Sunday, July 03, 2005

Re: Firewall-troubleshooting

Hi,

My firewall script doesn't have a problem with its rules; it is just
missing something important, because when firehol tries it, it doesn't give
any significant errors. When I turn on my previous firewall it works fine.
The place I am working in is a remote place where I am just setting up a
network. I have a small sized network here and my connection is Rogers
cable. I seem to have problems just accepting anything. I believe it to be
the cause of some faulty strategy I had when making these rules up, or
maybe I need something extra that I haven't yet added. I am going to
display the iptables-save output in the hopes that someone might understand
the problem quicker than me.

Best Regards

kc

# Generated by iptables-save v1.2.11 on Sun Jul 3 18:18:43 2005
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Sun Jul 3 18:18:43 2005
# Generated by iptables-save v1.2.11 on Sun Jul 3 18:18:43 2005
*mangle
:PREROUTING DROP [939:56233]
:INPUT ACCEPT [37647:1995360]
:FORWARD ACCEPT [120683:61189142]
:OUTPUT DROP [128:10168]
:POSTROUTING ACCEPT [157981:67483601]
COMMIT
# Completed on Sun Jul 3 18:18:43 2005
# Generated by iptables-save v1.2.11 on Sun Jul 3 18:18:43 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:EXT-icmp-in - [0:0]
:EXT-icmp-out - [0:0]
:EXT-input - [0:0]
:EXT-log-in - [0:0]
:EXT-log-out - [0:0]
:EXT-output - [0:0]
:connection-tracking - [0:0]
:destination-address-check - [0:0]
:local-dhcp-client-query - [0:0]
:local-dns-server-query - [0:0]
:local-tcp-client-request - [0:0]
:local-tcp-server-response - [0:0]
:local-udp-client-request - [0:0]
:log-tcp-state - [0:0]
:remote-dhcp-server-response - [0:0]
:remote-dns-server-response - [0:0]
:remote-tcp-client-request - [0:0]
:remote-tcp-server-response - [0:0]
:remote-udp-server-response - [0:0]
:source-address-check - [0:0]
:tcp-state-flags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j tcp-state-flags
-A INPUT -j connection-tracking
-A INPUT -i eth1 -p udp -m udp --sport 67 --dport 68 -j remote-dhcp-server-response
-A INPUT -p ! tcp -j source-address-check
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j source-address-check
-A INPUT -j destination-address-check
-A INPUT -d 192.168.3.1 -i eth1 -j EXT-input
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p udp -j DROP
-A INPUT -j EXT-log-in
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -j tcp-state-flags
-A OUTPUT -j connection-tracking
-A OUTPUT -o eth1 -p udp -m udp --sport 68 --dport 67 -j local-dhcp-client-query
-A OUTPUT -j destination-address-check
-A OUTPUT -s 192.168.3.1 -d 224.0.0.0/240.0.0.0 -o eth1 -p udp -j DROP
-A OUTPUT -s 192.168.3.1 -o eth1 -j EXT-output
-A OUTPUT -j EXT-log-out
-A EXT-icmp-in -f -j LOG --log-prefix "Fragmented incoming ICMP: "
-A EXT-icmp-in -f -j DROP
-A EXT-icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A EXT-icmp-in -s 24.156.100.1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A EXT-icmp-in -s 24.156.100.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A EXT-icmp-out -f -j LOG --log-prefix "Fragmented outgoing ICMP: "
-A EXT-icmp-out -f -j DROP
-A EXT-icmp-out -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A EXT-icmp-out -d 24.156.100.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A EXT-input -p udp -m udp --sport 53 --dport 53 -j remote-dns-server-response
-A EXT-input -p udp -m udp --dport 1024:65535 -j remote-udp-server-response
-A EXT-input -p icmp -j EXT-icmp-in
-A EXT-log-in -p icmp -m icmp ! --icmp-type 8 -m limit --limit 3/hour -j LOG
-A EXT-log-in -p tcp -m tcp --dport 0:650 -j LOG
-A EXT-log-in -p udp -m udp --dport 0:110 -j LOG
-A EXT-log-out -j LOG
-A EXT-output -p udp -m udp --sport 53 --dport 53 -j local-dns-server-query
-A EXT-output -p tcp -m tcp --sport 1024:65535 --dport 53 -j local-dns-server-query
-A EXT-output -p tcp -m tcp --sport 53 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j remote-dns-server-response
-A EXT-output -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j local-tcp-server-response
-A EXT-output -p udp -m udp --sport 1024:65535 -j local-udp-client-request
-A EXT-output -p icmp -j EXT-icmp-out
-A connection-tracking -m state --state RELATED,ESTABLISHED -j ACCEPT
-A connection-tracking -m state --state INVALID -j LOG --log-prefix "INVALID packet:"
-A connection-tracking -m state --state INVALID -j DROP
-A destination-address-check -d 255.255.255.255 -j DROP
-A destination-address-check -d 192.168.3.0 -j DROP
-A destination-address-check -d 192.168.3.255 -j DROP
-A destination-address-check -d 224.0.0.0/240.0.0.0 -p ! udp -j DROP
-A destination-address-check -p tcp -m tcp --dport 6000:6063 --tcp-flags SYN,RST,ACK SYN -j DROP
-A local-dhcp-client-query -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
-A local-dhcp-client-query -s 0.0.0.0 -d 24.153.100.1 -j ACCEPT
-A local-dhcp-client-query -s 192.168.3.1 -d 24.153.100.1 -j ACCEPT
-A local-dns-server-query -d 24.153.22.195 -m state --state NEW -j ACCEPT
-A local-dns-server-query -d 24.153.23.66 -m state --state NEW -j ACCEPT
-A local-dns-server-query -d 130.63.168.21 -m state --state NEW -j ACCEPT
-A local-dns-server-query -d 24.153.22.195 -j ACCEPT
-A local-dns-server-query -d 24.153.23.66 -j ACCEPT
-A local-dns-server-query -d 130.63.168.21 -j ACCEPT
-A local-tcp-client-request -d 24.51.33.11 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A local-tcp-client-request -d 24.51.33.11 -p tcp -m tcp --dport 22 -j ACCEPT
-A local-tcp-client-request -p tcp -m multiport --dports 80,443 -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A local-tcp-client-request -p tcp -m multiport --dports 80,443 -j ACCEPT
-A local-tcp-server-response -d 24.51.33.11 -p tcp -m tcp --sport 22 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A log-tcp-state -p tcp -j LOG --log-prefix "Illegal TCP state: " --log-tcp-options --log-ip-options
-A log-tcp-state -j DROP
-A remote-dhcp-server-response -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
-A remote-dhcp-server-response -s 24.153.100.1 -d 255.255.255.255 -j ACCEPT
-A remote-dhcp-server-response -s 24.153.100.1 -j ACCEPT
-A remote-dns-server-response -d 24.153.22.195 -j ACCEPT
-A remote-dns-server-response -d 24.153.23.66 -j ACCEPT
-A remote-dns-server-response -d 130.63.168.21 -j ACCEPT
-A remote-tcp-client-request -s 24.51.33.11 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A remote-tcp-client-request -s 24.51.33.11 -p tcp -m tcp --dport 22 -j ACCEPT
-A remote-tcp-server-response -s 24.51.33.11 -p tcp -m tcp --sport 22 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A remote-tcp-server-response -p tcp -m multiport --sports 80,443 -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A source-address-check -s 10.0.0.0/255.0.0.0 -j DROP
-A source-address-check -s 172.16.0.0/255.240.0.0 -j DROP
-A source-address-check -s 192.168.0.0/255.255.0.0 -j DROP
-A source-address-check -s 224.0.0.0/240.0.0.0 -j DROP
-A source-address-check -s 240.0.0.0/248.0.0.0 -j DROP
-A source-address-check -s 127.0.0.0/255.0.0.0 -j DROP
-A source-address-check -s 0.0.0.0/255.0.0.0 -j DROP
-A source-address-check -s 169.254.0.0/255.255.0.0 -j DROP
-A source-address-check -s 192.0.2.0/255.255.255.0 -j DROP
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,ACK FIN -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags PSH,ACK PSH -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags ACK,URG URG -j log-tcp-state
COMMIT

Paul Gear wrote:
> Daniel Pittman wrote:
>
>>...
>>Shorewall, like many firewall packages, gives you[1] a whole bunch of
>>configuration options, which turn on or off features in the pre-packaged
>>firewall you have.
>>
>>This tends to make it hard to do strange things like playing with DSCP
>>tagging of packets, or deciding to use the 'uid' option to an iptables
>>rule, or whatever. The recent ipt_recent protection against SSH, etc,
>>brute force attacks is a good example of this sort of stuff.
>>
>>It also tends to encourage "shortcuts" in the firewall, like accepting
>>any RELATED/ESTABLISHED packets,
>
>
> Am i right in understanding that you consider accepting
> RELATED/ESTABLISHED packets a bad thing?
>
>
>>...
>>Shorewall was *NOT* one of the tools that I evaluated to the level of a
>>generated firewall -- it didn't let me do some of the stuff I was doing
>>already, so I didn't try it.
>
>
> What were the main things you wanted that shorewall didn't do?
>
>
>>...
>>Firehol suits me, personally, because it makes it easy to write a really
>>good and secure firewall, because it takes the hard work out of
>>iptables, but it still doesn't get in the way of doing, well, anything I
>>want.
>
>
> You can integrate arbitrary iptables commands into shorewall also.
>
>
>>...
>>
>>>I have heard some opinions like "shorewall is bad" so I'm really
>>>thinking of switching to something else. But I don't know why...
>>>no one was able to give me a good reason.
>>
>>...
>>Also, in general I don't recommend changing *anything* just because
>>someone else tells you they don't like it -- and if they can't tell you
>>*why*, it is just that they "don't like it."
>
>
> Couldn't agree more.
>

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
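An added diagnostic, not code from kc's post or from the list thread: it reads an iptables-save dump and flags DROP policies on the nat and mangle tables. Those tables exist for address rewriting and packet marking, not filtering, and a DROP policy there discards every unmatched packet before the filter chains ever run; the dump above shows exactly that shape, with non-zero drop counters on mangle PREROUTING and OUTPUT. The sample dump in the script is a constructed, trimmed copy of those policy lines.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# DROP policies on the nat and mangle tables. Those tables rewrite addresses and
# mark packets, they are not meant to filter; a DROP policy there discards every
# unmatched packet before the filter table sees it, so "nothing is accepted".

# One line per offending policy: "<table> <chain> <policy> [pkts:bytes]".
# Reads the file named in $1, or stdin when called without an argument.
audit_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }      # "*nat" -> table "nat"
        /^:/ && $2 != "-" {                        # built-in chain with a policy
            chain = substr($1, 2)
            if ((table == "nat" || table == "mangle") && $2 != "ACCEPT")
                printf "%s %s %s %s\n", table, chain, $2, $3
        }
    ' "${1:--}"
}

# Number of offending policies; 0 means nat and mangle are clean.
count_bad_policies() { audit_policies "$1" | wc -l | tr -d ' '; }

# iptables commands that would reset each offending policy to ACCEPT.
fix_commands() {
    audit_policies "$1" | awk '{ printf "iptables -t %s -P %s ACCEPT\n", $1, $2 }'
}

# Constructed sample: the policy lines of the dump in the post, trimmed.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
*mangle
:PREROUTING DROP [939:56233]
:INPUT ACCEPT [37647:1995360]
:OUTPUT DROP [128:10168]
COMMIT
*filter
:INPUT DROP [0:0]
:EXT-input - [0:0]
COMMIT
EOF
}

sample_dump | audit_policies   # lists the five nat/mangle DROP policies
sample_dump | fix_commands
```

Run it against a live box with `iptables-save | sh audit.sh` (after saving the block as audit.sh and removing the two sample calls at the bottom); filter-table DROP policies are deliberately ignored, since that is where a default-deny policy belongs.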
