#1 2022-09-04 18:08:24

herOldMan
Member
Registered: 2013-10-11
Posts: 151

<solved>Arch Router - Iptables necessary & sufficient rules

Hi,

As a weekend project I have configured a router using the Wiki Router page instructions.

Works great. It has no exposed services as recommended and is reasonably secretive when subjected to an Nmap scan from the WAN side (nmap -T4 -A -vv -oX ).

For the iptables rules, I have used the basic rules detailed on the Internet sharing Wiki page. As suggested, I am now focused on the Router Wiki's statement: Since it is facing the public Internet, it makes sense to additionally secure it using a Simple stateful firewall.

I have reviewed the Internet Sharing, Iptables, and Simple stateful firewall Wiki pages and have added additional rules:

# LAN CIDR: 192.168.2.0/24

export WAN=enp1s0
export LAN=enp2s0

# Forward port 22 to LAN device at 192.168.2.20 
iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 22 -j DNAT --to-destination 192.168.2.20:22
iptables -A FORWARD -p tcp -d 192.168.2.20 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Basic internet sharing rules
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# *** Additional rules ***

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p TCP ! -i $LAN -d 0/0 --dport 0:86 -j DROP 
iptables -A INPUT -p UDP ! -i $LAN -d 0/0 --dport 88:1023 -j DROP

My additional rules are, no doubt, misguided.

Are any of them unnecessary?  Are they inadequate or improperly ordered?

Last edited by herOldMan (2022-09-06 22:51:00)


#2 2022-09-04 19:21:07

TadaenSylvermane
Member
Registered: 2014-01-24
Posts: 34

Re: <solved>Arch Router - Iptables necessary & sufficient rules

https://gitlab.com/jmgibson1981/homescr … erouter.sh

This is a script I had written to set up the rules on boot for a router, in my case it was Debian. It worked out well enough but I have no doubt it can be improved. Everything seemed to work ok except the dual wan part, that was a bit squirrelly. This was based on having a local http transparent squid, dnsmasq for dhcp & dns, and ability to ssh into the box. I added some of the sources in the head of it but I'm sure there are some I missed. I did a lot of googling to get that far. It may give you an idea of what you need. Pretty sure I chased out everything that was totally unnecessary.


#3 2022-09-05 08:31:52

-thc
Member
Registered: 2017-03-15
Posts: 496

Re: <solved>Arch Router - Iptables necessary & sufficient rules

herOldMan wrote:
# Forward port 22 to LAN device at 192.168.2.20 
iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 22 -j DNAT --to-destination 192.168.2.20:22
iptables -A FORWARD -p tcp -d 192.168.2.20 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This makes sense if ssh is only bound to enp2s0/192.168.2.20. If ssh is configured to listen on any interface (default) this port forwarding is unnecessary.

herOldMan wrote:
# Basic internet sharing rules
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I would change the order of the FORWARD rules.

herOldMan wrote:
# *** Additional rules ***

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p TCP ! -i $LAN -d 0/0 --dport 0:86 -j DROP 
iptables -A INPUT -p UDP ! -i $LAN -d 0/0 --dport 88:1023 -j DROP

Did you actually read the Arch wiki article? Did you understand the underlying concept (everything is blocked until explicitly allowed)? You have no policy rules and only one forward accept rule. Why those strange drop rules?

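The ruleset -thc is pointing at (default-deny policies, the conntrack short-circuit first, then the explicit allows, then the port-22 DNAT), as an added example that is not part of this thread or of the Arch wiki: a POSIX sh function that emits an iptables-restore file for the setup in the first post, plus a small check for the FORWARD ordering. The interface names, LAN CIDR and the 192.168.2.20 target come from the original post; the function names, the decision to accept everything arriving on the LAN interface into the router itself, and the default values are this example's own assumptions. It covers IPv4 only; an IPv6-capable WAN needs the same FORWARD policy in ip6tables.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore file for
# the router in the first post: default-DROP INPUT/FORWARD, conntrack
# short-circuit first, then the explicit allows, then the port-22 DNAT.
# Assumed names: gen_router_rules, forward_order_ok (this example's own).
# IPv4 only; an IPv6 WAN needs the same FORWARD policy in ip6tables.

gen_router_rules() {
  wan="$1"         # WAN interface, e.g. enp1s0
  lan="$2"         # LAN interface, e.g. enp2s0
  lan_net="$3"     # LAN CIDR, e.g. 192.168.2.0/24
  ssh_target="$4"  # LAN host receiving forwarded port 22, e.g. 192.168.2.20
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport 22 -j DNAT --to-destination $ssh_target:22
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -p tcp -d $ssh_target --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin and returns 0 when, in FORWARD, the
# RELATED,ESTABLISHED accept precedes the first interface-based accept
# (the order the Arch wiki uses and -thc recommends), 1 otherwise.
forward_order_ok() {
  awk '
    /^-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT/ { if (!est) est = NR }
    /^-A FORWARD -i [^ ]+ -o [^ ]+ .*-j ACCEPT/                       { if (!ifc) ifc = NR }
    END { exit !(est && ifc && est < ifc) }
  '
}

# Stand-alone use: print the ruleset, e.g. to pipe into iptables-restore.
gen_router_rules "${WAN:-enp1s0}" "${LAN:-enp2s0}" "${LAN_NET:-192.168.2.0/24}" "${SSH_TARGET:-192.168.2.20}"
```

Because the RELATED,ESTABLISHED accept sits first, the DNAT's FORWARD rule only needs to admit NEW, which is the one state the original three-state rule actually relied on. The output can be syntax-checked without touching the running tables with `iptables-restore --test` (as root), and applied with `iptables-restore`; with default-DROP policies on INPUT, make sure the LAN accept is present before loading it over an SSH session to the router.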

#4 2022-09-05 14:01:56

herOldMan
Member
Registered: 2013-10-11
Posts: 151

Re: <solved>Arch Router - Iptables necessary & sufficient rules

Thanks,

My interpretation of the -thc post is: my setup is intrinsically simple and none of my additional rules are required to additionally secure the router. This makes sense to me and was my first impression (the quote from the Router Wiki page concerning further securing pinched my paranoia nerve). I removed my additional rules.

I swapped the order of the forward rules as suggested.

I need both rules for inbound connections to port 22 on the internal LAN device at 192.168.2.20. The service is bound to a specific interface.

Perhaps I now have a necessary and sufficient rule set.

I will await further input for a short while before marking this question solved.



The script linked by TadaenSylvermane is impressive. My setup is much less functional by design... but I will explore further the creation of a WIFEWORKGW subnet.

Last edited by herOldMan (2022-09-05 14:06:32)


#5 2022-09-05 15:07:35

TadaenSylvermane
Member
Registered: 2014-01-24
Posts: 34

Re: <solved>Arch Router - Iptables necessary & sufficient rules

Eh, that was just because our internet out here was quite bad so I had a second ISP. One was far more reliable than the other so I was forcing her traffic plus my other few priorities to the good isp.

Last edited by TadaenSylvermane (2022-09-05 15:08:28)
