[ale] forwarding port 22 and 443

Jeff Martin jeff at xipe.net
Tue Oct 5 13:33:42 EDT 1999 

This is a multi-part message in MIME format.
--------------427CAF935DA6E4B26A83F4F3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Glenn Stone wrote:

> [about port forwarding] It was written:
> > Excellent thank you.
> > -jeff
> >
> > Mike Fletcher wrote:
> >
> > >         There's this from the _Perl Cookbook_:
> > >
> > >   ------------------------------------------------------------------------
> > >                  Name: fwdport
> > >    fwdport       Type: Plain Text (text/plain)
> > >           Description: Perl port forwarder
> > >
> > >   ------------------------------------------------------------------------
>
> Ummm... what about IPCHAINS, fellows?  I'm thinking that something
> kernel-based will be faster and more secure.... am I out in left field?
>
> -- Glenn

I tried this ( see below ) , but none of the ports would connect..... well here
is the script-- I borrowed other GPL'd stuff -- this is only the part that does
Ipchains.  If you need more info please let me know. :)

_______________________________



--------------427CAF935DA6E4B26A83F4F3
Content-Type: text/plain; charset=us-ascii;
 name="fireitup"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="fireitup"

#!/bin/sh

#
# -------------------- Interfaces -
# Local Interface

LOCALIF="eth0"

# Internal Interface
INTERNALNET="192.168.1.1/25"

#
# Set the location of ipchains.

IPCHAINS="/sbin/ipchains"

# You shouldn't need to change anything in the rest of this section

LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"

echo "Internal: $INTERNALNET"
echo "External: $LOCALNET"

REMOTENET="0/0"

# -------------------- Flush everything, start from scratch -

echo -n "Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output   
echo -n "."

# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."

echo "Done!"

# -------------------- Allow all connections within the network -

echo -n "Internal.."

$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."

echo "Done!"

# ----------------- Allow loopback interface -

echo -n "Loopback.."

$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."

echo "Done!"

# -------------------------------------------------------------- Masquerading -

echo -n "Masquerading.."

# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."

# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT 
echo -n "."

# masq webserver as an entity
#$IPCHAINS -A forward -s $REMOTENET -d 192.168.1.2/25 -j MASQ

# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."

# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY
echo -n "."

# --------------------- Allow all connections from the network to the outside -

$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT   
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."

echo "Done!"

# -------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the 
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

echo -n "TOS flags.."

$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10   
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
echo -n "..."

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
echo -n "."

echo "Done!"

# ------------------------------------ Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.

# echo -n "Trusted Networks.."

# $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j ACCEPT 
# echo -n "."

# echo "Done!"

# ------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems. These packets are logged.

# echo -n "Banned Networks.."

# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j DENY
# echo -n "."

# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY
# echo -n "."

# echo "Done!"



# ---------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network. 

echo -n "Port Blocks.."
echo "...blocking:"
 
# NetBEUI/Samba
echo "NetBEUI/Samba"
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
echo -n "."

# Microsoft SQL
echo " MS SQL"
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
echo -n "."

# Postgres SQL
echo " Postgress SQL"
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
echo -n "."

# Network File System


#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 111 -j DENY
#$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 111 -j DENY
echo -n "."

# X Displays :0-:2-
echo " X displays"
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
echo -n "."

# X Font Server :0-:2-
echo " Font server"
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
echo -n "."

# Back Orifice (logged)
echo " CdC toys"
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
echo -n "."

# NetBus (logged)
echo " NETBUS "
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
echo -n "."


echo "Done!"

# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by 
# ipchains

echo -n "High Ports.."

$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
echo -n "."

echo "Done!"

# ------------------------------------------------------------ Basic Services -

echo -n "Services.."

# ssh (22)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j MASQ
echo -n "."


# smtp (25)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
# echo -n "."

# DNS (53)
#$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
echo -n ".."


# http (80)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j MASQ
echo -n "."

# https (443)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j MASQ
echo -n "."

echo "Done!"

#Extra things
echo extra things.."
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 745 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 745 -j ACCEPT
echo -n "..port 745"
#More extra
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 747 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 747 -j ACCEPT
echo -n "..port 747"
# KIM'S TEST PORT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 33333 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 33333 -j ACCEPT
 echo -n "..port 33333"

# Network File System
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 111 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 111 -j ACCEPT
echo -n "...NFS ( 111 / 2049 )"
# ----------------------- ICMP -

echo -n "ICMP Rules.."

# Use this to deny ICMP attacks from specific addresses
# $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DENY
# echo -n "."

# Allow incoming ICMP
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n ".."

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n "...."

echo "Done!"

# -------------------------------------------------------- set default policy -

$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT

echo ""
echo "Finished Establishing Firewall."

--------------427CAF935DA6E4B26A83F4F3--

More information about the Ale mailing list