Tuesday, 12-Dec-2000 10:40:20 EST
Step 8 - Modify rc.local to make sure IP defragmentation is always set to yes (the kernel does it).

Add the line

echo 1 > /proc/sys/net/ipv4/ip_always_defrag

to rc.local. Note the space after the 1: written as echo 1>/proc/..., the shell reads 1> as a redirection of standard output and writes an empty line into the file instead of a 1. The file lives under /proc/sys/net/ipv4/, not directly under /proc/sys/.

Part 2 - Gathering codes

Step 1. Flush all codes and set defaults to DENY

ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

Note: -P sets the chain's default policy, which is only applied to a packet that no rule in the chain matched. Don't try to do this with ipchains -I input -j DENY: -I inserts the rule at the top of the chain, so it matches every packet first and none of the rules you append below it with -A would ever be reached.
Step 1. Manipulate type of service

(www set to minimum delay (fast), ftp minimum delay, ftp-data maximum throughput, and pop-3 and nntp set to minimum cost)

ipchains -A output -i eth0 -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -i eth0 -p tcp -d 0/0 pop-3 -t 0x01 0x02
ipchains -A output -i eth0 -p tcp -d 0/0 ftp -t 0x01 0x10
ipchains -A output -i eth0 -p tcp -d 0/0 ftp-data -t 0x01 0x08
ipchains -A output -i eth0 -p tcp -d 0/0 nntp -t 0x01 0x02

Note: 0/0 is short for anywhere.
Note: There are a lot of codes. If you screw up typing, hit the up arrow key, which brings up the last command you entered. Use the left arrow key to move over and change the -A to a -D, then hit Enter: you just deleted the rule that the last command added. Now keep on typing (hopefully you figured out that you can also use the up arrow key and just change the stuff that's different for the next command, to keep you from typing ipchains -A output .... over and over).

Step 2. Allow outgoing protocols

(www, https, pop-3, ftp, ftp-data normal mode out, ftp-data passive mode, nntp, smtp, DNS, and traceroute)

Note: replace X.X.X.X with your IP address,
YourNewsServer'sIP with your news provider's IP address,
YourSMTPServer'sIP with your outgoing SMTP server's IP address,
Your1stDNServer'sIP with your primary DNS server's IP address,
Your2ndDNServer'sIP with your secondary DNS server's IP address.
If you don't have a second DNS server, omit that line. If you have more than one SMTP server, add a line for it.

Likewise for news.

ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 www -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 https -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 pop-3 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 ftp -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s X.X.X.X 1024: -d 0/0 ftp-data -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d 0/0 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d YourNewsServer'sIP nntp -j ACCEPT
ipchains -A output -i eth0 -p tcp -s X.X.X.X 1024: -d YourSMTPServer'sIP smtp -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d Your1stDNServer'sIP domain -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d Your2ndDNServer'sIP domain -j ACCEPT
ipchains -A output -i eth0 -p udp -s X.X.X.X 32769: -d 0/0 33434:33523 -j ACCEPT

Note: FTP has two modes: normal and passive. If you use a browser (like Netscape) to do FTP, you'll have to make sure you set up the passive stuff.

Note: the notation 1024: in the above means ports 1024 to the highest port on your machine. Mine was 65535, but yours might be different. The highest port gets filled in automatically ;)

Step 3. Allow local-to-local packets on the loopback interface

ipchains -A output -i lo -j ACCEPT

Step 4. Set up outgoing icmp
(allow unreachable, source quench, echo-request, parameter problem; deny all others)
ipchains -A output -i eth0 -p icmp -s X.X.X.X 3 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 4 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 8 -j ACCEPT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 12 -j ACCEPT


Note: The really cool part about the above is that if some script-kiddie is scanning your network it will seem like nobody's home ;) They won't get a ping response telling them the address is in use. But you will still be able to get out.

Step 5. REJECT and log certain outputs

Note: On the outgoing side you want to REJECT the messages as opposed to DENY (in general). Also, logging on the outgoing side is a bit weird, because if you've been had they could easily change the logs.

ICMP messages you are not allowing out.
ipchains -A output -i eth0 -p icmp -s X.X.X.X 0:2 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 5:7 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 9:11 -l -j REJECT
ipchains -A output -i eth0 -p icmp -s X.X.X.X 13:18 -l -j REJECT


Disallow and log UDP unprivileged ports (list from the www.cert.org tech_tips packet_filtering document). I used the numbers (e.g., 69) rather than the name (tftp). Look in /etc/services for your numbers. (tftp, sunrpc, socks, openwindows, NFS, Xwindows)

ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 69 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 111 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 1080 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 2000 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 2049 -l -j REJECT
ipchains -A output -i eth0 -p udp -s X.X.X.X -d 0/0 6000:65535 -l -j REJECT

Disallow and log TCP unprivileged ports (from cert).

(link, sunrpc, auth, (exec, biff, login, who), shell, socks, openwindows, NFS, Xwindows)

ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 87 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 111 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 113 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 512:515 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 540 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 1080 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 2000 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 2049 -l -j REJECT
ipchains -A output -i eth0 -p tcp -y -s X.X.X.X -d 0/0 6000:65535 -l -j REJECT

6. Disallow outgoing packets addressed to my own IP address

ipchains -A output -i eth0 -d X.X.X.X -l -j REJECT

7. Disallow packets claiming to be to or from the loopback device

ipchains -A output -i eth0 -d 127.0.0.1 -l -j DENY
ipchains -A output -i eth0 -s 127.0.0.1 -l -j DENY

8. Allow returning packets corresponding to outgoing protocols
(DNS, www, https, ftp, pop-3, nntp, ftp-data normal, ftp-data passive but not on 6000-6010, more passive)

ipchains -A input -i eth0 -p udp -s Your1stDNServer'sIP domain -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p udp -s Your2ndDNServer'sIP domain -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 www -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 https -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 pop-3 -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 smtp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 ftp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 nntp -d X.X.X.X 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 ftp-data -d X.X.X.X 1024:5999 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 ftp-data -d X.X.X.X 6011: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0/0 1024:65535 -d X.X.X.X 1024:65535 -j ACCEPT

9. Allow local to local packets

ipchains -A input -i lo -j ACCEPT

10. Set up incoming icmp messages
(allow echo-reply, unreachable, source quench, timeout, parameter problem; block all others)

ipchains -A input -i eth0 -p icmp -s 0/0 0 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 3 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 4 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 11 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s 0/0 12 -j ACCEPT

11. Disallow and log packets from the Internet that are claiming my IP address

ipchains -A input -i eth0 -s X.X.X.X -l -j DENY

Note: If you haven't been had, then logging all the 'bad' things is good. You can use the log to go after that script kiddie (get his connection turned off).

12. Disallow and log packets claiming to be to or from the loopback device

ipchains -A input -i eth0 -d 127.0.0.1 -l -j DENY
ipchains -A input -i eth0 -s 127.0.0.1 -l -j DENY

13. Refuse broadcast source addresses

ipchains -A input -i eth0 -s 255.255.255.255 -l -j DENY
ipchains -A input -i eth0 -s 0.0.0.0 -l -j DENY

14. Refuse multicast, anycast, and broadcast addresses

ipchains -A input -i eth0 -s 240.0.0.0/3 -j DENY

15. Disallow and log unprivileged ports:

ICMP messages you are not allowing in:
ipchains -A input -i eth0 -p icmp -s 0/0 1:2 -l -j DENY
ipchains -A input -i eth0 -p icmp -s 0/0 5:10 -l -j DENY
ipchains -A input -i eth0 -p icmp -s 0/0 13:18 -l -j DENY

UDP unprivileged ports:
(tftp, sunrpc, socks, openwindows, NFS, incoming traceroute)
ipchains -A input -i eth0 -p udp -d X.X.X.X 69 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 111 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 1080 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 2000 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 2049 -l -j DENY
ipchains -A input -i eth0 -p udp -d X.X.X.X 6000: -l -j DENY

TCP unprivileged ports (link, sunrpc, auth, (exec, biff, login, who), shell, socks, openwindows, NFS, Xwindows)

ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 87 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 111 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 113 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 512:515 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 540 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 1080 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 2000 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 2049 -l -j DENY
ipchains -A input -i eth0 -p tcp -y -d X.X.X.X 6000: -l -j DENY

16. Save codes

ipchains-save > /etc/ipchains.rules

Note: ipchains-save only writes the rules to a file. Something still has to load them at boot with ipchains-restore < /etc/ipchains.rules (from rc.local or an init script), or they won't be there after step 17.

17. Reboot and check that the rules stuck (ipchains -L should list them).

18. TEST IT?

I had a friend do a port scan for me and he said that it came back clean (i.e., his report indicated that there was no way for him to get in). Of course, I could be wrong and he could have screwed up somehow. I make no claims about the effectiveness of these codes ;)
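A way to desk-check a rule set like this one before rebooting, written here as an added example (it is not part of the NHF and not ipchains itself): a small Python model of how ipchains walks a chain, covering the subset of syntax the page uses (-P, -A, -I, -i, -p, -y, ! -y, -s/-d with a port or ICMP type, -l, -j). MYIP and the 203.0.113.x addresses are constructed stand-ins for X.X.X.X and the remote hosts. It also shows why the default policy has to be set with -P: a DENY rule inserted at the top with -I shadows everything appended after it.

```python
import ipaddress, re

MYIP = "192.0.2.10"  # constructed stand-in for the page's X.X.X.X placeholder
SERVICES = {"www": 80, "https": 443, "pop-3": 110, "ftp": 21, "ftp-data": 20, "smtp": 25, "nntp": 119, "domain": 53}
ANY = (ipaddress.ip_network("0.0.0.0/0"), (0, 65535))  # address/port pair that matches everything

def ports(spec):  # 'www' -> (80, 80); '1024:' -> (1024, 65535); '1024:5999' -> (1024, 5999)
    lo, _, hi = spec.partition(":")
    return (int(lo or 0), int(hi or 65535)) if ":" in spec else (SERVICES.get(lo) or int(lo),) * 2

def parse(line):
    """Parse the subset of ipchains syntax this page uses; an ICMP type is read like a port."""
    t = line.split()
    opt = lambda flag: (re.search(flag + r" (\S+)", line) or [None, None])[1]
    def addr(flag):  # '-s 0/0 www' -> (network, port range); a missing port means any port
        m = re.search(flag + r" (\S+)(?: (?![-!])(\S+))?", line)
        return ANY if not m else (ipaddress.ip_network(m[1].replace("0/0", "0.0.0.0/0"), strict=False),
                                  ports(m[2]) if m[2] else (0, 65535))
    return {"cmd": t[1], "chain": t[2], "iface": opt("-i"), "proto": opt("-p"), "log": " -l " in line,
            "target": t[3] if t[1] == "-P" else opt("-j"), "src": addr("-s"), "dst": addr("-d"),
            "syn": False if "! -y" in line else (True if " -y " in line else None)}

def build(lines):
    """Replay the commands: -P sets a chain policy, -A appends a rule, -I inserts one at the top."""
    chains, policy = {"input": [], "output": [], "forward": []}, {}
    for r in map(parse, lines):
        if r["cmd"] == "-P": policy[r["chain"]] = r["target"]
        elif r["cmd"] == "-I": chains[r["chain"]].insert(0, r)
        else: chains[r["chain"]].append(r)
    return chains, policy

def hits(r, p):
    """Does packet p (dict: iface, proto, src, sport, dst, dport, syn) match rule r?"""
    return (r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"]) and r["syn"] in (None, p["syn"])
            and all(ipaddress.ip_address(p[end]) in r[end][0] and r[end][1][0] <= p[end[0] + "port"] <= r[end][1][1]
                    for end in ("src", "dst")))

def verdict(fw, chain, p):
    """Walk the chain top down: the first match wins; the policy applies only if nothing matched."""
    for r in fw[0][chain]:
        if hits(r, p):
            return r["target"], r["log"]
    return fw[1].get(chain, "ACCEPT"), False

# A handful of the page's rules with the policy set via -P (constructed sample; 203.0.113.x is a remote host).
RULES = ["ipchains -P input DENY", "ipchains -P output DENY",
         f"ipchains -A output -i eth0 -p tcp -s {MYIP} 1024: -d 0/0 www -j ACCEPT",
         f"ipchains -A input -i eth0 -p tcp ! -y -s 0/0 www -d {MYIP} 1024: -j ACCEPT",
         "ipchains -A input -i eth0 -p icmp -s 0/0 0 -j ACCEPT",
         f"ipchains -A input -i eth0 -p tcp -y -d {MYIP} 6000: -l -j DENY"]
```

Feed it the full rule list from the page (with X.X.X.X substituted) and a packet or two for each protocol you expect to use; a verdict that comes from the policy rather than from a rule usually means a missing return rule.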
