Ooops!
On Sat, 21 Aug 1999, Axalon Bloodstone wrote:
> On Sat, 21 Aug 1999, Steve Philp wrote:
>
> > Axalon Bloodstone wrote:
> > >
> > > On Sat, 21 Aug 1999, Steve Fox wrote:
> > >
> > > > >
> > > > > 5. I haven't found any package that will masquerade other LAN machines onto
> > > > > the internet. Supposedly it can be done through ipchains scripts, but
> > > > > I haven't made any work yet. I did use PaNTs which is supposed to work for
> > > > > RedHat 6 but I can't get anything through it on port 80 (web access).
> > > >
> > > > echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> > > > ipchains -P forward DENY
> > > > ipchains -I forward -j MASQ -s 192.168.0.0/16 -i eth0 -d 0/0
> > > > ipchains -I input -j DENY -s 192.168.0.0/16 -i ! eth0 -d 0/0 -l
> > > >
> >
> > I haven't played with IP chains yet, but I get the notion that I may be
> > using it to put a bigger choke mechanism on a web server box. Could you
> > verify that my reading of the ipchains rules are correct?
> >
> > By default, deny all forwarding. Allow forwarding of packets sourced on
> > 192.168. and received on eth0. Deny forwarding of 192.168. packets that
> > did not get received on eth0.
> >
> > Is that correct?
>
> First a demonstration of exactly what the above commands will accomplish
>
> We have an existing private lan, operating with non internet routable ip
> addresses. Say we have two interfaces, *0 and *1, * can be any type of
> network connection, eth ppp lo and all the others it doesn't matter.
>
> Both will be ethernet, your basic highspeed connections.
> We'll use eth0 for the private network (192.168.1.0/24 for this example)
> eth1 for internet.
>
> ##end /etc/rc.d/rc.firewall
> ##Begin Masq
> #Tell eth0 we want to be able to forward from it
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
# Tell eth1 we want to be able to forward to it
echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
> #Setup a default reject on forwarding
> ipchains -P forward REJECT
> #Now the catch all logger
> ipchains -A forward -s 0/0 -d 0/0 -j DENY -l
> #Setup forwarding from the lan to anything not on it
> ipchains -I forward -s 192.168.1.0/24 -d \! 192.168.1.0/24 -i eth1 -j MASQ
> ##end Masq
>
> So
> only forward from eth0.
> By default, REJECT all forwarding requests.
> Append, a DENY on everything, and log it
> (to many overly talented ipv4 people out there, congratulations i'm
> paranoid)
> Insert, a MASQ rule for our private lan. "outgoing" only
> (again the paranoid thing, some very talented source route'ers)
>
> Now some rules when creating scripts like this.
> DOCUMENT every line or make some form of blocks, with comments, you WILL
> forget eventually.
> Unless you're really getting creative with custom chains,
> Appends (-A) should be used for DENY/REJECT commands
> Inserts (-I) should be used for ACCEPT/MASQ commands
> This helps you to keep (me) from getting denied when you swore you added
> the ip to the firewall, or prevent "well how the bleep did he even get to
> telnet, i had it firewalled" type situations. It basically just makes it
> look nice also.
>
>
> And now we tackle
>
> > I've got the following setup: an ISDN connection that's terminated at a
> > Cisco router with 2 ethernet connections running their PIX firewall
> > software. On one ether port (192.168.4.x), is our "Internet" network.
> > It currently houses one machine which acts as the web/email server for
> > outside connections. Inside connections use that machine as their sole
> > gateway to the outside world (junkbuster and squid along with pop3 and
> > smtp services). The other ether port (192.168.3.x) connects to our
> > internal network.
> >
> > I'd like to put a bigger limit on the kinds of things that the webserver
> > will allow to be sent into the internal network. We need to allow the
> > squid and junkbuster conversations in, and I also need to be able to
> > talk to the machine via telnet from the internal connection.
> >
> > I'm not worried (much) about people being able to attack the internal
> > network from the Internet, since they're all private IP net addresses
> > that get nowhere when used on the Internet. However, if someone is able
> > to break into the web box, they can see the internal network and talk to
> > it from there. I'd prefer that not to be possible.
> >
> > Any ideas?
>
> following the same basic principles, everybody's with me right?,
> because here comes the fun part.
>
> setup:
> ISDN to Cisco router,
> 2port Cisco router, supplying
> 192.168.4.0/24 (cisco1 for lack of a better name)
> And an unused cisco0
> 192.168.4.254, Will be our gateway, with an internet IP (provided by
> Cisco's PIX firewall)
> This machine provides 192.168.3.0/24 with proxying via squid and
> junkbuster
> with 192.168.3.254, as its internal IP
>
>
> How can we strengthen this with ipchains you ask? well lets see
>
>
> ##
> # First verify forwarding is disabled
> echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
> # Default REJECT
> ipchains -P forward REJECT
> # DENY and log anyones attempts to forward thru us
> ipchains -A forward -s 0/0 -d 0/0 -l -j DENY
>
> # Ok thats pretty basic, now we get paranoid
>
> # DENY, and log any connections to us from inside as anything but our
> # gateway IP
> ipchains -I input -s 192.168.3.0/24 -d ! 192.168.3.254/32 -j DENY -l
> ##
>
> You could go on to setup blockage on all ports to the gateway except squid
> and telnet from all but the admins IP, which would/should be excluded from
> the dhcp pool if dhcp is in use.
>
> If you were to use a custom setup only slightly more complex than this you
> wind up with AOL's new security policies. You just need to figure out who's
> logged into what machine (think remote logging (*nix), or netlogins (the
> others)). Combine that with dhcp log monitoring and a script that alters
> ipchains to allow full access with masq, junkbuster or other such http
> filtering, and you'll actually be able to go relieve yourself and grab a
> coffee/beer/soda and know that your coworkers/employees/children aren't
> leering at smut while you're away.
>
>
>
> --
> MandrakeSoft http://www.mandrakesoft.com/
> --Axalon
>
>
--
MandrakeSoft http://www.mandrakesoft.com/
--Axalon
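The -A/-I ordering rule Axalon gives above (append DENY/REJECT, insert ACCEPT/MASQ), as an added example that is not part of this thread: a small Python model of an ipchains chain, evaluated against the forward rules from the rc.firewall script. The Rule and Chain classes and build_forward_chain are assumptions of this example, a simulation of first-match semantics rather than ipchains itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One ipchains rule: -s SRC -d [!] DST [-i IFACE] -j TARGET [-l]."""
    src: str                      # CIDR; "0/0" means any address
    dst: str
    iface: Optional[str]          # None matches any interface
    target: str                   # DENY, REJECT, ACCEPT or MASQ
    negate_dst: bool = False      # the "-d ! net" form used in the post
    log: bool = False             # -l


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "0/0" else cidr, strict=False)


class Chain:
    """Chain with a default policy; -A appends at the tail, -I inserts at the head."""

    def __init__(self, policy: str):
        self.policy, self.rules = policy, []

    def append(self, rule: Rule) -> None:      # ipchains -A
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:      # ipchains -I with no position => head
        self.rules.insert(0, rule)

    def verdict(self, src: str, dst: str, iface: str):
        """First matching rule wins; returns (target, logged)."""
        for r in self.rules:
            if ipaddress.ip_address(src) not in _net(r.src):
                continue
            if (ipaddress.ip_address(dst) in _net(r.dst)) == r.negate_dst:
                continue
            if r.iface is not None and r.iface != iface:
                continue
            return r.target, r.log
        return self.policy, False


def build_forward_chain(lan="192.168.1.0/24", wan_if="eth1", masq_via_insert=True) -> Chain:
    """Forward chain from the post: policy REJECT, appended catch-all DENY+log,
    then the MASQ rule for LAN -> non-LAN traffic leaving the internet interface."""
    chain = Chain("REJECT")
    chain.append(Rule("0/0", "0/0", None, "DENY", log=True))
    masq = Rule(lan, lan, wan_if, "MASQ", negate_dst=True)
    if masq_via_insert:
        chain.insert(masq)   # -I: MASQ sits ahead of the catch-all DENY
    else:
        chain.append(masq)   # the mistake the post warns about: never reached
    return chain
```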