Virtual Networking between Debian and Microsoft Windows systems

2001-09-08 Thread emailaddy

Virtual Networking between Debian and Microsoft Windows systems

First of all, I'm not really looking for a detailed HOW-TO on how I
could build this system, although if there is such a thing I will
gladly read it. I'm mainly seeking discussion on the various methods
of implementing this system and the various security issues involved
as well as known good security policy practices for a system like this.

HERE'S WHAT I WANT TO DO

I want to set up a secure tunnel between my Debian system on a DSL
line and a remote machine which will probably be running some version
of Microsoft Windows that will most likely have a semi-fast connection
to the Internet such as DSL, Cable or ISDN.

The remote computer will possibly use some form of Kerberos
authentication to access certain computers on my LAN or just to access
the LAN itself.

I want to set it up so that I don't have to worry about a remote
machine, connected to my LAN in this manner, being able to packet
sniff my network traffic, spoof IP addresses on my LAN or use ARP,
etc. to hijack connections between my machines or connections between
my machines and machines on the Internet.

I would also like to know how to make a Debian machine act like a
managed switch because I don't have money to purchase one. I might
possibly be able to use firewall rules to do this but I don't know
how. I don't have much knowledge in this area. Using a managed switch
helps prevent the connection hijacking I talked about above, as far as
I know anyway. I think that this would possibly require a machine with
a bunch of NICs to act like a switch. Or I could possibly somehow
make the ARP in my machine only listen to certain MAC addresses,
although MACs can be faked.

I think some of you might be running this system on a corporate or
maybe a university system. I want to set this same system up at home
for a small number of users, mainly for the security offered but also
for the experience of learning how this can be implemented.

I was reading that the Microsoft PPTP protocol isn't all that secure
so I am trying to find an alternative type of tunneling protocol. As
for the actual protocol, anything that is very secure that will run on
both Debian and a Windows machine will be ok. I was thinking about
using something like blowfish for the actual encryption. I was reading
how using TCP/IP encapsulation (tunneling) over a TCP/IP type
connections like pppd is really prone to failure and SLOW connections.
What other kinds of connections are available for my application?

I also need to know the types of software needed for both a
Debian/Linux system on one end and a Microsoft Windows system on the
other end. This system will possibly use LDAP and/or Kerberos type
security with firewalls. Cost _IS_ a factor since I am mainly doing
this as a hobby and not for a company, etc. I simply don't have money
to spend buying some off the shelf type of tunneling system.

I can compile source DEB packages, etc. but am NOT a coder and have a
hard time applying a software patch unless it comes with detailed
instructions. I don't really like doing this as it is hard to keep up
to date with security patches when they are released because of the
complexity of applying patches to everything.

My eventual goal is to set up a secure corporate type of security
system (on a smaller scale without compromising security) with my
Debian. Using something similar to this maybe: (pardon my ASCII art
skills) (I can use multiple computers on my side of the connection if
necessary.)

+------------------------------+
| Microsoft Windows machine    |
|  remote user or a LAN        |
|  +---------------+           |       +----------+
|  | secure tunnel +-----------+-------+ Internet |
|  +---------------+           |       +----+-----+
+------------------------------+            |
                                            |
+------------------------------+            |
| Debian system                |            |
|  +---------------+           |            |
|  | secure tunnel +-----------+------------+
|  +-------+-------+           |
|          |                   |
|  +-------+-------+           |
|  | my local      |           |
|  | firewall      |           |
|  +-------+-------+           |
+----------+-------------------+
           |
+----------+-------------------+       +--------+
| access to systems or         +-------+ my LAN |
| services on my LAN           |       +--------+
+------------------------------+

I am probably leaving out some major details in my diagram. I would
like to find a good network model for the system I am trying to
implement.

Currently, I use PuTTY with SSH to access my Debian, which works OK.
However, I was wanting additional secure access to my Debian system
and my LAN from the outside.


WHAT I WANT TO KNOW

What cheap/free software solutions are available for implementing this
on a Windows platform?

What are the securi
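
An added example for the ARP hijacking part of the question above; it is not from the original post or from any reply in the thread. It pins the LAN hosts that matter to fixed MAC addresses on the Debian box (a permanent neighbour entry is not overwritten by ARP replies, so a tunnel peer sitting on the LAN cannot poison this host's cache) and checks a /proc/net/arp-style table against the pinned list, which is the "only listen to certain MAC addresses" idea from the post turned into something cron can run. The interface name (eth1), the addresses, the MACs and the sample ARP table are all constructed placeholders. As the post itself notes, this protects only this host's own cache: it does nothing for other machines on the segment or against a forged source MAC at the switch.

```shell
#!/bin/sh
# Added example, not from the post: pin the hosts that matter (gateway,
# servers the tunnel users may reach) to fixed MAC addresses on the
# Debian box, and check its neighbour table against that list.
# A permanent entry is not overwritten by ARP replies, so a peer on the
# LAN cannot redirect *this host's* traffic by poisoning its cache.
# It does nothing for the other hosts on the segment, and nothing
# against a forged source MAC at the switch port.
# Interface, addresses and MACs are assumed placeholders; every ip(8)
# call goes through $IP so the install step can be dry-run with IP=echo.

IP="${IP:-ip}"
DEV="${DEV:-eth1}"     # assumed: the LAN interface

# Constructed allowlist, "<ipv4> <mac>" per line.
PINNED="${PINNED:-192.168.1.1 00:11:22:33:44:55
192.168.1.10 00:11:22:33:44:66}"

# Install a permanent neighbour entry for every pinned host.
pin_arp() {
    echo "$PINNED" | while read -r addr mac; do
        [ -n "$addr" ] || continue
        $IP neigh replace "$addr" lladdr "$mac" nud permanent dev "$DEV"
    done
}

# Read a table in /proc/net/arp format from stdin, print one line per
# pinned address whose MAC differs from the list, and return 1 if any
# did. Addresses that are not pinned are ignored.
# Use:  check_arp < /proc/net/arp     (e.g. from cron, mailing the output)
check_arp() {
    awk -v pinned="$PINNED" '
        BEGIN {
            bad = 0
            n = split(pinned, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) want[f[1]] = tolower(f[2])
        }
        NR == 1 { next }                          # column header line
        ($1 in want) && tolower($4) != want[$1] { # $1 = IP, $4 = HW address
            printf "ARP mismatch: %s is %s, pinned %s\n", $1, $4, want[$1]
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample table: the gateway is as pinned, 192.168.1.10 is
# not (what a poisoned cache looks like), 192.168.1.50 is not pinned.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x6         00:11:22:33:44:55     *        eth1
192.168.1.10     0x1         0x2         de:ad:be:ef:00:01     *        eth1
192.168.1.50     0x1         0x2         00:11:22:33:44:77     *        eth1'

# Run the check on the sample; returns 1 because one mismatch is printed.
check_sample() {
    printf '%s\n' "$SAMPLE_ARP" | check_arp
}

# Usage:  sh pin-arp.sh pin          (installs the entries; needs root)
#         IP=echo sh pin-arp.sh pin  (prints what it would do)
if [ "${1:-}" = "pin" ]; then pin_arp; fi
```

Pinning has to cover every host the remote users are allowed to talk to, the default gateway included, or the unpinned ones remain poisonable; the check is what tells you when someone tried.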


Re: Bash scripting info needed.

2001-09-08 Thread Stefan Srdic

Thor wrote:

> Hi
>
> > I'm not sure I understand you correctly, but how about this:
> >
> > ## 0 == LOG
> > ## 1 == DROP
> > ## 2 == LOG & DROP
> > LOGTCP=2
> > if [ $LOGTCP -eq 0 ]; then
> >     # Log forbidden TCP datagrams
> >     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
> >         --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> > elif [ $LOGTCP -eq 1 ]; then
> >     # Disallow NEW and INVALID incoming from the external interface
> >     iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
> >     # Drop all TCP
> >     iptables -A TCP -j DROP
> > elif [ $LOGTCP -eq 2 ]; then
> >     # Log forbidden TCP datagrams
> >     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
> >         --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> >     # Drop all TCP (after the LOG rule, or nothing gets logged)
> >     iptables -A TCP --protocol tcp -j DROP
> > fi
> >
> > - James
>
> if the question is the above then IMHO it is better to use the "case" statement
>
> case "$LOGTCP" in
>     0)  # Log forbidden TCP datagrams
>         iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>             --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
>         ;;
>     1)  # Disallow NEW and INVALID incoming from the external interface
>         iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
>         # Drop all TCP
>         iptables -A TCP -j DROP
>         ;;
>     2)  # Log forbidden TCP datagrams
>         iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>             --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
>         # Drop all TCP (after the LOG rule, or nothing gets logged)
>         iptables -A TCP --protocol tcp -j DROP
>         ;;
> esac
>
> ---
> ;---+---;
> bye |
> bye |hor



Thanks for both of your replies. I guess my initial message might not
have been too clear; I'm glad to see that you guys got the essential goal
that I was working towards.


Are there any books on bash scripting that any of you would recommend? I
have browsed through the Advanced BASH Scripting HOW-TO over at
Linuxdoc, but I'd rather have something on paper.


Thanks again,

Stef




Re: What about doing security updates automatically?

2001-09-08 Thread Bryan Andersen
On the question:

What about doing security updates automatically?

I don't know about the rest of you, but here is my opinion...

As a sysadmin, programmer, jack of too many trades I maintain a 
number of systems under a number of different operating systems.  
As such I have to keep track of bug fixes as well as security 
updates, etc.  I feel if one goes to making a security update 
system, one should spend the time to make it more general and do 
it for regular bug fixes as well as general package upgrades 
too.  I have nothing against automatic systems so long as I can 
selectively turn them on and off at the package and general 
levels.  Ideally I'd like to be able to make a "test" suite that 
if it passes on an update the update is automatically accepted, 
but if it fails the update is backed out and I'm notified.  It 
should track what changes have been made, and have the ability 
to undo those changes at a later date.  This means replaced, 
modified and/or removed files, etc. must be saved so they can 
be restored.  I feel that this is an essential ingredient to the 
success of the system.  This backup function must be done.  I can
see a local option that allows for disabling the backup function, 
but it should be on by default.

Another thing to think about is if the update can't figure out 
how to upgrade the system in a "safe" manner it should not do 
the upgrade, but instead spool it for administrator input.  As
an example, think of changing a configuration file.  If the 
admin has made local customizations then the upgrade system 
should not do the upgrade, but instead spool it for admin 
interaction.  

Here ends my input for now...

-- 
|  Bryan Andersen   |   [EMAIL PROTECTED]   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen|



Re: Controlling the network throughput

2001-09-08 Thread Charl Matthee
On Fri Sep 07 2001 at 02:14:05PM +0200 'Marcin Krotkiewski' <[EMAIL PROTECTED]> 
wrote:

> I'm quite aware this post is somewhat off-topic, but I couldn't find a
>  proper list. Still I hope someone will be able to help me.

You should rather try the linux-net list. 

$ echo subscribe linux-net | mail [EMAIL PROTECTED]

You can find the archives at http://marc.theaimsgroup.com/?l=linux-net.

> And here is the problem...
> How can I divide my network throughput between the users (not necessarily 
> evenly)?
> I would like to limit the maximum speed with which someone is able to use my 
> connection.
> I tried to use something like "iptables -m limit" with no success.

You most probably want to search for CBQ in the linux-net archives. If
you need any further assistance please contact me privately.


Ciao

Charl
__

My opinions may have changed, but not the fact that I am right.
__

  [ Charl Matthee ] [ +27-11-721-3800 ]
  [ Reality Manufacturing ] [ +27-11-405-6508 ]
__



Controlling the network throughput

2001-09-08 Thread Marcin Krotkiewski
hi,
I'm quite aware this post is somewhat off-topic, but I couldn't find a
 proper list. Still I hope someone will be able to help me.

And here is the problem...
How can I divide my network throughput between the users (not necessarily 
evenly)?
I would like to limit the maximum speed with which someone is able to use my 
connection.
I tried to use something like "iptables -m limit" with no success.

I would appreciate any advice. thanks.

Marcin
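
The CBQ approach Charl's reply points at, as an added example for Marcin's question; it is not from either post. The reason "iptables -m limit" did not work is that the limit match counts rule matches per time interval (it is meant for things like rate-limiting LOG rules) and cannot cap throughput; bandwidth is shaped with tc on the interface the traffic leaves through. The script shapes on the LAN-facing interface, so it caps each host's downloads; the same structure on the external interface with "match ip src" caps uploads. The interface name, the link speeds, the host addresses and the per-host rates are assumed placeholders, and the allocation table is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: divide the link between LAN hosts
# with a CBQ qdisc (tc-cbq(8)). Every tc call goes through $TC, so
# TC=echo prints the commands instead of running them.
# Interface, speeds, hosts and rates are assumed placeholders.

TC="${TC:-tc}"
DEV="${DEV:-eth1}"             # assumed: LAN-facing interface (shapes downloads)
LINK="${LINK:-100mbit}"        # assumed: raw speed of $DEV; CBQ needs it for timing
UPLINK="${UPLINK:-512kbit}"    # assumed: what the Internet link really delivers

# Constructed allocation table: "<class id> <host ip> <rate>" per line.
# The ids become the minor numbers of the CBQ classes and must be unique.
ALLOC="${ALLOC:-10 192.168.1.10 256kbit
20 192.168.1.11 128kbit
30 192.168.1.12 128kbit}"

# Root qdisc and one parent class capped at the real uplink rate, so the
# queue forms here, where we control it, and not in the ISP's router.
shape_root() {
    $TC qdisc add dev "$DEV" root handle 1: cbq avpkt 1000 bandwidth "$LINK"
    $TC class add dev "$DEV" parent 1: classid 1:1 cbq bandwidth "$LINK" \
        rate "$UPLINK" allot 1500 prio 5 avpkt 1000 bounded isolated
}

# One class per host under 1:1, an SFQ leaf so one flow cannot starve the
# host's other flows, and a u32 filter steering the host's traffic into it.
# "bounded" makes the rate a hard cap; leave it out to let a host borrow
# idle bandwidth from its siblings (shares instead of limits).
shape_host() {
    id="$1"; host="$2"; rate="$3"
    $TC class add dev "$DEV" parent 1:1 classid "1:$id" cbq bandwidth "$LINK" \
        rate "$rate" allot 1500 prio 5 avpkt 1000 bounded
    $TC qdisc add dev "$DEV" parent "1:$id" handle "$id:" sfq perturb 10
    $TC filter add dev "$DEV" parent 1: protocol ip prio 16 u32 \
        match ip dst "$host" flowid "1:$id"
}

# Apply the whole table. Traffic that no filter matches is never put
# under 1:1, so it is not subject to the cap; add a catch-all class if
# that is not what you want.
shape_all() {
    shape_root
    echo "$ALLOC" | while read -r id host rate; do
        [ -n "$id" ] || continue
        shape_host "$id" "$host" "$rate"
    done
}

# Number of tc commands the table produces (checkable without root).
count_tc_commands() {
    ( TC=echo; shape_all ) | wc -l | tr -d ' '
}

# Usage:  sh shape.sh apply          (needs root)
#         TC=echo sh shape.sh apply  (dry run, prints the commands)
if [ "${1:-}" = "apply" ]; then shape_all; fi
```

Running it twice fails on "qdisc add" because the root already exists; delete with "tc qdisc del dev $DEV root" first when changing the table.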




Re: Bash scripting info needed.

2001-09-08 Thread Thor
Hi


> I'm not sure I understand you correctly, but how about this:
>
> ## 0 == LOG
> ## 1 == DROP
> ## 2 == LOG & DROP
> LOGTCP=2;
> if [ $LOGTCP -eq 0 ]; then
> #Log forbidden TCP datagrams
> iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>  --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> elif [ $LOGTCP -eq 1 ]; then
> # Disallow NEW and INVALID incoming from the external interface
> iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
> # Drop all TCP
> iptables -A TCP -j DROP
> elif [ $LOGTCP -eq 2 ]; then
> #Log forbidden TCP datagrams
> iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>  --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> iptables -A TCP --protocol tcp -j DROP
> fi

if the question is the above then IMHO it is better to use the "case" statement

case "$LOGTCP" in
    0)  # Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
        ;;
    1)  # Disallow NEW and INVALID incoming from the external interface
        iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
        # Drop all TCP
        iptables -A TCP -j DROP
        ;;
    2)  # Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
        # Drop all TCP (after the LOG rule, or nothing gets logged)
        iptables -A TCP --protocol tcp -j DROP
        ;;
esac




---
;---+---;
bye |
bye |hor
>
> - James
>
> -Original Message-
> From: Stefan Srdic [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 07, 2001 8:55 AM
> To: debian-security@lists.debian.org
> Subject: Bash scripting info needed.
>
>
> Hi,
>
> Once again I've re-written my firewall script. Only this time I've
> attempted to make use of a few loops and if statements to make my script
> prettier. I have no formal education in programming at all!! Please be
> patient with me :-D For reference I have been using some of the well
> written init scripts that come packaged with Debian.
>
> What I am attempting to do is have a variable that determines whether
> IPtables LOGs or DROPs datagrams or does both functions. So far I'm half
> way there.
>
> This is what I've come up with using the Linux Network Administrators
> Guide and the internet as a reference:
>
> #!/bin/sh
>
> # Define our path
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> export PATH
>
> #LOGTCP=1
>
> # Load IPTables module (s)
>
> depmod -a
> modprobe ip_tables || exit 1
>
> # Set the default policies on the filter table.
> for p in INPUT FORWARD OUTPUT; do
> iptables -t filter -P $p ACCEPT
> done
>
> # flush all rules and erase all user defined chains on all tables
> for t in filter nat mangle; do
> iptables -t $t -F
> iptables -t $t -X
> done
>
> # TCP filters
> # create a new chain for TCP communications
> iptables -N TCP 2>/dev/null
>
> # divert all TCP datagrams on all interfaces into the TCP chain
> iptables -A INPUT --protocol tcp -j TCP
> iptables -A OUTPUT --protocol tcp -j TCP
>
> # Allow full access on our localhost
> iptables -A TCP -i $LOOPBACK -j ACCEPT
> iptables -A TCP -o $LOOPBACK -j ACCEPT
>
> # Allow full access between our LAN and our host
> iptables -A TCP -i $LANIFACE -s $LAN -j ACCEPT
> iptables -A TCP -o $LANIFACE -d $LAN -j ACCEPT
>
> # Allow established and related connections
> iptables -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Allow new connections on external interface
> iptables -A TCP -m state --state NEW -i ! $EXTIFACE -j ACCEPT
>
> if [ "$LOGTCP" ]; then
> #Log forbidden TCP datagrams
> iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>  --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> else
> # Disallow NEW and INVALID incoming from the external interface
> iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
> # Drop all TCP
> iptables -A TCP -j DROP
> fi
>
> I've found (through trial and error) that if I uncomment $LOGTCP things
> are logged as they should be. However, I'm trying to figure out a way I
> could declare whether my script logs, drops, or does both actions
> according to the value of $LOGTCP.
>
> Is this possible > ?
>
> I would appreciate it if any of you could offer me some advice or even
> some insight on the basics of these statements.
>
> Thanks,
>
> Stef
>
>
>
>
>



RE: Bash scripting info needed.

2001-09-08 Thread James Morton
I'm not sure I understand you correctly, but how about this:

## 0 == LOG
## 1 == DROP
## 2 == LOG & DROP
LOGTCP=2
if [ $LOGTCP -eq 0 ]; then
    # Log forbidden TCP datagrams
    iptables -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
elif [ $LOGTCP -eq 1 ]; then
    # Disallow NEW and INVALID incoming from the external interface
    iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
    # Drop all TCP
    iptables -A TCP -j DROP
elif [ $LOGTCP -eq 2 ]; then
    # Log forbidden TCP datagrams
    iptables -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
    # Drop all TCP (after the LOG rule, or nothing gets logged)
    iptables -A TCP --protocol tcp -j DROP
fi

- James

-Original Message-
From: Stefan Srdic [mailto:[EMAIL PROTECTED]
Sent: Friday, September 07, 2001 8:55 AM
To: debian-security@lists.debian.org
Subject: Bash scripting info needed.


Hi,

Once again I've re-written my firewall script. Only this time I've
attempted to make use of a few loops and if statements to make my script
prettier. I have no formal education in programming at all!! Please be
patient with me :-D For reference I have been using some of the well
written init scripts that come packaged with Debian.

What I am attempting to do is have a variable that determines whether
IPtables LOGs or DROPs datagrams or does both functions. So far I'm half
way there.

This is what I've come up with using the Linux Network Administrators
Guide and the internet as a reference:

#!/bin/sh

# Define our path
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Interfaces and LAN range used below. The values are placeholders
# (the original post left these undefined); set them for your host.
LOOPBACK=lo
EXTIFACE=eth0
LANIFACE=eth1
LAN=192.168.1.0/24

#LOGTCP=1

# Load IPTables module (s)

depmod -a
modprobe ip_tables || exit 1

# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
    iptables -t filter -P $p ACCEPT
done

# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
    iptables -t $t -F
    iptables -t $t -X
done

# TCP filters
# create a new chain for TCP communications
iptables -N TCP 2>/dev/null

# divert all TCP datagrams on all interfaces into the TCP chain
iptables -A INPUT --protocol tcp -j TCP
iptables -A OUTPUT --protocol tcp -j TCP

# Allow full access on our localhost
iptables -A TCP -i $LOOPBACK -j ACCEPT
iptables -A TCP -o $LOOPBACK -j ACCEPT

# Allow full access between our LAN and our host
iptables -A TCP -i $LANIFACE -s $LAN -j ACCEPT
iptables -A TCP -o $LANIFACE -d $LAN -j ACCEPT

# Allow established and related connections
iptables -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections that did not arrive on the external interface
# (outgoing ones, which have no input interface, and ones from the LAN)
iptables -A TCP -m state --state NEW -i ! $EXTIFACE -j ACCEPT

if [ "$LOGTCP" ]; then
    # Log forbidden TCP datagrams
    iptables -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
else
    # Disallow NEW and INVALID incoming from the external interface
    iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
    # Drop all TCP
    iptables -A TCP -j DROP
fi

I've found (through trial and error) that if I uncomment $LOGTCP things
are logged as they should be. However, I'm trying to figure out a way I
could declare whether my script logs, drops, or does both actions
according to the value of $LOGTCP.

Is this possible > ?

I would appreciate it if any of you could offer me some advice or even
some insight on the basics of these statements.

Thanks,

Stef





--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
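
One way to do what this thread is working out, as an added example that is not from any of the posts: the LOG / DROP / LOG+DROP choice lives in a single function driven by LOGTCP, and every rule goes through an $IPT variable so the whole script can be dry-run with IPT=echo and checked before it touches a live box. Two things the posted script does not handle are built in: the DROP rule is always appended after the LOG rule (a packet that hits DROP never reaches a rule appended after it, so the other order logs nothing), and the chain policies are set to DROP before the flush, so the host is not open while rules are being replaced and so that LOG-only mode still drops what it logs instead of letting it fall through to an ACCEPT policy. Interface names and the LAN range are assumed placeholders; UDP and ICMP are outside the thread and are not handled here.

```shell
#!/bin/sh
# Added example (not from any post in the thread): the LOG / DROP /
# LOG+DROP choice the thread is after, in a form that can be dry-run.
# Every rule goes through $IPT, so running with IPT=echo prints the
# rules instead of installing them. Interface names and the LAN range
# are assumed placeholders; set them for the host this runs on.

IPT="${IPT:-iptables}"
EXTIFACE="${EXTIFACE:-eth0}"        # assumed: Internet-facing interface
LANIFACE="${LANIFACE:-eth1}"        # assumed: LAN-facing interface
LAN="${LAN:-192.168.1.0/24}"        # assumed: LAN address range
LOGTCP="${LOGTCP:-2}"               # 0 == LOG, 1 == DROP, 2 == LOG & DROP

# Rules for TCP packets that nothing earlier in the TCP chain accepted.
# The LOG rule is rate-limited so a scan cannot fill the log, and it is
# appended before the DROP rule: a packet that hits DROP never reaches
# anything appended after it.
tcp_tail_rules() {
    mode="$1"
    case "$mode" in
        0|1|2) ;;
        *) echo "tcp_tail_rules: LOGTCP must be 0, 1 or 2 (got '$mode')" >&2
           return 1 ;;
    esac
    if [ "$mode" -ne 1 ]; then
        $IPT -A TCP -m limit --limit 1/minute --limit-burst 4 \
            -j LOG --log-level debug --log-prefix 'Denied TCP: '
    fi
    if [ "$mode" -ne 0 ]; then
        $IPT -A TCP -j DROP
    fi
}

# The rest of the filter. Policies go to DROP *before* the flush, so
# the host is never open while rules are being replaced, and so that
# LOG-only mode (0) still drops what it logs by policy instead of
# letting it fall through to an ACCEPT policy.
build_firewall() {
    for p in INPUT FORWARD OUTPUT; do
        $IPT -t filter -P "$p" DROP
    done
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -N TCP 2>/dev/null || true
    $IPT -A INPUT  -p tcp -j TCP
    $IPT -A OUTPUT -p tcp -j TCP
    # loopback and the LAN are trusted
    $IPT -A TCP -i lo -j ACCEPT
    $IPT -A TCP -o lo -j ACCEPT
    $IPT -A TCP -i "$LANIFACE" -s "$LAN" -j ACCEPT
    $IPT -A TCP -o "$LANIFACE" -d "$LAN" -j ACCEPT
    # packets belonging to connections conntrack already knows
    $IPT -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections this host opens towards the Internet
    $IPT -A TCP -o "$EXTIFACE" -m state --state NEW -j ACCEPT
    # anything else (new inbound from the Internet, INVALID) reaches the tail
    tcp_tail_rules "$LOGTCP"
    # UDP and ICMP are outside the thread's scope; with DROP policies
    # they need their own chains (at least outbound DNS and ICMP errors).
}

# Number of rules the tail emits for a mode, without touching the kernel
# (1 for LOG, 1 for DROP, 2 for both).
count_tail_rules() {
    ( IPT=echo; tcp_tail_rules "$1" ) | wc -l | tr -d ' '
}

# Usage:  sh firewall.sh apply           (installs the rules; needs root)
#         IPT=echo sh firewall.sh apply  (prints what it would do)
if [ "${1:-}" = "apply" ]; then build_firewall; fi
```

The dry run is worth keeping even after the script works: diffing "IPT=echo sh firewall.sh apply" output before and after an edit shows exactly which rules changed, which is easier to review than the live "iptables -L -n" listing.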






Bash scripting info needed.

2001-09-08 Thread Stefan Srdic

Hi,

   Once again I've re-written my firewall script. Only this time I've 
attempted to make use of a few loops and if statements to make my script 
prettier. I have no formal education in programming at all!! Please be 
patient with me :-D For reference I have been using some of the well 
written init scripts that come packaged with Debian.


What I am attempting to do is have a variable that determines whether 
IPtables LOGs or DROPs datagrams or does both functions. So far I'm half 
way there.


This is what I've come up with using the Linux Network Administrators 
Guide and the internet as a reference:


#!/bin/sh

# Define our path
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Interfaces and LAN range used by the rules below. The post never sets
# these, so the values here are assumed placeholders; adjust them for your box.
LOOPBACK=lo
LANIFACE=eth0
EXTIFACE=eth1
LAN=192.168.1.0/24

#LOGTCP=1

# Load IPTables module(s)

depmod -a
modprobe ip_tables || exit 1

# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
   iptables -t filter -P $p ACCEPT
done

# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
   iptables -t $t -F
   iptables -t $t -X
done

# TCP filters
# create a new chain for TCP communications
iptables -N TCP 2>/dev/null

# divert all TCP datagrams on all interfaces into the TCP chain
iptables -A INPUT --protocol tcp -j TCP
iptables -A OUTPUT --protocol tcp -j TCP

# Allow full access on our localhost
iptables -A TCP -i $LOOPBACK -j ACCEPT
iptables -A TCP -o $LOOPBACK -j ACCEPT

# Allow full access between our LAN and our host
iptables -A TCP -i $LANIFACE -s $LAN -j ACCEPT
iptables -A TCP -o $LANIFACE -d $LAN -j ACCEPT

# Allow established and related connections
iptables -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections that do NOT arrive on the external interface
iptables -A TCP -m state --state NEW -i ! $EXTIFACE -j ACCEPT

if [ "$LOGTCP" ]; then
   # Log forbidden TCP datagrams (rate limited so the log cannot be flooded)
   iptables -A TCP --protocol tcp -m limit --limit 1/minute \
      --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
else
   # Disallow NEW and INVALID incoming from the external interface
   iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
   # Drop all TCP
   iptables -A TCP -j DROP
fi

I've found (through trial and error) that if I uncomment $LOGTCP things 
are logged as they should be. However, I'm trying to figure out a way I 
could declare whether my script logs, drops, or does both actions 
according to the value of $LOGTCP.


Is this possible?

I would appreciate it if any of you could offer me some advice or even 
some insight on the basics of these statements.


Thanks,

Stef






RE: Bash scripting info needed.

2001-09-08 Thread James Morton

I'm not sure I understand you correctly, but how about this:

## 0 == LOG
## 1 == DROP
## 2 == LOG & DROP
LOGTCP=2
if [ "$LOGTCP" -eq 0 ]; then
   # Log forbidden TCP datagrams
   iptables -A TCP --protocol tcp -m limit --limit 1/minute \
      --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
elif [ "$LOGTCP" -eq 1 ]; then
   # Disallow NEW and INVALID incoming from the external interface
   iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
   # Drop all TCP
   iptables -A TCP -j DROP
elif [ "$LOGTCP" -eq 2 ]; then
   # Log forbidden TCP datagrams; LOG is non-terminating, so the packet
   # continues to the DROP rule below
   iptables -A TCP --protocol tcp -m limit --limit 1/minute \
      --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
   # "-m" with no match name is an iptables syntax error; a plain DROP is meant
   iptables -A TCP --protocol tcp -j DROP
fi

- James

-Original Message-
From: Stefan Srdic [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 8:55 AM
To: [EMAIL PROTECTED]
Subject: Bash scripting info needed.


[quoted copy of Stefan's original post trimmed; it appears in full above]
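One way to keep the log/drop/both choice in a single place, combining the three modes from James's reply with the case form used in the reply at the top of the thread. This is an added example, not code from either message; EXTIFACE and the dry-run IPTABLES variable are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the "denied TCP" rules for a
# mode variable so the LOG / DROP / both decision lives in one function.
EXTIFACE=eth1               # assumed external interface name, adjust
IPTABLES="echo iptables"    # dry run: print the rules; set to "iptables" to apply them

# deny_tcp MODE
#   log  -> only the rate-limited LOG rule (what Stef's if-branch does)
#   drop -> only the DROP rules
#   both -> LOG first, then DROP. Order matters: LOG is a non-terminating
#           target, so a packet that is logged falls through to the DROP.
# Returns 0 for a known mode and 2 for an unknown one, so a typo in the
# config cannot silently leave the chain without a DROP.
deny_tcp() {
    mode="$1"
    case "$mode" in
        log|both)
            $IPTABLES -A TCP -p tcp -m limit --limit 1/minute --limit-burst 4 \
                -j LOG --log-level debug --log-prefix 'Denied TCP: '
            ;;
    esac
    case "$mode" in
        drop|both)
            # Keep the explicit external-interface rule so its counters show
            # how much of the dropped traffic was unsolicited from outside.
            $IPTABLES -A TCP -i "$EXTIFACE" -m state --state NEW,INVALID -j DROP
            $IPTABLES -A TCP -p tcp -j DROP
            ;;
        log)
            ;;
        *)
            echo "deny_tcp: unknown mode '$mode' (use log, drop or both)" >&2
            return 2
            ;;
    esac
}

# Number of rules a mode produces (handy for a sanity check before applying).
rule_count() {
    deny_tcp "$1" | wc -l | tr -d ' '
}
```

Run as-is the file only prints the rules; the chain itself must already exist (as in Stef's script) before IPTABLES is switched to the real binary.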