I need some help with my iptables config. This configuration works on my router (gateway) PC; everything has worked fine for about 6 months. I want to fully stop using a hardware router, in favor of a flexible configuration on a Linux PC.
So you may call it paranoia, but I want to sleep well, knowing that everything is under normal defence, no worse than with a hardware router.
The config is not too big. If someone can help me improve it, that would be great.
*ppp0 - internet
eth1 - provider network
eth0 - local network
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
# port forwarding to local PC's
-A PREROUTING -p tcp -m tcp --dport 51465 -j DNAT --to-destination 192.168.1.3:51465
-A PREROUTING -p tcp -m tcp --dport 51465 -j DNAT --to-destination 192.168.1.2:51465
# provide access to internet and provider network
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
#
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:icmp-in - [0:0]
# IPTV from provider, allow
-A INPUT -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth1 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth1 -j ACCEPT
# allow connection in local network
-A INPUT -s 192.168.1.0/24 -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
# pptp
-A INPUT -i eth1 -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
# to local host
-A INPUT -i lo -j ACCEPT
# allow already established connection
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# local samba
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 445 -j ACCEPT
# ftp
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 21 -j ACCEPT
# for l2tp/pptp
-A INPUT -i ppp0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1194 -j ACCEPT
# to prevent some scans
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 138 -j DROP
-A INPUT -i ppp0 -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
# dhcp (dnsmasq and dhcp server works only for local interface)
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# port forwarding
-A FORWARD -d 192.168.1.3/32 -p tcp -m tcp --dport 51465 -j ACCEPT
-A FORWARD -d 192.168.1.2/32 -p tcp -m tcp --dport 51465 -j ACCEPT
# IPTV again, multicast
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
# for already established
-A FORWARD -s 192.168.1.0/24 -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i ppp0 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i eth1 -m state --state ESTABLISHED -j ACCEPT
# IGMP, udpxy share IPTV from eth1 to local network
-A OUTPUT -p igmp -j ACCEPT
#
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# outband connections accept
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 0:65535 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 0:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -o eth1 -p gre -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 137:139 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 137:139 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 445 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 445 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -p udp -j ACCEPT
#
-A icmp-in -p icmp -m state --state NEW -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A icmp-in -p icmp -m state --state NEW -m icmp --icmp-type 11 -j REJECT --reject-with icmp-port-unreachable
-A icmp-in -p icmp -m state --state NEW -m icmp --icmp-type 3 -j REJECT --reject-with icmp-port-unreachable
COMMIT
and this MTU fix, after everything is loaded:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1500 -j TCPMSS --clamp-mss-to-pmtu -o ppp0
Last edited by hexen (2010-09-05 14:40:12)
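As an added example (not part of the thread), a small Python linter for an iptables-save dump that flags three pitfalls of the kind visible in the ruleset above: a later rule whose match is identical to an earlier terminating rule (the second PREROUTING DNAT for port 51465 can never fire), a rule repeated verbatim, and a user chain such as icmp-in that nothing jumps to. The sample dump is a constructed excerpt modelled on that ruleset.

```python
"""Lint an iptables-save dump for shadowed rules, duplicate rules and dead chains."""
import re

# Constructed excerpt modelled on the thread's ruleset (not the full file).
SAMPLE = """\
*nat
:PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 51465 -j DNAT --to-destination 192.168.1.3:51465
-A PREROUTING -p tcp -m tcp --dport 51465 -j DNAT --to-destination 192.168.1.2:51465
COMMIT
*filter
:INPUT DROP
:icmp-in - [0:0]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp-in -p icmp -m icmp --icmp-type 8 -j REJECT
COMMIT
"""

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Targets after which no later rule in the chain is evaluated for that packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE"}
RULE = re.compile(r"-A (\S+) (.*?)(?: -j (\S+).*)?$")

def lint(dump):
    """Return (line_no, message) findings; line 0 marks whole-file findings."""
    findings, table = [], None
    seen = {}            # (table, chain, match) -> (line_no, full line, target)
    declared, jumped = set(), set()
    for n, line in enumerate(dump.splitlines(), 1):
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chain = line[1:].split()[0]
            if chain not in BUILTIN:
                declared.add((table, chain))
        elif line.startswith("-A "):
            chain, match, target = RULE.match(line).groups()
            if target:
                jumped.add((table, target))
            key = (table, chain, match)
            if key in seen:
                first_no, first_line, first_target = seen[key]
                if first_line == line:
                    findings.append((n, f"duplicate of line {first_no} in {table}/{chain}"))
                elif first_target in TERMINATING:
                    findings.append((n, f"shadowed by line {first_no} in {table}/{chain}"))
            else:
                seen[key] = (n, line, target)
    for t, c in sorted(declared - jumped):
        findings.append((0, f"chain {c} in {t} is declared but never jumped to"))
    return findings
```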
There is a nice iptables tutorial in the wiki (check for "stateful firewall").
Good luck though.
I like to make new chains for the different vectors of traffic, e.g.:
-A FORWARD -i eth0 -o eth1 -m state --state NEW -j call_LAN_NET
-A FORWARD -i eth0 -o ppp0 -m state --state NEW -j call_LAN_NET
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j call_NET_LAN
-A FORWARD -i ppp0 -o eth0 -m state --state NEW -j call_NET_LAN
-A INPUT -i eth0 -m state --state NEW -j call_LAN_BOX
-A INPUT -i eth1 -m state --state NEW -j call_NET_BOX
-A INPUT -i ppp0 -m state --state NEW -j call_NET_BOX
-A call_LAN_BOX -p tcp -m tcp --dport 137:139 -j ACCEPT
-A call_LAN_BOX -p udp -m udp --dport 137:139 -j ACCEPT
-A call_LAN_BOX -p tcp -m tcp --dport 445 -j ACCEPT
-A call_LAN_BOX -p udp -m udp --dport 445 -j ACCEPT
-A call_LAN_BOX -j REJECT
You should also allow some specific ICMP packets such as TTL-EXCEEDED (type 11), DESTINATION-UNREACHABLE (type 3) and FRAGMENTATION-NEEDED (type 3, code 4). Allowing ECHO-REQUEST and ECHO-REPLY is also a good idea IMHO. The days of ICMP threats are past. Besides, you're currently REJECTING them, so anyone trying to enumerate will still get packets back. Rate-limit it if you want to be paranoid:
-A icmp-in -m limit --limit 4/sec -p icmp --icmp-type echo-request -j ACCEPT
-A icmp-in -p icmp --icmp-type echo-request -j DROP
If you have a "normal" router running Linux and you have access to a telnet login, you can also look at the rules it uses as an example.
R00KIE