Re: Firewalling and MASQ

Matthew Vanecek (
Fri, 10 Dec 1999 16:13:01 -0600

"Stephen L. Favor" wrote:
> > > The question arises, why would you not want your router to talk to
> > > the outside world (if, indeed, I understand your question
> I've been studying hacker tactics for a year or so, which is quite
> fun. Anyway, most attacks gain root access by compromising an open
> port and run a small script which downloads and runs the software that
> actually compromises the system. I run a dedicated router for a MASQed
> network and I never connect to the outside world from the router. This
> gives me a detection mechanism in case my machine is actually
> compromised. Currently, I use tcpdump and some shell scripts to detect
> when this occurs, but that doesn't block the attack. What I want to do
> is block all outward connects from the router because it almost
> certainly means I have been compromised.

That very much makes sense.

Have you tried this, then--disable outbound traffic on the router, and
then specifically allow outbound traffic where -s <ip> are your internal
machines? Not sure if it would work, and you may have already tried it,
but that's about all I can think of.

Also, instead of using input and output, try naming your chains. It
gives you some more flexibility:

# Outgoing FireWall Rules
/sbin/ipchains -N eth1-out
/sbin/ipchains -A output -i eth1 -j eth1-out
# set the minimum-delay TOS bit on outbound HTTP (no -j: the rule only mangles TOS)
/sbin/ipchains -A eth1-out -p TCP -d 0/0 80 -t 0x01 0x10

# Incoming FireWall Rules
/sbin/ipchains -N eth1-in
/sbin/ipchains -N eth0-in
/sbin/ipchains -A input -i eth0 -j eth0-in
/sbin/ipchains -A input -i eth1 -j eth1-in
# log (-l) and reject inbound telnet on both interfaces
/sbin/ipchains -A eth0-in -l -p TCP -s 0/0 -d 0/0 23 -j REJECT
/sbin/ipchains -A eth1-in -l -p TCP -s 0/0 -d 0/0 23 -j REJECT

Then you can do different rules based on the name of the interface, and
it helps (at least for me) keep the rules straight.

Hope this maybe gives you an inkling of an idea, anyhow......
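The ruleset below is an added example, not code from Matthew's or Stephen's mail, that puts the suggestion above into a complete ipchains script: default-deny in the output chain of a dedicated MASQ router, with the LAN still masqueraded out. One thing to check before relying on a plain "-s <internal ip>" accept in the output chain: masquerading happens in the forward chain, so by the time a LAN packet reaches the output chain its source address has already been rewritten to the router's own, and a match on the internal address never fires. What still distinguishes masqueraded packets from the router's own is the source port, since 2.2 masquerading allocates from its own port range. The interface names, the LAN prefix, the masq port range (61000:65095, the kernel 2.2 default) and the helper functions are all assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original post: an ipchains ruleset for a
# dedicated masquerading router that blocks connections the router itself
# originates while still passing masqueraded LAN traffic.
# Interface names, the LAN prefix and the masq port range are assumptions.

EXT_IF=eth1                # assumed: interface facing the outside world
INT_IF=eth0                # assumed: interface facing the masqueraded LAN
INT_NET=192.168.1.0/24     # assumed: the masqueraded LAN
MASQ_PORTS=61000:65095     # assumed: kernel 2.2 default masquerade port range
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Run one ipchains command, or just print it when DRY_RUN=1 so the ruleset
# can be reviewed on a machine that has no ipchains at all.
run_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

router_rules() {
    # Start from a clean slate: flush every chain, drop user-defined ones,
    # and deny by default in forward and output. Input filtering is not
    # shown here; the policy stays ACCEPT as in the rules quoted in the post.
    run_rule -F
    run_rule -X
    run_rule -P input ACCEPT
    run_rule -P forward DENY
    run_rule -P output DENY

    # Masquerade the LAN out of the external interface. In the forward
    # chain -i names the interface the packet will leave on.
    run_rule -A forward -s "$INT_NET" -i "$EXT_IF" -j MASQ

    # The router must still talk to itself and to the LAN side (admin
    # sessions from inside, and de-masqueraded replies heading back in).
    run_rule -A output -i lo -j ACCEPT
    run_rule -A output -i "$INT_IF" -j ACCEPT

    # Per-interface chain for the outside, in the style of the post.
    run_rule -N "$EXT_IF-out"
    run_rule -A output -i "$EXT_IF" -j "$EXT_IF-out"

    # Masqueraded packets reach the output chain after rewriting, so their
    # source address is the router's own and a "-s <lan>" match never hits.
    # What still tells them apart is the source port: 2.2 masquerading
    # allocates from $MASQ_PORTS, which ordinary local sockets never get as
    # an ephemeral port (assumption: default local port range).
    run_rule -A "$EXT_IF-out" -p tcp -s 0/0 "$MASQ_PORTS" -j ACCEPT
    run_rule -A "$EXT_IF-out" -p udp -s 0/0 "$MASQ_PORTS" -j ACCEPT

    # Masqueraded ping carries no port, so LAN echo requests need their own
    # rule. Trade-off: this also lets the router itself ping out; drop the
    # line if a ping from the router should count as suspicious.
    run_rule -A "$EXT_IF-out" -p icmp -s 0/0 echo-request -j ACCEPT

    # Everything else leaving the outside interface was generated on the
    # router: log it (-l) and drop it. A hit here is exactly the
    # "I have been compromised" indicator the post is after.
    run_rule -A "$EXT_IF-out" -l -j DENY
}

# Print the ruleset by default; set APPLY=1 to load it for real.
if [ "${APPLY:-0}" = 1 ]; then DRY_RUN=0; else DRY_RUN=1; fi
router_rules
```

Running the script with no variables set only prints the ipchains commands, which is the easiest way to review the rule order before loading them with APPLY=1. The logging rule sits last on purpose: anything it matches left the outside interface without a masquerade port, so the log line points straight at a process on the router rather than at a LAN host.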

