Re: Re: 2 nic setup for firewall machine
>1. Firewall machine
>===================
>
>IN from net: allow ddt for Dynamic DNS (http://www.ddts.org/), ssh
>IN from lan: allow ssh, dhcp
>OUT to net: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt,
>proxy server access to isp, ping
>OUT to lan: allow dhcp for LAN clients
>
>2. LAN
>======
>IN: allow in only stuff related to what went out
>OUT: allow ftp, ssh, smtp, dns, www, pop3,imap, ddt, proxy isp,
>dhcp to firewall machine
>
>It's not totally clear what the policy is supposed to be for each
>machine here. Looking at your current rules, here is what traffic I
>think would actually be allowed:
>FW to Inet: ftp, ssh, smtp, dns, www, pop3, imap, ddt, isp proxy, ping
This is what I want.
>Inet to FW: ssh, ddt, dhcp replies, related/established connections
This is also what I want.
>LAN to FW: ssh, dhcp
I will need imap and smtp too, since my server will run Courier IMAP.
Do I specify these in the FORWARD chain?
>FW to LAN: nothing!
I don't think anything like this is necessary, or do I have to specifically let
dhcp through for eth1? Same for imap: will these automatically go through
because of the related/established rule?
>LAN to Inet: (1/sec) [SYN, RST, echo], established/related connections
Hhhm. I would want to specify what goes out from the lan. Basically this will
be these services:
ftp, ssh, smtp, dns, www, pop3, isp proxy, ping
Everything else should be dropped. As you said, I will specify these
in the FORWARD rule.
>Inet to LAN: everything!
Ouch. Only related or established connections should go through! Aaaargh.
>Probably not quite what you wanted ;-)
Nope :-(
>For some forward rules you said "Not sure if you really want these rules."
Why wouldn't I want these? Would they flood the logs?
================== script v0.2 ==========================
#!/bin/sh
# Set variables needed for a 2 interfaces system where interface eth0
# gets an ip from the isp (cable modem) over dhcp and eth1 is
# 192.168.0.1 and serves the LAN with
# ip's in the range 192.168.0.2-192.168.0.10
IPT=`which iptables`
DEP=`which depmod`
INS=`which insmod`
EXTIF="eth0"
INTIF="eth1"
LO="lo"
LAN="192.168.0.0/24"
# I need to check this list, so it's possible it's not up to date.
# I used the Dotted Decimal Non-aggregated list
# from http://www.cymru.com/Documents/bogon-dd.html
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \
50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 \
79.0.0.0/8 \
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 \
93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 \
100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 \
107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 \
113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 \
119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 \
125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
169.254.0.0/16 172.16.0.0/255.240.0.0 \
192.0.2.0/24 192.168.0.0/16 \
197.0.0.0/8 198.18.0.0/255.254.0.0 \
201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"
#Insert necessary modules
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean
$INS ipt_LOG
$INS iptable_nat
$INS ipt_MASQUERADE
$INS ip_nat_ftp
#Clearing any previous configuration
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Create the user chains (every chain jumped to below must exist here)
$IPT -N inet_in
$IPT -N internal_in
$IPT -N local_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -N inet_out
$IPT -N local_out
# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Disable spoofing (reverse path filter on the external interface)
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
# Block all echo requests
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Add synflood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Log martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Do not accept ICMP redirect messages
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Track nr of connections
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
# Disable ICMP send_redirect
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
# Don't accept source routed packets.
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
# ICMP Broadcasting protection (smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# LooseUDP patch is required by some internet-based games
# echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# IP forwarding (required, otherwise the FORWARD and MASQUERADE rules
# below never see a packet and the LAN gets no connectivity)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Reduce DoS'ing ability by reducing timeouts
# Defaults:
# echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
# echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
# echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
# echo 1 > /proc/sys/net/ipv4/tcp_sack
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
# Set our local port range
# Default: echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
# Time To Live (TTL) is the term for a data field in the internet
# protocol.
# TTL is today interpreted to indicate the maximum number of
# routers a packet may transit.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
# Increase the default queue length. (Kernel Default: 1024)
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
# Enable ECN? (Explicit Congestion Notification)
echo "1" > /proc/sys/net/ipv4/tcp_ecn
#################################################################
### logspoof ####
#################################################################
$IPT -A logspoof -m limit --limit 3/min \
-j LOG --log-prefix "ip spoofing detected " \
--log-tcp-sequence --log-level info
$IPT -A logspoof -j DROP
#################################################################
### checkspoof ####
#################################################################
# This ip is used by my isp for something (don't know what) and
# is sent every 2 minutes, so I do not even want to log this!
# Annoying isp. It goes to address 224.0.0.1, which is the
# IGMP multicast network.
$IPT -A checkspoof -s 10.95.11.80 -j DROP
## Class A Reserved
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof
## Class B Reserved
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof
## Class C Reserved
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof
## Class D Reserved
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof
## Class E Reserved
$IPT -A checkspoof -s 240.0.0.0/5 -j logspoof
for NET in $RESERVED_NET; do
$IPT -A checkspoof -s $NET -j logspoof
done
#################################################################
### inet_in ####
#################################################################
### allow inside on firewall machine: ssh, ddt
$IPT -A inet_in -p tcp --dport 22 -j ACCEPT # allow ssh in
$IPT -A inet_in -p udp --dport 1052 -j ACCEPT # allow ddt queries in
$IPT -A inet_in -p tcp ! --syn -m state --state NEW \
-j LOG --log-prefix "inet_in: New not syn:"
$IPT -A inet_in -p tcp ! --syn -m state --state NEW \
-j DROP
$IPT -A inet_in -j checkspoof
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED \
-j ACCEPT
################################################################
### internal_in ####
################################################################
# allow dhcp requests to eth1 (clients send from udp 68 to udp 67),
# allow ssh to firewall from lan
$IPT -A internal_in -p tcp --dport 22 -j ACCEPT
$IPT -A internal_in -p udp --sport 68 --dport 67 -j ACCEPT
################################################################
### local_in ####
################################################################
$IPT -A local_in -j ACCEPT
################################################################
### inet_out ####
################################################################
### allow outside from firewall machine: ping, dns,
### proxy of isp (8080), dhcp, news, smtp,
### www, imap, pop3, ftp (+ftpdata), ssh, ddt
### all tcp ports ###
$IPT -A inet_out -p tcp --dport 21 -j ACCEPT # ftp
$IPT -A inet_out -p tcp --dport 22 -j ACCEPT # ssh
$IPT -A inet_out -p tcp --dport 25 -j ACCEPT # smtp
$IPT -A inet_out -p tcp --dport 53 -j ACCEPT # dns
$IPT -A inet_out -p tcp --dport 80 -j ACCEPT # www
$IPT -A inet_out -p tcp --dport 110 -j ACCEPT # pop3
$IPT -A inet_out -p tcp --dport 143 -j ACCEPT # imap
$IPT -A inet_out -p tcp --dport 1052 -j ACCEPT # ddt ports
$IPT -A inet_out -p tcp --dport 8080 -j ACCEPT # proxy isp
### all udp ports ###
$IPT -A inet_out -p udp --dport 53 -j ACCEPT # dns
$IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT # DHCP client to isp
$IPT -A inet_out -p udp --dport 1052 -j ACCEPT # ddt ports
### all icmp ###
$IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT
#################################################################
### local_out ####
#################################################################
$IPT -A local_out -j ACCEPT
#################################################################
### INPUT ####
#################################################################
$IPT -A INPUT -i $EXTIF -j inet_in
$IPT -A INPUT -i $INTIF -j internal_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -p ALL -j LOG \
--log-prefix "INPUT: dropped packets"
$IPT -A INPUT -i $EXTIF -p ALL -j DROP
#################################################################
#### OUTPUT ####
#################################################################
$IPT -A OUTPUT -o $EXTIF -j inet_out
$IPT -A OUTPUT -o $LO -j local_out
$IPT -A OUTPUT -o $EXTIF -p ALL -j LOG --log-level info \
--log-prefix "OUTPUT: dropped packets"
$IPT -A OUTPUT -o $EXTIF -p ALL -j DROP
#################################################################
#### FORWARD ####
#################################################################
# Syn-flood protection:
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Furtive port scanner:
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 1/s -j ACCEPT
# Ping of death:
$IPT -A FORWARD -p icmp --icmp-type echo-request \
-m limit --limit 1/s -j ACCEPT
# Log invalid packets
$IPT -A FORWARD -m state --state INVALID -j LOG \
--log-prefix "FORWARD: invalid packets"
$IPT -A FORWARD -m state --state INVALID -j DROP
#### Not sure if you really want these rules.
#### --- Why wouldn't I want these? Would they flood the logs?
### allow forwarding to the net from the lan
$IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -d ! $LAN -j ACCEPT
### rules for what is allowed from the lan to the net
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 8080 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 0 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 3 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 11 -j ACCEPT
### allow forwarding to the lan from the net for established
### or related connections
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \
-m state --state ESTABLISHED,RELATED -j ACCEPT
### log all the rest (i shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL -j LOG --log-level info \
--log-prefix "FORWARD: dropped packets"
$IPT -A FORWARD -p ALL -j DROP
###############################################################
#### POSTROUTING ####
###############################################################
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
====================== script v 0.2 =========================
------
Benedict Verheyen
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux
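A small static lint for a rule script of this shape, added here as an example (it is not part of the original post or of the script above). It catches two slips that are easy to make in a script this long: a jump to a user chain that was never created with -N, and the same rule appended twice. SAMPLE_RULES is a constructed fragment in the same style; to check a real script, pass its contents to the two functions instead.

```shell
#!/bin/sh
# Static lint for an iptables rule script (added example, not part of the
# original script). Two checks: chains that are jump targets but never
# created with -N, and identical rules appended twice. SAMPLE_RULES is a
# constructed fragment in the same style as the script above.

SAMPLE_RULES='
$IPT -N inet_in
$IPT -N local_in
$IPT -A INPUT -i eth0 -j inet_in
$IPT -A INPUT -i eth1 -j internal_in
$IPT -A inet_in -p tcp --dport 22 -j ACCEPT # allow ssh in
$IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 8080 -j ACCEPT # proxy isp
$IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 8080 -j ACCEPT
$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD: dropped packets"
$IPT -A FORWARD -p ALL -j DROP
'

# Targets that are not user chains, so a jump to them needs no -N.
is_builtin() {
  case " ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT REDIRECT " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# Print every -j target that is neither built in nor created with -N.
undefined_chains() {
  created=$(printf '%s\n' "$1" |
    sed -n 's/.*-N[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p')
  printf '%s\n' "$1" |
    sed -n 's/.*-j[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' |
    sort -u |
  while read -r target; do
    is_builtin "$target" && continue
    printf '%s\n' "$created" | grep -qx "$target" || printf '%s\n' "$target"
  done
}

# Print each -A rule that occurs more than once, ignoring trailing comments.
duplicate_rules() {
  printf '%s\n' "$1" | grep -- ' -A ' |
    sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//' | sort | uniq -d
}

echo "jumps to chains never created:"
undefined_chains "$SAMPLE_RULES"
echo "rules appended more than once:"
duplicate_rules "$SAMPLE_RULES"
```

Rules split over several lines with a trailing backslash are still seen by the chain check (the `-j` target is found on whichever line carries it), but the duplicate check compares single lines only.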