
2 nic setup for firewall machine



Hi,

A while back I posted a 1 NIC iptables script and now it's time 
for the 2 NIC iptables setup for my firewall machine :-)
My firewall machine will run sshd, courier imap, fetchmail, exim,
ddts and dhcpd. 
It should share the internet connection (cable modem) 
for the LAN via NAT and masquerading.
The firewall machine will be 192.168.0.1 (eth1) and eth0 gets an IP
from the ISP. IPs will be served to the LAN PCs on eth1.

This is what i want to do:

1. Firewall machine
===================

IN from net: allow ddt for Dynamic DNS (http://www.ddts.org/), ssh
IN from lan: allow ssh, dhcp
OUT to net: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt, 
            proxy server access to isp, ping
OUT to lan: allow dhcp for LAN clients

2. LAN
======
IN: allow in only stuff related to what went out
OUT: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt, proxy isp, 
     dhcp to firewall machine


================== script ==========================

#!/bin/sh

# Set variables needed for a 2 interfaces system where interface eth0 
# gets an ip from the isp (cable modem) over dhcp and eth1 is
# 192.168.0.1 and serves the LAN with 
# ip's in the range 192.168.0.2-192.168.0.10
IPT=`which iptables`
DEP=`which depmod`
INS=`which insmod`
EXTIF="eth0"
INTIF="eth1"
LO="lo"
LAN="192.168.0.0/24"

# i need to check this list so it's possible it's not up to date. 
# I used the Dotted Decimal Non-aggregated list
# of http://www.cymru.com/Documents/bogon-dd.html
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \
50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 \
79.0.0.0/8 \
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 \
93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 \
100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 \
107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 \
113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 \
119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 \
125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
169.254.0.0/16 172.16.0.0/255.240.0.0 \
192.0.2.0/24 192.168.0.0/16 \
197.0.0.0/8 198.18.0.0/255.254.0.0 \
201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"

#Insert necessary modules (ip_tables first, then the matches and targets
# that depend on it; the nat table has to be loaded before ipt_MASQUERADE)
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean        # only exists with patch-o-matic; not used by the rules below
$INS ipt_LOG
$INS iptable_nat        # the module is iptable_nat, not iptables_nat
$INS ipt_MASQUERADE
$INS ip_nat_ftp

#Clearing any previous configuration
$IPT -F
$IPT -X
$IPT -Z

$IPT -P INPUT DROP
$IPT -F INPUT 
$IPT -P OUTPUT DROP
$IPT -F OUTPUT 
$IPT -P FORWARD DROP
$IPT -F FORWARD 
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Create the user chains (internal_in is used by the INPUT rules below,
# so it has to be created here as well)
$IPT -N inet_in
$IPT -N internal_in
$IPT -N local_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -N inet_out
$IPT -N local_out

# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Reverse-path filtering: drop packets whose source address is not
# reachable back through the interface they arrived on. Set it on both
# interfaces; on 2.4 the per-interface value is ANDed with "all".
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$EXTIF/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$INTIF/rp_filter

# Block all echo requests
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Add synflood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Log martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Not accept ICMP redirect messages
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Track nr of connections
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max

# Disable ICMP send_redirect
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects

# Don't accept source routed packets.
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route

# ICMP Broadcasting protection (smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# LooseUDP patch is required by some internet-based games
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

# IP forwarding: required for NAT, otherwise nothing is routed from the
# LAN to the net and the FORWARD/MASQUERADE rules below never see a packet
echo "1" > /proc/sys/net/ipv4/ip_forward

# Reduce DoS'ing ability by reducing timeouts
# Defaults:
#           echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
#           echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
#           echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
#           echo 1 > /proc/sys/net/ipv4/tcp_sack
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack

# Set out local port range
# Default echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

# Time To Live (TTL) is the term for a data field in the internet 
# protocol.
# TTL is today interpreted to indicate the maximum number of 
# routers a packet may transit.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl

# Increase the default queuelength. (Kernel Default: 1024)
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen

# Enable ECN? (Explicit Congestion Notification)
echo "1" > /proc/sys/net/ipv4/tcp_ecn


#################################################################
### logspoof ####
#################################################################
# (no trailing space after the backslash: "\ " ends the line continuation)
$IPT -A logspoof -m limit --limit 3/min \
     -j LOG --log-prefix "ip spoofing detected " \
     --log-tcp-sequence --log-level info
$IPT -A logspoof -j DROP

#################################################################
###  checkspoof ####
#################################################################
# this ip is used by my isp for something (don't know what) and 
# is sent every 2 minutes so i do 
# not even want to log this! Annoying isp. It goes to address 
# 224.0.0.1 which is IGMP multicast network
$IPT -A checkspoof -s 10.95.11.80 -j DROP

## Class A Reserved
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof

## Class B Reserved
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof

## Class C Reserved
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof

## Class D Reserved
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof

## Class E Reserved (240.0.0.0 - 255.255.255.255 is a /4, not a /5)
$IPT -A checkspoof -s 240.0.0.0/4 -j logspoof

for NET in $RESERVED_NET; do
    $IPT -A checkspoof -s $NET -j logspoof
done

#################################################################
### inet_in ####
#################################################################
### packets arriving on the net interface: check for spoofed sources
### first, then drop bogus "new" connections, then accept replies to
### what the firewall opened itself, and finally the two services
### offered to the net (ssh, ddt). Anything else falls back to INPUT,
### where it is logged and dropped.

$IPT -A inet_in -j checkspoof
$IPT -A inet_in -p tcp ! --syn -m state --state NEW \
     -j LOG --log-prefix "inet_in: New not syn:"
$IPT -A inet_in -p tcp ! --syn -m state --state NEW \
     -j DROP
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED \
     -j ACCEPT
$IPT -A inet_in -p udp --sport 67 --dport 68 -j ACCEPT  # dhcp replies from the isp
$IPT -A inet_in -p tcp --dport 22 -j ACCEPT    # allow ssh in
$IPT -A inet_in -p udp --dport 1052 -j ACCEPT  # allow ddt queries in

################################################################
### internal_in ####
################################################################
# from the LAN to the firewall itself: ssh, dhcp requests (clients send
# from port 68 to port 67, not the other way round) and replies to
# anything the firewall opened towards the LAN
$IPT -A internal_in -p tcp --dport 22 -j ACCEPT
$IPT -A internal_in -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A internal_in -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################
### local_in ####
################################################################
$IPT -A local_in -j ACCEPT

################################################################
###  inet_out ####
################################################################
### allow outside from firewall machine: ping, dns, 
### proxy of isp (8080), dhcp, news, smtp,
### www, imap, pop3, ftp (+ftpdata), ssh, ddt

### all tcp ports ###
$IPT -A inet_out -p tcp --dport 21 -j ACCEPT     # ftp
$IPT -A inet_out -p tcp --dport 22 -j ACCEPT     # ssh
$IPT -A inet_out -p tcp --dport 25 -j ACCEPT     # smtp
$IPT -A inet_out -p tcp --dport 53 -j ACCEPT     # dns
$IPT -A inet_out -p tcp --dport 80 -j ACCEPT     # www
$IPT -A inet_out -p tcp --dport 110 -j ACCEPT    # pop3
$IPT -A inet_out -p tcp --dport 143 -j ACCEPT    # imap
$IPT -A inet_out -p tcp --dport 1052 -j ACCEPT   # ddt ports
$IPT -A inet_out -p tcp --dport 8080 -j ACCEPT   # proxy isp

### all udp ports ###
$IPT -A inet_out -p udp --dport 53 -j ACCEPT     # dns
$IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT  # DHCP request to isp (client port 68 -> server port 67)
$IPT -A inet_out -p udp --dport 1052 -j ACCEPT   # ddt ports

### all icmp ###
$IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT

#################################################################
### local_out ####
#################################################################
$IPT -A local_out -j ACCEPT

#################################################################
### INPUT ####
#################################################################
$IPT -A INPUT -i $EXTIF -j inet_in
$IPT -A INPUT -i $INTIF -j internal_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -p ALL -j LOG \
     --log-prefix "INPUT: dropped packets" 
$IPT -A INPUT -i $EXTIF -p ALL -j DROP

#################################################################
#### OUTPUT ####
#################################################################
$IPT -A OUTPUT -o $EXTIF -j inet_out
$IPT -A OUTPUT -o $LO -j local_out
# towards the LAN: dhcp offers/acks from dhcpd (server port 67 -> client
# port 68) and replies to connections the LAN opened to the firewall
# (ssh). Without these the OUTPUT policy of DROP silently kills both.
$IPT -A OUTPUT -o $INTIF -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $EXTIF  -p ALL -j LOG --log-level info \
     --log-prefix "OUTPUT: dropped packets"
$IPT -A OUTPUT -o $EXTIF  -p ALL -j DROP

#################################################################
#### FORWARD ####
#################################################################

# Rate limits for traffic coming in from the net. A rule of the form
# "-m limit ... -j ACCEPT" accepts everything under the limit regardless
# of direction or connection state and just lets the excess fall through
# to the rules below, so it protects nothing. A limit only helps when the
# excess is dropped: return under the limit, drop above it.
$IPT -N ratelimit
$IPT -A ratelimit -m limit --limit 1/s --limit-burst 5 -j RETURN
$IPT -A ratelimit -j DROP

# Syn-flood protection: 
$IPT -A FORWARD -i $EXTIF -p tcp --syn -j ratelimit

# Furtive port scanner: 
$IPT -A FORWARD -i $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
     -j ratelimit

# Ping of death: 
$IPT -A FORWARD -i $EXTIF -p icmp --icmp-type echo-request \
     -j ratelimit

# Log invalid packets
$IPT -A FORWARD -m state --state INVALID -j LOG \
     --log-prefix "FORWARD: invalid packets"
$IPT -A FORWARD -m state --state INVALID -j DROP

### allow forwarding to the net from the lan: in on eth1, out on eth0,
### LAN source address only (per-service limits for the LAN go here)
$IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -d ! $LAN -j ACCEPT

### allow forwarding to the lan from the net only for established 
### or related connections: in on eth0, out on eth1, and nothing that
### the LAN did not open itself
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \
     -m state --state ESTABLISHED,RELATED -j ACCEPT

### log all the rest (i shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL -j LOG --log-level info \
     --log-prefix "FORWARD: dropped packets"
$IPT -A FORWARD -p ALL -j DROP

###############################################################
#### POSTROUTING ####
###############################################################

$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

====================== script =========================

Any mistakes or stupid stuff?
I have some questions too:

1. To limit what goes out to the net from the LAN, I have to specify the
rules in FORWARD? I mean, for a 1 NIC setup I use OUTPUT, but this
doesn't get used for a packet coming from the LAN destined for the net,
right?
So can I specify here (in FORWARD) what can go outside from the LAN?

2. In the reserved net string specified at the beginning of the 
script, I have a mask like this: 198.18.0.0/255.254.0.0
Is there a way to write 255.254.0.0 shorter?

3. I specified "internal_in" in order to be able to specify what 
can go from the clients on the LAN to the firewall machine itself.
Am I correct in thinking that, the way I've got things set up now,
only ssh and dhcp will be allowed to the firewall and nothing else?

Thanks

------ 
Benedict Verheyen 
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux
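Questions 1 and 2 in runnable form, as an added example that is not part of the original post: `mask2prefix` and `normalise_net` turn a dotted-decimal netmask such as `198.18.0.0/255.254.0.0` into prefix notation (`198.18.0.0/15`, since 255.254.0.0 is fifteen one bits followed by seventeen zero bits), and `lan_forward_rules` builds the FORWARD rules that restrict what LAN clients may open towards the net, which is the chain a forwarded packet actually traverses (OUTPUT only sees packets the firewall itself generates). The interface names and LAN range are taken from the post; the port list is my reading of the post's section 2 service list (ddt on 1052 and the ISP proxy on 8080 as in the script), and DHCP to the firewall is left out because it is INPUT traffic, not FORWARD. `IPT` defaults to `echo iptables` so the rules are printed for review instead of loaded; run it with `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post.
# IPT defaults to a dry run that prints the rules; set IPT=iptables to load them.
IPT="${IPT:-echo iptables}"
EXTIF="eth0"            # from the post
INTIF="eth1"            # from the post
LAN="192.168.0.0/24"    # from the post

# mask2prefix 255.254.0.0 -> prints 15; exit status 1 for a non-contiguous mask
mask2prefix() {
    # split the mask into four octets (positional parameters are local to the function)
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    p=0
    # count the run of leading one bits
    while [ "$p" -lt 32 ] && [ $(( n & (1 << (31 - p)) )) -ne 0 ]; do
        p=$((p + 1))
    done
    # every bit after that run must be zero, otherwise it is not a netmask
    [ $(( n & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1
    echo "$p"
}

# normalise_net 198.18.0.0/255.254.0.0 -> 198.18.0.0/15; prefix form passes through
normalise_net() {
    net="${1%/*}"
    mask="${1#*/}"
    case "$mask" in
        *.*) p=$(mask2prefix "$mask") || return 1
             echo "$net/$p" ;;
        *)   echo "$net/$mask" ;;
    esac
}

# normalise_list "a/m b/m ..." -> the same entries in prefix notation, one per line
normalise_list() {
    for entry in $1; do
        normalise_net "$entry" || return 1
    done
}

# services LAN clients may open on the net: ftp ssh smtp dns www pop3 imap ddt proxy
# (assumed port list, read off the post's section 2)
LAN_TCP="21 22 25 53 80 110 143 1052 8080"
LAN_UDP="53 1052"

# FORWARD policy: replies in either direction, new connections only from the
# LAN to the net and only to the listed ports, everything else logged and dropped.
lan_forward_rules() {
    $IPT -N lan_out
    # a "new" tcp connection that does not start with a SYN is bogus
    $IPT -A lan_out -p tcp ! --syn -j DROP
    for port in $LAN_TCP; do
        $IPT -A lan_out -p tcp --dport "$port" -j ACCEPT
    done
    for port in $LAN_UDP; do
        $IPT -A lan_out -p udp --dport "$port" -j ACCEPT
    done
    $IPT -A lan_out -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A lan_out -j LOG --log-prefix "lan_out: dropped "
    $IPT -A lan_out -j DROP

    # packets of tracked connections (ftp data included via ip_conntrack_ftp)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections: in on the LAN side, out on the net side, LAN source only
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -m state --state NEW -j lan_out
    # nothing may open a connection from the net towards the LAN
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD: dropped "
    $IPT -A FORWARD -j DROP
}

# the three dotted-mask entries from the post's RESERVED_NET list, normalised
normalise_list "172.16.0.0/255.240.0.0 198.18.0.0/255.254.0.0 224.0.0.0/224.0.0.0"
lan_forward_rules
```

The dry run is worth keeping even after the rules are trusted: piping the output through `grep lan_out` is a quick way to confirm that a port added to `LAN_TCP` really landed in the chain before loading it on a box you reach over ssh.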