[PLUG] IPTABLES and protecting win2k boxes...

Ed Sawicki ed at alcpress.com
Wed Dec 31 12:53:01 UTC 2003


On Wed, 2003-12-31 at 12:31, none wrote:
> Does anyone know of a definitive reference to the ports 
> under Windows 2000 focused on how to program an iptables 
> masq box to block outbound packets associated with DCOM, 
> the ports abused by blaster, and other Windows specific 
> services that should not go beyond a local LAN?  Using 
> Zonealarm on an inside machine is a major pain, it seems 
> to be intended for machines with direct net connections 
> only.

Google for windows ports.


> What I'd prefer under Windows 2000 is iptables filtering.
> I'm thinking deny all packets whose destination is not local
> followed by explicit allow rules.

Yes, of course.


> Trying to put this in
> the gateway firewall seems ugly at best.

I see it as elegant and effective. It focuses security admin
at one box rather than many.


>   Figuring out how
> to allow individual users to create their own firewall for
> what can leave their machine and go through a masq gateway
> that connects to the Internet makes a lot of sense.

You must have Windows users that have more technical knowledge
than most. I don't know of any Windows environments where
this would work well.

>   The
> standard masq rule I've seen for a gateway is masq anything 
> from inside destined to a remote destination.

You need to see more secure setups.



>   Packets that 
> shouldn't go out should be stopped at the workstation that 
> is trying to send them.

I don't think this is realistic - especially with Windows.
If we could do this, we wouldn't need firewalls.


> I've got netbios requests, etc., showing up in my logs from 
> outside my network, how can I block these requests and keep 
> them out of my logs?

What makes you think they're not blocked?
With iptables, you have some control of what's sent to the logs.
If you want more control, send the stuff to a named pipe and
apply your own filter.




>   Is there something like pflogsumm
> that I can use to create and email reports of packet 
> statistics that will contain symbolic service names,
> port numbers, packet counts, and total byte counts for 
> each workstation?  With a report of everything that 
> goes out in a usable summary, it would be easier to
> catch an obscure Windows service being open and getting 
> out through one of the masq gateways.
> 
> How does one know for example that 7070:7071 is a port range 
> for Realaudio or that 2345 can be used for a custom service?  
> I know ports 0 through 1024 are privileged, but aside from 
> maintaining a standard Linux password file revealing what 
> ports are standard for some privileged services, where 
> can I get a definitive list of port 0 to port 1024 and
> the unprivileged port ranges that are connected to 
> various services?

Maybe you should attend my firewall class.




> rule (a)
> iptables -A FORWARD -i $OUT_INT_1 -o $IN_INT_1 -m state \
>          --state ESTABLISHED,RELATED,NEW -j ACCEPT
> 
> What exactly does the above rule do?
> Why is the above rule needed for masquerading?
> 
> rule (b)
> iptables -A FORWARD -m state --state NEW,ESTABLISHED \
>                     --in-interface $IN_INT -s $ip \
>                     -j bad_desti
> 
> The $bad_desti jumps to a custom chain that blocks input 
> to forbidden ip addresses.  It seems to be necessary to 
> jump to this in FORWARD instead of INPUT.  Should rule (a) 
> be rewritten as multiple rules for individual
> hosts?  Rule (a) appears to allow responses back where 
> responses to a specific host should be rejected 
> if a request to turn Internet access off to that 
> host is serviced.
> 
> rule (c)
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
>                     --in-interface $OUT_INT_1 \
>                     -s ! $INTRANET_1 -j ACCEPT
> 
> Is rule (c) meant to allow secondary etc. packets of established
> masq connections through?  Should this rule be replaced with an
> ip specific one?
> 
> Should rule (a) be replaced with an ip specific one
> if I use a CGI script to enable and disable Internet access
> for individual hosts?  I already add and delete based
> on requests from a CGI script instances of rule (b) 
> and matching instances of a similar rule to it where the 
> only difference is that $bad_desti is ACCEPT.
> 
> rule (d)
> iptables -A POSTROUTING -t nat --out-interface $OUT_INT_1 \
>                         -j MASQUERADE
> 
> Does rule (d) need any changes or do I block all packets
> that shouldn't reach this rule with FORWARD rules?
> 
> For a list of forbidden Internet addresses is it sufficient
> to only have rules that block input to them or should I block 
> input from them as well?  How about connection requests?  
> How about output?  How does MSN block certain web sites
> based on abstract content specifiers such as appropriate
> for kids, etc?  Are there databases of web site ratings
> that are trustworthy and downloadable to program iptables
> firewalls with?
> 
> Sorry about the length :-)


No problem - whoever you are.

Ed


> 
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
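A concrete version of the per-host scheme the thread is asking about, added here as an example (not the poster's rules and not Ed's): default-deny FORWARD, a custom chain holding each LAN host's outbound rules, and enable/disable functions a CGI script could call. The interface names, LAN prefix and the list of Windows service ports to keep inside the LAN are assumptions; set IPT=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Per-host outbound control on a Linux
# masquerading gateway. IPT defaults to the real iptables; IPT=echo dry-runs.
IPT="${IPT:-iptables}"
IN_INT="${IN_INT:-eth1}"                 # LAN side (assumed name)
OUT_INT="${OUT_INT:-eth0}"               # Internet side (assumed name)
INTRANET="${INTRANET:-192.168.1.0/24}"   # assumed LAN prefix
# Ports that should never leave the LAN: RPC/DCOM 135, NetBIOS 137-139, SMB 445
WIN_PORTS="135,137,138,139,445"

# Base policy: drop forwarded traffic unless a rule accepts it, let replies back
# in only for flows already accepted, decide LAN->Internet per host, NAT on exit.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -N lan_out 2>/dev/null || $IPT -F lan_out
    # Replies to flows the gateway already accepted (the thread's rule (c)).
    $IPT -A FORWARD -i "$OUT_INT" -o "$IN_INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Every packet leaving the LAN is judged in lan_out; no blanket ACCEPT here.
    $IPT -A FORWARD -i "$IN_INT" -o "$OUT_INT" -s "$INTRANET" -j lan_out
    # Whatever lan_out did not accept falls through: log (rate limited) then drop.
    $IPT -A FORWARD -i "$IN_INT" -o "$OUT_INT" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -t nat -A POSTROUTING -o "$OUT_INT" -j MASQUERADE
}

# Rules for one host: refuse the Windows service ports outbound, then permit
# the rest. The same three rules are added with -A and removed with -D, so a
# disabled host has no ACCEPT at all and its new packets hit the LOG/DROP tail.
host_rules() {   # $1 = -A or -D, $2 = host IP
    $IPT "$1" lan_out -s "$2" -p tcp -m multiport --dports "$WIN_PORTS" -j DROP
    $IPT "$1" lan_out -s "$2" -p udp -m multiport --dports "$WIN_PORTS" -j DROP
    $IPT "$1" lan_out -s "$2" -m state --state NEW,ESTABLISHED -j ACCEPT
}
enable_host()  { host_rules -A "$1"; }
disable_host() { host_rules -D "$1"; }
```

Because the ESTABLISHED,RELATED rule only admits replies from the Internet side, removing a host's ACCEPT stops that host's own packets immediately; any in-flight connection dies on its next outbound packet.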