Ok, I've had a couple of requests for this, so here goes:
Note: This is NOT endorsed by e-smith, inc! I am simply sharing my
experience as it's been requested!
E-Smith is based on RedHat 6.1. However, you may have a RedHat 6.2 CD
and would like ALL the updates to your components. This will ALSO add
the functionality of PORT FORWARDING, so you may want to go through
this exercise for that reason alone! :)
Stuff you will need:
- RedHat 6.2 CD. You can get a fresh ISO to burn HERE ->
  http://www.linuxiso.org/download/redhat-6.2-i386.iso
- The latest, greatest SAMBA! Get it HERE ->
  http://ca.samba.org/samba/ftp/Binary_Packages/redhat/RPMS/6.2/samba-2.0.7-20000425.i386.rpm
- IPMASQADM, which works very nicely to forward ports! Get it HERE ->
  http://www.nx2000.net/ipmasqadm-0.4.2-3.i386.rpm
  If you want to know about this module go HERE ->
  http://members.home.net/ipmasq/
Place the SAMBA and IPMASQADM rpms in a directory on your e-smith
server.
Step 1: BACK UP YOUR DATA!!!! BACK UP YOUR E-SMITH CONFIGURATION!
(You can do this from the e-smith manager)
Step 2: Boot with your RedHat 6.2 CD and go through the preamble. (I
type "text" at the LILO boot prompt so I'm not prompted about
irrelevant X config and mouse questions.) When prompted, select
UPGRADE and "Customize packages to upgrade". Add the MC and IPCHAINS
packages. MC is VERY handy for editing rc scripts! :) After you have
selected these, proceed with the upgrade. It should take about 6
minutes, just enough time to make coffee.
Step 3 (Optional): Drink Coffee <- MAY be endorsed by e-smith, inc.
Step 4: After reboot your e-smith server may be slightly dysfunctional.
That's OK, we're gonna do worse! :) You must UNINSTALL
samba-client and samba-common using the rpm -e command. (Type rpm |
more for help here.) This is because the NEW SAMBA does NOT run 2
daemons anymore. Usually you see [SMB] and [NMB] at startup; this
means you have the older SAMBA installed. The NEW one ONLY has [SMB]
at startup. Once you have purged the old SAMBA, use the rpm -i
command to install the new one, which causes a problem: the
SMB.CONF file is overwritten. That's OK: simply connect to your
e-smith server with a browser and go to the workgroup function. Do
NOT change anything, just press the button; this will re-generate
your e-smith SAMBA configuration.
Step 5: Reboot
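Steps 4 and 5 as a script, added here as an example and not part of Scott's post. It keeps a copy of e-smith's generated smb.conf before the new RPM overwrites it, decides which old packages to erase from "rpm -qa" output (so that part can be tried on saved output without touching the box), and uses rpm -e, which is rpm's erase option. The RPM path /root/rpms and the sample "rpm -qa" output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the Samba swap from Step 4.
# Assumed: the new RPM was downloaded to /root/rpms and e-smith keeps its
# generated Samba configuration in /etc/smb.conf (the file the post says
# the new package overwrites).
NEW_SAMBA_RPM="${NEW_SAMBA_RPM:-/root/rpms/samba-2.0.7-20000425.i386.rpm}"
SMB_CONF="${SMB_CONF:-/etc/smb.conf}"

# Constructed sample of "rpm -qa" output on a Red Hat 6.x box (not a real
# capture); used to try the filter below without running rpm.
SAMPLE_RPM_QA='samba-common-2.0.5a-12
samba-client-2.0.5a-12
samba-2.0.5a-12
bind-8.2.2_P5-9
mc-4.5.42-10'

# Read "rpm -qa" output on stdin and print the names of the old split
# Samba packages (samba-common, samba-client, samba) one per line.
# The version always starts with a digit, so "samba-[0-9]" does not match
# "samba-common-..." or "samba-client-...".
old_samba_packages() {
    awk '
        /^samba-common-[0-9]/ { print "samba-common"; next }
        /^samba-client-[0-9]/ { print "samba-client"; next }
        /^samba-[0-9]/        { print "samba";        next }
    '
}

# Return 0 when the old two-daemon Samba (the one that shows [SMB] and
# [NMB] at boot) is still installed, judged from "rpm -qa" output on stdin.
old_samba_present() {
    old_samba_packages | grep -q '^samba-common$'
}

# The actual swap. Not run automatically; call it as root after reading it:
#   . ./this_script && swap_samba
swap_samba() {
    pkgs=$(rpm -qa | old_samba_packages)
    if [ -z "$pkgs" ]; then
        echo "old Samba packages not found; nothing to erase" >&2
        return 1
    fi
    # The new RPM overwrites smb.conf: keep e-smith's copy for comparison.
    cp -p "$SMB_CONF" "$SMB_CONF.pre-2.0.7" || return 1
    # Erase all three in one transaction so their mutual dependencies
    # resolve; rpm -e is the erase option (rpm -U only upgrades).
    rpm -e $pkgs || return 1
    rpm -i "$NEW_SAMBA_RPM" || return 1
    echo "Done. Now open the e-smith manager, Workgroup page, and press the"
    echo "button without changing anything to regenerate $SMB_CONF."
}
```

Run `rpm -qa | old_samba_present && echo old` first to confirm you are on the split packages; `swap_samba` refuses to proceed if it finds nothing to erase.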
Step 6: IPCHAINS and port forwarding. This is SUCH a HUGE subject and
you MAY want to skip it! :) I am really on my home turf here so this
may get a bit dry. :) Your work is done otherwise, and all you really
need to do is re-commit your settings in e-smith manager. I go
through all of them to be sure... but I digress...
IPCHAINS can lock your server RIGHT down and provide services nicely
to your internal network. Note that you have to connect to web, ftp,
telnet etc. via INTERNAL addresses. In MY example I will be using the
FIRST class C range, 192.168.0.0-255. Also, you are going to be
navigating the e-smith directories off the /etc directory, so you will
REALLY appreciate the MC install!
First install the IPMASQADM rpm using the rpm -i command. You may
also choose to compile the IPCHAINS and IPMASQADM support into your
kernel, but ONLY if you know your way around LINUX!
Next create a file in your /etc directory. I call mine rc.damnimgood.
(Yes, it's a character flaw I have NO intention of working on.) This
will be added to the rc.init script; place it at the end. You will
find it off the e-smith etc subfolder.
E-smith has its own rules implemented and you should leave them in
case you want to back out of this little adventure. To remove the
process we are installing, simply comment out the rc.damnimgood script
from rc.init.
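The rules that follow lean on a handful of address variables (the external address, the internal network, and the internal servers that get forwarded services). If one of them is empty or mistyped, ipchains either refuses the rule built from it or, worse, installs a rule with the wrong address, and with the input policy at DENY the service it was meant to allow just stays blocked. The pre-flight check below is an added example, not part of Scott's script; the variable names are the ones his script uses and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original rc script: validate the address
# variables before the firewall rules are loaded. Intended to be sourced
# at the top of rc.damnimgood (an assumption), e.g.:
#   check_firewall_vars OUTSIDE_IP LOCALNET_1 FTPSERVER MAILSERVER || exit 1

# Is $1 a dotted-quad IPv4 address, optionally followed by /prefix (0-32)?
# Returns 0 if so, 1 otherwise (including for an empty string).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }'
}

# Check that every variable named on the command line holds a valid
# address or network. Prints the offending names on stderr and returns 1
# if any fail, so the caller can abort before "ipchains -F" wipes the
# working rules.
check_firewall_vars() {
    bad=""
    for name in "$@"; do
        eval "value=\${$name}"
        valid_ipv4 "$value" || bad="$bad $name"
    done
    [ -z "$bad" ] && return 0
    echo "not set or not an IPv4 address/network:$bad" >&2
    return 1
}
```

Run the check on every variable that ends up in a -s, -d, -L or -R argument; ANYWHERE ("any/0") is deliberately not an IPv4 literal and is not meant to be passed to it.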
Next you will write your rules. We are going to use mine as an
example:
#!/bin/sh
# Permanent variables that don't need changing.
ANYWHERE="any/0"
# Remember the choice you made when you FIRST installed e-smith!
# If the adaptors are reversed, SWITCH THEM!
EXTERNAL_INTERFACE="eth0"
LOCAL_INTERFACE_1="eth1"
LOOPBACK_INTERFACE="lo"
# The address on the external interface and the internal network. The
# rules below use both, so they must be set: export OUTSIDE_IP before
# running this (or hard-code it here) and the script stops with a message
# if it is missing. LOCALNET_1 is the first class C range used in this
# example.
OUTSIDE_IP="${OUTSIDE_IP:?set OUTSIDE_IP to the address on $EXTERNAL_INTERFACE}"
LOCALNET_1="192.168.0.0/24"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="240.0.0.0/3"
BROADCAST_0="0.0.0.0"
BROADCAST_1="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
RESTRICTED_PORTS="2049"           # (TCP/UDP) NFS
RESTRICTED_OPENWINDOWS="2000"     # (TCP) openwindows
RESTRICTED_XWINDOWS="6000:6001"   # (TCP) X windows
SSH_PORTS="1022:1023"             # range for SSH privileged ports
# Internal servers that receive the forwarded services (portfw section
# below). Replace $XXXXSERVER with the IP of your internal server(s) or
# export them as environment variables before running this script:
# FTPSERVER, TELNETSERVER, MAILSERVER, DNSSERVER, BACKUPSERVER, PCASERVER.
echo "Starting firewalling... "
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
# SPOOFING & BAD ADDRESSES: NONE of these events should occur on your
# external interface! They are ALWAYS hostile if they do! So we will
# stop them...
# Refuse spoofed packets pretending to be to or from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $OUTSIDE_IP -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $OUTSIDE_IP -l -j REJECT
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT
# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT
# Refuse packets claiming to be to or from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j REJECT
ipchains -A output -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j REJECT
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_1 -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_0 -l -j DENY
# Refuse multicast/anycast/broadcast addresses (in.h) (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -s $MULTICAST -j DENY
# ----------------------------------------------------------------------------
# ICMP (the number after $ANYWHERE is the ICMP type)
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 0 -d $OUTSIDE_IP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 3 -d $OUTSIDE_IP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 4 -d $OUTSIDE_IP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 11 -d $OUTSIDE_IP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 12 -d $OUTSIDE_IP -j ACCEPT
# ----------------------------------------------------------------------------
# Disallow certain outgoing traffic to protect yourself from mistakes.
# openwindows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y -s $OUTSIDE_IP -d $ANYWHERE $RESTRICTED_OPENWINDOWS -j REJECT
# Xwindows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y -s $OUTSIDE_IP -d $ANYWHERE $RESTRICTED_XWINDOWS -j REJECT
# SOCKS: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y -s $OUTSIDE_IP -d $ANYWHERE 1080 -j REJECT
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
# Avoid ports subject to protocol & system administration problems.
# Deny access to the NFS, openwindows and X windows unprivileged ports
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y -d $OUTSIDE_IP $RESTRICTED_PORTS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y -d $OUTSIDE_IP $RESTRICTED_OPENWINDOWS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y -d $OUTSIDE_IP $RESTRICTED_XWINDOWS -l -j DENY
# SOCKS: incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y -s $ANYWHERE -d $OUTSIDE_IP 1080 -j DENY
# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS - edit as needed
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP $RESTRICTED_PORTS -l -j DENY
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 32769:65535 -d $OUTSIDE_IP 33434:33523 -l -j DENY
# ----------------------------------------------------------------------------
# DNS: full server
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 53 -j ACCEPT
# zone transfers
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 53 -d $OUTSIDE_IP 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 53 -d $OUTSIDE_IP 53 -j ACCEPT
# DNS client (53)
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 53 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 53 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Backup server (308)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 308 -j ACCEPT
# Backup client (308)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 308 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# ----------------------------------------------------------------------------
# TELNET server (23)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 23 -j ACCEPT
# TELNET client (23)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 23 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# HTTP server (80)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 80 -j ACCEPT
# HTTP client (80)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 80 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# HTTPS server (443)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 443 -j ACCEPT
# HTTPS client (443)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 443 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# POP server (110)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 110 -j ACCEPT
# POP client (110)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 110 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# NNTP NEWS client (119)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 119 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# FINGER client (79)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 79 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# AUTH server (113)
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE -d $OUTSIDE_IP 113 -j REJECT
# AUTH client (113)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 113 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# SMTP server (25)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 25 -j ACCEPT
# SMTP client (25)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 25 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# IMAP server (143)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 143 -j ACCEPT
# IMAP client (143)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 143 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# IRC client (6667)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 6667 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# AOL IM client (5190)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 5190 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# ICQ client (4000)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 2000:4000 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 4000 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# FTP server (20, 21)
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 21 -j ACCEPT
# PORT MODE data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 20 -j ACCEPT
# PASSIVE MODE data channel responses
# (Note: without "! -y" this rule also accepts NEW connections from any
# unprivileged port to every unprivileged port on $OUTSIDE_IP, so the
# logging DENY rules at the end never see those.)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# FTP client (20, 21)
# outgoing request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 21 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# NORMAL mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 20 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# PASSIVE mode data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# RealAudio client
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 554 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 7070:7071 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 6970:7170 -j ACCEPT
# WHOIS client (43)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 43 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# PCAnywhere server (5631:5632)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 5631 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE $UNPRIVPORTS -d $OUTSIDE_IP 5632 -j ACCEPT
# PCAnywhere client (5631:5632)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 5631 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $ANYWHERE 5632 -d $OUTSIDE_IP $UNPRIVPORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
# Forward services to internal servers. Note this will bypass the same
# service on E-Smith! If you forward to another web server inside your
# network THAT is what the outside world sees, NOT E-SMITH!
# Replace the $XXXXSERVER variables with the IP of your internal
# server(s) or make them environment variables.
echo "Forwarding Needed Services"
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 21 -R $FTPSERVER 21
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 23 -R $TELNETSERVER 23
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 25 -R $MAILSERVER 25
ipmasqadm portfw -a -P udp -L $OUTSIDE_IP 53 -R $DNSSERVER 53
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 53 -R $DNSSERVER 53
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 80 -R $MAILSERVER 80
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 443 -R $MAILSERVER 443
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 110 -R $MAILSERVER 110
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 308 -R $BACKUPSERVER 308
ipmasqadm portfw -a -P tcp -L $OUTSIDE_IP 5631 -R $PCASERVER 5631
ipmasqadm portfw -a -P udp -L $OUTSIDE_IP 5632 -R $PCASERVER 5632
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
# Basically anything that makes it through all the above rules without
# getting accepted will be denied and logged by the rules below.
echo "logging enabled"
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $OUTSIDE_IP -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP $PRIVPORTS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $OUTSIDE_IP $UNPRIVPORTS -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 5 -d $OUTSIDE_IP -l -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $ANYWHERE 13:18 -d $OUTSIDE_IP -l -j DENY
# ----------------------------------------------------------------------------
echo "forwarding enabled"
echo "Firewall Enabled!"
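The "-l" on the DENY rules above is only useful if someone reads what it produces. ipchains writes one "Packet log:" line per matching packet through the kernel log (the format is the one documented in the IPCHAINS-HOWTO: chain, target, interface, PROTO=, source:port, destination:port, then length/TOS/id/fragment/TTL and the rule number). The two helpers below are an added example, not part of Scott's script: one tallies logged packets by destination so you can see which ports are being poked at, the other pulls out the "ALWAYS hostile" case from the spoofing section, input packets on the external interface that claim a private or loopback source. The log lines, host name "esmith" and addresses are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original rc script: summarise ipchains
# "-l" log lines from /var/log/messages. Sample lines are constructed in
# the IPCHAINS-HOWTO "Packet log:" format; host name and addresses are
# made up.
SAMPLE_LOG='Jun 12 10:15:01 esmith kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3344 198.51.100.2:23 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#88)
Jun 12 10:15:03 esmith kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3345 198.51.100.2:23 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#88)
Jun 12 10:15:09 esmith kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.77:3001 198.51.100.2:2049 L=48 S=0x00 I=1 F=0x0000 T=52 (#44)
Jun 12 10:16:20 esmith kernel: Packet log: input DENY eth0 PROTO=6 127.0.0.1:1030 198.51.100.2:80 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#10)
Jun 12 10:16:44 esmith kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.9:5 198.51.100.2:0 L=56 S=0x00 I=0 F=0x0000 T=250 (#91)
Jun 12 10:17:02 esmith kernel: Packet log: output REJECT eth0 PROTO=6 198.51.100.2:1025 10.1.1.1:80 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#12)'

# Read syslog lines on stdin; print "count chain target iface proto dest"
# for every distinct logged destination, most frequent first. For ICMP the
# "port" after the source address is the ICMP type, so it is shown as such.
#   grep 'Packet log:' /var/log/messages | summarize_packet_log
summarize_packet_log() {
    awk '
        function pname(p) {
            p = p + 0
            return (p == 6) ? "tcp" : (p == 17) ? "udp" : (p == 1) ? "icmp" : p
        }
        /Packet log:/ {
            # find the "log:" token so the syslog prefix length does not matter
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i+1); target = $(i+2); iface = $(i+3)
            proto = $(i+4); sub(/^PROTO=/, "", proto)
            if (proto + 0 == 1) {
                split($(i+5), s, ":"); dst = $(i+6); sub(/:.*/, "", dst)
                dst = dst " type=" s[2]
            } else
                dst = $(i+6)
            n[chain " " target " " iface " " pname(proto) " " dst]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Print input-chain log lines whose source address is in 10/8, 172.16/12,
# 192.168/16 or 127/8: packets that should never arrive on the external
# interface. Output: "date time source -> destination:port".
spoofed_sources() {
    awk '
        /Packet log: input/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            src = $(i+5); sub(/:.*/, "", src)
            if (src ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                print $1, $2, $3, src, "->", $(i+6)
        }
    '
}
```

On the sample the top line is the two SYNs to port 23, which is what you would expect once the TELNET port is forwarded inside; the spoof check flags only the 127.0.0.1 packet, which the loopback rule in the script denies and logs.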
Well there you have it...MY e-smith server....I can’t believe you read
this far....you guys need to get out more...
-Scott