
Displaying firewall-router.txt



__   _
  -o)/ /  (_)__  __ ____  __      Derek Winterstien
  /\\ /__/ / _ \/ // /\ \/ /      r.o.a.c.h.@.r.o.b.o.t.z...c.o.m
 _\_v __/_/_//_/\_,_/ /_/\_\

supplemental: iptables firewall and internet connection sharing
using netfilter under linux.

This messy document has recently been revised

#####################################################################
## PART I: Education Section                                       ##
#####################################################################
.....................................................................
IPTABLES DEFINITIONS (chains)
`````````````````````````````````````````````````````````````````````

INPUT - only packets whose destination is the firewall host itself.  The
  routing decision has already been made and chose local delivery.  Do all
  filtering of traffic aimed at the firewall here.

FORWARD - packets passing through the firewall: the routing decision found
  that the destination is not the local machine, so the packet is being
  relayed to another host.  Do all filtering of traffic between the internal
  hosts and the Internet here.

  A packet that arrives addressed to the firewall can still end up in
  FORWARD: if a DNAT rule in the PREROUTING chain rewrites the destination
  address, the routing decision sees the rewritten address, not the
  original one.

OUTPUT - packets generated by the local host itself.  Filter outbound
  traffic that originates on the firewall here.

PREROUTING - the very first chain, traversed before the routing decision
  (it exists in the nat, mangle and raw tables, not in filter).  This is
  where destination NAT (DNAT, REDIRECT) belongs, because the rewritten
  address is what the routing decision then uses to pick INPUT or FORWARD.

POSTROUTING - the very last chain, traversed after routing, just as the
  packet is about to leave the firewall.  This is where source NAT (SNAT,
  MASQUERADE) belongs.  It exists only in the nat and mangle tables, so
  never try to filter here: by the time a packet reaches POSTROUTING it has
  already been accepted by INPUT/OUTPUT or FORWARD.
  
.....................................................................
IPTABLES DEFINITIONS (nat targets)
`````````````````````````````````````````````````````````````````````

DNAT - destination NAT (PREROUTING and OUTPUT chains of the nat table).
  Rewrites the destination address, and optionally the port, before
  routing.  Used to publish an internal server on the firewall's public
  address: --to-destination 10.10.0.5:80

SNAT - source NAT (POSTROUTING).  Rewrites the source address to a fixed
  address you give with --to-source, e.g. the firewall's static public
  IP.  Connection tracking translates the replies back automatically.

MASQUERADE - SNAT for interfaces whose address is not fixed (dial-up,
  DHCP broadband).  The source is rewritten to whatever address the
  outgoing interface has at that moment, and tracked connections are
  forgotten when the interface goes down.  Use SNAT instead when your
  public address is static.

REDIRECT - a special case of DNAT that rewrites the destination to the
  address of the interface the packet came in on (127.0.0.1 for locally
  generated packets), optionally changing the port.  Used for transparent
  proxies: -p tcp --dport 80 -j REDIRECT --to-ports 3128


#####################################################################
## PART II: INSTRUCTIONAL EXAMPLES                                 ##
#####################################################################
.....................................................................
BASIC IPTABLES RULES FOR HOME BROADBAND INTERNET CONNECTION SHARING:
`````````````````````````````````````````````````````````````````````

# Create the lock file that rc.local expects on Red Hat style systems
touch /var/lock/subsys/local

# Flush old rules (filter table only; without -t nat the NAT rules stay)
/sbin/iptables -F

# Rate-limit ICMP.  NOTE: "--limit 3" means 3 per HOUR (the default unit)
# with a burst of 5, not "3 connections".  ICMP packets over the limit do
# not match this rule and fall through to the rest of the chain, so with the
# default policy of ACCEPT this rule limits nothing.  A limit rule only bites
# when a later rule drops what it did not accept.
/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT

# Forward packets from the LAN (eth1) out to the Internet (eth0)
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT

# This is the main part: internet connection sharing
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 10.10.0.0/24 -j MASQUERADE

note:  You can place these iptables rules in your /etc/rc.local file.  They
will be executed when the system starts.  The FORWARD policy is still ACCEPT
here, which is why replies from the Internet get back to the LAN without an
explicit rule; as soon as you set the FORWARD policy to DROP you must also
accept RELATED,ESTABLISHED packets coming from eth0 to eth1 (the more
sophisticated example below has that rule).  Do not forget to enable packet
forwarding in the kernel, otherwise nothing is forwarded no matter what the
FORWARD chain says.  You can do this in rc.local as well:
echo 1 > /proc/sys/net/ipv4/ip_forward
or make it permanent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

.....................................................................
DELETING RULES AND KEEPING THEM IN THE SAME ORDER:
`````````````````````````````````````````````````````````````````````
The order of iptables rules is significant: the first matching terminating
rule in a chain decides the packet's fate.  Deleting a rule and then
"re-adding" it with -A appends it at the END of the chain, so it may land
below a catch-all REJECT or DROP rule and never match again.  Some
preconfigured firewalls have sections that are not meant to be user edited
for exactly this reason.

You may wish to experiment without the risk of locking yourself out of an
iptables firewall appliance.  You can remove a chain of rules and add them
again in the same order. (example)

#DELETE THE INPUT RULES ONE BY ONE (-D needs the exact rule spec) SO THEY CAN BE RELOADED
iptables -D INPUT -j LAN_ACCEPT    
iptables -D INPUT -p icmp -j ACCEPT
iptables -D INPUT -p gre -j ACCEPT                        
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset     
iptables -D INPUT -j REJECT --reject-with icmp-port-unreachable

#RELOAD THEM IN THE SAME ORDER 
iptables -A INPUT -j LAN_ACCEPT    
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT                        
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset     
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

The two catch-all REJECT rules at the end are what matter here: anything
appended after them can never match.  Deleting the whole set and reloading
it lets you change or add rules in the middle while the REJECTs stay last.

You can also replace a single rule in place with
  iptables -R INPUT <rulenum> <rule-spec>
or insert one at a given position with
  iptables -I INPUT <rulenum> <rule-spec>
(list the positions with iptables -L INPUT --line-numbers).  -R fails if the
rule number does not exist, and -I shifts the numbering of every rule below
it, so re-check the order with -L before trusting a script that uses them.
For anything larger, dump the ruleset with iptables-save, edit the text and
load it atomically with iptables-restore; the whole set is replaced in one
step, so there is no window where the REJECT rules are gone.
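The iptables-save/iptables-restore route described above, as an added example (this is not code from the original notes). It takes a dump in iptables-save format, places a new rule directly above the chain's first catch-all REJECT/DROP so the order of everything else is untouched, and returns the text to feed to iptables-restore. The dump below is constructed for the example; LAN_ACCEPT is the user-defined chain from the notes, and the rule being inserted is an arbitrary one chosen for illustration.

```python
"""Insert a rule into an iptables-save dump while keeping the chain's order.

Usage on a real box (the script reads a dump on stdin, writes the new one):
    iptables-save > /root/rules.before
    python3 insert_rule.py INPUT '-p tcp --dport 22 -s 10.10.0.0/24 -j ACCEPT' \
        < /root/rules.before > /root/rules.after
    iptables-restore --test < /root/rules.after && iptables-restore < /root/rules.after
"""
import sys

# Targets that end a chain for everything they match.  A rule with one of
# these and no match other than an optional "-p" shadows anything below it.
CATCH_ALL_TARGETS = {"DROP", "REJECT"}

# Constructed sample in iptables-save format, mirroring the notes' INPUT chain.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LAN_ACCEPT - [0:0]
-A INPUT -j LAN_ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A LAN_ACCEPT -s 10.10.0.0/24 -j ACCEPT
COMMIT
"""


def chain_rules(dump, chain):
    """All '-A <chain> ...' lines of the dump, in order."""
    prefix = f"-A {chain} "
    return [line for line in dump.splitlines() if line.startswith(prefix)]


def is_catch_all(rule):
    """True for '-A CHAIN [-p proto] -j DROP|REJECT ...', i.e. a rule that
    terminates everything (of that protocol) reaching it."""
    tokens = rule.split()
    if "-j" not in tokens:
        return False
    j = tokens.index("-j")
    target = tokens[j + 1] if j + 1 < len(tokens) else ""
    matches = tokens[2:j]  # everything between the chain name and -j
    only_proto = matches == [] or (len(matches) == 2 and matches[0] == "-p")
    return target in CATCH_ALL_TARGETS and only_proto


def insert_before_catch_all(dump, chain, rule_spec):
    """Return a new dump with '-A <chain> <rule_spec>' placed just above the
    chain's first catch-all, or after the chain's last rule if it has none."""
    lines = dump.splitlines()
    new_line = f"-A {chain} {rule_spec}"
    prefix = f"-A {chain} "
    last_idx = None
    for i, line in enumerate(lines):
        if not line.startswith(prefix):
            continue
        last_idx = i
        if is_catch_all(line):
            lines.insert(i, new_line)
            return "\n".join(lines) + "\n"
    if last_idx is None:
        raise ValueError(f"chain {chain} has no rules in the dump")
    lines.insert(last_idx + 1, new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: insert_rule.py CHAIN 'RULE-SPEC' < iptables-save-dump")
    sys.stdout.write(insert_before_catch_all(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

The catch-all test deliberately treats "-A INPUT -p tcp -j REJECT" as a catch-all for TCP but not "-A FORWARD -p tcp --dport 135 -j DROP", which only shadows one port; iptables-restore --test parses the result without loading it, so a typo in the rule spec is caught before the live ruleset changes.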

#####################################################################
## PART III: WORKING EXAMPLES AND RELATED MATERIAL                 ##
#####################################################################

.....................................................................
WATCH MASQUERADED LAN TRAFFIC (SEE WHAT USERS ARE CONNECTING TO):
`````````````````````````````````````````````````````````````````````

cat /proc/net/ip_conntrack

(2.4 and early 2.6 kernels; on newer kernels the table is
/proc/net/nf_conntrack, or use 'conntrack -L' from conntrack-tools.  Each
line shows the original direction first and the reply direction second, so
for a masqueraded connection the original src= is the LAN host while the
reply's dst= is the firewall's public address.)
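A small parser for that table, added here as an example (not part of the original notes), which turns the raw entries into "which LAN host is talking to what" and uses the reply tuple to keep only flows that were actually masqueraded. It understands both the ip_conntrack format and the later nf_conntrack format with its "ipv4 2" prefix. The sample lines are constructed; 203.0.113.1 stands in for the firewall's public address and the LAN is the 10.10.0.0/24 network from the notes.

```python
"""Summarise masqueraded LAN traffic from the conntrack table."""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("10.10.0.0/24")   # the LAN used throughout the notes
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: three LAN flows, one local-to-firewall flow, one SSH
# session from outside.  Line 4 is in nf_conntrack format, the others in the
# older ip_conntrack format.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.10.0.5 dst=64.21.192.10 sport=33012 dport=80 src=64.21.192.10 dst=203.0.113.1 sport=80 dport=33012 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.10.0.5 dst=64.21.192.10 sport=33013 dport=443 [UNREPLIED] src=64.21.192.10 dst=203.0.113.1 sport=443 dport=33013 use=1
udp      17 28 src=10.10.0.7 dst=198.51.100.53 sport=49152 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=49152 [ASSURED] use=1
ipv4     2 udp      17 117 src=10.10.0.7 dst=198.51.100.9 sport=12203 dport=12203 src=198.51.100.9 dst=203.0.113.1 sport=12203 dport=12203 use=1
tcp      6 431999 ESTABLISHED src=10.10.0.5 dst=10.10.0.1 sport=40000 dport=22 src=10.10.0.1 dst=10.10.0.5 sport=22 dport=40000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=203.0.113.1 sport=51000 dport=22 src=203.0.113.1 dst=203.0.113.77 sport=22 dport=51000 [ASSURED] use=1
"""


def parse_entry(line):
    """One conntrack line -> dict with protocol, original and reply tuples."""
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] in ("ipv4", "ipv6"):      # nf_conntrack: family and number first
        tokens = tokens[2:]
    proto = tokens[0]
    orig, reply = {}, {}
    current = orig
    for key, value in KV.findall(line):
        if key == "src" and current is orig and "src" in orig:
            current = reply                 # the second src= starts the reply tuple
        current[key] = value
    return {
        "proto": proto,
        "orig": orig,
        "reply": reply,
        "assured": "[ASSURED]" in tokens,
        "unreplied": "[UNREPLIED]" in tokens,
        # NAT happened iff the reply is addressed somewhere other than the
        # original sender (here: to the firewall's public address).
        "natted": reply.get("dst") != orig.get("src"),
    }


def lan_summary(table_text, lan=LAN):
    """Map each LAN host to a sorted list of (proto, destination, dport) it is
    talking to through the masquerade.  Flows that were not translated
    (LAN to firewall, inbound sessions) are left out."""
    summary = defaultdict(set)
    for line in table_text.splitlines():
        entry = parse_entry(line)
        if entry is None or not entry["natted"]:
            continue
        src = entry["orig"].get("src")
        if src is None or ipaddress.ip_address(src) not in lan:
            continue
        dport = int(entry["orig"].get("dport", 0))   # ICMP has no port
        summary[src].add((entry["proto"], entry["orig"].get("dst"), dport))
    return {host: sorted(flows) for host, flows in summary.items()}


if __name__ == "__main__":
    text = SAMPLE
    for path in ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack"):
        try:
            with open(path) as fh:
                text = fh.read()
            break
        except OSError:                     # missing, or not root
            continue
    for host, flows in sorted(lan_summary(text).items()):
        print(host)
        for proto, dst, dport in flows:
            print(f"    {proto:<4} {dst}:{dport}")
```

Run as root it reads the live table; without the table (or without privileges) it falls back to the constructed sample. The reply-tuple check is what separates masqueraded flows from the firewall's own traffic, which is more reliable than filtering on addresses alone.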

.....................................................................
MORE SOPHISTICATED INTERNET AND IP-NAT EXAMPLE:
`````````````````````````````````````````````````````````````````````

touch /var/lock/subsys/local

# FTP helpers so active and passive FTP work through NAT (nf_conntrack_ftp /
# nf_nat_ftp on newer kernels; modprobe pulls in the conntrack dependency)
/sbin/modprobe -a ip_conntrack_ftp
/sbin/modprobe -a ip_nat_ftp

#       eth0: INTERNET ADDRESS   eth1: 10.10.0.1
#       -i --in-interface       -o --out-interface      -p --protocol (tcp, udp, icmp, all) -m --match
/sbin/iptables -F                                                                       # Flush old filter rules
/sbin/iptables -t nat -F                                                                # Flush NAT rules
/sbin/iptables -P INPUT DROP                                                            # default deny for the firewall itself
/sbin/iptables -P FORWARD DROP                                                          # default deny for forwarded traffic (OUTPUT stays ACCEPT)
/sbin/iptables -A INPUT -i lo -j ACCEPT                                                 # needed with INPUT DROP: local services talk over loopback
/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT                            # ping rate limit: 3/hour, burst 5; the excess hits the DROP policy
# part 1 to establish conduit to an internal MOHAA game server (12203/12300 udp are the game ports)
iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 23 -j DNAT --to 10.10.0.X:23
iptables -t nat -A PREROUTING -p udp -d X.X.X.X --dport 12203 -j DNAT --to 10.10.0.X:12203
iptables -t nat -A PREROUTING -p udp -d X.X.X.X --dport 12300 -j DNAT --to 10.10.0.X:12300
# block sites and networks we don't want such as sitefinder.verisign.com and banners
/sbin/iptables -A FORWARD -p tcp -d 12.158.80.10 -j DROP
/sbin/iptables -A FORWARD -p tcp -d 64.94.110.11 -j DROP
/sbin/iptables -A FORWARD -p tcp -d 216.73.86.0/24 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -p tcp -d 216.73.85.0/24 -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -p tcp -d 206.65.183.0/24 -j REJECT --reject-with tcp-reset
# protect your ms windows and other computers inside your lan
/sbin/iptables -A FORWARD -p udp --dport 4156 -j DROP                                   # slapper
/sbin/iptables -A FORWARD -p tcp --dport 135 -j DROP                                    # msblaster (RPC/DCOM)
/sbin/iptables -A FORWARD -p tcp --dport 136 -j DROP                                    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 137 -j DROP                                    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 138 -j DROP                                    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 139 -j DROP                                    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 445 -j DROP                                    # msblaster
/sbin/iptables -A FORWARD -p tcp --dport 593 -j DROP                                    # msblaster
/sbin/iptables -A FORWARD -p udp --dport 69 -j DROP                                     # tftp (msblaster fetches itself over tftp)
/sbin/iptables -A FORWARD -p tcp --dport 4444 -j DROP                                   # msblaster remote shell
/sbin/iptables -A FORWARD -p udp --dport 135 -j DROP                                    # Windows Messenger popup spam
/sbin/iptables -A FORWARD -p udp --dport 1026 -j DROP                                   # Windows Messenger popup spam
# part 2 to establish conduit to an internal MOHAA game server.  FORWARD sees the
# post-DNAT destination, so match the real ports.  As written these match in either
# direction; add "-i eth0 -d 10.10.0.X" to restrict them to the inbound path.
iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -p udp --dport 12203 -j ACCEPT
iptables -A FORWARD -p udp --dport 12300 -j ACCEPT
# for Internet sharing
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT          # replies to connections the firewall itself opened
# machines allowed access to our firewall
/sbin/iptables -A INPUT -i eth1 -s 10.10.0.0/24 -j ACCEPT                               # accept connections from inside
/sbin/iptables -A INPUT -i eth0 -s X.X.X.X/29 -j ACCEPT                                 # friend has access to firewall (every port)
# more security related stuff
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP                      # drop packets with both SYN and FIN set (scanner fingerprinting)
# NOTE: the three limit rules below ACCEPT a trickle and let everything over the
# limit fall through to the next rule, so on their own they drop nothing; the
# excess is decided by the rules after them (here: the lan ACCEPT and the policy).
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 3 -j ACCEPT                     # Syn-flood protection (only if a later rule drops the rest)
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3 -j ACCEPT   # furtive port scanner
/sbin/iptables -A FORWARD -p icmp -m limit --limit 3 -j ACCEPT                          # ping rate limit
# all computers on our lan are allowed access to Internet via ip masquerade
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT                     # everything from lan, out to inet
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT # replies from the Internet back to the lan
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 10.10.0.0/24 -j MASQUERADE              # masquerade packets from lan ip
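The "-m limit" rules in this script and the ICMP rule in the basic example above share one trap: an ACCEPT with a limit only decides the packets under the limit, and the rest are decided by whatever comes next. The model below is an added example (not code from the original notes) of iptables chain traversal, with a token bucket that behaves like the limit match: "--limit N" defaults to N per HOUR and "--limit-burst" to 5. The packet stream is constructed; the rule sets named in the functions are the ones discussed in the text, and the 1/second variant is an assumed alternative, not something the notes prescribe.

```python
"""Model of chain traversal and of '-m limit', to show when a limit rule bites."""

PER_DAY = {"second": 86400, "minute": 1440, "hour": 24, "day": 1}


class Limit:
    """Token bucket equivalent to '-m limit --limit <rate> --limit-burst <burst>'.
    Tokens are kept as integer micro-tokens so the arithmetic is exact."""
    MICRO = 1_000_000
    MS_PER_DAY = 86_400_000

    def __init__(self, limit="3/hour", burst=5):
        count, _, unit = limit.partition("/")
        self.per_day = int(count) * PER_DAY[unit or "hour"]   # "--limit 3" is 3/hour
        self.cap = burst * self.MICRO
        self.tokens = self.cap          # bucket starts full: the first <burst> packets match
        self.last_ms = None

    def match(self, now_ms):
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.per_day * self.MICRO // self.MS_PER_DAY
            self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= self.MICRO:
            self.tokens -= self.MICRO
            return True
        return False                    # over the limit: the rule simply does not match


class Rule:
    """One chain entry: optional '-p proto', optional '-m limit', and a target."""
    def __init__(self, target, proto=None, limit=None):
        self.target, self.proto, self.limit = target, proto, limit

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.limit is not None and not self.limit.match(pkt["t_ms"]):
            return False
        return True


def run_chain(rules, policy, packets):
    """First matching rule wins (ACCEPT/DROP/REJECT all terminate); otherwise the policy."""
    verdicts = []
    for pkt in packets:
        verdict = policy
        for rule in rules:
            if rule.matches(pkt):
                verdict = rule.target
                break
        verdicts.append(verdict)
    return verdicts


def ping_burst(count=20, gap_ms=100):
    """Constructed input: 20 echo requests, 100 ms apart (a two second flood)."""
    return [{"proto": "icmp", "t_ms": i * gap_ms} for i in range(count)]


def as_in_the_notes():
    """'-A INPUT -p icmp -m limit --limit 3 -j ACCEPT' with policy ACCEPT."""
    rules = [Rule("ACCEPT", proto="icmp", limit=Limit("3/hour", 5))]
    return run_chain(rules, "ACCEPT", ping_burst()).count("ACCEPT")


def with_trailing_drop():
    """Same rule, followed by '-A INPUT -p icmp -j DROP' (or a DROP policy)."""
    rules = [Rule("ACCEPT", proto="icmp", limit=Limit("3/hour", 5)),
             Rule("DROP", proto="icmp")]
    return run_chain(rules, "ACCEPT", ping_burst()).count("ACCEPT")


def usable_ping_limit():
    """Assumed alternative: --limit 1/second --limit-burst 5 plus a trailing DROP."""
    rules = [Rule("ACCEPT", proto="icmp", limit=Limit("1/second", 5)),
             Rule("DROP", proto="icmp")]
    return run_chain(rules, "ACCEPT", ping_burst()).count("ACCEPT")


if __name__ == "__main__":
    print("limit rule alone, policy ACCEPT :", as_in_the_notes(), "of 20 accepted")
    print("limit rule + trailing DROP      :", with_trailing_drop(), "of 20 accepted")
    print("1/second burst 5 + trailing DROP:", usable_ping_limit(), "of 20 accepted")
```

With the rule alone all 20 pings get through, because the ones the limit refuses are not dropped, they just move on to the policy. With a DROP behind it, 3/hour leaves only the 5-packet burst, which is effectively "no ping at all" for anyone who was hoping to monitor the box; a per-second rate with the same burst gives a limit you can actually live with. The same reasoning applies to the SYN-flood and port-scanner rules in the FORWARD chain above: the LAN ACCEPT rule that follows them takes whatever they refuse.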

.....................................................................
RANDOM CODE SAMPLES TO PERFORM VARIOUS TASKS SUCH AS FORWARDING ETC:
`````````````````````````````````````````````````````````````````````
#####
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade everything leaving eth0 (no -s: every source, not just one lan)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# forward anything that comes in on eth2; replies rely on the FORWARD policy
# still being ACCEPT, there is no RELATED,ESTABLISHED rule here
iptables -A FORWARD -i eth2 -j ACCEPT

# publish services on 10.0.0.2 at the public address 202.63.167.192.  Only
# DNS (53) really uses udp; the udp lines for 995, 80, 25 and 110 are no-ops
# because those services are tcp only, but they do no harm.
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -d 202.63.167.192 -i eth0 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110

# the same services for the lan on eth2 (192.168.0.0/24) when it connects to
# the public address instead of 10.0.0.2 directly ("hairpin" NAT).  This works
# because 10.0.0.2 is on another subnet, so its replies come back through the
# firewall and get un-NATed; if server and clients shared a subnet you would
# also need an SNAT in POSTROUTING so the replies take that path.
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80

iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 995 -j DNAT --to-destination 10.0.0.2:995
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d 202.63.167.192 -i eth2 -p udp -m udp --dport 25 -j DNAT --to-destination 10.0.0.2:25
###################

.....................................................................
OPTIONAL SECURITY CONFIGURATIONS FOR YOUR FIREWALL
`````````````````````````````````````````````````````````````````````

Turning off answers to ICMP echo requests (ping) hides the firewall from
casual scans and stops it being used as an amplifier for broadcast pings.
Open /etc/sysctl.conf and add the following lines:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

The command 'sysctl -p' loads the file so the changes take effect
immediately.  The broadcast setting is safe everywhere; ignoring all echo
requests also blinds your own monitoring and does nothing about the other
ICMP types, so the iptables rule below is usually the better tool.

or, for the running kernel only (note the space: "echo 1>file" redirects an
empty echo and writes nothing useful):
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

You can block PING with an iptables rule as well, and still allow the other
types of ICMP traffic (destination-unreachable and fragmentation-needed,
which TCP path MTU discovery depends on, should never be dropped):

iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

(type 8 is echo-request; --icmp-type echo-request is the same thing.  Leave
out -s to block ping from everyone.)

.....................................................................
BLOCK OR RESTRICT INTERNET TRAFFIC TO SPECIFIC CLIENTS ON LAN 
`````````````````````````````````````````````````````````````````````
For clients with a static IP address on your LAN, you can restrict Internet
traffic on a per host basis.

In this example all Internet hosts (including web sites) will be blocked
for one LAN host with a static IP, except that it is allowed to reach one
specific network, robotz.com (64.21.192.0/19).

The following goes after
/sbin/iptables -A INPUT -p icmp -m limit --limit 3 -j ACCEPT
and after any specific hosts being blocked for all users, but it MUST come
before the general "everything from lan, out to inet" FORWARD ACCEPT rule,
otherwise that rule matches first and the restriction never applies.

/sbin/iptables -A FORWARD -p tcp -s 192.168.254.7 -d 64.21.192.0/19 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 192.168.254.7 -d 0.0.0.0/0 -j REJECT --reject-with tcp-reset

First line: if the destination is the robotz.com network, let the LAN host
through.  Second line: reject everything else from that LAN host, with a TCP
reset so the client fails immediately instead of waiting for a timeout.

Two caveats.  Both rules say -p tcp, so UDP (DNS, games) and ICMP from that
host still go out; add matching -p udp rules with a plain -j REJECT (the
tcp-reset reject type is only valid for TCP) if you want those blocked too.
And the restriction keys on the source address, which the user of that
machine can simply change; -m mac --mac-source ties it to the network card
instead, but a MAC address is also spoofable, so treat this as policy for
cooperative users rather than as a security boundary.

Trans American Software
Robotz.com Developer's Project
developer@robotz.com