
How is this iptables firewall config?

JOHNGALT99

Senior member
Any input would be great. Numbers are there just to point out mistakes.

My network is a cable modem to a Linux router using DHCP, connected to a switch that has four computers connected to it.

The primary and secondary DNS servers are the made-up values 2.3.4.10 and 2.3.4.11 for this example.

Thanks for the help; trying to learn iptables, got some of this from a rough sketch of a firewall config for a typical network.

1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT DROP [0:0]
5
6 # allow local loopback connections
7 -A INPUT -i lo -j ACCEPT
8
9 # drop INVALID connections
10 -A INPUT -m state --state INVALID -j DROP
11 -A OUTPUT -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13
14 # allow all established and related
15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
16 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
17 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
18
19 # allow connections to my ISP's DNS servers
20 -A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
21 -A OUTPUT -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
22 -A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
23 -A FORWARD -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
24
25 # allow outgoing connections to web servers
26 -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
27 -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 \
-i eth1 -j ACCEPT
28
29 # allow outgoing mail connections to my ISP's SMTP and POP3 server only
30 -A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 \
-o eth0 -j ACCEPT
31 -A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 \
-o eth0 -j ACCEPT
32
33 # log all other attempted out going connections
34 -A OUTPUT -o eth0 -j LOG
35 -A FORWARD -j LOG
36 # default is to DROP out-going connections
37
38 COMMIT
39
40 *nat
41
42 # set up IP forwarding and nat
43 -A POSTROUTING -o eth0 -j MASQUERADE
44
45 COMMIT
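The questions the poster asks about this ruleset (is the FORWARD side tight, will the logging hold up) are the kind of thing a small script can answer more reliably than reading by eye. The following is an added example, not code from anyone in this thread: it joins the backslash continuations the way iptables-restore does, tokenises each -A line, and flags three things in the posted filter table: a NEW ACCEPT in FORWARD that names no ingress interface (it then matches packets arriving on eth0 as well), a LOG rule with no -m limit in front of a DROP policy, and a hostname in -s/-d, which iptables-restore resolves once at load time. The embedded ruleset is a constructed copy of the post with the second DNS server and the OUTPUT web/mail rules left out; the external interface name eth0 is taken from the post.

```python
"""Lint an iptables-restore ruleset for a few mistakes that are easy to miss by eye."""
import re
import shlex

# Constructed copy of the filter table posted in this thread (second DNS server
# and the OUTPUT web/mail rules omitted). Backslash continuations are kept as
# posted so the parser has to join them.
POSTED_RULES = r"""
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 \
-i eth1 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 \
-o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j LOG
-A FORWARD -j LOG
COMMIT
"""


def join_continuations(text):
    """Join lines that end in a backslash, as iptables-restore does."""
    joined, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        joined.append(pending + line)
        pending = ""
    return joined


def parse_rules(text):
    """Return the -A rules as (table, chain, options) plus the built-in chain policies."""
    table, rules, policies = None, [], {}
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append((table, tokens[1], tokens[2:]))
    return rules, policies


def option(opts, flag):
    """Value that follows a flag such as -i, or None if the flag is absent."""
    return opts[opts.index(flag) + 1] if flag in opts else None


def lint(text, external="eth0"):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    rules, policies = parse_rules(text)
    for (table, chain), policy in policies.items():
        if table == "filter" and policy != "DROP":
            findings.append(f"{chain} policy is {policy}, not DROP")
    for table, chain, opts in rules:
        if table != "filter":
            continue
        target = option(opts, "-j")
        rule = f"{chain}: {' '.join(opts)}"
        # Hostnames in -s/-d are resolved once, when iptables-restore loads the
        # file; if the ISP moves the server the rule silently stops matching.
        for flag in ("-s", "-d"):
            value = option(opts, flag)
            if value and not re.fullmatch(r"[0-9./]+", value):
                findings.append(f"{flag} {value} is a hostname, resolved only at load time -> {rule}")
        # A FORWARD ACCEPT for NEW connections with no -i also matches packets
        # arriving on the external interface, not just the LAN side.
        if chain == "FORWARD" and target == "ACCEPT" and "NEW" in opts and option(opts, "-i") is None:
            findings.append(f"no -i, so packets arriving on {external} match too -> {rule}")
        # An unthrottled LOG in front of a DROP policy lets a flood fill the log.
        if target == "LOG" and "limit" not in opts:
            findings.append(f"LOG without -m limit -> {rule}")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_RULES):
        print(finding)
```

Run against the posted rules it reports four findings: the SMTP/POP3 FORWARD rule is the only one lacking -i eth1 (compare it with the HTTP rule just above it), the same rule carries a hostname, and both LOG rules are unthrottled. The parser only understands the subset of the iptables-restore format used here (no negation with "!", no nested -m options with quoted values beyond what shlex handles).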
 

Not bad, I would prolly add in a few rules to handle special packets, i.e. XMAS packets or SSR packets,
but otherwise pretty good. I feel cool with my network behind it. You could also sandbox invalids.
 
Suggestions for rules dealing with XMAS packets or SSR packets? I am not sure how to write one for those.

Are XMAS packets mostly always an attack? Also, how do I sandbox invalids?

thanks
 
XMAS is a scan. It's sometimes a prelude to an attack. I think it has the SYN, FIN, RST, and maybe another flag set, but I can't remember for sure off hand.
 
Thanks, I am going to look into it,

also looking into blocking RFC1918 addresses.

iptables is not nearly as hard as everyone has been saying, however my network is small and not complex.
 
OK, for blocking RFC1918 I should block these addresses going into my external interface?

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
169.254.0.0 - 169.254.255.255 (169.254/16 prefix)
192.0.2.0 - 192.0.2.255 (192.0.2/24 prefix)
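Both open questions in the thread, how to write a rule for XMAS-style packets and how to keep the private ranges listed above off the external interface, come down to two iptables matches: -s with a prefix, and --tcp-flags MASK COMP, which looks only at the flags named in MASK and matches when exactly the flags in COMP are set. The XMAS packet as commonly understood has FIN, PSH and URG set. The script below is an added example, not code from anyone in this thread: it emits the iptables-restore lines for a BOGON and a SCAN chain on the external interface (eth0, as in the posted config), with rate-limited logging before the DROP, and carries a small model of the -s and --tcp-flags evaluation so the rules can be sanity-checked offline. The chain names, the signature names and the sample addresses (203.0.113.9 is a documentation address) are constructed for the example.

```python
"""Ingress filtering on the external interface: RFC 1918 and other bogon
sources, plus TCP flag combinations that only appear in scans. Includes a
small model of how iptables evaluates -s and --tcp-flags so the rules can be
checked offline."""
import ipaddress

EXTERNAL = "eth0"  # assumed external interface, as in the posted config

# The prefixes listed in the thread, plus loopback, which is never valid on the wire.
BOGON_SOURCES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "192.0.2.0/24", "127.0.0.0/8",
]

# --tcp-flags MASK COMP: inspect only the flags in MASK and match when exactly
# the flags in COMP are set. The names are ours; the combinations are the usual ones.
SCAN_SIGNATURES = {
    "xmas": ("ALL", "FIN,PSH,URG"),     # "Christmas tree" packet: FIN, PSH and URG lit up
    "null": ("ALL", "NONE"),            # no flags at all
    "syn-fin": ("SYN,FIN", "SYN,FIN"),  # contradictory: open and close at once
    "syn-rst": ("SYN,RST", "SYN,RST"),
}


def ingress_rules():
    """iptables-restore lines for the filter table; chain declarations come first."""
    lines = [":BOGON - [0:0]", ":SCAN - [0:0]"]
    for chain in ("INPUT", "FORWARD"):
        for prefix in BOGON_SOURCES:
            lines.append(f"-A {chain} -i {EXTERNAL} -s {prefix} -j BOGON")
        for mask, comp in SCAN_SIGNATURES.values():
            lines.append(f"-A {chain} -i {EXTERNAL} -p tcp --tcp-flags {mask} {comp} -j SCAN")
    # Log at a bounded rate so a flood cannot fill the disk, then drop.
    lines += [
        '-A BOGON -m limit --limit 5/min -j LOG --log-prefix "bogon-src: "',
        "-A BOGON -j DROP",
        '-A SCAN -m limit --limit 5/min -j LOG --log-prefix "tcp-scan: "',
        "-A SCAN -j DROP",
    ]
    return lines


# TCP flag bits as they sit in the header, which is what the match compares.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flagset(spec):
    """Turn an iptables flag list (ALL, NONE, or FIN,SYN,...) into a bitmask."""
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(mask, comp, packet_flags):
    """The --tcp-flags test: (header flags AND mask) == comp."""
    return (flagset(packet_flags) & flagset(mask)) == flagset(comp)


def classify(iface, src, proto=None, flags=None):
    """Walk the generated rules for one packet (first match wins) and return the
    chain it is sent to, or None when nothing here matches and later rules decide.
    Simplified model: conntrack state is not considered."""
    if iface != EXTERNAL:
        return None  # LAN-side traffic never reaches these rules
    address = ipaddress.ip_address(src)
    if any(address in ipaddress.ip_network(prefix) for prefix in BOGON_SOURCES):
        return "BOGON"
    if proto == "tcp":
        for name, (mask, comp) in SCAN_SIGNATURES.items():
            if tcp_flags_match(mask, comp, flags):
                return f"SCAN:{name}"
    return None


if __name__ == "__main__":
    print("\n".join(ingress_rules()))
    print(classify(EXTERNAL, "192.168.1.5"))                        # BOGON
    print(classify(EXTERNAL, "203.0.113.9", "tcp", "FIN,PSH,URG"))  # SCAN:xmas
    print(classify(EXTERNAL, "203.0.113.9", "tcp", "SYN"))          # None
```

The emitted lines belong in the *filter section of the posted file, and they should sit above the INVALID and ESTABLISHED,RELATED rules: a flag-only packet with no connection behind it is normally already classed INVALID by conntrack and dropped silently by the existing rule, so the value the SCAN chain adds is the log entry, and it only gets to write one if it is evaluated first. The model in classify() mirrors that ordering within a chain (bogon source first, then flag signatures) but deliberately ignores conntrack. The tarpit idea mentioned later in the thread is a TARPIT target from xtables-addons rather than stock iptables, so it is left out here.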
 
If this is for a home network you may also want to check out this cool little script over at p2p guardian. It basically takes the p2pguardian blacklist and formats it, then iptables uses the list to block IPs. Could be useful if you have Windows machines as it blocks spammers/bots/etc... But it is also good if you, well, you know, do other quasi-legal activities. I have not integrated it, but this is due to my school course load.

Edit: forgot links.

Ipblacklist

Iptables (you have been here already, I am sure, but just in case).

tarpit


I don't know what I was thinking in my original post when I stated "sandbox invalids"; I meant tarpit invalids. Sandboxing invalid packets would be rather resource expensive 🙂.
 
Originally posted by: JOHNGALT99
Is that what the rule would look like in an OpenBSD firewall?

Yes, after setting up the <rfc1918> table with something like:
table <rfc1918> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

And I was wrong about what I thought 172.16 and everything was earlier. 😛
 