Chapter 10


Scenario: You have a Fedora Core 2 system that is to function as a Web proxy server. Client machines are on the 192.168.1/24 network. The Internet connection is via a router on the 172.20.5/24 network. Your proxy server has two network interfaces: eth0 is 192.168.1.100 and eth1 is 172.20.5.17. Both interfaces use a subnet mask of 255.255.255.0 (24 bits). Assume that the network routes and proxy services (squid and named) are correctly configured.

Design firewall rules (using iptables) to implement the following requirements.

a. No incoming connections are allowed on the 172.20.5.17 interface.

b. The only permitted outgoing connections on the 172.20.5.17 interface are for DNS, FTP, HTTP, and HTTPS traffic from the proxy server.

c. Two machines (IP addresses 192.168.1.201 and 192.168.1.155) are to be allowed to connect using SSH.

d. All other machines in the 192.168.1/24 network are allowed to connect on port 3128 only (the port that the Squid Web proxy server is listening on) and port 53 (for DNS queries).

e. Allow ICMP traffic.

f. All other connections (incoming or outgoing) must be blocked.

g. Log attempts by machines on the 192.168.1/24 network to use Telnet or FTP to access the proxy server.

1.

Note

The solutions given here are just some of the many possible sets of iptables rules that will meet the stated requirements. If you are going to try these out on a remote machine (that is, one where you have to connect via a network), you run the risk of blocking your own connection that you are using to configure iptables and therefore not being able to correct the problem.

One way to prevent yourself from being locked out is to set up an at job that will disable the firewall in, say, 15 minutes so that if your connections do get blocked, you will have to wait only 15 minutes at most before being able to reconnect and fix the problem. The command to do this is:

 echo "/sbin/service iptables stop" | at now + 15 minutes

The system will respond with a message similar to this:

 job 11 at 2004-05-20 17:43

Now you can set up your iptables rules, remembering to save them frequently with this command because they will get cleared when the at job runs.

 service iptables save 

(Alternatively, you can edit the file /etc/sysconfig/iptables-config and set the IPTABLES_SAVE_ON_STOP variable to yes and remove the # from the start of the line where it is set). If you are happy with the firewall configuration and want to stop the at job from running, use the following command:

 atrm job# 

where job# is the job number you were given when you set up the at job (11 in the preceding example).

2.

Make sure your rules will be applied each time the system boots.

3.

After your proxy server has been running for a while, a new requirement is identified. Machines on the 192.168.1/24 network need to be able to make PPTP connections to an external VPN server with an IP address of 10.1.3.97. Update the iptables rules to satisfy this requirement. (Assume that IP forwarding is enabled on your proxy server.)

Answers

1.

Deal with each firewall chain (INPUT, OUTPUT, and FORWARD) separately. For each chain, start by flushing the existing firewall rules set up by the system-config-securitylevel application, and set the default policy to DROP.

 # INPUT chain
 iptables -F INPUT              # Flush existing rules
 iptables -P INPUT DROP         # Default policy set to DROP

 # Accept incoming SSH connections on eth0 from 192.168.1.155.
 # There is one rule for TCP and a similar one for UDP.
 # Use the state module (-m state) so that the rule matches only
 # new connections (--state NEW).
 iptables -A INPUT -p tcp -i eth0 -s 192.168.1.155 --dport ssh \
          -m state --state NEW -j ACCEPT
 iptables -A INPUT -p udp -i eth0 -s 192.168.1.155 --dport ssh \
          -m state --state NEW -j ACCEPT

 # As previous pair of rules but for different source IP address
 iptables -A INPUT -p tcp -i eth0 -s 192.168.1.201 --dport ssh \
          -m state --state NEW -j ACCEPT
 iptables -A INPUT -p udp -i eth0 -s 192.168.1.201 --dport ssh \
          -m state --state NEW -j ACCEPT

 # Accept incoming connections on port 3128 from 192.168.1/24 network
 iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport squid -j ACCEPT
 iptables -A INPUT -p udp -i eth0 -s 192.168.1/24 --dport squid -j ACCEPT

 # Accept incoming connections on port 53 from 192.168.1/24 network
 iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport domain -j ACCEPT
 iptables -A INPUT -p udp -i eth0 -s 192.168.1/24 --dport domain -j ACCEPT

 # Allow ICMP packets
 iptables -A INPUT -p icmp -j ACCEPT

 # Log unauthorized attempts to use Telnet or FTP
 iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport telnet -j LOG
 iptables -A INPUT -p udp -i eth0 -s 192.168.1/24 --dport telnet -j LOG
 iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport ftp -j LOG
 iptables -A INPUT -p udp -i eth0 -s 192.168.1/24 --dport ftp -j LOG

 # Accept packets on any interface that are related to established connections
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 # OUTPUT chain
 iptables -F OUTPUT
 iptables -P OUTPUT DROP

 # Allow outgoing packets on any interface that are part of established connections
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 # Allow outgoing packets on eth1 for HTTP, FTP, HTTPS and DNS.  Using the
 # multiport match extension reduces the number of rules to two (one for
 # UDP the other for TCP).  Note that the service name used by DNS is "domain".
 # OUTPUT rules match on the outgoing interface (-o rather than -i), and the
 # multiport list must be comma-separated with no spaces.
 iptables -A OUTPUT -p udp -o eth1 -m multiport --dports http,ftp,ftp-data,https,domain -j ACCEPT
 iptables -A OUTPUT -p tcp -o eth1 -m multiport --dports http,ftp,ftp-data,https,domain -j ACCEPT

 # Allow proxy to send ICMP packets
 iptables -A OUTPUT -p icmp -j ACCEPT

 # FORWARD chain
 # The proxy server should not forward any packets, so drop everything.
 iptables -F FORWARD
 iptables -P FORWARD DROP

2.

Your customized iptables rules are saved to the file /etc/sysconfig/iptables by running the following command: service iptables save.

Rules in /etc/sysconfig/iptables are applied when the system boots and the iptables service starts. It is a good idea to make a backup of this configuration file.

3.

PPTP connections use TCP port 1723 and the GRE protocol (protocol number 47). Add the following rules to the rules defined in Exercise 1:

 # FORWARD chain
 #
 # Additions for PPTP support.  These two rules specify the interfaces
 # so that the PPTP control traffic on port 1723 is only forwarded in
 # one direction - from the LAN towards the VPN server, with the
 # server's replies coming back the other way.
 iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 10.1.3.97 --dport 1723 -j ACCEPT
 iptables -A FORWARD -p tcp -i eth1 -o eth0 -s 10.1.3.97 --sport 1723 -j ACCEPT

 # Pass GRE traffic between networks.
 iptables -A FORWARD -p gre -j ACCEPT
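Once the rules from Answers 1 and 3 are saved with service iptables save, the file /etc/sysconfig/iptables is in iptables-save format and can be audited mechanically rather than by eye. The following script is an added example, not code from the book: it parses that format (filter table only) and checks requirements (a), (b), (d), (f) and (g) together with the PPTP forwarding rules of Exercise 3. The embedded ruleset is a constructed, condensed rendering of the two answers with service names resolved to port numbers, as iptables-save prints them; the interface names, networks and addresses are those of the scenario, and the function and constant names are this example's own.

```python
"""Audit a saved iptables ruleset against the requirements of Exercises 1 and 3.

Added example (not from the book). Only the filter table is examined, and
negated matches ("!") are rejected rather than silently misread.
"""
import shlex

LAN_IF = "eth0"                              # 192.168.1.100, client side
LAN_NET = "192.168.1.0/24"
LAN_PORTS = {"3128", "53"}                   # (d): Squid and DNS for the whole LAN
WAN_PORTS = {"53", "21", "20", "80", "443"}  # (b): DNS, FTP, HTTP, HTTPS
VPN_SERVER = "10.1.3.97"                     # Exercise 3

# Constructed sample in iptables-save form: a condensed rendering of the answers.
SAVED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.1.155/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.201/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 23 -j LOG
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 21 -j LOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.1.3.97/32 -i eth0 -o eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -s 10.1.3.97/32 -i eth1 -o eth0 -p tcp -m tcp --sport 1723 -j ACCEPT
-A FORWARD -p gre -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p udp -m multiport --dports 80,21,20,443,53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m multiport --dports 80,21,20,443,53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
"""

SINGLE = {"-A": "chain", "-i": "in", "-o": "out", "-s": "src",
          "-d": "dst", "-p": "proto", "-j": "target"}
MULTI = {"--dport": "dports", "--dports": "dports",
         "--sport": "sports", "--sports": "sports", "--state": "states"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the matches we audit."""
    toks = shlex.split(line)
    if "!" in toks:
        raise ValueError("negated match not supported: " + line)
    rule = {k: None for k in SINGLE.values()}
    rule.update({k: set() for k in MULTI.values()})
    rule["line"] = line
    i = 0
    while i < len(toks):
        if toks[i] in SINGLE:
            val = toks[i + 1]
            if toks[i] in ("-s", "-d") and val.endswith("/32"):
                val = val[:-3]         # some iptables versions print hosts without /32
            rule[SINGLE[toks[i]]] = val
            i += 2
        elif toks[i] in MULTI:
            rule[MULTI[toks[i]]].update(toks[i + 1].split(","))
            i += 2
        elif toks[i] == "-m":          # match-extension name, e.g. "-m state"
            i += 2
        else:                          # anything else (e.g. --log-prefix and its value)
            i += 1
    return rule


def parse_ruleset(text):
    """Return (policies, rules) for the filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line))
    return policies, rules


def reply_only(rule):
    """True if the rule can only match packets of connections already open."""
    return bool(rule["states"]) and rule["states"] <= {"ESTABLISHED", "RELATED"}


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "OUTPUT", "FORWARD"):       # (f): default deny everywhere
        if policies.get(chain) != "DROP":
            findings.append(f"(f) {chain} policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        if r["chain"] == "INPUT":
            if r["in"] != LAN_IF and r["proto"] != "icmp" and not reply_only(r):
                findings.append("(a) INPUT may accept new connections on eth1: " + r["line"])
            if r["src"] == LAN_NET and not (r["dports"] and r["dports"] <= LAN_PORTS):
                findings.append("(d) LAN-wide INPUT rule beyond 3128/53: " + r["line"])
        elif r["chain"] == "OUTPUT":
            if (r["out"] != LAN_IF and r["proto"] != "icmp" and not reply_only(r)
                    and not (r["dports"] and r["dports"] <= WAN_PORTS)):
                findings.append("(b) OUTPUT on eth1 not limited to DNS/FTP/HTTP/HTTPS: " + r["line"])
        elif r["chain"] == "FORWARD":
            pptp = (r["proto"] == "tcp" and VPN_SERVER in (r["src"], r["dst"])
                    and "1723" in r["dports"] | r["sports"])
            if not (pptp or r["proto"] == "gre"):
                findings.append("(3) FORWARD accepts more than PPTP to the VPN server: " + r["line"])
    for port in ("23", "21"):          # (g): Telnet and FTP attempts must be logged
        if not any(r["chain"] == "INPUT" and r["target"] == "LOG" and r["proto"] == "tcp"
                   and r["src"] == LAN_NET and port in r["dports"] for r in rules):
            findings.append(f"(g) no LOG rule for TCP port {port} from {LAN_NET}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAVED_RULES) or ["no findings"]:
        print(finding)
```

To run it against the live machine, replace SAVED_RULES with the contents of /etc/sysconfig/iptables (or the output of iptables-save). The checks are deliberately conservative: an INPUT accept rule that names no interface is flagged unless it is ICMP or limited to ESTABLISHED/RELATED, and a rule that lists no ports is treated as "all ports", so a broad rule cannot slip through an empty-set comparison.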



Beginning Fedora 2
ISBN: 0764569961
Year: 2006
Pages: 170