Gentoo Forums
beginners question about iptables
Forum: Networking & Security
bastibasti (Guru; Joined: 27 Nov 2006; Posts: 586)
Posted: Sat Sep 28, 2024 12:24 pm    Post subject: beginners question about iptables

Hi all,

I am not 100% new to iptables, but I have used ready-made firewalls/routers in the past.

Here is my setup...

external modem -> Linux box (pppoe, iptables, WEBSERVER, dmz-dhcp, dmz-named) -> homerouter -> home network

The idea is that the home network is not in contact with the Linux box running the webserver. If there is an intruder on the dial-in box (webserver etc.) my private stuff is kind of safe (hopefully).

I have so far everything working, also the port forwarding to the 2nd router, but it seems like ppp0 has all ports open.

Maybe someone can point out the steps to make this a little safer?

Code:

#!/bin/bash
external=ppp0
internal=enp3s0

# Enable forwarding and general rules
# Note: -F without -t only flushes the filter table; the nat table is flushed
# separately so that re-running the script does not duplicate the NAT rules.
iptables -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade everything leaving via the PPPoE uplink
iptables -t nat -A POSTROUTING -o $external -j MASQUERADE
# Accept anything arriving from the internal interface and loopback
iptables -A INPUT -i $internal -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# On the uplink, accept only replies to connections the box opened itself
iptables -A INPUT -i $external -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# No default policies are set here, so INPUT and FORWARD keep the kernel default ACCEPT

# forward wireguard to dmz router
iptables -t nat -A PREROUTING -p tcp --dport 51138 -j DNAT --to-destination 192.168.2.10:51138
iptables -t nat -A PREROUTING -p udp --dport 51138 -j DNAT --to-destination 192.168.2.10:51138

pietinger (Moderator; Joined: 17 Oct 2006; Posts: 5109; Location: Bavaria)
Posted: Sat Sep 28, 2024 1:42 pm    Post subject: Re: beginners question about iptables

bastibasti wrote:
[...], but it seems like ppp0 has all ports open

Check your default policy! "iptables -L -vn" should start with:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
...
Chain FORWARD (policy DROP 0 packets, 0 bytes)
...

If not, you will need in your configuration script:
Code:
### Basic Settings ###

iptables -F
iptables -X
iptables -P INPUT       DROP
iptables -P OUTPUT      [your decision; I also filter all outgoing traffic and have a DROP here ... but you have "iptables -A OUTPUT -j ACCEPT". You don't need this rule if you set the default to ACCEPT (which is also the default unless you change it)].
iptables -P FORWARD     DROP
...

_________________
https://wiki.gentoo.org/wiki/User:Pietinger
bastibasti (Guru; Joined: 27 Nov 2006; Posts: 586)
Posted: Sat Sep 28, 2024 1:47 pm

so literally,

-P input drop

would also drop all packets from the LAN, and I would have to open each port individually from the LAN separately?
pietinger (Moderator; Joined: 17 Oct 2006; Posts: 5109; Location: Bavaria)
Posted: Sat Sep 28, 2024 2:28 pm

bastibasti wrote:
so literally,

-P input drop

would also drop all packets from the LAN, and I would have to open each port individually from the LAN separately?

... would also drop all packets from both LAN (=not if packet is forwarded) - and own station - TO the OWN station (*) and I would have to open each port individually for this station.

... Yes. :lol:

Maybe take a look into my (German) guide for a personal FW (= FW for a desktop): https://forums.gentoo.org/viewtopic-t-1112806.html
(don't mind the language; just look at the examples ... and then MAYBE ... you will find a link to: https://forums.gentoo.org/viewtopic-t-1114432.html

P.S.: *) Maybe interesting for you: https://stuffphilwrites.com/fw-ids-iptables-flowchart-v2024-05-22/

P.P.S.: Don't forget: The default policy is only used last, when no rule has matched a packet. Yes, a FW should deny everything which is not explicitly allowed. ->

- ALLOW 1
- ALLOW 2
- DENY something without logging
- LOG all the rest
- Default: DENY everything which has arrived here
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
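As an added example (not code from either poster), here is the first post's setup rebuilt with the DROP default policies from the first reply and the rule order from this one: allow, quiet deny, log, default deny. Interface names, the DMZ router 192.168.2.10 and port 51138 come from the thread; the web server ports 80/443 and the script name firewall.sh are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: pppoe uplink, web server on the box,
# DNAT of port 51138 to the DMZ router 192.168.2.10, DROP default policies
# and the order pietinger describes: allow, quiet deny, log, default deny.
# Web server ports 80/443 are an assumption; the thread does not name them.
external=ppp0
internal=enp3s0
dmz_host=192.168.2.10
wg_port=51138
# gen_rules prints the iptables commands instead of running them, so the rule
# set can be reviewed before apply_rules feeds it to a shell as root.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# INPUT: traffic addressed to the box itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $internal -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $external -p tcp -m multiport --dports 80,443 -j ACCEPT
# quiet deny: noisy broadcast traffic from the uplink is dropped without a log
iptables -A INPUT -i $external -m addrtype --dst-type BROADCAST -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# FORWARD: LAN may go out; from the uplink only the DNATed WireGuard port
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $internal -o $external -j ACCEPT
iptables -A FORWARD -i $external -o $internal -d $dmz_host -p udp --dport $wg_port -j ACCEPT
iptables -A FORWARD -i $external -o $internal -d $dmz_host -p tcp --dport $wg_port -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
# NAT: masquerade outbound, DNAT the WireGuard port to the DMZ router
iptables -t nat -A POSTROUTING -o $external -j MASQUERADE
iptables -t nat -A PREROUTING -i $external -p udp --dport $wg_port -j DNAT --to-destination $dmz_host:$wg_port
iptables -t nat -A PREROUTING -i $external -p tcp --dport $wg_port -j DNAT --to-destination $dmz_host:$wg_port
EOF
}
# apply_rules enables forwarding and executes the generated rule set (run as root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | sh -e
}
# "./firewall.sh apply" applies the rules; without the argument they are only printed.
if [ "${1:-}" = apply ]; then apply_rules; else gen_rules; fi
```

Anything not matched by an ACCEPT line is logged (rate-limited) and then hits the DROP policy, so "iptables -L -vn" shows the packet counters on the LOG rules for whatever is still being refused.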
bastibasti (Guru; Joined: 27 Nov 2006; Posts: 586)
Posted: Sat Sep 28, 2024 4:46 pm

thanks... since the router is really hard to reach, I will probably set up a serial console first, so I don't have to walk back and forth after every failure ;-)


Thanks for the hints. I will surely write some more questions soon lol
pietinger (Moderator; Joined: 17 Oct 2006; Posts: 5109; Location: Bavaria)
Posted: Sat Sep 28, 2024 6:13 pm

bastibasti wrote:
[...] I will surely write some more questions soon lol

yes, yes, go ahead :lol:
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
pietinger (Moderator; Joined: 17 Oct 2006; Posts: 5109; Location: Bavaria)
Posted: Sun Sep 29, 2024 11:44 am

P.S.: Maybe interesting, because there is a link to both kinds of DMZ (and my opinion about it):
https://forums.gentoo.org/viewtopic-p-8833565.html#8833565
_________________
https://wiki.gentoo.org/wiki/User:Pietinger