Road Map

• Ipchains revisited
• Phase 1:Crawl before walk
• A Simple Case
• Prerequisites
• Finding the DHCP address
• Barebones ipchains
• Starting point
• Set a policy for forward chain
• Now add the masquerade
• Phase 2: Pull up the drawbridges
• /etc/inetd.conf
• Phase 3: Testing
• Phase 4: On to greater things
• Appendix: Script example
• Script example, con't
• Script example con't
• Script example con't

Phase 1:Crawl before walk

• The secret of success:
• Start with the simplest case.
• Then, once it is in hand, superimpose frills stepwise

A Simple Case

• A network behind a Linux box firewall
• DHCP broadband connection
• Users on network need only email and browsing
• Linux box not running Xwindows
• No servers for users outside local network.

Prerequisites

• Make sure kernel is set up for masquerading:
• depmod - a
• modprobe ip_masq_user
• modprobe ip_masq_ftp
• modprobe ip_masq_irc
• modprobe ip_masq_raudio
• modprobe ip_masq_cuseeme
• echo "1">/proc/sys/net/ipv4/ip_forward
• echo "1">/proc/sys/net/ipv4/ip_always_defrag
• echo "1">/proc/sys/net/ipv4/ip_dynaddr
• Ipchains - M - S 3600 10 50 (setting timeouts)

Finding the DHCP address

• Classic Unix!
• Look in ifconfig output: ifconfig
• Pipe to grep: |grep - A 2 "eth0"
• Pipe to awk: |awk '/inet/ {print $2}'
• Pipe to sed: |sed - e s/addr://
• Put it all together and put result in an environmental variable:
• IPADDR =" `ifconfig|grep - A 2 "eth0"|awk '/inet/ {print $2}' \ |sed - e s/addr:// ` "
• (For reference, output of ifconfig looks like:
• eth0 Link encap:Ethernet HWaddr 00:E0:98:05:7B:0F
• inet addr:192.168.7.35 Bcast:192.168.7.255 Mask:255.255.255.0
• UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
• etc )

Barebones ipchains

• There are three basic chains:

Starting point

• To see where you start, type
• ipchains - L
• to get an output like
• Chain input (policy ACCEPT):
• Chain forward (policy ACCEPT):
• Chain output (policy ACCEPT):

Set a policy for forward chain

• Type
• ipchains =---P forward DENY
• and now ipchains --L will show
• Chain input (policy ACCEPT):
• Chain forward (policy DENY):
• Chain output (policy ACCEPT):

Now add the masquerade

• Type (all on one line):
• ipchains =---A forward
• --- -s 192.168.1.0/255.255.255.0
• - j MASQ
• and now ipchains --L will add
• target prot opt source destination ports
• MASQ all - - - - - - localnet/24 anywhere n/a
• to that previous
• Chain forward (policy DENY):

Phase 2: Pull up the drawbridges

• Disable ports/services you do not need.
• Examples:
• ftp (port 21) ident (113)
• telnet (23) netbios (139)
• smtp (25) http (180)
• pop3 (110) imap (123)
• finger (79)
• (If needed later, can be activated at that time
• along with appropriate ipchains rules.)

/etc/inetd.conf

• Here is where you can disable ports/services.
• S imply "comment out" lines of unneeded/risky
• services. For example, change a line like:
• ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
• to
• #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
• then, when all such entries are made,
• inform the inet daemon, inetd, with
  • killall -- HUP inetd

Phase 3: Testing

• Now, from a browser on a box inside the
• network, go to
• http://www.grc.com
• and click on Shields Up, then Test my shields.
• When that reports back, click Probe my ports.
• You get a report of holes you may have left in
• your defenses.

Phase 4: On to greater things

• At this point, your network boxes should be
• able to send/receive email and browse the web.
• If you now wish to add fancier services, do it
• one at a time. Reactivate in /etc/inetd.conf
• and then add appropriate ipchains rules to
• minimize added risk.
• ( See appendix for sample script illustrating the general idea.)

Appendix: Script example

Script example, con't

Script example con't

Script example con't