Installing & Configuring IPFilter and TCP Wrappers
Alan Neville
Aug 10, 2001

  • What is IPFilter?
  • IPFilter (IPF) is a software package that provides network address translation (NAT) and/or packet-filtering firewall services. IPF can be used either as a loadable kernel module or compiled into your Unix kernel; using a loadable kernel module is recommended where possible. Scripts are provided to install and patch system files as required.

  • IP Filters
  • Installing IPF is pretty easy and straightforward if you follow the documentation on the website, except that the config files are hidden in a rather odd directory, /etc/opt/ipf. I like to link these files into /etc:

    cd /etc
    ln -s /etc/opt/ipf/ipf.conf
    ln -s /etc/opt/ipf/ipnat.conf

    NOTE: Remember that the ipf.conf in /usr/kernel/drv is the configuration data for the module loader and not the IPFilter rule set. Also, place all NAT rules in ipnat.conf, not ipf.conf.

    If you wish to enable IPF logging (and I would recommend that you do, since logs are very handy for tracking down errors and the like), edit /etc/rc2.d/S65ipfboot and remove the "#" from the line:

    # ipmon -n &

    This makes ipmon run and report everything it sees to syslog. To have syslog actually record those messages, you also need to edit /etc/syslog.conf on the relevant syslog host and add the line:

    local0.debug /var/adm/messages

    This writes every packet that ipmon reports to /var/adm/messages. You may need to tune this if you get a lot of traffic through your firewall; otherwise your log files will become huge.

    NOTE: Eric "Loki" Hines has recently written a very nice paper on setting up a secure remote logging server, which would be perfect here. I personally love to do this, since it always gives you another "untouched" copy of your logs. Also, if you think your system has been compromised, you can check your logs against the logging server to see whether whoever compromised your system and/or network has edited anything they didn't want you to know about.

  • Configuring /etc/opt/ipf/ipf.conf
  • Unix/Linux systems offer a lot of different services to the world around them. Sometimes hackers or script-kiddies can compromise these services and gain root on that system or network. This brings to mind the word 'security', which is one of the most important aspects of computing nowadays. For a reference for newbies on securing a Linux box, check out my last paper, Locking Down Linux Mandrake. Even if you don't run Linux, it's still a good read, because it will give you a basic idea of what to look out for security-wise.

    Now, most ISPs already provide packet filtering that stops all incoming connections to their dialup systems; if this is the case, all you have to do is leave ipf.conf empty. If you have to set up your own packet filtering, I would think you would want to allow all outgoing connections and block any incoming ones. All you have to do is write a set of IP Filter rules for just that. Here is an example ipf.conf:

    #
    #
    # --------------------------------------------------------------
    # Nasty Packets:
    # Block any packets which are too short to be real.
    block in log quick all with short
    # Block any packets with source routing set
    block in log quick all with opt lsrr
    block in log quick all with opt ssrr
    #
    # --------------------------------------------------------------
    # Private Network:
    # Allow traffic on le0 and lo0 to pass unimpeded
    pass in on le0 all
    pass out on le0 all
    pass in on lo0 all
    pass out on lo0 all
    #
    # --------------------------------------------------------------
    # Public Network (dp0):
    # That which is not explicitly allowed is forbidden
    block in log on dp0 all
    block out log on dp0 all
    #
    # Invalid Internet packets
    # Deny reserved addresses
    block in log quick on dp0 from 10.0.0.0/8 to any
    block in log quick on dp0 from 192.168.0.0/16 to any
    block in log quick on dp0 from 172.16.0.0/12 to any
    #
    # ICMP Protocols
    # Allow pings out
    pass out log on dp0 proto icmp all keep state
    #
    # TCP/UDP Protocols
    # Allow TCP/UDP requests to go out and keep the results
    # flowing back in.
    pass out log on dp0 proto tcp/udp from any to any keep state
    # Allow FTP data channel back in
    pass in quick on dp0 proto tcp from any to any port = ftp-data keep state
    pass in quick on dp0 proto tcp from any port = ftp-data to any port > 1023 keep state
    #
    # Reset/Error for TCP/UDP services, send back TCP-Reset or
    # Network unreachable to attempts to initiate connections.
    block return-rst in log on dp0 proto tcp from any to any flags S/SA
    block return-icmp(net-unr) in log on dp0 proto udp from any to any
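    As an added example (not part of the original paper), here is a small Python model of how IPFilter walks a rule set like the one above: the last matching rule wins unless a matching rule carries quick, and keep state lets replies to an allowed outbound flow back in without consulting the rules again. That is why "block out log on dp0 all" does not stop outbound traffic: the later "pass out ... keep state" rule overrides it. The model covers only a subset of the syntax (direction, interface, protocol, addresses, with short, quick, keep state), ignores ports and TCP flags, and uses a constructed subset of the rules.

```python
import ipaddress
# Constructed subset of the ipf.conf above. This toy evaluator ignores ports,
# TCP flags and logging; it models last-match-wins, "quick" and "keep state".
IPF_CONF = """
block in log quick all with short
pass in on le0 all
block in log on dp0 all
block out log on dp0 all
block in log quick on dp0 from 10.0.0.0/8 to any
block in log quick on dp0 from 192.168.0.0/16 to any
pass out log on dp0 proto tcp/udp from any to any keep state
block return-rst in log on dp0 proto tcp from any to any flags S/SA
"""

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        r = {"action": t[0], "quick": "quick" in t, "keep_state": "keep state" in line,
             "dir": t[1] if t[1] in ("in", "out") else t[2]}   # skip return-rst etc.
        for key in ("on", "proto", "from", "to", "with"):
            r[key] = t[t.index(key) + 1] if key in t else None
        rules.append(r)
    return rules

def matches(r, pkt):
    if r["dir"] != pkt["dir"] or (r["on"] and r["on"] != pkt["iface"]):
        return False
    if r["proto"] and pkt["proto"] not in r["proto"].split("/"):
        return False
    if r["with"] == "short" and not pkt.get("short", False):
        return False
    for key, field in (("from", "src"), ("to", "dst")):
        if r[key] not in (None, "any") and \
                ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(r[key]):
            return False
    return True

def decide(rules, pkt, state):
    """Return 'pass' or 'block'; state is the set of (proto, src, dst) kept flows."""
    if (pkt["proto"], pkt["dst"], pkt["src"]) in state:
        return "pass"              # reply to a kept-state flow: the rules are not walked
    winner = {"action": "pass", "keep_state": False}   # IPFilter's default: pass
    for r in rules:                # the LAST matching rule wins ...
        if matches(r, pkt):
            winner = r
            if r["quick"]:         # ... unless a matching rule says "quick"
                break
    if winner["action"] == "pass" and winner["keep_state"]:
        state.add((pkt["proto"], pkt["src"], pkt["dst"]))
    return winner["action"]
```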

  • Configuring /etc/opt/ipf/ipnat.conf
  • To begin using NAT, you will first need to create a NAT configuration file. Run the command touch /etc/opt/ipf/ipnat.conf, which creates an empty file called ipnat.conf in that location. Now all you have to do is edit the file and add your set of rules. Here is an example ipnat.conf file:

    #
    # Use the internal FTP proxy for outgoing FTP
    #
    map dp0 10.5.3.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
    #
    # Map anything going through dp0 onto
    # the dp0 address
    #
    map dp0 10.5.3.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
    map dp0 10.5.3.0/24 -> 0.0.0.0/32

    This file maps all TCP and UDP connections coming from the 10.5.3.0/24 network onto a new port with the IP address of the dp0 interface. The address of dp0 is looked up dynamically when the connection is made.

    NOTE: If you want everything to go through NAT, just change 10.5.3.0/24 to 0.0.0.0/0.
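    The following Python model is an added example, not IPFilter's own code, of what the two "map" rules above do at run time: an outbound packet from 10.5.3.0/24 leaves with whatever address dp0 holds at that moment and a public port from 40000:60000, the translation is remembered, and only a reply that matches a remembered flow is turned back into the inside address. The port-allocation strategy and the dp0 address are assumptions for illustration.

```python
import ipaddress
import itertools

# Constructed model of the "map" rules above (added example, not IPFilter code):
# outbound packets from 10.5.3.0/24 leave with dp0's current address and a port
# from 40000:60000, and the translation table turns matching replies back.
class Nat:
    def __init__(self, inside_net, portmap=(40000, 60000)):
        self.inside = ipaddress.ip_network(inside_net)
        # Real ipnat picks ports by hashing; a simple cycle is enough here.
        self.ports = itertools.cycle(range(portmap[0], portmap[1] + 1))
        self.table = {}       # (proto, public_port) -> (inside_ip, inside_port, dst)

    def outbound(self, proto, src_ip, src_port, dst, dp0_ip):
        """Rewrite an outgoing packet; dp0_ip is whatever dp0 holds right now."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return (src_ip, src_port)          # rule does not apply: unchanged
        for (p, pub_port), flow in self.table.items():
            if p == proto and flow == (src_ip, src_port, dst):
                return (dp0_ip, pub_port)      # existing flow keeps its mapping
        pub_port = next(self.ports)
        self.table[(proto, pub_port)] = (src_ip, src_port, dst)
        return (dp0_ip, pub_port)

    def inbound(self, proto, src, dst_port):
        """Packet arriving on dp0 from src=(ip, port): return the inside
        (ip, port) it maps back to, or None when no flow exists (and so the
        packet is simply not forwarded to the private network)."""
        flow = self.table.get((proto, dst_port))
        if flow is None or flow[2] != src:
            return None
        return (flow[0], flow[1])
```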

  • TCP Wrappers
  • Basically, TCP Wrappers is a package that "wraps" any daemon started from /etc/inetd.conf in order to restrict access to it. You specify who is allowed in and who is denied by adding lines to the TCP Wrappers access control files.

    You can download the TCP Wrappers package from the following link: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz Installation of TCP Wrappers is very straightforward, and it offers a choice of either replacing the daemons you wish to "wrap" or modifying the /etc/inetd.conf file. Think of this as your lucky day, because I'm going to go through step by step how to install and configure TCP Wrappers for Linux :). (yay)

    Ok, step one is to download and save the package to your system. I prefer to use the "lynx" command in Linux to download packages and save them in my home dir. Here is how I would go about unpacking the tar.gz file and installing it on my Mandrake Linux box.

  • Downloading and Installing the TCP Wrappers package
  • [quackmoo@ph33r]$ lynx ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
    [quackmoo@ph33r]$ tar -zxvf tcp_wrappers_7.6.tar.gz
    [quackmoo@ph33r]$ cd tcp_wrappers_7.6
    [quackmoo@ph33r]$ cat README | more
    [quackmoo@ph33r]$ make

    NOTE: Once you run "make", make sure to follow the instructions on the screen, as they will help you. Also, make sure you read the README before you even try to install the package.

    After you have configured your /etc/inetd.conf file, it should look pretty much like this:

    ftp stream tcp nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd in.ftpd
    telnet stream tcp nowait root /usr/local/bin/tcpd /usr/sbin/in.telnetd in.telnetd

    The above means that anyone who connects to the ftp or telnet daemon (incoming) is passed to /usr/local/bin/tcpd so the connection can be checked against the access control files; if the connection is allowed, it is passed on to the appropriate daemon.

    But first a word of warning: I myself don't run telnet anymore, since the leak of the telnetd exploit. (Check out the telnetd advisory by cert.org at the following address: http://www.cert.org/advisories/CA-2001-21.html) Script-kiddies have been going around attacking any host that runs the telnetd daemon and gaining root, for either personal gain or revenge on a sysadmin or even a friend. I would suggest that you comment out the telnet daemon in /etc/inetd.conf and get ssh installed. Also, since I'm so nice, I have decided to go through the setup of ssh in depth as well.

  • Downloading and installing SSH
  • First, download and save the ssh package into your home directory. You can download ssh from the following address: ftp.cis.fed.gov/pub/ssh/old/ssh-2.4.0.tar.gz. Once you have it saved in your home dir, or whatever directory you would like to unpack the files in, use the following example to install the package.

    [quackmoo@ph33r]$ tar -zxvf ssh-2.4.0.tar.gz
    [quackmoo@ph33r]$ cd ssh-2.4.0
    [quackmoo@ph33r]$ cat README | more
    [quackmoo@ph33r]$ su
    Password: *************
    [quackmoo@ph33r]# ./configure && make && make install
    [quackmoo@ph33r]# exit

    Now that you have ssh installed, you will want to create a public and private key pair. For this, we run ssh-keygen2, which comes with ssh-2.4.0. Just issue the command "ssh-keygen2" at the command prompt and follow the instructions on screen.

    NOTE: The following example was taken from a text file written by Markus T. Delves. Mr. Delves has also written many HOWTO files, the most famous being "Armoring FreeBSD", which has been circulating in the BSD community for some time now. Check out this excellent paper at: http://www.daemonnews.org/200102/armoring.html Even if you don't run BSD, or any type of Unix OS, I recommend reading his paper, as it gives you a great idea of what to look out for in BSD, security-wise.

    [quackmoo@ph33r]$ ssh-keygen2
    1 oOo.oOo.oKey generated.
    1024-bit dsa, ph33r@quackmoo, Thu Aug 10 2001 01:47:15
    Passphrase : **********
    Again : **********
    Private key saved to /home/ph33r/.ssh2/id_dsa_1024_a
    Public key saved to /home/ph33r/.ssh2/id_dsa_1024_a.pub

    Once the DSA keys are generated you will want to create an identification file for yourself.

    [quackmoo@ph33r]$ cd ~/.ssh2
    [quackmoo@ph33r]$ echo "IdKey id_dsa_1024_a" > identification

    Next, copy your public key to your remote host and put it in the ~/.ssh2 directory there. Call it anything you wish; for example, I called mine quack.pub.

    [meow@ph33r]$ mv ../id_dsa_1024_a.pub quack.pub

    Next, you'll need to create an authorization file on your remote host so that the remote host knows which keys it may accept when you log in.

    [meow@ph33r]$ echo "Key quack.pub" >> authorization

    Next, you will want to test it all out, so get back on your local system and try logging in to the remote host on which you set up the authorization file. It should look something like this:

    [quackmoo@ph33r]$ ssh2 -l ph33r oink.example.com
    Passphrase for key "/home/ph33r/.ssh2/id_dsa_1024_a" with comment "1024-bit dsa, ph33r@isiclabs.org, Thu Aug 10 2001 02:19:12":

    Enter your passphrase, and you're done.

    The example above is exactly what I did to get ssh-2.4.0 fully installed and running on my Linux box. To use ssh, you can just use the ssh or ssh2 command at your prompt. Here is a quick example of how to use ssh2 and sftp.

    [quackmoo@ph33r]$ ssh2 -l ph33r oink.example.com

    or, to use the ssh command instead, just replace "ssh2" with "ssh". Also, sftp is included in the package and is just as handy: it replaces ftp and is another tool I use instead of ftp. To use it, just issue "sftp" at the command prompt.

    [quackmoo@ph33r]$ sftp -l ph33r meow.example.com

    Once logged in to your sftp account on the remote host, don't worry about the commands: if you know how to use ftp, the commands are pretty much the same.

  • Configuring TCP Wrappers
  • Ok, now that you have both TCP Wrappers and ssh installed on your local system, let's get on to configuring TCP Wrappers to allow and deny connections. First, let's deny all incoming connections to your system so that only certain users can log in.

    [quackmoo@ph33r]$ su
    Password: ***********
    [quackmoo@ph33r]# pico /etc/hosts.deny

    You can use any editor for this, be it vi, emacs or pico; anything's good :). Next, add the following line so that /etc/hosts.deny looks like this:

    ALL : ALL

    This is known as a "catch-all", since it catches all incoming connections and blocks them. Next, you want to specify which connections are allowed in. Pick your favorite text editor and edit /etc/hosts.allow.

    Here is a typical example for the use of TCP Wrappers:

    So you're very paranoid about security (who isn't these days?) and you just got TCP Wrappers installed along with ssh. Your friend, who has an account on your system that he uses from home, is going away for the weekend and staying at his aunt's house while his parents are away on holiday. All you have to do is ask your friend, once he arrives at his aunt's house, to get her static IP address and email it over to you. Next, edit the /etc/hosts.allow file and add the following line to allow his aunt's home computer to connect to your system so that he can log in.

    ALL : 194.145.128.14

    This means that you are allowing all connections from the address 194.145.128.14, which is exactly what you want so that your friend can log in from his aunt's computer. Remember to keep an eye on your logs, as they can provide crucial information on who is logging in and out of your system.
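    As an added example (not from the paper or the tcp_wrappers package), here is a Python model of how tcpd decides on a connection: hosts.allow is consulted first, then hosts.deny, and access is granted if neither file matches. It reproduces the article's "ALL : ALL" / "ALL : 194.145.128.14" pair and also shows a tighter hosts.allow that lets the aunt's address reach only sshd and ftp, plus a LAN prefix with an EXCEPT; the addresses, daemon names and client host names are constructed.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny following the article's example, plus a
# tightened variant. The evaluator is an added model of tcpd's decision order:
# hosts.allow first, then hosts.deny, and access granted if neither matches.
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = """
# the friend's aunt's static address may reach sshd and ftp, nothing else
sshd in.ftpd : 194.145.128.14
# the home LAN may use everything, except one box we do not trust
ALL : 10.5.3. EXCEPT 10.5.3.99
"""

def host_matches(pattern, client_ip, client_host):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # "10.5.3." is a network prefix
        return client_ip.startswith(pattern)
    if pattern.startswith("."):         # ".example.com" is a domain suffix
        return client_host.endswith(pattern)
    if "/" in pattern:                  # "net/mask" form
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern in (client_ip, client_host)

def list_matches(lst, item_matches):
    # "a b EXCEPT c": matched by the left list and not by the right one
    left, _, right = lst.partition(" EXCEPT ")
    return any(item_matches(p) for p in left.split()) and \
        not any(item_matches(p) for p in right.split())

def file_matches(text, daemon, client_ip, client_host):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")[:2]]
        if list_matches(daemons, lambda p: p in ("ALL", daemon)) and \
           list_matches(clients, lambda p: host_matches(p, client_ip, client_host)):
            return True
    return False

def tcpd_allows(daemon, client_ip, client_host="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True when tcpd would hand the connection on to the daemon."""
    if file_matches(allow, daemon, client_ip, client_host):
        return True
    return not file_matches(deny, daemon, client_ip, client_host)
```

    Only daemons that inetd actually starts through tcpd (as in the inetd.conf lines above) are subject to these files; a daemon started any other way is not covered.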

  • Conclusion
  • Within this paper you should have learned how to set up, install and configure TCP Wrappers, IP Filter and ssh for remote administration. These tools are very handy in the world of Linux; I myself use them almost every day. I have also noticed that in some newer versions of RedHat Linux (7.x) they have made ipfilter standard, which I think is great. Remember, computers are hard, but with time you learn to love them ;).

  • Author's bio
  • Alan Neville claims to be nothing more than simply a computer geek. He has only been interested in computers over the last 2 years, and in those 2 years has been introduced to the cyber world known only as 'The Internet'. While trying to keep a grasp on what is happening in the security world, he struggles to meet the standards in school and hold up his personal life. He enjoys experimenting with computers in his room late at night and loves having conversations with anyone halfway across the world ;). He can be contacted at ph33r@isiclabs.org for any questions or suggestions you may have on this paper.

    Alan Neville
    ph33r@fatelabs.com