
Re: correct set-up on a router...



Hi,

I'm new to this list, and apologize for my English.

Vladimir Konrad wrote:
I have a router connected to the internet 24/7 and am setting up a
router/firewall for a department of mathematics:

(maths cloud) --- [router/firewall] --- internet

The routing works, DNS works, but the firewall does not. If I run the
configuration script (included), the SSH session to the router stops
responding after about a minute (until a cron job resets the firewall
to an open one).

I do not see anything in your ruleset that may cause such behaviour. What surprises me is that the SSH session is lost only after a minute and not immediately after the filtering rules are created. I guess it affects only sessions from clients that are located on the internet side. Connections from your network should stay alive due to the accept-all INPUT rule on the eth0 interface. What about other kinds of network traffic to or through the router?

Also, I notice that your ruleset does not take incoming ICMP requests into account. For diagnostic purposes, at least ICMP echo-request (ping) should be accepted. By the way, is it possible that your SSH software uses some kind of ICMP to periodically check that the other end is still alive?

Below are some comments on your ruleset.

[...]
# drop all input packets by default
iptables -P INPUT DROP

# drop all forward packets by default
iptables -P FORWARD DROP

I suppose that the OUTPUT default policy is implicitly set to ACCEPT. Setting it explicitly may be better.
I also suppose that the conntrack module is already loaded.

# loopback:
iptables -A INPUT -i lo -j ACCEPT

# eth0 (the maths side)
# to be changed
iptables -A INPUT -i eth0 -j ACCEPT

# eth1 (the internet side):
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# router daemons
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 346 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 2600 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 2601 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 2604 -j ACCEPT

Have you ever considered grouping together such similar rules in user-defined chains? For example:

iptables -A INPUT -i eth1 -m state --state NEW -j my_chain
iptables -A my_chain -p tcp --dport 346 -j ACCEPT
iptables -A my_chain -p tcp --dport 2600:2601 -j ACCEPT
iptables -A my_chain -p tcp --dport 2604 -j ACCEPT

In this particular case you may also concatenate multiple TCP ports in one single rule using the 'multiport' or 'mport' match if your kernel supports either:

iptables -A INPUT -i eth1 -p tcp -m state --state NEW \
  -m multiport --dports 346,2600,2601,2604 -j ACCEPT

# ssh (all interfaces)
iptables -A INPUT -s <allowed-network>/16 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s <allowed-network>/16 -p udp -m state --state NEW -m udp --dport 22 -j ACCEPT

The UDP rule is useless. SSH only uses TCP.

# forward (routing)

# accept what was already accepted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 22 -j ACCEPT

# http
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT

#https
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT

# smtp
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

# smtp over ssl
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

Same remark as above about UDP. All those protocols only use TCP.
Same remark as above about using user-defined chains and/or mport/multiport match.

Also, are you aware that these rules are bidirectional and allow access from the internet to SSH, HTTP and SMTP services running on *any* machine in your network ?

# jet direct
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 9100 -j ACCEPT

Do you really need to allow a printing protocol between your network and the internet ?

At the end of your ruleset you should consider REJECTing valid but undesired packets instead of DROPping them, in order to remain compliant with the IP specifications and avoid those annoying time-outs and retries resulting from DROP rules or default policies.
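As an added example that is not the original poster's script nor part of the reply above, here is the same router/firewall rebuilt as an iptables-restore file that follows the points made in the reply: an explicit OUTPUT policy, conntrack for replies on every interface, ICMP echo-request accepted, the routing-daemon ports collapsed into one multiport rule inside a user-defined chain, no UDP rules for TCP-only services, FORWARD rules that name both interfaces so nothing is silently bidirectional, and REJECT rather than DROP at the end of INPUT and FORWARD. Everything not in the original post is an assumption: the interface names, the 10.0.0.0/16 internal network, the admin network allowed to SSH to the router, the single routing peer allowed to reach the routing-daemon ports (192.0.2.1, a documentation address), and the one internal mail host reachable from the internet. Any service the router itself offers to the maths side (DNS, if it runs there) needs its own INPUT rule, which this example does not add.

```shell
#!/bin/sh
# Added example (not the original poster's script): the router/firewall as an
# iptables-restore file following the reply's suggestions. Interface names,
# networks, the routing peer and the mail host below are assumptions.

LAN_IF="${LAN_IF:-eth0}"                 # maths side
WAN_IF="${WAN_IF:-eth1}"                 # internet side
LAN_NET="${LAN_NET:-10.0.0.0/16}"        # assumed internal network
ADMIN_NET="${ADMIN_NET:-10.0.0.0/16}"    # assumed network allowed to SSH to the router
ROUTER_PEER="${ROUTER_PEER:-192.0.2.1}"  # assumed routing peer (documentation address)
ROUTER_PORTS="${ROUTER_PORTS:-346,2600,2601,2604}"
MAIL_HOST="${MAIL_HOST:-10.0.1.25}"      # assumed internal SMTP server

# Print the ruleset in iptables-restore format.
gen_ruleset() {
cat <<EOF
*filter
# explicit policies on all three built-in chains, not just INPUT and FORWARD
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:wan_new - [0:0]
:lan_out - [0:0]

# loopback and anything belonging to a known connection, on every interface
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

# ping for diagnostics, rate-limited; ICMP errors for known flows arrive as RELATED
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT

# SSH is TCP only; only the admin network may open new sessions, on any interface
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# new connections from the internet side go through one user-defined chain
-A INPUT -i $WAN_IF -m conntrack --ctstate NEW -j wan_new
-A wan_new -s $ROUTER_PEER -p tcp -m multiport --dports $ROUTER_PORTS -j ACCEPT

# forwarding: replies first, then new flows with both interfaces pinned down
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j lan_out
-A lan_out -p tcp -m multiport --dports 22,25,80,443,465 -j ACCEPT
-A lan_out -p icmp --icmp-type echo-request -j ACCEPT
# inbound from the internet only to the one host that is meant to receive it
-A FORWARD -i $WAN_IF -o $LAN_IF -d $MAIL_HOST -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

# REJECT what is left so the peer gets an answer instead of a timeout
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity check before loading: every rule that admits NEW flows through FORWARD
# must name both interfaces (so nothing is silently bidirectional), and the
# file must end with COMMIT. Exit status 0 means the ruleset passed.
check_ruleset() {
    gen_ruleset | awk '
        /^-A FORWARD/ && /NEW/ && !(/-i / && /-o /) { bad++ }
        /^COMMIT$/ { seen_commit = 1 }
        END { exit ((bad == 0 && seen_commit) ? 0 : 1) }'
}

case "${1:-print}" in
    --apply) check_ruleset && gen_ruleset | iptables-restore ;;   # needs root
    *)       gen_ruleset ;;
esac
```

Run it without arguments to review the generated file, and with `--apply` (as root) to load it atomically through iptables-restore; the check refuses to load a ruleset in which a FORWARD rule for new connections lacks either `-i` or `-o`, which is exactly the mistake the reply points out in the original SSH/HTTP/SMTP forwarding rules.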


