sslug-teknik team mailing list archive

Re: Opsætning af Linux router, firewall, webserver mm.


On Wed, 30 Jun 2004 21:16:57 +0200
Jesper wrote:

> As far as I understand, ipchains is to be used for both the router and
> the firewall. Does anyone have any good tips on how it is done,
> or any good how-tos or books (apart from the Linux books)? I also
> need to read a little about how to configure the other machines
> to use the router (I have not tried that before either).

If you do not need all the extra layers Rune is talking about, but
want to do it without extra software, which can after all introduce
several million new sources of error ;-) then there is a guide (by me and
several others) in FTAV-sikkerhed.

Please note that I have updated the iptables command in connection
with a kernel update.

Otherwise, here are the most important things; please change the IP
addresses before you use it:

======================================================================

#!/bin/ksh

# Dax script to remember how to set up Linux 2.4.x kernel
# netfilter tables. There are many more possibilities.

# We cannot make the policy DROP for one interface only. If we drop
# all input then the local network dies. Remember the machine is
# running remote (no screen etc!) so we had better choose a method
# which does not endanger the local network. If we later choose
# to experiment with a closed INPUT chain then here is the recipe:
# /usr/local/sbin/iptables -P INPUT DROP
# /usr/local/sbin/iptables -A INPUT -i eth0 -j ACCEPT

# This solution makes a chain which by default drops everything from -i eth1.
# When building the tables we start with the things we want open,
# and at the end we have a rule to drop everything.

# To be sure that everything is as we expect we start by
# flushing all filter and nat tables (this empties door1 as well):

/usr/local/sbin/iptables -t filter -F
/usr/local/sbin/iptables -t nat -F

# door1 is empty now, but -N below fails if the chain still exists,
# so we delete it and recreate it. Deleting resets the counters,
# so maybe we should read the counters and save them first (somewhere TODO).
/usr/local/sbin/iptables -X door1 2> /dev/null


# Our strategy is to allow incoming ssh, http and nothing more -
# however, for this to work we also need to allow DNS
# and DHCP, which tele2adsl.dk requires; therefore we must allow
# bootps and bootpc.

# Everything from eth1 is put through a user-defined chain, door1.
# First the door1 chain is created:
/usr/local/sbin/iptables -N door1 2> /dev/null 1>&2

/usr/local/sbin/iptables -A door1 -m state --state INVALID              -j DROP

# CAVEAT: the --sport rules below accept any packet whose *source* port
# is ssh, http, 53, bootps, bootpc, ntp or smtp. The remote side chooses
# its own source port, so any host can reach any local port simply by
# sending from port 22, 80 or 53. The ESTABLISHED,RELATED rule further
# down already lets the legitimate replies through, so the --sport rules
# add exposure without adding function; DHCP, which is not always
# connection-tracked, is the one case that may need its own rule.
/usr/local/sbin/iptables -A door1 -p tcp --sport ssh  -j ACCEPT
/usr/local/sbin/iptables -A door1 -p tcp --dport ssh  -j ACCEPT
/usr/local/sbin/iptables -A door1 -p tcp --sport http -j ACCEPT
/usr/local/sbin/iptables -A door1 -p tcp --dport http -j ACCEPT
/usr/local/sbin/iptables -A door1 -p tcp --sport 53   -j ACCEPT
/usr/local/sbin/iptables -A door1 -p udp --sport 53   -j ACCEPT
/usr/local/sbin/iptables -A door1 -p tcp --sport bootps -j ACCEPT
/usr/local/sbin/iptables -A door1 -p udp --sport bootps -j ACCEPT

# The following two lines should possibly be supplemented with
# two lines accepting input for the bootp client; I am not sure,
# it works fine as it is:
/usr/local/sbin/iptables -A door1 -p tcp --sport bootpc -j ACCEPT
/usr/local/sbin/iptables -A door1 -p udp --sport bootpc -j ACCEPT

# maybe add:
# /usr/local/sbin/iptables -A door1 -p tcp --dport bootpc -j ACCEPT
# /usr/local/sbin/iptables -A door1 -p udp --dport bootpc -j ACCEPT

/usr/local/sbin/iptables -A door1 -p tcp --sport ntp  -j ACCEPT
/usr/local/sbin/iptables -A door1 -p udp --sport ntp  -j ACCEPT

# Mail (smtp) is wide open here, but tele2adsl
# blocks any other host from contacting my port 25.
/usr/local/sbin/iptables -A door1 -p tcp --dport smtp -j ACCEPT
/usr/local/sbin/iptables -A door1 -p tcp --sport smtp -j ACCEPT

# For ping and traceroute (all ICMP types, unlimited):
/usr/local/sbin/iptables -A door1 -p icmp             -j ACCEPT

# Stateful inspection: packets belonging to connections that conntrack
# has already registered are let through. This rule is safe in itself;
# it does not open for spoofing or port changes by outside hosts.
# The weak point of this chain is the --sport rules above, not this one.

/usr/local/sbin/iptables -A door1 -m state \
                         --state ESTABLISHED,RELATED  -j ACCEPT
/usr/local/sbin/iptables -A door1 -j DROP

# Then we set up the INPUT chain so that everything coming from eth1
# is filtered through our chain, door1. Traffic from the other
# interfaces (eth0, lo) is accepted; since the INPUT policy is still
# ACCEPT, the first rule only makes that explicit:
/usr/local/sbin/iptables -A INPUT -m state \
                         --state NEW ! -i eth1        -j ACCEPT

/usr/local/sbin/iptables -A INPUT -i eth1 -j door1

# Note that nothing in this script touches the FORWARD chain, so it
# keeps its default policy (ACCEPT): packets routed between eth1 and
# eth0 do not pass through door1 at all.


# Now set up NAT for the LAN (localnet, 192.168.224.146; the whole
# 192.168.224.0/24 is translated).
# Source NAT lives in the nat table (-t nat) and is done in POSTROUTING,
# where -i cannot be used (the input interface is no longer known there),
# so we match on the source network and the output interface instead.

/usr/local/sbin/iptables -t nat -A POSTROUTING \
         --src 192.168.224.0/24 -o eth1 -j SNAT --to-source 129.142.192.25

# For that to work we need to enable forwarding
# (write, not append: /proc files take a single value):
echo 1 > /proc/sys/net/ipv4/ip_forward


# Hope it can be of help!

-- 
donald_j_axel donax snabela get2net.dk -- http://d-axel.dk/

