
A few questions about using rc.firewall.iptables



We have a firewall (Debian Linux sid, kernel 2.4.0, iptables 1.2) between our net and the Internet. To configure iptables I use http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.
I had to change the original script so that it matched our environment:
The firewall is connected to the Internet via a leased line (PPP), and to the private network via 100 MB Ethernet.
The private network consists of 7 subnetworks: 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 172.25.0.0/16, 172.26.0.0/16, 172.27.0.0/16, 172.28.0.0/16.
We have a domain of our own. DNS and Sendmail are running on the firewall.
Some users (not everyone) are allowed to send/receive E-mail to/from the Internet and are not allowed to connect to any other Internet resources.
Some users (not everyone) are allowed to connect to any Internet resources (E-mail included).

I made the following changes to the script:

#!/bin/sh
##################################################################
#
## rc.firewall.iptables -- Version 1.1b
#
##################################################################
## Obsid@sentry.net
## http://www.sentry.net/~obsid/
## 10/20/00

## Example IPTables 1.1.2 script for a dual homed firewall.
## Please feel free to send me any comments or suggestions.

## Visit one of the NetFilter Project Home Pages for more information about IPTables.
## http://netfilter.kernelnotes.org/

[...]
## Variables
IPTABLES="/usr/sbin/iptables"
INTERNAL="eth0"                 # Internal Interface
EXTERNAL="ppp0"                 # External Interface
LOOPBACK="lo"                   # Loopback Interface
INTERNAL_NET="172.16.0.0/12"
ANY_ALLOWED="<IP-addresses of users allowed to connect to any Internet resources>"
MAIL_ALLOWED="<IP-addresses of users allowed to send/receive E-mail to/from the Internet>"

[...]

###############################################################################
## New chain for input to the internal interface

        $IPTABLES -N INTERNAL-input
        $IPTABLES -F INTERNAL-input

   ## ACCEPT internal to internal traffic
#---      $IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT
        for HOST in $ANY_ALLOWED $MAIL_ALLOWED; do
                $IPTABLES -A INTERNAL-input -i $INTERNAL -s $HOST -d 0/0 -j ACCEPT
        done

[...]

##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##

  ## Source NAT allows us to "masquerade" our internal machines behind our
  ## firewall.

     ## Static IP address ##
        ## Change source address of outgoing packets on external
        ## interface to our IP address.
#---      $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP
      for HOST in $ANY_ALLOWED; do
             $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j SNAT --to $EXT_IP
      done

     ## Dynamic IP address ##
#---      $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
      for HOST in $ANY_ALLOWED; do
             $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j MASQUERADE
      done

[...]

## EOF


It works, I don't see any warnings in the log files, but I'd like to be sure I didn't decrease the security level by making such modifications. My questions are:

1 Is it enough (for security reasons) to modify only the INPUT chain for ANY_ALLOWED and MAIL_ALLOWED users, and the NAT table for ANY_ALLOWED users? Wouldn't it be more secure to modify the OUTPUT and FORWARD chains as well? I tried to modify the FORWARD chain, but it gave me nothing: any user who passed the INPUT chain passed FORWARD as well, no matter whether I tried to control his passing or not. Could it be because the FORWARD policy is ACCEPT?
And here is my 2nd question.

2 In the script the default policies are:
[...]
## Set Default Policies
$IPTABLES -P INPUT DROP         ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
[...]
Wouldn't it be more secure to have all of them DROP?

3 To let users send/receive E-mail to/from the Internet I added the following lines to the ALLOW_PORTS-EXTERNAL chain:
[...]
        ## SMTP
        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 25 -j ACCEPT
[...]
Shouldn't I add the same line for UDP?

4 Do I understand right that INTERNAL_NET="172.16.0.0/12" matches any network in the range 172.16.0.0/16 - 172.32.0.0/16?

Thank you, Mikhail.
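An added example, not part of Mikhail's post or of the rc.firewall.iptables script: a small model of how netfilter walks the INPUT, INTERNAL-input and FORWARD chains from questions 1 and 2, so the effect of the FORWARD policy on hosts outside ANY_ALLOWED/MAIL_ALLOWED can be checked offline before touching the real firewall. The two host addresses and the packet fields are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values modelled on the post; both host addresses are placeholders.
ANY_ALLOWED = ["172.16.0.10"]
MAIL_ALLOWED = ["172.17.0.20"]

@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, or the name of a user chain
    in_iface: Optional[str] = None  # -i
    src: Optional[str] = None       # -s, host or CIDR
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport

    def matches(self, pkt: dict) -> bool:
        return (self.in_iface in (None, pkt["in"])
                and (self.src is None
                     or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def verdict(chains: dict, policies: dict, chain: str, pkt: dict) -> Optional[str]:
    """First matching terminating target wins; a user chain falls through to its
    caller when nothing in it matched; the built-in policy applies at the end."""
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        sub = verdict(chains, {}, rule.target, pkt)  # user chains have no policy
        if sub is not None:
            return sub
    return policies.get(chain)

def build_ruleset(forward_policy: str):
    """Filter table as in the post: INPUT jumps to INTERNAL-input, which accepts
    only the listed hosts; FORWARD carries no per-host rule, only its policy."""
    chains = {"INPUT": [Rule("INTERNAL-input", in_iface="eth0")],
              "INTERNAL-input": [Rule("ACCEPT", in_iface="eth0", src=h)
                                 for h in ANY_ALLOWED + MAIL_ALLOWED],
              "FORWARD": []}
    policies = {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": forward_policy}
    return chains, policies

def check(forward_policy: str, chain: str, src: str) -> str:
    # Verdict for a TCP/25 packet from src arriving on eth0 and entering chain.
    chains, policies = build_ruleset(forward_policy)
    return verdict(chains, policies, chain, {"in": "eth0", "src": src, "proto": "tcp", "dport": 25})
```

With the FORWARD policy at ACCEPT, a host that is in neither list is dropped by INPUT but still forwarded, which is the behaviour observed in question 1; switching the policy to DROP forwards nothing until per-host rules are added to FORWARD as well.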
