col, I'm allowing it per default since I know there are some who actually do.
We currently also allow port 2074, which is used for certain real-time multimedia
applications like Speak Freely, which you can use to talk to other people in real-time
using speakers and a microphone, or even better, a headset.
Port 4000 is the ICQ protocol. This should be an extremely well known protocol that is
used by the Mirabilis application named ICQ. There are at least 5 different ICQ clones
for Linux and it's one of the most widely used chat programs in the world. I doubt
there is any further need to explain what it is.
OUTPUT chain
Since I know that there's pretty much no one but me using this box, which is currently
used partially as a firewall and partially as a workstation, I allow pretty much everything that
goes out from it that has a source address of $LOCALHOST_IP, $LAN_IP or $STATIC_IP.
Everything else might be spoofed in some fashion, even though I doubt anyone that
I know would do it on my box. Last of all we log everything that gets dropped. If
it does get dropped, we'll sure as hell want to know about it for some reason or
another. Either it's a nasty error, or it's a weird packet that's spoofed. Finally we DROP
the packet in the default policy.
FORWARD chain
Even though I haven't actually set up a certain section in the rc.firewall example
file, I would like to comment on the few lines in there anyway. As it is now, we first
of all ACCEPT all packets coming from our LAN with the following line:
/usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
So everything from our Localnet's interface gets ACCEPTed whatever the circumstances.
After this we allow everything in a state ESTABLISHED or RELATED from
everywhere; in other words, if we open a connection from our LAN to something
on the Internet, we allow the packets coming back from that site that are either ESTABLISHED
or RELATED, but nothing else. And after this we log everything and drop it.
We log at most 3 log entries per minute so as not to flood our own logs, and prefix
them with a short string that is possible to grep for in the logfiles. Also we log them
with debug level. We finally hit the default policy of the FORWARD chain that says to
DROP everything.
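The OUTPUT and FORWARD chain logic described above, written out as an added sh example rather than the tutorial's own rc.firewall script; the tutorial's variable names are reused, while the interface name, the addresses and the log prefixes are assumed values:

```shell
#!/bin/sh
# Added example, not the tutorial's own rc.firewall: the OUTPUT and FORWARD
# chain policy described above. Variable names follow the tutorial; the
# interface name, addresses and log prefixes are assumed/constructed values.
IPTABLES="${IPTABLES:-/usr/local/sbin/iptables}"   # IPTABLES=echo gives a dry run
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_IP="${LAN_IP:-192.168.0.1}"
STATIC_IP="${STATIC_IP:-203.0.113.10}"             # constructed public address
LOCALHOST_IP="${LOCALHOST_IP:-127.0.0.1}"

output_rules() {
    # Only packets whose source address really belongs to this box may leave;
    # anything else is treated as spoofed and falls through to LOG + policy DROP.
    for src in "$LOCALHOST_IP" "$LAN_IP" "$STATIC_IP"; do
        "$IPTABLES" -A OUTPUT -p ALL -s "$src" -j ACCEPT
    done
    # Rate-limited logging (3 entries/minute) with a greppable prefix, debug level.
    "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
}

forward_rules() {
    # Everything arriving on the LAN interface is forwarded, whatever it is.
    "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    # Return traffic for connections opened from the LAN is ESTABLISHED or
    # RELATED in the connection tracker; new connections from outside are not.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
}

set_policies() {
    # The default policy does the dropping once no rule has matched.
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -P FORWARD DROP
}

# Usage: sh thisscript.sh apply   (or IPTABLES=echo sh thisscript.sh apply)
if [ "$1" = "apply" ]; then
    set_policies
    output_rules
    forward_rules
fi
```

Running it with IPTABLES=echo prints the rules instead of loading them, which is a convenient way to review the rule order before touching a live box.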
Notes
1. http://www.boingworld.com/workshops/linux/iptables-tutorial/scripts/rc.firewall.txt
2. http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html
3. http://www.ee.siue.edu/~rwalden/networking/icmp.html
4. ftp://sunsite.unc.edu/pub/docs/rfc/rfc792.txt
Chapter 6. Example scripts
rc.firewall.txt
This is the script that the whole tutorial bases its text on. To find the script go here,
rc.firewall.txt1. In other words, I hope I won't have to write very much about it. Mainly
it was written for a two-way homed network, for example where you have one LAN
and one Internet connection. This script also makes the assumption that you have a
static IP to the Internet, and hence don't use DHCP, PPP, SLIP or some other protocol
that assigns you an IP.
rc.DMZ.firewall.txt
You will find this script at the following URL, rc.DMZ.firewall.txt2. This script
was written for those people out there who have one trusted internal network, one
De-Militarized Zone and one Internet connection. The De-Militarized Zone is in this
case 1-to-1 NAT'ed and requires you to do some IP aliasing on your firewall, i.e., you
must make the box recognise packets for more than one IP. In the future you will
find examples of how to do IP aliasing in this tutorial; for now, you won't get any
practical examples though.
You need to have 2 internal networks with this script, as you can see from the picture.
One uses IP range 192.168.0.0/24 and consists of a Trusted Internal Network.
The other one uses IP range 192.168.1.0/24 and consists of the De-Militarized Zone
which we will do 1-to-1 NAT to. If someone from the internet sends a packet to our
DNS_IP, then we use DNAT, which stands for Destination Network Address Transla-