Re: Firewalling and MASQ

Stephen L. Favor (sfavor@rsn.hp.com)
Fri, 10 Dec 1999 08:04:29 -0600


DEMERRE DIETER wrote:

> "Matthew Vanecek" <mev0003@unt.edu> wrote:
> >
> > > ipchains -A output -j DENY -p tcp -y -s <router ip>
> > >
> > > to block connects from the router as it will also block
> > > connects from MASQed hosts.
> ...
> > Have you tried the above chain (just for shits-n-grins, y'know)?

Yes. It does exactly what I describe above--blocks all connects for
both the router and MASQed hosts as one would expect.

> > The question arises, why would you not want your router to talk to
> > the outside world (if, indeed, I understand your question

I've been studying hacker tactics for a year or so, which is quite
fun. Anyway, most attacks gain root access by compromising an open
port and running a small script which downloads and runs the software that
actually compromises the system. I run a dedicated router for a MASQed
network and I never connect to the outside world from the router. This
gives me a detection mechanism in case my machine is actually
compromised. Currently, I use tcpdump and some shell scripts to detect
when this occurs, but that doesn't block the attack. What I want to do
is block all outward connects from the router because it almost
certainly means I have been compromised.

> I don't think that's such a silly thing to do. I configured a gateway
> pretty much like that. (Almost) no daemons on the gateway and only
> out-going connections masqueraded from the inside.
> Since I encountered the same problem as Stephen, I disabled
> access to the ports that could be open for an attack:
>
> ipchains -A input -y -p tcp -i ippp<n> -s 0.0.0.0/0 \
> -d 0.0.0.0/0 0:1024 -j DENY

I have done this also. I actually do "-A input -i ppp0 -y -l" and add
rules above it for the few ports to which I allow inbound connects.
I'm now trying to do the same thing for the output chain and MASQ is
giving me headaches :(
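As an added illustration (not code from this thread or from any of its posters), here is a small Python model of how ipchains on a 2.2 kernel walks its chains. It shows why the output-chain rule quoted above denies SYNs from MASQed hosts as well as from the router: a forwarded packet is masqueraded in the forward chain and reaches the output chain already carrying the router's own source address. It also shows an assumed refinement that keys on the 2.2 kernel's default masquerade port range (61000-65096); the addresses and the port range are assumptions, not taken from the thread.

```python
# Constructed model of ipchains (Linux 2.2) chain traversal with IP masquerading.
# Assumed, not from the thread: the addresses below and the default masquerade
# port range PORT_MASQ_BEGIN..PORT_MASQ_END (61000-65096) of 2.2 kernels.
from dataclasses import dataclass, replace
import itertools

ROUTER_IP = "203.0.113.1"            # constructed router/external address
MASQ_PORTS = range(61000, 65097)     # assumed 2.2 default masquerade port range
_masq_counter = itertools.count()

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool           # TCP SYN without ACK, i.e. what "-y" matches
    local_origin: bool  # True if generated by a process on the router itself

def masquerade(pkt):
    """Model of -j MASQ in the forward chain: the source becomes the router's
    address and a port from the masquerade range."""
    port = 61000 + (next(_masq_counter) % 4096)
    return replace(pkt, src=ROUTER_IP, sport=port)

def output_deny_router_syn(pkt):
    """The rule from the thread: -A output -j DENY -p tcp -y -s <router ip>."""
    return "DENY" if pkt.syn and pkt.src == ROUTER_IP else "ACCEPT"

def output_allow_masq_range(pkt):
    """Assumed refinement: a SYN with the router's source address whose source
    port lies in the masquerade range came through -j MASQ, so let it out;
    any other SYN sourced from the router itself is denied.  This is only a
    heuristic: a local process could deliberately bind a port in that range."""
    if pkt.syn and pkt.src == ROUTER_IP:
        return "ACCEPT" if pkt.sport in MASQ_PORTS else "DENY"
    return "ACCEPT"

def send(pkt, output_rule):
    """Locally generated packets traverse only the output chain; forwarded
    packets pass the forward chain (where MASQ rewrites them) first."""
    if not pkt.local_origin:
        pkt = masquerade(pkt)
    return output_rule(pkt)

# Constructed traffic: a LAN host's SYN and the router's own SYN to the same web server.
LAN_SYN = Packet("192.168.1.10", 1025, "198.51.100.7", 80, syn=True, local_origin=False)
ROUTER_SYN = Packet(ROUTER_IP, 1026, "198.51.100.7", 80, syn=True, local_origin=True)
ROUTER_ACK = Packet(ROUTER_IP, 22, "198.51.100.7", 40000, syn=False, local_origin=True)
```

Running `send(LAN_SYN, output_deny_router_syn)` returns "DENY", which is the behaviour Stephen reports; `send(LAN_SYN, output_allow_masq_range)` returns "ACCEPT" while the router's own SYN is still denied.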

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu