TCLUG Archive

Re: [TCLUG:7419] firewall configuration



On Tue, 10 Aug 1999, Clayton T. Fandre wrote:

> That's a good question. I will test it out tonight and see if I can
> block ports 61000-65000 and see if everything still works. When I did a
> tcpdump yesterday I never saw anything go out on any port > 61000. I'm
> not even sure where those high-port packets would be going or coming
> from. Anyone?

I don't specifically block anything in my chains.  However, I DO use a
default policy of DENY on everything!  If I can't think of a rule to
allow something in or out, then I don't want it getting through.
Everyone should have a policy as such.

Anyway, since I use a DENY policy, I have to make sure I can get
through the firewall, right?  Still, first things first when changing
firewall rules. Deny everything!

	ipchains -I input -j DENY    # Denies ALL packets coming in
	ipchains -I output -j DENY   # Denies ALL packets going out
	ipchains -I forward -j DENY  # Denies ALL packets being forwarded

	ipchains -P input DENY       # Sets default rule if no match
	ipchains -P output DENY      # Sets default rule if no match
	ipchains -P forward DENY     # Sets default rule if no match

Now, I can delete the first three later by replacing "-I" with "-D".
Time for the default ipmasq rules...  If you've done the DENY policy,
you need to tell the kernel that you want to allow traffic that
originates from the firewall machine itself.  You don't necessarily
have to specify the interface (ppp0, eth0, etc.), but it can be
helpful.

	# Allow traffic out originating from external interface
	ipchains -A output -i ${EXT_IF} -p tcp -s ${MY_IP} -j ACCEPT

	# Allow traffic out originating from external interface.  I
	# suspect this may not be needed.  I'll have to test it.
	ipchains -A forward -i ${EXT_IF} -p tcp -s ${MY_IP} -j ACCEPT

	# Now, we may not need this rule, but I haven't tested things
	# in its absence yet.
	ipchains -A input -i ${EXT_IF} -p tcp -s ${MY_IP} -j ACCEPT

OK, now for masquerading...

	# Allow masquerading: any interface, protocol, to any external
	# destination.  ipchains takes the first matching rule, so internal
	# destinations are excluded here; the next rule handles them.
	ipchains -A forward -s ${INTERNAL_NET} -d ! ${INTERNAL_NET} -j MASQ

But don't masq internal traffic.

	# Don't masq internal traffic: any interface, protocol
	ipchains -A forward -s ${INTERNAL_NET} \
		-d ${INTERNAL_NET} -j ACCEPT

Yet, allow for traffic outbound from the internal network.

	# Let internal traffic out... (ipchains uses lowercase -s for source)
	ipchains -A output -s ${INTERNAL_NET} -j ACCEPT

Do you provide services on your connected machine?  Two steps.  Makes
it much easier to organize things.  One, create a user-defined chain
that contains the rules you want per service.  Two, insert a link into
the "input" chain pointing to the "services" chain.  (I use a for
loop).

	# Add ports to string for loop (number or word found in
	# /etc/services)
	TCP_PORTS="ftp-data ftp ssh telnet smtp 53 www pop-3 imap2"
	TCP_PORTS="${TCP_PORTS} https"

	# Create a new chain
	ipchains -N services

	# Add rules to chain for each port
	for PORT in ${TCP_PORTS} ; do
		ipchains -A services -p tcp -d \
			${MY_IP} ${PORT} -j ACCEPT
	done

	# Add rule to input chain -- jump to services chain
	ipchains -A input -j services

By the same token, I've added a chain for port blocks (DENYs).  When I
get all of my scripts finalized, I'll throw them up on my web site.
Now, this should work, but test it for yourself.  I don't think you'll
have to worry about the high ports deal, since with these rules,
you're allowing all outbound traffic from your IP/NET anyway.

^chewie

http://nerp.net/~chewie  <<--- Check it out!  I'm selling my truck!
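The post's forward chain relies on rule order: ipchains stops at the first matching rule, so a catch-all MASQ rule placed ahead of the internal-to-internal ACCEPT masquerades LAN traffic too, while a DENY policy catches anything no rule accepts. The following first-match evaluator is an added example, not code from the post or from ipchains; the 192.168.1.0/24 network and the addresses are constructed sample values.

```python
import ipaddress

# Constructed sample value standing in for ${INTERNAL_NET} in the post.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def match(rule, pkt):
    """A rule matches when every field it specifies matches the packet.
    'dst_not' models ipchains' negated destination (-d ! net)."""
    for key in ("src", "dst"):
        net = rule.get(key)
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    if "dst_not" in rule and ipaddress.ip_address(pkt["dst"]) in rule["dst_not"]:
        return False
    proto = rule.get("proto")
    if proto is not None and pkt["proto"] != proto:
        return False
    return True


def evaluate(chain, policy, pkt):
    """ipchains semantics: the first matching rule's target wins,
    otherwise the chain's default policy (DENY in the post) applies."""
    for rule in chain:
        if match(rule, pkt):
            return rule["target"]
    return policy


# MASQ appended first, internal ACCEPT second: the ACCEPT never fires.
masq_first = [
    {"src": INTERNAL_NET, "target": "MASQ"},
    {"src": INTERNAL_NET, "dst": INTERNAL_NET, "target": "ACCEPT"},
]
# Same two rules with the internal ACCEPT ahead of the MASQ rule.
accept_first = [
    {"src": INTERNAL_NET, "dst": INTERNAL_NET, "target": "ACCEPT"},
    {"src": INTERNAL_NET, "target": "MASQ"},
]
# Original order kept, but MASQ excludes internal destinations (-d ! net).
masq_negated = [
    {"src": INTERNAL_NET, "dst_not": INTERNAL_NET, "target": "MASQ"},
    {"src": INTERNAL_NET, "dst": INTERNAL_NET, "target": "ACCEPT"},
]

# Constructed packets: LAN-to-LAN, LAN-to-Internet, unsolicited inbound.
internal_pkt = {"src": "192.168.1.10", "dst": "192.168.1.20", "proto": "tcp"}
outbound_pkt = {"src": "192.168.1.10", "dst": "198.51.100.7", "proto": "udp"}
inbound_pkt = {"src": "198.51.100.7", "dst": "192.168.1.10", "proto": "tcp"}

if __name__ == "__main__":
    for name, chain in (("masq_first", masq_first), ("accept_first", accept_first),
                        ("masq_negated", masq_negated)):
        print(name, [evaluate(chain, "DENY", p) for p in
                     (internal_pkt, outbound_pkt, inbound_pkt)])
```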