
To: CIPE <cipe-l,AT,inka,DOT,de>
Subject: Re: Slow file sharing performance
From: James Knott <james.knott,AT,rogers,DOT,com>
Date: Mon, 01 Sep 2003 19:00:14 -0400
In-reply-to: <20030901214440.GA622@dreamcraft.com.au>
References: <3F5334D7.1000709@rogers.com> <20030901214440.GA622@dreamcraft.com.au>

Tomasz Ciolek wrote:
> On Mon, Sep 01, 2003 at 08:00:23AM -0400, James Knott wrote:
>
>> firewall rules applied to the vpn traffic.  My firewall runs IPTables on
>> Red Hat 7.3 and the firewall rules allow ICMP from the outside world.
>
> Can you post your IP tables rule-set with obscured IP addresses? I know this
> sounds pedantic, but saying I have IPtables on RH 7.3 is like saying "I have a
> firewall blah".
>
> Tomasz Ciolek


I suppose I could obscure all the 192.168.addresses. ;-)


Here it is.

#!/bin/sh
# ----------------------------------------------------------------------|
#             Here it is...MonMotha's Firewall 2.2.1!                   |
#         Once again, my crude ASCII art best viewed with pico.         |
# ----------------------------------------------------------------------|
# 2.2 RELEASE NOTES: This is the "stable" version of the 2.1 series.    |
# It works great for me, hope you like it!                              |
# ----------------------------------------------------------------------|
# COMMENTS from MonMotha, Steff, and LaptopZZ:                          |
#                                                                       |
# Please...PLEASE give me feedback on your experiences with this script |
# I would really like to know what everyone wants, what works, and      |
# about the inevitable bugs present in anything.                        |
#                                                                       |
#               Direct all feedback to: bvmopen,AT,usa,DOT,net          |
#                                               --MonMotha              |
#                                                                       |
# If you encounter problems with this script, please feel free to EMail |
# me a report on what happened.  Please include the file .config for    |
# your kernel (the kernel configuration), relevant info from syslog     |
# (check /var/log/messages) and relevant info from dmesg. With your     |
# help, I can make my next firewall even better!                        |
#                                                                       |
#               I can be reached at: bvmopen,AT,usa,DOT,net             |
#                                               --MonMotha              |
# ----------------------------------------------------------------------|
# SYSTEM REQUIREMENTS: You must have either compiled the appropriate    |
# iptables support into your 2.4 kernel or have loaded all the          |
# applicable modules BEFORE you run this script.  This script assumes   |
# that you have everything compiled into your kernel.                   |
#                                                                       |
# I'll get you a list of required kernel options as I play with the     |
# 2.4 kernel series more.                                               |
#                                                                       |
# You need iptables.  Get it at "http://netfilter.samba.org".           |
#                                                                       |
# This script was written (and partially tested) with iptables 1.2      |
# and kernel 2.4.0  in mind. This has been tested on 2.4.0.             |
#                                                                       |
# Also, this is a BASH shell script...any 2.x version of GNU BASH       |
# should work with this script.                                         |
# ----------------------------------------------------------------------|
# CHANGELOG (Since 2.2.0 only):                                         |
#       version 2.2.1: Added a check before enabling IP SynCookies      |
#       version 2.2.1-pre1: Updates for iptables 1.2                    |
#       version 2.2.0: Exactly the same as 2.1.16 with updated comments |
# ----------------------------------------------------------------------|
# USE AT YOUR OWN RISK! THIS IS WITHOUT ANY WARRANTY STATED OR IMPLIED! |
# That means NONE whatsoever, not even fitness for purpose!             |
# ----------------------------------------------------------------------|
# You NEED to set this!                                                 |
# Configuration follows:                                                |
#                                                                       |
# Notes about configuration:                                            |
# Some things take more than one option, separate with spaces.          |
# You probably don't want all the ports I have under here open, portscan|
#       yourself to find what you want open.                            |
# For SSH you need port 22 in TCP_ALLOW, and set the appropriate SSH    |
#       system(s) to "TRUE".                                            |
# If you want to use host-based identd allowing, do NOT put 113 in      |
#       TCP_ALLOW and DO set AUTH_ALLOW, if you want to NOT use         |
#       host-based identd allowing, leave AUTH_ALLOW empty and put      |
#       113 in TCP_ALLOW below. Putting 113 in TCP_ALLOW will cause a   |
#       global allow to be put in place (anyone can connect to it).     |
# DNS only needs to be set to do ZONE TRANSFERS!                        |


IPTABLES="/sbin/iptables" #set to your iptables location, must be set
DNS="" #set to your DNS server(s) that you get zones from
TCP_ALLOW="22" #TCP ports to ALLOW
UDP_ALLOW="6112 6119 4000 6969" #UDP ports to ALLOW (53 not needed, covered by DNS above)
INET_IFACE="eth0" #the interface your internet's on (one only), must be set
LAN_IFACE="eth1" #the interface(s) your LAN's on (currently unused)
USE_SSH1="FALSE" #set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="TRUE" #set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
INTERNAL_LAN="192.168.1.0/24 192.168.2.20" #the internal network(s), must be set
#AUTH_ALLOW="207.69.200.132 216.32.132.250 206.132.27.156 209.81.232.66 207.45.69.69 216.80.83.185 212.158.123.66" #IPs allowed to use the AUTH service (leave blank and put 113 in TCP_ALLOW for all)
DENY_ALL="" #internet hosts to explicitly deny from accessing your system at all
DROP="REJECT" #what to do with packets we don't want


# You shouldn't need to modify anything below here                      |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Turn on IP forwarding
echo -n "Checking IP Forwarding..."
if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "enabled."
else
        echo "support not found! This will probably cause problems!"
fi

# Enable TCP Syncookies
echo -n "Checking IP SynCookies..."
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo "enabled."
else
        echo "support not found, but that's OK."
fi

# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
#
# You'll notice I give status now :)

echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case the script hasn't been run yet
echo -n "Creating chains: "
${IPTABLES} -t filter -F INETIN > /dev/null 2>&1
${IPTABLES} -t filter -X INETIN > /dev/null 2>&1
${IPTABLES} -t filter -N INETIN
echo -n "INETIN "
${IPTABLES} -t filter -F INETOUT > /dev/null 2>&1
${IPTABLES} -t filter -X INETOUT > /dev/null 2>&1
${IPTABLES} -t filter -N INETOUT
echo -n "INETOUT "
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo


# Security
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
        ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
        ${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
        echo -n "${subnet}:ACCEPT "
done
echo

# Set up basic NAT
# I assume masquerading here, which is technically for dynamic IPs, but
# it should still work with a static. If you want to be proper, change
# it accordingly.
echo -n "Setting up NAT: "
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
echo -n "${subnet}:MASQUERADE "
done
echo


# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

# Flood security
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood protection moved to a port-based basis because of the side
#   effect that it allowed all SYN packets through regardless if they
#   compiled with the limits. SYN flood protection is still in here, see
#   the TCP_ALLOW loop for the new method

echo -n "Flood Protection: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -i ${INET_IFACE} -j ACCEPT
echo -n "ICMP-PING "
echo


# Allow the rest of the ICMP in
echo -n "Allowing ICMP in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
echo "done"

#Explicit denies
echo -n "Denying hosts: "
for host in ${DENY_ALL} ; do
        ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
        echo -n "${host}:${DROP}"
done
echo

#Start allowing stuff
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
        if [ "0$port" = "021" ]; then #Active FTP (thanks steff)
                ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
        fi
        ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} ! --syn -j ACCEPT
        ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} --syn -m limit --limit 2/s -j ACCEPT
        echo -n "${port} "
done
echo


echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
        ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j ACCEPT
        echo -n "${port} "
done
echo

echo -n "DNS Servers: "
for server in ${DNS} ; do
        ${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j ACCEPT
        echo -n "${server} "
done
echo

#SSH Rulesets
if [ "$USE_SSH1" = TRUE ]; then #SSH1
        echo -n "Accounting for SSH..."
        ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT
        echo -n "SSH1 "
fi
if [ "$USE_OPENSSH" = TRUE ] ; then #OpenSSH
        if [ "$USE_SSH1" != TRUE ] ; then #We need to echo "Accounting for SSH..."
                echo -n "Accounting for SSH..."
        fi
        ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT
        echo -n "OpenSSH "
fi
echo


#AUTH(identd) host-based allows
if [ "$AUTH_ALLOW" != "" ] ; then
        echo -n "AUTH accepts: "
        for host in ${AUTH_ALLOW} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j ACCEPT
                echo -n "${host} "
        done
        echo
fi

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"


echo -n "Setting up INET Policies: "
# Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

echo "Done loading the firewall!"
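An added diagnostic, not part of this post or of MonMotha's script, for checking whether the INETIN chain the script builds is what is interfering with the tunnel: it parses `iptables -t filter -nvL INETIN` output, lists which rules have matched packets, and reports how many packets reached the final catch-all `-j ${DROP}` rule (the sample counter output and the 203.0.113.9 host are constructed here, not captured from the poster's system).

```shell
#!/bin/sh
# Added diagnostic for the INETIN chain built by the firewall script above.
# Real use: pipe `iptables -t filter -nvL INETIN` into the two functions.

# Constructed sample of `iptables -t filter -nvL INETIN` output (not from the
# poster's box); the 203.0.113.9 line stands in for a DENY_ALL entry.
SAMPLE_INETIN='Chain INETIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   960 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5
    4   320 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8
    5   300 REJECT     all  --  *      *       203.0.113.9          0.0.0.0/0            reject-with icmp-port-unreachable
  340 27200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:!0x16/0x02
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x16/0x02 limit: avg 2/sec burst 5
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:6112
 2210 3100K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   57  4560 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# -nvL columns: pkts bytes target prot opt in out source destination [match text...]

# Print "pkts target prot match-text" for every rule that has matched at least
# one packet, so you can see which allow rule the VPN traffic actually hits.
inetin_hits() {
    awk 'NR > 2 && $1 + 0 > 0 {
        extra = ""
        for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
        printf "%s %s %s %s\n", $1, $3, $4, extra
    }'
}

# Packet count of the catch-all the script appends last (-A INETIN -j ${DROP}):
# any protocol, any source, any destination, target REJECT or DROP. A count
# that rises while the tunnel is busy means packets on INET_IFACE matched no
# allow rule; with DROP="REJECT" each one also triggers an ICMP error reply.
catchall_count() {
    awk 'NR > 2 && ($3 == "REJECT" || $3 == "DROP") && $4 == "all" &&
         $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { n = $1 }
         END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
echo "Rules with traffic:"
printf '%s\n' "$SAMPLE_INETIN" | inetin_hits
echo "Packets hitting the catch-all REJECT/DROP rule: $(printf '%s\n' "$SAMPLE_INETIN" | catchall_count)"
```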

