# Let's see what is on the next door
$IPCHAINS -A input -i ppp0 -j DENY -l
Remote Port Forwarding
======================
What should I read?
-------------------
.ipmasqadm man page
Why do I want this?
-------------------
If you want to let people reach some service inside your LAN, such as a web
server or a shell box, instead of running those services on the firewall you
redirect the connection to an inside host.
Why not run the services on the firewall itself? Because running services
on the firewall exposes it, so you redirect the traffic to a host inside your
network. Right now you are probably thinking that I'm being stupid: I'm
worried about the firewall, yet I'm routing data into the network, which is
a greater risk. Well, it's time to introduce you to the concept of a DMZ.
DMZ stands for De-Militarized Zone, a fancy term that, if I'm not wrong, started being used during the Gulf War and later got ported to networking language. A DMZ is a subnet that holds the un-trusted hosts and has no contact with the trusted subnet. So from now on our LAN will have 2 subnets, both of them NATed, but one is still invisible while the other will be reachable from the Internet.
Since this is not the kind of network topology we set up at home, we are
probably talking about more than one registered Internet IP: no more dial-up,
but a set of IPs that are paid for. In that case the DMZ won't need to sit
behind masquerading and will be assigned public IPs. We will get to both
network topologies, the one where the DMZ is also masqueraded and the one
where it isn't.
Configurations
--------------
To support remote port forwarding you have to download an application
called IP masquerading additional modules administration (aka ipmasqadm),
written by Juan Ciarlante. For this application to work you have to compile
the kernel with masquerading special module support:
Network options -->
[*] IP: firewalling
[*] IP: masquerading
--- Protocol-specific masquerading support will be built as modules
[*] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules
[*] IP: masquerading special modules support
<M> IP: ipautofw masq support (EXPERIMENTAL)
<M> IP: ipportfw masq support (EXPERIMENTAL)
<M> IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
If you don't see the option IP: masquerading special modules support,
check that you have chosen to be prompted for code in development, since
this feature is still experimental. To do that, enable:
Code maturity level options -->
[*] Prompt for development and/or incomplete code/drivers
When you enable this option all the options listed above will be shown.
After compiling and rebooting into the new kernel, load just ipportfw or
all 3 modules (for what we are discussing only ipportfw is required).
Now you can simply type
root@ExampleBox: ~# ipmasqadm portfw -a -P tcp -L ppp-ip 80 -R 192.168.1.3 80
(ppp-ip being the address of your ppp0 link) and the redirection will start
working.
Security
--------
Now, as was said, running services inside your LAN can expose your LAN too
much. So it's time to start thinking about a DMZ. Check the two diagrams
below.
Example 1:

                                      ------ (eth0) ----- DMZ
                                     |                    192.168.0.0/16 network
Internet --- ppp0 --- Router/Firewall
                                     |
                                      ------ (eth1) ----- Trusted LAN
                                                          192.168.1.0/16 network
In this case our Router/Firewall will have 3 IPs: the Internet IP, the IP of the eth0 interface and the IP of the eth1 interface. As you can see, both subnets sit behind a masquerading host. The firewall will run ipmasqadm, forwarding traffic such as web service to our DMZ. This way, even if a script kiddie roots one of those boxes he is inside the DMZ, and since the trusted LAN is invisible from the DMZ (you have to deny everything from 192.168.0.0/16 to 192.168.1.0/16) the trusted LAN is not in direct risk. Of course you'll have to implement strong logging and an IDS (Intrusion Detection System) on the DMZ.
This kind of network topology is called a two-legged network.
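The rule set for Example 1 as a script, an added example that is not from the original text; it also covers the ipmasqadm command shown above. It assumes the interface names from the diagram, takes the page's /16 masks as /24 (192.168.0.0/16 and 192.168.1.0/16 describe the same network, so no rule could tell them apart), uses a constructed DMZ web host 192.168.0.3, and keeps ppp-ip as the page's placeholder for the dial-up address.

```shell
#!/bin/sh
# Added example, not code from the original text: ipchains/ipmasqadm rules
# for the "Example 1" two-legged layout. Interfaces follow the diagram; the
# page's /16 masks are taken as /24 here because 192.168.0.0/16 and
# 192.168.1.0/16 are the same network. WEB_HOST is a constructed address of
# a server living in the DMZ; ppp-ip is the page's placeholder for the
# dial-up address.
EXT_IF=ppp0
DMZ_IF=eth0; DMZ_NET=192.168.0.0/24
LAN_NET=192.168.1.0/24
WEB_HOST=192.168.0.3
EXT_IP=${EXT_IP:-ppp-ip}

# With DRY_RUN set, print each command instead of running it
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

dmz_rules() {
    run ipchains -F input
    run ipchains -F forward
    run ipchains -P forward DENY
    # The trusted LAN is invisible from the DMZ: anything arriving on eth0
    # with a LAN destination is dropped and logged before it is routed
    run ipchains -A input -i "$DMZ_IF" -s "$DMZ_NET" -d "$LAN_NET" -j DENY -l
    # Private addresses never legitimately arrive from the Internet side
    run ipchains -A input -i "$EXT_IF" -s "$DMZ_NET" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    # Both subnets are masqueraded on their way out over ppp0
    run ipchains -A forward -i "$EXT_IF" -s "$DMZ_NET" -j MASQ
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    # Public port 80 goes to the DMZ web host, never to a trusted-LAN box
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$WEB_HOST" 80
}

# "sh dmz.sh" previews the rules; "sh dmz.sh apply" executes them as root
case "${1:-preview}" in
    apply) dmz_rules ;;
    *) DRY_RUN=1; dmz_rules ;;
esac
```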
Example 2:

Internet -- ppp0 -- Router/Firewall --- DMZ with registered static IPs
                                          | (eth0)
                                    Masquerading Host
                                          | (eth1)
                                      Trusted LAN
In this case the Router/Firewall host will be a normal routing host, since
the DMZ will have static IPs registered from InterNIC. Inside this DMZ
you'll have a box running no services, which will be the Masquerading
Host; hidden behind it there will be the trusted LAN, completely
invisible to the outside as always.
Transparent Proxy
=================
Since I have actually never messed with Transparent Proxy I'll be short in
this section, still giving the main topics needed to set things up, besides squid.
What should I read?
-------------------
.Transparent Proxy Mini howto
/usr/doc and look for the mini howto directory
or http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html
What is it?
-----------
Transparent Proxy is a way of proxying connections without the client
noticing. This means that if you browse to www.yahoo.com, when this request
reaches your gateway it will be redirected to another port where a proxy
service like squid is listening. The client thinks it's exchanging data
with the remote host, but in reality it's just exchanging data with the
gateway.
How can I support it?
---------------------
To support Transparent Proxy you'll once more have to re-compile your
kernel; this time the main features to enable are:
Networking Options -->
(...)
[*] IP: firewalling
[*] IP: Transparent Proxy support
(...)
Of course you'll probably want to enable masquerading on your host too; to
know which options have to be enabled check the IP masquerade section.
Configuring
-----------
Finally, to make Transparent Proxy work you have to add a redirection
rule to ipchains, simply by giving the command:
root@ExampleBox: ~# /sbin/ipchains -A input -p TCP --dport 80 -s 192.168.0.0/24 -j REDIRECT 8080
Then you just have to configure squid. Honestly, I have never messed with it
so I really don't know what to tell you, but I've seen the squid.conf file
and it's full of information; read it and it will help with the
configuration. Also look at the transparent proxy mini howto.
NFS
===
What should I read?
-------------------
. NFS HOWTO
/usr/doc
or http://www.linuxdoc.org/HOWTO/NFS-HOWTO/index.html
. rpc.portmap man page
. rpc.mountd man page
. rpc.nfsd man page
. exports man page
What is it?
-----------
NFS stands for Network File System. Like I said in the lecture, I once
read a really simple definition of NFS, "it's like Windows file sharing but better", and indeed it's a way of sharing hard disks (totally or partially) inside a network. NFS is widely used on networks with diskless boxes, or in Beowulf clusters. Still, you can just set up NFS on your local LAN to share some files between your computers, or have a single /home directory that every box on your LAN mounts.
Is it really useful?
---------------------
Well... If you are on a small LAN like the ones we set up at home, and you
still want each box to work on its own without any essential OS part like
/var or /home mounted from a single host, it might not be really useful. If you are thinking of setting up NFS just to share some files and copy them from box to box, I tell you it's better to use FTP, for 2 main reasons: speed and security. Actually NFS is slow as hell, and security is not its best side either. I know about a couple of worms that use vulnerabilities in portmap to spread. Of course, if you start running NFS on your LAN the daemons used will be the latest ones... still, we know the code is buggy as hell.
Configuration
-------------
You have to compile your kernel with NFS support. To add it, enable the
option:
Filesystems -->
Network File Systems -->
<*> NFS filesystem support
(...)
Compile and you are ready to play with NFS.
There are 3 main files that let you configure NFS at your will:
/etc/hosts.allow
/etc/hosts.deny
/etc/exports
. hosts.allow
This file holds which IPs have access to the portmap services.
It has the syntax SERVICE : ALLOWED IPs
So in our case we would have in /etc/hosts.allow something like
rpc.portmap : 192.168.0.0/24
rpc.nfsd : 192.168.0.0/24
rpc.mountd : 192.168.0.0/24
. hosts.deny
This file holds which IPs don't have access to the portmap services. When
portmap is queried, it grabs the client IP and first checks hosts.allow: if
the IP is there it accepts; if it isn't, it checks the hosts.deny file, and
if it's there it denies; otherwise, if not listed in either file, it accepts
the connection. The syntax is the same as hosts.allow, so since we don't want
to accept any IP that is not listed in hosts.allow we can just add a single
entry to hosts.deny reading
ALL : ALL
This will deny everything that didn't match in the hosts.allow file.
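The lookup order just described, as an added example that is not part of the original text: a small evaluator run against constructed copies of hosts.allow and hosts.deny, including the case where a client is listed in neither file. It understands only the two line forms the text uses (daemon : net/prefix and ALL : ALL); the real tcp_wrappers syntax is richer.

```shell
#!/bin/sh
# Added example, not part of the original text: an evaluator for the
# hosts.allow / hosts.deny lookup order described above, run against
# constructed copies of the two files. Only the forms the text uses are
# understood ("daemon : net/prefix" and "ALL : ALL"); tcp_wrappers accepts more.
HOSTS_ALLOW='rpc.portmap : 192.168.0.0/24
rpc.nfsd : 192.168.0.0/24
rpc.mountd : 192.168.0.0/24'
HOSTS_DENY='ALL : ALL'

# Dotted quad -> 32-bit integer
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/PREFIX -> succeeds when IP lies inside the prefix
in_net() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32        # a bare address means /32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# matches FILE_CONTENT DAEMON IP -> succeeds when any line of the file matches
matches() {
    content=$1; want=$2; ip=$3
    oldifs=$IFS; IFS='
'; set -- $content; IFS=$oldifs            # one positional parameter per line
    for line in "$@"; do
        daemon=$(echo ${line%%:*}); client=$(echo ${line#*:})   # trim blanks
        [ "$daemon" = ALL ] || [ "$daemon" = "$want" ] || continue
        if [ "$client" = ALL ] || in_net "$ip" "$client"; then return 0; fi
    done
    return 1
}

# access DAEMON IP -> allow or deny, in the order the text describes:
# hosts.allow first, then hosts.deny, and accept when listed in neither
access() {
    if matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

access rpc.mountd 192.168.0.9    # allow: inside the listed /24
access rpc.mountd 10.1.2.3       # deny: only the ALL : ALL line matches
```

Clearing HOSTS_DENY and re-running access for 10.1.2.3 returns allow, which is exactly why the ALL : ALL line matters.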
. exports
Finally we have the exports file; it holds which directories can be
exported, to whom, and with what options.
The syntax of this file is:
directory IP(options)
Where options can be:
noaccess: only the directory listed will be mounted, its subdirectories won't
rw: gives read and write permission when mounted
ro: gives read-only permission when mounted
root_squash: users with UID and GID equal to 0 will be mapped
to the anonymous UID and GID
insecure: the source port can be any of the 65536
secure: the source port has to be a reserved port (<1024)
This is not by any means a complete list of options, still I think
they are the most used. For an exhaustive list of available options check the exports man page.
Security
--------
As I told you, NFS services are buggy and you are making your LAN vulnerable by using this kind of service, so make sure your firewall is blocking the portmap port (111), tcp and udp. And remember to allow just your LAN's hosts and deny all the rest in hosts.allow and hosts.deny.
As a last advice, if you don't really need NFS don't use it.
Final notes
===========
Well, this is the end; I hope you enjoyed it and learned something. Remember to set secure firewall policies and logging, and never forget to be paranoid :) If you are planning on installing Linux right now, go get tripwire; it will also help you a lot. Don't install tripwire after you have exposed your LAN to the Internet, because of the chance of compromise, which would render tripwire useless. Also, the most important thing, have fun while setting all this up. See you soon, I've got some ideas to write about.
Ghost_Rider
root@ExampleBox: ~# shutdown -h now
(...)
Power Down
Now it's time to say *PUF*
EOF