Re: netfilter iptables and firewall



On 24 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1161680624.249954.282620@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, EldarXP wrote:

I'm currently using a computer with linux to do a Bridge Firewall, as
my company has limited resources I have put together some other
services on it (apache, dansguardian).
It gives them a fairly secure network and should only allow some people
to access the internet.

"some people" - but none of your rules limit to individual addresses.
Of course, if your LAN is running DHCP because it's too much trouble to
set the boxes to static addresses, then you can't allow "some" people
to access the Internet unless everything is done through an authenticated
proxy, in which case your rules should block ALL access to/from the world
except via that proxy. HOWEVER - you should not depend on your firewall
to _replace_ written policy.

Still I found some problems in my firewall where some people were still
able to use web and messenger even with the set of rules I have put on
it.

See that a _written_ policy detailing allowed Internet use is in place.
Depending on your jurisdiction, there may or may not be legal implications.
You _probably_ should consult with your company's legal advisor to be sure.

Temporarily, jack up the logging, so that you are logging all NEW
and ESTABLISHED connections (all you need is headers), for a month or
so. Use common scripting tools to sort out source and destination IPs,
and destination port numbers. Who is talking to whom, and why? Is such
traffic beneficial, or tolerable? If you don't understand scripting, see
the "Bash-Prog-Intro-HOWTO" (should be on your system in /usr/share/HOWTO)
and "Advanced Bash-Scripting Guide" (version 4.1 was released two weeks
ago - try http://tldp.org/guides.html). When we did this (using tcpdump
because the firewall logging of the era wasn't very good), we wound up with
a log of roughly 350 Megabytes. It took two people _less_than_two_days_ to
ID every site, showing about 200 "holes" that had to be created through
our "block everything by default" firewall.

iptables -P FORWARD ACCEPT

If it's not explicitly in the rules, allow ??? WTF?!? In the comments below,
I'm assuming $INTERNET means 0.0.0.0/0 or literally, the entire world.

iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 25

Some mail admins don't like to accept mail from systems not designated
as mail servers. Allow the mail to be forwarded to a smarthost, and sent
on from there only.

iptables -A FORWARD -j LOG -p tcp -s $LOCALNET -d 202.72.104.1 --dport 110
iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 110

Log stuff to a specific destination, but allow to anywhere? Seems reversed.

iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 22

Allow _all_ SSH outbound???

iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 443

Allow _all_ https outbound???

iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 6667

And the reason your employees need IRC to do their jobs is what exactly?

iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 8383

What's 8383/tcp, and why is it needed?

iptables -A FORWARD -j r_drop

I don't have to deal with windoze, but I'd drop INPUT and OUTPUT as well,
as nothing runs on my firewall box except the firewall, and the ordinary
users (much less the entire world) have no reason to be connecting to that
box.

iptables -A Icmp_Related_And_New -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT

OK

iptables -A Icmp_Related_And_New -p icmp --icmp-type source-quench -m state --state RELATED -j ACCEPT

Stretching - I rarely see a source-quench.

iptables -A Icmp_Related_And_New -p icmp --icmp-type parameter-problem -m state --state RELATED -j ACCEPT

I can't recall the last time I saw one of those.

iptables -A Icmp_Related_And_New -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT

In the modern Internet, the only time you see this is in traceroute.

iptables -A Icmp_Related_And_New -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
iptables -A Icmp_Related_And_New -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

We allow ICMP Echo request outbound, and ICMP Echo reply inbound only.

Old guy
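The reply's advice to log NEW connections and "use common scripting tools to sort out source and destination IPs, and destination port numbers" can be done with awk over the kernel's netfilter LOG lines. The script below is an added example, not code from either poster; it assumes a FORWARD rule logging with `--log-prefix "FWD-NEW "`, and the log lines in it are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original post): tally iptables LOG lines by
# source, destination, protocol and destination port so "who is talking to
# whom" can be answered before tightening the FORWARD policy.

# Constructed sample lines, in the format a rule like
#   iptables -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD-NEW "
# emits (assumed prefix; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges, not real hosts).
SAMPLE_LOG='Oct 24 10:01:02 fw kernel: FWD-NEW IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443 SYN
Oct 24 10:01:05 fw kernel: FWD-NEW IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=443 SYN
Oct 24 10:02:11 fw kernel: FWD-NEW IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=203.0.113.7 PROTO=TCP SPT=51000 DPT=6667 SYN
Oct 24 10:03:40 fw kernel: FWD-NEW IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=203.0.113.9 PROTO=TCP SPT=52000 DPT=8383 SYN
Oct 24 10:04:00 fw kernel: FWD-NEW IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53001 DPT=53'

# summarise_flows: read LOG lines on stdin, print "count src dst proto dport",
# busiest tuple first. Lines without the assumed prefix are ignored, so other
# kernel messages mixed into syslog do not skew the counts.
summarise_flows() {
    awk '
        /FWD-NEW/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DST")   dst = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "" && dst != "") count[src " " dst " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_flow: the most frequent (src, dst, proto, dport) tuple in the sample
top_flow() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_flows | head -n 1
}

# flow_count: number of distinct tuples, i.e. candidate "holes" to review
flow_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_flows | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarise_flows
```

On a real box, replace the sample with `grep FWD-NEW /var/log/kern.log | summarise_flows` (log file path depends on the syslog setup); each remaining tuple is either a rule to add explicitly or traffic to stop.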