A few questions about using rc.firewall.iptables
We have a firewall (Debian Linux sid, kernel 2.4.0, iptables 1.2) between our net and Internet. To configure iptables I use http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.
I had to change the original script so that it matched our environment:
Firewall is connected to the Internet via leased line (PPP), and to the private network via 100 MB Ethernet.
The private network consists of 7 subnetworks: 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 172.25.0.0/16, 172.26.0.0/16, 172.27.0.0/16, 172.28.0.0/16
We have a domain of our own. DNS and Sendmail are running on the firewall.
Some users (not everyone) are allowed to send/receive E-mail to/from the Internet and are not allowed to connect to any other Internet resources.
Some users (not everyone) are allowed to connect to any Internet resources (E-mail included).
I made the following changes to the script:
#!/bin/sh
##################################################################
#
## rc.firewall.iptables -- Version 1.1b
#
##################################################################
## Obsid@sentry.net
## http://www.sentry.net/~obsid/
## 10/20/00
## Example IPTables 1.1.2 script for a dual homed firewall.
## Please feel free to send me any comments or suggestions.
## Visit one of the NetFilter Project Home Pages for more information about IPTables.
## http://netfilter.kernelnotes.org/
[...]
## Variables
IPTABLES="/usr/sbin/iptables"
INTERNAL="eth0" # Internal Interface
EXTERNAL="ppp0" # External Interface
LOOPBACK="lo" # Loopback Interface
INTERNAL_NET="172.16.0.0/12"
ANY_ALLOWED="<IP-addresses of users allowed to connect to any Internet resources>"
MAIL_ALLOWED="<IP-addresses of users allowed to send/receive E-mail to/from the Internet>"
[...]
###############################################################################
## New chain for input to the internal interface
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input
## ACCEPT internal to internal traffic
#--- $IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT
for HOST in $ANY_ALLOWED $MAIL_ALLOWED; do
    $IPTABLES -A INTERNAL-input -i $INTERNAL -s $HOST -d 0/0 -j ACCEPT
done
[...]
##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##
## Source NAT allows us to "masquerade" our internal machines behind our
## firewall.
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
#--- $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP
for HOST in $ANY_ALLOWED; do
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j SNAT --to $EXT_IP
done
## Dynamic IP address ##
#--- $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
for HOST in $ANY_ALLOWED; do
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j MASQUERADE
done
[...]
## EOF
It works, I don't see any warnings in the log files, but I'd like to be sure I didn't decrease the security level by making such modifications. My questions are:
1. Is it enough (for security reasons) to modify only the INPUT chain for ANY_ALLOWED and MAIL_ALLOWED users, and the NAT table for ANY_ALLOWED users? Wouldn't it be more secure to modify the OUTPUT and FORWARD chains as well? I tried to modify the FORWARD chain, but it made no difference. Any user who passed the INPUT chain passed FORWARD as well, regardless of whether I tried to control his passing or not. Could it be because the FORWARD policy is ACCEPT?
And here is my second question.
2. In the script the default policies are:
[...]
## Set Default Policies
$IPTABLES -P INPUT DROP ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
[...]
Wouldn't it be more secure to have all of them DROP?
3. To let users send/receive E-mail to/from the Internet I added the following line to the ALLOW_EXTERNAL_PORTS chain:
[...]
## SMTP
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 25 -j ACCEPT
[...]
Shouldn't I add the same line for UDP?
4. Do I understand right that INTERNAL_NET="172.16.0.0/12" matches any network in the range 172.16.0.0/16 - 172.32.0.0/16?
Thank you, Mikhail.
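The setup the questions describe (mail-only hosts versus any-Internet hosts, DROP policies on all three built-in chains, forwarding and SNAT granted explicitly per host, SMTP as TCP only), as an added example that is neither the script from the post nor the rc.firewall.iptables script. The addresses, EXT_IP and the assumption that internal hosts use the firewall's own Sendmail and DNS are constructed; with the default IPTABLES setting the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not the script from the post: default-DROP policies on all
# three built-in chains, with FORWARD and SNAT only for ANY_ALLOWED hosts and
# INPUT to the firewall itself (SMTP, DNS) only for MAIL_ALLOWED hosts.
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied;
# set IPTABLES=/usr/sbin/iptables and run as root to load them.
IPTABLES="${IPTABLES:-echo iptables}"
INTERNAL="eth0"
EXTERNAL="ppp0"
INTERNAL_NET="172.16.0.0/12"
EXT_IP="192.0.2.1"                      # assumed external address (documentation range)
ANY_ALLOWED="172.16.1.10 172.25.1.20"   # constructed sample hosts
MAIL_ALLOWED="172.17.1.30"              # constructed sample host

build_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    # Loopback, and replies to connections that were already accepted.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The firewall's own MTA and resolver talking to the Internet (SMTP is
    # TCP only; DNS uses UDP and, for large answers and zone transfers, TCP).
    $IPTABLES -A OUTPUT -o $EXTERNAL -p tcp --dport 25 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTERNAL -p udp --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTERNAL -p tcp --dport 53 -j ACCEPT
    # Inbound mail from the Internet to the firewall's MTA: TCP only.
    $IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 25 -j ACCEPT
    # Mail-only hosts reach the firewall's SMTP and DNS; no FORWARD, no NAT.
    for HOST in $MAIL_ALLOWED; do
        $IPTABLES -A INPUT -i $INTERNAL -s $HOST -p tcp --dport 25 -j ACCEPT
        $IPTABLES -A INPUT -i $INTERNAL -s $HOST -p udp --dport 53 -j ACCEPT
    done
    # Any-Internet hosts: may talk to the firewall, are forwarded out, and
    # are source-NATed behind EXT_IP.
    for HOST in $ANY_ALLOWED; do
        $IPTABLES -A INPUT -i $INTERNAL -s $HOST -j ACCEPT
        $IPTABLES -A FORWARD -i $INTERNAL -o $EXTERNAL -s $HOST -j ACCEPT
        $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j SNAT --to $EXT_IP
    done
    # Anything else from the LAN falls through to FORWARD DROP; log it first.
    $IPTABLES -A FORWARD -i $INTERNAL -j LOG --log-prefix "FWD-DENIED: "
}

build_rules
```

Hosts that are in neither list get no INPUT, FORWARD or NAT rule at all, so they are stopped by the DROP policies rather than by anything that must be remembered per chain.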