Help File Library: Firewall Installation
Why I created this: Well, I'd heard all kinds of stories about people getting
their machines hacked within hours of putting their machines on the big
bad Internet. So I wanted to protect myself.
My system: Gateway 450XL, two SCSI disks (Cheetah all the way baby),
ethernet card, printer, blah, blah, blah. I got a static IP address from
my ADSL provider (so I don't have to worry about DHCP). I am the only one
on the network (i.e., no IP masquerading or forwarding). I don't need to
run any services like DNS caching, NFS, etc, etc. So it's pretty basic,
but I don't want some ass to mess up what I finally got running.
Information is from: Reading ipchains howto (www.linux.org), studying Robert L.
Ziegler's scripts (http://www.linux-firewall-tools.com/linux/),
www.cert.org, and plain trial and error!
So here are the steps I took to put up a firewall for my little
computer:
Part 1 - Getting the system ready.
Step 1 - Disconnect from Internet :)
Step 2 - Kill all daemons you don't want to run.
In /etc/inetd.conf comment out (put a # in front of) shell,
login, ftp, telnet, finger, talk, and ntalk.
Step 4 - Set up tcp wrappers to specify allowed and
non-allowed hosts.
Add to /etc/hosts.allow
# disallow connections from my local network (it's ADSL)
ALL: ALL@127.0.0.1 : DENY
# allow connections from my static IP address
ALL: ALL@X.X.X.X : ALLOW
# allow unchecked ident connections from anywhere
in.identd : ALL : ALLOW
Add to /etc/hosts.deny
# disallow everything not specifically allowed in /etc/hosts.allow
ALL: 0.0.0.0/0.0.0.0
Step 5 - Make sure you got ipchains.
How: (I) Downloaded ipchains from the Red Hat ftp site and used the command
rpm -ivh "filename" (also on the 2nd CD ROM provided by RH).
Note: It's not part of RH 5.1. It uses ipfwadm instead.
Why: Allows for IP packet filtering (i.e., firewalling).
Note: Not sure I had to do this as it was "in the kernel",
but the binaries weren't in /sbin, where all binaries need
to be. Also couldn't use any of the commands like ipchains
-L until I rpmed it. I'm still not sure it's "part of the
kernel" but it seems to at least be on the machine. There
was something in 2.3 of the HOWTO about kernel commands????
Note: The version from RH is 1.3.8 - the HOWTO is written
against 1.3.9.
Step 6 - Make sure the scripts are always added.
How: See ipchains HOWTO (version 1.0.7) section 2.3.
What: Create script and add it before network runs in appropriate runlevels.
-------------
#! /bin/sh
# script to control packet filtering.
# if no rules do nothing.
[ -f /etc/ipchains.rules ] || exit 0
case "$1" in
start)
    echo -n "Turning on packet filtering:"
    /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -X
    /sbin/ipchains -F
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
*)
    echo "Usage: /etc/init.d/packetfilter (start|stop)"
    exit 1
    ;;
esac
exit 0
------------
Note: Make sure to set the properties to allow everyone
to run it.
Note: Check to see what runlevels include network and make
sure it loads before them.
In the examples it said S39filename (S is for loaded and
K is for not loaded), but on mine it's got to come before
S10. I used SysV Init editor in KDE. Also on RH 6.0 put
the script (I called it packetfilter) in /etc/init.d directory.
When you use SysV Init editor it will add the appropriate
S* (where * is the number).
Note: Make sure the last echo uses the right filename (in
my case packetfilter vice package). In the example they
used a different filename.
Note: The 2nd to last line has essac should be esac.
Step 7 - Add protection for regular ip spoofing.
How: See ipchains HOWTO section 5.7.
What: Create script and add it before network runs in appropriate runlevels.
-----------
#! /bin/sh
# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo -n "Setting up IP spoofing protection..."
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    echo "done."
else
    echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console
    /sbin/sulogin $CONSOLE
fi
-------------
Note: Check to see what runlevels include network and make
sure it loads before them.
I picked the file name no-ip-spoofing and added it into
the /etc/init.d directory.
Then used SysV Init to add it before network, but after
packetfilter. When you use SysV Init editor it will add
the appropriate S* (where * is the number).
Note: I don't think it matters which of the scripts gets
loaded first. I just picked the one from step 3 to load
first.
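The two notes above ask you to confirm by hand that the firewall scripts are linked ahead of network in the runlevel directory. The script below does that check and is an added example, not part of the original guide. It assumes Red Hat's layout, where the start links live in /etc/rc.d/rcN.d and the network script is linked as S10network, and it assumes the script names used in these steps (packetfilter and no-ip-spoofing).

```shell
#!/bin/sh
# Added example, not part of the original guide: verifies that the firewall
# scripts are linked to start before network in a SysV runlevel directory.
# Assumptions: Red Hat keeps the links in /etc/rc.d/rcN.d, the network
# script is linked as S10network, and the firewall scripts are named
# packetfilter and no-ip-spoofing as in the steps above.
# Usage: sh check-rc-order.sh /etc/rc.d/rc3.d packetfilter no-ip-spoofing

# start_index DIR NAME: print the two-digit start order of S??NAME in DIR,
# or "none" when there is no start link for NAME
start_index() {
    for link in "$1"/S[0-9][0-9]"$2"; do
        if [ -e "$link" ]; then
            link=${link##*/}              # S39packetfilter
            link=${link#S}                # 39packetfilter
            printf '%s\n' "${link%"$2"}"  # 39
            return 0
        fi
    done
    echo none
}

# check_rc_order DIR NAME...: succeed only if every NAME has a start link
# whose number is lower than network's, i.e. it runs first
check_rc_order() {
    dir=$1; shift
    net=$(start_index "$dir" network)
    if [ "$net" = none ]; then
        echo "no S??network link in $dir" >&2
        return 1
    fi
    status=0
    for name in "$@"; do
        idx=$(start_index "$dir" "$name")
        if [ "$idx" = none ]; then
            echo "$name: no start link in $dir" >&2; status=1
        elif [ "$idx" -ge "$net" ]; then
            echo "$name: S$idx would start after S${net}network" >&2; status=1
        else
            echo "$name: S$idx starts before S${net}network"
        fi
    done
    return $status
}

# When run with arguments, check the given directory and script names
if [ $# -ge 2 ]; then check_rc_order "$@"; fi
```

Run it once per runlevel that starts network (rc3.d and rc5.d on a typical Red Hat box); a non-zero exit means a script is missing or would start too late, and the K links are not examined because only start order matters here.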
Step 8 - Modify rc.local to make sure IP defragmentation
is always set to yes (kernel does it).
Add echo 1 > /proc/sys/net/ipv4/ip_always_defrag to rc.local
Part 2 - Gathering codes
Step 1. Flush all codes and set defaults to DENY
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
Step 1. Manipulate type of service
(www set to fast, ftp minimum delay, ftp-data minimum throughput,
and pop-3 and nntp set to minimum cost)
ipchains -A output -i eth0 -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -i eth0 -p tcp -d 0/0 pop-3 -t 0x01 0x02
ipchains -A output -i eth0 -p tcp -d 0/0 ftp -t 0x01 0x10
ipchains -A output -i eth0 -p tcp -d 0/0 ftp-data -t 0x01 0x08
ipchains -A output -i eth0 -p tcp -d 0/0 nntp -t 0x01 0x02
Note: 0/0 is short for anywhere.
Note: There are a lot of codes. If I screw up typing, I hit the
right arrow key, which should bring up the last command
you entered. Use the left arrow key to move over and change
the -A to a -D. You just deleted the last command that you
entered. Now keep on typing (hopefully you figured out that
you could use the right arrow key and just change the stuff
that's different for the next command to keep from typing
ipchains -A output .... every time).
Step 2. Allow outgoing protocols
(www, https, pop-3, ftp, ftp-data normal mode out, ftp-data passive mode, nntp,
smtp, DNS, and traceroute)
Note replace: X.X.X.X with your IP address,
YourNewsServer'sIP with your news provider's IP address,
YourSMTPServer'sIP with your outgoing SMTP server's IP address,
Your1stDNServer'sIP with your primary DNS's IP address,
Your2ndDNServer'SIP with your secondary DNS's IP address.
If you don't have a second DNS omit the line. If you have
more than one SMTP server add it.
Likewise for news.
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 www -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 https -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 pop-3 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 ftp -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s X.X.X.X 1024: -d 0/0 ftp-data -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d YourNewsServer'sIP nntp -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d YourSMTPServer'sIP smtp -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d Your1stDNServer'sIP domain -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d Your2ndDNServer'sIP domain -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X 32769: -d 0/0 33434:33523 -j ACCEPT
Note: FTP has two modes: normal and passive. If you use
a browser (like Netscape) to do FTP you'll have to make
sure you set up the passive stuff.
Note: the notation 1024: in the above means ports 1024
to the highest port on your machine. Mine was 65535, but
yours might be different. The highest port gets filled in
automatically ;)
Step 3. Allow local to local packets (loopback interface)
ipchains -A output -i lo -j ACCEPT
Step 4. Set up outgoing icmp
(allow unreachable, source quench, echo-request, parameter
problem, deny all others)
ipchains -A output -i eth0 -p icmp -s X.X.X.X 3 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 4 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 8 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 12 -j ACCEPT
Note: The really cool part about the above is that if some
script-kiddie is scanning your network it will seem like
nobody's home ;) They won't get a ping response to know
that the address is in use. But, you will be able to get
out.
Step 5. REJECT and log certain outputs
Note: On the outgoing side you want to REJECT the messages
as opposed to DENY (in general). Also, logging on the outgoing
side is a bit weird because if you've been had they could
easily change the logs.
ICMP messages you are not allowing out.
ipchains -A output -i eth0 -p icmp -s X.X.X.X 0:2 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 5:7 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 9:11 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 13:18 -l -j REJECT
Disallow and log UDP unprivileged ports (from www.cert.org
tech_tips packet_filtering). I used the numbers (i.e., 69)
vice the name (tftp). Look in /etc/services for your numbers.
(tftp, sunrpc, socks, openwindows, NFS, Xwindows)
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 69 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 111 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 1080 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 2000 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 2049 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 6000:65535 -l -j REJECT
Disallow and log TCP unprivileged ports (from cert).
(link, sunrpc, auth, (exec, biff, login, who), shell, socks,
openwindows, NFS, Xwindows)
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 87 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 111 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 113 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 512:515 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 540 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 1080 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 2000 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 2049 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 6000:65535 -l -j REJECT
6. Disallow packets claiming to be me
ipchains -A output -i eth0 -d X.X.X.X -l -j REJECT
7. Disallow packets claiming to be to or from loopback device
ipchains -A output -i eth0 -d 127.0.0.1 -l -j DENY
ipchains -A output -i eth0 -s 127.0.0.1 -l -j DENY
8. Allow returning packets corresponding to outgoing protocols
(DNS, www, https, ftp, pop-3, nntp, ftp-data norm, ftp-data
passive not on 6000-6010, more passive)
ipchains -A input -i eth0 -p udp -s Your1stDNServer'sIP domain -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p udp -s Your2ndDNServer'sIP domain -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 www -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 https -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 pop-3 -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 smtp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 ftp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 nntp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 ftp-data -d X.X.X.X 1024:5999 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 ftp-data -d X.X.X.X 6011: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 1024:65535 -d X.X.X.X 1024:65535 -j ACCEPT
9. Allow local to local packets
ipchains -A input -i lo -j ACCEPT
10. Set up incoming icmp messages
(Allow echo-reply, unreachable, source quench, timeout,
parameter problem, block all others)
ipchains -A input -i eth0 -p icmp -s 0/0 0 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 3 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 4 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 11 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 12 -j ACCEPT
11. Disallow and log packets from the Internet that are claiming
my IP address
ipchains -A input -i eth0 -s X.X.X.X -l -j DENY
Note: If you haven't been had, then logging all 'bad'
things is good. You can use the log to go after that script
kiddie (get his connection turned off).
12. Disallow and log packets claiming to be to or from
loopback device
ipchains -A input -i eth0 -d 127.0.0.1 -l -j DENY
ipchains -A input -i eth0 -s 127.0.0.1 -l -j DENY
13. Refuse broadcast source addresses
ipchains -A input -i eth0 -s 255.255.255.255 -l -j DENY
ipchains -A input -i eth0 -s 0.0.0.0 -l -j DENY
14. Refuse multicast, anycast, and broadcast addresses
ipchains -A input -i eth0 -s 240.0.0.0/3 -j DENY
15. Disallow and log unprivileged ports:
ICMP messages you are not allowing in:
ipchains -A input -i eth0 -p icmp -s 0/0 1:2 -l -j DENY
ipchains -A input -i eth0 -p icmp -s 0/0 5:10 -l -j DENY
ipchains -A input -i eth0 -p icmp -s 0/0 13:18 -l -j DENY
UDP unprivileged ports:
(tftp, sunrpc, socks, openwindows, NFS, incoming traceroute)
ipchains -A input -i eth0 -p udp -d X.X.X.X 69 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 111 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 1080 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 2000 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 2049 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 6000: -l -j DENY
TCP unprivileged ports (link, sunrpc, auth, (exec, biff,
login, who), shell, socks, openwindows, NFS, Xwindows)
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 87 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 111 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 113 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 512:515 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 540 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 1080 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 2000 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 2049 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 6000: -l -j DENY
16. Save codes
ipchains-save > /etc/ipchains.rules
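Typing the Part 2 rules one at a time, with X.X.X.X and the CERT port list repeated in each, is where the typos creep in. The script below is an added example, not the author's, that builds the same rule families from a handful of variables and short loops. It prints the ipchains commands for review unless APPLY=1 is set, so you can diff the output against the list above before loading it. Every address in it is a constructed placeholder, and for brevity it leaves out the TOS, ftp-data and traceroute lines, which stay as given in the steps above. It also tightens two things on purpose: the default policy is set with -P rather than an inserted rule, and the logged DENY/REJECT rules are appended before the broad ACCEPTs, because ipchains stops at the first rule that matches.

```shell
#!/bin/sh
# Added example, not the author's script: generates the Part 2 ruleset from a
# few variables instead of retyping X.X.X.X and the CERT port list by hand.
# Without APPLY set it only prints the ipchains commands for review; with
# APPLY=1 it runs them. All addresses below are constructed placeholders.
MYIP="${MYIP:-192.0.2.10}"      # your static address (X.X.X.X on the page)
DNS1="${DNS1:-192.0.2.53}"      # primary DNS server
DNS2="${DNS2:-}"                # secondary DNS server; leave empty to omit it
SMTP="${SMTP:-192.0.2.25}"      # outgoing mail server
NEWS="${NEWS:-192.0.2.119}"     # news server
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Port lists from the CERT packet-filtering tech tip the page cites
# (tftp, sunrpc, socks, openwindows, NFS, X over UDP; link, sunrpc, auth,
# the r-services, uucp, socks, openwindows, NFS, X over TCP).
CERT_UDP="69 111 1080 2000 2049 6000:65535"
CERT_TCP="87 111 113 512:515 540 1080 2000 2049 6000:65535"

# rule ARGS: print the command, or execute it when APPLY=1
rule() {
    if [ -n "${APPLY:-}" ]; then "$IPCHAINS" "$@"; else printf 'ipchains %s\n' "$*"; fi
}

gen_rules() {
    # Step 1: flush, then set the default policy with -P (an inserted DENY
    # rule would sit in front of every ACCEPT appended later and block it all)
    rule -F
    for chain in input output forward; do rule -P "$chain" DENY; done

    # Steps 3 and 9: loopback traffic both ways
    rule -A output -i lo -j ACCEPT
    rule -A input -i lo -j ACCEPT

    # Steps 7, 11, 12, 13: spoofed loopback, broadcast and "from myself"
    # sources, logged, ahead of any ACCEPT because the first match wins
    for bad in 127.0.0.1 255.255.255.255 0.0.0.0 "$MYIP"; do
        rule -A input -i eth0 -s "$bad" -l -j DENY
    done
    rule -A output -i eth0 -s 127.0.0.1 -l -j DENY

    # Steps 5 and 15: the CERT ports, refused and logged in both directions
    for p in $CERT_UDP; do
        rule -A output -i eth0 -p udp -s "$MYIP" -d 0/0 "$p" -l -j REJECT
        rule -A input -i eth0 -p udp -d "$MYIP" "$p" -l -j DENY
    done
    for p in $CERT_TCP; do
        rule -A output -i eth0 -p tcp -y -s "$MYIP" -d 0/0 "$p" -l -j REJECT
        rule -A input -i eth0 -p tcp -y -d "$MYIP" "$p" -l -j DENY
    done

    # Steps 2 and 8: client connections out from unprivileged ports, and only
    # their replies (! -y: no SYN) back in; news and mail are pinned to their
    # servers on the way in as well as on the way out
    for svc in www https pop-3 ftp; do
        rule -A output -i eth0 -p tcp -s "$MYIP" 1024: -d 0/0 "$svc" -j ACCEPT
        rule -A input -i eth0 -p tcp ! -y -s 0/0 "$svc" -d "$MYIP" 1024: -j ACCEPT
    done
    rule -A output -i eth0 -p tcp -s "$MYIP" 1024: -d "$NEWS" nntp -j ACCEPT
    rule -A input -i eth0 -p tcp ! -y -s "$NEWS" nntp -d "$MYIP" 1024: -j ACCEPT
    rule -A output -i eth0 -p tcp -s "$MYIP" 1024: -d "$SMTP" smtp -j ACCEPT
    rule -A input -i eth0 -p tcp ! -y -s "$SMTP" smtp -d "$MYIP" 1024: -j ACCEPT
    for dns in $DNS1 $DNS2; do      # an empty DNS2 simply drops out of the loop
        rule -A output -i eth0 -p udp -s "$MYIP" -d "$dns" domain -j ACCEPT
        rule -A input -i eth0 -p udp -s "$dns" domain -d "$MYIP" 1024: -j ACCEPT
    done

    # Steps 4 and 10: outgoing ICMP 3,4,8,12 and incoming 0,3,4,11,12; the
    # rest falls to the DENY policy, so the host never answers a ping
    for t in 3 4 8 12; do rule -A output -i eth0 -p icmp -s "$MYIP" "$t" -j ACCEPT; done
    for t in 0 3 4 11 12; do rule -A input -i eth0 -p icmp -s 0/0 "$t" -j ACCEPT; done
}

gen_rules
# Step 16: only worth saving when the rules were actually loaded
if [ -n "${APPLY:-}" ]; then /sbin/ipchains-save > /etc/ipchains.rules; fi
```

Review the printed list first (`sh firewall.sh | less`), then load it with `APPLY=1 sh firewall.sh` and check the result with `ipchains -L -n`; the variables can be overridden on the command line, e.g. `DNS2=... APPLY=1 sh firewall.sh`.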
17. Reboot and check to see rules stuck.
18. TEST IT?
I had a friend do a port scan for me and he said that it
came back clean (i.e., his report indicated that there was
no way for him to get in). Of course, I could be wrong and
he could have screwed up somehow. I make no claims about
the effectiveness of these codes.
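The -l rules in steps 5 and 15 only pay off if someone reads what they log, which is the point of the note in step 11 about going after the script kiddie. The script below is an added example, not part of the original guide, that boils the kernel log down to one line per source, port and rule. It relies on the log format the ipchains HOWTO documents for -l ("Packet log: chain target interface PROTO=n src:sport dst:dport ... (#rule)") and on the ipchains convention that for ICMP the two port positions hold the type and code; the log lines it runs over are constructed for the example, and on Red Hat the real ones are in /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the page: summarizes what the -l rules logged.
# ipchains writes one kernel line per logged packet in the form documented
# in the ipchains HOWTO: "Packet log: <chain> <target> <iface> PROTO=<n>
# <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)".
# For ICMP the two "port" positions carry the ICMP type and code, the same
# way -s and -d do on an icmp rule. The sample lines below are constructed.
SAMPLE_LOG='Mar  3 01:12:07 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4271 192.0.2.10:513 L=44 S=0x00 I=18 F=0x0000 T=64 SYN (#29)
Mar  3 01:12:09 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4272 192.0.2.10:513 L=44 S=0x00 I=19 F=0x0000 T=64 SYN (#29)
Mar  3 01:12:12 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4273 192.0.2.10:513 L=44 S=0x00 I=20 F=0x0000 T=64 SYN (#29)
Mar  3 01:12:15 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4274 192.0.2.10:111 L=44 S=0x00 I=21 F=0x0000 T=64 SYN (#28)
Mar  3 01:40:02 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:1029 192.0.2.10:69 L=48 S=0x00 I=77 F=0x0000 T=51 (#27)
Mar  3 01:40:05 gw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.5:8 192.0.2.10:0 L=84 S=0x00 I=78 F=0x0000 T=51 (#31)
Mar  3 01:41:00 gw kernel: eth0: some unrelated kernel message'

# summarize_log: read syslog lines on stdin, print one tab-separated line per
# (source, service, chain/target, rule) with the hit count first, busiest first
summarize_log() {
    awk '
    /Packet log:/ {
        for (i = 1; i <= NF && $i != "log:"; i++) {}
        chain = $(i+1); target = $(i+2); proto = $(i+4); src = $(i+5); dst = $(i+6)
        sub(/^PROTO=/, "", proto)
        split(src, s, ":"); split(dst, d, ":")
        if (proto == 6)       what = "tcp/" d[2]
        else if (proto == 17) what = "udp/" d[2]
        else if (proto == 1)  what = "icmp-type/" s[2]   # type sits in the source "port"
        else                  what = "proto/" proto
        rule = $NF; gsub(/[()]/, "", rule)              # "(#29)" -> "#29"
        count[s[1] "\t" what "\t" chain " " target "\t" rule]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Demonstration on the constructed sample; for real data run
#   summarize_log < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

The rule number in the last column is the same one `ipchains -L -n --line-numbers` shows, so you can confirm that a hit was logged by the rule you expected rather than by a broader one earlier in the chain; a source that keeps reappearing against the r-service, sunrpc or X ports is the case the step 11 note has in mind.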