Because your situation will be unique, it is impossible to provide a "cookbook" firewall for you. However, the following is a beginning firewall for a system with three NICs. The NICs have the following IP addresses:
Eth0 207.1.2.3/24
Eth1 192.168.1.1/24
Eth2 10.100.100.1/24
Thus, Eth0 represents the 207.1.2.0/24 network, Eth1 represents the 192.168.1.0/24 network, and Eth2 represents the 10.100.100.0/24 network. The intention is to create a firewall that allows the Eth1 and Eth2 networks to communicate freely with each other, as well as get on to the Internet and use any services (Web, e-mail, FTP, and so forth). However, no one from the Internet should be able to access internal ports below port 1023. Again, this configuration does not spend much time limiting egress (outbound) traffic. Rather, it focuses on trying to limit ingress (inbound) traffic. Any of the Ipchains or Iptables commands given in the following sections can be entered into any script, or into a directory or file such as /etc/rc.d/init.d/ or /etc/rc.d/rc.local. This way, your rules will be loaded automatically when you reboot your system.
Regardless of whether you are using Ipchains or Iptables, the first thing you will have to do for your firewall is to flush all existing rules using the -F option. Then, use the -P option to set the firewall policies to deny all connections by default; the rules you create afterwards allow only the protocols you really want. Then, use the necessary commands to enable forwarding and masquerading, as shown earlier in this chapter. Without this foundation, you will not be able to forward packets at all, and firewalling them would be superfluous.
Many times, a hacker will try to use your firewall as a default gateway and try to spoof internal packets. If a firewall's "Internet interface" (the one that is responsible for addressing packets to the Internet) is not configured to explicitly deny packets arriving from the Internet with a source address belonging to one of your internal networks, then you are susceptible to this attack. To deny spoofing, issue the following commands, depending on which kernel you are using (the first two are for Ipchains, the last two for Iptables):
ipchains -A input -s 192.168.1.0/24 -i eth0 -j DENY
ipchains -A input -s 10.100.100.0/24 -i eth0 -j DENY
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
iptables -A FORWARD -s 10.100.100.0/24 -i eth0 -j DROP
You may want to log all of the attempts, just so you know how often you are attacked:
ipchains -A input -s 192.168.1.0/24 -i eth0 -l -j DENY
ipchains -A input -s 10.100.100.0/24 -i eth0 -l -j DENY
The preceding rules differ only in that they specify the -l (log) option. In Iptables, logging is a separate target that does not stop rule matching, so create two additional entries, placed before the corresponding DROP rules, to log the traffic:
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j LOG
iptables -A FORWARD -s 10.100.100.0/24 -i eth0 -j LOG
Remember, if you have additional interfaces, you have to add a rule for each. Because rules are checked in order, these anti-spoofing rules must also come before any rule that accepts traffic arriving on eth0. Do not leave one interface open to a spoofing attack. You will be surprised how quickly a hacker can discover this vulnerability.
The following is an example of what you can do with your network when it comes to allowing inbound and outbound TCP connections. If you are using Ipchains, issue the following commands to allow TCP connections:
ipchains -A input -p tcp -d 192.168.1.0/24 ! 80 -y -b -j ACCEPT
ipchains -A input -p tcp -d 10.100.100.0/24 ! 80 -y -b -j ACCEPT
The -y option prohibits remote hosts from initiating a connection to any port except port 80. This is because the ! character reverses the meaning of anything that is immediately in front of it. In this case, only connections meant for port 80 will be allowed; all others will be denied. This may seem strange, but remember, this rule is for the input chain, and many times these rules seem to be the reverse of common sense. The -b option "mirrors" the rule, which means that the rule applies to packets going in both directions. One rule therefore does the same thing as repeating the command with the source and destination flags (-s and -d) reversed.
If you are using Iptables, issue the following commands:
iptables -A FORWARD -m multiport -p tcp -d 192.168.1.0/24 --dports 25,110,80,443,53 \
    ! --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -m multiport -p tcp -s 192.168.1.0/24 --sports 25,110,80,443,53 \
    ! --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -m multiport -p tcp -d 10.100.100.0/24 --dports 25,110,80,443,53 \
    ! --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -m multiport -p tcp -s 10.100.100.0/24 --sports 25,110,80,443,53 \
    ! --tcp-flags SYN,ACK ACK -j ACCEPT
The preceding rules allow ports above 1023 to be opened, as long as they are continuing a connection that was first established by a host inside the firewall. You can, of course, add ports according to your needs; the multiport match takes a comma-separated list with no spaces. The \ character is a simple line continuation character that you may have to specify in a script. As with Ipchains, the ! character reverses the meaning of the option it is applied to. In this case, it means that any packet that does not have the SYN, SYN ACK, or ACK bit set is accepted.
You may want to allow certain outside hosts to initiate a connection to your firewall. If you do, you can issue the following commands.
For Ipchains, you would issue the following:
ipchains -A input -p tcp -i eth0 -d 192.168.1.0/24 80 -y -j ACCEPT
The difference between this command and those given previously is that this one specifies the interface (-i eth0) in addition to the destination address, and it allows connection requests (-y) only to port 80.
For outgoing connections, you would issue the following:
ipchains -A input -p tcp -i eth0 -d 0/0 -j ACCEPT
For Iptables, you would do the following for standard TCP connections:
iptables -A FORWARD -m multiport -p tcp -i eth0 -d 192.168.1.0/24 --dports 80 \
    --syn -j ACCEPT
iptables -A FORWARD -m multiport -p tcp -i eth0 -d 10.100.100.0/24 --dports 80 \
    --syn -j ACCEPT
To allow for outgoing connections, you would issue the following:
iptables -A FORWARD -p tcp -i eth0 -d 0/0 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -d 0/0 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i eth2 -d 0/0 --syn -j ACCEPT
All other TCP traffic will be locked out. Note that -i names the interface a packet arrives on, so the eth0 rule here (like the Ipchains -i eth0 -d 0/0 rule above) matches connection requests coming in from the Internet to any port; leave it out unless that is what you intend.
To filter incoming and outgoing UDP, you would follow many of the same procedures as outlined earlier. However, you should allow both TCP port 53 and UDP port 53, at least at first. Most of the time, DNS uses UDP port 53. However, DNS can use TCP when a request grows too large, so you should account for this by creating explicit rules. For Ipchains, you would do the following to allow incoming connections:
ipchains -A input -p udp -i eth0 -d 192.168.1.0/24 53 -j ACCEPT
ipchains -A input -p udp -i eth0 -d 10.100.100.0/24 53 -j ACCEPT
The preceding rules are necessary only if you plan to allow outside users to access your DNS server. For outgoing UDP connections, you would issue the following:
ipchains -A input -p udp -i eth0 -d 0/0 -j ACCEPT
For Iptables, you would issue the following commands:
iptables -A FORWARD -m multiport -p udp -i eth0 -d 192.168.1.0/24 \
    --dports 53 -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth0 -s 192.168.1.0/24 \
    --dports 53 -j ACCEPT
Outgoing UDP usually requires that you enable DNS lookups, which are usually at UDP port 53:
iptables -A FORWARD -m multiport -p udp -i eth0 -d 0/0 --dports 53 -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth0 -s 0/0 --dports 53 -j ACCEPT
It is possible that your network requires additional ports. For example, if you are running SNMP, you would have to open ports 160 and 161.
If you want to log these connections, do the following using Ipchains:
ipchains -A input -p tcp -l -j REJECT
ipchains -A input -p udp -l -j REJECT
ipchains -A input -p icmp -l -j REJECT
The preceding commands will log any packet that is matched. Because they match every remaining packet of their protocol, they belong at the end of the chain, after the ACCEPT rules. If you are using Iptables, the equivalent commands are:
iptables -A FORWARD -p tcp -j LOG
iptables -A FORWARD -p udp -j LOG
iptables -A FORWARD -p icmp -j LOG
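The following script is added here and is not the chapter's own code: it assembles the Iptables pieces above (foundation, anti-spoofing with logging, the TCP and UDP allow rules for the three NICs, and a final logging rule) into one file, in the order that rule matching requires. For "continuing a connection" it uses ! --syn, the inverse of the Ipchains -y test, in place of the --tcp-flags form shown earlier; the IPT and DRYRUN variables and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not the chapter's own script): the three-NIC Iptables firewall
# assembled in the order the text requires. IPT, DRYRUN and the function names
# are this script's assumptions; interfaces and networks are the chapter's.
IPT="${IPT:-iptables}"
DRYRUN="${DRYRUN:-1}"                        # 1 = print rules, 0 = load them
EXT=eth0                                     # Internet interface, 207.1.2.3/24
INTERNAL="192.168.1.0/24 10.100.100.0/24"   # the eth1 and eth2 networks
SERVICES=25,110,80,443,53                    # TCP services the text opens

run() {
    if [ "$DRYRUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

foundation() {
    run -F; run -t nat -F                    # flush existing rules
    for chain in INPUT FORWARD OUTPUT; do run -P "$chain" DROP; done
    run -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE   # masquerade on the way out
    [ "$DRYRUN" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Anti-spoofing goes before every ACCEPT: a packet arriving on the Internet
# interface with an internal source address is logged, then dropped. LOG does
# not end matching, so each LOG rule precedes its DROP rule.
antispoof() {
    for net in $INTERNAL; do
        run -A FORWARD -s "$net" -i "$EXT" -j LOG --log-prefix "SPOOF: "
        run -A FORWARD -s "$net" -i "$EXT" -j DROP
    done
}

allow() {
    for net in $INTERNAL; do
        # From the Internet: a connection request (SYN) only to port 80; the
        # other listed services receive only packets that continue a
        # connection an inside host opened (! --syn, the inverse of Ipchains -y)
        run -A FORWARD -p tcp -i "$EXT" -d "$net" --dport 80 --syn -j ACCEPT
        run -A FORWARD -m multiport -p tcp -i "$EXT" -d "$net" --dports "$SERVICES" ! --syn -j ACCEPT
        run -A FORWARD -p udp -i "$EXT" -d "$net" --sport 53 -j ACCEPT   # DNS replies
        # From inside: anything, to the Internet or to the other internal network
        run -A FORWARD -s "$net" ! -i "$EXT" -j ACCEPT
    done
    run -A FORWARD -j LOG --log-prefix "DENIED: "   # record what the policy drops
}

build_firewall() { foundation; antispoof; allow; }
```

With DRYRUN=1 (the default) calling build_firewall prints the 19 rules it would load; run it as root with DRYRUN=0 to apply them.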
Usually, creating the ideal packet-filtering rules requires some trial and error, as well as research specific to your own situation. For more information about using Ipchains, consult the Ipchains man page, and the Ipchains-HOWTO available at www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html#toc1.
For more information about using Iptables, consult the Iptables man page, and the Iptables-HOWTO available at various sites, including www.guenthers.net/doc/howto/en/html/IP-Masquerade-HOWTO.html#toc2. Using the information in this chapter and additional resources, you will be able to create a firewall that blocks known attacks.