Re: correct set-up on a router...

To: debian-firewall@lists.debian.org
Subject: Re: correct set-up on a router...
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Tue, 10 Jan 2006 20:57:13 +0100
Message-id: <[🔎] 43C41199.7050101@plouf.fr.eu.org>
In-reply-to: <[🔎] 1136913844.1563.23.camel@localhost.localdomain>
References: <[🔎] 1136913844.1563.23.camel@localhost.localdomain>

Hi,

I'm new to this list, and apologize for my English.

Vladimir Konrad a écrit :

i have a router connected to the internet 24/7 and setting up a
router/firewal for a department of mathematics:

(maths cloud) --- [router/firewall] --- internet

the routing works, dns works but firewall does not. if i run the
configuration script (included), ssh session to the router stops
responding after about a minute (until a cron job re-sets the firewall
to open one).

I do not see anything in your ruleset that may cause such behaviour.What surprises me is that the SSH session is lost only after a minuteand not immediately after the filtering rules are created. I guess itaffects only sessions from clients that are located on the internetside. Connections from your network should stay alive due to theaccept-all INPUT rule on the eth0 interface. What about other kinds ofnetwork traffic to or through the router ?

Also, I notice that your ruleset does not take incoming ICMP requestsinto account. For diagnostic purposes, at least ICMP echo-request (ping)should be accepted. By the way, it is possible that your SSH softwareuse some kind of ICMP to periodically check that the other end is stillalive ?


Below are some comments of your ruleset.

[...]

# drop all input packets by default
iptables -P INPUT DROP

# drop all forward packets by default
iptables -P FORWARD DROP

I suppose that the OUTPUT default policy is implicitly set to ACCEPT.Explicitly may be better.

I also suppose that the conntrack module is already loaded.

# loopback:
iptables -A INPUT -i lo -j ACCEPT

# eth0 (the maths side)
# to be changed
iptables -A INPUT -i eth0 -j ACCEPT

# eth1 (the internet side):
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# router daemons
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 346
-j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport
2600 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport
2601 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport
2604 -j ACCEPT

Have you ever considered grouping together such similar rules inuser-defined chains ? For example :


iptables -A INPUT -i eth1 -m state --state NEW -j my_chain
iptables -A my_chain -p tcp --dport 346 -j ACCEPT
iptables -A my_chain -p tcp --dport 2600:2601 -j ACCEPT
iptables -A my_chain -p tcp --dport 2604 -j ACCEPT

In this particular case you may also concatenate multiple TCP ports inone single rule using the 'multiport' or 'mport' match if your kernelsupports either :


iptables -A INPUT -i eth1 -p tcp -m state --state NEW \
  -m multiport --dports 346,2600,2601,2604 -j ACCEPT

# ssh (all interfaces)
iptables -A INPUT -s <allowed-network>/16 -p tcp -m state --state NEW -m
tcp --dport 22 -j ACCEPT
iptables -A INPUT -s <allowed-network>/16 -p udp -m state --state NEW -m
udp --dport 22 -j ACCEPT


The UDP rule is useless. SSH only uses TCP.

# forward (routing)

# accept what was already accepted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 22 -j
ACCEPT

# http
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 80 -j
ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 80 -j
ACCEPT

#https
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 443 -j
ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 443 -j
ACCEPT

# smtp
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 25 -j
ACCEPT

# smtp over ssl
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 465 -j
ACCEPT


Same remark as above about UDP. All those protocols only use TCP.

Same remark as above about using user-defined chains and/ormport/multiport match.

Also, are you aware that these rules are bidirectional and allow accessfrom the internet to SSH, HTTP and SMTP services running on *any*machine in your network ?

# jet direct
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 9100 -j
ACCEPT

Do you really need to allow a printing protocol between your network andthe internet ?

At the end of your ruleset you should consider REJECTing valid butundesired packets instead of DROPping them, in order to remain compliantwith the IP specifications and avoid those annoying time-outs andretries resulting from DROP rules or default policies.

Reply to:

Follow-Ups:
- Re: solved - correct set-up on a router...
  - From: Vladimir Konrad <v.konrad@lse.ac.uk>
- Re: solved - correct set-up on a router...
  - From: Vladimir Konrad <v.konrad@lse.ac.uk>

References:
- correct set-up on a router...
  - From: Vladimir Konrad <v.konrad@lse.ac.uk>

Prev by Date: Re: correct set-up on a router...
Next by Date: can't transfer files via ftp
Previous by thread: Re: correct set-up on a router...
Next by thread: Re: solved - correct set-up on a router...
Index(es):
- Date
- Thread