* Having trouble properly configuring my firewall
@ 2012-04-24 8:09 Richard Thornton
2012-04-24 8:49 ` John Lister
2012-04-24 17:09 ` Humberto Jucá
0 siblings, 2 replies; 5+ messages in thread
From: Richard Thornton @ 2012-04-24 8:09 UTC (permalink / raw)
To: netfilter
Hi,
I hope you can help, please be gentle as it's my first time with raw
iptables, I have used other firewalls though.
I have a working config, my internal network can get out to the
internet but because of a lack of understanding I have opened up SSH
on the firewall to the internet:
1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
2*mangle
3:PREROUTING ACCEPT [3292:1334085]
4:INPUT ACCEPT [462:36946]
5:FORWARD ACCEPT [2826:1297011]
6:OUTPUT ACCEPT [268:37651]
7:POSTROUTING ACCEPT [3075:1327352]
8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
--mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
9COMMIT
10# Completed on Tue Apr 24 16:51:19 2012
11# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
12*nat
13:PREROUTING ACCEPT [130:12667]
14:INPUT ACCEPT [4:586]
15:OUTPUT ACCEPT [4:264]
16:POSTROUTING ACCEPT [0:0]
17-A POSTROUTING -o ppp0 -j MASQUERADE
18COMMIT
19# Completed on Tue Apr 24 16:51:19 2012
20# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
21*filter
22:INPUT DROP [0:0]
23:FORWARD DROP [0:0]
24:OUTPUT DROP [0:0]
25-A INPUT -i lo -j ACCEPT
26-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2
-m tcp --dport 22 -j ACCEPT
27-A INPUT -i ppp0 -j ACCEPT
28-A INPUT -j DROP
29-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
30-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
31-A FORWARD -i br0 -o ppp0 -j ACCEPT
32-A FORWARD -j DROP
33-A OUTPUT -o lo -j ACCEPT
34-A OUTPUT -o br0 -j ACCEPT
35-A OUTPUT -o ppp0 -j ACCEPT
36-A OUTPUT -j DROP
37COMMIT
37# Completed on Tue Apr 24 16:51:19 2012
I believe my mistake is in either line 27 or line 35 but if I remove
either of them my firewall fails to be able to access the internet
locally for apt and stuff.
To add some background basically I have the following running on an
ubuntu 12.04 server:
ppp0 brought up on eth0
br0 a bridge which includes wlan0 and eth2 (office lan)
eth3 (lab mgmt)
eth4 (lab)
eth5 (quarantined pc)
So the firewall should be able to access the internet but the internet
should not be able to access the firewall.
Users on br0 should be able to access the internet, lab, lab mgmt, firewall
The lab should be able to access the internet
Lab mgmt should be able to access the internet, there are 8 IPs in
here and I have public IPs for them all but I need to setup SNAT and
fwknop doing DNAT to access them:
iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
With the above I am worried that this will conflict with line 17...
I believe fwknop will handle the DNAT stuff automagically.
The quarantined PC should be able to access the internet but nothing else
I have a way to go :)
Thanks for looking.
Kind Regards
Richard
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Having trouble properly configuring my firewall
2012-04-24 8:09 Having trouble properly configuring my firewall Richard Thornton
@ 2012-04-24 8:49 ` John Lister
2012-04-24 10:34 ` Jan Engelhardt
2012-04-24 17:09 ` Humberto Jucá
1 sibling, 1 reply; 5+ messages in thread
From: John Lister @ 2012-04-24 8:49 UTC (permalink / raw)
To: Richard Thornton; +Cc: netfilter
A quick perusal, shows a couple of things. Firstly I'm not familiar with
the conntrack or physdev modules, I'd just use the state module and -i
respectively - but i'd imagine they do the same. Secondly, it is usually
cleaner to set the policy on INPUT to drop and remove line 28. Add a
rule to let anything on eth2 in (I assume it is safe).
Remove the output rules, I generally don't drop outgoing stuff - unless
you need to restrict access for a specific reason and then block that.
Add rules to block eth5 from seeing anything internal. The same goes for
FORWARD
Also I assume you've enabled forwarding in the kernel
Hope that helps
On 24/04/2012 09:09, Richard Thornton wrote:
> Hi,
>
> I hope you can help, please be gentle as it's my first time with raw
> iptables, I have used other firewalls though.
>
> I have a working config, my internal network can get out to the
> internet but because of a lack of understanding I have opened up SSH
> on the firewall to the internet:
>
> 1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 2*mangle
> 3:PREROUTING ACCEPT [3292:1334085]
> 4:INPUT ACCEPT [462:36946]
> 5:FORWARD ACCEPT [2826:1297011]
> 6:OUTPUT ACCEPT [268:37651]
> 7:POSTROUTING ACCEPT [3075:1327352]
> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
> 9COMMIT
> 10# Completed on Tue Apr 24 16:51:19 2012
> 11# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 12*nat
> 13:PREROUTING ACCEPT [130:12667]
> 14:INPUT ACCEPT [4:586]
> 15:OUTPUT ACCEPT [4:264]
> 16:POSTROUTING ACCEPT [0:0]
> 17-A POSTROUTING -o ppp0 -j MASQUERADE
> 18COMMIT
> 19# Completed on Tue Apr 24 16:51:19 2012
> 20# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 21*filter
> 22:INPUT DROP [0:0]
> 23:FORWARD DROP [0:0]
> 24:OUTPUT DROP [0:0]
> 25-A INPUT -i lo -j ACCEPT
> 26-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2
> -m tcp --dport 22 -j ACCEPT
> 27-A INPUT -i ppp0 -j ACCEPT
> 28-A INPUT -j DROP
> 29-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 30-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 31-A FORWARD -i br0 -o ppp0 -j ACCEPT
> 32-A FORWARD -j DROP
> 33-A OUTPUT -o lo -j ACCEPT
> 34-A OUTPUT -o br0 -j ACCEPT
> 35-A OUTPUT -o ppp0 -j ACCEPT
> 36-A OUTPUT -j DROP
> 37COMMIT
> 37# Completed on Tue Apr 24 16:51:19 2012
>
> I believe my mistake is in either line 27 or line 35 but if I remove
> either of them my firewall fails to be able to access the internet
> locally for apt and stuff.
>
> To add some background basically I have the following running on an
> ubuntu 12.04 server:
>
> ppp0 brought up on eth0
> br0 a bridge which includes wlan0 and eth2 (office lan)
> eth3 (lab mgmt)
> eth4 (lab)
> eth5 (quarantined pc)
>
> So the firewall should be able to access the internet but the internet
> should not be able to access the firewall.
> Users on br0 should be able to access the internet, lab, lab mgmt, firewall
> The lab should be able to access the internet
> Lab mgmt should be able to access the internet, there are 8 IPs in
> here and I have public IPs for them all but I need to setup SNAT and
> fwknop doing DNAT to access them:
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
>
> With the above I am worried that this will conflict with line 17...
>
> I believe fwknop will handle the DNAT stuff automagically.
>
> The quarantined PC should be able to access the internet but nothing else
>
> I have a way to go :)
>
> Thanks for looking.
>
> Kind Regards
> Richard
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
www.pricegoblin.co.uk
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Having trouble properly configuring my firewall
2012-04-24 8:49 ` John Lister
@ 2012-04-24 10:34 ` Jan Engelhardt
2012-04-24 13:13 ` Andy Furniss
0 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2012-04-24 10:34 UTC (permalink / raw)
To: John Lister; +Cc: Richard Thornton, netfilter
On Tuesday 2012-04-24 10:49, John Lister wrote:
> A quick perusal, shows a couple of things. Firstly I'm not familiar with the
> conntrack or physdev modules, I'd just use the state module and -i respectively
> - but i'd imagine they do the same.
conntrack does more than state, so in any case you should definitely use
it.
physdev is obviously required for bridge (if there is one) interaction.
>> I have a working config, my internal network can get out to the
>> internet but because of a lack of understanding I have opened up SSH
>> on the firewall to the internet:
>>
>> 1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
>> 2*mangle
>> 3:PREROUTING ACCEPT [3292:1334085]
>> 4:INPUT ACCEPT [462:36946]
>> 5:FORWARD ACCEPT [2826:1297011]
>> 6:OUTPUT ACCEPT [268:37651]
>> 7:POSTROUTING ACCEPT [3075:1327352]
>> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
>> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
One does not really need TCPMSS, for there is PMTUD.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Having trouble properly configuring my firewall
2012-04-24 10:34 ` Jan Engelhardt
@ 2012-04-24 13:13 ` Andy Furniss
0 siblings, 0 replies; 5+ messages in thread
From: Andy Furniss @ 2012-04-24 13:13 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: John Lister, Richard Thornton, netfilter
Jan Engelhardt wrote:
> On Tuesday 2012-04-24 10:49, John Lister wrote:
>>> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
>>> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
>
> One does not really need TCPMSS, for there is PMTUD.
Hmm, did someone mend the internet for pppoe users, or maybe I
misunderstand what you mean.
-m tcpmss --mss 1400:65495
looks redundant. I suppose you really need to assess your own situation
in any case (I had an ISP once that for a while caused 64k mtu on ppp).
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Having trouble properly configuring my firewall
2012-04-24 8:09 Having trouble properly configuring my firewall Richard Thornton
2012-04-24 8:49 ` John Lister
@ 2012-04-24 17:09 ` Humberto Jucá
1 sibling, 0 replies; 5+ messages in thread
From: Humberto Jucá @ 2012-04-24 17:09 UTC (permalink / raw)
To: Richard Thornton; +Cc: netfilter
Hi,
For your INPUT rules:
- Change the order of rules 28 and 29 - process the "DROP" rule after
"state ACCEPT"
- Remove rule 27
2012/4/24 Richard Thornton <richie.thornton@gmail.com>:
> Hi,
>
> I hope you can help, please be gentle as it's my first time with raw
> iptables, I have used other firewalls though.
>
> I have a working config, my internal network can get out to the
> internet but because of a lack of understanding I have opened up SSH
> on the firewall to the internet:
>
> 1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 2*mangle
> 3:PREROUTING ACCEPT [3292:1334085]
> 4:INPUT ACCEPT [462:36946]
> 5:FORWARD ACCEPT [2826:1297011]
> 6:OUTPUT ACCEPT [268:37651]
> 7:POSTROUTING ACCEPT [3075:1327352]
> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
> 9COMMIT
> 10# Completed on Tue Apr 24 16:51:19 2012
> 11# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 12*nat
> 13:PREROUTING ACCEPT [130:12667]
> 14:INPUT ACCEPT [4:586]
> 15:OUTPUT ACCEPT [4:264]
> 16:POSTROUTING ACCEPT [0:0]
> 17-A POSTROUTING -o ppp0 -j MASQUERADE
> 18COMMIT
> 19# Completed on Tue Apr 24 16:51:19 2012
> 20# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 21*filter
> 22:INPUT DROP [0:0]
> 23:FORWARD DROP [0:0]
> 24:OUTPUT DROP [0:0]
> 25-A INPUT -i lo -j ACCEPT
> 26-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2
> -m tcp --dport 22 -j ACCEPT
> 27-A INPUT -i ppp0 -j ACCEPT
> 28-A INPUT -j DROP
> 29-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 30-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 31-A FORWARD -i br0 -o ppp0 -j ACCEPT
> 32-A FORWARD -j DROP
> 33-A OUTPUT -o lo -j ACCEPT
> 34-A OUTPUT -o br0 -j ACCEPT
> 35-A OUTPUT -o ppp0 -j ACCEPT
> 36-A OUTPUT -j DROP
> 37COMMIT
> 37# Completed on Tue Apr 24 16:51:19 2012
>
> I believe my mistake is in either line 27 or line 35 but if I remove
> either of them my firewall fails to be able to access the internet
> locally for apt and stuff.
>
> To add some background basically I have the following running on an
> ubuntu 12.04 server:
>
> ppp0 brought up on eth0
> br0 a bridge which includes wlan0 and eth2 (office lan)
> eth3 (lab mgmt)
> eth4 (lab)
> eth5 (quarantined pc)
>
> So the firewall should be able to access the internet but the internet
> should not be able to access the firewall.
> Users on br0 should be able to access the internet, lab, lab mgmt, firewall
> The lab should be able to access the internet
> Lab mgmt should be able to access the internet, there are 8 IPs in
> here and I have public IPs for them all but I need to setup SNAT and
> fwknop doing DNAT to access them:
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
>
> With the above I am worried that this will conflict with line 17...
>
> I believe fwknop will handle the DNAT stuff automagically.
>
> The quarantined PC should be able to access the internet but nothing else
>
> I have a way to go :)
>
> Thanks for looking.
>
> Kind Regards
> Richard
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-04-24 17:09 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-04-24 8:09 Having trouble properly configuring my firewall Richard Thornton
2012-04-24 8:49 ` John Lister
2012-04-24 10:34 ` Jan Engelhardt
2012-04-24 13:13 ` Andy Furniss
2012-04-24 17:09 ` Humberto Jucá
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.