Linux Firewall
Theory
ipchains does packet filtering; IP masquerading does address translation (NAT, or more precisely PAT, since many private addresses share one public address and are told apart by port). ipchains has three built-in rulesets, called chains (input, forward and output; the names are lowercase in ipchains, uppercase only in the later iptables), to which user-defined chains can be added. Each rule says what to do with a matching packet: ACCEPT lets it through, DENY drops it silently (the sender sees only a timeout), and REJECT drops it and sends back an ICMP error (port unreachable), so the sender fails immediately. REJECT is friendlier to legitimate clients and to your own misconfigured hosts; DENY costs a scanner a timeout per probe and gives it slightly less to work with. Neither hides the filter: an unfiltered closed TCP port answers with a RST, not silence or an ICMP unreachable, so a port scanner reports a filtered port in both cases.
Question: As added security, is using ipchains on a regular host (i.e. not a firewall, so it only has one NIC) a good idea, or is performance a problem? It is a good idea: host-based filtering also protects the host from the LAN side, and the cost is one linear walk of the input chain per packet, negligible with a handful of rules.
Practice
Anti-spoofing
#!/bin/sh
# Turn on reverse-path filtering on every interface: the kernel drops a packet
# whose source address would not be routed back out the interface it came in on
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > "$file"
done
IP Forward
echo "1" > /proc/sys/net/ipv4/ip_forward
If using Red Hat 6.x, just edit /etc/sysconfig/network:
FORWARD_IPV4=true
Later Red Hat releases use net.ipv4.ip_forward = 1 in /etc/sysctl.conf instead.
Chains
Note: eth0 is the public interface, and eth1 is the private interface.
Set the default policies before flushing: -F removes the rules but keeps the policy, so the input chain is never open while the script runs. (Inserting a catch-all REJECT at position 1 instead would be fatal: every rule appended afterwards sits behind it and is never reached.)
ipchains -P input REJECT
ipchains -P forward ACCEPT
ipchains -P output ACCEPT
ipchains -F input
ipchains -F forward
ipchains -F output
# KISS: bad packets are blocked in the input chain. The forward and output
# chains accept everything, so only incoming packets are filtered.
# Trust everything arriving from the private side and from loopback
ipchains -A input -i eth1 -j ACCEPT
ipchains -A input -i lo -j ACCEPT
# Allow selected incoming packets on the public side. A port is only
# accepted together with -p tcp or -p udp, so the protocol must be given.
ipchains -A input -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i eth0 -p tcp -d mail.audientia.com smtp -j ACCEPT
ipchains -A input -i eth0 -p tcp -d www.audientia.com www -j ACCEPT
# Replies to connections opened from this host: -y matches TCP packets with
# SYN set and ACK/FIN clear (connection requests), so ! -y matches every
# other TCP packet. -y is a TCP test and needs -p tcp. ipchains keeps no
# connection state, so this also admits non-SYN packets (ACK/FIN probes)
# that belong to no connection; only connection requests are refused.
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
Things to check
- Does -F flush all chains? With no chain name, ipchains -F flushes all three built-in chains; ipchains -F input flushes only that one. Flushing keeps the chain's policy.
- OK to only use -i without specifying -s and -d? Yes; -s and -d default to 0.0.0.0/0 (any address).
- OK to use 0/0 instead of 0.0.0.0/0? Yes, 0/0 is accepted shorthand for 0.0.0.0/0.
- OK to use hostnames instead of IP addresses? ipchains resolves the name once, when the rule is loaded, so the rule set depends on DNS being reachable at boot and the rule holds whatever address DNS returned at that moment. Prefer IP addresses in firewall scripts.
- If using IP host addresses, must use /32? No; an address given without a mask is treated as /32.
- Where is port # set? After the -s or -d address (-d www.audientia.com www, or a range such as -d 0/0 1024:4999), and only together with -p tcp or -p udp. For ICMP the "port" position holds the type, or use --icmp-type.
- In the reply packet from e.g. an Internet web server, is the source port www or an unprivileged port? The source port is www (80); the destination port is the unprivileged port the client chose. The ! -y rule matches these replies without opening any port.
- Still need to allow outgoing FTP connections. Passive FTP works with the ! -y rule alone; active FTP has the server connect back from port 20 to an unprivileged client port, and masqueraded clients need the ip_masq_ftp module.
# Ports to open to the entire Internet over TCP:
# 1024:4999 is the Linux 2.2 default local port range, used by clients
#   such as rlogin and ftp; 61000 and up is used by masquerading
openPortsTcp="ssh smtp www auth ntp 1024:4999 61000:"
# Ports to open to the entire Internet over UDP:
# 33434 and up is used by traceroute
openPortsUdp="ntp 1024:4999 61000:"
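The chain rules and the port lists above, combined into one loadable script. This is an added example, not part of the original notes: the interface names, the 192.168.1.0/24 private subnet, and the tightened forward policy (DENY, with a single MASQ rule for the LAN) are assumptions; the service lists are the page's. Masquerading also needs ip_forward enabled as described under IP Forward.

```shell
#!/bin/sh
# Added example, not from the original notes: the page's rules and port lists
# as one loadable ipchains script. Assumptions: eth0 public, eth1 private,
# 192.168.1.0/24 behind eth1. With no argument it prints the rules instead
# of loading them (IPCHAINS=echo); "load" applies them with the real binary.
IPCHAINS=${IPCHAINS:-ipchains}
PUB_IF=${PUB_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumption: private subnet behind eth1

# Services offered to the whole Internet (the lists from the notes)
openPortsTcp="ssh smtp www auth 1024:4999 61000:"
openPortsUdp="ntp 1024:4999 61000:"

# open_ports PROTO PORT...: one input-chain ACCEPT per port on the public
# side. ipchains only accepts a port together with -p tcp or -p udp.
open_ports() {
    proto=$1; shift
    for p in "$@"; do
        $IPCHAINS -A input -i "$PUB_IF" -p "$proto" -d 0/0 "$p" -j ACCEPT
    done
}

load_firewall() {
    # Policies first: flushing removes the rules but keeps the policy,
    # so the input chain is never open while the script runs.
    $IPCHAINS -P input REJECT
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -F output

    # Anti-spoofing in the chain itself, on top of rp_filter: our own LAN
    # addresses never arrive on the public interface (-l logs the hits).
    $IPCHAINS -A input -i "$PUB_IF" -s "$LAN_NET" -j DENY -l

    # Loopback and the private side are trusted
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$LAN_IF" -j ACCEPT

    # Published services
    open_ports tcp $openPortsTcp
    open_ports udp $openPortsUdp

    # Replies to connections this host opened: every TCP packet that is not
    # a connection request. ipchains keeps no state, so stray ACK/FIN probes
    # also pass; only a SYN is refused.
    $IPCHAINS -A input -i "$PUB_IF" -p tcp '!' -y -j ACCEPT
    $IPCHAINS -A input -i "$PUB_IF" -p icmp --icmp-type echo-reply -j ACCEPT

    # LAN hosts reach the Internet only through masquerading; on the forward
    # chain -i names the outgoing interface. Masqueraded replies come back
    # through the input chain on ports 61000 and up, hence that open range.
    $IPCHAINS -A forward -i "$PUB_IF" -s "$LAN_NET" -j MASQ
}

if [ "${1:-}" = load ]; then
    load_firewall
else
    IPCHAINS=echo       # dry run: print the rules that would be loaded
    load_firewall
fi
```

Run `sh fw.sh` first and read the printed rules, then `sh fw.sh load` as root. One thing the dry run makes visible: with the ! -y rule in place, the TCP 1024:4999 and 61000: ranges only matter for connection requests to those ports, which is rarely what is wanted; it is the UDP ranges that genuinely need to be open for client replies and masqueraded traffic.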
Resources