
Re: iptables for 1 interface pc and other questions



Hi,

I have some comments for you inline.

benedict.verheyen@pandora.be wrote:
> Hello,
> 
> I'm trying to set up an iptables firewall instead of letting shorewall do it for 
> me. Shorewall works great but I'm trying to learn iptables. After having read 
> the manpages, and some tutorials, I'm going to take the plunge.
> 
> My setup is also simple: eth0 gets an IP address from my ISP via DHCP. That's it.
> What I'm trying to accomplish is rather simple: 
> * deny everything in except if it was from an existing or related connection. 
> * Also only certain services are allowed out (to work against trojans)
> These services are ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim,
> irc, www, imap, pop3, ftp (+ftpdata), ssh
> All the rest should be blocked and logged.
> 
> This is the script:
> ================================================================
> #!/bin/sh
> 
> # Set variables needed for a 1 interface system where interface eth0 gets
> # an ip from the isp (cable modem) over dhcp
> IPT=`which iptables`
> DEP=`which depmod`
> INS=`which insmod`
> EXTIF="eth0"
> LO="lo"
> 
> #Insert necessary modules
> $INS ip_tables
> $INS ip_conntrack
> $INS ip_conntrack_ftp
> $INS ip_conntrack_irc
> $INS iptable_filter
> $INS ipt_limit
> $INS ipt_state
> $INS ipt_unclean
> 
> # Dynamic IP
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> #Clearing any previous configuration
> $IPT -P INPUT DROP
> $IPT -F INPUT 
> $IPT -P OUTPUT DROP
> $IPT -F OUTPUT 
> $IPT -P FORWARD DROP
> $IPT -F FORWARD 
> $IPT -t nat -F
> $IPT -X
> $IPT -Z
> 
> ###############################################################################
> #### INPUT ####
> ###############################################################################
> #is covered by last rule? $IPT -A INPUT -p ALL -m state --state NEW,INVALID -j DROP
> $IPT -A INPUT -p ALL -m state --state ESTABLISHED, RELATED -j ACCEPT
I think you can't have a space here.                ^

You should specify the input interface (-i eth0) in these lines. Local
(127.0.0.1) packets go through the lo interface, so if you had a proxy
like junkbuster running, your requests to it would get dropped by the
line below.

> $IPT -A INPUT -p ALL --log-level info --log-prefix "INPUT: dropped packets" -j LOG
> $IPT -A INPUT -p ALL -j DROP
> 
> ###############################################################################
> #### OUTPUT ####
> ###############################################################################
> 
> ### allow outside: ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim?,
> ###                irc, www, imap, pop3, ftp (+ftpdata), ssh
> 

Same issue with lo here as in the INPUT chain. Packets destined for
127.0.0.1 go out through lo, so you might not want the same restrictions
on them as the ones going to the Internet. So these lines should have
-o eth0.

> ### all tcp ports ###
> $IPT -A OUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT       # DHCP to isp
I think dhcp is only udp, so you don't want this line.

> $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT                  # www
> $IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT                  # ssh
> $IPT -A OUTPUT -p tcp --dport 21 -j ACCEPT                  # ftp
> $IPT -A OUTPUT -p tcp --dport 110 -j ACCEPT                 # pop3
> $IPT -A OUTPUT -p tcp --dport 143 -j ACCEPT                 # imap
> $IPT -A OUTPUT -p tcp --dport 194 -j ACCEPT                 # irc
Dunno if this is an obsolete entry in /etc/services or what, but every
irc server I know runs on port 6667 or thereabouts.

> $IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT                  # smtp
> $IPT -A OUTPUT -p tcp --dport 119 -j ACCEPT                 # news
> $IPT -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # proxy isp
> $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT                  # dns
> 
> ### all udp ports ###
> $IPT -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT       # DHCP to isp
> $IPT -A OUTPUT -p udp --dport 80 -j ACCEPT                  # www
> $IPT -A OUTPUT -p udp --dport 22 -j ACCEPT                  # ssh
> $IPT -A OUTPUT -p udp --dport 21 -j ACCEPT                  # ftp
> $IPT -A OUTPUT -p udp --dport 110 -j ACCEPT                 # pop3
> $IPT -A OUTPUT -p udp --dport 143 -j ACCEPT                 # imap
> $IPT -A OUTPUT -p udp --dport 194 -j ACCEPT                 # irc
> $IPT -A OUTPUT -p udp --dport 25 -j ACCEPT                  # smtp
> $IPT -A OUTPUT -p udp --dport 119 -j ACCEPT                 # news
Except for dhcp, these services all run on tcp only, so no need for
the rest of the above lines.

> $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT                  # dns
> 
> ### all icmp ###
> $IPT -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
> $IPT -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
> $IPT -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
> $IPT -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
> 
> ### log all the rest ###
> $IPT -A OUTPUT -p ALL --log-level info --log-prefix "OUTPUT: dropped packets" -j LOG
> $IPT -A OUTPUT -p ALL -j DROP
> 
> ###############################################################################
> #### FORWARD ####
> ###############################################################################
> 
> ### i found these in a tutorial somewhere. are these handy or not of use in a
> ### 1 interface environment
> 
> # Syn-flood protection: 
> # $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> 
> # Furtive port scanner: 
> # $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> 
> # Ping of death: 
> # $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> 
> ### log all the rest (i shouldn't get packets here?) ###
> $IPT -A FORWARD -p ALL --log-level info --log-prefix "FORWARD: dropped packets" -j LOG
> $IPT -A FORWARD -p ALL -j DROP

The packet-filtering HOWTO says that if you have forwarding turned off,
packets that want to be forwarded will just be dropped. So I don't think
you need rules in FORWARD for a single machine.

> ================================================================
> Is this setup workable and safe? What should I add?
> Do I need to add a rule to explicitly deny addresses on eth0 that are RFC 1918 
> or is this already covered by the rules I specified? (I think so)

Yeah, they'll get logged and dropped by your rules.

> Also, do I need to add rules for ping of death in my input chain? Or is this 
> supposed to be added in the forward chain?

If you did have them, they would go in INPUT. However, you already log
and drop them. However, a real concern is that someone could easily fill
up your logs with junk packets. You can prevent this by putting a limit
match (-m limit --limit 2/min  for example) in your LOG lines. The
problem with that is that you might miss some important packets since the
few that are getting logged are unimportant. I don't really know a
solution to this conundrum. I just log at 3/min.

> Some other questions:
> * Am I correct in assuming that on a 1 interface system as above,
> only the INPUT and OUTPUT chains are used? Or should one check the FORWARD 
> chain anyway?

Correct.

> * In a 2 interface gateway, eth0 (internet), eth1(lan):
> -> from the net, to the firewall machine and then to a host on the lan passes
>    the FORWARD chain on eth0 and the INPUT chain on eth1. Correct?

No. Packets destined for the LAN from the inet, and vice-versa, pass
through FORWARD only. Only packets destined for the firewall machine
itself go through INPUT.

Also, chains aren't "on" interfaces. If you want to know what interface a
packet is coming or going on, you have to explicitly test it with -i or
-o. For example, -i eth1 -o eth0 would match a packet being forwarded to
the internet, and vice-versa for a packet going from the internet to
your lan.

> -> from a host on the lan, to the firewall machine and then to the net passes
>    the OUTPUT chain on eth1 and the FORWARD chain on eth0. Correct?

Only packets created by the firewall machine go through OUTPUT. Look at
the HOWTOs on www.netfilter.org, they should provide some more clarity.
I also find this image useful to figure out how packets traverse
iptables, although it has the internal netfilter names instead of the
iptables names: http://open-source.arkoon.net/kernel/kernel_net.png

> If this works out, I'm going to extend this script for a 2 LAN system. My server 
> is in repair but as soon as it's repaired (probably mobo dead), I'll reinstall 
> woody there and try my hand at a similar iptables script. There eth0 will get 
> the IP address from the ISP and eth1 is the internal IP where also the DHCP 
> server is listening to serve IPs to the computers on my LAN.
> 
> Thanks,
> Benedict

Cool. Let us know if you've got more questions.

HTH,

Jason
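As an added example (not Benedict's script and not part of Jason's reply), here is the single-interface rule set reworked with the points raised in this thread: -i/-o eth0 on the Internet-facing rules with lo accepted separately, no space in ESTABLISHED,RELATED, DHCP on UDP only (with the client's ports the right way round: source port 68, destination port 67, which the original script had reversed), IRC on 6667 instead of 194, no FORWARD rules, and LOG rules rate-limited at 3/min. The `run` and `rules` functions, the DRY_RUN switch and the port list are my own assumptions; with DRY_RUN=1 (or the `show` argument) the script only prints the iptables commands, so the rule set can be reviewed without touching a live firewall.

```shell
#!/bin/sh
# Single-interface host firewall (eth0 via DHCP), reworked from the thread's
# script with the review points applied. Added example: `run`, `rules`, the
# DRY_RUN switch and the port list are assumptions, not the original script.

IPT="${IPT:-iptables}"
EXTIF="${EXTIF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"     # 1 = print the commands instead of executing them

# Print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# The complete rule set. Policies go first so that a failure part-way
# through leaves the host closed rather than open.
rules() {
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -P FORWARD DROP
    run -F
    run -X
    run -Z

    # Loopback is unrestricted: a local proxy on 127.0.0.1 must keep working.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # INPUT on eth0: only traffic belonging to connections this host opened.
    # Note: no space after the comma in the state list.
    run -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP replies come from the server's UDP port 67 to the client's port 68.
    run -A INPUT -i "$EXTIF" -p udp --sport 67 --dport 68 -j ACCEPT

    # OUTPUT on eth0: follow-up packets of tracked connections first (this
    # covers FTP data channels and ICMP replies), then the permitted services.
    run -A OUTPUT -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh ftp smtp dns www pop3 imap news isp-proxy irc (6667, not 194)
    for port in 22 21 25 53 80 110 143 119 8080 6667; do
        run -A OUTPUT -o "$EXTIF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # UDP: DNS, and the DHCP client (source 68, destination 67). The services
    # above are TCP-only, so they get no UDP rules.
    run -A OUTPUT -o "$EXTIF" -p udp --dport 53 -j ACCEPT
    run -A OUTPUT -o "$EXTIF" -p udp --sport 68 --dport 67 -j ACCEPT
    # Outgoing ping; the echo-reply is matched as ESTABLISHED on INPUT.
    run -A OUTPUT -o "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT

    # Log what is about to be dropped, rate-limited so a flood of junk
    # packets cannot fill the disk; packets past the limit are still dropped,
    # just not logged.
    run -A INPUT  -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-level info --log-prefix "INPUT-dropped:"
    run -A OUTPUT -m limit --limit 3/min --limit-burst 5 \
        -j LOG --log-level info --log-prefix "OUTPUT-dropped:"
    # The policy is already DROP; explicit rules keep per-chain drop counters.
    run -A INPUT -j DROP
    run -A OUTPUT -j DROP
}

case "${1:-}" in
    apply) rules ;;                 # load into the kernel (root required)
    show)  DRY_RUN=1 rules ;;       # print the commands for review
esac
```

Run it as `sh firewall.sh show` to read the generated rules, and `sh firewall.sh apply` as root to load them. Nothing is added to FORWARD: with ip_forward off the kernel never forwards on a single-interface host, and the DROP policy covers the chain anyway.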
