From: "Dave Nebinger"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: iptables example on Gentoo
Date: Thu, 08 Sep 2005 12:42:02 -0400
Message-id: <00d701c5b494$3d2d36e0$0a00a8c0@butthead>
References: <004b01c5b3dc$c0795000$4501010a@jnetlab.lcl> <431F7D07.3030600@gmail.com> <20050908102019.658b8adf@hactar.digimed.co.uk>

> OK, good point. But several folks have mentioned that shorewall is
> not a one-to-one tool for straight iptables/netfilters implementations.
> It has things that are not part of a raw usage of iptables/netfilters.
> My goal is to learn as much about iptables/netfilters on a Gentoo X86
> firewall, before I plunge into iptables/netfilters on an embedded
> processor, most likely not x86.

That is incorrect. Shorewall is, at its heart, a scripting engine that builds iptables rules based upon the contents of the shorewall configuration files. Once the shorewall engine produces the iptables rules, the process goes away (there is no lingering shorewall process after it comes up).

> Looking at bad rules, learning why they fail, and watching an attack
> (either generated by myself or others) with an IDS and other tools running
> can be an excellent learning experience. I'm not sure I'll have Shorewall
> running on an embedded platform, nor do I want to generate things on
> one system and transfer them to a different system (arch) in an embedded
> environment, not just yet.
>
> Others have indirectly suggested that Shorewall does not directly generate
> iptables/netfilters rulesets. I'm looking to get as close to
> iptables/netfilters as I can, rather than an immediate need to have a
> robust linux base firewall.

It does generate iptables rules, but they are customized for shorewall's purposes.
For example, my shorewall setup builds the following iptables rules:

# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p udp -m multiport --dports 27900,29900,27901,55123:55125,1500:4999,16567 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m multiport --dports 29900,29901,28910,4711 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 5000:5201 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 51000:52000 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --dport 10023 -j DNAT --to-destination 192.168.0.10
-A net_dnat -p tcp -m tcp --sport 8086 --dport 8085 -j DNAT --to-destination 192.168.0.10
-A w1ad_masq -s 255.255.255.255 -j MASQUERADE
-A w1ad_masq -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 8 12:32:48 2005
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*mangle
:PREROUTING ACCEPT [11532470:15305239824]
:INPUT ACCEPT [10012668:14215875107]
:FORWARD ACCEPT [1519785:1089361813]
:OUTPUT ACCEPT [8826128:782474663]
:POSTROUTING ACCEPT [10353251:1873002122]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Thu Sep 8 12:32:49 2005
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:49 2005
*filter
:AllowFTP - [0:0]
:AllowICMPs - [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:60]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logflags - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:w1ad_fwd - [0:0]
:w1ad_in - [0:0]
-A AllowFTP -p tcp -m tcp --dport 21 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -p icmp -j AllowICMPs
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -p tcp -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i w1ad -j w1ad_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -i w1ad -j w1ad_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o w1ad -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o w1ad -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Reject -j RejectAuth
-A Reject -j dropBcast
-A Reject -p icmp -j AllowICMPs
-A Reject -j dropInvalid
-A Reject -j RejectSMB
-A Reject -j DropUPnP
-A Reject -p tcp -j dropNotSyn
-A Reject -j DropDNSrep
-A RejectAuth -p tcp -m tcp --dport 113 -j reject
-A RejectSMB -p udp -m udp --dport 135 -j reject
-A RejectSMB -p udp -m udp --dport 137:139 -j reject
-A RejectSMB -p udp -m udp --dport 445 -j reject
-A RejectSMB -p tcp -m tcp --dport 135 -j reject
-A RejectSMB -p tcp -m tcp --dport 139 -j reject
-A RejectSMB -p tcp -m tcp --dport 445 -j reject
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A blacklst -s 213.131.253.24 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 5
-A blacklst -s 213.131.253.24 -j DROP
-A blacklst -s 221.12.14.7 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 5
-A blacklst -s 221.12.14.7 -j DROP
-A blacklst -s 59.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 5
-A blacklst -s 59.0.0.0/255.0.0.0 -p tcp -m tcp --dport 25 -j DROP
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -o w1ad -j loc2net
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth1_in -p tcp -j tcpflags
-A eth1_in -j loc2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p tcp -m tcp --dport 631 -j DROP
-A fw2net -p tcp -m tcp --dport 2401 -j ACCEPT
-A fw2net -p udp -m udp --dport 2401 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 123 -j ACCEPT
-A fw2net -p udp -m udp --dport 123 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 873 -j ACCEPT
-A fw2net -p udp -m udp --dport 873 -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -d 206.46.232.12 -p tcp -m tcp --dport 25 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 110 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 113 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 119 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 2703 -j ACCEPT
-A fw2net -p udp -m udp --dport 6277 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 20 -j ACCEPT
-A fw2net -j AllowFTP
-A fw2net -j all2all
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 873 -j ACCEPT
-A loc2fw -p udp -m udp --dport 873 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 113 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 119 -j ACCEPT
-A loc2fw -p udp -m udp --dport 6277 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 3306 -j ACCEPT
-A loc2fw -j AllowFTP
-A loc2fw -p udp -m multiport --dports 1026,1027,1028,1029 -j LOG --log-prefix "Shorewall:loc2fw:DROP:" --log-level 6
-A loc2fw -p udp -m multiport --dports 1026,1027,1028,1029 -j DROP
-A loc2fw -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m tcp --dport 631 -j DROP
-A loc2net -j AllowFTP
-A loc2net -p udp -m udp --dport 6346 -j DROP
-A loc2net -p tcp -m tcp --dport 6346 -j DROP
-A loc2net -p udp -m multiport --dports 67,68 -j DROP
-A loc2net -j ACCEPT
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 113 -j ACCEPT
-A net2fw -p udp -m udp --dport 6277 -j ACCEPT
-A net2fw -j AllowFTP
-A net2fw -p udp -m udp --dport 6346 -j DROP
-A net2fw -p tcp -m tcp --dport 6346 -j DROP
-A net2fw -p udp -m multiport --dports 1026,1027,1028,1029 -j DROP
-A net2fw -j net2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -d 192.168.0.10 -p udp -m multiport --dports 27900,29900,27901,55123:55125,1500:4999,16567 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m multiport --dports 29900,29901,28910,4711 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 5000:5201 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 5000:5201 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 51000:52000 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 10023 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --sport 8086 --dport 8085 -j ACCEPT
-A net2loc -p udp -m multiport --sports 67,68 -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -p udp -m multiport --sports 67,68 -j DROP
-A net2loc -j net2all
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 71.114.131.255 -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 71.114.131.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 71.114.131.255 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
-A w1ad_fwd -m state --state INVALID,NEW -j dynamic
-A w1ad_fwd -m state --state INVALID,NEW -j blacklst
-A w1ad_fwd -m state --state NEW -j norfc1918
-A w1ad_fwd -p tcp -j tcpflags
-A w1ad_fwd -o eth1 -j net2loc
-A w1ad_in -m state --state INVALID,NEW -j dynamic
-A w1ad_in -m state --state INVALID,NEW -j blacklst
-A w1ad_in -p udp -m udp --dport 67:68 -j ACCEPT
-A w1ad_in -m state --state NEW -j norfc1918
-A w1ad_in -p tcp -j tcpflags
-A w1ad_in -j net2fw
COMMIT
# Completed on Thu Sep 8 12:32:49 2005

Values unique to my environment:

w1ad - my ADSL card which is connected to the internet
fw - The box that is the firewall
loc - The local network inside the firewall
net - The internet as a whole.
eth0 - My DMZ card, currently not being used.
eth1 - My intranet card, currently in use.

These are all valid rules and are constructed by shorewall. Would they be the same if I hand-coded them? Absolutely not. I wouldn't have so many custom chains and would probably reorder the rules to give priorities to specific services. And, I would argue that whilst these rules are valid and do perform the firewall chores that I want/need, the format of the rules would leave a lot to be desired to try to maintain manually via the command line.

> So if I use Guarddog or Shorewall to generate rulesets, then I can issue:
> /etc/init.d/iptables save

Don't know about guarddog, but with shorewall the answer is yes (as demonstrated by the output above).

> and look at the rules. Then I can manually adjust the rules at the command
> line, once again issue '/etc/init.d/iptables save' and look at the rules,
> make manual (command line) adjustments and continue the learning and
> testing process?
> If this is true, then I can use an x86 firewall with Gentoo on
> it to build and test a firewall and then manually implement the ruleset
> on an embedded linux project, and similarly test the ruleset (and the
> security robustness of the embedded linux kernel and the ip stack
> (note: some of the low level driver code for networking will most likely
> be 'non standard' code).
>
> Is this logical and correct?
>
> I do appreciate your input and the input from others. I do apologize if
> I have offended any, as I do get a little 'wacked' when I'm frustrated.

You'll soon learn that, whilst this community loves to get people up and running using gentoo/linux, we don't respond well to the tones of your messages in previous days. Holly, especially, is a wonderful resource and really didn't deserve the response that she got.

--
gentoo-user@gentoo.org mailing list
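The thread's "save the rules, read them, learn why they fail" approach can be made mechanical. The script below is an added example (not from the post, and not part of Shorewall or iptables): it parses iptables-save output, lists user chains that nothing jumps to, and flags rules that can never fire because an earlier rule in the same chain already decides the packet, which is exactly what happens with the repeated --dport 8085 line in net2fw and the more specific 5000:5201 line in net2loc in the dump above. SAMPLE is a constructed excerpt in the same format; the chain names follow the dump.

```python
import re

# Constructed excerpt in iptables-save format, modelled on the filter table above.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net2all - [0:0]
:smurfs - [0:0]
-A INPUT -i w1ad -j net2fw
-A FORWARD -i w1ad -o eth1 -j net2loc
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 8085 -j ACCEPT
-A net2fw -j net2all
-A net2loc -p tcp -m tcp --dport 5000:5201 -j ACCEPT
-A net2loc -d 192.168.0.10 -p tcp -m tcp --dport 5000:5201 -j ACCEPT
-A net2loc -j net2all
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A smurfs -s 255.255.255.255 -j DROP
COMMIT
"""
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG and user chains fall through

def parse(text):
    """Return ({(table, chain)}, [(table, chain, match_tokens, target, line)])."""
    table, chains, rules = None, set(), []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chains.add((table, line[1:].split()[0]))
        elif line.startswith("-A "):
            chain, _, spec = line[3:].partition(" ")
            tokens = re.split(r"\s+(?=-)", spec)   # "-p tcp", "--dport 22", "-j X", ...
            target = next((t.split()[1] for t in tokens if t.startswith("-j ")), None)
            matches = frozenset(t for t in tokens if not t.startswith("-j "))
            rules.append((table, chain, matches, target, line))
    return chains, rules

def audit(text):
    """Flag user chains nothing jumps to, and rules that can never fire because an earlier
    rule in the same chain matches a subset of their conditions and terminates.
    Heuristic only: negated matches ('!') and overlapping ranges are not understood."""
    chains, rules = parse(text)
    jumped = {(t, target) for t, _, _, target, _ in rules}
    unreferenced = sorted(n for t, n in chains if n not in BUILTIN and (t, n) not in jumped)
    shadowed = [line for j, (t, c, mj, _, line) in enumerate(rules)
                if any(ti in TERMINATING and mi <= mj
                       for t2, c2, mi, ti, _ in rules[:j] if (t2, c2) == (t, c))]
    return {"unreferenced": unreferenced, "shadowed": shadowed}
```

Feed it the real dump with `audit(open("/var/lib/iptables/rules-save").read())` or whatever path `/etc/init.d/iptables save` writes on your system; the smurfs and shorewall chains in the dump above show up as unreferenced, which is one reason the author says a hand-written ruleset would have fewer custom chains.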