Complete.Org: Mailing Lists: Archives: linux-help: February 2001:
[linux-help] Re: packet filter
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: packet filter
From: Weqaar Ali Janjua <wxjanjua@xxxxxxxxxxx>
Date: Mon, 26 Feb 2001 13:56:25 -0600
Reply-to: linux-help@xxxxxxxxx

Well, I've gone through lots of HOWTOs; it doesn't help. Although it has all the 
info regarding IPChains, it does not cover complicated setups. I'm again 
sending my IPChains script... well, to be precise, the problem is with the 
packet-filtering decision OR the way EMUMAIL (webmail software) opens/closes 
TCP connections... my script follows (just want a clue as to what kind of mistake 
I'm making):

#!/bin/sh
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
if [ ! -x /sbin/ipchains ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo "Starting Firewalling Services...: "
touch /var/run/pf.pid
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
EXTERNAL_INTERFACE="eth0"               # Internet connected interface
LOOPBACK_INTERFACE="lo"         # Your local naming convention
LOOPBACK="127.0.0.1"
IPADDR="64.110.83.5"             # Your internet IP address
ANYWHERE="any/0"                # Match any IP address
NAMESERVER_1="64.110.83.5"       # Everyone must have at least one
NAMESERVER_2="64.110.83.4"       # Your secondary name server
NAMESERVER_INTERPACKET_1="216.226.222.62"  # Your INTERPACKET(ns1) name server
NAMESERVER_INTERPACKET_2="209.198.244.2"   # Your INTERPACKET(ns2) name server
NAMESERVER_INTERPACKET_3="209.198.248.226" # Your INTERPACKET(ns4) name server
SYSLOG_SERVER="64.110.83.6"     # Your syslog internal server
#SYSLOG_CLIENT="64.110.83.5"    # Your syslog internal client range
BROADCAST_SRC="0.0.0.0"         # Broadcast source address
BROADCAST_DEST="255.255.255.255" # Broadcast destination address
PRIVPORTS="0:1023"      # Well known, privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
RADIUS_SERVER="64.110.83.6"
#LIST OF TRUSTED HOSTS
TRUSTED_HOST1="64.110.83.17"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Clearing all current rules and user defined chains
ipchains -X
# Set the default policy of the filter to deny.
# Don't even bother sending an error message back.
ipchains -P input DENY
ipchains -P output DENY 
ipchains -P forward DENY

# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY
#--------------------------------------------------------------------------
#FOR INTERNET INTERFACE (64.110.83.5)
#--------------------------------------------------------------------------
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
## FOR INTERNET INTERFACE
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 0 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 12 -d $IPADDR -j ACCEPT
#icmp output
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 4 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR 12 -d $ANYWHERE -j ACCEPT
# ----------------------------------------------------------------------------
# DNS CLIENT / SERVER TO QUERY OR RESPONSE
# ---------------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 53 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#DNS ZONE TRANSFERS
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_2 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_INTERPACKET_1 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_INTERPACKET_2 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $NAMESERVER_INTERPACKET_3 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_2 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_INTERPACKET_1 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_INTERPACKET_2 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NAMESERVER_INTERPACKET_3 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_2 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_2 $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_INTERPACKET_1 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_INTERPACKET_1 $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_INTERPACKET_2 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_INTERPACKET_2 $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $NAMESERVER_INTERPACKET_3 $UNPRIVPORTS -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 53 -d $NAMESERVER_INTERPACKET_3 $UNPRIVPORTS -j ACCEPT
# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
#Telnet Server
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $TRUSTED_HOST1 $UNPRIVPORTS -d $IPADDR 23 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 23 -d $TRUSTED_HOST1 $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 80 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
#--------------------------------------------------------------------------
# SYSLOG server (514)
# -----------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $SYSLOG_CLIENT1 -d $IPADDR 514 -j ACCEPT
#ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $SYSLOG_CLIENT2 -d $IPADDR 514 -j ACCEPT
# SYSLOG client (514)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $SYSLOG_SERVER 514 -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113) -- for sendmail to work with ident.
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE -d $IPADDR 113 -j REJECT
# ------------------------------------------------------------------
# RADIUS server (1812--auth & 1813--acct)
# ----------------
#RADIUS_CLIENT (pam_auth_radius)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $RADIUS_SERVER 1812:1813 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $RADIUS_SERVER 1812:1813 -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 25 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 110 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 25 -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 25 -d $IPADDR $UNPRIVPORTS -j ACCEPT -l
# ------------------------------------------------------------------
# FTP client (20, 21)
# -------------------
# outgoing request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 21 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 21 -j ACCEPT
# NORMAL mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 20 -d $IPADDR $UNPRIVPORTS -j ACCEPT
# NORMAL mode data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR $UNPRIVPORTS -d $ANYWHERE 20 -j ACCEPT
# PASSIVE mode data channel creation (note: this admits any outgoing TCP
# connection from an unprivileged port to an unprivileged port, not just FTP)
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PASSIVE mode data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
# The two port-range variables were never defined in the script as posted; with
# both empty this rule accepts ALL outgoing UDP. Assumed values below: the usual
# Linux traceroute source range and destination base 33434 for up to 90 hops.
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $TRACEROUTE_SRC_PORTS -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 5 -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
;;
stop)
echo "Shutting Firewalling Services: "
rm -f /var/run/pf.pid
# Remove all existing rules belonging to this filter
ipchains -F
# Delete all user-defined chain to this filter
ipchains -X
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
;;
status)
# List the active rules with packet/byte counters (the script as posted called
# an undefined ch_packetfilter function here).
ipchains -L -n -v
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0


>===== Original Message From linux-help@xxxxxxxxx =====
>You don't specify which packet filtering software you are wanting to
>use, so I will assume IP-Chains. The IPCHAINS-HOWTO actually has some
>pretty good information regarding your questions.
>
>http://www.ibiblio.org/mdw/HOWTO/IPCHAINS-HOWTO.html
>
>With IP chains you can essentially create chains of filter commands
>and then assign that chain to a particular interface either as an
>input filter, an output filter, or a forward filter.
>
>In general, it is a good idea to push the filtering as far to the edge
>of your network as you can. So if there are certain things that you do
>not want to come into your network at all, you should filter those at
>the outermost interface (your Cable/DSL/Dialup modem or whatever your
>upstream is).
>
>Section 7 of the IPCHAINS-HOWTO has a fairly complete example of a
>possible network. It might not be what you are planning to implement,
>but the explanations of how to make that example work are useful.
>
>
>On Mon, Feb 26, 2001 at 05:10:43PM +0530, Hareesh V H wrote:
>>
>>
>> hi! can somebody tell me more on this: when you develop a packet filter,
>> this is almost always to be run on a router/gateway. now, which interface
>> of the router is it attached to? and how is it done(in linux, specific)?
>>
>> what i mean is, packets attached to which interface(2 ideally of the
>> routers) are given to the packet filter? in a case, i have read of 2
>> filters placed, on either side of an app. gateway, one filtering incoming
>> packets and the other one filtering outgoing packets. is this possible for
>> one filter employed at a router(with 2 interfaces), the question is can
>> the packet filter access packets coming from both interfaces and how does
>> he make the decision of forwarding/not forwarding? sorry if this is
>> another faq. thanks in advance.
>>
>> regards,
>> Hareesh.
>>
>>
>>
>>
>>
>> -- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
>> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi

----------------------------------
A DREAM IS A GOAL WITH A DEADLINE!
Weqaar Ali Janjua
BS.Computer Engineering
WSU
----------------------------------



