[ale] Stupid Firewall Tricks

Hunter Eidson hunter at gpc.peachnet.edu
Wed Jun 21 11:49:31 EDT 2000


Hi Everyone!

Here at work, I need to set up a firewall machine to protect a single NT
server.  I won't go into the painful details why it has to be protected this
way, it just does.  I've built a Mandrake 7.1 box that can route packets
between the NT server and the outside world just fine.  When I start
restricting the hosts that are allowed to connect to it with ipchains, I can
get to the firewall from only the machines I specify, but now none of them
can reach the NT box.  I'm only using the INPUT, OUTPUT, and FORWARD default
chains, and I'm guessing the INPUT and OUTPUT chains are working since I can
still get to the firewall w/o problems.  Included below is my script for
setting the ipchains up (with IPs modified slightly).  Any suggestions would
be helpful...

	--Hunter

--------------8<---Cut Here--->8------------------

#!/bin/bash

# Config Environment Vars
UNIVERSE="0.0.0.0/0"
EXTIF="eth0"
EXTIP="10.28.193.31"
EXTGW="10.28.193.1"
INTIF="eth1"
INTIP="10.28.213.33"
INTLAN="10.28.213.32/30"
LOOPIF="lo"
LOOPIP="127.0.0.1"
SECHOST1="10.28.223.11"
SECHOST2="10.28.193.20"

# Turn On Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Turn on reverse-path filtering to drop spoofed source addresses
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
		echo "1" > $file
done

# Blank All Standard Chains
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

exit 0
# Set Default REJECT For Standard Chains
ipchains -P input REJECT
ipchains -P output REJECT
#ipchains -P forward REJECT

# IPCHAINS Rules Input / Internal Network
ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE -l
ipchains -A input -j ACCEPT -i $LOOPIF -s $UNIVERSE -d $UNIVERSE -l

# IPCHAINS Rules Input / External Network
ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE -l
ipchains -A input -j ACCEPT -i $EXTIF -s $SECHOST1 -d $EXTIP  -l
ipchains -A input -j ACCEPT -i $EXTIF -s $SECHOST2 -d $EXTIP  -l

# IPCHAINS Rules Input / F-U Catch-all rule
ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE  #-l

# IPCHAINS Rules Output / Internal Network
ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN -l
ipchains -A output -j ACCEPT -i $LOOPIF -s $UNIVERSE -d $UNIVERSE -l

# IPCHAINS Rules Output / External Network
#ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN -l
#ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE -l
ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE -l
ipchains -A output -j ACCEPT -s $EXTIP -d $SECHOST1 -l
ipchains -A output -j ACCEPT -s $EXTIP -d $SECHOST2 -l

# IPCHAINS Rules Output / F-U Catch-all rule
ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE # -l

# IPCHAINS Rules Forward / Internal --> External
#ipchains -A forward -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE -l
#ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE -l
#ipchains -A forward -j ACCEPT -s $UNIVERSE -d $UNIVERSE -l
#ipchains -A forward -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN -l
#ipchains -A forward -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN -l

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
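Editor's note: the following is an added example, not part of Hunter's post. It models why the posted rules block the NT box while the firewall itself stays reachable. ipchains runs a routed packet through three chains in order: input (where -i means the interface the packet arrived on), then forward and output (where -i means the interface it will leave on). The posted input rules accept SECHOST traffic only when it is addressed to EXTIP, and the output rules accept traffic only when it is sourced from EXTIP, so a packet forwarded to the NT box is rejected by the input catch-all and the NT reply by the output catch-all. The simulator below, written for this page in Python, replays the posted chains (as the script would install them once the `exit 0` ahead of the REJECT policies is removed) and then a corrected set that adds pass-through rules ahead of each catch-all and locks the forward chain to those two paths. The NT address 10.28.213.34 is an assumption (the only other usable address in 10.28.213.32/30); matching is simplified to interface, protocol, source and destination, with ports, TCP flags and the -l logging flag ignored.

```python
"""Simulate ipchains chain traversal for the posted rule set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses and interfaces from the posted script.
EXTIF, INTIF, LOOPIF = "eth0", "eth1", "lo"
EXTIP, INTLAN = "10.28.193.31", "10.28.213.32/30"
SECHOST1, SECHOST2 = "10.28.223.11", "10.28.193.20"
ANY = "0.0.0.0/0"
# Assumed: the NT server is the other usable address in the /30.
NTHOST = "10.28.213.34"


@dataclass
class Rule:
    target: str                  # ACCEPT or REJECT (DENY would behave the same here)
    iface: Optional[str] = None  # -i; None matches any interface
    src: str = ANY               # -s
    dst: str = ANY               # -d
    proto: Optional[str] = None  # -p; None matches any protocol


def rule_matches(rule, pkt, iface):
    """First-match semantics: every criterion the rule specifies must hold."""
    if rule.iface is not None and rule.iface != iface:
        return False
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst))


def run_chain(chain, pkt, iface):
    """Walk one chain; fall back to its default policy when nothing matches."""
    for rule in chain["rules"]:
        if rule_matches(rule, pkt, iface):
            return rule.target
    return chain["policy"]


def forward_verdict(fw, pkt, in_if, out_if):
    """A routed packet passes input (iface = in_if), then forward and output
    (iface = out_if). Returns (verdict, chain that decided)."""
    for name, iface in (("input", in_if), ("forward", out_if), ("output", out_if)):
        verdict = run_chain(fw[name], pkt, iface)
        if verdict != "ACCEPT":
            return verdict, name
    return "ACCEPT", "output"


def local_verdict(fw, pkt, in_if):
    """A packet addressed to the firewall itself only passes the input chain."""
    return run_chain(fw["input"], pkt, in_if), "input"


def posted_ruleset():
    """The chains the posted script builds (after its early exit 0 is removed)."""
    return {
        "input": {"policy": "REJECT", "rules": [
            Rule("ACCEPT", INTIF, src=INTLAN),
            Rule("ACCEPT", LOOPIF),
            Rule("REJECT", EXTIF, src=INTLAN),             # anti-spoof
            Rule("ACCEPT", EXTIF, src=SECHOST1, dst=EXTIP),
            Rule("ACCEPT", EXTIF, src=SECHOST2, dst=EXTIP),
            Rule("REJECT"),                                # catch-all
        ]},
        "forward": {"policy": "ACCEPT", "rules": []},
        "output": {"policy": "REJECT", "rules": [
            Rule("ACCEPT", INTIF, dst=INTLAN),
            Rule("ACCEPT", LOOPIF),
            Rule("ACCEPT", proto="icmp"),
            Rule("ACCEPT", src=EXTIP, dst=SECHOST1),
            Rule("ACCEPT", src=EXTIP, dst=SECHOST2),
            Rule("REJECT"),                                # catch-all
        ]},
    }


def fixed_ruleset():
    """Same chains plus the pass-through rules a forwarded packet needs."""
    fw = posted_ruleset()
    for host in (SECHOST1, SECHOST2):
        # Inbound leg must be accepted on arrival (input chain) ...
        fw["input"]["rules"].insert(-1, Rule("ACCEPT", EXTIF, src=host, dst=INTLAN))
        # ... and the NT reply on the way out (output chain); both go ahead of the catch-all.
        fw["output"]["rules"].insert(-1, Rule("ACCEPT", EXTIF, src=INTLAN, dst=host))
    # Lock the forward chain to exactly those two paths instead of ACCEPT-all.
    fw["forward"] = {"policy": "REJECT", "rules":
        [Rule("ACCEPT", INTIF, src=h, dst=INTLAN) for h in (SECHOST1, SECHOST2)] +
        [Rule("ACCEPT", EXTIF, src=INTLAN, dst=h) for h in (SECHOST1, SECHOST2)]}
    return fw


def trace(fw):
    """Verdicts for the three flows described in the post."""
    return {
        "to_firewall": local_verdict(fw, {"src": SECHOST1, "dst": EXTIP, "proto": "tcp"}, EXTIF),
        "to_nt": forward_verdict(fw, {"src": SECHOST1, "dst": NTHOST, "proto": "tcp"}, EXTIF, INTIF),
        "nt_reply": forward_verdict(fw, {"src": NTHOST, "dst": SECHOST1, "proto": "tcp"}, INTIF, EXTIF),
    }


if __name__ == "__main__":
    for label, fw in (("posted", posted_ruleset()), ("fixed", fixed_ruleset())):
        print(label, trace(fw))
```

Running the trace shows the posted chains accepting the connection to the firewall but rejecting the NT-bound packet in the input chain and the NT reply in the output chain, which is exactly the symptom reported; the corrected set accepts both while still rejecting any other external host, and, with the forward policy now REJECT, the NT box can no longer reach arbitrary outside addresses either.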