Routing with iptables [was: Routing, Bridging and VPN]

To: debian-user-list <debian-user@lists.debian.org>
Subject: Routing with iptables [was: Routing, Bridging and VPN]
From: Michael Przysucha <mp@abi-2k3.net>
Date: Sun, 19 Feb 2006 17:38:02 +0100
Message-id: <[🔎] 20060219164210.CE35B148027@sedanet0.sedan.uos.de>
Reply-to: mp@abi-2k3.net

Hello,

I had posted earlier and got good hints. But for keeping it simple I want to do the setup only with iptables.

I have the following Interfaces:

eth0: ADSL-Modem connected and dail-up connection with pppoe package
eth2: LAN connected with 192.168.1.0/24
tun0: VPN tunnel with 131.173.0.0/16 and 172.16.0.0/12 at the end, Interface gets an public IP by Gateway

I have tried to set up the rules wit some safety restrictions and avoiding to set up a cirle-route. Can anyone give me a 
hint if ths is ok at all?
I need to make all changes in theory first, the router can only be disabeld for short time.

Thanks in advance,
Michael Przysucha




The rules: (with remarks)


# used interfaces 
#
# eth0 - Internet interface via PPPoE
# eth1 - not in use
# eth2 - Intranet
# tun0 - VPN Tunnel to HoNOs (campus network)
# 
#============================================================ 
# port remarks
# 
# 666 - alternativ-SSH-port (hiding the system)
# 
# 
#============================================================
# preparing rules
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD DROP
-F INPUT
-F OUTPUT
-F FORWARD
-F TRUSTED
-X TRUSTED
-N TRUSTED

# Interfaces for I-Net
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i tun0 -j REDIRECT

# masquerading of packages
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE

# avoiding circle-route
-A REDIRECT -i tun0 -d ! 192.168.1.0/255.255.255.0 -j DROP
-A REDIRECT -i eth0 -d ! 192.168.1.0/255.255.255.0 -j DROP

# important ports to be forewarded/opend
-A REDIRECT -i eth0 -p tcp -m multiport --dports 80,666 DNAT --to-destination 192.168.1.254
-A REDIRECT -i tun0 -p tcp -m multiport --dports 80,666 DNAT --to-destination 192.168.1.254

# important safety-rules during iptables-rebuild
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 23 -j DROP

-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 23 -j DROP

# every client within the local zone is allowed to acces every port on the router
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 0-65535 -j DROP


# outgoing rules for clients
# is MARK recommended?
-A PREROUTING -s 192.168.1.0/255.255.255.0 -i eth2 -j REDIRECT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d ! 131.173.0.0/255.255.0.0 -o eth0 -j MARK --set-mark 0x4
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 131.173.0.0/255.255.0.0 -o tun0 -j MARK --set-mark 0x4

# incomming rules for clients
# is MARK recommended?
-A POSTROUTING -s ! 131.173.0.0/255.255.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j MARK --set-mark 0x3
-A POSTROUTING -s 131.173.0.0/255.255.0.0 -d 192.168.1.0/255.255.255.0 -i tun0 -j MARK --set-mark 0x3



# ping abuse on tun0
-A INPUT -m state --state NEW -j TRUSTED
-A TRUSTED -i tun0 -p icmp -m icmp --icmp-type 8 -j DROP
-A TRUSTED -i tun0 -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable

# closing all open ports to the outside
-P INPUT DROP

Reply to:

Prev by Date: Re: OT: What wireless cards are well supported in Linux?
Next by Date: Re: Why does aptitude do this?
Previous by thread: Re: fetchmail broken after etch update - a kludgy fix
Next by thread: wine 3d very very slow, toolchain problem?
Index(es):
- Date
- Thread