Hello Sascha
Yes, there are advantages.
I think your first router (the avm-box) has only one ethernet port.
If you decide to set up a DMZ (for your servers) and/or a separate
network for wireless LAN, then it's very useful to have more than one
Ethernet port available in your router.
For example:
[Internet]
|
|
|
[small_routerbox]
|
|
|
[DMZ] --- [Linux Router] --- [Wireless LAN]
|
|
|
[LAN]
The other thing is, if you want to block unknown computers with unknown
MAC addresses or unknown MAC address/IP address combinations and you add
a new host, then you have to add the new rule on every host in your
network.
For example, on my router there is a chain like this:
root@gateway:~# iptables -nvL eth0_MACCHECK
Chain eth0_MACCHECK (3 references)
pkts bytes target prot opt in out source destination
2091 130K RETURN all -- * * 192.168.9.4 0.0.0.0/0 MAC aa:bb:ee:ff:gg:hh
23 1687 RETURN all -- * * 192.168.9.8 0.0.0.0/0 MAC ii:jj:kk:ll:mm:nn
[...]
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `FW: eth0_MACCHECK -j DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
root@gateway:~#
You can see there is "RETURN" instead of "ACCEPT" in the chain above.
And this chain (eth0_MACCHECK) is used in my eth0_INPUT and
eth0_FORWARD chains.
root@gateway:~# iptables -nvL eth0_INPUT
Chain eth0_INPUT (1 references)
pkts bytes target prot opt in out source destination
228 18332 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
7 3784 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
66 5016 eth0_MACCHECK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
66 5016 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `FW: eth0_INPUT -j DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
root@gateway:~#
You can see there is "eth0_MACCHECK" instead of "ACCEPT".
And last but not least, my INPUT chain:
root@gateway:~# iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
54 5958 eth2_INPUT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
249 24910 eth1_INPUT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
404 34536 eth0_INPUT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
56 5698 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `FW: INPUT -j DROP '
root@gateway:~#
Here there is "eth0_INPUT" instead of "ACCEPT".
My forward chains look similar to my input chains, with a few
differences, and the eth0_MACCHECK chain is used in both INPUT and FORWARD.
You can use a brute-force-check chain too, like this:
Chain brute_force_check (2 references)
pkts bytes target prot opt in out source destination
85619 13M all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DEFAULT side: source
52330 7461K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source LOG flags 7 level 4 prefix `FW: brute_force_check '
52330 7461K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
38676 7956K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
I know there could be more security by dropping new packets without
the SYN flag set, and so on.
Perhaps you and/or other people on the list can give me/us some hints
about that.
Best regards
Mario Koppensteiner
On Sat, Mar 03, 2007 at 01:36:19AM -0800, sascha s wrote:
> hey list,
>
> I'm using two routers to set up my internet connection and protect my home network. The first is just a little router from AVM and the second is a PIII with Linux and iptables. Since the second box had some hardware trouble, I'm considering using just the first router and adding the iptables rules to the workstations (also Linux). I don't use any special feature like VPN or something like that. Are there any big advantages of having a dedicated Linux router?
>
> Thanks for help and best regards
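The chain layout Mario describes (INPUT dispatching to a per-interface eth0_INPUT chain, an eth0_MACCHECK chain that RETURNs for known IP/MAC pairs and drops the rest, and a recent-based brute_force_check chain) written out as a script that emits an iptables-restore fragment. This is an added example, not code from the mail; the LAN interface name, host IPs and MAC addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not Mario's own script: emit an iptables-restore fragment
# that reproduces the chain layout of the mail (INPUT -> eth0_INPUT ->
# eth0_MACCHECK, plus brute_force_check). IPs and MACs are constructed.
LAN_IF="eth0"
KNOWN_HOSTS="192.168.9.4 00:11:22:33:44:55
192.168.9.8 00:11:22:33:44:66"
mac_check_rules() {
  # RETURN (not ACCEPT) for each known IP/MAC pair, so the calling chain's
  # service rules still decide; everything else is logged and dropped.
  echo "$KNOWN_HOSTS" | while read -r ip mac; do
    [ -n "$ip" ] || continue
    echo "-A ${LAN_IF}_MACCHECK -s $ip -m mac --mac-source $mac -j RETURN"
  done
  echo "-A ${LAN_IF}_MACCHECK -j LOG --log-prefix \"FW: ${LAN_IF}_MACCHECK -j DROP \""
  echo "-A ${LAN_IF}_MACCHECK -j DROP"
}
brute_force_rules() {
  # --set records every new connection; once a source has 4 hits within
  # 60 s, --update matches and the packet is logged and dropped (and the
  # timestamp refresh keeps a persistent source blocked while it retries).
  r="-A brute_force_check -m state --state NEW -m recent"
  echo "$r --set"
  echo "$r --update --seconds 60 --hitcount 4 -j LOG --log-prefix \"FW: brute_force_check \""
  echo "$r --update --seconds 60 --hitcount 4 -j DROP"
  echo "-A brute_force_check -j RETURN"
}
iface_input_rules() {
  c="-A ${LAN_IF}_INPUT"
  echo "$c -m state --state RELATED,ESTABLISHED -j ACCEPT"
  # DHCP requests come from 0.0.0.0, so they cannot match an IP/MAC pair
  # and must be accepted before the check (as in the original chain).
  echo "$c -p udp --dport 67 -j ACCEPT"
  echo "$c -j ${LAN_IF}_MACCHECK"
  echo "$c -p tcp --dport 22 -j brute_force_check"
  echo "$c -p tcp --dport 22 -j ACCEPT"
  echo "$c -j LOG --log-prefix \"FW: ${LAN_IF}_INPUT -j DROP \""
  echo "$c -j DROP"
}
ruleset() {
  printf '*filter\n:INPUT DROP [0:0]\n:%s_INPUT - [0:0]\n' "$LAN_IF"
  printf ':%s_MACCHECK - [0:0]\n:brute_force_check - [0:0]\n' "$LAN_IF"
  mac_check_rules; brute_force_rules; iface_input_rules
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -i $LAN_IF -j ${LAN_IF}_INPUT"
  echo "COMMIT"
}
ruleset
```

Redirect the output to a file and load it with `iptables-restore < file`; adding a host means editing KNOWN_HOSTS on the router only, which is the point of keeping the check in one chain on one box.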