| View previous topic :: View next topic |
| Author |
Message |
shagrat
Apprentice
Joined: 10 Mar 2003
Posts: 219
Location: Norway
|
 Posted: Fri Jan 07, 2005 6:28 pm Post subject: First try at iptables. Check if I got my policies right |
 |
|
Here is my current policy:
- I want to block all inncoming traffic from the internet when the firewall is started.
- All connections to the firewall or the internet is allowed from the internal network.
- The firewall is also allowed to connect to the internet.
- When i stop the firewall, all connections are allowed.
There are also two exceptions to these rules:
- I need to allow incoming ident requests on port 113 from anywhere
- I need to forward port 6666 to a Windows machine for RDP
Here's my first firewall script:
| Code: |
#!/sbin/runscript
IPTABLES=/sbin/iptables
EXT_IF=eth0
LOC_IF=eth1
depend() {
need net
}
start() {
ebegin "Starting firewall"
einfo "Flushing existing rules"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
einfo "Setting new rules (dropping all inncoming)"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Allow new incoming connections from all but external network
$IPTABLES -A INPUT -m state --state NEW -i ! $EXT_IF -j ACCEPT
#Allow existing or related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
einfo "Enabling NAT"
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
einfo "Opening ports"
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
einfo "Forwarding ports"
$IPTABLES -t nat -I PREROUTING -p tcp --dport 6666 -i $EXT_IF -j DNAT --to 10.0.0.40:3389
eend $?
}
stop() {
ebegin "Stopping firewall"
einfo "Flushing existing rules"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
einfo "Setting new rules (accepting all)"
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
einfo "Enabling NAT"
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
eend $?
}
restart() {
svc_stop; svc_start
}
|
It seems to be working ok. I've tested it with ShieldsUP!. Is there any errors or some holes in the script opposed to my policies?
Last edited by shagrat on Fri Jan 07, 2005 10:46 pm; edited 1 time in total |
|
| Back to top |
|
 |
Wormo
Retired Dev
Joined: 29 Nov 2004
Posts: 526
Location: SB County California
|
| Posted: Fri Jan 07, 2005 9:39 pm Post subject: |
|
|
It seems ok, except it looks like you're running an identd server on the firewall and allowing connections from everywhere -- which contradicts your policy of "block all incoming traffic from the internet". The dnat rule obviously intends to forward a particular port into your internal net. I think you just forgot to mention exceptions when stating your policy.
| Quote: |
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
$IPTABLES -t nat -I PREROUTING -p tcp --dport 6666 -i $EXT_IF -j DNAT --to 10.0.0.40:3389
|
|
|
| Back to top |
|
|
shagrat
Apprentice
Joined: 10 Mar 2003
Posts: 219
Location: Norway
|
| Posted: Fri Jan 07, 2005 10:41 pm Post subject: |
|
|
| Wormo wrote: | It seems ok, except it looks like you're running an identd server on the firewall and allowing connections from everywhere -- which contradicts your policy of "block all incoming traffic from the internet". The dnat rule obviously intends to forward a particular port into your internal net. I think you just forgot to mention exceptions when stating your policy.
| Quote: |
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
$IPTABLES -t nat -I PREROUTING -p tcp --dport 6666 -i $EXT_IF -j DNAT --to 10.0.0.40:3389
|
|
Yes, you're right. I forgot to mention those two exceptions  I need the identd for some ftp servers and some irc servers. And I forward port 6666 to one internal WindowsXP machine for RDP. |
|
| Back to top |
|
|
Wormo
Retired Dev
Joined: 29 Nov 2004
Posts: 526
Location: SB County California
|
| Posted: Fri Jan 07, 2005 11:02 pm Post subject: |
|
|
| Are you certain you need access to your rdp from everywhere on the internet? When I set up VNC forwarding for my coworkers, I make them tell me where they are going to be coming in from if at all possible so I can at least restrict it to a subnet... |
|
| Back to top |
|
|
shagrat
Apprentice
Joined: 10 Mar 2003
Posts: 219
Location: Norway
|
| Posted: Fri Jan 07, 2005 11:11 pm Post subject: |
|
|
| Wormo wrote: | | Are you certain you need access to your rdp from everywhere on the internet? When I set up VNC forwarding for my coworkers, I make them tell me where they are going to be coming in from if at all possible so I can at least restrict it to a subnet... |
Pretty much. I use it from my university, from my gf, from my grandparents, from friends and more absurd places. To be a fraction more secure I decided to DNAT it from a nonstandard port to the default RDP port on the host machine. But I might change it to a higher port, like 40568. |
|
| Back to top |
|
|
|
Networking & Security
