> At 03:08 PM 2/15/99 +0200, Pieter Claassen wrote:
>>Just two questions please:
>>1. How do I civilly disable telnet login to a machine. We are running ssh
>>and I don't want the telnet daemon to start.
>
> check out /etc/inetd.
>
>>2. We are fed up with ipfwadm. As soon as we enable ipfwadm -I -p -deny and
>>only allow the specified ports to be open, then we get no traffic.


NO NO NO, ipfwadm is great - this may help you. Feel free to comment!
It works well for us.
Regards,
Bruce


#!/bin/sh
#
# *************************************************************************
# This script sets the Firewall and IP Masquerading
# options for Mitsi
# *************************************************************************
# Created by O. B. Stephens, April 20th, 1998.
# Last updated on May 26th, 1998!!
# *************************************************************************
# Reference:
# Dial-on-Demand mini-HOWTO, [EMAIL PROTECTED]
# Version 1.0, 28th July, 1996
# updated and submitted 29th February 1997.
#
# Linux IP Masquerade mini HOWTO
# Ambrose Au, [EMAIL PROTECTED]
# version 1.00, 1 January, 1997.
# Ambrose Au, [EMAIL PROTECTED]
# version 1.20, 10 November 1997.
#
# Firewalling and Proxy Server HOWTO
# Mark Grennan, [EMAIL PROTECTED]
# v0.4, 8 November 1996.
#
# Linux NET-3-HOWTO, Linux Networking
# Terry Dawson, VK2KTJ, [EMAIL PROTECTED]
# v1.2, 20 August 1997
#
# AND the most important the Linux IP Masquerade Resource web page
#
# *************************************************************************

FW=/sbin/ipfwadm

# Initially, flush ALL IP Forwarding -
# Incoming and Outgoing firewall rules.

# *************************************************************************
# Check and if necessary turn IP forwarding on!!!!!!!
ipfrwd=`/bin/cat /proc/sys/net/ipv4/ip_forward`

if [ "$ipfrwd" = "0" ];
then
  /bin/echo " IP Forwarding is off, enabling..."   >> /var/log/messages
  /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
fi
ipfrwd=`/bin/cat /proc/sys/net/ipv4/ip_forward`
if [ "$ipfrwd" = "0" ];
then
  /bin/cat /proc/sys/net/ipv4/ip_forward           >> /var/log/messages
  /bin/echo "Major problem enabling IP_forwarding" >> /var/log/messages
  exit 1
fi

# *************************************************************************

${FW} -F -f
${FW} -I -f
${FW} -O -f
${FW} -A -f

# *************************************************************************
# Local ethernet interface addresses are 192.168.0.1, ..1.1 and ..2.1 (aliases)
lip0="192.168.0.1"
mplink=0
interface="none"
device=""
baud_rate=115200
server_ip_address="0.0.0.0"
remote_ip_address="0.0.0.0"

if [ -f /var/run/mitsi-server-ppp-up ]; then
        mplink=`/bin/cat /var/run/mitsi-server-ppp-up`
fi

if [ "$mplink" = "1" ];
then
        parameters=`/bin/cat /var/run/mitsi-server.parameters`
        interface=`/bin/echo "$parameters" | /bin/awk '{print $1}'`
        device=`/bin/echo "$parameters" | /bin/awk '{print $2}'`
        baud_rate=`/bin/echo "$parameters" | /bin/awk '{print $3}'`
        server_ip_address=`/bin/echo "$parameters" | /bin/awk '{print $4}'`
        remote_ip_address=`/bin/echo "$parameters" | /bin/awk '{print $5}'`
fi

cip="$server_ip_address"
msk=32
# /bin/echo "Server or Local IP address is >>$cip/$msk<<" >> /var/log/messages

# *************************************************************************
# Setup the rules governing packets INCOMING TO the EXTERNAL interface first
# --- will need to change this for the Cyclades dialup facility.
# *************************************************************************

# To quote Terry Dawson - NET-3-HOWTO below...
# First off, seal off the PPP interface
# I'd love to use '-a deny' instead of '-a reject -y' but then it
# would be impossible to originate connections on that interface too.
# The -o causes all [rejected] datagrams to be logged. This trades
# disk space against knowledge of an attack or configuration error.

# *************************************************************************

# Change the default policy for INCOMING to 'accept'
${FW} -I -p accept

if [ "$mplink" = "1" ];
then
# Now start closing things down. We are trying to protect the server

# Nothing coming from the loopback network should ever be seen
  ${FW} -I -a deny      -o        -V $cip -S 127.0.0.0/8 -D $cip/$msk

# Reject and log any attempt to use the 192.168 addresses FROM the outside.
  ${FW} -I -a reject    -o -P tcp -V $cip -S 192.168.0.0/16 -D 0/0
  ${FW} -I -a reject    -o -P udp -V $cip -S 192.168.0.0/16 -D 0/0

# Reject and log spoofing from anyone claiming to be this server.
  ${FW} -I -a reject    -o -P tcp -V $cip -S $cip/$msk  -D 0/0
  ${FW} -I -a reject    -o -P udp -V $cip -S $cip/$msk  -D 0/0

# Don't respond to dangerous ports like NFS(2049) and Larry McVoy's NFS
# extension(2050). Deny both TCP and UDP and log it: the 1024:65535
# accepts further down would otherwise let these through.
# If you run squid, add its port here. no specified incoming interface.
  ${FW} -I -a deny      -o -P tcp -V $cip -S 0/0        -D $cip/$msk 2049 2050
  ${FW} -I -a deny      -o -P udp -V $cip -S 0/0        -D $cip/$msk 2049 2050

# Throw away certain kinds of obviously forged packets right away:
# Nothing should come from multicast/anycast/broadcast addresses
# 224 to 239 and anything greater than 239 is reserved
# NO SPECIFIED INCOMING INTERFACE.

# ${FW} -I -a reject    -o                -S 224.0/3    -D 0/0

# Reject any TCP (only) requests to the identd(113)
# We use 'reject' here so that the connecting host is told
# straight away not to bother continuing, otherwise we'd experience
# delays while ident timed out. NO SPECIFIED INCOMING INTERFACE
# Experimental : accept : May 1998
  ${FW} -I -a reject    -o -P tcp         -S 0/0        -D $cip/$msk 113
  ${FW} -I -a reject    -o -P udp         -S 0/0        -D $cip/$msk 113

# Accept incoming http(80) connections to the local web server
  ${FW} -I -a accept       -P tcp -V $cip -S 0/0        -D $cip/$msk 80
# Accept incoming ftp(20 and 21) connections
  ${FW} -I -a accept       -P tcp -V $cip -S 0/0        -D $cip/$msk 20:21
# REJECT incoming telnet(23) requests
# Temporarily accept (and log) incoming telnet(23) requests instead
  ${FW} -I -a accept    -o -P tcp -V $cip -S 0/0        -D $cip/$msk 23
# Accept incoming SMTP(25) connections to the local Mail Server.
  ${FW} -I -a accept       -P tcp -V $cip -S 0/0        -D $cip/$msk 25
# Accept incoming POP3(110) connections.
  ${FW} -I -a accept       -P tcp -V $cip -S 0/0        -D $cip/$msk 110
# Accept incoming DNS(53) requests, UDP as well as TCP
  ${FW} -I -a accept       -P tcp -V $cip -S 0/0        -D $cip/$msk 53
  ${FW} -I -a accept       -P udp -V $cip -S 0/0        -D $cip/$msk 53
# Accept replies to connections opened from this side. ipfwadm is
# stateless, so return packets to the unprivileged ports must be let in
# explicitly; this range also covers the kernel's masquerade ports, which
# is why replies to masqueraded clients get through the input chain.
# NOTE: as written this also admits NEW connections to any service
# listening above 1023 that was not denied earlier. Adding -k to the tcp
# rule restricts it to packets with ACK set, i.e. to replies only.
  ${FW} -I -a accept       -P tcp -V $cip -S 0/0        -D $cip/$msk 1024:65535
  ${FW} -I -a accept       -P udp -V $cip -S 0/0        -D $cip/$msk 1024:65535

# Permit pings.
  ${FW} -I -a accept       -P icmp        -S 0/0        -D $cip/$msk
fi

# *************************************************************************
# Setup the rules governing packets INCOMING TO the INTERNAL interface
# Masquerading later.
# *************************************************************************
# Choice : Trust the internal users and allow general connections -
# or Allow SPECIFIC users to connect to the server.

${FW} -I -a accept       -P tcp -V $lip0 -S 192.168.0.0/16 -D $lip0/32
${FW} -I -a accept       -P udp -V $lip0 -S 192.168.0.0/16 -D $lip0/32

# *************************************************************************
# Change the default policy for OUTGOING to 'accept'
${FW} -O -p accept

# Accept outgoing from the local server to anywhere
if [ "$mplink" = "1" ];
then
  ${FW} -O -a accept                     -S $cip/32        -D 0/0
fi

${FW} -O -a accept                       -S 0/0            -D 192.168.0.0/16
${FW} -O -a accept                       -S 192.168.0.1/32 -D 192.168.0.0/16
${FW} -O -a accept                       -S 127.0.0.0/8    -D 127.0.0.0/8

# If a packet carrying a 192.168 address reaches the external interface
# unmasqueraded, masquerading or routing has failed: deny and log it.
if [ "$mplink" = "1" ];
then
  ${FW} -O -a deny   -o         -V $cip  -S 192.168.0.0/16 -D 0/0
  ${FW} -O -a deny   -o         -V $cip  -S 0/0            -D 192.168.0.0/16
fi

# Final catch rule, all other outgoing requests
${FW} -O -a deny   -o                    -S 0/0            -D 0/0

# *************************************************************************
# Setup Masquerading options from the Internal network to the INTERNET
# *************************************************************************

# Change the default policy for FORWARDING to 'deny'
${FW} -F -p deny

# Masquerade from the local network to anywhere. Temporarily log
# NO SPECIFIED INCOMING INTERFACE.
${FW} -F -a masquerade                  -S 192.168.0.0/16 -D 0/0
${FW} -F -a deny   -o                   -S 0/0            -D 0/0

# Define the masquerading timeout options.
# Masqueraded timeout values (tcp tcpfin udp); 0 leaves a value unchanged.
${FW} -M -s 3600 0 0

# *************************************************************************
# Final catch rule, all other incoming requests
# THROUGH THE EXTERNAL INTERFACE for the local server are denied and logged.
# Both tcp and udp but not icmp, well not yet.
# *************************************************************************
if [ "$mplink" = "1" ];
then
  ${FW} -I -a reject -o -P tcp -V $cip -S 0/0 -D $cip/$msk
  ${FW} -I -a reject -o -P udp -V $cip -S 0/0 -D $cip/$msk
fi

# *************************************************************************
# Load the modules for the specific protocols
# *************************************************************************
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_vdolive
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_quake
# *************************************************************************
# Accept current accounting rules
# *************************************************************************
${FW} -A in  -i -S 192.168.0.0/16 -D 0/0
${FW} -A out -i -S 192.168.0.0/16 -D 0/0
${FW} -A in  -i -S 0/0 -D 192.168.0.0/16
${FW} -A out -i -S 0/0 -D 192.168.0.0/16

# ${FW} -F -l -n >> /var/log/messages
# ${FW} -I -l -n >> /var/log/messages
# ${FW} -I -l -n
# ${FW} -O -l -n
# ${FW} -F -l -n

# *************************************************************************





>>What is ironic is that http will get forwarded (masqueraded) to the subnet,
>>but the gateway machine cannot see any protocol|any port. I know that
>>ipfwadm pulls masqueraded packets away before the forwarding filter. What
>>about the input filter.
>
> Input filters will be checked before anything else. This is especially
> true of masqueraded packets, because they're not forwarded in quite the same
> way. On the way in (from the outside world), they look like packets
> directed at the firewall (not the machines behind it), so if the input
> filter is set to deny, nothing will ever get to the masquerading code. I
> didn't think the forwarding would be used for the masqueraded packets, just
> input-->masq-->output. But then I'm not much of an expert with this :-)
>
>>Is there any way that I can test what services are running on what ports
>>(ie. if some of the services on the machine was started with non
>>/etc/services port no.'s)
>
> netstat -ae will show all open sockets, including listening sockets.
>
>
> Tristan
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]

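Pieter's second question (switch the input chain to "-p deny" and nothing gets through) and Tristan's point that masqueraded replies hit the input chain before the masquerading code both come down to the same thing: ipfwadm keeps no connection state, so a default-deny input chain has to let the return traffic in by hand. The script below is an added example, not Bruce's script and not code from any of the HOWTOs he cites. It keeps the default policy at deny and opens only what a gateway actually needs: its own published services, ACK-only TCP replies (ipfwadm's -k flag), the kernel's masquerade port range, DNS answers from one resolver, and ICMP. The addresses (EXT_IP, LAN_IP, DNS_SERVER) are placeholders, the masquerade range 61000:65096 is assumed for a 2.2 kernel (check PORT_MASQ_BEGIN and PORT_MASQ_END in the running kernel's ip_masq.h), and the use of -W lo for the loopback interface assumes an ipfwadm that supports interface names. The rules are generated as text first so they can be read before they are applied.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny ipfwadm INPUT
# chain that still carries traffic. Placeholders, all assumptions:
#   EXT_IP      the gateway's external (PPP) address
#   LAN_IP/LAN  the gateway's inside address and the masqueraded network
#   DNS_SERVER  the resolver the gateway queries
#   MASQ_PORTS  the kernel's masquerade port range (ip_masq.h)
# gen_input_rules prints the ipfwadm commands in order so they can be
# reviewed or piped to sh; apply_input_rules runs them if ipfwadm exists.

EXT_IP="${EXT_IP:-192.0.2.2}"
LAN_IP="${LAN_IP:-192.168.0.1}"
LAN="192.168.0.0/16"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
MASQ_PORTS="${MASQ_PORTS:-61000:65096}"
FW="ipfwadm"

gen_input_rules() {
    ext="$EXT_IP/32"
    # Flush, then set the default policy BEFORE appending anything: rules
    # are matched first-to-last and the policy only decides the leftovers.
    echo "$FW -I -f"
    echo "$FW -I -p deny"
    # Loopback and the inside network are trusted.
    echo "$FW -I -a accept -W lo"
    echo "$FW -I -a accept -V $LAN_IP -S $LAN -D 0/0"
    # Spoofed sources arriving on the outside address: drop and log (-o).
    echo "$FW -I -a deny -o -V $EXT_IP -S 127.0.0.0/8 -D 0/0"
    echo "$FW -I -a deny -o -V $EXT_IP -S $LAN -D 0/0"
    echo "$FW -I -a deny -o -V $EXT_IP -S $ext -D 0/0"
    # Services the gateway offers to the Internet: one rule per port.
    for port in 22 25 80; do
        echo "$FW -I -a accept -P tcp -V $EXT_IP -S 0/0 -D $ext $port"
    done
    # Replies to TCP connections the gateway opened itself. -k matches only
    # packets with ACK set, so a fresh SYN to a high port still meets the
    # default deny. This is the rule a bare "-p deny" configuration forgets.
    echo "$FW -I -a accept -k -P tcp -V $EXT_IP -S 0/0 -D $ext 1024:65535"
    # Replies to masqueraded LAN clients arrive addressed to the gateway's
    # masquerade ports and pass INPUT before they are demasqueraded. No -k
    # here: active-mode FTP data connections arrive as SYNs on these ports,
    # and the masquerade table drops anything without a mapping anyway.
    echo "$FW -I -a accept -P tcp -V $EXT_IP -S 0/0 -D $ext $MASQ_PORTS"
    echo "$FW -I -a accept -P udp -V $EXT_IP -S 0/0 -D $ext $MASQ_PORTS"
    # UDP DNS answers, only from the resolver we actually ask.
    echo "$FW -I -a accept -P udp -V $EXT_IP -S $DNS_SERVER/32 53 -D $ext 1024:65535"
    # ICMP (ping, unreachables, path-MTU discovery).
    echo "$FW -I -a accept -P icmp -V $EXT_IP -S 0/0 -D $ext"
}

# Returns 0 after applying, 2 when ipfwadm is not installed (dry run only).
apply_input_rules() {
    if ! command -v "$FW" >/dev/null 2>&1; then
        echo "$FW not found; run gen_input_rules to see what would be applied" >&2
        return 2
    fi
    gen_input_rules | sh -e
}

case "${1:-}" in
    --apply) apply_input_rules ;;
    *)       gen_input_rules ;;
esac
```

Run it without arguments to review the rule list; run it with --apply as root on the gateway once the placeholders are set. The -F masquerade and -O rules from Bruce's script are unchanged by this: the point is only that with the default at deny, every accept on the input chain has to name either a service you publish or a kind of reply you expect, and that the masquerade port range counts as such a reply.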