Re: [gentoo-user] iptables example on Gentoo
Hi Dave,

* Dave Nebinger [EMAIL PROTECTED], Friday, September 9, 2005, 4:23:07 PM:

>>> Dude, trying to use iptables directly was your first mistake.

>> no, it wasn't. I have written some small example script
>> http://forums.gentoo.org/viewtopic.php?p=377447
>> that (IMO) is quite modular...

> Yes, Timo, it is quite modular and quite thorough. It represents a great
> job at developing a general set of rules. But I would raise the following
> issues:

> 1. FTP support: You've allowed for the active ftp protocols on ports 20 21,
> but what about passive? This traffic will usually be on the higher ports
> (typically a range specified in the configuration for the ftp daemon). I do
> believe that if the ftp daemon tries to open a passive connection outbound
> it's going to get knocked off at the knees.

If I open an ftp-connection from the inside to an ftp-server on the outside,
it should get caught by the iptables-ftp-module and the RELATED rule.

> 2. Measure the checks: The more checks that a packet goes through, the
> longer it will take to travel through the iptables stack. Your script has a
> lot of checks in it. Consider a pgp packet as it traverses all of the chains
> etc. that you've specified. You're probably looking at 30+ checks at least
> (although I haven't counted each individual check, but I'm confident it is
> quite a large number). That's a significant number of hops and means the
> packet is going to be hanging around on the box a lot longer than what it
> really should.

Yes, I have MANY checks. I have had no problems while using this and some
newer versions of this script. However this seems to be a problem for users
that get many small packets per time-unit... (think p2p here). As you state
below, this is no universal solution, but was built to be easily
reconfigurable.

> 3. No detail on why the checks are ordered in the way they are (is there an
> order?): As #2 indicates, the increased number of checks that a packet needs
> to be pushed through means it will hang around on the box longer. Therefore
> they should be ordered to give priority to either a) heavily used ports or
> b) ports you want to have processed sooner rather than later.

There was no reason ;-). see above

> 4. No reason for accepting specific outbound traffic: I tend to prefer
> allowing all outbound traffic and filter on those ports that shouldn't be
> going outbound (i.e. dhcp responses, dns responses, ipp packets, windows
> networking stuff, known trojan/virus ports). It greatly reduces the number
> of checks outbound traffic needs to go through.

I filter outbound for various reasons: generally, I like to know what happens
on my internal network. You can catch misconfigured software, some malware
and some bad users with that.

> Obviously to improve the throughput you'd have to alter the script to use
> multiple ports on accept lines. Once you start doing that, though, you lose
> the modularity that you've built into the script.

You are probably right in that.

> The point that needs to be made is that there is no 'one iptables script
> fits all'. Each site, each box for that matter, has its own set of services
> and its own usage criteria. To that end the iptables rules will (should)
> always vary from box to box, whether it is a server, a desktop, a gateway,
> or some combination of the three.

Of course.

> New users looking to get their boxen online grab scripts like this thinking
> they are going to secure it for them, yet they don't understand the nuances
> of the individual rules nor how they are grouped. How many folks that grab
> the script are going to know what the teamspeak or pgp ports are for and
> whether they need them or not? How many are going to know that they've
> exposed their system to incoming teamspeak packets, whether they have
> teamspeak or not?

Even more: They are exposing their box to ALL packets on the teamspeak port.

But IMO, it's easier to learn than some gui-things, you don't have to
transfer it over the network to your firewall-box (who has X on a
firewall??? :-) ) and it's easy to reconfigure.

Thanks for the feedback. really.

Timo

-- 
gentoo-user@gentoo.org mailing list
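Dave's points 2 and 3 (count the checks, then order the rules) can be settled with numbers rather than intuition: iptables keeps a packet counter per rule, and with first-match semantics a packet accepted by rule i has been tested against i rules. The script below is an added example for this thread, not Timo's script and not anything from the forum post. It computes that cost for a chain from the output format of `iptables -nvxL INPUT --line-numbers` and ranks the rules by hit count. The chain listing is constructed for the example; the ports 8767/udp and 11371/tcp stand in for the "teamspeak" and "pgp" rules mentioned above and are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread: cost a chain from its rule counters
# and rank rules by hit count. Input is `iptables -nvxL CHAIN --line-numbers`
# (columns: num pkts bytes target prot opt in out source destination extra).

# Constructed sample listing. Rule 4 is the usual stateful rule; placed this
# late it is still where almost every packet ends up, after three wasted tests.
SAMPLE='Chain INPUT (policy DROP 1203 packets, 98765 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       52  3120 ACCEPT     udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:8767
2       14   840 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11371
3      910 61880 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
4    48211 2900000 ACCEPT   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5     4102 312000 ACCEPT    tcp  --  eth0   *       192.168.2.0/24       0.0.0.0/0            tcp dpt:22
'

# Rule tests performed = sum over rules of (hits * position) plus the packets
# that fell through to the chain policy, which were tested against every rule.
chain_cost() {
    awk '
        $1 == "Chain" { policy = $5; next }   # "(policy DROP <pkts> packets, ..."
        $1 == "num"   { next }                # column header
        NF            { cost += $2 * $1; rules = $1 }
        END           { print cost + policy * rules }
    '
}

# Same listing with the rules sorted by hit count and renumbered, so the result
# is again valid chain_cost input. This is a candidate order, not a safe one:
# only rules that can never match the same packet may be swapped freely.
rank_rules() {
    _in=$(cat)
    printf '%s\n' "$_in" | awk '$1 == "Chain" || $1 == "num"'
    printf '%s\n' "$_in" \
        | awk 'NF && $1 != "Chain" && $1 != "num" { $1 = $1; print }' \
        | sort -k2,2nr \
        | awk '{ $1 = NR; print }'
}

printf '%s\n' "$SAMPLE" | chain_cost                 # current order: 222179 tests
printf '%s\n' "$SAMPLE" | rank_rules | chain_cost    # ordered by hits: 65438 tests
```

On a live box, zero the counters with `iptables -Z`, let representative traffic run for a while, then feed `iptables -nvxL INPUT --line-numbers` to `rank_rules`. Moving the RELATED,ESTABLISHED rule to the top is what removes most of the per-port tests; beyond that, reorder only among rules whose matches are disjoint (distinct `--dport` accepts, say). Moving a DROP or REJECT past an ACCEPT that overlaps it changes what the firewall permits, not just how fast it runs.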
Re: [gentoo-user] iptables example on Gentoo
Hi Dave,

* Dave Nebinger [EMAIL PROTECTED], Tuesday, September 6, 2005, 7:39:53 PM:

>> I've been trying to build a simple firewall with a DMZ for a web server.

> Dude, trying to use iptables directly was your first mistake.

no, it wasn't. I have written some small example script
http://forums.gentoo.org/viewtopic.php?p=377447
that (IMO) is quite modular...

Timo

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] iptables example on Gentoo
>> Dude, trying to use iptables directly was your first mistake.

> no, it wasn't. I have written some small example script
> http://forums.gentoo.org/viewtopic.php?p=377447
> that (IMO) is quite modular...

Yes, Timo, it is quite modular and quite thorough. It represents a great job
at developing a general set of rules. But I would raise the following issues:

1. FTP support: You've allowed for the active ftp protocols on ports 20 21,
but what about passive? This traffic will usually be on the higher ports
(typically a range specified in the configuration for the ftp daemon). I do
believe that if the ftp daemon tries to open a passive connection outbound
it's going to get knocked off at the knees.

2. Measure the checks: The more checks that a packet goes through, the longer
it will take to travel through the iptables stack. Your script has a lot of
checks in it. Consider a pgp packet as it traverses all of the chains etc.
that you've specified. You're probably looking at 30+ checks at least
(although I haven't counted each individual check, but I'm confident it is
quite a large number). That's a significant number of hops and means the
packet is going to be hanging around on the box a lot longer than what it
really should.

3. No detail on why the checks are ordered in the way they are (is there an
order?): As #2 indicates, the increased number of checks that a packet needs
to be pushed through means it will hang around on the box longer. Therefore
they should be ordered to give priority to either a) heavily used ports or
b) ports you want to have processed sooner rather than later.

4. No reason for accepting specific outbound traffic: I tend to prefer
allowing all outbound traffic and filter on those ports that shouldn't be
going outbound (i.e. dhcp responses, dns responses, ipp packets, windows
networking stuff, known trojan/virus ports). It greatly reduces the number of
checks outbound traffic needs to go through.

Obviously to improve the throughput you'd have to alter the script to use
multiple ports on accept lines. Once you start doing that, though, you lose
the modularity that you've built into the script.

The point that needs to be made is that there is no 'one iptables script fits
all'. Each site, each box for that matter, has its own set of services and
its own usage criteria. To that end the iptables rules will (should) always
vary from box to box, whether it is a server, a desktop, a gateway, or some
combination of the three.

New users looking to get their boxen online grab scripts like this thinking
they are going to secure it for them, yet they don't understand the nuances
of the individual rules nor how they are grouped. How many folks that grab
the script are going to know what the teamspeak or pgp ports are for and
whether they need them or not? How many are going to know that they've
exposed their system to incoming teamspeak packets, whether they have
teamspeak or not?

-- 
gentoo-user@gentoo.org mailing list
RE: [gentoo-user] iptables example on Gentoo
Wow, that is news to me... I've always just banged out iptables rules and
then saved them...

On Tue, 6 Sep 2005, Dave Nebinger wrote:

>> I've been trying to build a simple firewall with a DMZ for a web server.

> Dude, trying to use iptables directly was your first mistake. Take a spin
> out and look at shorewall (I'm sure others have different recommendations).
> Shorewall will get you up and running in no time and will easily handle the
> configuration stuff from your original post.

> Trying to manage such a complex config using iptables directly is doomed to
> failure; any mistake in ordering of rules, etc., will break your
> connectivity. Sticking with a tool like shorewall will simplify rules
> maintenance and pose less of a problem when performing updates later on.

> Dave

-- 
Bryan Whitehead
Email:[EMAIL PROTECTED]

-- 
gentoo-user@gentoo.org mailing list
[gentoo-user] iptables example on Gentoo
Hello,

I've been trying to build a simple firewall with a DMZ for a web server.

x.x.x.x is the local single static IP
y.y.y.y is the gateway IP.
z.z.z.z is the broadcast.

Outward access is working (ip and dns). Currently the dns servers I use are
the cable modem company's, and they work just fine, for now. I can download
packages and ebuilds just fine. Access to the mail servers outside the
network works just fine.

Note: I have an openbsd firewall with a dmz web server, and all works just
fine. It's disconnected while I try to get this gentoo firewall working with
the same web server and other lan components.

Following this simple example:
http://www.gentoo.org/doc/en/home-router-howto.xml

Here's what I did to add a DMZ based web server:

A. (3) ethernet interfaces are setup via ifconfig and are working.

B. /etc/conf.d/net: I added these lines:

    iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
    iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
    iface_eth2="x.x.x.x broadcast z.z.z.z netmask 255.255.255.252"
    routes_eth2=( "default gw y.y.y.y" )

C. and here's the IP tables portion:

Start with 'iptables -F' and 'iptables -t nat -F'

    export LAN=eth0
    export DMZ=eth1
    export WAN=eth2

    iptables -I INPUT 1 -i ${LAN} -j ACCEPT
    iptables -I INPUT 1 -i lo -j ACCEPT
    iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
    iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
    iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
    iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
    iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
    iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
    iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

D. Next:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

E. And finishing with:

    /etc/init.d/iptables save
    rc-update add iptables default
    vi /etc/sysctl.conf

Add/Uncomment the following lines:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1

Questions

Step C:

Question 1: The rule I added:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

does not give access to the web server, either from the outside internet,
nor from the internal lan. Can somebody fix the rule or tell me what I've
done wrong or what is additionally needed? Here are the error messages:

    Warning: wierd character in interface `-j' (No aliases, :, ! or *).
    Bad argument `DNAT'

Question 2: Where are the config files built by iptables (filter, nat,
mangle, raw) and is it OK to just edit these manually, trying various rules
and testing the results? Any other files to edit directly?

I've read about shorewall, but I prefer to directly edit these files (and
any others I have missed) directly while I learn/test the features of
iptables/netfilter. Shorewall or any other gui is for later, when I've
developed a certain confidence via understanding how iptables/netfilter
works. This is only a simple network, I'm setting it up mostly to learn
about iptables/netfilter. Any help or comments are appreciated. I intend to
slowly add features and rules and to test along the way, so as to satisfy my
curiosity while learning firewalling on linux based systems.

James

-- 
gentoo-user@gentoo.org mailing list
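Two things in the post above are worth checking before rewriting anything. The two error messages are exactly what iptables prints when `${WAN}` expands to nothing: `-i` then consumes `-j` as the interface name and `DNAT` is left over as a stray argument, so the variable was not set in the shell that ran that line. And the rule `iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP` sits at the head of FORWARD and drops every LAN packet bound for 192.168.0.0/16, which includes the DMZ, so the LAN could not reach the web server even once the DNAT rule loads. Note also that 192.168.3.11 is the address the post assigns to eth1 itself; the DNAT target has to be the web host's address in the DMZ, not the firewall's own interface.

The script below is an added example, not the script from the post and not the home-router howto's rules: a stateful three-legged gateway with one DNAT'd web server, written so that the RELATED,ESTABLISHED rule does the bulk of the work and the FTP conntrack helper covers passive data channels without opening a port range (the point Timo and Dave argue about earlier in the thread). Assumed, not from the post: the web host address 192.168.3.80, the conntrack module name (`nf_conntrack_ftp`; `ip_conntrack_ftp` on 2.4 and early 2.6 kernels), the `-m conntrack` match, and the policy that the DMZ may only open DNS connections outward. It prints the commands by default; run it with `DRY_RUN=0` from the console, since the FORWARD and INPUT policies flip to DROP before the LAN accept rule is added.

```shell
#!/bin/sh
# Added example for the gentoo-user thread, not the poster's script nor the
# home-router howto: stateful LAN / DMZ / WAN gateway with a DNAT'd web host.
# Assumed (not in the thread): WEB address, module name nf_conntrack_ftp,
# the -m conntrack match, and the DMZ-only-DNS-out policy.

LAN=eth0;  LAN_NET=192.168.2.0/24      # interfaces and networks from the post
DMZ=eth1;  DMZ_NET=192.168.3.0/24
WAN=eth2
WEB=192.168.3.80                       # assumed: the web host, not eth1's own address
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

fw_rules() {
    # 1. Clean slate, default-deny for packets to and through the box.
    run iptables -F
    run iptables -t nat -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT          # a choice; Timo filters outbound too

    # 2. FTP helper: conntrack follows the control channel, so active and
    #    passive data connections become RELATED and need no port range.
    run modprobe nf_conntrack_ftp

    # 3. Anti-spoofing: private sources never arrive legitimately on the WAN.
    #    Four cheap tests, placed before the state rule on purpose.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run iptables -A INPUT   -i "$WAN" -s "$net" -j DROP
        run iptables -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # 4. Stateful rules next: nearly every packet matches here and never
    #    traverses the per-service rules below.
    run iptables -A INPUT   -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 5. Packets for the firewall itself: loopback and the LAN side only.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # 6. NEW connections through the box. LAN: anything to the WAN, and port 80
    #    on the web host; nothing else into the DMZ. DMZ: DNS out only
    #    (assumed policy). WAN: port 80 on the web host only.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # 7. NAT: hide LAN and DMZ behind the WAN address; steer inbound port 80 to
    #    the web host. PREROUTING runs before FORWARD, so the FORWARD rule in
    #    step 6 already sees $WEB as the destination.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"

    # 8. Forwarding and reverse-path filtering, the same settings the post
    #    puts into /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.default.rp_filter=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

fw_rules
```

LAN clients reach the server at its DMZ address; reaching it through the public x.x.x.x from inside would additionally need a DNAT on the LAN side plus an SNAT so the server's replies return through the firewall, which this example leaves out. After `DRY_RUN=0`, `iptables -nvL FORWARD` should show the RELATED,ESTABLISHED counters climbing and the `--dport 80` rule ticking once per new web connection.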
RE: [gentoo-user] iptables example on Gentoo
> I've been trying to build a simple firewall with a DMZ for a web server.

Dude, trying to use iptables directly was your first mistake. Take a spin out
and look at shorewall (I'm sure others have different recommendations).
Shorewall will get you up and running in no time and will easily handle the
configuration stuff from your original post.

Trying to manage such a complex config using iptables directly is doomed to
failure; any mistake in ordering of rules, etc., will break your
connectivity. Sticking with a tool like shorewall will simplify rules
maintenance and pose less of a problem when performing updates later on.

Dave

-- 
gentoo-user@gentoo.org mailing list