Axalon Bloodstone wrote:
> 
> On Sat, 21 Aug 1999, Steve Philp wrote:
> 
> > Axalon Bloodstone wrote:
> > >
> > > On Sat, 21 Aug 1999, Steve Fox wrote:
> > >
> > > > >
> > > > > 5.  I haven't found any package that will masquerade other LAN machines onto
> > > > > the internet.  Supposedly it can be done through ipchains scripts, but
> > > > > I haven't made any work yet.  I did use PaNTs which is supposed to work for
> > > > > RedHat 6 but I can't get anything through it on port 80 (web access).
> > > >
> > > > echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> > > > ipchains -P forward DENY
> > > > ipchains -I forward -j MASQ -s 192.168.0.0/16 -i eth0 -d 0/0
> > > > ipchains -I input -j DENY -s 192.168.0.0/16 -i ! eth0 -d 0/0 -l
> > > >
> >
> > I haven't played with IP chains yet, but I get the notion that I may be
> > using it to put a bigger choke mechanism on a web server box.  Could you
> > verify that my reading of the ipchains rules are correct?
> >
> > By default, deny all forwarding.  Allow forwarding of packets sourced on
> > 192.168. and received on eth0.  Deny forwarding of 192.168. packets that
> > did not get received on eth0.
> >
> > Is that correct?
> 
> First a demonstration of exactly what the above commands will accomplish
> 
> We have an existing private LAN, operating with non-internet-routable IP
> addresses. Say we have two interfaces, *0 and *1; * can be any type of
> network connection: eth, ppp, lo and all the others, it doesn't matter.
> 
> Both will be ethernet, your basic high-speed connections.
> We'll use eth0 for the private network (192.168.1.0/24 for this example),
> eth1 for the internet.
> 
> ##end /etc/rc.d/rc.firewall
> ##Begin Masq
> #Tell eth0 we want to be able to forward from it
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> #Setup a default reject on forwarding
> ipchains -P forward REJECT
> #Now the catch all logger
> ipchains -A forward -s 0/0 -d 0/0 -j DENY -l
> #Setup forwarding from the lan to anything not on it
> ipchains -I forward -s 192.168.1.0/24 -d \! 192.168.1.0/24 -i eth1 -j MASQ
> ##end Masq
> 
> So:
> only forward from eth0.
> By default, REJECT all forwarding requests.
> Append a DENY on everything, and log it
>         (too many overly talented ipv4 people out there; congratulations, I'm
>         paranoid).
> Insert a MASQ rule for our private LAN, "outgoing" only
>         (again the paranoid thing, some very talented source route'ers).
> 
> Now some rules when creating scripts like this.
> DOCUMENT every line or make some form of blocks, with comments; you WILL
>         forget eventually.
> Unless you're really getting creative with custom chains,
>         Appends (-A) should be used for DENY/REJECT commands
>         Inserts (-I) should be used for ACCEPT/MASQ commands
> This helps keep you (me) from getting denied when you swore you added
> the IP to the firewall, or prevents "well how the bleep did he even get to
> telnet, I had it firewalled" type situations. It basically just makes it
> look nice also.
> 
> And now we tackle
> 
> > I've got the following setup:  an ISDN connection that's terminated at a
> > Cisco router with 2 ethernet connections running their PIX firewall
> > software.  On one ether port (192.168.4.x), is our "Internet" network.
> > It currently houses one machine which acts as the web/email server for
> > outside connections.  Inside connections use that machine as their sole
> > gateway to the outside world (junkbuster and squid along with pop3 and
> > smtp services).  The other ether port (192.168.3.x) connects to our
> > internal network.
> >
> > I'd like to put a bigger limit on the kinds of things that the webserver
> > will allow to be sent into the internal network.  We need to allow the
> > squid and junkbuster conversations in, and I also need to be able to
> > talk to the machine via telnet from the internal connection.
> >
> > I'm not worried (much) about people being able to attack the internal
> > network from the Internet, since they're all private IP net addresses
> > that get nowhere when used on the Internet.  However, if someone is able
> > to break into the web box, they can see the internal network and talk to
> > it from there.  I'd prefer that not to be possible.
> >
> > Any ideas?
> 
> Following the same basic principles, everybody's with me, right?
> because here comes the fun part.
> 
> setup:
> ISDN to Cisco router,
> 2-port Cisco router, supplying
> 192.168.4.0/24 (cisco1 for lack of a better name)
> and an unused cisco0
> 192.168.4.254 will be our gateway, with an internet IP (provided by
>         Cisco's PIX firewall)
> This machine provides 192.168.3.0/24 with proxying via squid and
>         junkbuster
> with 192.168.3.254 as its internal IP
> 
> How can we strengthen this with ipchains, you ask? Well, let's see
> 
> ##
> # First verify forwarding is disabled
> echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
> # Default REJECT
> ipchains -P forward REJECT
> # DENY and log anyone's attempts to forward thru us
> ipchains -A forward -s 0/0 -d 0/0 -l -j DENY
> 
> # Ok, that's pretty basic, now we get paranoid
> 
> # DENY, and log any connections to us from inside as anything but our
> # gateway IP
> ipchains -I input -s 192.168.3.0/24 -d ! 192.168.3.254/32 -j DENY -l
> ##
> 
> You could go on to set up blockage on all ports to the gateway except squid,
> and telnet from all but the admin's IP, which would/should be excluded from
> the dhcp pool if dhcp is in use.
> 
> If you were to use a custom setup only slightly more complex than this you
> wind up with AOL's new security policies. You just need to figure out who's
> logged into what machine (think remote logging (*nix), or netlogins (the
> others)). Combine that with dhcp log monitoring and a script that alters
> ipchains to allow full access with masq, junkbuster or other such http
> filtering, and you'll actually be able to go relieve yourself and grab a
> coffee/beer/soda and know that your coworkers/employees/children aren't
> leering at smut while you're away.

Thanks for the tips.  I've printed them out to ponder over a cup of
coffee.  I'll be putting a few more lockdowns on the machine on Monday.

Primarily, I'm not concerned with the internal network.  The router is
set up to deny all Internet packets from inside that don't come from the
proxy machine.  I've got junkbuster set up to only allow access to about
5 "approved" sites (default deny is a wonderful thing!).  Squid is set up
to allow a select few to connect to it directly (mostly IS and executive
level -- those are assigned static IPs while the rest of the place is
DHCP); any other attempts at direct connections to Squid are sent
packing.

I'm mostly worried about closing up avenues to go from the .4.x machine
to the .3.x network.  If (god forbid) that web/email machine gets
cracked, I want there to be very little possibility of getting into the
internal network.  I suppose I could set up rules that only allow packets
originating from the 4.x machine and coming from ports 3128 and 8000
(squid, junkbuster) and to allow packets originating from inside on a
couple IPs.

Thanks again for the explanation of the IP chains stuff.

-- 
Steve Philp
Network Administrator
Advance Packaging Corp.
[EMAIL PROTECTED]
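To check a reading of rule sets like the ones quoted above without touching a live box, here is an added example (not from the thread or any ipchains tool) that simulates how ipchains walks a chain: rules in order, first match wins, then the default policy. It models the masquerading forward chain and the paranoid input rule from the thread, and shows why the "Append DENY / Insert MASQ" convention matters; it assumes, as the ipchains HOWTO documents, that `-i` on the forward chain names the interface the packet will leave by.

```python
import ipaddress

def _match(spec, value, as_net=False):
    """Evaluate one ipchains match (-s/-d as CIDR, -i as name) against a field.
    spec None = no match given, '0/0' = any address, leading '!' negates."""
    if spec is None:
        return True
    negated = spec.startswith("!")
    spec = spec.lstrip("! ")
    if as_net:
        net = ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)
        hit = ipaddress.ip_address(value) in net
    else:
        hit = value == spec
    return hit != negated

class Chain:
    """One ipchains chain: an ordered rule list in front of a default policy (-P)."""
    def __init__(self, policy):
        self.policy, self.rules = policy, []

    def add(self, flag, target, src=None, dst=None, iface=None):
        """-I inserts at the head of the chain, -A appends at the tail."""
        rule = (target, src, dst, iface)
        self.rules.insert(0, rule) if flag == "-I" else self.rules.append(rule)

    def verdict(self, src, dst, iface):
        """First matching rule's target wins; otherwise the chain policy applies."""
        for target, s, d, i in self.rules:
            if _match(s, src, True) and _match(d, dst, True) and _match(i, iface):
                return target
        return self.policy

def masq_forward_chain(insert_masq=True):
    """The rc.firewall masquerading script from the thread (eth1 = internet side).
    insert_masq=False appends the MASQ rule instead, as a deliberate mistake."""
    fwd = Chain("REJECT")                          # ipchains -P forward REJECT
    fwd.add("-A", "DENY", "0/0", "0/0")            # catch-all DENY (logged with -l)
    fwd.add("-I" if insert_masq else "-A", "MASQ",
            "192.168.1.0/24", "! 192.168.1.0/24", "eth1")
    return fwd

def gateway_input_chain():
    """The paranoid input rule: LAN hosts may talk only to the gateway's own IP."""
    inp = Chain("ACCEPT")                          # ipchains' default input policy
    inp.add("-I", "DENY", "192.168.3.0/24", "! 192.168.3.254/32")
    return inp

if __name__ == "__main__":
    fwd = masq_forward_chain()
    for pkt in [("192.168.1.10", "1.2.3.4", "eth1"), ("192.168.1.10", "192.168.1.20", "eth1")]:
        print(pkt, "->", fwd.verdict(*pkt))       # MASQ, then DENY
    print("MASQ appended after the DENY:", masq_forward_chain(False).verdict("192.168.1.10", "1.2.3.4", "eth1"))
```

The constructed packets are (source, destination, interface) triples; with the MASQ rule appended rather than inserted, the earlier catch-all DENY swallows every LAN packet, which is exactly the "I swore I added it" situation the thread warns about.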
