> -----Original Message-----
> From: John A. Sullivan III [mailto:john.sullivan@xxxxxxxxxxxxx]
> Sent: Thursday 11 December 2003 14:05
> To: Tanen
> Cc: 'Antony Stone'; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: RE : [IP ?] what ip must be filtered ?
>
> On Thu, 2003-12-11 at 06:42, Tanen wrote:
> > Hello,
> > Thanks for your help.
> > This dedicated box is on my local network, but it isn't a router,
> > just a server; I have a hardware router, with a hardware firewall
> > integrated in this router.
> > My question is not really clear, so I try again to explain it: I
> > want to block all attacks, and all floods or other shit related to
> > the hackers, on my server. For this, I have only forwarded a few
> > ports on my hardware router: 80, 110, 25, 143, 21, 53, 443, 993;
> > all others are blocked by the hardware firewall. Now I want to
> > prevent anything that would be attempted using these ports. So I
> > want to create a firewall to prevent this, and authorise ALL
> > traffic in the local network, but filtering the outgoing packets
> > from the server, to not allow any other things than the things
> > requested by the computers themselves. I'm not sure I'm clear; if
> > not, I can try again to explain it, but I'm not speaking English
> > very well, that's not my main language. I'm really a beginner to
> > Iptables, and a novice to Linux. I'm listening to ALL help ... :)
> > and any help would be appreciated.
> > <snip>
> > I'm filtering my local ip, or my external ip; my mail server isn't
> > getting any mail from www. Someone can help me please?
> >
> > > The simplest way to do what you want is not to think about IP
> > > addresses so much as which interface they're connected to.
> > >
> > > Let's assume that your firewall has 192.168.0.100 on eth0 (private,
> > > internal) and 63.x.y.z on eth1 (public, external)
> > >
> > > Then a good start to your ruleset would be:
> > >
> > > iptables -P FORWARD DROP
> > > iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> > > iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 63.x.y.z
> > >
> > > An improvement on the above rules would be to be more restrictive
> > > about what traffic you allow from internal clients to the Internet,
> > > however this is a start.
> > >
> > > If you don't understand anything about the above rules feel free to
> > > ask again.
> > >
> > > Antony.
> <snip>
>
> Let me try to rephrase your question first so we can try to understand
> it better. You have a physical router with a firewall between your
> internal network and the Internet. This is NOT the iptables firewall.
> It is forwarding ports to your internal network. Are you saying that
> on that network you have an iptables firewall and you want to use it
> to restrict inbound traffic to only be the reply packets to sessions
> the internal computers have initiated?

No, I will try to explain myself better. Yes, I have a hardware router
with an integrated firewall, which redirects the minimal ports to the
dedicated Linux box.
By this router (hardware) I have other computers connected to the
Internet, like the dedicated box; all work on the same local network,
all can communicate between them, e.g. for samba, between Windows -->
Linux. On this Linux dedicated box I have a few servers: mail, ftp,
dns, pop, pops, imap, imaps, smtp, smtps, ssh, http, https, samba. NO
ONE of the computers of the local network is using the dedicated box to
access the Internet; ALL computers use the HARDWARE router to access
the Internet. My question is, how to set up my dedicated box, with
Iptables, to secure it from attacks and hack shitting. I want my
iptables rules to accept communication from other local network
computers, but filtering this access (to limit the spoofing risk) to 3
or 4 static local IP addresses attributed by the HARDWARE DHCP router,
and, in the first place, to secure ALL inbound traffic from the
Internet on my dedicated box. I don't want to get any problem of hack
or other things with my box; that's why I want to filter ALL inbound
traffic, to prevent any problems. For this, I'm asking what I must do.
I hope I have been a little bit clearer. I'm not wanting to use my
dedicated box as a router; I don't want to use nat or forward on it.
I'm having only one network card on the Linux box, with the IP
192.168.0.1 on eth0; here is my route table:
----
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.100   0.0.0.0         UG    0      0        0 eth0
---
My HARDWARE router with integrated firewall has the IP address
192.168.0.100; it's providing access to the Internet to the local
computers on the 192.168.0/24 mask. I'm sorry to bore you with my bad
English and my bad quality of explanation; I'm new to iptables as I've
said before. I'm thinking I'm now paranoid too, "because of an old
attack problem", and that's why I request help, and waste your time :'(
I hope you will help me, and I really appreciate your help, and all the
efforts that you made to understand me, and my request!
As I have read on the Internet, I want to prevent any flood attack,
syn flood, and unwanted access to a port by an unwanted type of
protocol; I want to filter all local traffic to prevent a trojan on a
Windows computer from accessing the Linux box; it's to secure all my
data. In "two words", suggest me how and with what I must secure my
box from the Internet to a "Hard level" and from the local network to
a "Medium level". Really BIG THANKS to you. Sincerely, Tanen.

> If this is true, then your first problem is a routing one. How do you
> get all packets to pass through the iptables device. Probably the
> cleanest way is to create a new network so that the iptables device
> has two interfaces - one connected to the router and the other to an
> entirely different network - different IP address. Then you can set
> the default gateway of the local computers to the iptables computer.
>
> An alternative is to forward all traffic from the router to the
> iptables server and set the default gateway of all the local computers
> to be the iptables server. You must be careful to make sure that no
> one is listening to redirection packets or the traffic flow will be
> diverted from the iptables server to be directly between the hardware
> router and the local computers. You will generate a constant stream
> of redirection notifications on your network unless you also turn off
> the ability to send ICMP redirects.
>
> Once you have your routing straight, then we can worry about filtering
> packets. As already described, the easiest way to assure that only
> outbound initiated traffic is allowed is set DENY policies and then
> allow:
> iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Do I correctly understand that you have an e-mail server?
> Are you sure that you do not need to allow inbound initiated traffic
> to this device? In other words, do other devices on the Internet send
> e-mail to it without it first asking for the e-mail? If so, then you
> will need to add rules to allow this inbound initiated traffic. It
> would be wisest to put this "public" server on a separate network
> connected to the iptables server, a DMZ, to keep it away from the
> internal computers.
>
> Finally, you will need to worry about malicious traffic traveling on
> the allowed ports. Here is an example of some rules that I load with
> iptables-restore -n (thus the different syntax) for such protection.
> I am sure they could be greatly improved:
>
> *mangle
> :PREROUTING ACCEPT
> :INPUT ACCEPT
> :OUTPUT ACCEPT
> :FORWARD ACCEPT
> :POSTROUTING ACCEPT
> # user chains declared here so the file loads even when they do not exist yet
> :ProtectionMangleTCP - [0:0]
> :ProtectionMangleBadTCP - [0:0]
> :ProtectionMangleICMP - [0:0]
> -I PREROUTING 1 -p 6 -j ProtectionMangleTCP
> -I PREROUTING 1 -p 1 -j ProtectionMangleICMP
> -A ProtectionMangleBadTCP -p 6 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[SYN,ACK First Packet] "
> -A ProtectionMangleBadTCP -p 6 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
> -A ProtectionMangleBadTCP -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[Suspect TCP Flags] "
> -A ProtectionMangleBadTCP -j DROP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ALL ALL -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ALL NONE -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags SYN,FIN SYN,FIN -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags SYN,RST SYN,RST -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags RST,FIN RST,FIN -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ACK,FIN FIN -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags ACK,PSH PSH -j ProtectionMangleBadTCP
> -A ProtectionMangleTCP -p 6 -m tcp --tcp-flags URG,ACK URG -j ProtectionMangleBadTCP
> -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -d 255.255.255.255 -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[Broadcast Ping] "
> -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -d 255.255.255.255 -j DROP
> -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -m limit --limit 200/s --limit-burst 500 -j RETURN
> -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -m limit --limit 1/s -j LOG --log-level warning --log-prefix "[Ping Flood] "
> -A ProtectionMangleICMP -p 1 -m icmp --icmp-type 8 -j DROP
>
> # mangle: drop fragments arriving on the public interface
> -I PREROUTING 1 -f -i eth1 -j DROP
> # anti-spoofing: private source addresses may only arrive on the private side
> -A PREROUTING ! -i $PUBLICIF -s $PRIVATENETWORK -j DROP
> COMMIT
>
> You may also want to look at some of the settings available to you
> via /proc to handle spoofing, source route bridging, icmp redirects,
> etc.
>
> You may want to take a tour through Oskar Andreasson's fine tutorial
> on the netfilter web site. You can also find an iptables slide show in
> the training section at http://iscs.sourceforge.net
>
> Have I understood your questions properly?
>
> --
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan@xxxxxxxxxxxxx
> ---
> If you are interested in helping to develop a GPL enterprise class
> VPN/Firewall/Security device management console, please visit
> http://iscs.sourceforge.net
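Both replies above assume the iptables box routes (FORWARD rules, NAT), but Tanen's clarification is a single-NIC server at 192.168.0.1 behind the hardware router, so the filtering belongs on INPUT. The script below is an added example, not code from any participant in this thread: it generates an iptables-restore ruleset that applies the "hard level" to the router-forwarded ports, the "medium level" to a few trusted LAN addresses, and carries over the bad-flag and flood checks from John's mangle chains; the three trusted hosts and the LAN-only port list are assumed values.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: an iptables-restore
# ruleset for a single-NIC server like Tanen's (192.168.0.1 on eth0, router at
# 192.168.0.100 forwarding the public ports). Filtering is on INPUT only, no
# FORWARD or NAT. The trusted hosts and LAN-only port list are assumed values.
TRUSTED_LAN="192.168.0.10 192.168.0.11 192.168.0.12"  # assumed static DHCP leases
PUBLIC_TCP="21 25 53 80 110 143 443 993"              # the ports the router forwards
LAN_ONLY_TCP="22 139 445"                             # ssh and samba: trusted LAN only
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':BADTCP - [0:0]' ':SYNLIMIT - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # Illegal flag combos and NEW connections not opened by a plain SYN (as in ProtectionMangleTCP)
    for f in 'ALL ALL' 'ALL NONE' 'SYN,FIN SYN,FIN' 'SYN,RST SYN,RST' 'FIN,ACK FIN'; do
        echo "-A INPUT -p tcp -m tcp --tcp-flags $f -j BADTCP"
    done
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j BADTCP'
    echo '-A BADTCP -m limit --limit 1/s -j LOG --log-prefix "[Suspect TCP Flags] "'
    echo '-A BADTCP -j DROP'
    # Cap the rate of new TCP connections before the per-port accepts (SYN flood)
    echo '-A INPUT -p tcp --syn -j SYNLIMIT'
    echo '-A SYNLIMIT -m limit --limit 25/s --limit-burst 50 -j RETURN'
    echo '-A SYNLIMIT -m limit --limit 1/s -j LOG --log-prefix "[SYN Flood] "'
    echo '-A SYNLIMIT -j DROP'
    # "Hard level" from the Internet: only the ports the router forwards
    for p in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -p udp --dport 53 -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # "Medium level" from the LAN: ssh and samba only from the trusted hosts
    for h in $TRUSTED_LAN; do
        for p in $LAN_ONLY_TCP; do
            echo "-A INPUT -s $h -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        echo "-A INPUT -s $h -p udp -m multiport --dports 137,138 -j ACCEPT"
    done
    echo '-A INPUT -m limit --limit 1/s -j LOG --log-prefix "[INPUT Drop] "'
    echo 'COMMIT'
}
# Kernel-side companions from /proc, as John suggests: SYN cookies, reverse-path
# filtering, and no ICMP redirects or source-routed packets (apply with sysctl -w)
sysctl_hardening() {
    printf '%s\n' net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1 \
        net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.accept_source_route=0
}
gen_rules   # review the output, then:  sh thisfile.sh | iptables-restore
```

Everything the router does not forward is already blocked upstream, so the INPUT policy DROP mostly matters for the LAN side; the final LOG rule shows what the trusted-host list is rejecting before you tighten it further.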