
Firewall Problem on RHEL 4



Hey,

I have just installed RHEL 4 AS to act as my router/firewall. Without my firewall script loaded it works perfectly. I have internet connectivity and network connectivity.

When I first loaded my script, the box operated fine. My clients could access the internet, and the forward rules were operating ok.

After a couple of hours I noticed this error in /var/log/messages:

Neighbour table overflow

This error indicates that the ARP table is full. After issuing the command arp -n I can see the table is full. The weird thing is that the addresses are coming in on the internal interface on a subnet that does not exist.

So out of curiosity, I restarted the server, and did not load the firewall. What I noticed is that the ARP table does not get filled until the firewall is loaded. I cannot figure out for the life of me why this happens. So I tried the same script on a Debian Etch install on a tmp server and the issue did not occur. I used the same script as I used on the RHEL 4 AS box.

So here is the script, any ideas on what could be wrong would be really helpful! Or at least a shove in the right direction. :)

=============================

#!/bin/sh
echo "Starting FIREWALL V.04"
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo "8192" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
	for f in /proc/sys/net/ipv4/conf/*/accept_source_route
	do
		echo 0 > $f
	done
fi
#Do not respond to a proxy arp request.
#Do not replay to 'proxyarp' packets
if [ -e /proc/sys/net/ipv4/proxy_arp ]; then
	echo 0 > /proc/sys/net/ipv4/proxy_arp
fi
#Stop spoofed packets(try to)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
	for f in /proc/sys/net/ipv4/conf/*/rp_filter
	do
		echo 1 > $f
	done
fi
#Log martian packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Prevent smurf attack
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 45 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Load iptables modules
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* 2>/dev/null | sed 's/\..o.*$//')`
MODPROBE="/sbin/modprobe"
LSMOD="/sbin/lsmod"
for modules in $MODULES; do
	#Skip modules that are already loaded
	if $LSMOD | grep -q "^${modules} "; then continue; fi
	echo loading module ${modules}
	$MODPROBE ${modules} || exit 1
done

#The ip_conntrack sysctls only exist once the module is loaded
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

iptables -A PREROUTING -t mangle -p tcp --sport \
 22 -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport \
 8916 -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport \
 5900:5930 -j TOS --set-tos Minimize-Delay

#Drop BAD IP packets
iptables -N BAD_FLAGS
iptables -A INPUT -p tcp --tcp-option 64 -m recent \
 --set -j BAD_FLAGS
iptables -A INPUT -p tcp --tcp-option 128 -m recent \
 --set -j BAD_FLAGS
iptables -A BAD_FLAGS -m limit --limit 1/second \
 -j LOG --log-level info --log-prefix \
 "Bad_FLAGS -- SHUN " --log-tcp-sequence \
 --log-tcp-options --log-ip-options
iptables -A BAD_FLAGS -j DROP

#Drop Small Packets (broken packets)
iptables -N SMALL
iptables -A INPUT -p udp -m length --length 0:27 \
 -m recent --set -j SMALL
iptables -A INPUT -p tcp -m length --length 0:39 \
 -m recent --set -j SMALL
iptables -A INPUT -p icmp -m length --length 0:27 \
 -m recent --set -j SMALL
iptables -A INPUT -p 30 -m length --length 0:31 \
 -m recent --set -j SMALL
iptables -A INPUT -p 47 -m length --length 0:39 \
 -m recent --set -j SMALL
iptables -A INPUT -p 50 -m length --length 0:49 \
 -m recent --set -j SMALL
iptables -A INPUT -p 51 -m length --length 0:35 \
 -m recent --set -j SMALL
iptables -A SMALL -m limit --limit 1/second -j LOG \
 --log-level info --log-prefix "SMALL -- SHUN " \
 --log-tcp-sequence --log-tcp-options \
 --log-ip-options
iptables -A SMALL -j DROP

iptables -N BOGUS
iptables -t filter -A INPUT -m conntrack \
 --ctstate INVALID -j BOGUS
iptables -t filter -A OUTPUT -m conntrack \
 --ctstate INVALID -j BOGUS
iptables -t filter -A FORWARD -m conntrack \
 --ctstate INVALID -j BOGUS
iptables -A BOGUS -m limit --limit 1/second -j LOG \
 --log-level info --log-prefix "INVALID PACKET \
  -- DROP " --log-tcp-sequence --log-tcp-options \
 --log-ip-options
iptables -A BOGUS -j DROP

iptables -N NOFRAGS
iptables -A OUTPUT -p ip -f -j NOFRAGS
iptables -A INPUT -p ip -f -j NOFRAGS
iptables -A FORWARD -p ip -f -j NOFRAGS
iptables -A NOFRAGS -m limit --limit 1/second \
 -j LOG --log-level info --log-prefix \
 "Fragment -- DROP " --log-tcp-sequence \
 --log-tcp-options --log-ip-options
iptables -A NOFRAGS -j DROP

iptables -A INPUT -p tcp ! --syn -m conntrack \
 --ctstate NEW -j LOG --log-prefix "New not syn:"
iptables -A INPUT -p tcp ! --syn -m conntrack \
 --ctstate NEW -j DROP

iptables -A FORWARD -p tcp ! --syn -m conntrack \
 --ctstate NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p tcp ! --syn -m conntrack \
 --ctstate NEW -j DROP

iptables -N ANTI_SPOOF
iptables -A INPUT -i eth1 -s 10.20.6.1 \
 -j ANTI_SPOOF
iptables -A ANTI_SPOOF -m limit --limit 1/second \
 -j LOG --log-level info --log-prefix \
 "Spoofing DENY: " --log-tcp-sequence \
 --log-tcp-options --log-ip-options
iptables -A ANTI_SPOOF -j DROP

iptables -N ALLOWED_OUT
iptables -A OUTPUT -o eth1 -j ALLOWED_OUT
iptables -A FORWARD -o eth1 -j ALLOWED_OUT
iptables -A ALLOWED_OUT -o eth0 -s XXX.83.66.100 \
 -j RETURN
iptables -A ALLOWED_OUT -o eth0 \
 -s 10.20.6.0/24 -j RETURN

iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 113 \
 -j REJECT --reject-with tcp-reset
iptables -I FORWARD -p tcp -i eth1 -s 0.0.0.0/0 \
 --dport 113 -j REJECT --reject-with tcp-reset

iptables -A INPUT -m conntrack --ctstate \
 ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate \
 ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate \
 ESTABLISHED,RELATED -j ACCEPT

iptables -N OFFENDER
iptables -A INPUT -m recent --rcheck --seconds 300 \
 -j OFFENDER
iptables -A FORWARD -m recent --rcheck --seconds 300 \
 -j OFFENDER
iptables -A OFFENDER -m limit --limit 1/second -j LOG \
 --log-level info \
 --log-prefix "OFFENDER -- SHUN " \
 --log-tcp-sequence --log-tcp-options \
 --log-ip-options
iptables -A OFFENDER -j DROP

iptables -N MISC
iptables -A INPUT -p esp -j MISC
iptables -A OUTPUT -p esp -j MISC
iptables -A FORWARD -p esp -j MISC
iptables -A INPUT -p ah -j MISC
iptables -A OUTPUT -p ah -j MISC
iptables -A FORWARD -p ah -j MISC
iptables -A INPUT -s 127.0.0.1 -j MISC
iptables -A INPUT -p icmp -m icmp --icmp-type 255 \
 -j MISC
iptables -A INPUT -s XXX.163.0.0/255.255.0.0 -p tcp -m tcp \
 --dport 5900:5930 -m state --state NEW \
 -j MISC
iptables -A INPUT -s 10.152.0.0/255.255.0.0 -p tcp -m tcp \
 --dport 5900:5930 -m state --state NEW \
 -j MISC
iptables -A INPUT -p tcp -m tcp \
 --dport 8916 -m state --state NEW \
 -j MISC
iptables -A INPUT -p tcp -m tcp \
 --dport 22 -m state --state NEW \
 -j MISC
iptables -A INPUT -p tcp -m tcp \
 --dport 5900:5930 -m state --state NEW \
 -j MISC
iptables -A INPUT -i eth1 -j MISC
iptables -A MISC -j ACCEPT

iptables -t nat -A PREROUTING -d XXX.83.66.100 -i eth0 -p tcp \
 -m tcp --dport 22 -j DNAT --to-destination 10.20.6.44:22
iptables -t nat -A PREROUTING -d XXX.83.66.100 -i eth0 -p tcp \
 -m tcp --dport 8916 -j DNAT --to-destination 10.20.6.11:22
iptables -t nat -A PREROUTING -d XXX.83.66.101 -i eth0 -p tcp \
 -m tcp --dport 8916 -j DNAT --to-destination 10.20.6.12:22
iptables -t nat -A PREROUTING -d XXX.83.66.101 -i eth0 -p tcp \
 -m tcp --dport 5900:5930 -j DNAT --to-destination 10.20.6.12
iptables -t nat -A PREROUTING -d XXX.83.66.100 -i eth0 -p tcp \
 -m tcp --dport 5900:5930 -j DNAT --to-destination 10.20.6.11
iptables -t nat -A POSTROUTING -s 10.20.6.0/255.255.255.0 \
 -j SNAT --to-source XXX.83.66.100

iptables -N FINAL_DROP
iptables -A INPUT -j FINAL_DROP
iptables -A FINAL_DROP -m limit --limit 1/second \
 -j LOG --log-level info --log-prefix "Final DROP " \
 --log-tcp-sequence --log-tcp-options \
 --log-ip-options
iptables -A FINAL_DROP -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Firewall loaded"

========================

--
Cheers,
Julian De Marchi
--
OpenNIC user - http://wiki.opennicproject.org/
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
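Added example, not from the original post or its script: a shell helper for reading the neighbour table the way the troubleshooting above calls for, counting entries against the gc_thresh values the script sets and grouping the unresolved ones by /16 prefix and interface so a prefix that does not belong on the LAN stands out. The arp -n sample and the 203.0.113.1 gateway address are constructed input; on the router itself pass "$(arp -n)" instead.

```shell
# Summarise a neighbour table dump when chasing "Neighbour table overflow".
# SAMPLE_ARP is constructed input in `arp -n` format (203.0.113.1 stands in
# for the upstream gateway); on a real box use "$(arp -n)" instead.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
10.20.6.44               ether   00:11:22:33:44:55   C                     eth1
10.20.6.11               ether   00:11:22:33:44:66   C                     eth1
10.152.3.17                      (incomplete)                              eth1
10.152.3.18                      (incomplete)                              eth1
203.0.113.1              ether   00:aa:bb:cc:dd:ee   C                     eth0'

# Number of table entries, excluding the header line.
arp_total() {
	printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Entries the kernel never got an ARP reply for.
arp_incomplete() {
	printf '%s\n' "$1" | awk '/\(incomplete\)/ { n++ } END { print n + 0 }'
}

# Unresolved entries grouped by /16 and interface, busiest first; a pile of
# them for a prefix not on that LAN means the box ARPs for forwarded traffic.
arp_incomplete_by_prefix() {
	printf '%s\n' "$1" | awk '/\(incomplete\)/ {
		split($1, o, ".")
		key = o[1] "." o[2] ".0.0/16 " $NF
		n[key]++
	}
	END { for (k in n) print n[k], k }' | sort -rn
}

# Compare the entry count with the neigh gc_thresh values: GC runs above
# gc_thresh1, runs hard above gc_thresh2, and at gc_thresh3 new entries
# are refused and the kernel logs "Neighbour table overflow".
arp_threshold_state() {
	n=$1; t1=$2; t2=$3; t3=$4
	if [ "$n" -ge "$t3" ]; then echo "overflow: $n >= gc_thresh3 ($t3)"
	elif [ "$n" -gt "$t2" ]; then echo "pressure: $n > gc_thresh2 ($t2)"
	elif [ "$n" -gt "$t1" ]; then echo "gc active: $n > gc_thresh1 ($t1)"
	else echo "ok: $n <= gc_thresh1 ($t1)"
	fi
}

total=$(arp_total "$SAMPLE_ARP")
echo "entries: $total  incomplete: $(arp_incomplete "$SAMPLE_ARP")"
arp_incomplete_by_prefix "$SAMPLE_ARP"
# Thresholds are the values the script above writes to gc_thresh1..3.
arp_threshold_state "$total" 1024 4096 8192
```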

