
#1 2010-09-05 14:28:50

hexen
Member
Registered: 2010-07-24
Posts: 1

Help with iptables config improving

I need some help with my iptables config. This configuration runs on my router (gateway) PC, and everything has worked fine for about 6 months. I want to stop using a hardware router completely, in favor of a flexible configuration on a Linux PC.
You may call it paranoia, but I want to sleep well, knowing that everything is under normal defence, no worse than with a hardware router.
The config is not too big. If someone can help me improve it, that would be great.

ppp0 - internet
eth1 - provider network
eth0 - local network

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT

# port forwarding to local PC's
-A PREROUTING -p tcp -m tcp --dport 51465 -j DNAT --to-destination 192.168.1.3:51465 
-A PREROUTING -p tcp -m tcp --dport 51465 -j DNAT --to-destination 192.168.1.2:51465

# provide access to internet and provider network 
-A POSTROUTING -o eth1 -j MASQUERADE 
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

# 
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:icmp-in - [0:0]

# IPTV from provider, allow
-A INPUT -p igmp -j ACCEPT 
-A INPUT -d 224.0.0.0/4 -i eth1 -j ACCEPT 
-A INPUT -s 224.0.0.0/4 -i eth1 -j ACCEPT

# allow connection in local network 
-A INPUT -s 192.168.1.0/24 -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT 

# pptp
-A INPUT -i eth1 -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# to local host
-A INPUT -i lo -j ACCEPT 

# allow already established connection
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# local samba
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT 
-A INPUT -i eth0 -p udp -m udp --dport 445 -j ACCEPT

# ftp 
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 21 -j ACCEPT

# for l2tp/pptp 
-A INPUT -i ppp0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1194 -j ACCEPT

# to prevent some scans
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -i eth1 -p udp -m udp --dport 138 -j DROP 
-A INPUT -i ppp0 -p udp -m udp --dport 138 -j DROP 
-A INPUT -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable

# dhcp (dnsmasq and dhcp server works only for local interface) 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# port forwarding
-A FORWARD -d 192.168.1.3/32 -p tcp -m tcp --dport 51465 -j ACCEPT 
-A FORWARD -d 192.168.1.2/32 -p tcp -m tcp --dport 51465 -j ACCEPT

# IPTV again, multicast
-A FORWARD -d 224.0.0.0/4 -j ACCEPT 
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
 
# for already established
-A FORWARD -s 192.168.1.0/24 -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.1.0/24 -i ppp0 -m state --state ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.1.0/24 -i eth1 -m state --state ESTABLISHED -j ACCEPT

# IGMP, udpxy share IPTV from eth1 to local network 
-A OUTPUT -p igmp -j ACCEPT
#  
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 

# outband connections accept
-A OUTPUT -p icmp -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 0:65535 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 0:65535 -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -o eth1 -p gre -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --sport 137:139 -j ACCEPT 
-A OUTPUT -o eth0 -p udp -m udp --sport 137:139 -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --sport 445 -j ACCEPT 
-A OUTPUT -o eth0 -p udp -m udp --sport 445 -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP 
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A OUTPUT -p udp -j ACCEPT
# 
-A icmp-in -p icmp -m state --state NEW -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable 
-A icmp-in -p icmp -m state --state NEW -m icmp --icmp-type 11 -j REJECT --reject-with icmp-port-unreachable 
-A icmp-in -p icmp -m state --state NEW -m icmp --icmp-type 3 -j REJECT --reject-with icmp-port-unreachable 
COMMIT

and this MTU fix, applied after everything is loaded:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1500 -j TCPMSS --clamp-mss-to-pmtu -o ppp0

Last edited by hexen (2010-09-05 14:40:12)


#2 2010-09-05 16:37:25

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: Help with iptables config improving

there is a nice iptables tutorial in the wiki (check for stateful firewall)

good luck though



#3 2010-09-05 23:04:30

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Help with iptables config improving

I like to make new chains for the different vectors of traffic. eg:

-A FORWARD -i eth0 -o eth1 -m state --state NEW -j call_LAN_NET
-A FORWARD -i eth0 -o ppp0 -m state --state NEW -j call_LAN_NET
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j call_NET_LAN
-A FORWARD -i ppp0 -o eth0 -m state --state NEW -j call_NET_LAN

-A INPUT -i eth0 -m state --state NEW -j call_LAN_BOX
-A INPUT -i eth1 -m state --state NEW -j call_NET_BOX
-A INPUT -i ppp0 -m state --state NEW -j call_NET_BOX

-A call_LAN_BOX -p tcp -m tcp --dport 137:139 -j ACCEPT 
-A call_LAN_BOX -p udp -m udp --dport 137:139 -j ACCEPT 
-A call_LAN_BOX -p tcp -m tcp --dport 445 -j ACCEPT 
-A call_LAN_BOX -p udp -m udp --dport 445 -j ACCEPT
-A call_LAN_BOX -j REJECT

You should also allow some specific ICMP packets such as TTL-EXCEEDED (type 11), DESTINATION-UNREACHABLE (type 3) and FRAGMENTATION-NEEDED (type 3 code 4). Allowing ECHO-REQUEST and ECHO-REPLY is also a good idea IMHO. The days of ICMP threats are past. Besides, you're currently REJECTING them, so anyone trying to enumerate will still get packets back. Rate-limit it if you want to be paranoid:

-A icmp-in -m limit --limit 4/sec -p icmp --icmp-type echo-request -j ACCEPT
-A icmp-in -p icmp --icmp-type echo-request -j DROP


#4 2010-09-06 14:12:47

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Help with iptables config improving

If you have a "normal" router running Linux and you have access to a telnet login, you can also look at the rules it uses as an example.


