Firewall for multi-purpose server?

The_Great_Sephiroth

I have a new server at a client location that is running great. It hosts, DHCP, DNS, NTP, OpenVPN, SMB/Samba, and it accepts SSH access for maintenance. Now I need to secure it. Since this is shell only I plan to write a shell-script which will setup iptables and then do iptables-save so it gets restored at boot. The issue is that it has been so long I cannot remember what I need to do. Below is what I have right now.

pietinger · Posted: Mon Nov 09, 2020 4:20 pm Post subject:

Can this help a little bit ? -> https://forums.gentoo.org/viewtopic-t-1114432-highlight-.html

The_Great_Sephiroth · Posted: Tue Nov 10, 2020 8:43 pm Post subject:

Will read it now, thank you for sharing!
_________________
Ever picture systemd as what runs "The Borg"?

The_Great_Sephiroth · Posted: Tue Nov 17, 2020 11:57 pm Post subject:

OK, I read it but I believe it is a tad more than what I need. This specific server hosts DHCP, DNS, OpenVPN server (UDP), SMB file shares, SSH, and I want it to host NTP for the Windows 10 workstations at some point. Below is what I believe I need as far as a script goes.

pietinger · Posted: Wed Nov 18, 2020 1:44 am Post subject:

Hu · Administrator Joined: 06 Mar 2007 Posts: 23082

As an initial review:

pietinger is correct that you do not need a FORWARD rule for lo. You are correct to have them for INPUT/OUTPUT.
I understand the appeal, but I must discourage use of a shell script to load rules. As written, if a rule fails to load, the shell will blunder on, loading what rules it can. The resulting partial firewall may behave differently than the one you intended to load. You should use iptables-restore which can load all the rules as a unit, and leave the state unchanged if it fails. (If you do this, you should start by loading a very simple state, either fail-secure or fail-open, depending on your design requirements. Then, use iptables-restore to load the production-ready rules.)
Your rules are generally consistent with your stated goals.
I discourage allowing ssh from anywhere, and prefer that you allow ssh only from subnets where you expect legitimate users to be.
Your rule will allow the OpenVPN data packets to arrive and be processed by the openvpn process. That process will likely write decrypted packets to a virtual Ethernet device for the kernel to route internally. You have no rules to allow those decrypted packets, so traffic arriving from the VPN will probably be decrypted, then DROP'd.
You mention some services you intend to host, but have no rules to allow them.

pietinger · Posted: Wed Nov 18, 2020 3:18 am Post subject:

Short remarks:

Hu · Administrator Joined: 06 Mar 2007 Posts: 23082

I saw that you offered them, but I did not review them, because I don't know how much, if any, of it the original poster will adopt. I only reviewed what the original poster had provided. Aside from the acknowledgment of your suggestion, everything I wrote was based off the original poster's post and directed toward him.

pietinger · Posted: Wed Nov 18, 2020 11:31 am Post subject:

The_Great_Sephiroth · Posted: Wed Nov 18, 2020 11:52 pm Post subject:

I am only using a script to show off my intention. I do use iptables-save and -restore. The VPN allows users to work on their PCs from home, not provide an uplink. SSH is used by me either via the VPN or on the LAN itself if I am present there. Should I allow only from the LAN subnets? This thing does NOT face the Internet. You would need to be on the LAN or VPN anyway, so filtering for that seems redundant.

I have not setup NTP yet and SMB is going but I could not think of the ports off the top of my head. It's late here now and I am home. I will work on my stuff and add my missing services and the like soon. I am also trying to wrap my head around nftables, but it is a hot mess. However, if I am able to grasp nftables this stuff may go away anyway.
_________________
Ever picture systemd as what runs "The Borg"?

pietinger · Posted: Thu Nov 19, 2020 12:16 am Post subject:

The_Great_Sephiroth,

when you emerge "nftables" you should have "iptables-translate" and "iptables-restore-translate" for an automtic translation of your iptables-rules into nftables-rules. I never tried it, because the syntax of nftables is not very much different from iptables. The difference is inside the kernel. Nftables uses the berkerly packet filter (BPF) inside the network stack. I will do my switch when all needed options are pure nftables.

I dont know which machines (and how) in you LAN have a connection to the internet. But - be aware of IPv6 and its automatic configuration "service" ...

Good luck and have a good time,
Peter

Hu · Administrator Joined: 06 Mar 2007 Posts: 23082

You can use symbolic port names, if the port is known to /etc/services. From your additional description, further restricting ssh is probably not necessary.

I have not looked at nftables, so I cannot comment on it.

The_Great_Sephiroth · Posted: Thu Nov 19, 2020 6:17 pm Post subject:

Pietinger mentioned something that raises a question. Does nftables not support doing everything that iptables does yet? If so, why were we forced to nftables last year? This laptop is now using nftables and I seem to be doing fine, but since it is a workstation with Plasma I configure it via the firewalld GUI.

I am at the client location now and will be working on this while two old workstations are wiped (badblocks -wsv /dev/sda) and loaded with Windows 10 to be given to a school. Might have an updated post soon.
_________________
Ever picture systemd as what runs "The Borg"?

The_Great_Sephiroth · Posted: Thu Nov 19, 2020 7:04 pm Post subject:

OK, I have some more questions. It seems the deeper I dig the more I wonder what is correct and what is erroneous. I list all of the listening ports on my server.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23082

The_Great_Sephiroth · Posted: Thu Nov 19, 2020 7:59 pm Post subject:

OK, I gotcha'. From what i understand now, with a fully locked-down firewall I need to add rules for incoming and outgoing ports and protocols, such as allowing 'domain' in on the NIC so LAN PCs can get DNS info from the server, but also out on the NIC where the destination port is 53 so the server can send queries upstream to Internet servers. My only area of confusion remaining is involving VPN stuff, but I can make a thread about that later. We will see how this firewall does for a while before I go to the next step.

Here is the firewall as it stands. Runs fine at this point!

pietinger · Posted: Thu Nov 19, 2020 9:33 pm Post subject:

Oh, many questions ...

1. iptables <> nftables

With nftables you can configure ARP-filtering, Bridging, IPv4 and IPv6 with ONE system: nftables. So you dont need arptables, ebtables, iptables, ip6tables ! And - nftables is the future !

But iptables is older and more stable (when I look onto the kernel patches). And the syntax is easier. Many people say the syntax of nftables is easier ... maybe if you understand you have to define the chains and tables and used hooks, because there are no predefined ones. I understand it, but I would say its more difficult, especially if you want some simple mangle definitions; e.g. allow only one UID (of a proxy) to go out to 443 and 80. Another point is: You are not free with your definitions anymore. You cant seperate your LOOPBACK-allows, CONNTRACK-rules and LOG-rules. With nft you have to put all together in one chain- and table-definition. So, for private using (if you have only IPv4) I recommend iptables.

(The same with IPv6. It is the future, but until you really need it stay at IPv4. There are some problems with your privacy and I am watching the kernel patches for it also. IPv4 is older and more stable.)

The_Great_Sephiroth · Posted: Thu Nov 19, 2020 10:11 pm Post subject:

Now I see why you did the matching of a port and the state of "NEW". Makes sense. I need to modify my firewall...
_________________
Ever picture systemd as what runs "The Borg"?