26 Comments
- Craz1, on 10/12/2007, -0/+4
People should have a look at the OpenSource fwbuilder GUI for this. It supports more than iptables too.
iptables
ipfilter
OpenBSD pf
Cisco PIX
Plugins so you can add support for others.
http://www.fwbuilder.org/
(screenshots: http://www.fwbuilder.org/archives/cat_screenshots.html)
- harlowsmonkeys, on 10/12/2007, -0/+4
The article has a MAJOR bug in it. It uses 190.1.x.x addresses for the private network. However, 190.1 is NOT in the space reserved for such things. Those are real live Internet addresses.
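As an added example that is not part of any comment in this thread: a POSIX sh sanity check that a LAN prefix lies entirely inside one of the RFC 1918 blocks joelhardi lists further down (10/8, 172.16/12, 192.168/16). Run against the article's 190.1.x.x choice it fails, which is exactly the mistake harlowsmonkeys describes. The prefixes fed to it at the bottom are constructed inputs, not taken from the article.

```shell
#!/bin/sh
# Added example, not from any comment in the thread: check that a LAN prefix
# lies inside RFC 1918 space (10/8, 172.16/12, 192.168/16) before using it
# behind NAT, so a public block like 190.1.x.x is caught before deployment.

# Dotted quad -> 32-bit integer on stdout; returns 1 on malformed input
# (wrong octet count, non-digits, leading zeros, values above 255).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer form of the three RFC 1918 tests: compare the leading 8, 12 or 16 bits.
int_is_rfc1918() {
    [ $(( $1 >> 24 )) -eq 10 ] && return 0        # 10.0.0.0/8
    [ $(( $1 >> 20 )) -eq 2753 ] && return 0      # 172.16.0.0/12  (172<<4 | 1)
    [ $(( $1 >> 16 )) -eq 49320 ] && return 0     # 192.168.0.0/16 (192<<8 | 168)
    return 1
}

# is_rfc1918 A.B.C.D -> exit 0 private, 1 public, 2 malformed
is_rfc1918() {
    n=$(ip2int "$1") || return 2
    int_is_rfc1918 "$n"
}

# lan_prefix_is_private A.B.C.D/N -> exit 0 only if the whole prefix is private.
# The RFC 1918 blocks are CIDR-aligned, so a CIDR prefix is entirely private
# exactly when both its first and its last address are.
lan_prefix_is_private() {
    addr=${1%/*}; bits=${1#*/}
    [ "$bits" != "$1" ] || return 2                  # no "/N" given
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    n=$(ip2int "$addr") || return 2
    # 4294967295 is 0xFFFFFFFF; keep everything inside 32 bits
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( n & mask ))
    last=$(( first | (~mask & 4294967295) ))
    int_is_rfc1918 "$first" && int_is_rfc1918 "$last"
}

# Constructed inputs: the article's 190.1.x.x choice next to two RFC 1918 prefixes.
for p in 190.1.1.1/8 10.1.1.0/24 192.168.0.0/16; do
    if lan_prefix_is_private "$p"; then
        echo "$p: private (RFC 1918), safe to use behind NAT"
    else
        echo "$p: NOT private, NAT would shadow real Internet addresses"
    fi
done
```

The check is deliberately strict about the input format (no leading zeros, exactly four octets, a /N suffix required) so that a typo in the prefix is reported as malformed rather than silently judged private or public.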
- Stonekeeper, on 10/12/2007, -0/+3
iptables --table nat --append POSTROUTING --out-interface $WAN_INTERFACE -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_INTERFACE -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
- int3lx, on 10/12/2007, -0/+2
This was a pretty awful article. As previously mentioned it is quite basic and is extremely Red Hat specific. Those would be forgivable if it didn't also neglect explanation and use poor practices.
I administer a lot of systems remotely, so I shudder when I see an IPTABLES howto advocate the use of iptables -F. There's a good chance that if you don't understand why, reading this won't make much sense to you until you try it.
I use ipt_state very often and run my INPUT, FORWARD, and OUTPUT tables' policies set to DROP. It's a lot more secure to open up only what you need than it is to try closing off what you don't.
Here are a number of corrections:
1. Don't FLUSH the tables until you've set the policies to ACCEPT!
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
2. Use the ipt_state module! This will keep track of "connections". You will only need to specifically allow the creation of a connection and none of the other packets associated with the connection. This can alleviate a lot of CPU time when you have a lot of rules.
iptables -N keep_state
iptables -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A keep_state -j RETURN
iptables -A INPUT -j keep_state
iptables -A FORWARD -j keep_state
iptables -A OUTPUT -j keep_state
3. Set up allows for ONLY what you want. I want ssh into my gateway from 10.1.1.1 and www to the gateway from 10.1.1.2. I want to be able to do anything from 10.1.1.1 and only www from 10.1.1.2 to the Internet. (NAT / MASQUERADE)
ssh: iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 10.1.1.1 -j ACCEPT
www: iptables -A INPUT -p tcp --dport 80 -m state --state NEW -s 10.1.1.2 -j ACCEPT
nat*: iptables -A FORWARD -s 10.1.1.1 -m state --state NEW -j ACCEPT
nat(www): iptables -A FORWARD -s 10.1.1.2 -p tcp --dport 80 -m state --state NEW -j ACCEPT
4. DENY EVERYTHING!
If you've got the state tracking set up correctly and you're connected over ssh, you should be able to see hits and packets hitting the rules in your keep_state table.
iptables -L keep_state -v
If you run this repeatedly and do not see the counters increase, don't proceed or you'll be locked out! (e.g. big shotgun wound in your foot)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now you have locked things down very tightly. You can open up only what you need from here. And you will be useful to a company with a remote data center.
- Craz1, on 10/12/2007, -0/+2
Sounds like this would blindly give the net access to any open port on your router. (But I could be wrong.)
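Added example, not code from int3lx, Stonekeeper or the article: int3lx's four steps above (policies ACCEPT before flushing, a keep_state chain, allow only the NEW connections you want, verify the counters and only then set DROP) as one POSIX sh script, with Stonekeeper's MASQUERADE rule for the NAT part. The hosts 10.1.1.1 and 10.1.1.2 come from int3lx's comment; the outside interface name eth0, the loopback rule and the two captures of `iptables -L keep_state -v` are constructed assumptions. With IPT unset the script only prints the rules, so it can be read as a dry run; IPT=/sbin/iptables applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: int3lx's lockdown procedure as a
# script. IPT defaults to "echo iptables" so the rules are printed, not
# applied; run with IPT=/sbin/iptables as root (from a console, not over
# the ssh session you are about to filter) to apply them for real.
IPT="${IPT:-echo iptables}"
ADMIN_HOST="${ADMIN_HOST:-10.1.1.1}"   # may ssh to the gateway and reach anything
WWW_HOST="${WWW_HOST:-10.1.1.2}"       # www to the gateway and to the Internet only
WAN_IF="${WAN_IF:-eth0}"               # assumed outside interface name

# Step 1: policies to ACCEPT *before* flushing. Flushing with a DROP policy
# in place is what locks remote administrators out.
open_and_flush() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" ACCEPT
    done
    $IPT -F
    $IPT -t nat -F
}

# Step 2: one chain that accepts packets of connections conntrack already
# knows, referenced from all three built-in chains.
state_chain() {
    $IPT -N keep_state
    $IPT -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A keep_state -j RETURN
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -j keep_state
    done
}

# Step 3: allow only the NEW connections that are wanted; everything else
# falls through to the policy set in step 4.
allow_rules() {
    $IPT -A INPUT -i lo -j ACCEPT   # assumed: local daemons talk to themselves
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s "$ADMIN_HOST" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s "$WWW_HOST" -j ACCEPT
    $IPT -A FORWARD -s "$ADMIN_HOST" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -s "$WWW_HOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE   # Stonekeeper's NAT rule
}

build_ruleset() { open_and_flush; state_chain; allow_rules; }

# Step 4a: from `iptables -L keep_state -v` output on stdin, print the packet
# counter of the RELATED,ESTABLISHED rule.
accept_pkts() {
    awk '$3 == "ACCEPT" && /RELATED,ESTABLISHED/ { print $1; exit }'
}

# counters_rising BEFORE AFTER succeeds only if that counter went up between
# two captures, i.e. your own ssh session is being matched by the state rule.
counters_rising() {
    before=$(printf '%s\n' "$1" | accept_pkts)
    after=$(printf '%s\n' "$2" | accept_pkts)
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -gt "$before" ]
}

# Step 4b: the actual lockdown; run it only after counters_rising has passed.
lock_down() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" DROP
    done
}

# Constructed samples of `iptables -L keep_state -v` output, not real captures.
SAMPLE_T0='Chain keep_state (3 references)
 pkts bytes target     prot opt in     out     source               destination
  142 11234 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    9   540 RETURN     all  --  any    any     anywhere             anywhere'
SAMPLE_T1=$(printf '%s\n' "$SAMPLE_T0" | sed 's/^  142 11234/  181 14902/')

build_ruleset
if counters_rising "$SAMPLE_T0" "$SAMPLE_T1"; then
    echo "# state counters rising: safe to run lock_down"
else
    echo "# state counters NOT rising: do not set DROP policies"
fi
```

counters_rising is the check int3lx describes in step 4: capture `iptables -L keep_state -v` twice while your ssh session is active and run lock_down only if the RELATED,ESTABLISHED counter increased. Note that once the OUTPUT policy is DROP, the gateway's own new outbound connections (DNS lookups, package updates) are blocked until you add rules for them; that is the intended starting point of "open up only what you need from here".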
- jav1231, on 10/12/2007, -1/+3
See, it's really very simple.......ahemm.
- xenoterracide, on 10/12/2007, -0/+2
This only would work on a Red Hat-like distribution. Some of this is in other places in other distros. I was hoping for a good tutorial on how to do things like port forwarding. Better written tutorials were written years ago on this.
- Doriath, on 10/12/2007, -0/+2
For a "well written tutorial" it tells you very, very little about what you are doing or why.
- getjpi, on 10/12/2007, -0/+2
Urgh! Random unmaintainable line noise.
Compare and contrast with:
gw2:~ # cat /etc/rc.early
/sbin/ifconfig fxp0 name outside
/sbin/ifconfig bge0 name inside
gw2:~ # pfctl -nf ./pf.sample.conf
gw2:~ # cat pf.sample.conf
Ext="outside"
Int="inside"
UDP="inet proto udp"
TCP="inet proto tcp"
ICMP="inet proto icmp"
KSF="keep state flags S/SA"
MSF="modulate state flags S/SA"
KS="keep state"
table { 190.1.1.1/8 }
table { 61.95.194.69 }
# Be nice and tell the outside world to go forth and multiply.
#
set block-policy return
set skip on lo0
# NAT really is this easy.
#
nat on $Ext from to ! ->
#default block policy
#
block log all
# Permit Ingress Traffic
#
pass in quick on $Int $TCP from $KSF
pass in quick on $Int from $KS
# Permit Egress Traffic
#
pass out log quick on $Ext $TCP from to ! $MSF
pass out log quick on $Ext $UDP from to ! $KS
pass out log quick on $Ext $ICMP from to ! $KS
# Done...
Which expands into a nice neat loaded policy of
gw2:~ # pfctl -vnf ./pf.sample.conf
Ext = "outside"
Int = "inside"
UDP = "inet proto udp"
TCP = "inet proto tcp"
ICMP = "inet proto icmp"
KSF = "keep state flags S/SA"
MSF = "modulate state flags S/SA"
KS = "keep state"
table { 190.0.0.0/8 }
table { 61.95.194.69 }
set block-policy return
set skip on { lo0 }
nat on outside from to ! -> round-robin
block return log all
pass in quick on inside inet proto tcp from to any flags S/SA keep state
pass in quick on inside from to any keep state
pass out log quick on outside inet proto tcp from to ! flags S/SA modulate state
pass out log quick on outside inet proto udp from to ! keep state
pass out log quick on outside inet proto icmp from to ! keep state
If you would like to know more, I can recommend
http://www.openbsd.org/faq/pf/index.html
Greg
- Craz1, on 10/12/2007, -0/+2
pfSense might meet your needs; it's based off of m0n0wall, whereas m0n0 is for embedded-type systems, pfSense is not.
Homepage: http://pfsense.org/
- joelhardi, on 10/12/2007, -0/+2
Harlowsmonkeys is right. The RFC 1918 nonroutable addresses you should use for your NAT are any of:
10.*.*.*
172.16-31.*.*
192.168.*.*
Otherwise you are blocking off part of the real net. See http://tools.ietf.org/html/rfc1918
- dbr_onix, on 10/12/2007, -0/+1
Eh? A 404 implies the HTTP traffic is getting through, but the link is wrong (so the firewall is set up right).. I assume you clicked the second (screenshots) link, which had a ) at the end, due to Digg including the trailing ) in the a href="" bit..
http://www.fwbuilder.org/archives/cat_screenshots.html is the right link..
FWBuilder seems nice; I wish I'd known about it 2 days ago, after trying to set up Smoothwall to provide a gateway to a virtual (VMware) network. I finally used m0n0wall to do the gateway VM; it works not badly, but it's a little limited for what I want to do (I can't run ethereal or similar on it, for example).
- Ben
- int3lx, on 10/12/2007, -0/+1
iptables -A PREROUTING -t nat -i -p tcp --dport -d -j DNAT --to-destination :
I'd have to do a lot of reading to explain how to do FTP.
- int3lx, on 10/12/2007, -0/+1
Good plug. pfil is a great firewall.
- eantoranz, on 10/12/2007, -0/+1
Wanna get your hands down and dirty and know why netfilter works the way it does? Try reading Oskar Andreasson's tutorial. It's pretty straightforward. No mumbo-jumbo.
http://iptables-tutorial.frozentux.net/
You can always visit netfilter's main page, which is filled with information and links to docs and tutorials.
www.netfilter.org
- Altotus, on 10/12/2007, -0/+1
Good tutorial. However, unless you're managing the firewall remotely on a system without X installed, there's no reason not to use any of the really good GUI-based utilities to do this for you.
The advantage to the GUIs is that they validate your rules for you and take out a lot of repetitive typing.
- dbremer, on 10/12/2007, -0/+0
Altotus - such as what?
I see some recommended, but do you have any others to throw in the mix?
[added] blast - hit the wrong reply - there should be a delete option for idiots
- negativefx, on 10/12/2007, -1/+1
404? Maybe they used their own utility to set up their firewall...
- skwead, on 10/12/2007, -0/+0
There is definitely a reason not to use a GUI utility or that tutorial for NAT configuration -- all these tools give very little insight on what's going on under the hood.
People who do not understand how NAT or iptables work should stay away and buy a cheap hardware router instead.
- tnoy, on 10/12/2007, -0/+0
It only opens up the ports to machines on the LAN side.
If you want to lock it down further, just remove the "server all accept" lines.
- getjpi, on 10/12/2007, -0/+0
What I meant to say before Digg's anti-HTML filtering nuked the sample table entries:
gw2:~ # pfctl -nf pf.sample.conf
gw2:~ # cat pf.sample.conf
Ext="outside"
Int="inside"
UDP="inet proto udp"
TCP="inet proto tcp"
ICMP="inet proto icmp"
KSF="keep state flags S/SA"
MSF="modulate state flags S/SA"
KS="keep state"
InsideNet="190.1.1.1/8"
OutsideAddress="61.95.194.69/32"
# Be nice and tell the outside world to go forth and multiply.
set block-policy return
set skip on lo0
# NAT really is this easy.
#
nat on $Ext from $InsideNet to !$InsideNet -> $OutsideAddress
#default block policy
#
block log all
# Permit Ingress Traffic
#
pass in quick on $Int $TCP from $InsideNet $KSF
pass in quick on $Int from $InsideNet $KS
# Permit Egress Traffic
#
pass out log quick on $Ext $TCP from $OutsideAddress to !$InsideNet $MSF
pass out log quick on $Ext $UDP from $OutsideAddress to !$InsideNet $KS
pass out log quick on $Ext $ICMP from $OutsideAddress to !$InsideNet $KS
Which expands into a loaded policy of
gw2:~ # pfctl -vnf pf.sample.conf
Ext = "outside"
Int = "inside"
UDP = "inet proto udp"
TCP = "inet proto tcp"
ICMP = "inet proto icmp"
KSF = "keep state flags S/SA"
MSF = "modulate state flags S/SA"
KS = "keep state"
InsideNet = "190.1.1.1/8"
OutsideAddress = "61.95.194.69/32"
set block-policy return
set skip on { lo0 }
nat on outside inet from 190.0.0.0/8 to ! 190.0.0.0/8 -> 61.95.194.69
block return log all
pass in quick on inside inet proto tcp from 190.0.0.0/8 to any flags S/SA keep state
pass in quick on inside inet from 190.0.0.0/8 to any keep state
pass out log quick on outside inet proto tcp from 61.95.194.69 to ! 190.0.0.0/8 flags S/SA modulate state
pass out log quick on outside inet proto udp from 61.95.194.69 to ! 190.0.0.0/8 keep state
pass out log quick on outside inet proto icmp from 61.95.194.69 to ! 190.0.0.0/8 keep state
Human readable and very easy to maintain.
Greg
- NickMontez, on 10/12/2007, -1/+0
I would just use a Cisco router and do things the right way..
- jer2eydevil88, on 10/12/2007, -3/+2
Extremely useful and well written tutorial.. although there are distros that have GUIs for this now...
- venkat23, on 10/12/2007, -1/+0
It doesn't matter if the article is good or bad; if you want a front page article, you submit from howtoforge. There seems to be some link between howtoforge and digg; maybe the advertising company is the same, so they're promoting each other.
- mrlovell, on 10/12/2007, -1/+0
Exactly. If you need to NAT, buy a $40 router. If you need to do more advanced routing, buy a business-class router. This is a nice setup toy, but you can get more for probably less money and a lot less headache.
- DNAspark99, on 10/12/2007, -3/+1
Or you could just use the most underrated iptables-configuration frontend available: FireHOL (firehol.sourceforge.net). The equivalent config would look something like this:
interface eth0 Net
client all accept
interface eth1 Lan
server all accept
client all accept
router Lan2Net inface eth1 outface eth0
masquerade
server all accept
client all accept

