You are not logged in.

#1 2022-09-04 18:08:24

herOldMan
Member
Registered: 2013-10-11
Posts: 132

<solved>Arch Router - Iptables necessary & sufficient rules

Hi,

As a weekend project I have configured a router using the Wiki Router page instructions.

Works great. It has no exposed services as recommended and is reasonably secretive when subjected to an Nmap scan from the WAN side (nmap -T4 -A -vv -oX ).

For the iptables rules, I have used the basic rules detailed on the Internet sharing Wiki page. As suggested, I am now focused on the Router Wiki's statement: Since it is facing the public Internet, it makes sense to additionally secure it using a Simple stateful firewall.

I have reviewed the Internet Sharing, Iptables, and Simple stateful firewall WIKI pages and have added additional rules:

# LAN CIDR: 192.168.2.0/24

export WAN=enp1s0
export LAN=enp2s0

# Forward port 22 to LAN device at 192.168.2.20 
iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 22 -j DNAT --to-destination 192.168.2.20:22
iptables -A FORWARD -p tcp -d 192.168.2.20 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Basic internet sharing rules
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# *** Additional rules ***

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p TCP ! -i $LAN -d 0/0 --dport 0:86 -j DROP 
iptables -A INPUT -p UDP ! -i $LAN -d 0/0 --dport 88:1023 -j DROP

My additional rules are, no doubt, misguided.

Are any of them unnecessary?  Are they inadequate or improperly ordered?

Last edited by herOldMan (2022-09-06 22:51:00)

Offline

#2 2022-09-04 19:21:07

TadaenSylvermane
Member
Registered: 2014-01-24
Posts: 24

Re: <solved>Arch Router - Iptables necessary & sufficient rules

https://gitlab.com/jmgibson1981/homescr … erouter.sh

This is a script I had written to set up the rules on boot for a router, in my case it was Debian. It worked out well enough but I have no doubt it can be improved. Everything seemed to work ok except the dual wan part, that was a bit squirrelly. This was based on having a local http transparent squid, dnsmasq for dhcp & dns, and ability to ssh into the box. I added some of the sources in the head of it but I'm sure there are some I missed. I did a lot of googling to get that far. It may give you an idea of what you need. Pretty sure I chased out everything that was totally unnecessary.

Offline

#3 2022-09-05 08:31:52

-thc
Member
Registered: 2017-03-15
Posts: 230

Re: <solved>Arch Router - Iptables necessary & sufficient rules

herOldMan wrote:
# Forward port 22 to LAN device at 192.168.2.20 
iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 22 -j DNAT --to-destination 192.168.2.20:22
iptables -A FORWARD -p tcp -d 192.168.2.20 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This makes sense if ssh is only bound to enp2s0/192.168.2.20. If ssh is configured to listen on any interface (default) this port forwarding is unnecessary.

herOldMan wrote:
# Basic internet sharing rules
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I would change the order of the FORWARD rules.

herOldMan wrote:
# *** Additional rules ***

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p TCP ! -i $LAN -d 0/0 --dport 0:86 -j DROP 
iptables -A INPUT -p UDP ! -i $LAN -d 0/0 --dport 88:1023 -j DROP

Did you actually read the Arch wiki article? Did you understand the underlying concept (everything is blocked until explicitly allowed)? You have no policy rules and only one forward accept rule. Why those strange drop rules?

Offline

#4 2022-09-05 14:01:56

herOldMan
Member
Registered: 2013-10-11
Posts: 132

Re: <solved>Arch Router - Iptables necessary & sufficient rules

Thanks,

My interpretation of the thc post is: my setup is intrinsically simple and none of my additional rules are required to additionally secure the router. This makes sense to me and was my first impression (the quote from the router WIKI page concerning further securing pinched my paranoia nerve). I removed my additional rules.

I swapped the order of the forward rules as suggested.

I need both rules for inbound connections to port 22 on the internal LAN device at 192.168.2.20. The service is bound to a specific interface.

Perhaps I now have a necessary and sufficient rule set.

I will await further input for a short while before marking this question solved.



The script linked by TadaenSylvermane is impressive. My setup is much less functional by design... but I will explore further the creation of a WIFEWORKGW subnet.

Last edited by herOldMan (2022-09-05 14:06:32)

Offline

#5 2022-09-05 15:07:35

TadaenSylvermane
Member
Registered: 2014-01-24
Posts: 24

Re: <solved>Arch Router - Iptables necessary & sufficient rules

Eh, that was just because our internet out here was quite bad so I had a second ISP. One was far more reliable than the other so I was forcing her traffic plus my other few priorities to the good isp.

Last edited by TadaenSylvermane (2022-09-05 15:08:28)

Offline

Board footer

Powered by FluxBB