
[Sheflug] Re: Iptables



>>>>> "Alan" == Alan Dawson <Dawson> writes:

    Alan> As a follower of this thread with interest I wonder if you
    Alan> could clarify this last point...

    Alan> As Richard is using a private non-routable address range for
    Alan> his internal LAN - 192.168.1.0/24 - I imagine it is possible
    Alan> to produce packets with source 192.168.1.x and fire them
    Alan> at his external IP - whatever ppp0 has bound to it -
    Alan> from the Internet, but as I understand the situation
    Alan> impossible to gain a reply to them, as his machines would
    Alan> not route their replies back to the attacker.

    Alan> More simply put, does his use of a private IP range and
    Alan> masquerading not protect him?

Last I heard private IPs are still routable - although many sites do
block them by default.

No - but there are a few things that you can/should do to stop people
spoofing packets with private IPs - like blocking those private IPs on
the input interface, and using the kernel's rp_filter to drop spoofed
packets.

Below is a quick firewall script that drops a lot of nasty packets to
start with, then relies on stateful filtering to deal with the
traffic.
It might not even work as it stands, but it shouldn't be far off :-)


#!/bin/sh
#
# Skeleton firewall. Untested.
#
# eth0 is the internal LAN (192.168.1.0/24), ppp0 is the Internet link.
# Rules are appended with -A so they are evaluated in the order written:
# the spoof drops first, then the stateful rules.

LAN=192.168.1.0/24

# Drop everything by default.
# A built-in chain policy can only be ACCEPT or DROP (iptables refuses
# REJECT as a policy); to REJECT locally generated traffic instead,
# append "iptables -A OUTPUT -j REJECT" as the last OUTPUT rule.

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP # Your choice on this one.
###    iptables -P OUTPUT ACCEPT

# Anything coming from our internal network should have our private
# address(es). ("! -s" is the current negation syntax; older iptables
# releases wrote it as "-s !".)

    iptables -A FORWARD -i eth0 ! -s $LAN -j DROP

# Anything coming from the Internet should have a real Internet
# address.
# There are more than just this to deal with.

    iptables -A FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
    iptables -A FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
    iptables -A FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP

# Kill spoofed packets: reverse-path filtering on every interface.

    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$i"
    done

# Turn on syncookie support
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Set the dynamic address flag - for dynamic IP dialups etc.
# If on fixed IP, comment this out.
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Basic, untested ruleset. The state match is "-m state --state ...".

# Allow SSH from eth0 (the LAN) to this box.

    iptables -A INPUT -i eth0 -p tcp -s $LAN \
             --dport ssh -j ACCEPT

    iptables -A INPUT -i lo -j ACCEPT

# Replies belonging to connections this box already has.
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED \
             -j ACCEPT

# Nothing new or invalid may come in from the Internet.
    iptables -A FORWARD -i ppp0 \
             -m state --state NEW,INVALID -j DROP

# Return traffic for connections the LAN opened.
    iptables -A FORWARD -i ppp0 -o eth0 \
             -m state --state RELATED,ESTABLISHED \
             -j ACCEPT

# The LAN may open connections to the Internet.
    iptables -A FORWARD -s $LAN -i eth0 -o ppp0 \
             -m state --state NEW,RELATED,ESTABLISHED \
             -j ACCEPT

# MASQUERADE to ppp0
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Activate the forwarding!
    echo 1 > /proc/sys/net/ipv4/ip_forward



-- 
Barrie J. Bremner		OpenPGP public key ID: F78CEE08
baz [at] barriebremner.com	http://barriebremner.com/
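A small audit of the two anti-spoofing measures recommended above, added here as an example and not part of the original post: it checks that rp_filter is 1 on every interface under a given /proc tree and that the FORWARD chain drops each RFC1918 range arriving on the external interface, reading iptables-save style output. The /proc root and rules file are parameters so it can run against a constructed sample; the function names, PROC_ROOT, RULES_FILE and EXT_IF are my own choices.

```shell
#!/bin/sh
# audit_antispoof PROC_ROOT RULES_FILE EXT_IF
#   PROC_ROOT  directory standing in for /proc (pass /proc on a live box)
#   RULES_FILE output of "iptables-save"
#   EXT_IF     the Internet-facing interface (ppp0 in the thread)
# Returns 0 when rp_filter is 1 everywhere and the FORWARD chain drops
# every RFC1918 source arriving on EXT_IF; otherwise prints what is
# missing and returns 1.
audit_antispoof() {
    proc_root=$1; rules=$2; ext_if=$3; bad=0
    for f in "$proc_root"/sys/net/ipv4/conf/*/rp_filter; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "1" ]; then
            echo "rp_filter not set: $f"; bad=1
        fi
    done
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
        # iptables-save prints -s before -i; accept either order anyway.
        if ! grep -Eq "^-A FORWARD .*(-i $ext_if .*-s $net|-s $net .*-i $ext_if) .*-j DROP" "$rules"; then
            echo "no DROP rule for $net on $ext_if"; bad=1
        fi
    done
    return $bad
}

# Constructed sample: a fake /proc tree with rp_filter=1 on every
# interface and an iptables-save dump containing the three drop rules.
make_sample() {
    root=$(mktemp -d)
    for i in all default lo eth0 ppp0; do
        mkdir -p "$root/sys/net/ipv4/conf/$i"
        echo 1 > "$root/sys/net/ipv4/conf/$i/rp_filter"
    done
    cat > "$root/rules" <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.0.0/16 -i ppp0 -j DROP
-A FORWARD -s 172.16.0.0/12 -i ppp0 -j DROP
-A FORWARD -s 10.0.0.0/8 -i ppp0 -j DROP
COMMIT
EOF
    echo "$root"
}

# Run against the constructed sample; on a real gateway use
#   iptables-save > /tmp/rules && audit_antispoof /proc /tmp/rules ppp0
sample=$(make_sample)
audit_antispoof "$sample" "$sample/rules" ppp0 && echo "anti-spoofing in place"
```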


___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.