Step 8 - Modify rc.local to make sure IP defragmentation
is always set to yes (the kernel does it).
Add echo 1 > /proc/sys/net/ipv4/ip_always_defrag to rc.local
Part 2 - Gathering codes
Step 1. Flush all codes and set defaults to DENY
ipchains -F
ipchains -I input -j DENY
ipchains -I output -j DENY
ipchains -I forward -j DENY
Step 1. Manipulate type of service
(www set to fast, ftp minimum delay, ftp-data minimum throughput,
and pop-3 and nntp set to minimum cost)
ipchains -A output -i eth0 -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -i eth0 -p tcp -d 0/0 pop-3 -t 0x01 0x02
ipchains -A output -i eth0 -p tcp -d 0/0 ftp -t 0x01 0x10
ipchains -A output -i eth0 -p tcp -d 0/0 ftp-data -t 0x01 0x08
ipchains -A output -i eth0 -p tcp -d 0/0 nntp -t 0x01 0x02
Note: 0/0 is short for anywhere.
Note: There are a lot of codes. When I screw up typing, I hit the
right arrow key, which should bring up the last command
you entered. Use the left arrow key to move over and change
the -A to a -D. You just deleted the last command that you
entered. Now keep on typing (hopefully you figured out that
you could use the right arrow key and just change the stuff
that's different for the next command, to keep you from typing
ipchains -A output .... every time).
Step 2. Allow outgoing protocols
(www, https, pop-3, ftp, ftp-data normal, ftp-data passive, nntp,
smtp, DNS, and traceroute)
Note: replace X.X.X.X with your IP address,
YourNewsServer'sIP with your news provider's IP address,
YourSMTPServer'sIP with your outgoing SMTP server's IP address,
Your1stDNServer'sIP with your primary DNS's IP address, and
Your2ndDNServer'sIP with your secondary DNS's IP address.
If you don't have a second DNS, omit that line. If you have
more than one SMTP server, add a line for each.
Likewise for news.
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 www -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 https -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 pop-3 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 ftp -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s X.X.X.X 1024: -d 0/0 ftp-data -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d YourNewsServer'sIP nntp -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d YourSMTPServer'sIP smtp -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d Your1stDNServer'sIP domain -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d Your2ndDNServer'sIP domain -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X 32769: -d 0/0 33434:33523 -j ACCEPT
Note: FTP has two modes: normal and passive. If you use
a browser (like Netscape) to do FTP, you'll have to make
sure you set up the passive rules.
Note: the notation 1024: in the above means ports 1024
to the highest port on your machine. Mine was 65535, but
yours might be different. The highest port gets filled in
automatically ;)
Step 3. Allow local to local packets to ethernet card
ipchains -A output -i lo -j ACCEPT
Step 4. Set up outgoing icmp
(allow unreachable, source quench, echo-request, parameter
problem, deny all others)
ipchains -A output -i eth0 -p icmp -s X.X.X.X 3 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 4 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 8 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 12 -j ACCEPT
Note: The really cool part about the above is that if some
script-kiddie is scanning your network it will seem like
nobody's home ;) They won't get a ping response to know
that the address is in use. But you will still be able to get
out.
Step 5. REJECT and log certain outputs
Note: On the outgoing side you want to REJECT the messages
as opposed to DENY (in general). Also, logging on the outgoing
side is a bit weird because if you've been had they could
easily change the logs.
ICMP messages you are not allowing out.
ipchains -A output -i eth0 -p icmp -s X.X.X.X 0:2 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 5:7 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 9:11 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 13:18 -l -j REJECT
Disallow and log UDP unprivileged ports (list from www.cert.org
tech_tips packet_filtering). I used the numbers (i.e., 69)
instead of the name (tftp). Look in /etc/services for your numbers.
(tftp, sunrpc, socks, openwindows, NFS, Xwindows)
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 69 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 111 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 1080 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 2000 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 2049 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 6000:65535 -l -j REJECT
Disallow and log TCP unprivileged ports (from cert).
(link, sunrpc, auth, (exec, biff, login, who), shell, socks,
openwindows, NFS, Xwindows)
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 87 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 111 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 113 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 512:515 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 540 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 1080 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 2000 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 2049 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 6000:65535 -l -j REJECT
6. Disallow packets claiming to be me
ipchains -A output -i eth0 -d X.X.X.X -l -j REJECT
7. Disallow packets claiming to be to or from the loopback device
ipchains -A output -i eth0 -d 127.0.0.1 -l -j DENY
ipchains -A output -i eth0 -s 127.0.0.1 -l -j DENY
8. Allow returning packets corresponding to outgoing protocols
(DNS, www, https ftp, pop-3, nntp, ftp-data norm, ftp-data
passive not on 6000-6010, more passive)
ipchains -A input -i eth0 -p udp -s Your1stDNServer'sIP domain -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p udp -s Your2ndDNServer'sIP domain -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 www -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 https -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 pop-3 -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 smtp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 ftp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 nntp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 ftp-data -d X.X.X.X 1024:5999 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 ftp-data -d X.X.X.X 6011: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 1024:65535 -d X.X.X.X 1024:65535 -j ACCEPT
9. Allow local to local packets
ipchains -A input -i lo -j ACCEPT
10. Set up incoming icmp messages
(Allow echo-reply, unreachable, source quench, timeout,
parameter problem, block all others)
ipchains -A input -i eth0 -p icmp -s 0/0 0 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 3 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 4 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 11 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 12 -j ACCEPT
11. Disallow and log packets from the Internet that are claiming my IP address
ipchains -A input -i eth0 -s X.X.X.X -l -j DENY
Note: If you haven't been had, then logging all 'bad'
things is good. You can use the log to go after that script
kiddie (get his connection turned off).
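As an added example (not part of the original page), here is a small POSIX shell script that summarises the "Packet log:" lines the -l rules above write to the kernel log, so you can see who probed which ports before deciding whether to report it. The log lines are constructed sample data; the field layout follows the ipchains kernel log format.

```shell
#!/bin/sh
# Added example, not from the original page: summarise ipchains "-l" log
# entries. The kernel writes one line per logged packet in this shape:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=..
# SAMPLE_LOG is constructed test data, not a real capture.
SAMPLE_LOG='Oct  4 12:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:4011 192.0.2.10:111 L=60 S=0x00 I=33 F=0x4000 T=48 SYN (#40)
Oct  4 12:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:4012 192.0.2.10:113 L=60 S=0x00 I=34 F=0x4000 T=48 SYN (#41)
Oct  4 12:00:02 gw kernel: Packet log: input DENY eth0 PROTO=17 10.9.8.7:4013 192.0.2.10:69 L=52 S=0x00 I=35 F=0x0000 T=48 (#37)
Oct  4 12:00:05 gw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.5:8 192.0.2.10:0 L=84 S=0x00 I=12 F=0x0000 T=250 (#36)
Oct  4 12:00:09 gw kernel: Packet log: output REJECT eth0 PROTO=6 192.0.2.10:2049 198.51.100.2:1034 L=60 S=0x00 I=77 F=0x4000 T=64 SYN (#29)'

# Count logged packets per (chain, source IP), most frequent first.
# Lines without "Packet log:" (other kernel messages) are skipped.
count_by_source() {
    awk '/Packet log:/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") break;
            chain = $(i+1); src = $(i+5); sub(/:[0-9]+$/, "", src);
            n[chain " " src]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# List the distinct destination ports one source address hit. Many distinct
# ports from one address in a short window is what a port scan looks like.
ports_probed_by() {
    awk -v who="$1" '/Packet log:/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") break;
            src = $(i+5); sub(/:[0-9]+$/, "", src);
            if (src == who) { dst = $(i+6); sub(/^.*:/, "", dst); p[dst] = 1 }
         }
         END { for (d in p) print d }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Outgoing REJECTs deserve a separate look: they are connections your own
# host tried to make that the policy refused (compare the note in step 5).
outgoing_rejects() {
    grep -c 'Packet log: output REJECT' || true
}

printf '%s\n' "$SAMPLE_LOG" | count_by_source
printf '%s\n' "$SAMPLE_LOG" | ports_probed_by 10.9.8.7
printf '%s\n' "$SAMPLE_LOG" | outgoing_rejects
```

Feed it the real log instead of the sample with something like grep 'Packet log:' /var/log/messages | count_by_source.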
12. Disallow and log packets claiming to be to or from the
loopback device
ipchains -A input -i eth0 -d 127.0.0.1 -l -j DENY
ipchains -A input -i eth0 -s 127.0.0.1 -l -j DENY
13. Refuse broadcast source addresses
ipchains -A input -i eth0 -s 255.255.255.255 -l -j DENY
ipchains -A input -i eth0 -s 0.0.0.0 -l -j DENY
14. Refuse multicast, anycast, and broadcast addresses
ipchains -A input -i eth0 -s 240.0.0.0/3 -j DENY
15. Disallow and log unprivileged ports:
ICMP messages you are not allowing in:
ipchains -A input -i eth0 -p icmp -s 0/0 1:2 -l -j DENY
ipchains -A input -i eth0 -p icmp -s 0/0 5:10 -l -j DENY
ipchains -A input -i eth0 -p icmp -s 0/0 13:18 -l -j DENY
UDP unprivileged ports:
(tftp, sunrpc, socks, openwindows, NFS, incoming traceroute)
ipchains -A input -i eth0 -p udp -d X.X.X.X 69 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 111 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 1080 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 2000 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 2049 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 6000: -l -j DENY
TCP unprivileged ports (link, sunrpc, auth, (exec, biff,
login, who), shell, socks, openwindows, NFS, Xwindows)
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 87 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 111 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 113 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 512:515 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 540 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 1080 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 2000 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 2049 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 6000: -l -j DENY
16. Save codes
ipchains-save > /etc/ipchains.rules
17. Reboot and check to see that the rules stuck.
18. TEST IT
I had a friend do a port scan for me and he said that it
came back clean (i.e., his report indicated that there was
no way for him to get in). Of course, I could be wrong and
he could have screwed up somehow. I make no claims about
the effectiveness of these codes ;)