Re: [expert] Linux Mandrake 6.0 Question (Ip Masq Tutorial. v0.0.1)

1999-08-21 Thread Axalon Bloodstone

On Sun, 22 Aug 1999, Steve Philp wrote:

> Thanks for the tips.  I've printed them out to ponder over a cup of
> coffee.  I'll be putting a few more lockdowns on the machine on Monday.
> 
> Primarily, I'm not concerned with the internal network.  The router is
> set up to deny all Internet packets from inside that don't come from the
> proxy machine.  I've got junkbuster set up to only allow access to about
> 5 "approved" sites (default deny is a wonderful thing!).  Squid is set up
> to allow a select few to connect to it directly (mostly IS and executive
> level -- those are assigned static IPs while the rest of the place is
> DHCP); any other attempts at direct connections to Squid are sent
> packing.
> 
> I'm mostly worried about closing up avenues to go from the .4.x machine
> to the .3.x network.  If (god forbid) that web/email machine gets
> cracked, I want there to be very little possibility of getting into the
> internal network.  I suppose I could set up rules that only allow packets
> originating from the 4.x machine and coming from ports 3128 and 8000
> (squid, junkbuster) and to allow packets originating from inside on a
> couple IPs.

Something like:

ipchains -A input -s 192.168.3.0/24 -d 0/0 -j DENY -l -b
ipchains -A output -s 192.168.3.0/24 -d 0/0 -j DENY -l -b

That should pretty much throw a wrench into things, and you'll need to
make a hole for the proxies.
 
> Thanks again for the explanation of the IP chains stuff.

--
MandrakeSoft  http://www.mandrakesoft.com/
--Axalon
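The two DENY rules above, as a constructed first-match simulation added here (not code from the thread and not ipchains itself): it models the semantics the advice relies on, namely chain policy, -A append versus -I insert, the second copy with source and destination swapped that -b installs, and -l logging, and then runs constructed sample packets through the proxy box's input and output chains. The ACCEPT "holes" for squid (3128) and junkbuster (8000), the gateway address 192.168.3.254 and the sample client hosts are assumptions for this example; the two ports are the ones Steve named above, and 192.168.3.254 is the internal IP used later in the thread.

```python
"""First-match simulator for the ipchains rules discussed in this thread.

Constructed teaching model, not ipchains: reproduces chain policy (-P),
-A append vs -I insert, -b (second copy with src/dst swapped) and -l
logging, then evaluates constructed sample packets against Axalon's two
DENY rules with and without an assumed "hole for the proxies".
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def _in_net(spec: str, addr: str) -> bool:
    """Match an address against an ipchains-style spec: '0/0', 'a.b.c.d/len',
    a bare host, or '! spec' for negation."""
    negate = spec.startswith("!")
    spec = spec.lstrip("! ")
    if spec == "0/0":                       # ipchains shorthand for "any address"
        spec = "0.0.0.0/0"
    return (ip_address(addr) in ip_network(spec, strict=False)) != negate


@dataclass
class Rule:
    target: str                             # -j: ACCEPT, DENY, REJECT or MASQ
    src: str = "0/0"                        # -s
    dst: str = "0/0"                        # -d
    proto: Optional[str] = None             # -p
    sport: Optional[int] = None             # source port
    dport: Optional[int] = None             # destination port
    log: bool = False                       # -l

    def matches(self, pkt: Dict) -> bool:
        return (_in_net(self.src, pkt["src"]) and _in_net(self.dst, pkt["dst"])
                and self.proto in (None, pkt["proto"])
                and self.sport in (None, pkt["sport"])
                and self.dport in (None, pkt["dport"]))

    def swapped(self) -> "Rule":
        """The second copy that -b installs: source and destination exchanged."""
        return Rule(self.target, self.dst, self.src, self.proto,
                    self.dport, self.sport, self.log)


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"                  # -P
    rules: List[Rule] = field(default_factory=list)
    logged: List[str] = field(default_factory=list)

    def append(self, rule: Rule, bidir: bool = False) -> None:   # -A [-b]
        self.rules.append(rule)
        if bidir:
            self.rules.append(rule.swapped())

    def insert(self, rule: Rule, bidir: bool = False) -> None:   # -I [-b]
        if bidir:
            self.rules.insert(0, rule.swapped())
        self.rules.insert(0, rule)

    def evaluate(self, pkt: Dict) -> str:
        """First matching rule decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.logged.append(f"{self.name} {rule.target} {pkt['src']}:{pkt['sport']}"
                                       f" -> {pkt['dst']}:{pkt['dport']}/{pkt['proto']}")
                return rule.target
        return self.policy


GATEWAY = "192.168.3.254"   # assumed internal IP of the proxy box
LAN = "192.168.3.0/24"


def proxy_box_chains(with_holes: bool) -> Tuple[Chain, Chain]:
    """Axalon's two rules, optionally preceded by assumed ACCEPT holes for the proxies."""
    inp, out = Chain("input"), Chain("output")
    # ipchains -A input  -s 192.168.3.0/24 -d 0/0 -j DENY -l -b
    inp.append(Rule("DENY", LAN, "0/0", log=True), bidir=True)
    # ipchains -A output -s 192.168.3.0/24 -d 0/0 -j DENY -l -b
    out.append(Rule("DENY", LAN, "0/0", log=True), bidir=True)
    if with_holes:
        # Assumption: one inserted (-I) ACCEPT per proxy port and direction, so the
        # hole sits in front of the appended DENY (the -I/-A ordering rule of the thread).
        for port in (3128, 8000):
            inp.insert(Rule("ACCEPT", LAN, GATEWAY, "tcp", dport=port))
            out.insert(Rule("ACCEPT", GATEWAY, LAN, "tcp", sport=port))
    return inp, out


def pkt(src, sport, dst, dport, proto="tcp") -> Dict:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


# Constructed traffic: proxy requests and a reply, a telnet attempt from the LAN,
# and a connection the gateway itself originates toward an internal host.
TRAFFIC = {
    "squid_request":      ("input",  pkt("192.168.3.10", 40000, GATEWAY, 3128)),
    "squid_reply":        ("output", pkt(GATEWAY, 3128, "192.168.3.10", 40000)),
    "junkbuster_request": ("input",  pkt("192.168.3.11", 40001, GATEWAY, 8000)),
    "telnet_from_lan":    ("input",  pkt("192.168.3.10", 40002, GATEWAY, 23)),
    "gateway_to_lan":     ("output", pkt(GATEWAY, 45000, "192.168.3.20", 23)),
}


def decisions(with_holes: bool) -> Tuple[Dict[str, str], List[str]]:
    """Verdict per sample packet plus the -l log entries the DENY rules produced."""
    chains = dict(zip(("input", "output"), proxy_box_chains(with_holes)))
    verdicts = {name: chains[ch].evaluate(p) for name, (ch, p) in TRAFFIC.items()}
    return verdicts, chains["input"].logged + chains["output"].logged


if __name__ == "__main__":
    for holes in (False, True):
        verdicts, logs = decisions(holes)
        print("with proxy holes:" if holes else "DENY rules alone:", verdicts)
        for line in logs:
            print("  log:", line)
```

With the two DENY rules alone, every sample packet, squid's own reply included, is denied and logged, which is why the hole is needed at all; with the ACCEPT holes inserted ahead of the appended DENY, proxy traffic passes while the telnet attempt from the LAN and the connection the gateway itself originates into the internal network still hit the logged DENY.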
Re: [expert] Linux Mandrake 6.0 Question (Ip Masq Tutorial. v0.0.1)

1999-08-21 Thread Steve Philp

Axalon Bloodstone wrote:
> 
> On Sat, 21 Aug 1999, Steve Philp wrote:
> 
> > Axalon Bloodstone wrote:
> > >
> > > On Sat, 21 Aug 1999, Steve Fox wrote:
> > >
> > > > >
> > > > > 5.  I haven't found any package that will masquerade other LAN machines onto
> > > > > the internet.  Supposedly it can be done through ipchains scripts, but
> > > > > I haven't made any work yet.  I did use PaNTs which is supposed to work for
> > > > > RedHat 6 but I can't get anything through it on port 80 (web access).
> > > >
> > > > echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> > >   ipchains -P forward DENY
> > > > ipchains -I forward -j MASQ -s 192.168.0.0/16 -i eth0 -d 0/0
> > > > ipchains -I input -j DENY -s 192.168.0.0/16 -i ! eth0 -d 0/0 -l
> > > >
> >
> > I haven't played with IP chains yet, but I get the notion that I may be
> > using it to put a bigger choke mechanism on a web server box.  Could you
> > verify that my reading of the ipchains rules are correct?
> >
> > By default, deny all forwarding.  Allow forwarding of packets sourced on
> > 192.168. and received on eth0.  Deny forwarding of 192.168. packets that
> > did not get received on eth0.
> >
> > Is that correct?
> 
> First a demonstration of exactly what the above commands will accomplish
> 
> We have an existing private LAN, operating with non-Internet-routable IP
> addresses. Say we have two interfaces, *0 and *1; * can be any type of
> network connection (eth, ppp, lo and all the others), it doesn't matter.
> 
> Both will be Ethernet, your basic high-speed connections.
> We'll use eth0 for the private network (192.168.1.0/24 for this example),
> eth1 for the Internet.
> 
> ##end /etc/rc.d/rc.firewall
> ##Begin Masq
> #Tell eth0 we want to be able to forward from it
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> #Setup a default reject on forwarding
> ipchains -P forward REJECT
> #Now the catch all logger
> ipchains -A forward -s 0/0 -d 0/0 -j DENY -l
> #Setup forwarding from the lan to anything not on it
> ipchains -I forward -s 192.168.1.0/24 -d \! 192.168.1.0/24 -i eth1 -j MASQ
> ##end Masq
> 
> So:
> only forward from eth0.
> By default, REJECT all forwarding requests.
> Append a DENY on everything, and log it
> (too many overly talented IPv4 people out there; congratulations, I'm
> paranoid).
> Insert a MASQ rule for our private LAN, "outgoing" only
> (again the paranoid thing, some very talented source-routers).
> 
> Now some rules when creating scripts like this.
> DOCUMENT every line or make some form of blocks, with comments; you WILL
> forget eventually.
> Unless you're really getting creative with custom chains,
> Appends (-A) should be used for DENY/REJECT commands,
> Inserts (-I) should be used for ACCEPT/MASQ commands.
> This helps keep you (me) from getting denied when you swore you added
> the IP to the firewall, or prevent "well how the bleep did he even get to
> telnet, I had it firewalled" type situations. It basically just makes it
> look nice also.
> 
> And now we tackle
> 
> > I've got the following setup:  an ISDN connection that's terminated at a
> > Cisco router with 2 ethernet connections running their PIX firewall
> > software.  On one ether port (192.168.4.x), is our "Internet" network.
> > It currently houses one machine which acts as the web/email server for
> > outside connections.  Inside connections use that machine as their sole
> > gateway to the outside world (junkbuster and squid along with pop3 and
> > smtp services).  The other ether port (192.168.3.x) connects to our
> > internal network.
> >
> > I'd like to put a bigger limit on the kinds of things that the webserver
> > will allow to be sent into the internal network.  We need to allow the
> > squid and junkbuster conversations in, and I also need to be able to
> > talk to the machine via telnet from the internal connection.
> >
> > I'm not worried (much) about people being able to attack the internal
> > network from the Internet, since they're all private IP net addresses
> > that get nowhere when used on the Internet.  However, if someone is able
> > to break into the web box, they can see the internal network and talk to
> > it from there.  I'd prefer that not to be possible.
> >
> > Any ideas?
> 
> Following the same basic principles, everybody's with me, right?
> Because here comes the fun part.
> 
> Setup:
> ISDN to Cisco router,
> 2-port Cisco router, supplying
> 192.168.4.0/24 (cisco1 for lack of a better name)
> and an unused cisco0.
> 192.168.4.254 will be our gateway, with an Internet IP (provided by
> Cisco's PIX firewall).
> This machine provides 192.168.3.0/24 with proxying via squid and
> junkbuster,
> with 192.168.3.254 as its internal IP.
> 
> How can we strengthen this with ipchains, you ask? Well, let's see.
> 
> ##
> # First verify forwarding is disabled
> echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
> # Default REJECT
> ipchains -P forward REJECT
> # DENY and log anyone's attempts to fo

Re: [expert] Linux Mandrake 6.0 Question (Ip Masq Tutorial. v0.0.1)

1999-08-21 Thread Axalon Bloodstone

On Sat, 21 Aug 1999, Steve Philp wrote:

> Axalon Bloodstone wrote:
> > 
> > On Sat, 21 Aug 1999, Steve Fox wrote:
> > 
> > > >
> > > > 5.  I haven't found any package that will masquerade other LAN machines onto
> > > > the internet.  Supposedly it can be done through ipchains scripts, but
> > > > I haven't made any work yet.  I did use PaNTs which is supposed to work for
> > > > RedHat 6 but I can't get anything through it on port 80 (web access).
> > >
> > > echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> >   ipchains -P forward DENY
> > > ipchains -I forward -j MASQ -s 192.168.0.0/16 -i eth0 -d 0/0
> > > ipchains -I input -j DENY -s 192.168.0.0/16 -i ! eth0 -d 0/0 -l
> > >
> 
> I haven't played with IP chains yet, but I get the notion that I may be
> using it to put a bigger choke mechanism on a web server box.  Could you
> verify that my reading of the ipchains rules are correct?
> 
> By default, deny all forwarding.  Allow forwarding of packets sourced on
> 192.168. and received on eth0.  Deny forwarding of 192.168. packets that
> did not get received on eth0.
> 
> Is that correct?

First a demonstration of exactly what the above commands will accomplish

We have an existing private LAN, operating with non-Internet-routable IP
addresses. Say we have two interfaces, *0 and *1; * can be any type of
network connection (eth, ppp, lo and all the others), it doesn't matter.

Both will be Ethernet, your basic high-speed connections.
We'll use eth0 for the private network (192.168.1.0/24 for this example),
eth1 for the Internet.

##end /etc/rc.d/rc.firewall
##Begin Masq
#Tell eth0 we want to be able to forward from it
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
#Setup a default reject on forwarding
ipchains -P forward REJECT
#Now the catch all logger
ipchains -A forward -s 0/0 -d 0/0 -j DENY -l
#Setup forwarding from the lan to anything not on it
ipchains -I forward -s 192.168.1.0/24 -d \! 192.168.1.0/24 -i eth1 -j MASQ
##end Masq

So:
only forward from eth0.
By default, REJECT all forwarding requests.
Append a DENY on everything, and log it
(too many overly talented IPv4 people out there; congratulations, I'm
paranoid).
Insert a MASQ rule for our private LAN, "outgoing" only
(again the paranoid thing, some very talented source-routers).

Now some rules when creating scripts like this.
DOCUMENT every line or make some form of blocks, with comments; you WILL
forget eventually.
Unless you're really getting creative with custom chains,
Appends (-A) should be used for DENY/REJECT commands,
Inserts (-I) should be used for ACCEPT/MASQ commands.
This helps keep you (me) from getting denied when you swore you added
the IP to the firewall, or prevent "well how the bleep did he even get to
telnet, I had it firewalled" type situations. It basically just makes it
look nice also.

And now we tackle:

> I've got the following setup:  an ISDN connection that's terminated at a
> Cisco router with 2 ethernet connections running their PIX firewall
> software.  On one ether port (192.168.4.x), is our "Internet" network. 
> It currently houses one machine which acts as the web/email server for
> outside connections.  Inside connections use that machine as their sole
> gateway to the outside world (junkbuster and squid along with pop3 and
> smtp services).  The other ether port (192.168.3.x) connects to our
> internal network.
> 
> I'd like to put a bigger limit on the kinds of things that the webserver
> will allow to be sent into the internal network.  We need to allow the
> squid and junkbuster conversations in, and I also need to be able to
> talk to the machine via telnet from the internal connection.
> 
> I'm not worried (much) about people being able to attack the internal
> network from the Internet, since they're all private IP net addresses
> that get nowhere when used on the Internet.  However, if someone is able
> to break into the web box, they can see the internal network and talk to
> it from there.  I'd prefer that not to be possible.
> 
> Any ideas?
 
Following the same basic principles, everybody's with me, right?
Because here comes the fun part.

Setup:
ISDN to Cisco router,
2-port Cisco router, supplying
192.168.4.0/24 (cisco1 for lack of a better name)
and an unused cisco0.
192.168.4.254 will be our gateway, with an Internet IP (provided by
Cisco's PIX firewall).
This machine provides 192.168.3.0/24 with proxying via squid and
junkbuster,
with 192.168.3.254 as its internal IP.

How can we strengthen this with ipchains, you ask? Well, let's see.

##
# First verify forwarding is disabled
echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
# Default REJECT
ipchains -P forward REJECT
# DENY and log anyone's attempts to forward through us
ipchains -A forward -s 0/0 -d 0/0 -l -j DENY

# Ok thats pretty basic, now we get paranoid

# DENY, and log any connections to us from inside as anything but our
# gateway IP
ipchains -I input -s 192.168.3.0/24 -d ! 192.168.3.254