
Re: IP Masquerading & ipfwadm



Hi all.

I've written some notes and a script
for IP firewalling in Linux.

I post this on the list for these reasons:
1. to find mistakes in my writing so it can
   be verified before adding it to the HOWTO
2. for newbies or users who have done no firewalling before.

Waiting for comments

Regards
Erez.


The original letter was sent to Michael L. Collins <mcollins@alpha.cs.uttyl.edu>

Hello Michael,

Because you want to make a HOWTO,
I'll try to make it as general as I can.

Please feel free to correct my English.

You should also know: all that I write here
is from experience, as well as rumors, so watch out.
( I take no responsibility for anything here;
  or in brief, see the HOWTO's standard disclaimer )

Regards
Erez.

I assume you connect to the internet with ppp0
and have the local net on eth0.

For the HOWTO, here is a short description of how to use ipfwadm.
The man page has more details but is less clear.


The Linux kernel has 3 IP firewall filters:
1. The input filter allows or discards packets
   according to the input firewall rules
2. The output filter allows or discards packets
   according to the output firewall rules
3. The forwarding filter allows, discards and/or
   masquerades packets according to the forwarding
   firewall rules

Note: A forwarded packet enters the firewall on
one interface and leaves it on another interface,
so if you want to forward a packet, you must first
allow it to enter ( input firewall rules ),
to be forwarded ( forwarding firewall rules ),
and to leave ( output firewall rules ).

To set the firewall filtering rules we use a utility
called ipfwadm.

Every ipfwadm command addresses a certain filter, so
on the command line you must specify -I for the input filter,
-O for the output filter, or -F for the forwarding filter.
( there is also -A for accounting rules, RTFM if you want to )
Note that only one of -O, -I, -F ( or -A ) is allowed
for each ipfwadm command.

At the beginning of our firewall script,
we use the -f switch to flush the old rules:
/sbin/ipfwadm -If
/sbin/ipfwadm -Of
/sbin/ipfwadm -Ff

( note that using the switches -I -f is the same as using -If )

Now choose a default policy with the -p switch:

/sbin/ipfwadm -Fp deny
/sbin/ipfwadm -Ip deny
/sbin/ipfwadm -Op deny

Now we set a policy; we append it to the end of
our firewall rules with the -a option.
( there is also an insert: the -i option. RTFM )
The policy may be deny or accept ( or reject, RTFM ).
The command looks like this:

ipfwadm -I|-O|-F -a accept|deny [-S host/mask port(s)] [-D host/mask port(s)]
[-P tcp|udp|icmp] [-k] [-o]


Hosts and nets:
To specify a host, we use its IP address
( we could also use the host name, but I do not
  recommend it. If you must use a name, see to it that
  this name is defined in /etc/hosts )

To use a net, we specify a net (or host) and a mask, as host/mask.
Instead of the normal mask as 4 decimal numbers ( e.g. 255.255.255.0 )
we may just specify the number of '1's in the mask.
For instance, 255.255.255.0 is in binary '11111111111111111111111100000000';
we may define it as the number of '1's, in this case 24.
So 192.168.1.2/255.255.255.0 is equivalent to 192.168.1.2/24

-S and -D switches:
We may specify a source ( -S ) or destination ( -D ) for a packet.
If we do not explicitly specify -S then all sources are allowed;
the same goes for -D.
We can use -S ( or -D ) in 3 ways:
1. ipfwadm ..... -S host ...
2. ipfwadm ..... -S host/mask ...
3. ipfwadm ..... -S host/mask port(s) ...
port(s) is either port numbers separated by space(s)
( e.g. -S host/mask 21 23 53 )
or a range ( e.g. -S host/mask 1024:65535 )
Notes:
1. not specifying port(s) at all is the same as
   specifying all ports ( i.e. -S host/mask
   is the same as -S host/mask 0:65535 )
2. port(s) may only be specified if a protocol was specified
   ( with the -P option )


-P and protocols:
We may specify a protocol ( i.e. -P tcp ).
The protocols are: tcp, udp and icmp.
Ports for icmp are defined in /usr/include/linux/icmp.h
tcp is used for ftp, mail (smtp and pop), telnet and more ...
udp is used for NFS and more ...
icmp is used for ping, traceroute, and messages like
   network unreachable.




Options:
-k : this is for tcp only.
In tcp, instead of sending an acknowledge packet
for every packet received, the ack is integrated
into the data packet ( if any ) which is sent
to the other side. So every packet, excluding
the first one, has an acknowledge bit set.
If we do not allow incoming packets which do not
have an ack bit set, then we do not allow entrance
to the packet that initiates a tcp connection, so we
do not allow a tcp connection to be initiated from
outside, but only from inside.
(warning: I did not check what happens if the ack bit
 is set by an outside hacker on the first tcp connection's
 packet; will the kernel accept it as a new tcp connection?
 I do not think so ( at least Linux ), but I did not check,
 and haven't heard of anyone that did. I also did not try
 to understand it from the kernel sources)

-o : used for deny, logs the denied packet in the kernel log
( usually written to /var/log/messages )


Masquerading (in brief):
The firewall's forwarding masquerading rules select
which packets will be masqueraded.
Masquerading means that the firewall, before forwarding
the packets, changes them so it looks like the firewall
is the source of the packet. Then when a packet is received
back at the firewall, it changes it back again, and sends
it to the real destination of the packets.
( the firewall assigns a masqueraded port for every
port in use of every masqueraded host. )

Why use masquerading:
1. you need only one real IP address for an entire network
2. only internal hosts can initiate a connection
   ( if an external packet arrives at a port of the
     firewall, with no packet masqueraded from this port,
     then the firewall does not know where to forward it to. )
   Note that this may be good, or maybe a problem.
   If you do want some port to be accessible from the outside,
   you may forward some ports of some hosts without masquerading.


Now if that was not clear, you can find some examples in the attached
firewall script.


This is the firewall script for box #1

But some notes before:

While running this script, because we use a default policy
of deny, the computer will be disconnected from any network
before reconnecting again, so we stick with full paths in the
script, so it will not look for ipfwadm and any other utils on
NFS or smb mounts, and get stuck.

---------------------- cut here ---------------
#! /bin/tcsh -fb

# announce setting firewall
echo -n "Setting firewall rules ... "

# local computer on eth0 is 10.0.69.1
setenv LOCAL_HOST 10.0.69.1

# /24 means that netmask is 24x'1' and 8x'0' ->
# binary: '11111111111111111111111100000000' -> 255.255.255.0
# if you had a netmask of 255.255.255.128 - you have 25x'1' and
#   7x'0', so you should write /25 instead of /24
setenv LOCAL_NET ${LOCAL_HOST}/24

# local ip on ppp0, this is the connection to the internet
setenv LOCAL_PPP_IP 206.76.228.241


# flush all old firewall rules
/sbin/ipfwadm -F -f
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f

# set the default policy to deny-all
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -O -p deny


# I trust my local users, so I allow all connections from
# eth0 and loopback; if you do not, you have to add some rules here

# allow all communications on the internal interface
/sbin/ipfwadm -O -a accept -W eth0
/sbin/ipfwadm -I -a accept -W eth0

# allow all communications on the loopback interface
/sbin/ipfwadm -I -a accept -W lo
/sbin/ipfwadm -O -a accept -W lo

# remote interface, claiming to be local machines ->
# IP spoofing: get lost !  ( -o logs the denied packet )
/sbin/ipfwadm -I -a deny -W ppp0 -S ${LOCAL_NET} -o

# TCP connections:
# I do not know if using the -k option is secure enough,
# maybe I should restrict the range of the ports
# but for now I allow all ports, and hope -k is secure enough
# ( -k says that it allows only packets which also acknowledge
# old packets, so this excludes the packet that initiates a tcp
# connection, so nobody can open a tcp connection from outside )
# note that if you do not use ip_masq, you should replace
# ${LOCAL_PPP_IP} with ${LOCAL_NET} in the next line
/sbin/ipfwadm -I -a accept -W ppp0 -D ${LOCAL_PPP_IP} -P tcp -k
# if you use this host for masquerading only, and
# this box does not need tcp connections of its own, you should
# restrict the ports to 61000:65096 ( these are the masquerade ports,
# defined in the kernel in /usr/src/linux/include/net/ip_masq.h )
# so you should replace the above line with:
#/sbin/ipfwadm -I -a accept -W ppp0 -D ${LOCAL_PPP_IP} 61000:65096 -P tcp -k

# UDP connections:

# allow udp packets to all masqueraded machines ( the masquerade port range )
/sbin/ipfwadm -I -a accept -W ppp0 -D ${LOCAL_PPP_IP} 61000:65096 -P udp

# for this machine I allow udp port 53, which is for the nameserver,
# and 4000, which is for ICQ
# you should add any other ports you need
/sbin/ipfwadm -I -a accept -W ppp0 -D ${LOCAL_PPP_IP} 53 4000 -P udp

# ICMP
# I allow some icmp msgs, like the reply for ping - icmp/0
# ( the numbers after -S are icmp types, see /usr/include/linux/icmp.h )
/sbin/ipfwadm -I -a accept -W ppp0 -D ${LOCAL_PPP_IP} -P icmp -S 0/0 0 3 11 12
# if you want others to be able to ping you,
# add 8 to the above line (icmp/8 = ICMP_ECHO)

# allow the local host to output packets:
/sbin/ipfwadm -O -a accept -W ppp0 -S ${LOCAL_PPP_IP}

# the next line is a panic setting; if you have configured
# your kernel and this script correctly it has no use,
# but to be on the safe side, I write it.
# the line denies non-ip-masqueraded access for the local net
/sbin/ipfwadm -O -a deny -W ppp0 -S ${LOCAL_NET} -o
# the -o option logs any such denied packets to /var/log/messages
# another panic setting, which could happen when the routing table
# is not configured properly:
# deny packets to the local net which go to the internet instead
/sbin/ipfwadm -O -a deny -W ppp0 -D ${LOCAL_NET} -o

# if you have an http proxy ( I use squid ) and you want to deny
# non-proxy access to the internet, then deny access to port 80 on
# the internet by uncommenting the next line:
#/sbin/ipfwadm -Fa deny -P tcp -S ${LOCAL_NET} -D 0/0 80 -o

# MASQUERADING
# masquerade from the local net on the local interface to anywhere.
/sbin/ipfwadm -Fma accept -S ${LOCAL_NET}
# note that this line is good only if you do NOT have
# your local network connected to this machine on more
# than one interface.


# now deny and log everything we didn't explicitly allow
/sbin/ipfwadm -I -a deny -o
/sbin/ipfwadm -F -a deny -o
/sbin/ipfwadm -O -a deny -o


# say we are done
echo "Done"

# that's it
exit 0

-------------------------------- cut here --------------------------





Michael L. Collins wrote:

>
>
> Thanks Erez,
> I would appreciate your help with the security issues.
> Prior, I have been only concerned with getting communications
> but I now am able to  ping  through the ip-masq gateway.
> So, the security is what I am looking at.
> Here is info on what I am currently running.
>
> Here is what Box #1 route table looks like:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   irtt Iface
> 206.76.228.241  0.0.0.0         255.255.255.255 UH         0 ppp0
> 10.0.69.0       0.0.0.0         255.255.255.0   U          0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U          0 lo
> 0.0.0.0         206.76.228.241  0.0.0.0         UG         0 ppp0
>
> eth0 on Box #1 is 10.0.69.1
> 206.76.228.241 is the remote ppp0 interface.
>
> Here is what Box #2 route table looks like:
>
> Kernel IP routing table
> Destinati    Gateway         Genmask         Flags   irtt Iface
> 10.0.69.0    0.0.0.0         255.255.255.0   U          0 eth0
> 127.0.0.0    0.0.0.0         255.0.0.0       U          0 lo
> 0.0.0.0      10.0.69.1       0.0.0.0         UG         0 eth0
>
> eth0 on Box #2 is 10.0.69.13
>
> Thanks for your help.
>
> Michael


begin:          vcard
fn:             Erez Doron
n:              Doron;Erez
org:            Savan Communications Ltd.
email;internet: erez@savan.com
title:          Asic/Software/Sysadmin
x-mozilla-cpt:  ;0
x-mozilla-html: TRUE
version:        2.1
end:            vcard
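To check what the input filter of the script above actually decides, here is an added Python simulator; it is not ipfwadm and not part of Erez's script. It re-encodes the script's -I rules in their original order (first match wins, otherwise the -p deny default), parses host/mask the way -S and -D accept it, and models -k as "matches only TCP packets with the ACK bit set"; 198.51.100.7 is a constructed remote address.

```python
import ipaddress

LOCAL_PPP_IP = "206.76.228.241"          # values from the posted script
LOCAL_NET = "10.0.69.1/24"               # host/bits form, as in the script


def net(spec):
    """Parse a -S/-D spec: host, host/bits or host/dotted-mask (0.0.0.0/0 = any)."""
    if "/" not in spec:
        spec += "/32"                    # a bare host means that one address
    # strict=False keeps host bits, so 10.0.69.1/24 means 10.0.69.0/24
    return ipaddress.ip_network(spec, strict=False)


# (iface, policy, -S, -D, -P, dst ports / icmp types, -k) in the script's order.
# None means "not given", i.e. any protocol / any port.
INPUT_RULES = [
    ("eth0", "accept", "0.0.0.0/0", "0.0.0.0/0", None, None, False),
    ("ppp0", "deny", LOCAL_NET, "0.0.0.0/0", None, None, False),         # anti-spoof
    ("ppp0", "accept", "0.0.0.0/0", LOCAL_PPP_IP, "tcp", None, True),    # -k: ACK only
    ("ppp0", "accept", "0.0.0.0/0", LOCAL_PPP_IP, "udp", range(61000, 65097), False),
    ("ppp0", "accept", "0.0.0.0/0", LOCAL_PPP_IP, "udp", {53, 4000}, False),
    ("ppp0", "accept", "0.0.0.0/0", LOCAL_PPP_IP, "icmp", {0, 3, 11, 12}, False),
]
DEFAULT_POLICY = "deny"                  # /sbin/ipfwadm -I -p deny


def input_filter(iface, src, dst, proto, port=None, ack=False):
    """Return the policy of the first matching rule, else the default policy.

    port is the destination port for tcp/udp and the type for icmp;
    ack is the TCP ACK flag, which only matters for rules with -k.
    """
    for r_iface, policy, s, d, p, ports, need_ack in INPUT_RULES:
        if r_iface != iface or (p is not None and p != proto):
            continue
        if ipaddress.ip_address(src) not in net(s):
            continue
        if ipaddress.ip_address(dst) not in net(d):
            continue
        if ports is not None and port not in ports:
            continue
        if need_ack and not ack:         # -k skips the connection-opening packet
            continue
        return policy
    return DEFAULT_POLICY
```

A packet from the internet that claims a 10.0.69.x source is denied by the anti-spoofing rule before any accept rule is reached, and a TCP packet without ACK to 206.76.228.241 falls through to the default deny.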