[linux-help] Packet filtering with IPChains.
To: linux-help@xxxxxxxxx
Subject: [linux-help] Packet filtering with IPChains.
From: Weqaar Ali Janjua <wxjanjua@xxxxxxxxxxx>
Date: Sun, 25 Feb 2001 13:35:41 -0600
Reply-to: linux-help@xxxxxxxxx

Hello,
   One of my machines is running the following services on a Red Hat Linux
box (kernel 2.2.17):
*) BIND
*) SENDMAIL (using virtual smtp)
*) POP3d (with vpop3d)
*) Apache httpd
*) Syslogd
*) Radius_client (pam_radiusd)
*) EMUMAIL (Webmail -- www.emumail.com)

I'm having a connectivity problem with Emumail. I've sent a couple of emails to
the Emumail guys, but they replied with "we can't figure out the problem!". The
problem: whenever somebody logs in to the Emumail web interface and tries to SEND
email, webmail keeps trying to send it and the TCP connection terminates after a
minute or two; it can't communicate with the smtpd... I've done a TCPDUMP but I
always get the perfect trace... anybody have a clue?? My IPChains script is as
follows:

#!/bin/sh
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall
# SCRIPT BY: Weqaar Ali Janjua , Please do not modify the code without my
# permission! <weqaar@xxxxxxxxxxx>
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
if [ ! -x /sbin/ipchains ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo "Starting Firewalling Services...: "
touch /var/run/pf.pid
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
EXTERNAL_INTERFACE="eth0"               # Internet connected interface
LOOPBACK_INTERFACE="lo"                 # Your local naming convention
LOOPBACK="127.0.0.1"
IPADDR="64.110.83.5"                    # Your internet IP address
ANYWHERE="any/0"                        # Match any IP address
NAMESERVER_1="64.110.83.5"              # Everyone must have at least one
NAMESERVER_2="64.110.83.4"              # Your secondary name server
# NOTE: a '#' glued to the closing quote is not a comment in sh; the three
# lines below need the space before '#' or the script fails to parse.
NAMESERVER_INTERPACKET_1="216.226.222.62"   # Your INTERPACKET(ns1) name server
NAMESERVER_INTERPACKET_2="209.198.244.2"    # Your INTERPACKET(ns2) name server
NAMESERVER_INTERPACKET_3="209.198.248.226"  # Your INTERPACKET(ns4) name server
SYSLOG_SERVER="64.110.83.6"      # Your syslog internal server
#SYSLOG_CLIENT="64.110.83.5"    # Your syslog internal client range
BROADCAST_SRC="0.0.0.0"         # Broadcast source address
BROADCAST_DEST="255.255.255.255" # Broadcast destination address
PRIVPORTS="0:1023"              # Well known, privileged port range
UNPRIVPORTS="1024:65535"        # Unprivileged port range
# The traceroute rule below used these two variables without defining them;
# an empty expansion makes that rule accept outgoing UDP to ANY port.
# Ranges are assumed (destination base 33434 as in the ICMP comments below).
TRACEROUTE_SRC_PORTS="32769:65535"      # traceroute source port range
TRACEROUTE_DEST_PORTS="33434:33523"     # traceroute destination port range
RADIUS_SERVER="64.110.83.6"
#LIST OF TRUSTED HOSTS
TRUSTED_HOST1="64.110.83.17"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Clearing all current rules and user defined chains
ipchains -X
# Set the default policy of the filter to deny.
# Don't even bother sending an error message back.
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY
#--------------------------------------------------------------------------
#FOR INTERNET INTERFACE (64.110.83.5)
#--------------------------------------------------------------------------
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
## FOR INTERNET INTERFACE
# (for ICMP, the "port" after -s is the ICMP type)
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
#icmp output
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
# ----------------------------------------------------------------------------
# DNS CLIENT / SERVER TO QUERY OR RESPONSE
# ---------------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 53 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#DNS ZONE TRANSFERS
# ("! -y" matches only packets that are not connection requests, i.e. replies)
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_2 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_INTERPACKET_1 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_INTERPACKET_2 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_INTERPACKET_3 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_2 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_INTERPACKET_1 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_INTERPACKET_2 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_INTERPACKET_3 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_2 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_2 $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_INTERPACKET_1 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_INTERPACKET_1 $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_INTERPACKET_2 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_INTERPACKET_2 $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_INTERPACKET_3 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_INTERPACKET_3 $UNPRIVPORTS -j ACCEPT
# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
#Telnet Server
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $TRUSTED_HOST1 $UNPRIVPORTS -d $IPADDR 23 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 23 -d $TRUSTED_HOST1 $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 80 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#--------------------------------------------------------------------------
# SYSLOG server (514)
# -----------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $SYSLOG_CLIENT1 -d $IPADDR 514 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $SYSLOG_CLIENT2 -d $IPADDR 514 -j ACCEPT
# SYSLOG client (514)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $SYSLOG_SERVER 514 -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113) -- for sendmail to work with ident.
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE -d $IPADDR 113 -j REJECT
# ------------------------------------------------------------------
# RADIUS server (1812--auth & 1813--acct)
# ----------------
#RADIUS_CLIENT (pam_auth_radius)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $RADIUS_SERVER 1812:1813 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $RADIUS_SERVER 1812:1813 -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 25 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 110 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
# ("-l" logs every matching packet to the kernel log)
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 25 -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 25 -d $IPADDR $UNPRIVPORTS -j ACCEPT -l
# ------------------------------------------------------------------
# FTP client (20, 21)
# -------------------
# outgoing request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 21 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 21 -j ACCEPT
# NORMAL mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 20 -d $IPADDR $UNPRIVPORTS -j ACCEPT
# NORMAL mode data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 20 -j ACCEPT
# PASSIVE mode data channel creation
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PASSIVE mode data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $TRACEROUTE_SRC_PORTS -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 5 -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
;;
stop)
echo "Shutting Firewalling Services: "
rm -f /var/run/pf.pid
# Remove all existing rules belonging to this filter
ipchains -F
# Delete all user-defined chains of this filter
ipchains -X
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
;;
status)
# ch_packetfilter was not defined anywhere; list the live ruleset instead.
ipchains -L -n
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0

-----------------------
Thanks,
Weqaar Ali Janjua
BS.Computer Engineering
WSU
------------------------


-------------------
FOLLOW YOUR DREAMS!
WAJ
-------------------
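An added example, not part of the original post: a small Python model of ipchains first-match evaluation, with three output-chain rules transcribed from the script above, to check what the output chain lets out (an SMTP connect, an ident query, a stray UDP packet). The peer address 198.51.100.7 and the traceroute port ranges are assumed; the "ports unset" case shows what the traceroute rule matches when its two variables are left undefined, as in the posted script.

```python
from dataclasses import dataclass
IPADDR = "64.110.83.5"        # external address used in the script
UNPRIV = (1024, 65535)        # $UNPRIVPORTS
ANYPORT = (0, 65535)          # what an empty port spec matches
PEER = "198.51.100.7"         # constructed remote host for the checks

@dataclass
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int
    syn: bool = False         # TCP connection request (what "-y" tests)

@dataclass
class Rule:
    proto: str; src: str; sports: tuple; dst: str; dports: tuple; target: str
    not_syn: bool = False     # "! -y": matches only non-SYN packets

def matches(r, p):
    return (p.proto == r.proto
            and r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and r.sports[0] <= p.sport <= r.sports[1]
            and r.dports[0] <= p.dport <= r.dports[1]
            and not (r.not_syn and p.syn))

def verdict(chain, p, policy="DENY"):
    """ipchains semantics: the first matching rule decides, else the chain policy."""
    return next((r.target for r in chain if matches(r, p)), policy)

def output_chain(traceroute_ports_defined):
    """Three output rules from the script; the traceroute rule built both ways."""
    tr_src = (32769, 65535) if traceroute_ports_defined else ANYPORT  # assumed range
    tr_dst = (33434, 33523) if traceroute_ports_defined else ANYPORT  # assumed range
    return [
        Rule("tcp", IPADDR, (25, 25), "any", UNPRIV, "ACCEPT", not_syn=True),  # SMTP replies
        Rule("tcp", IPADDR, UNPRIV, "any", (25, 25), "ACCEPT"),                 # SMTP client
        Rule("udp", IPADDR, tr_src, "any", tr_dst, "ACCEPT"),                   # traceroute
    ]

def check_outbound():
    """Verdicts for an SMTP connect, an ident (113) query and a stray UDP packet."""
    smtp = Pkt("tcp", IPADDR, 40000, PEER, 25, syn=True)
    ident = Pkt("tcp", IPADDR, 40001, PEER, 113, syn=True)
    udp = Pkt("udp", IPADDR, 40002, PEER, 123)
    return {
        "smtp_syn": verdict(output_chain(True), smtp),
        "ident_syn": verdict(output_chain(True), ident),      # no output rule: policy DENY
        "udp_ports_unset": verdict(output_chain(False), udp),  # empty vars widen the rule
        "udp_ports_set": verdict(output_chain(True), udp),
    }
```

Note that an outbound ident query has no output rule in the full script either (every other TCP output rule is keyed on a different port), so it falls to the unlogged DENY policy.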

