
Setting up a Linux Transparent Firewall

posted on June 26, 2002
by hitbsecnews

By: Mutilator (2600 Salt Lake City)

http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf

Download bridge-utils package

Download kernel source 2.4.18 and extract (/usr/src/) or use Redhat kernel RPMs with patched code.

Download netfilter (latest version that will work with 2.4.18)

Download the bridge/iptables kernel patch and apply it (patch -p1 < bridge-nf-yadayada.diff)

Compile the kernel; enable experimental options during config

Enable network packet filtering and all subsequent options

Enable 802.1d bridging and netfilter firewalling support

Restart, extract and compile bridge-utils

Setup interfaces/bridge/firewall (see /etc/rc.d/rc.inet1)

/etc/rc.d/rc.inet1 (slackware)

#!/bin/sh
# Loopback
HOSTNAME=`cat /etc/HOSTNAME`
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
# Bridge: eth0 and eth1 become ports of brg0 with no addresses of their own;
# the bridge interface carries the management IP and default route
/usr/sbin/brctld
/usr/sbin/brctl addbr brg0
/usr/sbin/brctl addif brg0 eth0
/usr/sbin/brctl addif brg0 eth1
/sbin/ifconfig eth0 0.0.0.0 promisc
/sbin/ifconfig eth1 0.0.0.0 promisc
/sbin/ifconfig brg0 200.200.59.216 promisc
/sbin/route add default gw 200.200.59.1
# Connection-tracking helpers for FTP and IRC (needed for the RELATED matches in rc.firewall)
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/etc/rc.d/rc.firewall

/etc/rc.d/rc.firewall (slackware)

#!/bin/sh
# Only the FORWARD chain (traffic bridged between eth0 and eth1) is filtered here;
# INPUT and OUTPUT for the firewall host itself keep their default ACCEPT policy.
iptables -F # Flush all rules
iptables -X # Delete user created chains

# CHAIN CREATION

# Create chain valid_traffic
iptables -N valid_traffic
iptables -A valid_traffic -m state --state INVALID -j DROP # Drop bad states
iptables -A valid_traffic -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept related/established

# Create chain for allow list
iptables -N all_allow
iptables -A all_allow -s 200.200.59.102 -j ACCEPT # Damon
iptables -A all_allow -s 200.200.59.103 -j ACCEPT # Shyra
iptables -A all_allow -s 200.200.59.100 -j ACCEPT # Chris
iptables -A all_allow -s 200.200.59.226 -j ACCEPT # Steve
iptables -A all_allow -s 200.200.59.106 -j ACCEPT # VOIP Gateway out
iptables -A all_allow -d 200.200.59.106 -j ACCEPT # VOIP Gateway in

# Create chain for all ICMP packets
iptables -N icmp_packets
iptables -A icmp_packets -p icmp --icmp-type 8/0 -s 200.200.59.0/24 -j ACCEPT # Allow echo req out

# Create chain for all UDP packets
iptables -N udp_packets
iptables -A udp_packets -p udp -s 200.200.59.0/24 --dport 53 -j ACCEPT # DNS out
iptables -A udp_packets -p udp -s 200.200.59.0/24 --dport 123 -j ACCEPT # NTP out
iptables -A udp_packets -p udp -d 200.200.59.100 --dport 53 -j ACCEPT # DNS in
iptables -A udp_packets -p udp -d 200.200.59.101 --dport 53 -j ACCEPT # (only allow to local DNS)

# Create chain for TCP packets in
iptables -N tcp_in
iptables -A tcp_in -p tcp -d 200.200.59.0/24 --dport 113 -j ACCEPT # Identd in
iptables -A tcp_in -p tcp -m multiport -d 200.200.59.101 --dport 80,443 -j ACCEPT # ORG Main web
iptables -A tcp_in -p tcp -m multiport -d 200.200.59.104 --dport 80,443 -j ACCEPT # Server in
iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 80 -j ACCEPT # ORG IT Web in
iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 25 -j ACCEPT # SMTP Server
iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 110 -j ACCEPT # POP
iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 21 -j ACCEPT # FTP Server (data connections return as RELATED via ip_conntrack_ftp)

# Create chain for TCP packets out
iptables -N tcp_out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 80 -j ACCEPT # WWW out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 443 -j ACCEPT # Secure WWW out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 22 -j ACCEPT # SSH out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 21 -j ACCEPT # FTP out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 23 -j ACCEPT # Telnet out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 5190 -j ACCEPT # AIM out
iptables -A tcp_out -p tcp -s 200.200.59.217 --dport 25 -j ACCEPT # SMTP out (only on mail server)

# END CHAIN CREATION

# BEGIN PACKET TRAVERSAL

# Per-interface source checks (the tests imply eth1 = inside, eth0 = outside). As written,
# these two ACCEPTs in the mangle table drop nothing; to actually reject spoofed sources,
# DROP rules for the complement (inside addresses arriving on eth0, outside addresses
# arriving on eth1) would have to be added.
iptables -t mangle -A PREROUTING -i eth1 -s 200.200.59.0/24 -j ACCEPT # Legitimate inside sources
iptables -t mangle -A PREROUTING -i eth0 ! -s 200.200.59.0/24 -j ACCEPT # Legitimate outside sources

iptables -A FORWARD -j valid_traffic # Pass all packets to valid_traffic (check state)
iptables -A FORWARD -j all_allow # Check IP allow list
iptables -A FORWARD -p icmp -j icmp_packets # Send to ICMP packets chain if ICMP packet
iptables -A FORWARD -p udp -j udp_packets # Send to UDP packets chain if UDP packet
iptables -A FORWARD -p tcp -d 200.200.59.0/24 -j tcp_in # Pass incoming TCP to tcp_in chain
iptables -A FORWARD -p tcp -s 200.200.59.0/24 -j tcp_out # Pass outgoing TCP to tcp_out chain
# Note: the next two rules admit any new TCP or UDP connection between ports 1024-2000,
# in either direction, regardless of host
iptables -A FORWARD -p tcp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # Allow carbon copy in/out
iptables -A FORWARD -p udp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # (Annoying exception)
iptables -A FORWARD -j DROP # Drop anything that didn't match

# END PACKET TRAVERSAL
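As an added check that is not part of the original article, the following Python models the first-match traversal of a subset of the rc.firewall chains above, so a ruleset change can be tested against sample packets before it is loaded on the bridge. The chain contents are transcribed from the script; the outside addresses are constructed, and the model ignores interfaces, the ICMP chain and the 1024:2000 port-range exceptions.

```python
import ipaddress

# Subset of the page's rc.firewall as (match, target) rules; a chain name as
# target jumps into that user chain, exactly as "-j tcp_in" does.
LAN = "200.200.59.0/24"
CHAINS = {
    "valid_traffic": [({"state": {"INVALID"}}, "DROP"),
                      ({"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT")],
    "all_allow": [({"src": "200.200.59.102/32"}, "ACCEPT"),      # Damon
                  ({"dst": "200.200.59.106/32"}, "ACCEPT")],     # VOIP gateway in
    "udp_packets": [({"proto": "udp", "src": LAN, "dport": {53}}, "ACCEPT"),
                    ({"proto": "udp", "dst": "200.200.59.100/32", "dport": {53}}, "ACCEPT")],
    "tcp_in": [({"proto": "tcp", "dst": "200.200.59.101/32", "dport": {80, 443}}, "ACCEPT"),
               ({"proto": "tcp", "dst": "200.200.59.217/32", "dport": {25}}, "ACCEPT")],
    "tcp_out": [({"proto": "tcp", "src": LAN, "dport": {80, 443, 22}}, "ACCEPT"),
                ({"proto": "tcp", "src": "200.200.59.217/32", "dport": {25}}, "ACCEPT")],
    "FORWARD": [({}, "valid_traffic"),                 # state check first
                ({}, "all_allow"),                     # per-host allow list
                ({"proto": "udp"}, "udp_packets"),
                ({"proto": "tcp", "dst": LAN}, "tcp_in"),
                ({"proto": "tcp", "src": LAN}, "tcp_out"),
                ({}, "DROP")],                         # anything that didn't match
}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(m, p):
    return (("proto" not in m or p["proto"] == m["proto"])
            and ("src" not in m or in_net(p["src"], m["src"]))
            and ("dst" not in m or in_net(p["dst"], m["dst"]))
            and ("dport" not in m or p["dport"] in m["dport"])
            and ("state" not in m or p["state"] in m["state"]))

def verdict(p, chain="FORWARD"):
    # First-match walk; a user chain with no match returns None, which sends
    # control back to the caller (iptables RETURN), not to DROP.
    for m, target in CHAINS[chain]:
        if matches(m, p):
            if target in ("ACCEPT", "DROP"):
                return target
            r = verdict(p, target)
            if r is not None:
                return r
    return None

def pkt(proto, src, dst, dport=None, state="NEW"):
    # Constructed sample packet; state is what ip_conntrack would report
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "state": state}
```

For example, verdict(pkt("tcp", "200.200.59.110", "198.51.100.7", 25)) returns "DROP" because only the mail server may open outbound SMTP, while the same packet from 200.200.59.217 is accepted by tcp_out.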

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

1.) FTP Dumpsites: A primer - Reaper
2.) Hacking the human mind: A look at the power of social engineering - L33tdawg
3.) The occasional hacking of web applications - spoonfork
4.) Setting up a Linux Transparent Firewall - Mutilator
5.) Passport Hijacking - Obscure
6.) Hard Attack: Chaintech Video - biatch0
