Skåne Sjælland Linux User Group - http://www.sslug.dk
 

IPChains in Linux 2.2

Here is an example of using ipchains in the Linux 2.2 kernel to protect a Linux machine that is connected to the Internet. The rule set lets you use the machine normally, i.e. browse the web, fetch mail and news, download files with ftp and so on, but if someone from the outside tries to connect to your machine, the door is closed. The script also enables some other facilities in the Linux 2.2 kernel that protect against various kinds of attacks.

I recommend that you use the script as inspiration. Also read the man page for the ipchains program, so you have an idea of what the various commands do.

You can download the script itself here.

If you need to build an actual DMZ zone in your firewall (if you have several servers that must be reachable from the outside), you will need the ipmasqadm tool. You can find an rpm package with it here, and the source rpm here.

#!/bin/sh
#
# Configure safe networking practices
#
# chkconfig: - 06 90
# description: Setup firewalling and network security
#              This assumes your Internet is on a PPP connection
#              and the local (trusted) LAN is eth0.
#
# To install this on a Red Hat 6.x system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
#
#   chmod 755 /etc/rc.d/init.d/securenet
#   /sbin/chkconfig --add securenet
#   /sbin/chkconfig --level 2345 securenet on
#
# Henrik Størner, henrik@hswn.dk
#
# Modified 2000-03-20: Changed rules for ftp-data and DNS responses
#   so they work for masqueraded connections.
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin


#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable SYN cookies (protection against SYN-flooding attacks)
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
   echo "1" >/proc/sys/net/ipv4/tcp_syncookies
else
   echo "Warning: SYN-cookie protection disabled in this kernel."
fi

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP echo-request altogether (see also below for ICMP filtering)
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Set local port range for listeners (ftp ...)
# The range used here is what will be used for the connections 
# initiated from the firewall host. If you do masquerading, then
# masqueraded connections will use the range 61000-65096.
# Thus, in the ipchains rules below we will combine these two
# ranges into one: 56000:65096
echo "56000 60999" >/proc/sys/net/ipv4/ip_local_port_range

# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
   # Drop all source-routed packets
   echo "0" >$f/accept_source_route

   # Enable reverse-path filtering (rp_filter): packets arriving on an
   # interface from a source address we would not route back through
   # that interface are dropped. Anti-spoofing measure.
   echo "2" >$f/rp_filter
done


######################
# Setup IP firewalling
######################

# Default policies. 
# We deny all input and forwarding, then allow specific things further down.
# We allow all outgoing traffic - this could be tightened, but is only
# necessary for very secure installations.
ipchains -P input DENY;  ipchains -F input
ipchains -P forward DENY;  ipchains -F forward
ipchains -P output ACCEPT; ipchains -F output


# Allow anything on trusted interfaces
# ------------------------------------

# Allow anything on the loopback i/f: We trust ourselves.
 ipchains -A input -p all -j ACCEPT -i lo

# Allow anything on the local LAN: We trust the local guys.
 ipchains -A input -p all -j ACCEPT -i eth0


# Handle incoming TCP traffic
# ---------------------------

# Allow all traffic that does not try to setup a connection (no SYN)
 ipchains -A input -p tcp -j ACCEPT \! -y

# Explicitly reject (RST) connections to my ident/auth server.
# Some mail servers try to talk to this when you send them mail,
# and get really slow if you shut this off.
 ipchains -A input -p tcp -j REJECT -s 0/0 -d 0/0 auth -y

# If you want people from the outside to be able to access your web
# server, you must enable this. But most people don't run web servers
# on their home machines.
#ipchains -A input -p tcp -j ACCEPT -s 0/0 -d 0/0 www -y

# Allow ftp-data connections to listener ports (downloads and dir listings).
# Would be better if kernel could setup temporary rules when we start
# an ftp download ("port" command), but this will have to do for now.
# If you don't like this, consider enforcing use of passive-mode ftp only.
 ipchains -A input -p tcp -j ACCEPT -s 0/0 ftp-data -d 0/0 56000:65096 -y


# Handle incoming UDP traffic
# ---------------------------

# Allow dns replies to our locally originating requests
# BIND 8 uses the high ports for sending requests; this is good.
 ipchains -A input -p udp -j ACCEPT -s 0/0 domain -d 0/0 56000:65096

# Allow ntp communication (uses ntp port for request and reply)
 ipchains -A input -p udp -j ACCEPT -s 0/0 ntp -d 0/0 ntp

# Allow Real Audio/Video in best quality (uses udp).
# NB: This is for listening to RealAudio on the firewall only!
# Don't do this if you're paranoid - newer (G2) Real Audio will
# automatically switch to TCP if udp does not work.
#
# By default, you must allow incoming udp to ports 6970:7170,
# but that is WAY too big an area for me. Changing this does
# require some configuration of the Real Player client software.
 ipchains -A input -p udp -j ACCEPT -d 0/0 32768:32769


# Handle incoming ICMP
# --------------------

# Allow all, except remote timestamp-, echo- and address-mask requests,
# ICMP redirects and router-advertisements.
# (Denying echo-requests means we cannot be ping'ed).
  ipchains -A input -p icmp -s 0/0 timestamp-request    -j DENY --log
  ipchains -A input -p icmp -s 0/0 address-mask-request -j DENY --log
  ipchains -A input -p icmp -s 0/0 redirect             -j DENY --log
  ipchains -A input -p icmp -s 0/0 router-advertisement -j DENY --log
  ipchains -A input -p icmp -s 0/0 echo-request         -j DENY --log
  ipchains -A input -p icmp -j ACCEPT


# Log what drops through to here. If we catch anything, it
# will be interesting.
  ipchains -A input --log



# Now, play some tricks with outgoing packets on the modem link
# Use the TOS field to prioritize different protocols
# -------------------------------------------------------------

# http, telnet and ssh get "minimum delay"
ipchains -A output -p tcp -d 0/0 80    -i ppp+ -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 23    -i ppp+ -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 22    -i ppp+ -t 0x01 0x10

# ftp-data, nntp and pop-3 get "low cost"
ipchains -A output -p tcp -d 0/0 20    -i ppp+ -t 0x01 0x02
ipchains -A output -p tcp -d 0/0 119   -i ppp+ -t 0x01 0x02
ipchains -A output -p tcp -d 0/0 110   -i ppp+ -t 0x01 0x02



######################
# Setup Masquerading #
######################

### NB: This is disabled by default. If you want to use     ###
###     masquerading, just remove the "###" comment-markers ###
###     from the lines below.                               ###

# Load the masquerading protocol-modules
# This loads all of the modules in /lib/modules/2.2.x/ipv4/
###for f in /lib/modules/`uname -r`/ipv4/*masq*.o; do
###   /sbin/modprobe `basename $f | sed -e's/\.o$//'`
###done

# Enable a hack in the kernel for dial-on-demand Internet connectivity
# without having a static IP address.
# Without setting this, the first packet that goes out on a dial-on-demand
# connection has the wrong sender IP address, meaning that you will have
# to retransmit at least once.
# (This has nothing to do with security - but it is useful for a home
# network using masquerading).
###echo "1" >/proc/sys/net/ipv4/ip_dynaddr

# Defrag all packets. Needed for masquerading
###echo "1" >/proc/sys/net/ipv4/ip_always_defrag

# Enable forwarding (needed for masquerading)
#
# NB: On Red Hat systems, this is controlled in /etc/sysctl.conf !
#     You need to set net.ipv4.ip_forward=1 in this file, or the
#     command below will have no effect.
#
###echo "1" >/proc/sys/net/ipv4/ip_forward

# Masquerade anything that needs forwarding on the 
# external interface (ppp0, usually), except all the Windows
# Netbios chit-chat on ports 137 thru 139.
# Note: "-i" on the forward chain refers to the OUTGOING interface.
###ipchains -A forward -i ppp+ -p tcp -s 0/0 137:139 -j DENY
###ipchains -A forward -i ppp+ -p udp -s 0/0 137:139 -j DENY
###ipchains -A forward -i ppp+ -j MASQ
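
Added example (not part of the original script): a hypothetical POSIX-sh model of the input chain above, so you can check what verdict a given packet would get before deploying the rules. It assumes the standard service numbers for the names the script uses (ftp-data 20, domain 53, auth 113, ntp 123) and takes interface, protocol, ports and the SYN flag as plain arguments; DENY-LOG stands for "the catch-all --log rule fires, then the default policy DENY applies".

```shell
#!/bin/sh
# Hypothetical first-match model of the "input" chain in the script above.
# Usage: input_verdict IFACE PROTO SRCPORT DSTPORT FLAG
#   PROTO: tcp | udp | icmp   (for icmp, SRCPORT is the ICMP type name)
#   FLAG:  syn (connection setup, ipchains -y) or nosyn for tcp; "-" otherwise
# Prints ACCEPT, REJECT or DENY-LOG, mirroring the order of the rules.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

input_verdict() {
    iface=$1 proto=$2 sport=$3 dport=$4 flag=$5
    # Trusted interfaces: loopback and the LAN are accepted outright.
    case $iface in lo|eth0) echo ACCEPT; return ;; esac
    case $proto in
    tcp)
        # Non-SYN packets belong to connections we opened ourselves.
        [ "$flag" != syn ] && { echo ACCEPT; return; }
        # Connection attempts to ident/auth (113) get an explicit RST.
        [ "$dport" -eq 113 ] && { echo REJECT; return; }
        # Active-mode ftp-data (source port 20) to the listener range.
        [ "$sport" -eq 20 ] && in_range "$dport" 56000 65096 && { echo ACCEPT; return; }
        ;;
    udp)
        # DNS replies (source port 53) to our high local ports.
        [ "$sport" -eq 53 ] && in_range "$dport" 56000 65096 && { echo ACCEPT; return; }
        # NTP, request and reply both on port 123.
        [ "$sport" -eq 123 ] && [ "$dport" -eq 123 ] && { echo ACCEPT; return; }
        # RealAudio on the narrowed client port range.
        in_range "$dport" 32768 32769 && { echo ACCEPT; return; }
        ;;
    icmp)
        case $sport in
        timestamp-request|address-mask-request|redirect|router-advertisement|echo-request)
            echo DENY-LOG; return ;;
        esac
        echo ACCEPT; return ;;
    esac
    # Nothing matched: the bare --log rule logs it, then policy DENY drops it.
    echo DENY-LOG
}

# Example: a SYN to port 80 arriving on the modem link is logged and dropped.
# input_verdict ppp0 tcp 40000 80 syn   # → DENY-LOG
```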


Questions regarding the web pages to <www_admin>. Last changed 2004-03-07, at 21:25.

This page is maintained by Henrik Størner (<storner@sslug.dk>)