Firewall and problems with allowing UDP 17000:17050, always rejected by the last rule
Hi, I've got some problems allowing UDP packets out through a firewall. The problem zones are marked bold so they are easier to find (my friend wants to play Half-Life, but his firewall is always blocking with the following message):

Packet log: output REJECT eth1 PROTO=17 212.186.xx.xx:62445 194.183.128.54:27019 L=37 S=0x00 I=5296 F=0x0000 T=127 (#29)

#!/bin/sh
echo "Starting firewalling... "

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth1"            # Internet connected interface
LOOPBACK_INTERFACE="lo"              # or your local naming convention
LOCAL_INTERFACE_1="eth0"             # internal LAN interface

IPADDR="212.186.xx.xx"               # your IP address
LOCALNET_1="10.10.10.0/24"           # whatever private range you use
EXTERN_1="212.17.XX:XX"              # extern 1 # Simon
ANYWHERE="any/0"                     # match any IP address
NAMESERVER_1="any/0"                 # everyone must have at least one
SMTP_SERVER="any/0"                  # not set anywhere in the posted script; assumed
                                     # here so the "SMTP client" rules below can load

LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # class A private networks
CLASS_B="172.16.0.0/12"              # class B private networks
CLASS_C="192.168.0.0/16"             # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"      # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address
PRIVPORTS="0:1023"                   # well known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

# ----------------------------------------------------------------------------
HALFLIFE="17000:17050"               # HALFLIFE port range
NFS_PORT="2049"                      # (TCP/UDP) NFS
SOCKS_PORT="1080"                    # (TCP) Socks

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"            # (TCP) X windows

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"         # port range for local clients
SSH_REMOTE_PORTS="513:65535"         # port range for remote clients

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
ipchains -F

# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0

# ----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

# These modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp

# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# All internal access to extern IP addresses
ipchains -A input  -i $EXTERNAL_INTERFACE -s $EXTERN_1 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -d $EXTERN_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.

# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    . /etc/rc.d/rc.firewall.blocked
fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
ipchains -A input -s $IPADDR -j DENY -l

# Refuse incoming packets claiming to be from a Class A, B or C private network
ipchains -A input -s $CLASS_A -j DENY
ipchains -A input -s $CLASS_B -j DENY
ipchains -A input -s $CLASS_C -j DENY

# Refuse broadcast address SOURCE packets
ipchains -A input -s $BROADCAST_DEST -j DENY -l
ipchains -A input -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s $CLASS_D_MULTICAST -j DENY

# Refuse Class E reserved IP addresses
ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l

# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included.
# Filtering them causes problems as reserved blocks are
# being allocated more often now.

# Note: this list includes the loopback, multicast, & reserved addresses.

# 0.*.*.*        - Can't be blocked for DHCP users.
# 127.*.*.*      - LoopBack
# 169.254.*.*    - Link Local Networks
# 192.0.2.*      - TEST-NET
# 224-255.*.*.*  - Classes D & E, plus unallocated.

ipchains -A input -s 0.0.0.0/8      -j DENY -l
ipchains -A input -s 127.0.0.0/8    -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24   -j DENY -l
ipchains -A input -s 224.0.0.0/3    -j DENY -l

# ----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

# NFS: establishing a TCP connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
         --destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
         --destination-port $NFS_PORT -j REJECT

# Xwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
         --destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
         --destination-port $XWINDOW_PORTS -j REJECT

# SOCKS: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \
         --destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \
         --destination-port $SOCKS_PORT -j REJECT

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         --destination-port $NFS_PORT -j DENY -l

# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         --source-port $TRACEROUTE_SRC_PORTS \
         --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l

# ALLOWED CONNECTIONS
# MIXED TRAFFIC (TCP/UDP)
# ------------------------------------------------------------------
# DNS client (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# HALFLIFE client (17000:17050)
# ----------------
# NOTE: the only output rule in this block is for TCP; there is no
# "-A output ... -p udp" rule towards the game ports at all, and the
# logged packet (UDP, destination port 27019) is outside 17000:17050
# anyway, so it falls through to the final output REJECT at the bottom.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE $HALFLIFE -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $ANYWHERE $HALFLIFE \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
# NOTE: this rule accepts every incoming UDP datagram to any unprivileged
# port of the firewall, not only game replies.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $ANYWHERE $HALFLIFE -j ACCEPT

# UDP TRAFFIC
# TCP TRAFFIC
# ------------------------------------------------------------------
# FTP client (21)
# ---------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 21 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# PORT mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port 20 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 20 -j ACCEPT

# PASSIVE mode data channel creation
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port $UNPRIVPORTS \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $SSH_REMOTE_PORTS \
         -d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR 22 \
         --destination-port $SSH_REMOTE_PORTS -j ACCEPT

# SSH client (22)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $SSH_LOCAL_PORTS \
         --destination-port 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 22 \
         -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT

# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR 25 \
         --destination-port $UNPRIVPORTS -j ACCEPT

# SMTP client (25)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $SMTP_SERVER 25 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $SMTP_SERVER 25 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 43 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 43 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# HTTP client (80)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 80 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR 80 \
         --destination-port $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# POP server (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s 212.17.77.232 $UNPRIVPORTS \
         -d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR 110 \
         -d 212.17.77.232 $UNPRIVPORTS -j ACCEPT

# POP client (110)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 110 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 110 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR 113 -j REJECT

# AUTH client (113)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 113 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 113 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------
# HTTPS client (443)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 443 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------

# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $TRACEROUTE_SRC_PORTS \
         --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l

# ----------------------------------------------------------------------------
# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type echo-reply \
         -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type destination-unreachable \
         -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type source-quench \
         -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type time-exceeded \
         -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type parameter-problem \
         -d $IPADDR -j ACCEPT

# (ipchains takes the ICMP type in the "port" position after -s)
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR fragmentation-needed -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR source-quench -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR echo-request -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR parameter-problem -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type 13:255 -j DENY -l

# Last rule of the output chain: if every output rule above loaded, this is
# the 29th, i.e. the "(#29)" in the log line above.
ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l

# ----------------------------------------------------------------------------
echo "done"
exit 0
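The log line and the posted output chain, as an added example (this is not code from the original mail): a small Python simulator of ipchains first-match evaluation over the output chain in the order the script builds it, reduced to the fields a UDP datagram can match on (interface, protocol, addresses, ports). TCP flags and ICMP types are left out because they cannot match UDP, and addresses are compared as plain strings, which is enough here because the logged destination is a single public host. Parsing the log line gives protocol 17 (UDP), source port 62445, destination port 27019 and rule #29; walking the chain lands on the catch-all "-j REJECT -l", which is the 29th output rule in the script. The fixed_chain helper and the 27000:27050 range are my assumptions, not something from the thread: they show what an outgoing UDP rule written in the script's own style would do, and that it only helps if its port range actually contains the logged port 27019.

```python
"""ipchains output-chain simulator for the posted firewall script (added example)."""
import re

# Log line quoted in the original mail (addresses kept as written there).
LOG_LINE = ("Packet log: output REJECT eth1 PROTO=17 212.186.xx.xx:62445 "
            "194.183.128.54:27019 L=37 S=0x00 I=5296 F=0x0000 T=127 (#29)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\w+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_log(line):
    """Split an ipchains 'Packet log:' line into the fields a rule can match on."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    d = m.groupdict()
    return {"chain": d["chain"], "target": d["target"], "iface": d["iface"],
            "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "rule": int(d["rule"])}

# Values from the script's definitions block.
IPADDR = "212.186.xx.xx"
UNPRIV = (1024, 65535)
HALFLIFE = (17000, 17050)
TR_SRC, TR_DST = (32769, 65535), (33434, 33523)

def R(target, iface="eth1", proto=None, src=None, sports=None, dst=None, dports=None):
    """One output-chain rule; None means 'any' for that field."""
    return {"target": target, "iface": iface, "proto": proto, "src": src,
            "sports": sports, "dst": dst, "dports": dports}

def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def matches(rule, pkt):
    return (rule["iface"] == pkt["iface"]
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["src"] is None or rule["src"] == pkt["src"])
            and (rule["dst"] is None or rule["dst"] == pkt["dst"])
            and in_range(pkt["sport"], rule["sports"])
            and in_range(pkt["dport"], rule["dports"]))

def evaluate(chain, pkt, policy="REJECT"):
    """ipchains semantics: the first matching rule decides, else the chain policy.
    Returns (target, 1-based rule number; None when the policy applied)."""
    for number, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule["target"], number
    return policy, None

# Every "-A output" rule of the posted script, in order (comments give the block).
POSTED_OUTPUT_CHAIN = [
    R("ACCEPT", iface="lo"),                                             # 1 loopback
    R("ACCEPT", iface="eth0", dst="10.10.10.0/24"),                      # 2 LAN
    R("ACCEPT", dst="212.17.XX:XX"),                                     # 3 EXTERN_1
    R("REJECT", proto="tcp", dports=(2049, 2049)),                       # 4 NFS
    R("REJECT", proto="tcp", dports=(6000, 6063)),                       # 5 X11
    R("REJECT", proto="tcp", dports=(1080, 1080)),                       # 6 SOCKS
    R("ACCEPT", proto="udp", src=IPADDR, sports=UNPRIV, dports=(53, 53)),      # 7 DNS udp
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(53, 53)),      # 8 DNS tcp
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=HALFLIFE),      # 9 HALFLIFE tcp only
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(21, 21)),      # 10 FTP
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(20, 20)),      # 11 FTP PORT
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=UNPRIV),        # 12 FTP PASV
    R("ACCEPT", proto="tcp", src=IPADDR, sports=(22, 22), dports=(513, 65535)),  # 13 SSH server
    R("ACCEPT", proto="tcp", src=IPADDR, sports=(1022, 65535), dports=(22, 22)), # 14 SSH client
    R("ACCEPT", proto="tcp", src=IPADDR, sports=(25, 25), dports=UNPRIV),      # 15 SMTP server
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(25, 25)),      # 16 SMTP client
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(43, 43)),      # 17 WHOIS
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(80, 80)),      # 18 HTTP client
    R("ACCEPT", proto="tcp", src=IPADDR, sports=(80, 80), dports=UNPRIV),      # 19 HTTP server
    R("ACCEPT", proto="tcp", src=IPADDR, sports=(110, 110), dst="212.17.77.232", dports=UNPRIV),  # 20 POP server
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(110, 110)),    # 21 POP client
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(113, 113)),    # 22 AUTH client
    R("ACCEPT", proto="tcp", src=IPADDR, sports=UNPRIV, dports=(443, 443)),    # 23 HTTPS client
    R("ACCEPT", proto="udp", src=IPADDR, sports=TR_SRC, dports=TR_DST),        # 24 traceroute
    R("ACCEPT", proto="icmp", src=IPADDR),                               # 25-28 four ICMP types
    R("ACCEPT", proto="icmp", src=IPADDR),
    R("ACCEPT", proto="icmp", src=IPADDR),
    R("ACCEPT", proto="icmp", src=IPADDR),
    R("REJECT"),                                                         # 29 catch-all REJECT -l
]

def fixed_chain(game_ports):
    """ASSUMED fix, not from the thread: the posted chain plus an outgoing UDP
    ACCEPT right after the HALFLIFE TCP rule, in the script's own style:
    -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR $UNPRIVPORTS -d $ANYWHERE <ports> -j ACCEPT"""
    chain = list(POSTED_OUTPUT_CHAIN)
    chain.insert(9, R("ACCEPT", proto="udp", src=IPADDR, sports=UNPRIV, dports=game_ports))
    return chain

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print("posted chain           :", evaluate(POSTED_OUTPUT_CHAIN, pkt))   # ('REJECT', 29)
    print("udp rule, 17000:17050  :", evaluate(fixed_chain(HALFLIFE), pkt))  # still REJECT
    print("udp rule, 27000:27050  :", evaluate(fixed_chain((27000, 27050)), pkt))  # ('ACCEPT', 10)
```

Two things the walk makes visible that the log line alone does not. First, the source port 62445 lies in the range that 2.2 kernels hand out to masqueraded connections, which fits the friend's PC sitting behind the MASQ rule; a masqueraded datagram still traverses the output chain with the firewall's own address as source, so an "-A output ... -p udp" rule is needed regardless of where the client lives. Second, once such a rule exists, the replies get in through the posted "-p udp -d $IPADDR $UNPRIVPORTS -j ACCEPT" input rule, which accepts any UDP to any unprivileged port of the firewall; narrowing its source port to the game range would keep the hole to what the game needs.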
rene marhold wrote:
Part 1.1 Type: Plain Text (text/plain) Encoding: quoted-printable

What's up? Your mail is 50K big and nobody can read it! Please stop that nonsense. Thanks.
--
Gero H. Marten
"Computers are like air conditioners: They stop working properly if you open windows."
"Gero H. Marten" wrote:
rene marhold wrote:
Part 1.1 Type: Plain Text (text/plain) Encoding: quoted-printable

What's up? Your mail is 50K big and nobody can read it! Please stop that nonsense. Thanks.
--
Gero H. Marten
"Computers are like air conditioners: They stop working properly if you open windows."
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Only you cannot read it ... try using "View -> View Attachments Inline" in your Netscape Messenger ;-) (Works at least with 4.75. You have 4.76, don't you?)

Regards, Christian
Sorry about the big message. Here are the problem rules in one file; hope it's better now.

Greetings, DJMAD
participants (3): Christian Haufe, GMarten@t-online.de, rene marhold