
Re: 2 nic setup for firewall machine



Benedict Verheyen wrote:
> Hi,
> 
> a while back I posted a 1 NIC iptables script and now it's time 
> for the 2 NIC iptables setup for my firewall machine :-)

Hi again.

> My firewall machine will run sshd, courier imap, fetchmail, exim,
> ddts and dhcpd. 
> It should share the internet connection (cable modem) 
> for the LAN via nat and masquerading.
> Firewall machine will be 192.168.0.1 (eth1) and eth0 gets an IP
> from the ISP. IPs will be served to the LAN PCs on eth1.
> 
> This is what I want to do:
> 
> 1. Firewall machine
> ===================
> 
> IN from net: allow ddt for Dynamic DNS (http://www.ddts.org/), ssh
> IN from lan: allow ssh, dhcp
> OUT to net: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt, 
>             proxy server access to isp, ping
> OUT to lan: allow dhcp for LAN clients
> 
> 2. LAN
> ======
> IN: allow in only stuff related to what went out
> OUT: allow ftp, ssh, smtp, dns, www, pop3,imap, ddt, proxy isp, 
>      dhcp to firewall machine

It's not totally clear what the policy is supposed to be for each
machine here. Looking at your current rules, here is what traffic I
think would actually be allowed:
  FW to Inet: ftp, ssh, smtp, dns, www, pop3, imap, ddt, isp proxy, ping
  Inet to FW: ssh, ddt, dhcp replies, related/established connections
  LAN to FW: ssh, dhcp
  FW to LAN: nothing!
  LAN to Inet: (1/sec) [SYN, RST, echo], established/related connections
  Inet to LAN: everything!

Probably not quite what you wanted ;-)

> 
> 
> ================== script ==========================
> 
> #!/bin/sh
> 
> # Set variables needed for a 2 interfaces system where interface eth0 
> # gets an ip from the isp (cable modem) over dhcp and eth1 is
> # 192.168.0.1 and serves the LAN with 
> # ip's in the range 192.168.0.2-192.168.0.10
> IPT=`which iptables`
> DEP=`which depmod`
> INS=`which insmod`
> EXTIF="eth0"
> INTIF="eth1"
> LO="lo"
> LAN="192.168.0.0/24"
> 
> # i need to check this list so it's possible it's not up to date. 
> # I used the Dotted Decimal Non-aggregated list
> # of http://www.cymru.com/Documents/bogon-dd.html
> RESERVED_NET="
> 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
> 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 \
> 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 \
> 41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \
> 50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
> 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
> 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 \
> 79.0.0.0/8 \
> 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
> 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 \
> 93.0.0.0/8 94.0.0.0/8 \
> 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 \
> 100.0.0.0/8 101.0.0.0/8 \
> 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 \
> 107.0.0.0/8 \
> 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 \
> 113.0.0.0/8 \
> 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 \
> 119.0.0.0/8 \
> 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 \
> 125.0.0.0/8 \
> 126.0.0.0/8 127.0.0.0/8 \
> 169.254.0.0/16 172.16.0.0/255.240.0.0 \
> 192.0.2.0/24 192.168.0.0/16 \
> 197.0.0.0/8 198.18.0.0/255.254.0.0 \
> 201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"
> 
> #Insert necessary modules
> $INS ip_tables
> $INS ip_conntrack
> $INS ip_conntrack_ftp
> $INS ip_conntrack_irc
> $INS iptable_filter
> $INS ipt_limit
> $INS ipt_state
> $INS ipt_unclean
> $INS ipt_LOG
> $INS iptables_nat
> $INS ipt_MASQUERADE
> $INS ip_nat_ftp
> 
> #Clearing any previous configuration
> $IPT -F
> $IPT -X
> $IPT -Z
> 
> $IPT -P INPUT DROP
> $IPT -F INPUT 
> $IPT -P OUTPUT DROP
> $IPT -F OUTPUT 
> $IPT -P FORWARD DROP
> $IPT -F FORWARD 
> $IPT -t nat -F
> $IPT -t nat -X
> $IPT -t mangle -F
> $IPT -t mangle -X
> 
> # Create the rules
> $IPT -N inet_in
> $IPT -N local_in
> $IPT -N checkspoof
> $IPT -N logspoof
> $IPT -N inet_out
> $IPT -N local_out
> 
> # Dynamic IP
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> # Disable spoofing
> echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
> 
> # Block all echo requests
> #echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
> 
> # Add synflood protection
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> 
> # Log martians
> echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
> 
> # Not accept ICMP redirect messages
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> # Track nr of connections
> echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
> 
> # Disable ICMP send_redirect
> echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
> 
> # Don't accept source routed packets.
> echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
> 
> # ICMP Broadcasting protection (smurf amplifier protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
> # ICMP Dead Error Messages protection
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
> # LooseUDP patch is required by some internet-based games
> #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
> 
> # IP forwarding (need it to perform for example NAT)
> # echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> # Reduce DoS'ing ability by reducing timeouts
> # Defaults:
> #           echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
> #           echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
> #           echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
> #           echo 1 > /proc/sys/net/ipv4/tcp_sack
> echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
> echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
> echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> echo "0" > /proc/sys/net/ipv4/tcp_sack
> 
> # Set out local port range
> # Default echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> 
> # Time To Live (TTL) is the term for a data field in the internet 
> # protocol.
> # TTL is today interpreted to indicate the maximum number of 
> # routers a packet may transit.
> echo "64" > /proc/sys/net/ipv4/ip_default_ttl
> 
> # Increase the default queuelength. (Kernel Default: 1024)
> #echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
> 
> # Enable ECN? (Explicit Congestion Notification)
> echo "1" > /proc/sys/net/ipv4/tcp_ecn
> 
> 
> #################################################################
> ### logspoof ####
> #################################################################
> $IPT -A logspoof -m limit --limit 3/min \ 
>  -j LOG --log-prefix "ip spoofing detected " \
>  --log-tcp-sequence --log-level info
> $IPT -A logspoof -j DROP
> 
> #################################################################
> ###  checkspoof ####
> #################################################################
> # this ip is used by my isp for something (don't know what) and 
> # is send every 2 minutes so i do 
> # not even want to log this! Annoying isp. It goes to address 
> # 224.0.0.1 which is IGMP multicast network
> $IPT -A checkspoof -s 10.95.11.80 -j DROP
> 
> ## Class A Reserved
> $IPT -A checkspoof -s 10.0.0.0/8 -j logspoof
> 
> ## Class B Reserved
> $IPT -A checkspoof -s 172.16.0.0/12 -j logspoof
> 
> ## Class C Reserved
> $IPT -A checkspoof -s 192.168.0.0/16 -j logspoof
> 
> ## Class D Reserved
> $IPT -A checkspoof -s 224.0.0.0/4 -j logspoof
> 
> ## Class E Reserved
> $IPT -A checkspoof -s 240.0.0.0/5 -j logspoof
> 
> for NET in $RESERVED_NET; do
>     $IPT -A checkspoof -s $NET -j logspoof
> done
> 
> #################################################################
> ### inet_in ####
> #################################################################
> ### allow inside on firewall machine:  ssh, ddt
> 
> $IPT -A inet_in -p tcp --dport 22 -j ACCEPT    # allow ssh in
> $IPT -A inet_in -p udp --dport 1052 -j ACCEPT  # allow ddt queries in
> $IPT -A inet_in -p tcp ! --syn -m state --state NEW \
>      -j LOG --log-prefix "inet_in: New not syn:"
> $IPT -A inet_in -p tcp ! --syn -m state --state NEW \
>      -j DROP
> $IPT -A inet_in -j checkspoof
> $IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED \
>      -j ACCEPT
> 
> ################################################################
> ### internal_in ####
> ################################################################
> # allow dhcp request to eth1, allow ssh to firewall from lan
> $IPT -A internal_in -p tcp --dport 22 -j ACCEPT
> $IPT -A internal_in -p udp --sport 67 --dport 68 -j ACCEPT
> 
> ################################################################
> ### local_in ####
> ################################################################
> $IPT -A local_in -j ACCEPT
> 
> ################################################################
> ###  inet_out ####
> ################################################################
> ### allow outside from firewall machine: ping, dns, 
> ### proxy of isp (8080), dhcp, news, smtp,
> ### www, imap, pop3, ftp (+ftpdata), ssh, ddt
> 
> ### all tcp ports ###
> $IPT -A inet_out -p tcp --dport 21 -j ACCEPT     # ftp
> $IPT -A inet_out -p tcp --dport 22 -j ACCEPT     # ssh
> $IPT -A inet_out -p tcp --dport 25 -j ACCEPT     # smtp
> $IPT -A inet_out -p tcp --dport 53 -j ACCEPT     # dns
> $IPT -A inet_out -p tcp --dport 80 -j ACCEPT     # www
> $IPT -A inet_out -p tcp --dport 110 -j ACCEPT    # pop3
> $IPT -A inet_out -p tcp --dport 143 -j ACCEPT    # imap
> $IPT -A inet_out -p tcp --dport 1052 -j ACCEPT   # ddt ports
> $IPT -A inet_out -p tcp --dport 8080 -j ACCEPT   # proxy isp
> 
> ### all udp ports ###
> $IPT -A inet_out -p udp --dport 53 -j ACCEPT     # dns
> $IPT -A inet_out -p udp --sport 67 --dport 68 -j ACCEPT  # DHCP to isp
> $IPT -A inet_out -p udp --dport 1052 -j ACCEPT   # ddt ports
> 
> ### all icmp ###
> $IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT
> $IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT
> $IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT
> $IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT
> 
> #################################################################
> ### local_out ####
> #################################################################
> $IPT -A local_out -j ACCEPT
> 
> #################################################################
> ### INPUT ####
> #################################################################
> $IPT -A INPUT -i $EXTIF -j inet_in
> $IPT -A INPUT -i $INTIF -j internal_in
> $IPT -A INPUT -i $LO -j local_in
> $IPT -A INPUT -i $EXTIF -p ALL -j LOG \
>      --log-prefix "INPUT: dropped packets" 
> $IPT -A INPUT -i $EXTIF -p ALL -j DROP
> 
> #################################################################
> #### OUTPUT ####
> #################################################################
> $IPT -A OUTPUT -o $EXTIF -j inet_out
> $IPT -A OUTPUT -o $LO -j local_out
> $IPT -A OUTPUT -o $EXTIF  -p ALL -j LOG --log-level info \
>      --log-prefix "OUTPUT: dropped packets"
> $IPT -A OUTPUT -o $EXTIF  -p ALL -j DROP

Notice that packets going to the LAN from the FW get dropped.

> 
> #################################################################
> #### FORWARD ####
> #################################################################
> 
> # Syn-flood protection: 
> $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> 
> # Furtive port scanner: 
> $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
>      -m limit --limit 1/s -j ACCEPT
> 
> # Ping of death: 
> $IPT -A FORWARD -p icmp --icmp-type echo-request \
>      -m limit --limit 1/s -j ACCEPT
> 
> # Log invalid packets
> $IPT -A FORWARD -m state --state INVALID -j LOG \
>      --log-prefix "FORWARD: invalid packets"
> $IPT -A FORWARD -m state --state INVALID -j DROP
> 

Not sure if you really want these rules.

> ### allow forwarding to the net from the lan
> $IPT -A FORWARD -o $INTIF -i $EXTIF -d $LAN -s ! $LAN -j ACCEPT

Should be:
  $IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -d ! $LAN -j ACCEPT

> 
> ### allow forwarding to the lan from the net for established 
> ### or related connections
> $IPT -A FORWARD -o $EXTIF -i $INTIF -s $LAN -d ! $LAN \
>      -m state --state ESTABLISHED,RELATED -j ACCEPT

Should be:
  $IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \
       -m state --state ESTABLISHED,RELATED -j ACCEPT

> 
> ### log all the rest (i shouldn't get packets here?) ###
> $IPT -A FORWARD -p ALL -j LOG --log-level info \
>      --log-prefix "FORWARD: dropped packets"
> $IPT -A FORWARD -p ALL -j DROP
> 
> ###############################################################
> #### POSTROUTING ####
> ###############################################################
> 
> $IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> ====================== script =========================
> 
> Any mistakes or stupid stuff?
> I have some questions too:
> 
> 1. To limit what goes out to the net from the LAN, I have to specify the
> rules in FORWARD? I mean for a 1 NIC setup, I use OUTPUT but this
> doesn't get used for a packet coming from the LAN destined to the net,
> right?
> So can I specify rules for what can go outside from the LAN
> here (in FORWARD)?

Yes.

> 
> 2. In the reserved net string specified at the beginning of the 
> script, I have a mask like this: 198.18.0.0/255.254.0.0
> Is there a way to write the 255.254.0.0 shorter?

198.18.0.0/255.254.0.0 can be written as 198.18.0.0/15 . Or maybe even
198.18/15, not sure. This is since 255.254.0.0 in binary is
1111 1111 1111 1110 0000 0000 0000 0000, which has 15 leading ones.

> 3. I specified "internal_in" in order to be able to specify what 
> can go from the clients on the LAN to the firewall machine itself.
> Am I correct in thinking that the way I've got things set up now,
> only ssh and dhcp will be allowed to the firewall and nothing else?

Yes.

> Thanks
> 
> ------ 
> Benedict Verheyen 
> Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux
> 

No problem. HTH.

  Jason
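The FORWARD-direction mistake the reply points out (interfaces and addresses swapped in the two forwarding rules) can be checked without a kernel by walking the chain by hand. The simulator below is an added example, not code from the thread: it models only the two direction rules (the limit and INVALID rules are left out, and NAT is not modelled) with the script's LAN, eth0 and eth1, and feeds it constructed packets; 203.0.113.10 is a documentation address standing in for a host on the net.

```python
import ipaddress

# Addresses and interfaces from the quoted script.
LAN = ipaddress.ip_network("192.168.0.0/24")
EXTIF, INTIF = "eth0", "eth1"
POLICY = "DROP"  # $IPT -P FORWARD DROP

def rule(in_if, out_if, src_lan, dst_lan, states=None, target="ACCEPT"):
    """One FORWARD rule. src_lan/dst_lan: True means -s/-d $LAN, False means ! $LAN."""
    return {"in_if": in_if, "out_if": out_if, "src_lan": src_lan,
            "dst_lan": dst_lan, "states": states, "target": target}

def packet(in_if, out_if, src, dst, state):
    """A forwarded packet as seen after the routing decision, with its conntrack state."""
    return {"in_if": in_if, "out_if": out_if, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "state": state}

def matches(r, p):
    if r["in_if"] != p["in_if"] or r["out_if"] != p["out_if"]:
        return False
    if (p["src"] in LAN) != r["src_lan"] or (p["dst"] in LAN) != r["dst_lan"]:
        return False
    # -m state --state ... only matches the listed conntrack states
    return r["states"] is None or p["state"] in r["states"]

def verdict(chain, p):
    """Walk the chain in order; the first matching rule wins, else the chain policy."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return POLICY

# The two direction rules exactly as posted.
ORIGINAL = [
    rule(EXTIF, INTIF, src_lan=False, dst_lan=True),
    rule(INTIF, EXTIF, src_lan=True, dst_lan=False, states={"ESTABLISHED", "RELATED"}),
]
# The same two rules with interfaces and addresses swapped, as the reply suggests.
CORRECTED = [
    rule(INTIF, EXTIF, src_lan=True, dst_lan=False),
    rule(EXTIF, INTIF, src_lan=False, dst_lan=True, states={"ESTABLISHED", "RELATED"}),
]

# Constructed sample traffic.
LAN_NEW = packet(INTIF, EXTIF, "192.168.0.5", "203.0.113.10", "NEW")            # LAN client opens a connection
INET_NEW = packet(EXTIF, INTIF, "203.0.113.10", "192.168.0.5", "NEW")           # unsolicited packet aimed at the LAN
INET_REPLY = packet(EXTIF, INTIF, "203.0.113.10", "192.168.0.5", "ESTABLISHED")  # reply to LAN_NEW

def compare():
    """Verdict (original, corrected) per sample packet."""
    return {name: (verdict(ORIGINAL, p), verdict(CORRECTED, p))
            for name, p in [("LAN_NEW", LAN_NEW), ("INET_NEW", INET_NEW), ("INET_REPLY", INET_REPLY)]}

if __name__ == "__main__":
    for name, (orig, fixed) in compare().items():
        print(f"{name:10s} original={orig:6s} corrected={fixed}")
```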


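Question 2 (writing 255.254.0.0 as /15) and the checkspoof chain both come down to the same bookkeeping: a dotted mask has a /N form only when its ones are contiguous, and a rule whose network is already covered by an earlier rule in the chain can never match. The script below is an added example, not code from the thread; it counts leading ones the way the reply explains, converts the two dotted-mask entries from RESERVED_NET, and reports which entries of an excerpt of that list (in the script's order, after the explicit checkspoof rules) are dead.

```python
import ipaddress

def mask_to_prefix(mask):
    """Dotted netmask -> prefix length by counting leading ones; a mask whose
    ones are not contiguous has no /N form and is rejected."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones

def to_cidr(entry):
    """'198.18.0.0/255.254.0.0' -> IPv4Network('198.18.0.0/15'); plain /N entries pass through."""
    addr, _, mask = entry.partition("/")
    prefix = mask_to_prefix(mask) if "." in mask else int(mask)
    return ipaddress.ip_network(f"{addr}/{prefix}")

def shadowed(entries):
    """Entries, in chain order, fully covered by an earlier entry. Every checkspoof
    rule terminates (DROP or logspoof), so a covered entry is a dead rule."""
    seen, dead = [], []
    for e in entries:
        net = to_cidr(e)
        for earlier in seen:
            if net.subnet_of(earlier):
                dead.append((str(net), str(earlier)))
                break
        seen.append(net)
    return dead

# checkspoof order from the quoted script: the explicit rules first, then the loop.
EXPLICIT = ["10.95.11.80/32", "10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/5"]
# Excerpt of RESERVED_NET, kept in the script's order.
RESERVED_EXCERPT = ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/255.240.0.0",
                    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/255.254.0.0", "224.0.0.0/224.0.0.0"]

if __name__ == "__main__":
    for e in RESERVED_EXCERPT:
        print(f"{e:26s} -> {to_cidr(e)}")
    for net, by in shadowed(EXPLICIT + RESERVED_EXCERPT):
        print(f"{net} never matches: already caught by {by}")
```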
