* Having trouble properly configuring my firewall
@ 2012-04-24  8:09 Richard Thornton
  2012-04-24  8:49 ` John Lister
  2012-04-24 17:09 ` Humberto Jucá
From: Richard Thornton @ 2012-04-24  8:09 UTC (permalink / raw)
  To: netfilter

Hi,

I hope you can help; please be gentle, as it's my first time with raw
iptables, though I have used other firewalls.

I have a working config, my internal network can get out to the
internet but because of a lack of understanding I have opened up SSH
on the firewall to the internet:

1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
2*mangle
3:PREROUTING ACCEPT [3292:1334085]
4:INPUT ACCEPT [462:36946]
5:FORWARD ACCEPT [2826:1297011]
6:OUTPUT ACCEPT [268:37651]
7:POSTROUTING ACCEPT [3075:1327352]
8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
--mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
9COMMIT
10# Completed on Tue Apr 24 16:51:19 2012
11# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
12*nat
13:PREROUTING ACCEPT [130:12667]
14:INPUT ACCEPT [4:586]
15:OUTPUT ACCEPT [4:264]
16:POSTROUTING ACCEPT [0:0]
17-A POSTROUTING -o ppp0 -j MASQUERADE
18COMMIT
19# Completed on Tue Apr 24 16:51:19 2012
20# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
21*filter
22:INPUT DROP [0:0]
23:FORWARD DROP [0:0]
24:OUTPUT DROP [0:0]
25-A INPUT -i lo -j ACCEPT
26-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2
-m tcp --dport 22 -j ACCEPT
27-A INPUT -i ppp0 -j ACCEPT
28-A INPUT -j DROP
29-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
30-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
31-A FORWARD -i br0 -o ppp0 -j ACCEPT
32-A FORWARD -j DROP
33-A OUTPUT -o lo -j ACCEPT
34-A OUTPUT -o br0 -j ACCEPT
35-A OUTPUT -o ppp0 -j ACCEPT
36-A OUTPUT -j DROP
37COMMIT
37# Completed on Tue Apr 24 16:51:19 2012

I believe my mistake is in either line 27 or line 35 but if I remove
either of them my firewall fails to be able to access the internet
locally for apt and stuff.

To add some background, basically I have the following running on an
Ubuntu 12.04 server:

ppp0 brought up on eth0
br0 a bridge which includes wlan0 and eth2 (office lan)
eth3 (lab mgmt)
eth4 (lab)
eth5 (quarantined pc)

So the firewall should be able to access the internet but the internet
should not be able to access the firewall.
Users on br0 should be able to access the internet, lab, lab mgmt, firewall
The lab should be able to access the internet
Lab mgmt should be able to access the internet; there are 8 IPs in
here and I have public IPs for them all, but I need to set up SNAT and
fwknop doing DNAT to access them:

iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y

With the above I am worried that this will conflict with line 17...

I believe fwknop will handle the DNAT stuff automagically.

The quarantined PC should be able to access the internet but nothing else.

I have a way to go :)

Thanks for looking.

Kind Regards
Richard


* Re: Having trouble properly configuring my firewall
  2012-04-24  8:09 Having trouble properly configuring my firewall Richard Thornton
@ 2012-04-24  8:49 ` John Lister
  2012-04-24 10:34   ` Jan Engelhardt
  2012-04-24 17:09 ` Humberto Jucá
From: John Lister @ 2012-04-24  8:49 UTC (permalink / raw)
  To: Richard Thornton; +Cc: netfilter

A quick perusal shows a couple of things. Firstly, I'm not familiar with 
the conntrack or physdev modules; I'd just use the state module and -i 
respectively, but I'd imagine they do the same. Secondly, it is usually 
cleaner to set the policy on INPUT to drop and remove line 28. Add a 
rule to let anything on eth2 in (I assume it is safe).
Remove the output rules; I generally don't drop outgoing stuff, unless 
you need to restrict access for a specific reason, and then block that. 
Add rules to block eth5 from seeing anything internal. The same goes for 
FORWARD.

Also, I assume you've enabled forwarding in the kernel.

Hope that helps

On 24/04/2012 09:09, Richard Thornton wrote:
> Hi,
>
> I hope you can help, please be gentle as it's my first time with raw
> iptables, I have used other firewalls though.
>
> I have a working config, my internal network can get out to the
> internet but because of a lack of understanding I have opened up SSH
> on the firewall to the internet:
>
> 1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 2*mangle
> 3:PREROUTING ACCEPT [3292:1334085]
> 4:INPUT ACCEPT [462:36946]
> 5:FORWARD ACCEPT [2826:1297011]
> 6:OUTPUT ACCEPT [268:37651]
> 7:POSTROUTING ACCEPT [3075:1327352]
> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
> 9COMMIT
> 10# Completed on Tue Apr 24 16:51:19 2012
> 11# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 12*nat
> 13:PREROUTING ACCEPT [130:12667]
> 14:INPUT ACCEPT [4:586]
> 15:OUTPUT ACCEPT [4:264]
> 16:POSTROUTING ACCEPT [0:0]
> 17-A POSTROUTING -o ppp0 -j MASQUERADE
> 18COMMIT
> 19# Completed on Tue Apr 24 16:51:19 2012
> 20# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 21*filter
> 22:INPUT DROP [0:0]
> 23:FORWARD DROP [0:0]
> 24:OUTPUT DROP [0:0]
> 25-A INPUT -i lo -j ACCEPT
> 26-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2
> -m tcp --dport 22 -j ACCEPT
> 27-A INPUT -i ppp0 -j ACCEPT
> 28-A INPUT -j DROP
> 29-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 30-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 31-A FORWARD -i br0 -o ppp0 -j ACCEPT
> 32-A FORWARD -j DROP
> 33-A OUTPUT -o lo -j ACCEPT
> 34-A OUTPUT -o br0 -j ACCEPT
> 35-A OUTPUT -o ppp0 -j ACCEPT
> 36-A OUTPUT -j DROP
> 37COMMIT
> 37# Completed on Tue Apr 24 16:51:19 2012
>
> I believe my mistake is in either line 27 or line 35 but if I remove
> either of them my firewall fails to be able to access the internet
> locally for apt and stuff.
>
> To add some background basically I have the following running on an
> ubuntu 12.04 server:
>
> ppp0 brought up on eth0
> br0 a bridge which includes wlan0 and eth2 (office lan)
> eth3 (lab mgmt)
> eth4 (lab)
> eth5 (quarantined pc)
>
> So the firewall should be able to access the internet but the internet
> should not be able to access the firewall.
> Users on br0 should be able to access the internet, lab, lab mgmt, firewall
> The lab should be able to access the internet
> Lab mgmt should be able to access the internet, there are 8 IPs in
> here and I have public IPs for them all but I need to setup SNAT and
> fwknop doing DNAT to access them:
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
>
> With the above I am worried that this will conflict with line 17...
>
> I believe fwknop will handle the DNAT stuff automagically.
>
> The quarantined PC should be able to access the internet but nothing else
>
> I have a way to go :)
>
> Thanks for looking.
>
> Kind Regards
> Richard





* Re: Having trouble properly configuring my firewall
  2012-04-24  8:49 ` John Lister
@ 2012-04-24 10:34   ` Jan Engelhardt
  2012-04-24 13:13     ` Andy Furniss
From: Jan Engelhardt @ 2012-04-24 10:34 UTC (permalink / raw)
  To: John Lister; +Cc: Richard Thornton, netfilter

On Tuesday 2012-04-24 10:49, John Lister wrote:

> A quick perusal, shows a couple of things. Firstly I'm not familiar with the
> conntrack or physdev modules, I'd just use the state module and -i respectively
> - but i'd imagine they do the same.

conntrack does more than state, so in any case you should definitely use 
it.
physdev is obviously required for bridge (if there is one) interaction.

>> I have a working config, my internal network can get out to the
>> internet but because of a lack of understanding I have opened up SSH
>> on the firewall to the internet:
>>
>> 1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
>> 2*mangle
>> 3:PREROUTING ACCEPT [3292:1334085]
>> 4:INPUT ACCEPT [462:36946]
>> 5:FORWARD ACCEPT [2826:1297011]
>> 6:OUTPUT ACCEPT [268:37651]
>> 7:POSTROUTING ACCEPT [3075:1327352]
>> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
>> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu

One does not really need TCPMSS, for there is PMTUD.



* Re: Having trouble properly configuring my firewall
  2012-04-24 10:34   ` Jan Engelhardt
@ 2012-04-24 13:13     ` Andy Furniss
From: Andy Furniss @ 2012-04-24 13:13 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: John Lister, Richard Thornton, netfilter

Jan Engelhardt wrote:
> On Tuesday 2012-04-24 10:49, John Lister wrote:

>>> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
>>> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
>
> One does not really need TCPMSS, for there is PMTUD.

Hmm, did someone mend the internet for pppoe users, or maybe I 
misunderstand what you mean.

-m tcpmss --mss 1400:65495

looks redundant. I suppose you really need to assess your own situation 
in any case (I had an ISP once that for a while caused 64k mtu on ppp).



* Re: Having trouble properly configuring my firewall
  2012-04-24  8:09 Having trouble properly configuring my firewall Richard Thornton
  2012-04-24  8:49 ` John Lister
@ 2012-04-24 17:09 ` Humberto Jucá
From: Humberto Jucá @ 2012-04-24 17:09 UTC (permalink / raw)
  To: Richard Thornton; +Cc: netfilter

Hi,

For your INPUT rules:

- Change the order of rules 28 and 29 - process the "DROP" rule after
"state ACCEPT"
- Remove rule 27



2012/4/24 Richard Thornton <richie.thornton@gmail.com>:
> Hi,
>
> I hope you can help, please be gentle as it's my first time with raw
> iptables, I have used other firewalls though.
>
> I have a working config, my internal network can get out to the
> internet but because of a lack of understanding I have opened up SSH
> on the firewall to the internet:
>
> 1# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 2*mangle
> 3:PREROUTING ACCEPT [3292:1334085]
> 4:INPUT ACCEPT [462:36946]
> 5:FORWARD ACCEPT [2826:1297011]
> 6:OUTPUT ACCEPT [268:37651]
> 7:POSTROUTING ACCEPT [3075:1327352]
> 8-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss
> --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
> 9COMMIT
> 10# Completed on Tue Apr 24 16:51:19 2012
> 11# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 12*nat
> 13:PREROUTING ACCEPT [130:12667]
> 14:INPUT ACCEPT [4:586]
> 15:OUTPUT ACCEPT [4:264]
> 16:POSTROUTING ACCEPT [0:0]
> 17-A POSTROUTING -o ppp0 -j MASQUERADE
> 18COMMIT
> 19# Completed on Tue Apr 24 16:51:19 2012
> 20# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 21*filter
> 22:INPUT DROP [0:0]
> 23:FORWARD DROP [0:0]
> 24:OUTPUT DROP [0:0]
> 25-A INPUT -i lo -j ACCEPT
> 26-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2
> -m tcp --dport 22 -j ACCEPT
> 27-A INPUT -i ppp0 -j ACCEPT
> 28-A INPUT -j DROP
> 29-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 30-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 31-A FORWARD -i br0 -o ppp0 -j ACCEPT
> 32-A FORWARD -j DROP
> 33-A OUTPUT -o lo -j ACCEPT
> 34-A OUTPUT -o br0 -j ACCEPT
> 35-A OUTPUT -o ppp0 -j ACCEPT
> 36-A OUTPUT -j DROP
> 37COMMIT
> 37# Completed on Tue Apr 24 16:51:19 2012
>
> I believe my mistake is in either line 27 or line 35 but if I remove
> either of them my firewall fails to be able to access the internet
> locally for apt and stuff.
>
> To add some background basically I have the following running on an
> ubuntu 12.04 server:
>
> ppp0 brought up on eth0
> br0 a bridge which includes wlan0 and eth2 (office lan)
> eth3 (lab mgmt)
> eth4 (lab)
> eth5 (quarantined pc)
>
> So the firewall should be able to access the internet but the internet
> should not be able to access the firewall.
> Users on br0 should be able to access the internet, lab, lab mgmt, firewall
> The lab should be able to access the internet
> Lab mgmt should be able to access the internet, there are 8 IPs in
> here and I have public IPs for them all but I need to setup SNAT and
> fwknop doing DNAT to access them:
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
>
> With the above I am worried that this will conflict with line 17...
>
> I believe fwknop will handle the DNAT stuff automagically.
>
> The quarantined PC should be able to access the internet but nothing else
>
> I have a way to go :)
>
> Thanks for looking.
>
> Kind Regards
> Richard
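A worked model of the INPUT-chain ordering that John and Humberto point at (the catch-all DROP in rule 28 shadows the conntrack ACCEPT in rule 29, and rule 27 admits any traffic arriving on ppp0), as an added example that is not code from the thread. It is a first-match simulation in Python over constructed packets, not real iptables; the FIXED_INPUT chain follows Humberto's two suggestions and the field names are assumptions for the model.

```python
# Added example (not from the thread): first-match model of the posted INPUT
# chain (rules 25-29). Packets and the fixed chain are constructed here.
ESTABLISHED = ("RELATED", "ESTABLISHED")        # tuple = any of these values
OFFICE_SSH = {"physdev_in": "eth2", "proto": "tcp", "dport": 22,
              "dst": "192.168.100.254"}
# A rule is (match, target); an empty match hits every packet.
ORIGINAL_INPUT = [
    ({"in": "lo"}, "ACCEPT"),                   # 25
    (OFFICE_SSH, "ACCEPT"),                     # 26
    ({"in": "ppp0"}, "ACCEPT"),                 # 27: anything from the internet
    ({}, "DROP"),                               # 28: catch-all
    ({"ctstate": ESTABLISHED}, "ACCEPT"),       # 29: never reached
]
# What Richard tried: rule 27 removed, everything else unchanged.
WITHOUT_27 = [r for r in ORIGINAL_INPUT if r[0] != {"in": "ppp0"}]
# Humberto's fix: rule 27 gone, conntrack ACCEPT ahead of the catch-all DROP.
FIXED_INPUT = [
    ({"in": "lo"}, "ACCEPT"),
    ({"ctstate": ESTABLISHED}, "ACCEPT"),
    (OFFICE_SSH, "ACCEPT"),
    ({}, "DROP"),
]
def matches(match, pkt):
    # Every field in the match must agree with the packet.
    for field, want in match.items():
        have = pkt.get(field)
        ok = have in want if isinstance(want, tuple) else have == want
        if not ok:
            return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    # First matching rule decides; otherwise the chain policy applies.
    for match, target in chain:
        if matches(match, pkt):
            return target
    return policy

def unreachable(chain):
    # Indices of rules placed after an unconditional terminating rule.
    for i, (match, target) in enumerate(chain):
        if not match and target in ("ACCEPT", "DROP", "REJECT"):
            return list(range(i + 1, len(chain)))
    return []

# Constructed packets: apt's reply over ppp0, SSH from the internet, SSH from the office LAN.
APT_REPLY = {"in": "ppp0", "proto": "tcp", "sport": 80, "ctstate": "ESTABLISHED"}
INET_SSH = {"in": "ppp0", "proto": "tcp", "dport": 22, "ctstate": "NEW"}
LAN_SSH = {"in": "br0", "physdev_in": "eth2", "proto": "tcp", "dport": 22,
           "dst": "192.168.100.254", "ctstate": "NEW"}
```

Running evaluate() over these shows the two symptoms from the original post together: with rule 27 present, INET_SSH is accepted; with it simply removed, APT_REPLY dies at rule 28 before rule 29 is consulted, which is why apt stopped working.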

