Dear list readers,

Out of educational interest and to understand the advanced features of packet filtering in a better way I am trying to build an ipchains based firewall on my own. The basic policy of all rules is to deny traffic. I'd like to build a machine which does masquerading for an internal network but keeps the users ON the machine from running their own servers on TCP or UDP highports. I found no way to differ between a port that is used by the firewall machine for local usage and a port that is used for masquerading a connection from the inside network.

This is my basic idea of the firewall. Basic policy: DENY

1. Do masquerading for internal network.
2. Allow SSH connection from internal network.
3. Deny lowport (1-1024) connections to machine.
4. Do forwarding of masqueraded (highport) connections.
5. Deny highport local services.

Using /proc/sys/net/ipv4/ip_local_port_range it is possible to limit the range of highports. Is it possible to limit the range of masqueraded ports to a certain scope? I could replace rules 4 and 5 by

4. Deny port 1024-20000 connections. --> local used ports
5. Accept port 20001-65000 connections. --> masqueraded ports

Do you have any other idea how to differ between incoming packets for masqueraded connections and incoming packets for local highport services? The packet headers seem to look the same.

Regards,
Andreas Achtzehn
Actually you can do this.
http://www.seifried.org/security/os/linux/20011005-linux-port-behavior.html
The good news is that most of the IP-MASQ connections appear to originate
from ports in the 61000-65095 range - at least they do on my server - and
this doesn't change between reboots. (Look in ip_masq.c.)
So if your IP-MASQ'ed connections are originating from ports 61000-65095,
and connections from the server itself from 1024-4999, then you need two
sets of rules for each thing you want to allow.
To block servers though just do not allow connections to be initiated to
high ports (i.e. syn packet set). Or only allow established connections.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
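A rule set along the lines Kurt describes, added here as an illustration and not part of the original thread or of any tool: it assumes the 61000-65095 masquerading range from the reply, a local client range of 1024-4999 (ip_local_port_range set to "1024 4999"), a constructed external address and internal network, and it prints the ipchains commands unless IPCHAINS points at the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the ipchains rules for the
# layout in Kurt's reply. IPCHAINS defaults to "echo" so the rules are only
# printed; set IPCHAINS=/sbin/ipchains to apply them on a 2.2 kernel.
IPCHAINS="${IPCHAINS:-echo}"

emit_masq_rules() {
    ext=$1   # external (masquerading) IP, e.g. 203.0.113.2 (constructed)
    lan=$2   # internal network, e.g. 192.168.1.0/24 (constructed)

    # Start from a deny-everything policy on input and forward.
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY

    # 1. Masquerade the internal network. Replies are demasqueraded after
    #    the input chain, so the input chain still sees ports 61000-65095.
    $IPCHAINS -A forward -s "$lan" -j MASQ

    # 2. SSH to the firewall only from the internal network (must come
    #    before the low-port deny rule below).
    $IPCHAINS -A input -p tcp -s "$lan" -d 0.0.0.0/0 22 -j ACCEPT

    # 3. Low ports: already covered by the DENY policy; log attempts.
    $IPCHAINS -A input -p tcp -d "$ext" 1:1024 -j DENY -l
    $IPCHAINS -A input -p udp -d "$ext" 1:1024 -j DENY -l

    # 4. Replies to masqueraded connections: accept only established TCP
    #    (no SYN flag, "! -y") and UDP into the masquerading port range.
    $IPCHAINS -A input -p tcp ! -y -d "$ext" 61000:65095 -j ACCEPT
    $IPCHAINS -A input -p udp -d "$ext" 61000:65095 -j ACCEPT

    # 5. Replies to the firewall's own outbound connections get the same
    #    established-only treatment on the local port range. A SYN to any
    #    high port is logged and denied, which is what stops users from
    #    running TCP servers there. UDP has no handshake, so a UDP server
    #    on 1024-4999 would still be reachable; keeping the range small
    #    limits that exposure.
    $IPCHAINS -A input -p tcp ! -y -d "$ext" 1024:4999 -j ACCEPT
    $IPCHAINS -A input -p udp -d "$ext" 1024:4999 -j ACCEPT
    $IPCHAINS -A input -p tcp -y -d "$ext" 1024:65535 -j DENY -l
}

# Stand-alone use (constructed values): MASQ_EXT_IP=203.0.113.2 sh masq-rules.sh
if [ -n "${MASQ_EXT_IP:-}" ]; then
    emit_masq_rules "$MASQ_EXT_IP" "${MASQ_LAN:-192.168.1.0/24}"
fi
```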