| View previous topic :: View next topic |
| Author |
Message |
myte
n00b
Joined: 11 Sep 2010
Posts: 3
Location: Norfolk, VA
|
 Posted: Sat Sep 11, 2010 10:13 pm Post subject: Please QA my Firewall Setup |
 |
|
I have two IP leases from my ISP. I have 3 ethernet adapters on my server. eth0 = static ip, dnsmasq'ing to the lan for dhcp server. eth1 is dhcp / inet, eth2 is dhcp/inet.
Here's what I have.
| Code: |
1.# Copyright 1999-2010 Gentoo Foundation
2.# Distributed under the terms of the GNU General Public License v2
3.# $Header: $
4.
5.depend() {
6. need net
7.}
8.
9.start() {
10.ebegin "Starting Firewall Script"
11.
12.#First we flush our current rules
13. iptables -t filter -F
14. iptables -t nat -F
15. iptables -t mangle -F
16.
17.#Setup default policies to handle unmatched traffic
18. iptables -t filter -P INPUT ACCEPT
19. iptables -t filter -P OUTPUT ACCEPT
20. iptables -t filter -P FORWARD ACCEPT
21.
22.#Copy and paste these examples ...
23. export LAN=eth0
24. export WAN0=eth1
25. export WAN1=eth2
26. export WAN0ip=$( ifconfig ${WAN0} | grep "inet addr" | sed -e 's/^ inet addr://' -e 's/\ .*$//' )
27. export WAN1ip=$( ifconfig ${WAN1} | grep "inet addr" | sed -e 's/^ inet addr://' -e 's/\ .*$//' )
28.
29.#add the rules for NAT
30. iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/25 -j SNAT --to-source ${WAN0ip} --random
31. iptables -t nat -A POSTROUTING -o eth2 -s 192.168.0.128/25 -j SNAT --to-source ${WAN1ip} --random
32.
33.#These rules are for access control to this router box and any external hosts (Lan or Wan)
34.#Accept anything coming from the LAN or loopback
35. iptables -A INPUT -i ${LAN} -j ACCEPT
36. iptables -A INPUT -i lo -j ACCEPT
37.#Allow ssh from outside
38. iptables -A INPUT -p TCP --dport 22 -i ${WAN0ip} -j ACCEPT
39. iptables -A INPUT -p TCP --dport 22 -i ${WAN1ip} -j ACCEPT
40.#Allow DHCP to renew its leases with your ISP. (if you can get the ip of your dhcp server into a variable, add it to the below lines in an -s argument)
41. iptables -A INPUT -p UDP --dport bootps ! -i ${WAN0ip} -j REJECT
42. iptables -A INPUT -p UDP --dport domain ! -i ${WAN1ip} -j REJECT
43.#Allow any return traffic that is part of a connection that was already allowed
44. iptables -A INPUT -i ${WAN0} -m state --state ESTABLISHED,RELATED -j ACCEPT
45. iptables -A INPUT -i ${WAN1} -m state --state ESTABLISHED,RELATED -j ACCEPT
46.#Reject all else
47. iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
48.
49.#These access control rules are for forwarded traffic between the lan and the internets:
50.#Allow anything originating internally
51. iptables -A FORWARD -i ${LAN} -d 192.168.0.0/24 -j DROP
52.#Allow any return traffic that is part of a connection that was already allowed
53. iptables -A FORWARD -i ${WAN0} -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
54. iptables -A FORWARD -i ${WAN1} -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
55.#Reject all else
56. iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
57.
58.#Tell the kernel that ip forwarding is OK
59. echo 1 > /proc/sys/net/ipv4/ip_forward
60. for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
61.eend $?
62.}
63.
64.stop() {
65. ebegin "Stopping Firewall Script"
66. iptables -t filter -F
67. iptables -t nat -F
68. iptables -t mangle -F
69.
70. iptables -t filter -P INPUT ACCEPT
71. iptables -t filter -P OUTPUT ACCEPT
72. iptables -t filter -P FORWARD ACCEPT
73. eend $?
74.}
75.
76.restart() {
77. ebegin "Restarting Firewall Script"
78. /etc/init.d/net.eth0 restart
79. /etc/init.d/net.eth1 restart
80. /etc/init.d/net.eth2 restart
81. /etc/init.d/mynet start
82. eend $?
83.}
|
Here's the output of iptables -L after starting this script:
| Code: |
1.rath init.d # iptables -L
2.Chain INPUT (policy ACCEPT)
3.target prot opt source destination
4.ACCEPT all -- anywhere anywhere
5.ACCEPT all -- anywhere anywhere
6.ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
7.ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
8.REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
9.REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
10.ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
11.ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
12.REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
13.
14.Chain FORWARD (policy ACCEPT)
15.target prot opt source destination
16.DROP all -- anywhere 192.168.0.0/24
17.ACCEPT all -- anywhere 192.168.0.0/24 state RELATED,ESTABLISHED
18.ACCEPT all -- anywhere 192.168.0.0/24 state RELATED,ESTABLISHED
19.REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
20.
21.Chain OUTPUT (policy ACCEPT)
22.target prot opt source destination
23.rath init.d #
|
Does this look like it is setup properly to operate? My main goal is to have all IP's from one range route their traffic through one eth1, and all IP's from the other range will go through the other eth2.
Thanks! |
|
| Back to top |
|
 |
gerdesj
l33t
Joined: 29 Sep 2005
Posts: 622
Location: Yeovil, Somerset, UK
|
| Posted: Sun Sep 12, 2010 12:02 am Post subject: Re: Please QA my Firewall Setup |
|
|
I'm afraid I can't be bothered to read and understand all of that lot - you'll normally get a reply to a specific question!
However, I think what you really want is policy based routing - or more specifically source based routing:
What you do is (make sure you have iproute2 installed) create two additional routing tables which have different default gateways and then you add ip rules to these additional tables based on where the packets are coming FROM.
Normally your routing table is based on where a packet is going TO - destination based routing.
You can do all this in /etc/conf.d/net. You need to look up how to use "ip rule". Look at the postup() example in net.example (/etc/conf.d or /usr/share/doc/openrc)
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
Once you have the routing sorted out then you worry about the firewall.
Back to your config, I think it may work anyway - does it? The output of iptables -L -v -t nat would be useful. You should be able to run traceroutes from client machines to test where packets are actually going or run tcpdump on your router.
Now if you want failover, ie ISP2 link goes down - route ISP2 traffic via ISP1 until ISP2 recovers is a whole different ball game - if you want to do that then just use pfSense! I have wasted a lot of time over this with Linux and pfSense just works.
Cheers
Jon |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23100
|
| Posted: Sun Sep 12, 2010 4:36 am Post subject: |
|
|
I see two design problems with this script. First, you are calling iptables repeatedly without checking whether it succeeds, so you could load a very strange partial configuration if some of the calls fail and others succeed. Second, when you restart the interfaces, you restart them without regard to whether any of them fail.
To address the first problem, you should use the Gentoo-supplied iptables initscript, which performs an atomic rule load. Either all the rules load or none of them do. You could address the second problem with better error checking, but first I would like to hear why you want to restart all the network interfaces any time the firewall is reset.
If you want to post the state of the firewall, use iptables-save -c, not iptables -L. |
|
| Back to top |
|
|
d2_racing
Bodhisattva
Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada
|
| Posted: Sun Sep 12, 2010 2:13 pm Post subject: |
|
|
IMOO, you should try to do a firewall rules that open things 
| Code: |
.#Setup default policies to handle unmatched traffic
18. iptables -t filter -P INPUT ACCEPT
19. iptables -t filter -P OUTPUT ACCEPT
20. iptables -t filter -P FORWARD ACCEPT
|
Should be :
| Code: |
18. iptables -t filter -P INPUT DROP
19. iptables -t filter -P OUTPUT DROP
20. iptables -t filter -P FORWARD DROP
|
And start creating rules that accept connections and packets. |
|
| Back to top |
|
|
d2_racing
Bodhisattva
Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada
|
| Posted: Sun Sep 12, 2010 2:15 pm Post subject: |
|
|
And for the record, because of this :
| Code: |
18. iptables -t filter -P INPUT ACCEPT
19. iptables -t filter -P OUTPUT ACCEPT
20. iptables -t filter -P FORWARD ACCEPT
|
A lot of rules that you created were useless, because by default, your firewall was accepting everything.
Example :
| Code: |
38. iptables -A INPUT -p TCP --dport 22 -i ${WAN0ip} -j ACCEPT
39. iiptables -A INPUT -p TCP --dport 22 -i ${WAN1ip} -j ACCEPT
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
