Cory Petkovsek ([EMAIL PROTECTED]) wrote: > >On Thu, Sep 18, 2003 at 08:34:39PM +0000, Bob Crandell wrote: >> The ComCast customers are DHCP so I don't have an IP. I don't want to open up to >> their network. That leaves MAC addresses. >I still don't see the correlation. I showed you how one would use the >mac module, but again I don't see why you would need it. dhcp or no, >mac address is datalink layer specific. Bummer. How do I let a person or company in that does not have a static IP address?
> >> >The scan is done. Either the machine is down or the firewall is too >> >tight because there are no services available and I can't even get a >> >fingerprint. >> This is a good thing. >I thought you wanted to provide services to the internet, like ssh and >http. If so, this isn't a good thing because there are no services >available. I can ssh in. DansGuardian and Webmin works. I was expecting you to find 3 or 4 ports open. The fact that you didn't find any is a plus. > >> # Setup Variables >> BROADCAST="216.239.175.255" >> LOOPNET="127.0.0.0/8" >> NET1="64.28.48.0/24" >> SNIPPED >> NET9="216.239.175.0/24" >> SNIPPED >> >> HOST1="64.112.226.198" >> SNIPPED >Are all of those IP addresses static? Where does the dhcp address come >in? Are you manually editting the firewall when the dhcp client gets a >new address?! There is dhcp on each of the NET# networks. The HOST#s are static. The only time I have to edit the list is if uspops changes their addressing scheme or if I want to add or remove a specific HOST. > >> echo "Create Sort Chain." >> # MAC address of router or firewall for DHCP sites like ComCast >> # How is intfw defined? >> # How is intnet defined? >> #/usr/sbin/iptables -A FORWARD -s $intfw -m mac --mac-source >> XX:XX:XX:XX:XX:XX -d ! $intnet -j ACCEPT >'for dhcp sites like comcast' Do you mean you want to allow some >clients (ie home users) to have access to this server? So you are >thinking that by using the mac address module you'll be able to do this? >If so this won't work. Mac addresses are only good for a lan segment. >As I mentioned above, they are the datalink layer. That means they >don't route. A packet that comes across the internet only contains >information from the application/presentation/session, transport and >network layers. Datalink (ie, ethernet) and Physical (ie cat 5/coax) >information from the source network is stripped off. Using the server's >own mac address won't do any good either as it is just as identifiable >as is 'eth0'. Bummer continued. > >For "road warriors" (the semi-official term for remote dhcp clients), >you need another mechanism. iptables doesn't have such a mechanism >unless you 1) open up large blocks of ip addresses or 2) write your own >custom iptables module to do some "trickery" (like port knocking). >However such "trickery" would be able to be sniffed and replayed by an >attacker unless you used encryption/authentication or tricky >randomization and sequencing. There are mechanisms for providing remote >services to such clients. I think my head is going to explode. > >> #You probably want this if the server needs to talk to the internet. >> /usr/sbin/iptables -A sort -m state --state ESTABLISHED,RELATED -j ACCEPT >This should go at the top of the sort rule, it is going to match >successfully for all connections, once they have been established. Thus >listing it first will save netfilter from processing 20 rules in front >of it for every packet. Ok. I'll move it. That will make it a little faster. Yes? > >> /usr/sbin/iptables -A INPUT -i eth0 -d $BROADCAST -j DROP >Why is this here? It won't stop windows broadcasts. It just requires >every packet to match against this rule. It is to prevent this box from accepting broadcasts. > >> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state >> ESTABLISHED -j ACCEPT >> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state >> ESTABLISHED -j ACCEPT >> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -m state --state >> ESTABLISHED -j ACCEPT >> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 10000 -m state --state >> ESTABLISHED -j ACCEPT >Perhaps these are the services you want to open to the internet? If >not, then you don't need them at all because the rule below (-j sort) >opens up the firewall to everything listed in NET? and HOST?. If so >then the lines above are incorrect. You probably mean --dport 22 >instead of --sport. Packets coming to the machine are "destined" for >port 22. They are open to the internet. There is something about this script doesn't let you "browse" for them. I like that. So you are saying that if I enabled telnet in inetd that someone could get in because of (-j sort)? I don't like that. All I want available to the internet are these 4 ports and only to those listed in NET? and HOST? On page http://www.sns.ias.edu/~jns/security/iptables/rules.html he has --sport on his INPUT rule and --dport on his OUTPUT rule > >What is on port 10,000? Do you want that open to the internet (it isn't >now, but from your script it looks like you want 22, 80, 81 and so on >open). This is Webmin. It's limited within Webmin to a couple of addresses. > >Also, you don't need "-m state" here. This is already defined in your >sort chain for everything. It said, allow ALL connections that are >already established. The only other ones are those that have yet to be >established. They are done so first through the input chain. > >Since you have the -m state....ESTABLISHED rule in your input chain >(you put it there when you added the '-j sort' chain below. In order to >open a port to the internet you need: > >/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT Does this include a port FROM the internet? > >> /usr/sbin/iptables -A INPUT -j sort >> >> echo "FORWARD Rule sets." >> /usr/sbin/iptables -A FORWARD -j sort >Why is this here? You said 'echo 0 > /proc/net/sys/ipv4/ip_forward' >This disabled fowarding. You don't need forwarding rules that allow >it! You aren't forwarding, you are proxying. Ok. I'll take this out. > > >> echo " OUTPUT Rule sets." >> /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT >> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state >> NEW,ESTABLISHED -j ACCEPT >> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state >> NEW,ESTABLISHED -j ACCEPT >> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 81 -m state --state >> NEW,ESTABLISHED -j ACCEPT >> /usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 10000 -m state --state >> NEW,ESTABLISHED -j ACCEPT >All of this does nothing. Your policy is set to -P OUTPUT ACCEPT. Thus >when the above rules fail it reads the policy and accepts it. Ok. I'll take this out. Or, thinking about your worm, would it be better to leave these in and make the policy DROP? > > >> echo "Redirect Web traffic through Dan's Guardian" >> /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT >> --to-port 8080 >> # or go around DansGuardian >> #/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT >> --to-port 3128 > >How does this redirect traffic? Web clients are configured to use port >80 by default, not 81. If you've configured them to use a proxy server >on port 81, why not configure them to use a proxy on 8080 and forget >about the redirect? This box is replacing a older one that is being phased out. The computers pointing to it are already using port 81 in their proxy settings. It's easier to just add this line. This box is offering up a web filtering service to BauerCom's customers who want it. he is also willing to offer this service to anyone else ($25.00/mo). I'm already getting requests from companies that are interested. If you think I'm going in the wrong direction with this, call me. Thanks > >Cory > >EuG-LUG mailing list >[EMAIL PROTECTED] >http://mailman.efn.org/cgi-bin/listinfo/eug-lug > -- Bob Crandell Assured Computing When you need to be sure. [EMAIL PROTECTED] www.assuredcomp.com Voice - 541-689-9159 FAX - 541-463-1627 Eugene, Oregon _______________________________________________ EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
