[Slugnet] IPTABLES - ARP - DNS. &#&#%^#,it. Can anyone help!

carlton lee Mon, 07 Apr 2008 00:03:41 -0700

I'm trying to build a very secure file server. Having
problems!

>From debian-40r3-i386-CD-1.iso
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
SSH port 22000
FTP for apt-get
EXIM4 for sending reports to local mail server.
SSHD and EXIM4 are the only servers/services running.


Network diagram
192.168.4.24 -> IPCOP >  Internet
and
Internet -> IPCOP -> 192.168.4.24

If - "IPTABLE -P INPUT ACCEPT" everything works but is
not secure.
If - "IPTABLE -P INPUT DROP" everything but ftp works
and is very secure.

Note: both external and internal domain names
resolv(e) properly.

Seems to have some problem with arp or DNS?

Can Anyone Help me!

Thanks,
Carlton Lee

--------------------------------------------
192.168.4.24 Firewall

#!/bin/sh

INTERNET="eth0"
IPADDRESS="192.168.4.24"
UNPRIVPORTS="1024:65535"

/sbin/modprobe ip_tables 2> /dev/null
/sbin/modprobe iptable_filter 2> /dev/null
/sbin/modprobe ipt_state 2> /dev/null
/sbin/modprobe ip_conntrack 2> /dev/null
/sbin/modprobe ip_conntrack_ftp 2> /dev/null
/sbin/modprobe ipt_REJECT 2> /dev/null
/sbin/modprobe ipt_TOS 2> /dev/null
/sbin/modprobe ipt_LOG 2> /dev/null
/sbin/modprobe iptable_mangle 2> /dev/null

echo 1 >
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for f in
/proc/sys/net/ipv4/conf/*/accept_source_route; do
       echo 1 > $f
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
       echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
       echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
       echo 1 > $f
done
 for f in /proc/sys/net/ipv4/conf/*/log_martians; do
       echo 1 > $f
 done

/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.254
--sport 53 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.4.254
--sport 53 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.1.254
--sport 53 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.4.254
--sport 53 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0
-p <http://192.168.4.0/255.255.255.0-p> tcp --sport 1024:65335 --dport 22000
-j ACCEPT

/sbin/iptables -A INPUT -i $INTERNET -p tcp --sport
$UNPRIVPORTS -d $IPADDRESS --dport ftp -m state
--state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $INTERNET -p tcp --sport
$UNPRIVPORTS -d $IPADDRESS --dport ftp -j ACCEPT
/sbin/iptables -A INPUT -i $INTERNET -p tcp ! --syn
--sport $UNPRIVPORTS -d $IPADDRESS --dport ftp-data -j
ACCEPT
#/sbin/iptables -A INPUT -i $INTERNET -p tcp ! --syn
--sport $UNPRIVPORTS -d $IPADDESS --dport $UNPRIVPORTS
-j ACCEPT

/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0
-p <http://192.168.4.0/255.255.255.0-p> icmp -m icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0
-p <http://192.168.4.0/255.255.255.0-p> icmp -m icmp --icmp-type 8 -j ACCEPT

/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 1024:65535 -d
192.168.1.254 --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 1024:65535 -d
192.168.4.254 --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1024:65535 -d
192.168.1.254 --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1024:65535 -d
192.168.4.254 --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTERNET -p tcp -s
$IPADDRESS --sport $UNPRIVPORTS --dport $UNPRIVPORTS
-m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s
192.168.4.0/255.255.255.0 --sport 22000 --dport
1024:65535 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s
192.168.4.0/255.255.255.0 --sport 1024:65535 --dport
80 -j ACCEPT

/sbin/iptables -A OUTPUT -o $INTERNET -p tcp -s
$IPADDRESS --sport ftp-data --dport $UNPRIVPORTS -m
state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTERNET -p tcp ! --syn
-s $IPADDRESS --sport ftp --dport $UNPRIVPORTS -j
ACCEPT
/sbin/iptables -A OUTPUT -o $INTERNET -p tcp -s
$IPADDRESS --sport ftp-data --dport $UNPRIVPORTS -j
ACCEPT
/sbin/iptables -A OUTPUT -o $INTERNET -p tcp -s
$IPADDRESS --sport $UNPRIVPORTS --dport $UNPRIVPORTS
-j ACCEPT

/sbin/iptables -A OUTPUT -s 192.168.4.0/255.255.255.0
-p <http://192.168.4.0/255.255.255.0-p> icmp -m icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A OUTPUT -s 192.168.4.0/255.255.255.0
-p <http://192.168.4.0/255.255.255.0-p> icmp -m icmp --icmp-type 8 -j ACCEPT

FROM TCPDUMP

With IPTABLE -P INPUT DROP

20:34:34.399073 IP 192.168.4.24.1036 >
192.168.1.254.53:  3393+ AAAA? ftp.jaist.ac.jp. (33)
20:34:34.412448 IP 192.168.1.254.53 >
192.168.4.24.1036:  3393 0/1/0 (78)
20:34:34.412701 IP 192.168.4.24.1036 >
192.168.1.254.53:  57983+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:34:35.543445 IP 192.168.1.254.53 >
192.168.4.24.1036:  57983 ServFail 0/0/0 (46)
20:34:35.543633 IP 192.168.4.24.1036 >
192.168.4.254.53:  57983+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:34:36.724040 IP 192.168.4.254.53 >
192.168.4.24.1036:  57983 ServFail 0/0/0 (46)
20:34:36.724196 IP 192.168.4.24.1036 >
192.168.1.254.53:  57983+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:34:36.736429 IP 192.168.1.254.53 >
192.168.4.24.1036:  57983 ServFail 0/0/0 (46)
20:34:36.736533 IP 192.168.4.24.1036 >
192.168.4.254.53:  57983+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:34:37.857821 IP 192.168.4.254.53 >
192.168.4.24.1036:  57983 ServFail 0/0/0 (46)
20:34:37.858088 IP 192.168.4.24.1036 >
192.168.1.254.53:  52486+ A? ftp.jaist.ac.jp. (33)
20:34:37.870234 IP 192.168.1.254.53 >
192.168.4.24.1036:  52486 1/0/0 A 150.65.7.130 (49)
20:34:37.870681 IP 192.168.4.24.2283 >
150.65.7.130.80: S 3408724511:3408724511(0) win 5840
<mss 1460,sackOK,timestamp 1904797 0,nop,wscale 2>
20:34:37.881450 IP 150.65.7.130.80 >
192.168.4.24.2283: S 3896353550:3896353550(0) ack
3408724512 win 8190 <mss 1380>
20:34:39.395564 arp who-has 192.168.4.254 tell
192.168.4.24
20:34:39.395656 arp reply 192.168.4.254 is-at
00:1a:70:10:00:22
20:34:40.867662 IP 192.168.4.24.2283 >
150.65.7.130.80: S 3408724511:3408724511(0) win 5840
<mss 1460,sackOK,timestamp 1905547 0,nop,wscale 2>
20:34:40.878016 IP 150.65.7.130.80 >
192.168.4.24.2283: S 3896353550:3896353550(0) ack
3408724512 win 8190 <mss 1380>
20:34:45.871086 arp who-has 192.168.4.24 tell
192.168.4.254
20:34:45.871115 arp reply 192.168.4.24 is-at
00:50:da:c3:36:c2

With IPTABLE -P INPUT ACCEPT

20:09:52.230712 IP 192.168.4.24.1033 >
192.168.1.254.53:  34744+ AAAA? ftp.jaist.ac.jp. (33)
20:09:52.242961 IP 192.168.1.254.53 >
192.168.4.24.1033:  34744 0/1/0 (78)
20:09:52.243226 IP 192.168.4.24.1033 >
192.168.1.254.53:  60324+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:09:52.255477 IP 192.168.1.254.53 >
192.168.4.24.1033:  60324 ServFail 0/0/0 (46)
20:09:52.255590 IP 192.168.4.24.1033 >
192.168.4.254.53:  60324+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:09:53.385950 IP 192.168.4.254.53 >
192.168.4.24.1033:  60324 ServFail 0/0/0 (46)
20:09:53.386154 IP 192.168.4.24.1033 >
192.168.1.254.53:  60324+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:09:54.488734 IP 192.168.1.254.53 >
192.168.4.24.1033:  60324 ServFail 0/0/0 (46)
20:09:54.488901 IP 192.168.4.24.1033 >
192.168.4.254.53:  60324+ AAAA?
ftp.jaist.ac.jp.carlnmei.com. (46)
20:09:55.597915 IP 192.168.4.254.53 >
192.168.4.24.1033:  60324 ServFail 0/0/0 (46)
20:09:55.598154 IP 192.168.4.24.1033 >
192.168.1.254.53:  17899+ A? ftp.jaist.ac.jp. (33)
20:09:55.609474 IP 192.168.1.254.53 >
192.168.4.24.1033:  17899 1/0/0 A 150.65.7.130 (49)
20:09:55.609933 IP 192.168.4.24.2203 >
150.65.7.130.80: S 1853195068:1853195068(0) win 5840
<mss 1460,sackOK,timestamp 1534255 0,nop,wscale 2>
20:09:55.620244 IP 150.65.7.130.80 >
192.168.4.24.2203: S 2086403084:2086403084(0) ack
1853195069 win 8190 <mss 1380>
20:09:55.620318 IP 192.168.4.24.2203 >
150.65.7.130.80: . ack 1 win 5840
20:09:55.620723 IP 192.168.4.24.2203 >
150.65.7.130.80: P 1:167(166) ack 1 win 5840
20:09:55.633608 IP 150.65.7.130.80 >
192.168.4.24.2203: . ack 167 win 16360
20:10:00.798315 IP 150.65.7.130.80 >
192.168.4.24.2203: P 1:264(263) ack 167 win 16360
20:10:00.798370 IP 192.168.4.24.2203 >
150.65.7.130.80: . ack 264 win 6432

_______________________________________________
Slugnet mailing list
[email protected]
http://wiki.lugs.org.sg/LugsMailingListFaq
http://www.lugs.org.sg/mailman/listinfo/slugnet

[Slugnet] IPTABLES - ARP - DNS. &#&#%^#,it. Can anyone help!

Reply via email to