCP/IP default gateway or "next hop
# address".
#
# eg: DGW="100.200.0.1"
#
EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW
echo " --- "
# Internal interface device.
INTIF="eth0"
echo Internal Interface: $INTIF
# IP address on the internal interface
INTIP="205.205.234.254"
echo Internal IP: $INTIP
# IP network address of the internal network
INTLAN="205.205.234.240/28"
echo Internal LAN: $INTLAN
echo " --- "
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# IP Mask for broadcast transmissions
BROADCAST="255.255.255.255"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
XWINDOWS_PORTS="6000:6010"
# The TCP/IP addresses of a specifically allowed EXTERNAL hosts
#
# Disabled by default.
#SECUREHOST="24.200.106.143"
#echo Secure Host 1 IP: $SECUREHOST
# TCP/IP addresses of INTERNAL hosts on the network allowed to directly
# connect to the Linux server. All internal hosts are allowed
# by default.
#
# Disabled by default
#HOST1IP="192.168.0.3"
#echo Internal Host 1 IP: $HOST1IP
# Logging state.
#
# Uncomment the " " line and comment the "-l" line if you want to
# disable logging of some of the more important IPCHAINS rulesets.
#
# The output of this logging can be found in the /var/log/messages
# file. It is recommended that you leave this setting enabled.
# If you need to reduce some of the logging, edit the rulesets and
# delete the "$LOGGING" syntax from the ruleset that you aren't
# interested in.
#
# LOGGING=" "
LOGGING="-l"
echo " --- "
echo "----------------------------------------------------------------------"
# Disable IP spoofing attacks.
#
# This drops traffic addressed for one network though it is being received on a
# different interface.
#
echo " - Disabling IP Spoofing attacks."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "2" > $file
done
# Comment the following out if you are not using a dynamic address
#
echo " - Enabling dynamic TCP/IP address hacking."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#--------------------------------------------------------------------
# Masquerading Timeouts
#--------------------------------------------------------------------
# Set timeout values for masq sessions (seconds).
#
# Item #1 - 2 hrs timeout for TCP session timeouts
# Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# Item #3 - 60 sec timeout for UDP traffic
#
# Note to ICQ users: You might want to set the UDP timeout to something
# like 160.
#
echo " - Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 10 160
#--------------------------------------------------------------------
# Masq Modules
#--------------------------------------------------------------------
# Most TCP/IP-enabled applications work fine behind a Linux IP
# Masquerade server. But, some applications need a special
# module to get their traffic in and out properly.
#
# Note: Some applications do NOT work through an IP Masquerade server at ALL, such
# as any H.323-based program. Please see the IP-MASQ HOWTO for more details.
#
# Note #2: Only uncomment the modules that you REQUIRE to be loaded.
# The FTP module is loaded by default.
#--------------------------------------------------------------------
#echo " - Loading masquerading modules."
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_vdolive
# see /etc/rc.d/init.d/ipmasq (2345 11 *)
#--------------------------------------------------------------------
# Default Policies
#--------------------------------------------------------------------
# Set all default policies to REJECT and flush all old rules.
#--------------------------------------------------------------------
# Change default policies to REJECT.
#
# We want to only EXPLICITLY allow what traffic is allowed IN and OUT of the
# firewall. All other traffic will be implicitly blocked.
#
echo " - Set default policies to REJECT"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT
echo " - Flushing all old rules and setting all default policies to REJECT "
# Flush all old rulesets
#
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
#********************************************************************
# Input Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Input Rules:"
#--------------------------------------------------------------------
# Incoming Traffic on the Internal LAN
#--------------------------------------------------------------------
# This section controls the INPUT traffic allowed to flow within the internal
# LAN. This means that all input traffic on the local network is valid. If
# you want to change this default setting and only allow certain types of
# traffic within your internal network, you will need to comment this following
# line and configure individual ACCEPT lines for each TCP/IP address you want
# to let through. A few example ACCEPT lines are provided below for
# demonstration purposes.
#
# Sometimes it is useful to allow TCP connections in one direction but not the
# other. For example, you might want to allow connections to an external HTTP
# server but not connections from that server. The naive approach would be to
# block TCP packets coming from the server. However, the better approach is to
# use the -y flag which will block only the packets used to request a
# connection.
#--------------------------------------------------------------------
echo " - Setting input filters for traffic on the internal LAN."
# Local interface, local machines, going anywhere is valid.
#
# Comment this line out if you want to only allow specific traffic on the
# internal network.
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
# Loopback interface is valid.
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
#--------------------------------------------------------------------
# Explicit Access from Internal LAN Hosts
#--------------------------------------------------------------------
# This section is provided as an example of how to allow only SPECIFIC hosts on
# the internal LAN to access services on the firewall server. Many people
# might feel that this is extreme but many system attacks occur from the
# INTERNAL networks.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this ruleset to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts. You will
# then need to enable the lines below to allow any access at all.
#--------------------------------------------------------------------
#echo " - Setting input filters for specific internal hosts."
# First allowed internal host to connect directly to the Linux server
#
# Disabled by default.
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
#--------------------------------------------------------------------
# Incoming Traffic from the External Interface
#--------------------------------------------------------------------
# This ruleset will control specific traffic that is allowed in from
# the external interface.
#--------------------------------------------------------------------
#
echo " - Setting input filters for traffic from the external interface."
# DHCP Clients.
#
# If you get a dynamic IP address for your ADSL or Cablemodem connection, you
# will need to enable these lines.
#
# Enabled by default.
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc
# ICMP: Allow ICMP packets from all external TCP/IP addresses.
#
# NOTE: Disabling ICMP packets via the firewall ruleset can do far more than
# just stop people from pinging your machine. Many aspects of TCP/IP and its
# associated applications rely on various ICMP messages. Without ICMP, both
# your Linux server and internal Masq'ed computers might not work.
#
#
# TEST of DENY instead of ACCEPT ?
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP
# TELNET: Allow external computers to connect to the Linux server ITSELF for
# TELNET access.
#
# Disabled by default.
# echo "Optional parameter: TELNET server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet
# III
# SSH
#echo "Optional parameter: SSH server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh
# NTP
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP 123
# MAIL
echo "Optional parameter: SMTP server"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP smtp
#echo "Optional parameter: POP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP pop-3
# HTTP
echo "Optional parameter: HTTP server"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP www
# FTP
#echo "Optional parameter: FTP server"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data
#--------------------------------------------------------------------
# Specific Input Rejections
#--------------------------------------------------------------------
# These rulesets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
echo " - Reject specific inputs."
# Remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
# NFS: Reject NFS traffic FROM and TO external machines.
#
# NOTE: NFS is one of the biggest security issues an administrator will face.
# Do NOT enable NFS over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP
# SMB: Reject SMB traffic FROM and TO external machines.
#
# NOTE: SMB is one of the biggest security issues an administrator will face.
# Do NOT enable SMB over the Internet or any non-trusted networks unless you
# know exactly what you are doing.
#
# NOTE #2: the $LOGGING variable is NOT included here because if it was
# enabled, your logs would grow too quickly to manage.
#
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
#--------------------------------------------------------------------
# Incoming Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control input traffic for all interfaces. This is
# usually used for what could be considered as public services.
#--------------------------------------------------------------------
echo " - Setting input filters for public services (all interfaces)."
# AUTH: Allow the authentication protocol, ident, to function on all
# interfaces but disable it in /etc/inetd.conf. The reason to
# allow this traffic in but block it via Inetd is because some
# legacy TCP/IP stacks don't deal with REJECTed "auth" requests
# properly.
#
/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE -d $UNIVERSE auth
# BOOTP/DHCP: Reject all stray bootp traffic.
#
# Disabled by default.
#/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc
# RIP: Reject all stray RIP traffic. Many improperly configured
# networks propagate network routing protocols to the edge of the
# network. The following line will allow you to explicitly filter it here
# without logging to SYSLOG.
#
# Disabled by default.
/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route
#--------------------------------------------------------------------
# Specific Input Rejections from ANY interface
#--------------------------------------------------------------------
# These rulesets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
#echo " - Reject traffic for specific domains."
#Do not allow ANY internal hosts to be able to reach the following sites:
#
#Disabled by default.
#The Doubleclick example will filter ALL types of traffic to the given
# class-C networks including WWW, SMTP(email, etc traffic. If you
# want a slightly less restrictive example, see the AOL example.
#
#Doubleclick.net and .com are renowned for their WWW ad banners
#
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 63.160.54.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 128.11.92.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.206.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.207.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.208.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.210.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.178.112.160/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.253.104.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.10.202.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.203.243.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.211.225.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.228.86.0/24
#/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 209.67.38.0/24
#AOL.com is renowned for its users sending SPAM to millions of people on
# the Inet. Though you might want to filter email from them, you
# might want to still be able to go look at some of their
# WWW pages. This example ONLY filters EMAIL and nothing else.
#
#/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE -d 152.163.159.0/24 25
#/sbin/ipchains -A input -j REJECT -p tcp -s $UNIVERSE -d 205.188.157.0/24 25
#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# This controls external access from specific external hosts (secure hosts).
# This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a
# secure host INTO the firewall. In addition to these input rules, we must also
# explicitly allow the traffic from the remote host to get out. See the rules
# in the output section for more details
#
# Disabled as default.
#--------------------------------------------------------------------
#echo " - Setting input filters for explicit external hosts."
# The secure host
#
#echo " * Allowing $SECUREHOST INPUT for ftp, ftp-data, ssh, pop-3, and telnet"
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP pop-3
#/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP telnet
# HIGH PORTS:
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
# SYN bit set. In other words, this means that any traffic that is
# trying to initiate traffic to your server on a HIGH port will be
# rejected.
#
# The only HIGH port traffic that will be accepted is either return
# traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
# SYN filtering. Because of this, we must specifically allow it in.
#
echo " - Enabling all input REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
#--------------------------------------------------------------------
# Catch All INPUT Rule
#--------------------------------------------------------------------
#
echo " - Final input catch all rule."
# All other incoming is denied and logged.
/sbin/ipchains -A input -j DENY -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# Output Rules
#********************************************************************
echo "----------------------------------------------------------------------"
echo "Output Rules:"
#--------------------------------------------------------------------
# Outgoing Traffic on the Internal LAN
#--------------------------------------------------------------------
# This ruleset provides policies for traffic that is going out on the internal
# LAN.
#
# In this example, all traffic is allowed out. Therefore there is no
# requirement to implement individual filters. However, as with the input
# section above, examples are given for demonstrative purposes. It is also
# noted that the same rules, outlined above, apply regarding the order of the
# filtering rules.
#--------------------------------------------------------------------
echo " - Setting output filters for traffic on the internal LAN."
# Local interface, any source going to local net is valid.
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
# Loopback interface is valid.
/sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE
#--------------------------------------------------------------------
# Explicit Output from Internal LAN Hosts
#--------------------------------------------------------------------
# The following rulesets only allow SPECIFIC hosts on the internal LAN to
# access services on this firewall server itself. Many people might feel that
# this is extreme but many system attacks occur from the INTERNAL network as
# well.
#
# Examples given allow access via FTP, FTP-DATA, SSH, and TELNET.
#
# In order for this ruleset to work, you must first comment out the line above
# that provides full access to the internal LAN by all internal hosts.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " - Setting output filters for specific internal hosts."
# First host
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh
#/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet
#--------------------------------------------------------------------
# Outgoing Traffic on the External Interface
#--------------------------------------------------------------------
# This ruleset will control what traffic can go out on the external interface.
#--------------------------------------------------------------------
echo " - Setting output filters for traffic to the external interface."
# DHCP Client: If your Linux server is connected via DSL or a Cablemodem
# connection and you get dynamic DHCP addresses, you will need to
# enable the following rulesets.
#
# Enabled by default.
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps
#--------------------------------------------------------------------
# Outgoing Traffic on all Interfaces
#--------------------------------------------------------------------
# This will control output traffic for all interfaces. This is
# usually used for what could be considered as public services. It
# is noted that we provide a few rejection rulesets as examples but
# these are not required due to the overall REJECT statement above.
#--------------------------------------------------------------------
echo " - Setting output filters for public services on all interfaces."
# AUTH: Allow the authentication protocol, ident, out on all interfaces (but
# disable it in /etc/inetd.conf).
#
/sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE
# ICMP: Allow ICMP traffic out
#
# NOTE: Disabling ICMP packets via the firewall ruleset can do far
# more than just stop people from pinging your machine. Many aspects
# of TCP/IP and its associated applications rely on various ICMP
# messages. Without ICMP, both your Linux server and internal Masq'ed
# computers might not work.
#
/sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE
# OOO
# ssh
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP ssh -d $UNIVERSE
# ntp
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP 123 -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP 123 -d $UNIVERSE
# MAIL: If the Linux server is either an authoritative SMTP server or
# relay, you must allow this ruleset.
#
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP pop3 -d $UNIVERSE
# http
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP www -d $UNIVERSE
# ftp
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP ftp -d $UNIVERSE
#/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP ftp-data -d $UNIVERSE
#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
# This controls output to specific external hosts (secure hosts). This example
# implementation allows ssh and pop-3 protocols out to the secure host. In
# addition to these rules, we must also explicitly allow the traffic in from
# the remote host. See the input rules above to see this take place.
#
# Disabled by default.
#--------------------------------------------------------------------
#echo " - Setting output filters for explicit external hosts."
# The secure host
#
#echo " * Allowing $SECUREHOST OUTPUT for ftp, ftp-data, ssh, pop-3, and telnet"
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST $UNPRIVPORTS
#/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST $UNPRIVPORTS
#--------------------------------------------------------------------
# Specific Output Rejections
#--------------------------------------------------------------------
# These rulesets reject specific traffic that you do not want out of
# the system.
#--------------------------------------------------------------------
echo " - Reject specific outputs."
# Reject outgoing traffic to the local net from the remote interface,
# stuffed routing; deny & log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING
# Reject outgoing traffic from the local net from the external interface,
# stuffed masquerading, deny and log
/sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING
# SMB
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 137 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 138 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 139 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 137 -d $UNIVERSE 137 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 138 -d $UNIVERSE 138 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 139 -d $UNIVERSE 139 $LOGGING
# RPC.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE
sunrpc $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d
$UNIVERSE $LOGGING
# Mountd.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE
$LOGGING
# PPTP.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1723
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1723
$LOGGING
# Remote Winsock.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1745
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1745
$LOGGING
# NFS.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE
$LOGGING
# PcAnywhere.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5631
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5631
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5632
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5632
$LOGGING
# Xwindows.
#
# NOTE: See variable section above for the example range (6000:6007 by default)
# Xwindows can use far more than just ports 6000-6007.
#
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE
$XWINDOWS_PORTS $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE
$XWINDOWS_PORTS $LOGGING
# NetBus.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12345
$LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12346
$LOGGING
# NetBus Pro.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 20034 $LOGGING
# Back Orifice
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 31337 $LOGGING
# Win Crash Trojan.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5742 $LOGGING
# Socket De Troye.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 30303 $LOGGING
# Unknown Trojan Horse (Master's Paradise [CHR])
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 40421 $LOGGING
# Trinoo UDP flooder - Please note these ports will probably change over time
# (27665/tcp is the master's control port; 27444/udp and 31335/udp carry
# master/daemon traffic)
/sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27665 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27444 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 31335 -d $UNIVERSE $LOGGING
# IPSEC VPNs (IKE/ISAKMP key exchange runs over UDP port 500, not TCP)
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 500 -d $UNIVERSE $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 500 $LOGGING
#--------------------------------------------------------------------
# Allow all High Ports for return traffic.
#
# Some day this ruleset will be stateful and we won't have to do this
#
echo " - Enabling all output REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE
#--------------------------------------------------------------------
# Catch All Output Rule
#--------------------------------------------------------------------
echo " - Final output catch all rule."
# All other outgoing is denied and logged. This ruleset should catch
# everything including samba that hasn't already been blocked.
#
/sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# Forwarding Rules
#********************************************************************
#
echo "----------------------------------------------------------------------"
echo "Forwarding Rules:"
#--------------------------------------------------------------------
# Enable TCP/IP forwarding and masquerading from the Internal LAN
#--------------------------------------------------------------------
# Masquerade from local net on local interface to anywhere.
#
#echo " - Enable IP Masquerading from the internal LAN."
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
# Turn on IP Forwarding in the Linux kernel
#
# There are TWO methods of turning on this feature. The first method is the
# Red Hat way. Edit the /etc/sysconfig/network file and change the
# "FORWARD_IPV4" line to say:
#
# FORWARD_IPV4=true
#
# The second method is shown below and can be executed at any time while the
# system is running.
#
echo " - Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Catch all rule, all other forwarding is denied.
#
/sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING
#********************************************************************
# The end
#********************************************************************
echo "----------------------------------------------------------------------"
echo -e "TrinityOS IPCHAINS Firewall $FWVER implemented.\n\n"
echo
echo "----------------------------------------------------------------------"
echo "Port forwarding"
echo
echo " - Flushing old rules"
/usr/sbin/ipmasqadm portfw -f
echo " - SMTP to internalhostB"
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 25 -R 192.168.16.20 25
#echo " - POP3 to internalhostB"
# /usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 110 -R 192.168.16.20 110
echo " - HTTP to internalhostC"
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 80 -R 192.168.16.30 80
#echo " - FTP to internalhostA"
# /usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 21 -R 192.168.16.10 21
#echo " - Listing rules"
# /usr/sbin/ipmasqadm portfw -l
echo
echo "----------------------------------------------------------------------"
echo
echo "[eof]"
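The port-forwarding block at the end of the script only installs the ipmasqadm entries; a packet for $EXTIP port 80 still has to be accepted by the input chain on $EXTIF before the masquerading code rewrites its destination to the internal host. The script below is an added example and is not part of the posted rc.firewall or of TrinityOS: it takes a list of forwards, refuses entries whose target is not inside $INTLAN (a typo there would publish a port to the wrong host), and emits the matching input-chain ACCEPT together with the portfw entry. The variable names follow the posted script, but their default values are placeholders (203.0.113.10 is a documentation address), the "proto:extport:inthost:intport" list format is this example's own, and 0.0.0.0/0 is written literally because the variable section of the script is not shown here. DRYRUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the posted rc.firewall: pair each ipmasqadm
# portfw entry with the input-chain ACCEPT it depends on, and validate the
# target host against the internal LAN before anything is installed.
# Defaults are placeholders; override them in the environment.

EXTIF=${EXTIF:-eth0}
EXTIP=${EXTIP:-203.0.113.10}          # RFC 5737 documentation address
INTLAN=${INTLAN:-192.168.16.0/24}
DRYRUN=${DRYRUN:-1}                   # 1 = print commands, 0 = execute them

# Dotted quad -> 32-bit integer, shell arithmetic only.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_ip ADDR: exactly four numeric octets, each 0..255.
valid_ip() {
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# valid_port N: 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ip_in_cidr ADDR NET/PREFIX: true when ADDR lies inside the network.
ip_in_cidr() {
    local addr=$1 net prefix mask
    case $2 in */*) ;; *) return 1;; esac
    net=${2%/*}; prefix=${2#*/}
    valid_ip "$addr" && valid_ip "$net" || return 1
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# portfw_rules PROTO:EXTPORT:INTHOST:INTPORT ...
# Prints two commands per accepted entry (input ACCEPT, then portfw) and
# returns 1 if any entry was rejected; rejected entries go to stderr.
portfw_rules() {
    local entry proto eport host iport rest rc=0
    for entry in "$@"; do
        case $entry in *:*:*:*) ;; *)
            echo "# REJECTED '$entry': want proto:extport:inthost:intport" >&2
            rc=1; continue;;
        esac
        proto=${entry%%:*}; rest=${entry#*:}
        eport=${rest%%:*};  rest=${rest#*:}
        host=${rest%%:*};   iport=${rest#*:}
        if [ "$proto" != tcp ] && [ "$proto" != udp ]; then
            echo "# REJECTED '$entry': protocol must be tcp or udp" >&2
            rc=1; continue
        fi
        if ! valid_port "$eport" || ! valid_port "$iport"; then
            echo "# REJECTED '$entry': ports must be 1..65535" >&2
            rc=1; continue
        fi
        if ! ip_in_cidr "$host" "$INTLAN"; then
            echo "# REJECTED '$entry': $host is not inside $INTLAN" >&2
            rc=1; continue
        fi
        echo "/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p $proto -s 0.0.0.0/0 -d $EXTIP $eport"
        echo "/usr/sbin/ipmasqadm portfw -a -P $proto -L $EXTIP $eport -R $host $iport"
    done
    return $rc
}

# run_rules: execute (or, under DRYRUN, print) each command line on stdin.
run_rules() {
    local cmd
    while IFS= read -r cmd; do
        if [ "$DRYRUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Worked usage mirroring the posted forwards (SMTP to .20, HTTP to .30):
portfw_rules tcp:25:192.168.16.20:25 tcp:80:192.168.16.30:80 | run_rules
```

The input ACCEPT is deliberately scoped to $EXTIF, the single external port and TCP/UDP only, so it admits exactly the traffic the portfw entry will rewrite; run it before `ipmasqadm portfw -a`, since the existing input rules in the script (not shown above) must let the packet through before the portfw lookup happens.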