LeRoy Cressy on Mon, 18 Feb 2002 09:40:05 -0500

I hope that your network looks like the following:

    Internet --> DSL Modem --> Linux/BSD Firewall --> HUB --> Network

If you have the HUB connected directly to the modem then your network is not secure and any M$ Windows boxes are in peril. Using the above setup means that the Linux box has two ethernet cards. On the firewall you can put Apache to run your web site and a mail program like sendmail or exim for your mail services.

The setting up of the firewall is the most important part of securing your system. If you are using the Linux 2.4 series of kernel, grab the source from ftp.kernel.org and compile a custom kernel with all of the firewalling support. Before compiling a custom kernel you need to know what hardware your firewall actually has. Also you need to know what ethernet cards you have in the system. To find out what your system has you can do "lspci -v" to view all of the hardware connected on the PCI bus.

After finding out what your system has, you are ready to do a kernel compile. Follow these steps:

    grab the kernel from ftp://ftp.kernel.org/pub/linux/kernel/v2.4/
    get file linux-2.4.17.tar.gz
    make a directory /usr/src/linux or /usr/local/src/linux with group as your login group
        with rwx permission for group
    move the linux tar file to the newly created directory
    cd to the above directory
    execute "tar -xvzf linux-2.4.17.tar.gz" to unpack the source code.

If you have X running and are doing this in an xterm do:

    cd linux
    less README        # Read the Instructions
    make xconfig

If you are doing this in a console do:

    cd linux
    less README        # Read the Instructions
    make menuconfig

Then:

    make dep; make bzImage; make modules
    su                 # Become the root user
    make modules_install
    cp System.map /boot/System.map-2.4.17
    cp arch/i386/boot/bzImage /boot/bzImage-2.4.17
    cd /
    rm vmlinuz
    ln -s boot/bzImage-2.4.17 vmlinuz
    ln -s boot/dist-kernel vmlinuz.dist
    ln -s boot/dist-kernel vmlinuz.old

Edit your /etc/lilo.conf file to reflect these three versions of the kernel symbolic links using your favorite editor. This way, whenever you upgrade your kernel and change the sym links in the root directory, you never have to edit the lilo.conf file again. Also this ensures that you always have an old and a distribution kernel to fall back on in case something goes wrong. Finally run lilo to install the master boot record on your hard drive.

Now you have the kernel compiled; next is to install the iptables package on your system.

Here is the test script that I am using on my home network. Most of the lines are very long in this script and you need to determine what you want to fill up your log with and what you want to allow to be port forwarded. This is something that just grew on its own, so to speak. Also you need to change every instance of my real IP address to your IP address and you need to modify the ways you have set up your local network addresses.

#!/bin/bash

echo 0 > /proc/sys/net/ipv4/ip_forward

# Zero all byte counters
iptables -Z
iptables -Z -t nat

iptables -F INPUT
iptables -F FORWARD
iptables -F block
iptables -X block
iptables -N block

iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

###########################################
#                                         #
#                INTERNET                 #
#                                         #
###########################################

# Drop all private network addresses from the Internet
iptables -A block -m state --state NEW -p tcp -s 10.0.0.0/8 -i eth0 -j LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p tcp -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A block -m state --state NEW -p udp -s 10.0.0.0/8 -i eth0 -j LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p udp -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A block -m state --state NEW -p tcp -s 172.16.0.0/12 -i eth0 -j LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p tcp -s 172.16.0.0/12 -i eth0 -j DROP
iptables -A block -m state --state NEW -p udp -s 172.16.0.0/12 -i eth0 -j LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p udp -s 172.16.0.0/12 -i eth0 -j DROP
iptables -A block -m state --state NEW -p tcp -s 192.168.0.0/16 -i eth0 -j LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p tcp -s 192.168.0.0/16 -i eth0 -j DROP
iptables -A block -m state --state NEW -p udp -s 192.168.0.0/16 -i eth0 -j LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p udp -s 192.168.0.0/16 -i eth0 -j DROP

# Services offered to the Internet; everything else new from eth0 is logged and dropped
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -j LOG --log-level info --log-prefix "Web Access Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 25 -j LOG --log-level info --log-prefix "SMTP Access Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 22 -j LOG --log-level info --log-prefix "SSH login Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 465 -j LOG --log-level info --log-prefix "SMTP Access Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 465 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth0 -j LOG --log-level info --log-prefix "Dropped Internet "
iptables -A block -m state --state NEW -p tcp -i eth0 -j DROP

###########################################
#                                         #
#                   LAN                   #
#                                         #
###########################################

# iptables -A block -m state --state NEW -i eth1 -j LOG --log-level info --log-prefix "Accepted Packets from eth1 "
iptables -A block -m state --state NEW -i eth1 -j ACCEPT

###########################################
#                                         #
#                   DMZ                   #
#                                         #
###########################################

#iptables -A block -m state --state NEW -p tcp -i eth2 --dport 53 -j LOG --log-level info --log-prefix "DMZ DNS "
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 53 -j ACCEPT
#iptables -A block -m state --state NEW -p udp -i eth2 --dport 53 -j LOG --log-level info --log-prefix "DMZ DNS "
iptables -A block -m state --state NEW -p udp -i eth2 --dport 53 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 111 -d 192.168.1.1 -j LOG --log-level info --log-prefix "DMZ Portmapper "
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 111 -d 192.168.1.1 -j ACCEPT
iptables -A block -m state --state NEW -p udp -i eth2 --dport 111 -d 192.168.1.1 -j LOG --log-level info --log-prefix "DMZ Portmapper "
iptables -A block -m state --state NEW -p udp -i eth2 --dport 111 -d 192.168.1.1 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 984 -d 192.168.1.1 -j LOG --log-level info --log-prefix "DMZ NFS mountd "
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 984 -d 192.168.1.1 -j ACCEPT
iptables -A block -m state --state NEW -p udp -i eth2 --dport 984 -d 192.168.1.1 -j LOG --log-level info --log-prefix "DMZ NFS mountd "
iptables -A block -m state --state NEW -p udp -i eth2 --dport 984 -d 192.168.1.1 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 2049 -d 192.168.1.1 -j LOG --log-level info --log-prefix "DMZ NFS Activity "
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 2049 -d 192.168.1.1 -j ACCEPT
iptables -A block -m state --state NEW -p udp -i eth2 --dport 2049 -d 192.168.1.1 -j LOG --log-level info --log-prefix "DMZ NFS Activity "
iptables -A block -m state --state NEW -p udp -i eth2 --dport 2049 -d 192.168.1.1 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 25 -j LOG --log-level info --log-prefix "DMZ SMTP Activity "
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 25 -j ACCEPT
iptables -A block -m state --state NEW -p udp -i eth2 --dport 25 -j LOG --log-level info --log-prefix "DMZ SMTP Activity "
iptables -A block -m state --state NEW -p udp -i eth2 --dport 25 -j ACCEPT
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 465 -j LOG --log-level info --log-prefix "DMZ SMTP Activity "
iptables -A block -m state --state NEW -p tcp -i eth2 --dport 465 -j ACCEPT
iptables -A block -m state --state NEW -p udp -i eth2 --dport 465 -j LOG --log-level info --log-prefix "DMZ SMTP Activity "
iptables -A block -m state --state NEW -p udp -i eth2 --dport 465 -j ACCEPT
iptables -A block -m state --state NEW -i eth2 -d 192.168.1.0/16 -p icmp -j LOG --log-level info --log-prefix "DMZ ping Activity "
iptables -A block -m state --state NEW -i eth2 -d 192.168.1.0/16 -p icmp -j ACCEPT
iptables -A block -m state --state NEW -i eth2 -j LOG --log-level info --log-prefix "Dropped Packets from eth2 "
iptables -A block -m state --state NEW -i eth2 -j DROP
iptables -A block -m state --state NEW -i eth0 -j LOG --log-level info --log-prefix "Dropped Packets from eth0 "
iptables -A block -m state --state NEW -i eth0 -j DROP
iptables -A block -j LOG --log-level info --log-prefix "Dropped Packets in block "
iptables -A block -j DROP

# Both the local and the forwarded traffic go through the block chain
iptables -A INPUT -j block
# iptables -A FORWARD -p all -i eth2 -j ACCEPT
# iptables -A FORWARD -p all -i eth1 -j ACCEPT
iptables -A FORWARD -j block

iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

#iptables -t nat -A PREROUTING -i eth0 -d 64.194.227.197 -j DNAT --to 192.168.10.10
#iptables -t nat -A POSTROUTING -s 64.194.227.197 -o eth2 -j SNAT --to 192.168.10.10

# Set up the ip forwarding for the local network to get to the outside:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 20 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 21 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 25 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 465 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 53 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 80 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 443 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 110 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 113 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 119 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 389 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 873 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 1024 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 53 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 1024 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/16 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 43 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 37 -j SNAT --to 64.194.227.197

# Allow these ports from the outside to be forwarded to the appropriate machine:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j LOG --log-level info --log-prefix "Forward WWW Request "
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.10.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG --log-level info --log-prefix "Forward Mail Request "
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.10.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j LOG --log-level info --log-prefix "Forward SSH Login "
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.10.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1024 -j LOG --log-level info --log-prefix "Forward SSH activity "
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1024 -j DNAT --to 192.168.10.1

# Allow local subnet to access dmz for everything
# iptables -t nat -A POSTROUTING -o eth2 -p all -s 192.168.1.0/24 -j SNAT --to 192.168.10.10

#######################################
#                                     #
# The following is only for debugging #
# Turn off when fixed                 #
#                                     #
#######################################
#iptables -t nat -A POSTROUTING -o eth1 -p all -s 192.168.10.0/24 -j LOG --log-level debug --log-prefix "Everything Forward DMZ "
#iptables -t nat -A POSTROUTING -o eth1 -p all -s 192.168.10.0/24 -j SNAT --to 192.168.1.10

echo 1 > /proc/sys/net/ipv4/ip_forward

Andrew Puschak wrote:
>
> Hi Paul,
> thanks for the help. Network routing is definitely a first goal. I got my
> hands on a used but well working 16-port bocahub. I have three computers
> running now that I just unplug and plug the Ethernet cable into the modem to
> get internet. I have another box I want to use as a server or gateway or
> router with two Ethernet cards. I'm going to continue reading and learning
> the redhat manuals. I started with BSD and couldn't get networking other
> than that computer connecting to the internet to work. With redhat I've only
> gotten to the gui network configuration. Any ideas or additional reading
> material would be greatly appreciated. Again, thanks for your time!
>
> Andrew Puschak
> barberooza@hotmail.com
> AIM(GAIM) screen-name barberooza
>
> ______________________________________________________________________
> Philadelphia Linux Users Group - http://www.phillylinux.org
> Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion - http://lists.phillylinux.org/mail/listinfo/plug

-- 
Rev. LeRoy D.
Cressy                mailto:lcressy@telocity.com
  /\_/\                           http://www.netaxs.com/~ldc
 ( o.o )                          Phone: 215-535-4037
  > ^ <
Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
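Every LOG rule in the script above writes a line of the same shape to the kernel log (syslog header, the --log-prefix text, then IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields), so the prefixes double as a ready-made detection feed. The following is an added example, not part of LeRoy's message or his script: a small Python parser for such lines that counts hits per prefix, flags the anti-spoof hits (RFC 1918 sources arriving on eth0, the same three networks the script drops) and collects the dropped destination ports each outside source tried. The sample log lines are constructed; their source addresses are made up and the DST is the firewall address from the script.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of what the script's LOG rules write to the kernel log.
# Source addresses are made up; DST is the firewall's own address from the script.
SAMPLE_LOG = """\
Feb 18 09:40:05 fw kernel: Dropped Private Network IN=eth0 OUT= SRC=10.1.2.3 DST=64.194.227.197 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=3456 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 18 09:40:07 fw kernel: Dropped Internet IN=eth0 OUT= SRC=198.51.100.7 DST=64.194.227.197 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=4000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 18 09:40:09 fw kernel: Dropped Internet IN=eth0 OUT= SRC=198.51.100.7 DST=64.194.227.197 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3 DF PROTO=TCP SPT=4001 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 18 09:40:11 fw kernel: SSH login Request IN=eth0 OUT= SRC=203.0.113.9 DST=64.194.227.197 LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 09:40:13 fw kernel: Dropped Packets from eth0 IN=eth0 OUT= SRC=198.51.100.7 DST=64.194.227.197 LEN=28 TOS=0x00 PREC=0x00 TTL=113 ID=5 PROTO=UDP SPT=4002 DPT=137 LEN=8
"""

# The three networks the script's anti-spoof rules drop on the Internet interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<rest>IN=.*)$")


def parse_line(line):
    """Return (prefix, fields) for one iptables LOG line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value        # e.g. SRC=..., DPT=...
        else:
            fields[tok] = True         # bare flags such as DF or SYN
    return m.group("prefix"), fields


def summarize(log_text):
    """Count hits per prefix, list private sources seen on eth0, and collect dropped ports per source."""
    by_prefix = Counter()
    spoofed = []                       # private SRC arriving on eth0 (anti-spoof rule hits)
    dropped_ports = defaultdict(set)   # SRC -> {"PROTO/DPT", ...} for dropped packets
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        by_prefix[prefix] += 1
        src = ipaddress.ip_address(f["SRC"])
        if f.get("IN") == "eth0" and any(src in net for net in RFC1918):
            spoofed.append(f["SRC"])
        if prefix.startswith("Dropped") and "DPT" in f:
            dropped_ports[f["SRC"]].add(f"{f['PROTO']}/{f['DPT']}")
    return by_prefix, spoofed, dict(dropped_ports)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the real log with `summarize(open("/var/log/messages").read())`; a source that accumulates many distinct dropped ports in a short window is the pattern worth alerting on.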