Linux IPCHAINS-HOWTO: A Serious Example.

7. A Serious Example.
This example was extracted from Michael Neuling's and my March 1999 LinuxWorld
tutorial; it is not the only way to solve the given problem, but it is
probably the simplest. I hope you will find it informative.


7.1 The Arrangement

  - Masqueraded internal network (various operating systems), which we call
    "GOOD".
  - Exposed servers in a separate network (called "DMZ" for Demilitarized
    Zone).
  - PPP connection to the Internet (called "BAD").


                      External Network (BAD)
                               |
                               |
                           ppp0|
                       ---------------
                       | 192.84.219.1|   Server Network (DMZ)
                       |             |eth0
                       |             |------------------------------------------------
                       |             |192.84.219.250      |             |            |
                       |             |                    |             |            |
                       |192.168.1.250|                    |             |            |
                       ---------------                 --------      -------      -------
                              | eth1                   | SMTP |      | DNS |      | WWW |
                              |                        --------      -------      -------
                              |                    192.84.219.128 192.84.219.129 192.84.218.130
                              |
                      Internal Network (GOOD)


7.2 Goals

Packet Filter box:

  - PING any network
    This is really useful to tell if a machine is down.
  - TRACEROUTE any network
    Once again, useful for diagnosis.
  - Access DNS
    To make ping and DNS more useful.

Within the DMZ:

  - Mail server
      - SMTP to external
      - Accept SMTP from internal and external
      - Accept POP-3 from internal
  - Name server
      - Send DNS to external
      - Accept DNS from internal, external and packet filter box
  - Web server
      - Accept HTTP from internal and external
      - Rsync access from internal

Internal:

  - Allow WWW, ftp, traceroute, ssh to external
    These are fairly standard things to allow: some places start by allowing
    the internal machines to do just about everything, but here we're being
    restrictive.
  - Allow SMTP to Mail server
    Obviously, we want them to be able to send mail out.
  - Allow POP-3 to Mail server
    This is how they read their mail.
  - Allow DNS to Name server
    They need to be able to look up external names for WWW, ftp, traceroute
    and ssh.
  - Allow rsync to Web server
    This is how they synchronize the external web server with the internal
    one.
  - Allow WWW to Web server
    Obviously, they should be able to connect to our external web server.
  - Allow ping to packet filter box
    This is a courteous thing to allow: it means that they can test if the
    firewall box is down (so we don't get blamed if an external site is
    broken).


7.3 Before Packet Filtering


Anti-spoofing
Since we don't have any asymmetric routing, we can simply turn on
anti-spoofing for all interfaces.


# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
#


Set filtering rules to DENY all:
We still allow local loopback traffic, but deny anything else.


# ipchains -A input -i ! lo -j DENY
# ipchains -A output -i ! lo -j DENY
# ipchains -A forward -j DENY
#


Set Up Interfaces
This is usually done in the boot scripts. Make sure the above steps are
done before the interfaces are configured, to prevent packet leakage before
the rules are set up.

Insert per-protocol masquerading modules.
We need to insert the masquerading module for FTP, so that active and
passive FTP `just work' from the internal network.


# insmod ip_masq_ftp
#


7.4 Packet Filtering for Through Packets
With masquerading, it's best to filter in the forward chain.

Split the forward chain into various user chains depending on the source and
destination interfaces; this breaks the problem down into manageable chunks.

ipchains -N good-dmz
ipchains -N bad-dmz
ipchains -N good-bad
ipchains -N dmz-good
ipchains -N dmz-bad
ipchains -N bad-good

ACCEPTing standard error ICMPs is a common thing to do, so we create a chain
for it.

ipchains -N icmp-acc


Set Up Jumps From forward Chain
Unfortunately, we only know (in the forward chain) the outgoing interface.
Thus, to figure out what interface the packet came in on, we use the source
address (the anti-spoofing prevents address faking).

Note that we log anything which doesn't match any of these (obviously, this
should never happen).

ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
ipchains -A forward -i eth0 -j bad-dmz
ipchains -A forward -i eth1 -j bad-good
ipchains -A forward -j DENY -l


Define the icmp-acc Chain
Packets which are one of the error ICMPs get ACCEPTed; otherwise, control
passes back to the calling chain.


ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT


Good (Internal) to DMZ (Servers)

  Internal restrictions:
    - Allow WWW, ftp, traceroute, ssh to external
    - Allow SMTP to Mail server
    - Allow POP-3 to Mail server
    - Allow DNS to Name server
    - Allow rsync to Web server
    - Allow WWW to Web server
    - Allow ping to packet filter box

We could do masquerading from the internal network into the DMZ, but here we
don't. Since no one in the internal network should be trying to do evil
things, we log any packets that get denied.


ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.128 pop-3 -j ACCEPT
ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
ipchains -A good-dmz -p icmp -j icmp-acc
ipchains -A good-dmz -j DENY -l



Bad (external) to DMZ (servers).

  DMZ restrictions:
    - Mail server
        - SMTP to external
        - Accept SMTP from internal and external
        - Accept POP-3 from internal
    - Name server
        - Send DNS to external
        - Accept DNS from internal, external and packet filter box
    - Web server
        - Accept HTTP from internal and external
        - Rsync access from internal

Things we allow from the external network to the DMZ. Don't log violations,
as they may happen.

ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
ipchains -A bad-dmz -p icmp -j icmp-acc
ipchains -A bad-dmz -j DENY


Good (internal) to Bad (external).

  Internal restrictions:
    - Allow WWW, ftp, traceroute, ssh to external
    - Allow SMTP to Mail server
    - Allow POP-3 to Mail server
    - Allow DNS to Name server
    - Allow rsync to Web server
    - Allow WWW to Web server
    - Allow ping to packet filter box

Many people allow everything from the internal to external networks, then
add restrictions. We're being fascist.

Log violations. Passive FTP is handled by the masquerading module.

ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l


DMZ to Good (internal).

  Internal restrictions:
    - Allow WWW, ftp, traceroute, ssh to external
    - Allow SMTP to Mail server
    - Allow POP-3 to Mail server
    - Allow DNS to Name server
    - Allow rsync to Web server
    - Allow WWW to Web server
    - Allow ping to packet filter box

If we were masquerading from the internal network to the DMZ, we would simply
refuse any packets coming the other way. As it is, we only allow packets which
might be part of an established connection.

ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
ipchains -A dmz-good -p icmp -j icmp-acc
ipchains -A dmz-good -j DENY -l


DMZ to Bad (external).

  DMZ restrictions:
    - Mail server
        - SMTP to external
        - Accept SMTP from internal and external
        - Accept POP-3 from internal
    - Name server
        - Send DNS to external
        - Accept DNS from internal, external and packet filter box
    - Web server
        - Accept HTTP from internal and external
        - Rsync access from internal

ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
ipchains -A dmz-bad -p icmp -j icmp-acc
ipchains -A dmz-bad -j DENY -l


Bad (external) to Good (internal).

We don't allow anything (non-masqueraded) from the external network to the
internal network.

ipchains -A bad-good -j REJECT
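To see the forward-chain logic above do what the text says, here is an added example in Python (not code from the IPCHAINS-HOWTO or from ipchains itself): a small interpreter for only the ipchains syntax these rules use, loaded with the forward, icmp-acc, good-dmz, dmz-good and bad-good chains from this section (good-bad, bad-dmz and dmz-bad are not loaded, so a packet dispatched to them raises KeyError). It walks a constructed packet through the forward chain: the jump is chosen from the source network plus the outgoing interface, icmp-acc hands control back to its caller when none of the error types match, `! -y` admits only non-SYN segments, and a packet matching nothing hits the logged catch-all DENY. The last rule of the DMZ-to-internal block is loaded as `-A dmz-good -j DENY -l`, since that chain is what the block is building. The PORTS table (values from /etc/services) and the sample addresses (203.0.113.9 and 10.0.0.1 standing in for external hosts) are assumptions.

```python
"""Added example (not from the IPCHAINS-HOWTO): walk constructed packets through
the section 7.4 forward ruleset with an interpreter for just the ipchains syntax
those rules use.  Rule text is the section's own; PORTS and sample addresses are
assumptions."""
import ipaddress

PORTS = {"smtp": 25, "pop-3": 110, "domain": 53, "www": 80, "rsync": 873,
         "ssh": 22, "ftp": 21}                # assumed /etc/services values
TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}   # targets that end the walk
RULES = """
-A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
-A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
-A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
-A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
-A forward -i eth0 -j bad-dmz
-A forward -i eth1 -j bad-good
-A forward -j DENY -l
-A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
-A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
-A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
-A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
-A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
-A good-dmz -p tcp -d 192.84.219.128 pop-3 -j ACCEPT
-A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
-A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
-A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT
-A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT
-A good-dmz -p icmp -j icmp-acc
-A good-dmz -j DENY -l
-A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
-A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
-A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
-A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT
-A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT
-A dmz-good -p icmp -j icmp-acc
-A dmz-good -j DENY -l
-A bad-good -j REJECT
"""

def port_range(text):
    """'smtp' -> (25, 25); '33434:33500' -> (33434, 33500)."""
    lo, _, hi = text.partition(":")
    lo = int(lo) if lo.isdigit() else PORTS[lo]
    return lo, (int(hi) if hi else lo)

def parse_rule(line):
    """Turn one '-A chain ... -j target' line into a dict of match clauses."""
    toks, r, i = line.split(), {"log": False, "not_syn": False}, 0
    while i < len(toks):
        t, arg, step = toks[i], (toks[i + 1] if i + 1 < len(toks) else None), 2
        if t == "-A": r["chain"] = arg
        elif t == "-p": r["proto"] = arg.lower()
        elif t == "-i": r["iface"] = arg
        elif t == "-j": r["target"] = arg
        elif t == "--icmp-type": r["icmp_type"] = arg
        elif t == "--dport": r["dport"] = port_range(arg)
        elif t in ("-s", "-d"):
            addr, port = ("src", "sport") if t == "-s" else ("dst", "dport")
            r[addr] = ipaddress.ip_network(arg, strict=False)
            # an address may be followed by a bare port name or number
            if i + 2 < len(toks) and not toks[i + 2].startswith(("-", "!")):
                r[port], step = port_range(toks[i + 2]), 3
        elif t == "!" and arg == "-y": r["not_syn"] = True   # non-SYN only
        elif t == "-l": r["log"], step = True, 1             # flag, no argument
        else: raise ValueError(f"unsupported syntax {t!r} in {line!r}")
        i += step
    return r

def matches(r, p):
    """True when packet p satisfies every match clause that rule r carries."""
    in_net = lambda k: k not in r or ipaddress.ip_address(p[k]) in r[k]
    in_range = lambda k: k not in r or r[k][0] <= p[k] <= r[k][1]
    return (all(r.get(k, p[k]) == p[k] for k in ("proto", "iface", "icmp_type"))
            and in_net("src") and in_net("dst")
            and in_range("sport") and in_range("dport")
            and not (r["not_syn"] and p["syn"]))      # ! -y excludes SYN packets

CHAINS = {}                                      # chain name -> rules, in order
for _line in RULES.strip().splitlines():
    _rule = parse_rule(_line)
    CHAINS.setdefault(_rule["chain"], []).append(_rule)

def walk(chain, pkt):
    """(target, logged) of the first terminal match; None when the packet runs
    off the end of a user chain, which hands control back to the calling chain."""
    for r in (r for r in CHAINS[chain] if matches(r, pkt)):
        if r["target"] in TERMINAL:
            return r["target"], r["log"]
        verdict = walk(r["target"], pkt)             # jump into a user chain
        if verdict is not None:
            return verdict
    return None

def forward(src, dst, iface, proto, sport=0, dport=0, icmp_type=None, syn=True):
    """Verdict the forward chain gives a packet about to leave via `iface`."""
    pkt = dict(src=src, dst=dst, iface=iface, proto=proto, sport=sport,
               dport=dport, icmp_type=icmp_type, syn=syn)
    return walk("forward", pkt)
```

Call `forward(src, dst, out_iface, proto, sport, dport, ...)` with the interface the router would send the packet out of; the tuple returned is the terminal target and whether the matching rule carried `-l`, so `forward("192.168.1.5", "192.84.219.128", "eth0", "tcp", 40000, 23)` gives `("DENY", True)` while a time-exceeded ICMP from the DNS server to an internal host gives `("ACCEPT", False)` via icmp-acc. The parser accepts only what these rules use (no negated `-i !`, no uppercase protocol names beyond what `.lower()` handles), so the input-chain rules of the next subsection would need a couple more clauses before they could be loaded the same way.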


Packet Filtering for the Linux Box Itself



If we want to use packet filtering on packets coming into the box itself,
we need to do filtering in the input chain. We create one chain for each
destination interface:
ipchains -N bad-if
ipchains -N dmz-if
ipchains -N good-if

Create jumps to them:
ipchains -A input -d 192.84.219.1 -j bad-if
ipchains -A input -d 192.84.219.250 -j dmz-if
ipchains -A input -d 192.168.1.250 -j good-if


Bad (external) interface.

  Packet Filter box:
    - PING any network
    - TRACEROUTE any network
    - Access DNS

The external interface also receives replies to masqueraded packets, ICMP
errors for them, and PING replies.
ipchains -A bad-if -i ! ppp0 -j DENY -l
ipchains -A bad-if -p TCP --dport 61000:65096 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65096 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY


DMZ interface.

  Packet Filter box restrictions:
    - PING any network
    - TRACEROUTE any network
    - Access DNS

The DMZ interface receives DNS replies, ping replies and ICMP errors.
ipchains -A dmz-if -i ! eth0 -j DENY
ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A dmz-if -j icmp-acc
ipchains -A dmz-if -j DENY -l


Good (internal) interface.

  Packet Filter box restrictions:
    - PING any network
    - TRACEROUTE any network
    - Access DNS

  Internal restrictions:
    - Allow WWW, ftp, traceroute, ssh to external
    - Allow SMTP to Mail server
    - Allow POP-3 to Mail server
    - Allow DNS to Name server
    - Allow rsync to Web server
    - Allow WWW to Web server
    - Allow ping to packet filter box

The internal interface receives pings, ping replies and ICMP errors.
ipchains -A good-if -i ! eth1 -j DENY
ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A good-if -j icmp-acc
ipchains -A good-if -j DENY -l


7.5 Finally


Delete blocking rules:
ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1
