[Plug-security] ipchains vs iptable
Rusty Carruth
plug-security@lists.PLUG.phoenix.az.us
Sun, 10 Mar 2002 12:09:57 -0700 (MST)
>
> Okay, I'm trying to get port forwarding working on my home system, so
> that any request for port 8081 on my gateway box would go to port 80 on
> my webserver. In my firewall script I have the following variables set.
>
> $WEB_SERVER - My internal webserver
> $EXTERNAL_INTERFACE - the nic card going out to the world
> $INTERNAL_INTERFACE - the nic card going to my internal network
> $IPADDR - external ip address
>
> From my reading I *think* these are the iptables rules I would want to set
> up
Well, there are some weaknesses in the following rc.firewall thing (mostly
paranoia-type stuff ;-), but here's my current setup:
#!/bin/bash
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.1/2.x kernels using IPchains
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current available IP MASQ modules
# are shown below but are commented out from loading.
P25ACCEPTOR=98765 # see redirect rule way below. (no leading $ on assignment)
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
/sbin/modprobe ip_masq_raudio
#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# This used to be a compile-time option but the behavior was changed in 2.2.12
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# comment from RC - I hacked up a workaround for this - you should probably use
# this if you have dynip instead of trying to use the hack I did... (which I'm
# not including here!) - rc
# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with DialD, PPPd, and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# set up ip addresses and such
extip=<yourexternalIPaddrGoesHere>
extint="ppp0"
# where is the inside of the firewall? set it below
intint="eth0"
intnet="10.40.0.0/15"
#set -v -x
# flush all the chains.
ipchains -F forward
ipchains -F output
ipchains -F input
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60 -v
# internal net to internal net, no problem with anything (for now!)
# -i takes an interface name, so it is $intint (eth0) here, not the $intnet network
ipchains -A input -v -i $intint -s $intnet -d $intnet -j ACCEPT
ipchains -A input -v -i lo -s $intnet -d $intnet -j ACCEPT
# I don't think I want microsloth names service over the net! ESPECIALLY
# outbound!
# (again -i wants the interface, $intint, not the network; a rule with
# -i 10.40.0.0/15 would load but never match anything)
ipchains -A input -v -i $intint -s $intnet 137 -p tcp -d 0.0.0.0/0 -j REJECT -l
ipchains -A input -v -i $intint -s $intnet 137 -p udp -d 0.0.0.0/0 -j REJECT -l
ipchains -A input -v -i $intint -s $intnet 138 -p tcp -d 0.0.0.0/0 -j REJECT -l
ipchains -A input -v -i $intint -s $intnet 138 -p udp -d 0.0.0.0/0 -j REJECT -l
ipchains -A input -v -i $intint -s $intnet 139 -p tcp -d 0.0.0.0/0 -j REJECT -l
ipchains -A input -v -i $intint -s $intnet 139 -p udp -d 0.0.0.0/0 -j REJECT -l
# other things I don't want going out (one tcp and one udp rule per port, as above):
ipchains -A input -v -i $intint -s $intnet 67 -p tcp -d 0.0.0.0/0 -l -j REJECT # bootp
ipchains -A input -v -i $intint -s $intnet 67 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 68 -p tcp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 68 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 201 -p tcp -d 0.0.0.0/0 -l -j REJECT # appletalk
ipchains -A input -v -i $intint -s $intnet 201 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 202 -p tcp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 202 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 204 -p tcp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 204 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 206 -p tcp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 206 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 213 -p tcp -d 0.0.0.0/0 -l -j REJECT # ipx
ipchains -A input -v -i $intint -s $intnet 213 -p udp -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $intint -s $intnet 389 -p tcp -d 0.0.0.0/0 -l -j REJECT # ldap
ipchains -A input -v -i $intint -s $intnet 389 -p udp -d 0.0.0.0/0 -l -j REJECT
#ipchains -A input -v -i $intint -s $intnet 139 -p tcp -d 0.0.0.0/0 -l -j REJECT
#ipchains -A input -v -i $intint -s $intnet 139 -p udp -d 0.0.0.0/0 -l -j REJECT
# accept anything else from local interface going outbound:
ipchains -A input -v -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# local to local is ok
ipchains -A input -v -i lo -d 0.0.0.0/0 -j ACCEPT
# reject anything on ppp saying it's inside (anti-spoofing)
ipchains -A input -v -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -v -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# reject anything outside trying to use pop3
ipchains -A input -v -i $extint -p tcp -d 0.0.0.0/0 110 -l -j REJECT
ipchains -A input -v -i $extint -p udp -d 0.0.0.0/0 110 -l -j REJECT
# redirect port 25 to $P25ACCEPTOR
ipchains -A input -v -i $extint -p tcp -d 0.0.0.0/0 25 -j REDIRECT $P25ACCEPTOR
ipchains -A input -v -i $extint -p udp -d 0.0.0.0/0 25 -j REDIRECT $P25ACCEPTOR
# accept anything already connected.
ipchains -A input -v -i $extint -p TCP ! -y -d 0.0.0.0/0 -j ACCEPT
# accept any outside packets to SSH and SMTP (on both udp and tcp)
ipchains -A input -v -i $extint -p tcp -d $extip/32 22 -j ACCEPT
# real soon now we will remove these 2:
ipchains -A input -v -i $extint -p tcp -d $extip/32 25 -j ACCEPT
ipchains -A input -v -i $extint -p udp -d $extip/32 25 -j ACCEPT
# allow dns REPLIES
# note the direction here!
ipchains -A input -v -i $extint -p tcp -s 0.0.0.0/0 53 -d $extip/32 -j ACCEPT
ipchains -A input -v -i $extint -p udp -s 0.0.0.0/0 53 -d $extip/32 -j ACCEPT
# disallow icmp redirect
# ipchains takes the ICMP type in the source "port" position, so 0.0.0.0/0 5 = type 5 (redirect)
ipchains -A input -i $extint -p ICMP -s 0.0.0.0/0 5 -l -j REJECT
# but allow other ICMP thingys
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -p ICMP -j ACCEPT
# disallow all others and log.
/sbin/ipchains -A input -v -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# ipchains -L -n -v
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -s $intnet -d 0.0.0.0/0 -j MASQ
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
exit 0
My guess is that you'd change the line that says:
ipchains -A input -v -i $extint -p tcp -d 0.0.0.0/0 25 -j REDIRECT $P25ACCEPTOR
to something like
ipchains -A input -v -i $extint -p tcp -d 0.0.0.0/0 25 -j REDIRECT $P25ACCEPTOR
where you've defined P25ACCEPTOR as machine/port. But I'm guessing, sorry.
(If you are looking for a difference, you won't find one ;-)
The other option would be to redirect to a local port and use redir to redirect
to a different machine.
Hope this is a tiny bit helpful, anyway.
rc
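Added example, not part of the original thread or of the poster's rc.firewall: the iptables (2.4 kernel) form of what the question asks for, "port 8081 on the gateway goes to port 80 on the internal webserver". ipchains REDIRECT can only send traffic to a port on the firewall itself, which is why the reply above falls back to redir; iptables DNAT in the nat table can rewrite the destination to another host, and the FORWARD chain then decides whether that rewritten traffic is allowed through. The variable names follow the question; the default values are constructed placeholders, and the script prints the rules unless APPLY=1 is set, so it can be reviewed before it touches a live box.

```bash
#!/bin/bash
# Added example, not from the original post or the poster's rc.firewall.
# iptables equivalent of: external port 8081 -> $WEB_SERVER:80.
# Variable names follow the question; defaults are constructed placeholders.
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"            # internal web server (constructed)
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth1}"    # NIC facing the world (assumed)
INTERNAL_INTERFACE="${INTERNAL_INTERFACE:-eth0}"    # NIC facing the LAN (assumed)
IPADDR="${IPADDR:-203.0.113.5}"                     # external address (constructed, TEST-NET-3)

# Apply only when APPLY=1 (needs root); otherwise print each rule for review.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

enable_forwarding() {
    # Same sysctl the ipchains script sets; without it nothing crosses the gateway.
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    fi
}

forward_rules() {
    # Default deny for forwarded traffic, like "ipchains -P forward DENY" above,
    # so only what is explicitly listed gets through the box.
    ipt -P FORWARD DROP
    # 1. nat/PREROUTING runs before the routing decision: rewrite the destination
    #    so the packet is routed to the web server instead of delivered locally.
    ipt -t nat -A PREROUTING -i "$EXTERNAL_INTERFACE" -p tcp -d "$IPADDR" --dport 8081 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # 2. filter/FORWARD sees the packet *after* DNAT, so match the rewritten
    #    destination (web server, port 80), not the public 8081.
    ipt -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" -p tcp \
        -d "$WEB_SERVER" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. Replies from the web server: only packets of a connection rule 2 admitted.
    #    Reverse translation of the reply happens in POSTROUTING, so here the
    #    source is still the web server's own address.
    ipt -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$WEB_SERVER" --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

enable_forwarding
forward_rules
# To verify on a live box: iptables -t nat -L PREROUTING -n -v ; iptables -L FORWARD -n -v
```

Run it once without APPLY to read the four commands it would issue, then with `APPLY=1` as root to install them. Note that the FORWARD rule matches the post-DNAT destination (the web server on port 80), a common source of confusion when moving from ipchains, where there was no separate nat table and the forward chain saw the original addresses.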