linux newbie needs a sanity critique for a IPTABLE setup

dlm1065
Tux's lil' helper
Posts: 103
Joined: Sun Apr 18, 2004 5:51 pm


Post by dlm1065 » Thu Dec 16, 2004 1:16 am

DETAILS
  • I am trying to do a proper setup of IPTABLES for a multihomed computer.
    The computer that is doing this will also be doing web, mail, print serving,
    and other misc roles. All roles will be at minimal load levels.
    • Interface Address
      A) eth0 192.168.0.1
      B) eth1 192.168.1.1
      C) eth2 dynamic (ISP assigned)
    C is the internet interface. Anything not initially originated from interface(s)
    A/B should be blocked. A & B are both segments that need to be allowed
    to the internet and, at this point, to one another. Right now I need
    full access between the 2 segments, but in the future I will need to
    restrict that to allow only certain things.
Solution Candidate
  • Looking at the docs on setting up a home server, this is what I think will
    let me do my goal. Can someone that is more familiar with IPTABLES tell
    me if I did this correctly or if this has major holes in it?

    Code:

    iptables -F
    iptables -t nat -F
    #lock down services
    iptables -I INPUT 1 -i eth0 -j ACCEPT
    iptables -I INPUT 1 -i eth1 -j ACCEPT
    iptables -I INPUT 1 -i lo -j ACCEPT
    # "! -i eth0" is the current spelling of the interface negation that
    # older iptables accepted as "-i ! eth0"; the match is identical
    iptables -A INPUT -p UDP --dport bootps ! -i eth0 -j REJECT
    iptables -A INPUT -p UDP --dport bootps ! -i eth1 -j REJECT
    iptables -A INPUT -p UDP --dport domain ! -i eth0 -j REJECT
    iptables -A INPUT -p UDP --dport domain ! -i eth1 -j REJECT
    #Allow access to the ssh server from the WAN
    iptables -A INPUT -p TCP --dport ssh -i eth2 -j ACCEPT
    #Drop TCP/UDP packets to privileged ports
    iptables -A INPUT -p TCP ! -i eth0 -d 0/0 --dport 0:1023 -j DROP
    iptables -A INPUT -p TCP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
    iptables -A INPUT -p UDP ! -i eth0 -d 0/0 --dport 0:1023 -j DROP
    iptables -A INPUT -p UDP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
    #add the NAT rules
    iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.255.0 -j DROP
    iptables -I FORWARD -i eth1 -d 192.168.1.0/255.255.255.0 -j DROP
    iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i eth2 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i eth2 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
    #tell the kernel ip forwarding is OK
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #enable reverse-path filtering on every interface
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done
    #so on reboot routing is in place
    /etc/init.d/iptables save
    rc-update add iptables default
speed_bump
Tux's lil' helper
Posts: 92
Joined: Sat Jan 10, 2004 3:01 pm
Location: Wisconsin, USA


Post by speed_bump » Thu Dec 16, 2004 1:44 am

What's the default policy for the chain? In general, your best bet from a security perspective is to deny everything by default and write rules that specifically allow the things you need. It's more difficult, but there's less chance of overlooking something.
mcdermottpa
Tux's lil' helper
Posts: 95
Joined: Wed Oct 06, 2004 6:02 pm


Post by mcdermottpa » Thu Dec 16, 2004 9:32 am

As suggested above, you should disallow all access first and then explicitly state what will be allowed. Here's what I have in my iptables script:

Code:

# All packets that are not explicitly accepted should be dropped.
/bin/echo -e '   [Dropping] All packets not explicitly accepted'
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
The netfilter/iptables project has lots of valuable documentation.
http://www.netfilter.org/
Murphy's Military Laws:
#19.There is no such thing as an atheist in a foxhole.
#54. Killing for peace is like screwing for virginity.
dlm1065
Tux's lil' helper
Posts: 103
Joined: Sun Apr 18, 2004 5:51 pm


Post by dlm1065 » Thu Dec 16, 2004 10:28 pm

Ok, the fact that I thought this was doing what you both are suggesting means I know even less than I thought I did, & I knew I didn't know much *sigh*. I followed the Home Router How-To in the gentoo docs.

Thank you both, I appreciate the script and the doc reference, but it makes me curious. Are there any other good places for a linux beginner to start understanding better how to lock things down?
charliecompany
Tux's lil' helper
Posts: 106
Joined: Sat Apr 10, 2004 11:03 pm


Post by charliecompany » Fri Dec 17, 2004 12:46 am

I know it doesn't teach you as much but you could try using a gui to create your firewall rules. I have heard shorewall is good and I personally use fwbuilder. That has worked really well for me.
The only difference between genius and stupidity is that stupidity has no limits.
mcdermottpa
Tux's lil' helper
Posts: 95
Joined: Wed Oct 06, 2004 6:02 pm


Post by mcdermottpa » Fri Dec 17, 2004 1:20 am

Well, if you want some bedside reading, I found that this Linux Security HOWTO does a good job of outlining security considerations and providing some practical solutions: http://www.ibiblio.org/pub/Linux/docs/H ... HOWTO.html. But it really does take a lot of work to develop an in-depth understanding of Linux security. Most of us have a long way to go, so welcome to the club.
GenKreton
l33t
Posts: 828
Joined: Sat Sep 20, 2003 2:06 am
Location: Cambridge, MA


Post by GenKreton » Fri Dec 17, 2004 5:39 am

http://iptables-tutorial.frozentux.net/ ... orial.html

Best guide on iptables I found.

I too was just learning iptables and found that, unless under special circumstances, denying all forward and input is safe. Allow all output and then all input on related connections.

This setup has a few issues but will keep you safe from virtually everything.

My lax rules are as follows (I have a strict set I use normally that denies output but it is a HUGE hassle):

Code:

## Variables
# Locations
IPT='/sbin/iptables'


## Flush rules
$IPT -F
$IPT -X
$IPT -Z


## Standard policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

## Filter

# Localhost
$IPT -A INPUT -i lo -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
...
There are more rules but you get the idea and probably won't need them.


*EDIT: lots of stupidity was happening here in my post...
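The following is a complete default-deny ruleset for the three-interface router described in the first post, written here as an added example rather than any poster's own script. It combines mcdermottpa's DROP policies with GenKreton's ESTABLISHED,RELATED rule, and applies them to the OP's actual interfaces. The interface names and networks (eth0 = 192.168.0.0/24, eth1 = 192.168.1.0/24, eth2 = ISP side) come from the first post; that ssh is the only service exposed to the internet, and the /sbin paths for iptables and sysctl, are assumptions. Run without arguments it only prints the commands it would issue, so the rule order can be checked before `--apply` loads it as root.

```shell
#!/bin/sh
# Added example (not any poster's script): default-deny ruleset for the
# multihomed router from the first post.
#   eth0  192.168.0.0/24   internal segment A
#   eth1  192.168.1.0/24   internal segment B
#   eth2  ISP-assigned     internet
# Every command goes through $IPT / $SYSCTL so the whole ruleset can be
# reviewed as text (dry run) before it touches a live kernel.
# Assumed tool paths: /sbin/iptables and /sbin/sysctl.

IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
LAN_A=eth0; NET_A=192.168.0.0/24
LAN_B=eth1; NET_B=192.168.1.0/24
WAN=eth2

flush_rules() {
    $IPT -F; $IPT -X; $IPT -Z
    $IPT -t nat -F
}

set_policies() {
    # Deny by default for traffic to and through the box; OUTPUT stays open
    # (the "lax" variant from GenKreton's post).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the router itself opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets from the internet claiming an internal source are spoofed.
    $IPT -A INPUT -i "$WAN" -s "$NET_A" -j DROP
    $IPT -A INPUT -i "$WAN" -s "$NET_B" -j DROP
    # Both segments may reach the router's own services (web, mail, print,
    # dhcp, dns ...), but only with a source address from their own segment.
    $IPT -A INPUT -i "$LAN_A" -s "$NET_A" -j ACCEPT
    $IPT -A INPUT -i "$LAN_B" -s "$NET_B" -j ACCEPT
    # The one service reachable from the internet (assumption: ssh only).
    # Everything else on INPUT falls through to the DROP policy, so no
    # separate "privileged port" rules are needed.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only packets whose source matches the segment they arrived on may be
    # forwarded, to the other segment or to the internet. To restrict A<->B
    # later, insert more specific rules ahead of these two blanket accepts.
    $IPT -A FORWARD -i "$LAN_A" -s "$NET_A" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B" -s "$NET_B" -j ACCEPT
    # New connections from the internet are never forwarded inward:
    # they hit the FORWARD DROP policy.
}

nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

kernel_settings() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.conf.default.rp_filter=1
}

# Emit the complete ruleset in order; with IPT=echo SYSCTL=echo it is printed.
generate_rules() {
    flush_rules; set_policies; input_rules; forward_rules; nat_rules; kernel_settings
}

# Default is a dry run; pass --apply (as root) to load the rules for real.
case "${1:-}" in
    --apply) generate_rules ;;
    *)       IPT=echo SYSCTL=echo generate_rules ;;
esac
```

Because both chains default to DROP, every ACCEPT here is an explicit decision, which is the property speed_bump asked about: reading the dry-run output top to bottom tells you exactly what is let in, and anything not listed is denied without a further rule. The two FORWARD accepts are also the place to tighten the A<->B traffic later: a rule permitting only a specific port from NET_A to NET_B, inserted in front of that segment's blanket accept, narrows the inter-segment traffic without touching the internet-facing rules.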