iptables firewall do-over - Networking



Thread: iptables firewall do-over

  1. iptables firewall do-over

    I am revisiting my firewall and before I begin, I need to make sure my
    understandings are right.

    Here's the geography:

    WAN (Internet) public routable IPs

    Interface (ppp0)

    fw machine

    interface (eth1)

    LAN private non-routable IPs

    Assuming NAT is setup correctly, Here's what I'm thinking.

    Since the LAN uses only non-routable IPs, and there is no one on the
    LAN that I'm worried about, I only need to focus on NEW packets from
    ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
    NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
    of non-routable IP addresses.

    Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
    Then by looking at specific ports, protocols, and interface sources,
    selectively jump to ACCEPT. Everything else should fall through to the
    default policy (DROP). It almost sounds like I could get away with one
    rule -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT.

    If these assumptions are correct, is there anything on ppp0 --state NEW
    that should get accepted?


    Bill







  2. Re: iptables firewall do-over

    On 19 June, 00:59, William Gill wrote:
    > I am revisiting my firewall and before I begin, I need to make sure my
    > understandings are right.
    >
    > Here's the geography:
    >
    > WAN (Internet) public routable IPs
    >
    > Interface (ppp0)
    >
    > fw machine
    >
    > interface (eth1)
    >
    > LAN private non-routable IPs
    >
    > Assuming NAT is setup correctly, Here's what I'm thinking.
    >
    > Since the LAN uses only non-routable IP's, and there is no one on the
    > LAN that I'm worried about, I only need to focus on NEW packets from
    > ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
    > NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
    > of non-routable IP addresses.
    >
    > Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
    > Then by looking at specific ports, protocols, and interface sources,
    > selectively jump to ACCEPT. Everything else should fall through to the
    > default policy (DROP). It almost sounds like I could get away with one
    > rule -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT.
    >
    > If these assumptions are correct, is there anything on ppp0 --state NEW
    > that should get accepted?
    >
    > Bill


    I prefer to set DROP as the default policy for OUTPUT. It prevents
    connections from your firewall to the Internet from being established.
    Generally, for a firewall-only machine (i.e. no servers running) I like
    this:
    on ppp0
    INPUT : DROP except icmp (and ssh if you want to connect to your fws
    from the outside)
    OUTPUT : DROP except icmp (and ssh if you want to connect to your fws
    from the outside)
    on eth1
    INPUT : DROP except ping / ssh <-- here you need new/established
    OUTPUT : DROP except ping / ssh <-- here you need established (neither
    new nor related)
    for the NAT :
    FORWARD : DROP except protocols that may pass (http(s) / smtp(s), ssh,
    ftp, icmp...) <-- here : new, established, related for packets coming
    from eth1; established/related for packets from ppp0



  3. Re: iptables firewall do-over



    Mouquiette wrote:
    > On 19 June, 00:59, William Gill wrote:
    >> I am revisiting my firewall and before I begin, I need to make sure my
    >> understandings are right.
    >>
    >> Here's the geography:
    >>
    >> WAN (Internet) public routable IPs
    >>
    >> Interface (ppp0)
    >>
    >> fw machine
    >>
    >> interface (eth1)
    >>
    >> LAN private non-routable IPs
    >>
    >> Assuming NAT is setup correctly, Here's what I'm thinking.
    >>
    >> Since the LAN uses only non-routable IP's, and there is no one on the
    >> LAN that I'm worried about, I only need to focus on NEW packets from
    >> ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
    >> NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
    >> of non-routable IP addresses.
    >>
    >> Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
    >> Then by looking at specific ports, protocols, and interface sources,
    >> selectively jump to ACCEPT. Everything else should fall through to the
    >> default policy (DROP). It almost sounds like I could get away with one
    >> rule -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT.
    >>
    >> If these assumptions are correct, is there anything on ppp0 --state NEW
    >> that should get accepted?
    >>
    >> Bill

    >
    > I prefer to set DROP as the default policy for OUTPUT. It prevents
    > connections from your firewall to the Internet from being established.
    > Generally, for a firewall-only machine (i.e. no servers running) I like
    > this:


    It has a couple of servers (for LAN side only) that I use for testing,
    but I am reevaluating their necessity, and may shut them down.

    > on ppp0
    > INPUT : DROP except icmp (and ssh if you want to connect to your fws
    > from the outside)


    I debated the need to allow ICMP. Is it "bad etiquette" to ignore pings?

    > OUTPUT : DROP except icmp (and ssh if you want to connect to your fws
    > from the outside)
    > on eth1


    > INPUT : DROP except ping / ssh <-- here you need new/established
    > OUTPUT : DROP except ping / ssh <-- here you need established (neither
    > new nor related)
    > for the NAT :
    > FORWARD : DROP except protocols that may pass (http(s) / smtp(s), ssh,
    > ftp, icmp...) <-- here : new, established, related for packets coming
    > from eth1; established/related for packets from ppp0


    Ok, here's where I may be off in my thinking. I thought routable vs.
    non-routable addresses provided most of the needed security without having
    to examine every packet? I suppose someone could guess destination
    addresses, but how could they do the needed NAT?

    Anyway, I will evaluate and make some adjustments (like INPUT && -i
    eth1 && -p ??? = ACCEPT, etc.) I may not get to it today, but I'll post
    generic logic, and questions for consideration before I hammer out the
    rule syntax.

    Thanks,

    Bill



  4. Re: iptables firewall do-over

    William Gill said:
    >I am revisiting my firewall and before I begin, I need to make sure my
    >understandings are right.

    ....
    >Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
    > Then by looking at specific ports, protocols, and interface sources,
    >selectively jump to ACCEPT. Everything else should fall through to the
    >default policy (DROP). It almost sounds like I could get away with one
    >rule -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT.


    That's pretty much it. Blanket allowing inbound ICMP has no use; however
    the ESTABLISHED,RELATED rule is important, as it also covers ICMP that
    is related to something you've sent out. In other words, in general
    no-one is interested any longer whether a source address responds to ping
    or not.

    What might happen, in some rare cases is that when authenticating to
    a remote service, the remote system tries to do an ident query to
    the originating IP address, and will wait for quite a while if you
    just drop the packet. Thus, it'll be better to actively reject any
    traffic to ident port.

    Overall, whether it is better to DROP or REJECT is a conversation
    topic of its own; some claim that DROPping saves your bandwidth
    (no need to send rejects for robots knocking your machine), others
    claim that with an active reject, the robot moves on to the next
    target, but dropping a packet will cause retries.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)

  5. Re: iptables firewall do-over

    William Gill wrote:
    > I am revisiting my firewall and before I begin, I need to make sure my
    > understandings are right.
    >
    > Here's the geography:
    >
    > WAN (Internet) public routable IPs
    >
    > Interface (ppp0)
    >
    > fw machine
    >
    > interface (eth1)
    >
    > LAN private non-routable IPs
    >
    > Assuming NAT is setup correctly, Here's what I'm thinking.
    >
    > Since the LAN uses only non-routable IPs, and there is no one on the
    > LAN that I'm worried about, I only need to focus on NEW packets from
    > ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
    > NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
    > of non-routable IP addresses.
    >
    > Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
    > Then by looking at specific ports, protocols, and interface sources,
    > selectively jump to ACCEPT. Everything else should fall through to the
    > default policy (DROP). It almost sounds like I could get away with one
    > rule -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT.
    >
    > If these assumptions are correct, is there anything on ppp0 --state NEW
    > that should get accepted?

    Given some limited experience and my reading of man iptables, the answer
    is no - unless you want to run a server of some sort (ftp, ssh, etc.).
    However, to allow access to "fw machine" and the Internet from the rest
    of your LAN, a rule to ACCEPT new connections from the LAN interface is
    needed in the INPUT and FORWARD chains. A very basic firewall for PPP is
    given in

    http://www.netfilter.org/documentati...g-HOWTO-5.html

    --
    Clifford Kite
    /* Speak softly and carry a +6 two-handed sword. */
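Putting the replies together (Mouquiette's per-interface policy with OUTPUT defaulting to DROP, Juha's ESTABLISHED,RELATED rule and active REJECT of ident, Clifford's LAN-side accepts for NEW connections in INPUT and FORWARD), here is the resulting ruleset as an added example; it is not the thread's own ruleset nor the HOWTO's. The script only prints an iptables-restore(8) file so it can be reviewed before loading. The interface names, the LAN prefix 192.168.1.0/24, the outbound port list, the anti-spoof drops of the RFC 1918 blocks on ppp0, and letting the firewall itself resolve DNS are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not the thread's or the HOWTO's ruleset: print, in
# iptables-restore(8) format, the policy the replies converge on for a
# ppp0 (WAN) / eth1 (LAN) NAT box.  Nothing is applied; inspect, then:
#     gen_ruleset ppp0 eth1 192.168.1.0/24 no | iptables-restore
# Assumptions: interface names, the LAN prefix, the outbound port list,
# and that the firewall itself is allowed to resolve DNS.

gen_ruleset() {
    wan="$1"        # Internet-facing interface (ppp0 in the thread)
    lan="$2"        # LAN-facing interface (eth1)
    lan_net="$3"    # LAN prefix, RFC 1918, e.g. 192.168.1.0/24
    allow_ssh="$4"  # yes = accept NEW ssh from the Internet to the firewall

    # what the LAN may open outbound through the NAT (Mouquiette's list,
    # plus DNS below); ftp data connections arrive as RELATED only with
    # the ftp conntrack helper loaded
    fwd_tcp="21 22 25 80 443 465 993"

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
    # private sources never legitimately arrive from the Internet: drop
    # them first, in both chains a $wan packet can reach, so neither the
    # box nor the LAN trusts a spoofed 192.168.x.y
    for chain in INPUT FORWARD; do
        for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
            echo "-A $chain -i $wan -s $net -j DROP"
        done
    done
    # replies to anything the box or the LAN started; this also admits the
    # RELATED ICMP errors, so no blanket inbound ICMP rule is needed.
    # ident (tcp/113) gets a reset so remote servers do not hang waiting.
    cat <<EOF
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $lan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in $fwd_tcp; do
        echo "-A FORWARD -i $lan -o $wan -s $lan_net -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # the only NEW connection the Internet may open to the box, on request
    if [ "$allow_ssh" = yes ]; then
        echo "-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    fi
    # OUTPUT defaults to DROP (Mouquiette's preference), so list what the
    # box itself may originate: DNS and ping outward, ping and ssh to the LAN
    cat <<EOF
-A OUTPUT -o $wan -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $wan -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $lan -d $lan_net -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $lan -d $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

gen_ruleset ppp0 eth1 192.168.1.0/24 no
```

Three caveats. `-m state` is what the thread uses and still loads on current iptables, though `-m conntrack --ctstate` is the modern spelling. If the ISP hands ppp0 an address from one of the private blocks (some do), take that block out of the anti-spoof loop or the link's own traffic is dropped. With OUTPUT at DROP, anything else the firewall itself needs to originate (NTP, package updates, the test servers talking outward) has to be added explicitly; the ESTABLISHED,RELATED rule in OUTPUT only covers replies.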
