This is a continuation of the articles “using iptables on your linux router“ and “how to setup your slackware linux box as a router“. This is the script that I'm pretty much finished with, and an explanation of how it works.
This is a basic diagram of my network setup. Crossover cables are denoted with ‘C’. It does not represent the actual spacing between items at all; for instance, PC2 is about 100ft away from the hub, while the hub sits right on top of the server.
[Network diagram; the labels it carried:]
Eth1 network (192.168.10.0): very untrusted. Only ports 80 and 22 are allowed; PC1 can also be allowed the Samba ports.
Eth2 network (192.168.1.0): very trusted. All packets are passed straight through.
This is a flow chart that explains how the firewall handles packets.
After making all this I realized that the real order is different: a packet is first checked to see if it is from PC3, then to see if it came in on eth1, and only then goes to the FIREWALL table to see if it is established/related, assuming it got that far. If it came in on eth1 it has already gone to NETTWO. So please realize that the diagram above is not exactly like my script, just very similar.
For simplicity I don't include the “FIREWALL” table, which just accepts all local loopback and then goes to the TRUSTED table. Really I should eliminate the “FIREWALL” table; feel free to. The “NETTWO” table is dedicated to the insecure network: it only allows ports 80 and 22, plus PC1, and PC1 is also pretty restricted. The “NETTWO” table hooks into the wifi router, which I am VERY wary of, so I do further security on that router; it's just an old Linksys wireless router, actually the old router that I replaced with my linux box.
Anyway, without further ado, here is the actual script.
#!/bin/bash
RETVAL=0
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# start the firewall
start() {
    # set all default behaviour to accept
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # create new chains for firewall and trusted filtering
    iptables -N FIREWALL
    iptables -N TRUSTED
    iptables -N NETTWO    # temp? table for the subnetwork of wifi, luis and the garage computer

    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    iptables -A LOG_DROP -j DROP

    # allow established and related incoming connections only
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow self communication (the -o lo rule can never match on the INPUT path,
    # but it is harmless because the OUTPUT policy is ACCEPT)
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    # send all packets to the trusted chain
    iptables -A FIREWALL -j TRUSTED
    # drop all other packets
    iptables -A FIREWALL -j LOG_DROP

    ############################
    # Prerouting, to speed up things
    ############################
    # give the ubuntu pc a green light to do whatever, completely trusted! (to firewall only)
    # ubuntu pc is connected to eth2 and has static ip of 192.168.1.11
    iptables -A INPUT -j ACCEPT -p all -s 192.168.1.11 -i eth2
    iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.11 -o eth2
    # for the subnetwork that has luis and wifi we send it to its own table
    # (NETTWO ends in DROP, so eth1 packets never get to FIREWALL/TRUSTED below)
    iptables -A INPUT -i eth1 -j NETTWO
    # send all input packets to the firewall chain
    iptables -A INPUT -j FIREWALL

    ############################
    # Begin Forward Table and Inet sharing
    ############################
    # forward all traffic coming from eth1 to eth0 (make all eth1's stuff go to the net)
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    # forward only established or related connections from eth0 to eth1 (so only stuff a local lanputer has started)
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # same as above but for eth2 (gigabit connection)
    iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # forward all sof2mp test stuff to this computer (take all connections to server)
    # note: these two rules only see traffic if a nat PREROUTING DNAT rule (like the one in dumb()) sends it to eth2
    iptables -A FORWARD -i eth0 -o eth2 -p udp -m udp --dport 20100:20112 -j ACCEPT
    # broadcast the sof2 mp test server
    iptables -A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 20100:20112 -j ACCEPT
    # any packets that get to this point are logged then dropped
    iptables -A FORWARD -j LOG_DROP
    # masquerade the ip's so they look like they are "all from one" machine
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # turn forwarding on "tell the kernel"
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ############################
    # network two routing table, for subnetwork with luis and wifi
    # only port 80 and 22 are allowed, the rest are logged/dropped
    ############################
    iptables -A NETTWO -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A NETTWO -p tcp -m tcp --dport 22 -j ACCEPT
    #iptables -A NETTWO -m mac --mac-source "pc2's mac" -p tcp -m tcp --dport 137:139 -j ACCEPT
    #iptables -A NETTWO -m mac --mac-source "pc2's mac" -j ACCEPT
    iptables -A NETTWO -j LOG --log-prefix '[NETTWO DROP] : '
    iptables -A NETTWO -j DROP

    ############################
    # Begin Trusted Table
    ############################
    # Allow http, the eth+ defines "all" ethernet devices (eth0 included, so the web server is reachable from the net)
    iptables -A TRUSTED -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
    # Allow https (note: -o never matches on the INPUT path, so these two rules are no-ops;
    # outgoing https works anyway because the OUTPUT policy is ACCEPT)
    iptables -A TRUSTED -o eth0 -p udp -m udp --dport 443 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
    # Allow SSH
    iptables -A TRUSTED -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
    # sof II test
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20100 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 20100 -j ACCEPT
    # Nexuiz
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 26000 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 26000 -j ACCEPT
    # teamspeak
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 8767 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 8767 -j ACCEPT
    # allow samba server for print and files to local nics only
    # (eth1 traffic was already diverted to NETTWO in INPUT, so only the eth2 rules actually take effect here)
    iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
    iptables -A TRUSTED -i eth2 -p tcp -m tcp --dport 137:139 -j ACCEPT
    iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
    iptables -A TRUSTED -i eth2 -p tcp -m tcp --dport 445 -j ACCEPT
    # log and drop all packets going through the trusted chain that make it this far
    iptables -A TRUSTED -j LOG_DROP

    # end message
    echo "- Iptables Script ran, security enabled"
    RETVAL=0
}

# open everything and forward everything
dumb() {
    # set all default behaviour to accept (with FORWARD on ACCEPT the rules below are
    # really just documentation; everything gets forwarded regardless)
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # now forward everything
    # forward all traffic between eth1 (local lan slow) and eth2 (ubuntu's computer), both ways
    iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
    iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
    # forward all traffic between eth2 and eth0 (ubuntu's computer <-> the net), both ways
    iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
    # send the sof2 test ports that arrive on the external ip to the ubuntu pc
    iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 20100:20112 -j DNAT --to-destination 192.168.1.11
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 20100:20112 -j DNAT --to-destination 192.168.1.11
    # masquerade the ip's so they look like they are "all from one" machine
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # turn forwarding on "tell the kernel"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "+ everything accepted, everything forwarded"
}

# stop the firewall (everything is open !)
stop() {
    # set the default policy
    iptables -P INPUT ACCEPT      # accept all incoming packets
    iptables -P FORWARD ACCEPT    # forward all packets to other puters (flood)
    iptables -P OUTPUT ACCEPT     # accept all outgoing packets and send them
    # set default policy for the NAT table
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    # delete all old rules
    iptables -F            # flush
    iptables -t nat -F     # flush nat table
    # delete all chains
    iptables -X
    iptables -t nat -X
    echo "+ All tables flushed"
    RETVAL=0
}

lockdown() {
    echo "locking down everything"
    # filter table: nothing in, nothing out, nothing through
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # nat table
    iptables -t nat -P PREROUTING DROP
    iptables -t nat -P POSTROUTING DROP
    iptables -t nat -P OUTPUT DROP
    echo "it's locked down"
}

# case statement to call the correct function, except status which is handled in the case itself
case "$1" in
    start)
        start
        ;;
    dumb)
        stop
        dumb
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        iptables -L
        iptables -t nat -L
        RETVAL=0
        ;;
    lockdown)
        stop
        lockdown
        ;;
    *)
        echo "Usage: Firewall (start|stop|restart|status|dumb|lockdown)"
        RETVAL=1
        ;;
esac
exit $RETVAL
That's pretty much it. I'm still kinda dumb when it comes to the forwarding part, so be careful of that part. Also, when I allow PC2 to connect to the Samba ports I use its MAC address, so replace “pc2's mac” with the MAC address without quotes, like this: 00:00:00:00:00:00
I'm dropping packets like there is no tomorrow. I've found that PC1 has something on it that is always sending packets to weird ports/IPs; they are all getting blocked.
Please comment if you know how i can improve this, or can point out any errors.
Another note, if you have email coming out from your server be sure to enable port 25, or whatever port you use. I just did that to mine.
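As an added example (not code from the original post), here is a small Python model of the script's INPUT path: it walks INPUT, then NETTWO or FIREWALL, then TRUSTED and LOG_DROP the way the kernel would, so you can check what happens to a packet without loading the rules. RULES is a hand-transcribed subset of the script above, only the -i, -o, -p, --dport and --state matches are modelled, and the packets are constructed for the example.

```python
# Added example, not from the original post: walk the script's INPUT path offline
# (INPUT -> NETTWO / FIREWALL -> TRUSTED -> LOG_DROP). RULES is a hand-transcribed subset.
import shlex
RULES = """\
INPUT -i eth1 -j NETTWO
INPUT -j FIREWALL
FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
FIREWALL -j TRUSTED
FIREWALL -j LOG_DROP
NETTWO -p tcp -m tcp --dport 80 -j ACCEPT
NETTWO -j DROP
TRUSTED -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
TRUSTED -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
TRUSTED -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
TRUSTED -j LOG_DROP
LOG_DROP -j DROP
"""

def parse(text):
    chains = {}
    for line in text.strip().splitlines():
        chain, *args = shlex.split(line)
        opts = {o: v for o, v in zip(args[::2], args[1::2]) if o != "-m"}  # -m adds no condition
        target = opts.pop("-j")
        chains.setdefault(chain, []).append((opts, target))
    return chains

def match_one(opt, val, pkt):
    if opt == "-i":
        return pkt["in"] == val or (val.endswith("+") and pkt["in"].startswith(val[:-1]))
    if opt == "-o":  # a packet on the INPUT path has no out-interface, so -o never matches
        return False
    if opt == "-p":
        return val == pkt["proto"]
    if opt == "--dport":
        return int(val) == pkt["dport"]
    return pkt["state"] in val.split(",")  # --state

def walk(chains, chain, pkt):
    for opts, target in chains.get(chain, []):
        if all(match_one(o, v, pkt) for o, v in opts.items()):
            if target in ("ACCEPT", "DROP"):
                return target
            sub = walk(chains, target, pkt)  # user chain exhausted: back to the caller
            if sub:
                return sub

def verdict(in_if, proto, dport, state="NEW"):
    pkt = {"in": in_if, "proto": proto, "dport": dport, "state": state}
    return walk(parse(RULES), "INPUT", pkt) or "ACCEPT"  # the script's INPUT policy
```

Running verdict("eth1", "tcp", 445) gives DROP even though TRUSTED has a rule for it: INPUT hands eth1 traffic to NETTWO first and NETTWO never returns. verdict("eth0", "tcp", 443) is also DROP, because an -o rule cannot match incoming packets.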

Amazing… I would like the Zenwalk community to provide you feedback regarding this article. I want to sit down later and test it because it has a lot of details.
Have you used Shorewall Firewall?
Maybe you can find something helpful here.
http://www.shorewall.net/
-2501
Have you tried Shorewall Firewall???
I was checking Zenwalk configurations and did not see any /etc/rc.d/rc.firewall …
Do you think that I should create one in order to run my script? If I do this I would not have to rely on Shorewall.
-2501
No, I did try some GUI options though, like Firewall Builder. I found it to be really confusing, and it costs money after the trial finishes out. I'd rather make my own scripts and such; I know I might be missing out on some security and easiness but that's just the way I am.
I know there was no “/etc/rc.d/rc.firewall” in my Slackware. I had to make one and put it in there. You can call it whatever you like, just make sure you make it executable (“chmod +x yourfilename”) and add it to your rc.local all the way at the end (“/etc/rc.d/yourfile”). If you're not using Slackware the procedure might be a little different. I've never used Zenwalk, but if there is a /etc/rc.d/ folder there should be an rc.local; if there is no /etc/rc.d folder there is something equivalent for your distro. Good luck!
In my case all I have is one wifi router in the house. Pretty much what I need is to configure my firewall to have access to port 80 and 22…right?
-tony
ps: Shorewall has no GUI. It is all text-based which is what I like. I don’t like GUIs. You might like it.
Have you tried lighttpd?
If you just have one wifi router, is it like a normal hardware router or is it a computer? If you don't use SSH I would not open port 22, just 80 for internet.
ok….thanks!
have you seen this one?
http://firehol.sourceforge.net/
I am using Arch Linux and also got my custom firewall to work. Thanks for your ideas and expertise. I am happy using Arch.
-tony