IPCop + IPTables + Green + Blue

  1. #1
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    Question IPCop + IPTables + Green + Blue

    Hello everybody,

    I'm setting up an IPCop firewall for this company I know in my free time.
    Now everything works fine, except for the link between the Green(lan) and blue(Wifi).

    Setup:

    Firewall:
    - Old box with enough ram for IPCop
    - 3 NICs in the IPCop box: 1 for "RED" (external, eth2), 1 for "GREEN" (LAN, eth0) and 1 for "BLUE" (Wifi, eth1).

    LAN:
    - Windows XP clients
    - Windows 2003 Servers and DC
    - AD

    WiFi:
    - Access Point
    - WPA encryption

    I got everything working and communicating with the internet, including the Wifi, so that's not the problem. The problem now is, this company wants the wireless users to be able to authenticate to the AD DC, receive DHCP from their DHCP server, be able to access the shares on the file server etc...

    Now I advised them to use the VPN (roadwarrior) feature to connect to their LAN (GREEN), but they thought it to be too difficult to administer once my job had finished.

    So the tedious task of shooting DMZ holes in the firewall between BLUE and GREEN began.
    Thank god that IPCop now has the possibility to add entire NET's instead of having to add every single address of BLUE.

    I made DHCP work (port 68), made LDAP work (port 389), DNS works (port 53), etc...

    Ok, so what is the problem then, you ask?

    For optimal communication between a client (winXP) and the AD DC I need ICMP to work between BLUE and GREEN, because Windows must be able to check if the link is slow etc...

    So because this can't be done via a port, I need to adjust the IPTables I guess ... This is where my knowledge stops a bit ...I've been reading up on it (the AO tutorial here and the internet page here ) but I need to find a solution quick ... Now I just need to know how to go about this and if I'm on the right track...

    Do I add IPTables in the rc.local file on IPCop like this:

    Code:
        $IPT -A CUSTOMINPUT -i $BLUE_DEV -p icmp --icmp-type 0 -j ACCEPT

    Is this the correct syntax to allow echo reply (0) from GREEN (eth0) to BLUE (eth1) (ping from blue to green)? Do I need to add more than just echo reply for this setup to work? What else can you recommend as ports to be open? Is it "safe" to open port 445 (in retrospect I know it isn't, but I'm not sure if Windows needs it at this point, need to check that)?

    Or is there a total other way to go about this ???

    And they thought VPN was difficult

    Any info I missed, don't hesitate to ask.

    Many thanks in advance for any help.

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    This is just my take on it... but I'd scrap firewalling between "green" and "blue" and just leave them open to each other.. In the future as they expand and start running various servers and services they'll just run into problems and if VPN was too difficult once you left, then so will this...

    Instead I'd set up wireless at the center of the building (limit the bleed at the perimeter) and then I'd restrict it to the MAC addresses of their wireless clients. It's a lot easier to leave them with detailed instructions on obtaining the MAC address of a new computer and adding it to the AP than it is to document how to modify IPCop to allow future expansions between the two networks..

    Have you taken into account things like

    Network File Sharing
    Network Printing (Is it a Windows machine running a print server or does the printer have its own print server... did you make allowances for this)
    Exchange and IIS (assuming here... they could quite easily not be running this)
    Remote Desktop
    I dunno the nature of the company but SQL Server or possible future SQL server

    That's what I'd do anyways... just open the path of communication between the two and limit access to the WiFi.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Hey HTRegz,

    Thanks for the quick reply.

    I would open up the communication between the two networks (they are on a different subnet though) but this would also have to be done in the "heart" of the firewall or maybe even the IPtables I don't know ...there isn't a feature to enable/disable the firewall between these two networks (1 minor point for IPCop) in the admin webpage.

    I have taken into account File sharing, IIS (although I think I need to open up more ports), Remote Desktop.

    Haven't yet done SQL, Network printing and other small stuff ...oh and what about WSUS also ...man it would be easier to open up the communication between the two, meaning no firewall ...do you or anybody know how to do this ??

    The wireless is already secured with MAC address filtering, no broadcast SSID and WPA, so it's pretty secure.

    Thanks again for the input ... Didn't think of that in my post ... disable the firewall :P

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OK.. I disagree with HT here... I don't know what value the data etc. is to this company but having the wireless open to the trusted network is not good practice. Nor is it good practice to open up so many ports from the DMZ to the trusted... Right now, if someone gets onto the WAP they can begin querying away at your AD which would be a major information leak.

    To be honest you're better off opening port 3389 from DMZ to trusted and sticking a Terminal Services server in the trusted and have them RDP/Terminal Services in from the DMZ. Then you have a single hole that requires authentication and secondary encryption going on.... It's relatively easy to manage - setting up the user's desktops on the Term Server is the biggest pain but that is usually only a couple of minutes for the basic apps they would use.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Tiger Shark...

    Interesting approach .... But I'm afraid it will not be the thing this company wants ...they want complete access from the wireless to the AD (lan) side ...I know it's not safe ...But the customer in this case is king ...I advised against it as well ...hence the VPN and all ... So ... I don't know ... I'll have them write a waiver though ... in case they get "hacked" ...don't want to be held responsible for it.

    Thanks for the input though ...It's very interesting ... I might use it somewhere else...where they are less difficult

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  6. #6
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Is this the correct syntax to allow echo (0) reply from GREEN (eth0) to BLUE (eth1) (ping from blue to green) ,
    Well, I for one don't like it, ... no, .. I just don't like it.

    I don't know about manually adding rules to IPTables rules that have been created with software like this: you may wind up in trouble.
    Like, where did you insert this rule ? ( to check, iptables --list --line-numbers -n -v will list the rules in order )
    Then, what happens if someone down the road uses the software again to make some changes? Will it still be inserted in the same place?

    Or, when will this rule be inserted by the system? Before or after the program IPcop starts?

    Anyway, lets look at what you have:

    $IPT -- nice for a script .. is linux going to understand what you mean outside of that script? ( I don't know )

    CUSTOMINPUT .. this is an IPCop chain? What does it do and where is it referenced from ? ( FORWARD table I hope ? ) The -A would add this rule to the end of the CUSTOMINPUT chain.

    $BLUE_DEV .. I assume this is an alias in the script for eth1 ?

    -i $BLUE_DEV .. packets coming in eth1 , which I don't think is what you want

    IF you are going to use something like this, why not something like:

    iptables -A CUSTOMINPUT -i eth0 -o eth1 -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT


    That would give an output ( in the CUSTOMINPUT chain ) of:

    num pkts bytes target prot opt in   out  source    destination
    ?   0    0     ACCEPT icmp --  eth0 eth1 0.0.0.0/0 0.0.0.0/0   icmp type 0 state RELATED,ESTABLISHED

    Using the same thought as above, this would allow icmp packets in eth0 ( green ) then out to eth1 ( blue ) of type 0 that are established or related to already existing communication. Remember, it will put that rule at the end of CUSTOMINPUT chain.

    Would that work ? ( that is for reply only, which is what you asked. I assume you already allow an echo request through? )

    Doesn't IPcop have a way to insert a custom rule?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
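An added example, not from the thread or from IPCop: a small Python checker for the `iptables --list --line-numbers -n -v` output IKnowNot suggests consulting. It parses the listing into rules and flags ICMP ACCEPT rules that are wider than the intended pair (echo-request in from BLUE, tracked echo-reply back out to BLUE), reporting the rule number so you can see where in the chain each one landed. The listing is constructed, and eth0 = GREEN, eth1 = BLUE are assumed as in the thread.

```python
import re

# Constructed sample (not captured from a real IPCop box) in the layout of
# `iptables -L CUSTOMINPUT -n -v --line-numbers`; eth0 = GREEN, eth1 = BLUE
# as in the thread. Rule 3 is a stateless copy of rule 2, rule 4 lets any
# ICMP type in from BLUE.
SAMPLE_LISTING = """\
Chain CUSTOMINPUT (1 references)
num   pkts bytes target prot opt in   out  source     destination
1        0     0 ACCEPT icmp --  eth1 eth0 0.0.0.0/0  0.0.0.0/0  icmp type 8
2        0     0 ACCEPT icmp --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  icmp type 0 state RELATED,ESTABLISHED
3        0     0 ACCEPT icmp --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  icmp type 0
4        0     0 ACCEPT icmp --  eth1 eth0 0.0.0.0/0  0.0.0.0/0
"""

FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt",
          "in", "out", "source", "destination")


def parse_listing(text):
    """Return one dict per numbered rule; trailing match text goes in 'extra'."""
    rules = []
    for line in text.splitlines():
        if not line[:1].isdigit():
            continue  # chain header and column header carry no rule
        parts = line.split(None, len(FIELDS))
        rule = dict(zip(FIELDS, parts))
        rule["extra"] = parts[len(FIELDS)].strip() if len(parts) > len(FIELDS) else ""
        rules.append(rule)
    return rules


def audit_icmp_rules(rules, green="eth0", blue="eth1"):
    """Flag (rule number, reason) for ICMP ACCEPT rules wider than
    'echo-request in from BLUE, tracked replies back out to BLUE'."""
    findings = []
    for r in rules:
        if r["prot"] != "icmp" or r["target"] != "ACCEPT":
            continue
        m = re.search(r"icmp\s?type (\d+)", r["extra"])  # old and new spellings
        icmp_type = int(m.group(1)) if m else None
        stateful = re.search(r"\b(ct)?state\b", r["extra"]) is not None
        num = int(r["num"])
        if r["in"] == green and r["out"] == blue and not stateful:
            findings.append((num, "GREEN->BLUE ICMP accepted without a state match"))
        if r["in"] == blue and icmp_type is None:
            findings.append((num, "any ICMP type accepted from BLUE"))
        elif r["in"] == blue and icmp_type != 8:
            findings.append((num, "non-echo-request ICMP accepted from BLUE"))
    return findings
```

Feed it the real listing (for example `iptables -L CUSTOMINPUT -n -v --line-numbers` piped to a file) and compare the flagged rule numbers against what the web interface shows.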

  7. #7
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Tiger Shark
    OK.. I disagree with HT here... I don't know what value the data etc. is to this company but having the wireless open to the trusted network is not good practice. Nor is it good practice to open up so many ports from the DMZ to the trusted... Right now, if someone gets onto the WAP they can begin querying away at your AD which would be a major information leak.

    To be honest you're better off opening port 3389 from DMZ to trusted and sticking a Terminal Services server in the trusted and have them RDP/Terminal Services in from the DMZ. Then you have a single hole that requires authentication and secondary encryption going on.... It's relatively easy to manage - setting up the user's desktops on the Term Server is the biggest pain but that is usually only a couple of minutes for the basic apps they would use.
    Hey Tiger,

    I think I know part of the reason that we disagree... I don't see this setup as having a DMZ. The LAN is obviously a local trusted network... but I consider wireless (properly secured) to also be a locally trusted network. I see the firewall as segregating the internal network from the external network without providing any real benefits that I can see...

    Then again... I also feel that IPCop might be a little overkill in this scenario... and that any somewhat high-end home "router" would accomplish the task more effectively.

    Cemetric: Was there a reason for IPCop? Is there a reason why a Linksys (or for a little more a Cisco) home router solution isn't being used... If there's no clear segmentation inside the network is there a purpose for it on the perimeter?

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    IKnowNot,

    Thank you for this extensive answer ..I can work with what you provided ...

    To answer your questions:

    IPCOP has an rc.local file in the /etc/rc.d/ directory ... this file is used to add custom rule that get loaded at the start of the firewall ...or so I think I've read somewhere (need to verify) ...

    You are correct in assuming that I can send a ping from green to blue (if that is what you mean) ...but I also need to be able to ping from blue to green and get a reply (maybe this part wasn't clear enough ?)

    The naming scheme of the IPTABLE is taken from the forums regarding smoothwall and IPCOP ... as well as some other places on the internet.

    Thanks again for your help ...I'll try the rule out ...in some way or another

    Cemetric: Was there a reason for IPCop? Is there a reason why a Linksys (or for a little more a Cisco) home router solution isn't being used... If there's no clear segmentation inside the network is there a purpose for it on the perimeter?
    Same question came to my mind when I heard they wanted this setup ... the reason being (this is the version they told me) is ... They needed a good firewall with very good logging (check), they wanted to somehow see the websites being visited (check), they wanted something like IDS (check) ... and it had to be cheap (check) ... and last but not least ...the "admin" (in the broadest sense) is a total g33k

    That's it basically ... The only problem was ...they are way over their heads configuring it ...they never worked with Linux ...let alone a firewall or anything ...

    Anyway ... I'm going to figure it out sooner or later ... I'm thinking about just placing the wireless on the GREEN network ... then they can work like before ...then again ...hmmmm

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    IPCOP has an rc.local file in the /etc/rc.d/ directory ..
    It is a Linux/Unix file, not specific to IPCOP.
    And yes, maybe. ( for example, SUSE doesn’t have this file ... they have another by another name and in another directory that works the same though. )

    These files are supposed to run after all the other init scripts, so it should work if the program is started through init.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  10. #10
    Junior Member
    Join Date
    Mar 2006
    Posts
    1

    This is not a response, it is a question.

    How can I get my computer set up so that it is completely untraceable? I have read some here about ghosting, that may or may not be what I am looking for. I want my computer to not register its IP at any site I visit nor be accessible to any other person, whether they are private or governmental.

    Is it illegal to be invisible? Is freedom truly a myth? Perhaps, as one person said, the only way to truly be invisible is to unplug your computer and turn it off. If this is the case, I still appreciate any info you can give. Also about the most efficient way to clean a system registry...delete old traces of useless junk.

    If this sort of thing is illegal, then don't worry about it.
