aCOSwt Bodhisattva

Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Mon Dec 14, 2009 8:03 am Post subject: [Solved] Help needed for configuring my firewall
Hello,
Sorry for this, but firewalling has never been my cup of tea.
The machine I wish to protect is in a very simple configuration regarding its network:
Connection to the internet via ppp0.
On my FreeBSD box, I am using pf, which enables the following very simple ruleset:
Code:
    set skip on lo0     # pass all loopback traffic
    scrub in all
    block log all
    pass out quick on tun0 inet proto tcp flags S/SA keep state
    pass out quick on tun0 inet proto { udp, icmp } keep state
Because I think (perhaps wrongly) that the above ruleset fits my needs (blocking all inputs apart from those related to an output and associated with the S/SA flags and the udp / icmp protocols), I am trying to do the same with Netfilter:
Code:
    Chain INPUT (policy DROP)
    target     prot opt source                 destination
    ACCEPT     all  --  anywhere               anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  localhost.localdomain  anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source                 destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source                 destination
1/ Is that beginning correct?
2/ How can I specify my restrictions regarding protocols and flags?
3/ Should I be more restrictive?
4/ I would like to log only dropped packets; how do I achieve this?
5/ Which are the minimal kernel configuration flags I need to enable this?
Last edited by aCOSwt on Tue Dec 29, 2009 7:47 pm; edited 1 time in total
Hu Administrator

Joined: 06 Mar 2007 Posts: 23326
Posted: Tue Dec 15, 2009 3:22 am
First, please use iptables-save rather than iptables --list when you want to post your rules. Second, that second rule looks like an incorrectly written attempt to allow loopback traffic. Use -i lo instead of -s localhost. Use -j LOG to printk a message when a packet matches. It is traditional, but not required, to place this such that it only matches traffic you drop.
aCOSwt Bodhisattva

Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Tue Dec 15, 2009 7:51 pm
Thank you Hu for helping.
I am going to rework this following your advice.
Stolz Moderator


Joined: 19 Oct 2003 Posts: 3028 Location: Hong Kong
Posted: Tue Dec 29, 2009 12:13 pm Post subject: Re: Help needed for configuring my firewall
aCOSwt wrote:
    ...blocking all inputs apart from those related to an output and associated with the S/SA flags and udp / icmp protocols)
aCOSwt, I'm not an iptables guru, but I'll try to help with your basic setup:
Code:
    #Flush
    iptables -F
    iptables -X
    #Default: Block all inputs, allow outputs
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #Allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    #Allow those related to an output
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #Allow ICMP ping
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    #Log dropped
    iptables -N LOGDROP
    iptables -A LOGDROP -j LOG
    iptables -A LOGDROP -j DROP
    iptables -A INPUT -j LOGDROP
aCOSwt wrote:
    5/ Which are the minimal kernel configuration flags I need to enable this?
Minimal kernel configuration:
Code:
    Networking --->
      [*] Networking support
      Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
          Core Netfilter Configuration --->
            <M> Netfilter Xtables support (required for ip_tables)
          IP: Netfilter Configuration --->
            <M> IP tables support (required for filtering/masq/NAT)
            <M> Packet filtering
For "-m state..." to work, you also need...
Code:
    Networking --->
      [*] Networking support
      Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
          Core Netfilter Configuration --->
            <M> Netfilter connection tracking support
...which brings up new options you also have to enable:
Code:
    Core Netfilter Configuration --->
      <M> "state" match support
    IP: Netfilter Configuration --->
      <M> IPv4 connection tracking support (required for NAT)
For log, you need
Code:
    Networking --->
      [*] Networking support
      Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
          IP: Netfilter Configuration --->
            <M> LOG target support
And if you don't want to flood your logs, you can enable
Code:
    <M> "limit" match support
and change your logging rule to
Code:
    iptables -A LOGDROP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 2 --log-prefix "Firewall: "
Hope it helps.
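Added example (not code from any of the posters): a POSIX sh checker for the kernel options listed above, so that a missing match or target shows up before iptables reports "No chain/target/match by that name" at rule-load time. The CONFIG_ symbols are the 2.6-era names behind the menu entries quoted in the post; later kernels moved the LOG target to CONFIG_NETFILTER_XT_TARGET_LOG (both spellings are accepted here) and folded CONFIG_NF_CONNTRACK_IPV4 into CONFIG_NF_CONNTRACK, so on a current kernel read a "missing" report for that one line with that in mind. The config file path given on the command line is whatever your box has; /proc/config.gz only exists if CONFIG_IKCONFIG_PROC is enabled.

```shell
#!/bin/sh
# Added example, not code from the thread: check a kernel .config (or the
# running kernel's /proc/config.gz) for the Netfilter options needed by the
# ruleset discussed in the thread (-m state, LOG target, limit match).
# Symbol names are those of the 2.6-era kernels the thread discusses; the
# LOG target later moved to CONFIG_NETFILTER_XT_TARGET_LOG, so both
# spellings are accepted for it.  Symbols separated by '|' are alternatives.
REQUIRED='
CONFIG_NETFILTER
CONFIG_NETFILTER_XTABLES
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_IP_NF_TARGET_LOG|CONFIG_NETFILTER_XT_TARGET_LOG
'

# read_config FILE: print the config text, decompressing .gz files
# (the /proc/config.gz case).
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_netfilter_config FILE: print one "missing: ..." line per option that
# is neither built in (=y) nor modular (=m).  The return value is the number
# of missing options, so 0 means the ruleset can be loaded as-is.
check_netfilter_config() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 255
    fi
    cfg=$(read_config "$1")
    missing=0
    for entry in $REQUIRED; do
        found=0
        # An entry may list alternative symbols; any one of them will do.
        for sym in $(printf '%s' "$entry" | tr '|' ' '); do
            if printf '%s\n' "$cfg" | grep -q "^$sym=[ym]$"; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $entry"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh nf-config-check.sh /proc/config.gz
#    or: sh nf-config-check.sh /boot/config-$(uname -r)
if [ $# -gt 0 ]; then
    check_netfilter_config "$1"
    exit $?
else
    echo "usage: $0 /path/to/.config | /proc/config.gz" >&2
fi
```

Run it against the config of the kernel you are about to boot, not only the running one: a "# CONFIG_NF_CONNTRACK is not set" line is exactly what makes the "-m state" rule in the script above fail to load, and the checker reports it as missing because it only accepts =y or =m.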
aCOSwt Bodhisattva

Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Tue Dec 29, 2009 7:46 pm
Simply great!
Many thanks Stolz for your effort!
On my side, I had approximately finished with something rather similar:
Code:
    iptables --policy INPUT DROP
    iptables --policy OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j LOG
    iptables -A INPUT -j REJECT
I will follow your advice regarding allowing icmp and dropping rather than rejecting.
I still have not understood how to restrict the INPUT ACCEPT on existing connections to the TCP packets flagged S/SA but, never mind, I will enjoy tcpdump... to check whether it is worth bothering about that.
Thanks again.
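As an added example (not code from the thread or any of its posters), here is the pf ruleset from the first post translated into iptables-save text, the form Hu asked for, which iptables-restore loads in a single step instead of rule by rule. It also covers the two points the thread leaves open: the "flags S/SA" restriction belongs on the packet that creates state, which on this box is the outgoing SYN, and logging happens only in the drop chain, rate limited. The interface name ppp0, the log prefix, the limit values and the "show"/"apply" command names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: the pf ruleset from the first
# post written as iptables-save text, loaded atomically by iptables-restore.
# Assumes the Internet-facing interface is ppp0 (override with the second
# argument) and a kernel with conntrack, the state and limit matches and the
# LOG target.  IPv4 only, like "inet" in pf: ip6tables needs its own ruleset
# or IPv6 traffic stays unfiltered.

# ruleset [WAN]: print the ruleset in iptables-save format.  Lines starting
# with '#' are comments that iptables-restore skips.
ruleset() {
    wan="${1:-ppp0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# set skip on lo0: match the interface, never a source address.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# keep state: packets of connections already in the state table.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# pass out ... proto tcp flags S/SA keep state: only a pure SYN may create
# TCP state.  Netfilter would create state on any NEW packet, so the one NEW
# TCP rule is restricted with --syn (SYN set, ACK/RST/FIN clear).
-A OUTPUT -o $wan -p tcp --syn -m state --state NEW -j ACCEPT
# pass out ... proto { udp, icmp } keep state
-A OUTPUT -o $wan -p udp -m state --state NEW -j ACCEPT
-A OUTPUT -o $wan -p icmp -m state --state NEW -j ACCEPT
# Answer pings, rate limited so a flood cannot pin the CPU.
-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# block log all: whatever reaches the end of a chain is logged, then dropped.
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
# Log only what is dropped; limit keeps a flood out of the kernel ring buffer.
-A LOGDROP -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "nf-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# show  [wan]  prints the ruleset so it can be reviewed or diffed
# apply [wan]  loads it (needs root); iptables-restore replaces the whole
#              filter table at once, so there is no half-loaded window as
#              with a sequence of iptables -A calls.
case "${1:-show}" in
    show)  ruleset "${2:-ppp0}" ;;
    apply) ruleset "${2:-ppp0}" | iptables-restore ;;
    *)     echo "usage: $0 [show|apply] [wan-interface]" >&2; exit 2 ;;
esac
```

There is deliberately no S/SA rule on INPUT: INPUT accepts only ESTABLISHED,RELATED, so an inbound TCP segment that is NEW, whatever its flags, already ends in LOGDROP. After "apply", check the loaded result with iptables-save, and inspect dropped traffic with dmesg or the syslog file receiving kern.warning, filtered on the "nf-drop: " prefix.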