I've downloaded monmotha and edited it to a certain degree; here's the part
I changed (the "Main Options" configuration section of rc.firewall):
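# -------------------------------------------------------------------------
# Main Options
#
# Configuration section of the monmotha rc.firewall script as edited by the
# poster.  Only variable assignments live here; the script body that reads
# them is not shown.  Comment continuations that had been wrapped onto lines
# of their own in the original paste (which made the file invalid shell, e.g.
# a bare "do ..." line) are rejoined into proper comment lines below.
IPTABLES="/usr/sbin/iptables"
# TCP ports accepted from any source on the Internet side (the run output
# shows "Hostwise TCP Allows: 0/0>22").  SSH is therefore reachable from
# anywhere; if that is not wanted, remove 22 here and use ALLOW_HOSTWISE_TCP
# to permit only specific source hosts.
TCP_ALLOW="22"
# UDP ports accepted from any source.  68 is bootpc, the DHCP *client* port,
# only needed if this box obtains its own Internet address via DHCP; the
# purpose of 6112/6119/4000 is not visible in the rest of the post.
UDP_ALLOW="68 6112 6119 4000"
INET_IFACE="eth0"
LAN_IFACE="eth1"
INTERNAL_LAN="10.0.0.0/8"
MASQ_LAN="10.0.0.0/8"
SNAT_LAN=""
# Target applied to Internet traffic the INETIN chain does not accept.
# TREJECT answers TCP with a RST and UDP with ICMP port-unreachable (see the
# TREJECT chain in the listing), which is exactly why external port-check
# sites report "closed" rather than "stealthed".  "DROP" discards silently.
# NOTE(review): the run output creates a chain literally named
# "LREJECTLTREJECT" and no separate LREJECT/LTREJECT chains, which appears to
# explain the "No chain/target/match by that name" errors; the logging
# reject targets would not work until that (probably an edit in the chain
# list) is fixed.  TREJECT itself is unaffected.
DROP="TREJECT"
DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""
TCP_FW=""
UDP_FW=""
MANGLE_TOS_OPTIMIZE="FALSE"
# Adds an ACCEPT for udp/bootps (67) so a DHCP server on this box is
# reachable.  "iptables -L" without -v does not show interfaces, so confirm
# with "iptables -L -v" that this rule is bound to LAN_IFACE and not also
# open on the Internet side.
DHCP_SERVER="TRUE"
# ICMP types rejected on input: 5 redirect, 9/10 router advertisement and
# solicitation, 15/16 information request/reply, 17/18 address-mask
# request/reply.
BAD_ICMP="5 9 10 15 16 17 18"
ENABLE="Y"
# Flood Params
LOG_FLOOD="2/s"      # rate limit applied to LOG/ULOG rules
SYN_FLOOD="20/s"     # SYNs above this rate are logged and then rejected
PING_FLOOD="1/s"     # echo-requests above this rate are rejected
# Outbound filters
# FIXME: Update config help wiki then remove one-liner help
# Internal hosts allowed to be forwarded out on TCP (do not put this/these
# host/s in INTERNAL_LAN, but do define their method of access [snat, masq]
# if not a public ip).
ALLOW_OUT_TCP=""
# Redirect for Squid or other TRANSPARENT proxy.  Syntax to specify the
# proxy is "host:port".
PROXY=""
# Set to the internal IP of this box (with the firewall); only needed for
# PROXY=.
MY_IP=""
# Below here is experimental (please report your successes/failures)
MAC_MASQ=""          # Currently Broken
MAC_SNAT=""          # Ditto...
TTL_SAFE=""
# The run output reports "IP SynCookies...disabled".  With syncookies off,
# SYN-flood handling relies solely on the SYN_FLOOD rate limit, which also
# rejects legitimate SYNs once the limit is hit; enabling syncookies is
# usually preferable if the kernel supports them.
USE_SYNCOOKIES="FALSE"
RP_FILTER="TRUE"              # reverse-path check (run output: on eth0, eth1)
ACCEPT_SOURCE_ROUTE="FALSE"   # source-routed packets refused via sysctl
SUPER_EXEMPT=""
BRAINDEAD_ISP="FALSE"
ALLOW_HOSTWISE_PROTO=""
# Only touch these if you're daring (PREALPHA stuff, as in basically
# non-functional)
# Interface your DMZ is on (leave blank if you don't have one)
# - Obsolete: Will be removed before 2.4.0
DMZ_IFACE=""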
# ----------------------------------------------------------------------|
(The following chain headers belong to the iptables listings further down
and were displaced here by the mail formatting:)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
Chain DMZIN (0 references)
Chain DMZOUT (0 references)
Chain INETIN (2 references)
Chain INETOUT (2 references)
Chain LDROP (0 references)
Chain LREJECTLTREJECT (0 references)
Chain TCPACCEPT (2 references)
Chain TREJECT (13 references)
Chain UDPACCEPT (5 references)
Chain ULDROP (0 references)
Chain ULREJECT (0 references)
Chain ULTREJECT (0 references)
---------------------------------------------------------------------------
Stuff is getting through, obviously (i.e. this post), and I've visited a
Is that a hole? And should I turn off SSH, and if so, how?
Anyway, I hope this is enough to work with to find out what I've done wrong.
Thanks!
P.S. is it eerie, that I encounter a firewall named Mothra right after
# These control basic script behavior; there should be no need to |
# change any of these settings for normal use. |
# ----------------------------------------------------------------------|
---------------------------------------------------------------------------
--------------
And /dev/rob0 reminded me to post data :-)
Here's some stuff before running rc.firewall or anything:
---------------------------------------------------------------------------
--------------
root@ops:/etc/rc.d# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
4.11.176.0 * 255.255.252.0 U 0 0 0 eth0
10.0.0.0 * 255.0.0.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default wbar5-lax1-4-11 0.0.0.0 UG 0 0 0 eth0
root@ops:/etc/rc.d# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
target prot opt source destination
target prot opt source destination
root@ops:/etc/rc.d#
root@ops:~# lsmod
Module Size Used by Not tainted
snd-pcm-oss 37252 0 (unused)
snd-mixer-oss 11992 0 [snd-pcm-oss]
parport_pc 14724 1 (autoclean)
lp 6752 0 (autoclean)
parport 23264 1 (autoclean) [parport_pc lp]
tulip 40928 1
uhci 24496 0 (unused)
ehci-hcd 16872 0 (unused)
usbcore 58400 1 [uhci ehci-hcd]
snd-via82xx 11712 0
snd-pcm 55904 0 [snd-pcm-oss snd-via82xx]
snd-timer 13252 0 [snd-pcm]
snd-ac97-codec 37240 0 [snd-via82xx]
snd-page-alloc 6004 0 [snd-via82xx snd-pcm]
snd-mpu401-uart 3136 0 [snd-via82xx]
snd-rawmidi 12512 0 [snd-mpu401-uart]
snd-seq-device 3920 0 [snd-rawmidi]
snd 27460 0 [snd-pcm-oss snd-mixer-oss snd-via82xx
snd-pcm snd-timer snd-ac97-codec snd-mpu401-uart snd-rawmidi snd-seq-device]
soundcore 3332 4 [snd]
via-rhine 13552 1
mii 2304 0 [via-rhine]
crc32 2880 0 [tulip via-rhine]
pcmcia_core 40032 0
ide-scsi 9424 0
agpgart 39576 0 (unused)
root@ops:~#
---------------------------------------------------------------------------
-------------
Here's lsmod after running modprobe ip_tables:
root@ops:/etc/rc.d# lsmod
Module Size Used by Not tainted
ipt_MASQUERADE 1272 1 (autoclean)
iptable_mangle 2072 0 (autoclean) (unused)
iptable_nat 15928 1 (autoclean) [ipt_MASQUERADE]
ipt_REJECT 3160 7 (autoclean)
ipt_limit 856 21 (autoclean)
ipt_state 536 4 (autoclean)
ip_conntrack 18120 2 (autoclean) [ipt_MASQUERADE iptable_nat
ipt_state]
ipt_LOG 3384 7 (autoclean)
ipt_ULOG 3432 12 (autoclean)
iptable_filter 1644 1 (autoclean)
ip_tables 12288 11 [ipt_MASQUERADE iptable_mangle iptable_nat
ipt_REJECT ipt_limit ipt_state ipt_LOG ipt_ULOG iptable_filter]
snd-pcm-oss 37252 0 (unused)
snd-mixer-oss 11992 0 [snd-pcm-oss]
parport_pc 14724 1 (autoclean)
lp 6752 0 (autoclean)
parport 23264 1 (autoclean) [parport_pc lp]
tulip 40928 1
uhci 24496 0 (unused)
ehci-hcd 16872 0 (unused)
usbcore 58400 1 [uhci ehci-hcd]
snd-via82xx 11712 0
snd-pcm 55904 0 [snd-pcm-oss snd-via82xx]
snd-timer 13252 0 [snd-pcm]
snd-ac97-codec 37240 0 [snd-via82xx]
snd-page-alloc 6004 0 [snd-via82xx snd-pcm]
snd-mpu401-uart 3136 0 [snd-via82xx]
snd-rawmidi 12512 0 [snd-mpu401-uart]
snd-seq-device 3920 0 [snd-rawmidi]
snd 27460 0 [snd-pcm-oss snd-mixer-oss snd-via82xx
snd-pcm snd-timer snd-ac97-codec snd-mpu401-uart snd-rawmidi snd-seq-device]
soundcore 3332 4 [snd]
via-rhine 13552 1
mii 2304 0 [via-rhine]
crc32 2880 0 [tulip via-rhine]
pcmcia_core 40032 0
ide-scsi 9424 0
agpgart 39576 0 (unused)
root@ops:/etc/rc.d#
--------------------------------------------------------------
And here's a run of the script:
root@ops:/etc/rc.d# ./rc.firewall
Loading iptables firewall:
Checking configuration...passed
Performing TCP_ALLOW and UDP_ALLOW alias preprocessing...done
Checking IP Forwarding...enabled.
Checking IP SynCookies...disabled.
Checking Route Verification...activated:eth0 activated:eth1
Refusing Source Routed Packets via SysCtl...activated:eth0 activated:eth1
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2
OUTPUT3Creating chains: INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT
LDROP LREJECTLTREJECT TREJECT ULDROP ULREJECT ULTREJECT
Default Policies: INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP
Setting up drop chains chains: LDROP iptables: No chain/target/match by that
name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
LREJECT TREJECT iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
LTREJECT ULDROP ULREJECT ULTREJECT
Setting up per-proto ACCEPT: TCPACCEPT UDPACCEPT
TREJECTing invalid packets...done
Setting up INET chains: INETIN INETOUT
Local Traffic Rules: 10.0.0.0/8:ACCEPT loopback:ACCEPT dhcp:ACCEPT
Setting up masquerading: 10.0.0.0/8:MASQUERADE
TREJECTing ICMP messages specified in BAD_ICMP...5 9 10 15 16 17 18
Flood limiting: ICMP-PING
Allowing the rest of the ICMP messages in...done
Hostwise TCP Allows: 0/0>22
Hostwise UDP Allows: 0/0>68 0/0>6112 0/0>6119 0/0>4000
Allowing established outbound connections back in...done
Allowing related inbound connections...done
Setting up INET policies: INETIN:TREJECT INETOUT:ACCEPT
Done loading the firewall!
root@ops:/etc/rc.d#
--------------------------------------------------------------
And the resulting iptables:
Chain INPUT (policy DROP)
target prot opt source destination
INETIN all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootps
target prot opt source destination
INETIN all -- anywhere anywhere
INETOUT all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/8 anywhere
target prot opt source destination
INETOUT all -- anywhere anywhere
target prot opt source destination
target prot opt source destination
target prot opt source destination
TREJECT all -- anywhere anywhere state INVALID
TREJECT icmp -- anywhere anywhere icmp redirect
TREJECT icmp -- anywhere anywhere icmp
router-advertisement
TREJECT icmp -- anywhere anywhere icmp
router-solicitation
TREJECT icmp -- anywhere anywhere icmp type 15
TREJECT icmp -- anywhere anywhere icmp type 16
TREJECT icmp -- anywhere anywhere icmp
address-mask-request
TREJECT icmp -- anywhere anywhere icmp
address-mask-reply
ACCEPT icmp -- anywhere anywhere icmp
echo-request limit: avg 1/sec burst 5
TREJECT icmp -- anywhere anywhere icmp
echo-request
ACCEPT icmp -- anywhere anywhere icmp
!echo-request
TCPACCEPT tcp -- anywhere anywhere tcp dpt:ssh
UDPACCEPT udp -- anywhere anywhere udp dpt:bootpc
UDPACCEPT udp -- anywhere anywhere udp dpt:6112
UDPACCEPT udp -- anywhere anywhere udp dpt:6119
UDPACCEPT udp -- anywhere anywhere udp dpt:4000
ACCEPT all -- anywhere anywhere state
ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp
dpts:1024:65535 state RELATED
UDPACCEPT udp -- anywhere anywhere udp
dpts:1024:65535 state RELATED
TREJECT all -- anywhere anywhere
target prot opt source destination
ACCEPT all -- anywhere anywhere
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec
burst 5 LOG level info prefix `TCP Dropped '
LOG udp -- anywhere anywhere limit: avg 2/sec
burst 5 LOG level info prefix `UDP Dropped '
LOG icmp -- anywhere anywhere limit: avg 2/sec
burst 5 LOG level info prefix `ICMP Dropped '
LOG all -f anywhere anywhere limit: avg 2/sec
burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP all -- anywhere anywhere
target prot opt source destination
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp
flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG tcp -- anywhere anywhere tcp
flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix
`Possible SynFlood '
TREJECT tcp -- anywhere anywhere tcp
flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp
flags:!SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 2/sec
burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
TREJECT all -- anywhere anywhere
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable
target prot opt source destination
ACCEPT udp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec
burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
TREJECT all -- anywhere anywhere
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_FRAG' queue_threshold 1
DROP all -- anywhere anywhere
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_FRAG' queue_threshold 1
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_FRAG' queue_threshold 1
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable
-
and the output of "route" is the same as above.
bunch of those "check your ports" sites,
and the general consensus seems to be that all the ports are "closed" but
not "stealthed", so I should buy
their firewall. Interestingly, the SSH port and the bootp port were reported
as open; the site said that the bootp port is used
by DHCP. When DHCP starts I get a message like "No subnet declaration for
4.10.x.x. ... Not listening, if this is
not what you want", etc.
Rich
fielding a project called KeyZilla?
R