Re: 2 nic setup for firewall machine

To: debian-firewall <debian-firewall@lists.debian.org>
Subject: Re: 2 nic setup for firewall machine
From: Benedict Verheyen <linux4bene@pandora.be>
Date: 14 Feb 2003 23:49:43 +0100
Message-id: <1045262983.2386.11.camel@lancelot.camelot>
In-reply-to: <200302121240.17202.debiansec@berndes.com>
References: <20030211125808.CAFF81F53D@murphy.debian.org> <20030211232237.GA840@iup.edu> <200302121240.17202.debiansec@berndes.com>
Hello,

i have included the changes suggested by Jason and Sven.
The end result is below. It might be interesting for other people
who have a similar setup.

It's basically the same script with these changes:
* i changed the internal_in rules to include imap and smtp
* added an internal_out rule to OUTPUT to allow imap, dhcp and 
  smtp from the firewall to the lan
* removed 4 forward rules and added port 443

One thing that i'm not sure is the internal_out rule. I've changed
the ports on the rule like this:
$IPT -A internal_out -p udp --sport 68 --dport 67 -j ACCEPT
I'm not sure if this is correct. The in rule had --sport 67 --dport 68 
so i figured it's the other way round for the outgoing connection.
Is this correct?
Anway, thanks to the people who have helped me on this.
It's very much appreciated. Only a few more weeks and this script is
going to see some action :)

Thanks!

========================= sript v 0.3 ==============================
#!/bin/sh

# Set variables needed for a 2 interfaces system where interface eth0
gets
# an ip from the isp (cable modem) over dhcp and eth1 is 192.168.0.1 and
serves the LAN with 
# ip's in the range 192.168.0.2-192.168.0.10
IPT=`which iptables`
DEP=`which depmod`
INS=`which insmod`
EXTIF="eth0"
INTIF="eth1"
LO="lo"
LAN="192.168.0.0/24"

# i need to check this list so it's possible it's not up to date. I used
the Dotted Decimal Non-aggregated list
# of http://www.cymru.com/Documents/bogon-dd.html
RESERVED_NET="
        0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
        5.0.0.0/8 \
        7.0.0.0/8 \
        10.0.0.0/8 \
        23.0.0.0/8 \
        27.0.0.0/8 \
        31.0.0.0/8 \
        36.0.0.0/8 37.0.0.0/8 \
        39.0.0.0/8 \
        41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \
        50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
        70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
        74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8
79.0.0.0/8 \
        83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
        88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8
93.0.0.0/8 94.0.0.0/8 \
        95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8
100.0.0.0/8 101.0.0.0/8 \
        102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8
107.0.0.0/8 \
        108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8
113.0.0.0/8 \
        114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8
119.0.0.0/8 \
        120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8
125.0.0.0/8 \
        126.0.0.0/8 127.0.0.0/8 \
        169.254.0.0/16 172.16.0.0/255.240.0.0 \
         192.0.2.0/24 192.168.0.0/16 \
        197.0.0.0/8 198.18.0.0/255.254.0.0 \
        201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"

#Insert necessary modules
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean
$INS ipt_LOG
$INS iptables_nat
$INS ipt_MASQUERADE
$INS ip_nat_ftp

#Clearing any previous configuration
$IPT -F
$IPT -X
$IPT -Z

$IPT -P INPUT DROP
$IPT -F INPUT 
$IPT -P OUTPUT DROP
$IPT -F OUTPUT 
$IPT -P FORWARD DROP
$IPT -F FORWARD 
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Create the rules
$IPT -N inet_in
$IPT -N local_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -N inet_out
$IPT -N local_out

# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Disable spoofing
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter

# Block all echo requests
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Add synflood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Log martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Not accept ICMP redirect messages
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Track nr of connections
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max

# Disable ICMP send_redirect
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects

# Don't accept source routed packets.
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route

# ICMP Broadcasting protection (smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# LooseUDP patch is required by some internet-based games
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

# IP forwarding (need it to perform for example NAT)
# echo "1" > /proc/sys/net/ipv4/ip_forward

# Reduce DoS'ing ability by reducing timeouts
# Defaults:
#           echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
#           echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
#           echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
#           echo 1 > /proc/sys/net/ipv4/tcp_sack
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack

# Set out local port range
# Default echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

# Time To Live (TTL) is the term for a data field in the internet 
# protocol. TTL is today interpreted to indicate the maximum number of 
# routers a packet may transit.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl

# Increase the default queuelength. (Kernel Default: 1024)
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen

# Enable ECN? (Explicit Congestion Notification)
echo "1" > /proc/sys/net/ipv4/tcp_ecn


##############################################################################
### logspoof ####
###############################################################################
$IPT -A logspoof -m limit --limit 3/min -j LOG \ 
     --log-prefix "ip spoofing detected " \
     --log -tcp-sequence --log-level info
$IPT -A logspoof -j DROP

###############################################################################
###  checkspoof ####
###############################################################################
# this ip is used by my isp for something (don't know what) and is send
# every 2 minutes so i do not even want to log this! Annoying isp. 
# It goes to address 224.0.0.1 which is IGMP multicast # network
$IPT -A checkspoof -s 10.95.11.80 -j DROP

## Class A Reserved
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof

## Class B Reserved
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof

## Class C Reserved
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof

## Class D Reserved
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof

## Class E Reserved
$IPT -A checkspoof -s 240.0.0.0/5 -j logspoof

for NET in $RESERVED_NET; do
    $IPT -A checkspoof -s $NET -j logspoof
done

###############################################################################
### inet_in ####
###############################################################################
### allow inside on firewall machine:  ssh, ddt
$IPT -A inet_in -p tcp --dport 22 -j ACCEPT      # allow ssh in
$IPT -A inet_in -p udp --dport 1052 -j ACCEPT    # allow ddt queries in
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j LOG \       
     --log-prefix "inet_in: New not syn:"
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A inet_in -j checkspoof
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
### internal_in ####
###############################################################################
# allow dhcp request to eth1 in, allow ssh to firewall machine from lan,
# allow imap and smtp
$IPT -A internal_in -p tcp --dport 22 -j ACCEPT
$IPT -A internal_in -p tcp --dport 25 -j ACCEPT
$IPT -A internal_in -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A internal_in -p tcp --dport 143 -j ACCEPT


###############################################################################
### local_in ####
###############################################################################
$IPT -A local_in -j ACCEPT

###############################################################################
###  inet_out ####
###############################################################################
### allow outside from firewall machine: ping, dns, proxy of isp (8080),
### dhcp, news, smtp,www, imap, pop3, ftp (+ftpdata), ssh, ddt

### all tcp ports ###
$IPT -A inet_out -p tcp --dport 21 -j ACCEPT        # ftp
$IPT -A inet_out -p tcp --dport 22 -j ACCEPT        # ssh
$IPT -A inet_out -p tcp --dport 25 -j ACCEPT        # smtp
$IPT -A inet_out -p tcp --dport 53 -j ACCEPT        # dns
$IPT -A inet_out -p tcp --dport 80 -j ACCEPT        # www
$IPT -A inet_out -p tcp --dport 110 -j ACCEPT       # pop3
$IPT -A inet_out -p tcp --dport 143 -j ACCEPT       # imap
$IPT -A inet_out -p tcp --dport 1052 -j ACCEPT      # ddt project ports
$IPT -A inet_out -p tcp --dport 8080 -j ACCEPT      # proxy isp

### all udp ports ###
$IPT -A inet_out -p udp --dport 53 -j ACCEPT             # dns
$IPT -A inet_out -p udp --sport 67 --dport 68 -j ACCEPT  # DHCP to isp
$IPT -A inet_out -p udp --dport 1052 -j ACCEPT      # ddt project ports

### all icmp ###
$IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT

###############################################################################
### internal_out ####
###############################################################################
# from FW to lan: imap, dhcp, smtp
$IPT -A internal_out -p tcp --dport 25 -j ACCEPT
$IPT -A internal_out -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A internal_out -p tcp --dport 143 -j ACCEPT

###############################################################################
### local_out ####
###############################################################################
$IPT -A local_out -j ACCEPT

###############################################################################
### INPUT ####
###############################################################################
$IPT -A INPUT -i $EXTIF -j inet_in
$IPT -A INPUT -i $INTIF -j internal_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -p ALL -j LOG \
     --log-prefix "INPUT: dropped packets" 
$IPT -A INPUT -i $EXTIF -p ALL -j DROP

###############################################################################
#### OUTPUT ####
###############################################################################
$IPT -A OUTPUT -o $EXTIF -j inet_out
$IPT -A OUTPUT -o $INTIF -j internal_out
$IPT -A OUTPUT -o $LO -j local_out
$IPT -A OUTPUT -o $EXTIF  -p ALL -j LOG --log-level info \ 
     --log-prefix "OUTPUT: dropped packets"
$IPT -A OUTPUT -o $EXTIF  -p ALL -j DROP

###############################################################################
#### FORWARD ####
###############################################################################

$IPT -A FORWARD -m state --state INVALID -j LOG \
     --log-prefix "FORWARD: invalid packets"
$IPT -A FORWARD -m state --state INVALID -j DROP

### allow forwarding to the net from the lan
# Took it out for more restrictive rules
# $IPT -A FORWARD -o $INTIF -i $EXTIF -d $LAN -s ! $LAN -j ACCEPT

$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 8080 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 0 -j ACCEPT 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 3 -j ACCEPT 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT 
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 11 -j ACCEPT 

### allow forwarding to the lan from the net for established or related
connections
$IPT -A FORWARD -o $EXTIF -i $INTIF -s $LAN -d ! $LAN \
     -m state --state ESTABLISHED,RELATED -j ACCEPT

### log all the rest (i shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL -j LOG --log-level info \ 
     --log-prefix "FORWARD: dropped packets"
$IPT -A FORWARD -p ALL -j DROP

###############################################################################
#### POSTROUTING ####
###############################################################################

$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

========================= sript v 0.3 ==============================

------ 
Benedict Verheyen 
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux
Attachment: signature.asc
Description: Dit berichtdeel is digitaal gesigneerd
Reply to:
Follow-Ups:
- Re: 2 nic setup for firewall machine
  - From: Jason McCarty <bclg@iup.edu>
- Re: 2 nic setup for firewall machine
  - From: IT - Sven Mueller <debiansec@berndes.com>
References:
- Re: Re: 2 nic setup for firewall machine
  - From: "Benedict Verheyen" <linux4bene@pandora.be>
- Re: 2 nic setup for firewall machine
  - From: Jason McCarty <bclg@iup.edu>
- Re: 2 nic setup for firewall machine
  - From: IT - Sven Mueller <debiansec@berndes.com>
Prev by Date: Re: performance of -m multiport
Next by Date: Re: 2 nic setup for firewall machine
Previous by thread: Re: 2 nic setup for firewall machine
Next by thread: Re: 2 nic setup for firewall machine
Index(es):
- Date
- Thread