[Sheflug] Re: Iptables
>>>>> "Alan" == Alan Dawson <Dawson> writes:
Alan> As a follower of this thread with interest I wonder if you
Alan> could clarify this last point...
Alan> As Richard is using a private non routable address range for
Alan> his internal LAN - 192.168.1.0/24 - I imagine it is possible
Alan> to produce packets with source 192.168.1.x and fire them
Alan> at his external ip - whatever ppp0 has bound to it -
Alan> from the internet, but as i understand the situation
Alan> impossible to gain a reply to them, as his machines would
Alan> not route their replies back to the attacker.
Alan> More simply put does his use of private ip range and
Alan> masquerading not protect him ..?
Last I heard private IPs are still routable - although many sites do
block them by default.
No - but there are a few things that you can/should do to stop people
spoofing packets with private IPs - like blocking those private IPs on
the input interface, and using the kernel's rp_filter to drop spoofed
packets.
Below is a quick firewall script that drops a lot of nasty packets to
start with, then relies on stateful filtering to deal with the
traffic.
It might not even work as it stands, but it shouldn't be far off :-)
#!/bin/sh
#
# Skeleton firewall. Untested.
#
# Drop everything by default. (REJECT is not a valid chain policy -
# only ACCEPT and DROP are - so OUTPUT is set to DROP here.)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP # Your choice on this one.
### iptables -P OUTPUT ACCEPT
# Start from a clean slate so this script is the whole ruleset.
iptables -F
iptables -t nat -F
# Anything coming from our internal network should have our private
# address(es). The LAN in this thread is 192.168.1.0/24, so match that
# (the original had 192.168.0.0/24, which would have dropped all LAN traffic).
iptables -A FORWARD -i eth0 ! -s 192.168.1.0/24 -j DROP
# Anything coming from the Internet should have a real Internet
# address.
# There are more than just this to deal with.
iptables -A FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
# Kill spoofed packets: reverse-path check on every interface.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done
# Turn on syncookie support
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Set the dynamic address flag - for dynamic IP dialups etc.
# If on fixed IP, comment this out.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Basic, untested ruleset. Rules are appended (-A) in the order they
# should be evaluated; the original used -I, which inserts at the head
# of the chain and so put the ACCEPT rules ahead of the anti-spoofing
# DROPs above.
# Allow SSH from eth0 to admin box.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
    --dport ssh -j ACCEPT
# Replies from this box for accepted connections (e.g. the SSH session).
# Stateful matching is "-m state --state ..." (the original had "-m --state").
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED \
    -j ACCEPT
# Nothing new or broken may come in from the Internet ...
iptables -A FORWARD -i ppp0 \
    -m state --state NEW,INVALID -j DROP
# ... but replies to connections the LAN opened may.
iptables -A FORWARD -i ppp0 -o eth0 \
    -m state --state RELATED,ESTABLISHED \
    -j ACCEPT
# The LAN may open new connections outwards.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -o ppp0 \
    -m state --state NEW,RELATED,ESTABLISHED \
    -j ACCEPT
# MASQUERADE to ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Activate the forwarding!
echo 1 > /proc/sys/net/ipv4/ip_forward
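To show why the two measures above complement each other, here is an added Python model (not from the original post) of the address-range rules and of rp_filter's reverse-path check, run against a constructed routing table for the box in this thread: 192.168.1.0/24 on eth0, default route via ppp0.

```python
import ipaddress

# Constructed routing table: LAN on eth0, everything else out via ppp0.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
]
# RFC 1918 ranges the script drops when they arrive on ppp0.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def ingress_filter(iface, src):
    """The address-range rules: LAN-only on eth0, no RFC 1918 on ppp0."""
    src = ipaddress.ip_address(src)
    if iface == "eth0" and src not in LAN:
        return "DROP"
    if iface == "ppp0" and any(src in net for net in PRIVATE):
        return "DROP"
    return "PASS"


def rp_filter(iface, src, routes=ROUTES):
    """Strict reverse-path check: spoofed if the route back to src does not
    leave through the interface the packet arrived on."""
    return "PASS" if route_lookup(src, routes) == iface else "DROP"


def verdict(iface, src):
    """Reverse-path check happens at routing, before the FORWARD rules."""
    if rp_filter(iface, src) == "DROP":
        return "DROP (rp_filter)"
    if ingress_filter(iface, src) == "DROP":
        return "DROP (iptables)"
    return "PASS"
```

A 192.168.1.x source arriving on ppp0 is caught by rp_filter alone, but a 10.x source on ppp0 is not (its reverse path is the default route, which is ppp0), so the explicit RFC 1918 rules are still needed.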
--
Barrie J. Bremner OpenPGP public key ID: F78CEE08
baz [at] barriebremner.com http://barriebremner.com/
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.