firewall

Lisa Kachold lisakachold at obnosis.com
Tue Aug 7 21:36:49 MST 2012


Hi Derek,

How are you?

We didn't really cover if you are using a singular dsl device or a small
switch/dsl modem on the upstream?

So if you have your two boxes (Ladmo and Wallace) connected via a crossover
cable or small switch to eth1 on Wallace which has eth0 connected to your
dsl, that's good.

If you have both boxes connected to the dsl switch/modem, there might be a
problem?

The best way to verify your settings is via nmap from outside.

Assumptions without real tests are the basis of bad security everywhere.

nmap each server from the other server.  Run a nmap from a shell or linux
box externally.

Also run this tool on the Windows system to verify what is really running:
http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video

See my comments below:

On Mon, Aug 6, 2012 at 11:06 PM, Derek Trotter <expat.arizonan at gmail.com> wrote:

> Recently I got dsl and decided to have my linux box pass on traffic to my
> windows box rather than buying a firewall.  I did the research online and
> figured out how to make everything work like I wanted. Is there anything
> I've done wrong?  Does anyone have any suggestions to improve it?  Below is
> what I put into rc.local including comments in case I forget later what
> each part does.  Wallace is the linux box.  Ladmo is the windows box.
>  Thanks.
>
You can tighten up your source and destination by network subnet also:

# Masquerade only traffic from the LAN subnet, and not traffic bound for the
# upstream 10.0.1.0/24 network ("! -d" is the current iptables negation syntax;
# the older "-d ! net" form is deprecated)
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE



> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED
> -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> # The 3 above allow for nat and forwarding to Ladmo.  This allows me to do
> stuff online from Ladmo.
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to
> 192.168.0.2:40998
> # Allows bittorrent clients on the net to contact mine.
>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED
> -j ACCEPT
> # Allows me to surf the web from Wallace.
>
> iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED
> -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED
> -j ACCEPT
> #allows dns to work on Wallace.
>
#Opening both tcp and udp DNS (from EVERYONE) will allow me to do all
#sorts of nefarious things via a DNS (trusted port) attack:
#
#http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
#http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
#http://www.exploit-db.com/exploits/16748/
#At the very least open instead source and destination udp only to your DNS
#servers and use random ports:


# Wallace (192.168.1.23) is a DNS client: queries leave from an ephemeral
# (random) source port to port 53 on the named resolver only
iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies come back from port 53 on that resolver to the ephemeral port, and
# only for a query conntrack has already seen
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


#Add logging:  You need both rules
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '

> iptables -A INPUT -i eth0 -j DROP
> #Drops unwanted incoming packets.
> ---------------------------------------------------
>

Adding a list of RFC 1419 private ip addresses might be nice but if you
tighten up your nat masquerade rule, they won't be necessary.

Also, if you can access the web via port 443, I would be worried that you
are getting packets from a switch on the other port eth1 outbound/inbound?

Test it...

-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
<http://it-clowns.com>
Safeway.com Automation Engineer
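As an added example (not Derek's rc.local and not the rules Lisa posted), here is the whole ruleset rebuilt with the tightening discussed in this thread: MASQUERADE limited to the LAN subnet, DNS allowed only to named resolvers from ephemeral source ports, and a LOG rule in front of the DROP. It goes a little beyond the thread by setting deny-by-default chain policies, adding the FORWARD rule the port forward then needs, rate-limiting the log, and allowing 443 as well as 80. Interface names, subnet, Ladmo's address and the resolver list are assumptions (the 192.168.0.2 target comes from Derek's DNAT rule; the rest are placeholders). By default the script only prints the rules it would load; set APPLY=1 and run it as root to load them.

```sh
#!/bin/sh
# Hardened rc.local-style firewall for Wallace (added example, not the
# thread's own script). Addresses and interfaces below are placeholders.
WAN=eth0                        # interface facing the DSL modem
LAN=eth1                        # interface facing Ladmo
LAN_NET=192.168.0.0/24          # subnet behind Wallace (assumed)
LADMO=192.168.0.2               # Windows box, from the DNAT rule in the thread
DNS_SERVERS="8.8.8.8 8.8.4.4"   # the only resolvers Wallace may query (assumed)
TORRENT_PORT=40998              # port forwarded to the bittorrent client

# Dry run unless APPLY=1: "echo" stands in for iptables and prints each rule
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT=echo; fi

build_rules() {
    # Clean slate, deny by default on every chain
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, and replies to flows conntrack already knows about
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT for Ladmo: masquerade only the LAN subnet, only out the WAN side
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port forward for the bittorrent client; with FORWARD policy DROP the
    # DNAT'd packets also need an explicit FORWARD accept
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$TORRENT_PORT" -j DNAT --to-destination "$LADMO:$TORRENT_PORT"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$LADMO" --dport "$TORRENT_PORT" -m state --state NEW -j ACCEPT

    # Web browsing from Wallace itself (replies are covered by ESTABLISHED above)
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # DNS: UDP only, only to the listed resolvers, from ephemeral source ports.
    # No INPUT rule opens port 53 to the world; replies match ESTABLISHED.
    for dns in $DNS_SERVERS; do
        $IPT -A OUTPUT -o "$WAN" -p udp --sport 1024:65535 -d "$dns" --dport 53 -m state --state NEW -j ACCEPT
    done

    # Log what is about to be dropped (rate limited so the log cannot be
    # flooded), then drop it
    $IPT -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-level 4 --log-prefix 'InDrop '
    $IPT -A INPUT -i "$WAN" -j DROP
}

# Self-check helper: number of -A rules the script would load (dry run)
count_rules() { ( IPT=echo; build_rules ) | grep -c -- '-A '; }

build_rules
```

After loading the rules, verify them from outside as Lisa suggests rather than trusting the script: an nmap of Wallace's DSL address from another network should show only 40998 open, and the kernel log should carry `InDrop` entries for anything it rejects. Anything else Wallace must accept (for example ssh from the LAN) needs its own rule, because every chain now defaults to DROP.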