
Re: 2 nic setup for firewall machine



Benedict Verheyen wrote:
> >1. Firewall machine 
> >=================== 
> >
> >IN from net: allow ddt for Dynamic DNS (http://www.ddts.org/), ssh 
> >IN from lan: allow ssh, dhcp
> >OUT to net: allow ftp, ssh, smtp, dns, www, pop3, imap, ddt, 
> >proxy server access to isp, ping 
> >OUT to lan: allow dhcp for LAN clients 
> >
> >2. LAN 
> >======
> >IN: allow in only stuff related to what went out 
> >OUT: allow ftp, ssh, smtp, dns, www, pop3,imap, ddt, proxy isp, 
> >dhcp to firewall machine 
> >
> >It's not totally clear what the policy is supposed to be for each 
> >machine here. Looking at your current rules, here is what traffic I 
> >think would actually be allowed: 
> >FW to Inet: ftp, ssh, smtp, dns, www, pop3, imap, ddt, isp proxy, ping 
> 
> This is what I want.
> 
> >Inet to FW: ssh, ddt, dhcp replies, related/established connections 
> 
> This is also what I want.
> 
> >LAN to FW: ssh, dhcp 
> 
> I will need imap, smtp too since my server will run courier imap.
> Do I specify these in the FORWARD chain?

Those would go in your internal_in chain.

> 
> >FW to LAN: nothing! 
> 
> I don't think anything like this is necessary, or do I have to specifically let
> dhcp through for eth1? Same for imap, or will these automatically go through
> because of the related/established rule?

You don't test "-o $INTIF" in OUTPUT right now, so packets going from
the firewall to the LAN (the ones originating at the FW, not the ones
being forwarded) never reach a related/established rule. They just get
dropped, so you need to explicitly allow them.

> 
> >LAN to Inet: (1/sec) [SYN, RST, echo], established/related connections 
> 
> Hhhm.  I would want to specify what goes out from the LAN. Basically this will
> be these services:
> ftp, ssh, smtp, dns, www, pop3, isp proxy, ping
> Everything else should be dropped. As you said, I will specify these
> in the FORWARD rule.
> 
> >Inet to LAN: everything!
> 
> Ouch. Only related or established connections should go through! Aaaargh.

I think that's fixed now.

> 
> >Probably not quite what you wanted ;-)
> 
> Nope :-(
> 
> >For some forward rules you said "Not sure if you really want these rules."
> 
> Why wouldn't I want these? Would they flood the logs?
> 
> ================== script v0.2 ========================== 
> 
> #!/bin/sh 
> 
> # Set variables needed for a 2 interfaces system where interface eth0 
> # gets an ip from the isp (cable modem) over dhcp and eth1 is 
> # 192.168.0.1 and serves the LAN with 
> # ip's in the range 192.168.0.2-192.168.0.10 
> IPT=`which iptables` 
> DEP=`which depmod` 
> INS=`which insmod` 
> EXTIF="eth0" 
> INTIF="eth1" 
> LO="lo" 
> LAN="192.168.0.0/24" 
> 
> # I need to check this list so it's possible it's not up to date.
> # I used the Dotted Decimal Non-aggregated list 
> # of http://www.cymru.com/Documents/bogon-dd.html 
> RESERVED_NET=" 
> 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \ 
> 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 \ 
> 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 \ 
> 41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \ 
> 50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \ 
> 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \ 
> 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 \ 
> 79.0.0.0/8 \ 
> 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \ 
> 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 \ 
> 93.0.0.0/8 94.0.0.0/8 \ 
> 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 \ 
> 100.0.0.0/8 101.0.0.0/8 \ 
> 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 \ 
> 107.0.0.0/8 \ 
> 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 \ 
> 113.0.0.0/8 \ 
> 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 \ 
> 119.0.0.0/8 \ 
> 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 \ 
> 125.0.0.0/8 \ 
> 126.0.0.0/8 127.0.0.0/8 \ 
> 169.254.0.0/16 172.16.0.0/255.240.0.0 \ 
> 192.0.2.0/24 192.168.0.0/16 \ 
> 197.0.0.0/8 198.18.0.0/255.254.0.0 \ 
> 201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"
> 
> #Insert necessary modules 
> $INS ip_tables 
> $INS ip_conntrack 
> $INS ip_conntrack_ftp 
> $INS ip_conntrack_irc 
> $INS iptable_filter 
> $INS ipt_limit 
> $INS ipt_state 
> $INS ipt_unclean 
> $INS ipt_LOG 
> $INS iptable_nat   # the module is iptable_nat, not iptables_nat
> $INS ipt_MASQUERADE 
> $INS ip_nat_ftp 
> 
> #Clearing any previous configuration 
> $IPT -F 
> $IPT -X 
> $IPT -Z 
> 
> $IPT -P INPUT DROP 
> $IPT -F INPUT 
> $IPT -P OUTPUT DROP 
> $IPT -F OUTPUT 
> $IPT -P FORWARD DROP 
> $IPT -F FORWARD 
> $IPT -t nat -F 
> $IPT -t nat -X 
> $IPT -t mangle -F 
> $IPT -t mangle -X 
> 
> # Create the chains (every user chain jumped to below must exist)
> $IPT -N inet_in       # traffic arriving on $EXTIF
> $IPT -N internal_in   # traffic arriving on $INTIF
> $IPT -N local_in      # traffic arriving on lo
> $IPT -N checkspoof
> $IPT -N logspoof
> $IPT -N inet_out      # traffic leaving on $EXTIF
> $IPT -N local_out     # traffic leaving on lo
> 
> # Dynamic IP
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> # Disable spoofing (reverse path filter on the external interface)
> echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
> 
> # Block all echo requests
> #echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
> 
> # Add synflood protection
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> 
> # Log martians
> echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
> 
> # Do not accept ICMP redirect messages
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> # Track nr of connections
> echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
> 
> # Disable ICMP send_redirect
> echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
> 
> # Don't accept source routed packets.
> echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
> 
> # ICMP Broadcasting protection (smurf amplifier protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
> # ICMP Dead Error Messages protection
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
> # LooseUDP patch is required by some internet-based games
> # (an ipchains/ip_masq setting; it does not exist in 2.4 netfilter kernels)
> # echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
> 
> # IP forwarding (need it to perform for example NAT)
> # Left disabled here: forwarding must be switched on somewhere (here, or
> # ip_forward=yes in /etc/network/options on Debian), otherwise the FORWARD
> # chain and the MASQUERADE rule below never see a packet.
> # echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> # Reduce DoS'ing ability by reducing timeouts
> # Defaults:
> # echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
> # echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
> # echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
> # echo 1 > /proc/sys/net/ipv4/tcp_sack
> echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
> echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
> echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> echo "0" > /proc/sys/net/ipv4/tcp_sack
> 
> # Set our local port range
> # Default: echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> 
> # Time To Live (TTL) is the term for a data field in the internet
> # protocol.
> # TTL is today interpreted to indicate the maximum number of
> # routers a packet may transit.
> echo "64" > /proc/sys/net/ipv4/ip_default_ttl
> 
> # Increase the default queuelength. (Kernel Default: 1024)
> #echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
> 
> # Enable ECN? (Explicit Congestion Notification)
> echo "1" > /proc/sys/net/ipv4/tcp_ecn
> 
> 
> ################################################################# 
> ### logspoof #### 
> ################################################################# 
> $IPT -A logspoof -m limit --limit 3/min \ 
>      -j LOG --log-prefix "ip spoofing detected " \ 
>      --log-tcp-sequence --log-level info 
> $IPT -A logspoof -j DROP 
> 
> ################################################################# 
> ### checkspoof #### 
> ################################################################# 
> # this ip is used by my isp for something (don't know what) and
> # is sent every 2 minutes, so I do
> # not even want to log this! Annoying isp. It goes to address
> # 224.0.0.1 which is IGMP multicast network
> $IPT -A checkspoof -s 10.95.11.80 -j DROP
> 
> ## Class A Reserved 
> $IPT -A checkspoof -s 10.0.0.0/8 -j logspoof 
> 
> ## Class B Reserved 
> $IPT -A checkspoof -s 172.16.0.0/12 -j logspoof 
> 
> ## Class C Reserved 
> $IPT -A checkspoof -s 192.168.0.0/16 -j logspoof 
> 
> ## Class D Reserved 
> $IPT -A checkspoof -s 224.0.0.0/4 -j logspoof 
> 
> ## Class E Reserved 
> $IPT -A checkspoof -s 240.0.0.0/5 -j logspoof 
> 
> for NET in $RESERVED_NET; do 
>     $IPT -A checkspoof -s $NET -j logspoof 
> done 
> 
> ################################################################# 
> ### inet_in #### 
> ################################################################# 
> ### allow inside on firewall machine: ssh, ddt 
> 
> $IPT -A inet_in -p tcp --dport 22 -j ACCEPT # allow ssh in 
> $IPT -A inet_in -p udp --dport 1052 -j ACCEPT # allow ddt queries in 
> $IPT -A inet_in -p tcp ! --syn -m state --state NEW \ 
>      -j LOG --log-prefix "inet_in: New not syn:" 
> $IPT -A inet_in -p tcp ! --syn -m state --state NEW \ 
>      -j DROP 
> $IPT -A inet_in -j checkspoof 
> $IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED \ 
>      -j ACCEPT 
> 
> ################################################################ 
> ### internal_in #### 
> ################################################################ 
> # allow ssh to firewall from lan, allow dhcp requests to eth1
> # (a client's request is sport 68 -> dport 67; the server's reply is the
> # other way round and belongs in OUTPUT, not here)
> $IPT -A internal_in -p tcp --dport 22 -j ACCEPT
> $IPT -A internal_in -p udp --sport 68 --dport 67 -j ACCEPT
> 
> ################################################################ 
> ### local_in #### 
> ################################################################ 
> $IPT -A local_in -j ACCEPT 
> 
> ################################################################ 
> ### inet_out #### 
> ################################################################ 
> ### allow outside from firewall machine: ping, dns, 
> ### proxy of isp (8080), dhcp, news, smtp, 
> ### www, imap, pop3, ftp (+ftpdata), ssh, ddt 
> 
> ### all tcp ports ### 
> $IPT -A inet_out -p tcp --dport 21 -j ACCEPT # ftp 
> $IPT -A inet_out -p tcp --dport 22 -j ACCEPT # ssh 
> $IPT -A inet_out -p tcp --dport 25 -j ACCEPT # smtp 
> $IPT -A inet_out -p tcp --dport 53 -j ACCEPT # dns 
> $IPT -A inet_out -p tcp --dport 80 -j ACCEPT # www 
> $IPT -A inet_out -p tcp --dport 110 -j ACCEPT # pop3 
> $IPT -A inet_out -p tcp --dport 143 -j ACCEPT # imap 
> $IPT -A inet_out -p tcp --dport 1052 -j ACCEPT # ddt ports 
> $IPT -A inet_out -p tcp --dport 8080 -j ACCEPT # proxy isp 
> 
> ### all udp ports ### 
> $IPT -A inet_out -p udp --dport 53 -j ACCEPT # dns 
> $IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT # DHCP client to isp
> $IPT -A inet_out -p udp --dport 1052 -j ACCEPT # ddt ports 
> 
> ### all icmp ### 
> $IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT 
> $IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT 
> $IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT 
> $IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT 
> 
> ################################################################# 
> ### local_out #### 
> ################################################################# 
> $IPT -A local_out -j ACCEPT 
> 
> ################################################################# 
> ### INPUT #### 
> ################################################################# 
> $IPT -A INPUT -i $EXTIF -j inet_in 
> $IPT -A INPUT -i $INTIF -j internal_in 
> $IPT -A INPUT -i $LO -j local_in 
> $IPT -A INPUT -i $EXTIF -p ALL -j LOG \ 
>      --log-prefix "INPUT: dropped packets" 
> $IPT -A INPUT -i $EXTIF -p ALL -j DROP 
> 
> ################################################################# 
> #### OUTPUT #### 
> ################################################################# 
> $IPT -A OUTPUT -o $EXTIF -j inet_out 
> $IPT -A OUTPUT -o $LO -j local_out 
> $IPT -A OUTPUT -o $EXTIF -p ALL -j LOG --log-level info \ 
>      --log-prefix "OUTPUT: dropped packets" 
> $IPT -A OUTPUT -o $EXTIF -p ALL -j DROP 
> 
> 
> ################################################################# 
> #### FORWARD #### 
> ################################################################# 
> 
> # Syn-flood protection: 
> $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT 

This rule is a problem because it short-circuits the restrictive rules
you have below. Any outgoing SYN will be accepted, not just those to the
allowed ports. Going the other direction (Inet->LAN) it should be almost
impossible for a plain SYN to reach FORWARD in the first place when doing
masquerading, because Linux would think the packet is directed at the
firewall itself.

> 
> # Furtive port scanner: 
> $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \ 
>      -m limit --limit 1/s -j ACCEPT 

Same problem here as the last rule.

> 
> # Ping of death: 
> $IPT -A FORWARD -p icmp --icmp-type echo-request \ 
>      -m limit --limit 1/s -j ACCEPT 

I think this rule doesn't do anything, since you accept echo-request
from LAN later, and Inet packets won't get here.

> 
> # Log invalid packets 
> $IPT -A FORWARD -m state --state INVALID -j LOG \ 
>      --log-prefix "FORWARD: invalid packets" 
> $IPT -A FORWARD -m state --state INVALID -j DROP 

These are ok I guess :)

> 
> 
> #### Not sure if you really want these rules. 
> #### --- Why wouldn't I want these? Would they flood the logs?

They wouldn't really flood the logs, but see above. You might want to
put some of these in INPUT though, and if your LAN had public IPs, you
might want to use them here.

> 
> ### allow forwarding to the net from the lan 
> $IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -d ! $LAN -j ACCEPT 

You don't want this rule if you have the rules below. Since the rules
are checked in order, all LAN->Inet packets would be ACCEPTed by this
rule before reaching the restrictive rules below.

> 
> ### rules for what is allowed from the lan to the net
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -j ACCEPT   # ftp
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT   # ssh
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j ACCEPT   # smtp
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -j ACCEPT   # dns
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT   # www
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -j ACCEPT  # pop3
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 8080 -j ACCEPT # proxy isp
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 0 -j ACCEPT 
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 3 -j ACCEPT 
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT 
> $IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 11 -j ACCEPT 
> 
> ### allow forwarding to the lan from the net for established 
> ### or related connections 
> $IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \ 
>      -m state --state ESTABLISHED,RELATED -j ACCEPT 
> 
> ### log all the rest (i shouldn't get packets here?) ### 
> $IPT -A FORWARD -p ALL -j LOG --log-level info \ 
>      --log-prefix "FORWARD: dropped packets" 
> $IPT -A FORWARD -p ALL -j DROP 
> 
> ############################################################### 
> #### POSTROUTING #### 
> ############################################################### 
> 
> $IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE 
> 
> ====================== script v 0.2 ========================= 
> 
> ------ 
> Benedict Verheyen 
> Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux

I think your script's ok now, minus the things I mentioned :)

Jason
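The two ordering problems Jason points out above (a rate-limited ACCEPT at the top of FORWARD that lets any SYN through before the port list is consulted, and an OUTPUT chain that never tests `-o $INTIF`, so packets the firewall itself sends to the LAN fall through to the DROP policy) are easy to see in a first-match model of chain traversal. The following is an added example, not code from this thread or from either poster. It walks chains the way the kernel does (first matching terminal target wins, a user chain that RETURNs or falls off its end hands back to the caller), approximates `-m limit` with a token bucket using iptables' default burst of 5, and uses the chain names `syn_flood` and `internal_out`, which are my own; the interface names and port list follow the script, the packets are constructed.

```python
"""First-match simulation of iptables chain traversal (added example, not code
from the thread): interface, protocol, port, SYN flag, conntrack state and
`-m limit` only, enough to show why rule order decides what a chain allows."""
from dataclasses import dataclass

@dataclass
class Packet:
    in_if: str = ""
    out_if: str = ""
    proto: str = "tcp"
    dport: int = 0
    syn: bool = True      # bare SYN, i.e. a new connection attempt
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED

class Limit:
    """Token bucket standing in for `-m limit --limit RATE/s`; with the
    default --limit-burst of 5 the first five packets always match."""
    def __init__(self, rate_per_s, burst=5):
        self.rate, self.burst, self.tokens, self.last = rate_per_s, burst, float(burst), 0.0
    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

@dataclass
class Rule:
    target: str           # ACCEPT, DROP, RETURN or the name of a user chain
    in_if: str = None
    out_if: str = None
    proto: str = None
    dport: int = None
    syn: bool = None
    state: tuple = None   # e.g. ("ESTABLISHED", "RELATED")
    limit: Limit = None
    def matches(self, pkt, now):
        for want, have in ((self.in_if, pkt.in_if), (self.out_if, pkt.out_if), (self.proto, pkt.proto),
                           (self.dport, pkt.dport), (self.syn, pkt.syn)):
            if want is not None and want != have:
                return False
        if self.state and pkt.state not in self.state:
            return False
        # limit comes last, so a token is only spent on an otherwise matching packet
        return self.limit.match(now) if self.limit else True

class Firewall:
    def __init__(self, **policy):       # e.g. Firewall(FORWARD="DROP")
        self.chains, self.policy = {}, policy
    def add(self, chain, **rule):
        self.chains.setdefault(chain, []).append(Rule(**rule))
    def _walk(self, chain, pkt, now):
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt, now):
                continue
            if rule.target in ("ACCEPT", "DROP", "RETURN"):
                return None if rule.target == "RETURN" else rule.target
            verdict = self._walk(rule.target, pkt, now)   # jump into a user chain
            if verdict:
                return verdict
        return None                                       # fell off the end of the chain
    def verdict(self, chain, pkt, now=0.0):
        return self._walk(chain, pkt, now) or self.policy.get(chain, "ACCEPT")

def _whitelist(fw):
    for port in (21, 22, 25, 53, 80, 110, 8080):   # the posted LAN -> net port list
        fw.add("FORWARD", target="ACCEPT", in_if="eth1", out_if="eth0", proto="tcp", dport=port)
    fw.add("FORWARD", target="ACCEPT", in_if="eth0", out_if="eth1", state=("ESTABLISHED", "RELATED"))

def posted_forward():
    """FORWARD as posted: a rate-limited ACCEPT for every SYN comes first."""
    fw = Firewall(FORWARD="DROP")
    fw.add("FORWARD", target="ACCEPT", proto="tcp", syn=True, limit=Limit(1))
    _whitelist(fw)
    return fw

def fixed_forward():
    """Limit moved into `syn_flood` (my chain name), which only DROPs the
    excess: within the limit it RETURNs and the port list decides."""
    fw = Firewall(FORWARD="DROP")
    fw.add("syn_flood", target="RETURN", limit=Limit(1))
    fw.add("syn_flood", target="DROP")
    fw.add("FORWARD", target="syn_flood", proto="tcp", syn=True)
    _whitelist(fw)
    return fw

def posted_output():
    """OUTPUT as posted: only `-o eth0` and `-o lo` are tested, policy DROP."""
    fw = Firewall(OUTPUT="DROP")
    fw.add("OUTPUT", target="ACCEPT", out_if="eth0")   # stands in for -o eth0 -j inet_out
    fw.add("OUTPUT", target="ACCEPT", out_if="lo")
    return fw

def fixed_output():
    """Adds the `-o eth1` branch (`internal_out`, my chain name) so what the
    firewall itself sends to the LAN is not dropped by the policy."""
    fw = posted_output()
    fw.add("internal_out", target="ACCEPT", proto="udp", dport=68)   # DHCP offer/ack to a client
    fw.add("internal_out", target="ACCEPT", state=("ESTABLISHED", "RELATED"))
    fw.add("OUTPUT", target="internal_out", out_if="eth1")
    return fw

LAN_TELNET = Packet(in_if="eth1", out_if="eth0", dport=23)            # constructed; not on the list
LAN_WEB = Packet(in_if="eth1", out_if="eth0", dport=80)               # constructed
DHCP_REPLY = Packet(out_if="eth1", proto="udp", dport=68, syn=False)  # constructed; firewall -> client

if __name__ == "__main__":
    print("LAN telnet, posted FORWARD:", posted_forward().verdict("FORWARD", LAN_TELNET),
          "| fixed:", fixed_forward().verdict("FORWARD", LAN_TELNET))
    print("DHCP reply, posted OUTPUT:", posted_output().verdict("OUTPUT", DHCP_REPLY),
          "| fixed:", fixed_output().verdict("OUTPUT", DHCP_REPLY))
```

In iptables terms the `syn_flood` chain is `-N syn_flood`, `-A syn_flood -m limit --limit 1/s -j RETURN`, `-A syn_flood -j DROP`, jumped to from FORWARD with `-p tcp --syn` before the port rules; the posted "furtive port scanner" rule has the same shape and wants the same fix. The `internal_out` chain is the `-o $INTIF` branch Jason asks for in OUTPUT. Note that a fresh `Limit` starts with its burst of five tokens, so the very first SYN to telnet is accepted in the posted layout regardless of the port list.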


