
3. Packet Filtering

3.1 A Simple Scenario

Single machine with no forwarding: PPP interface

Only ident requests to come in from outside

3.2 A Simple Solution



iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/hour -j LOG
iptables -A LOGDROP -j DROP

iptables -N ppp-incoming
iptables -A ppp-incoming -p ! tcp -f -j LOGDROP
iptables -A ppp-incoming -p tcp --dport ident -j ACCEPT
iptables -A ppp-incoming -p tcp ! --syn -j ACCEPT
iptables -A ppp-incoming -p udp --dport 53 -j ACCEPT
iptables -A ppp-incoming -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ppp-incoming -p icmp --icmp-type pong -j ACCEPT
iptables -A ppp-incoming -j LOGDROP

In ip-up script:

iptables -A INPUT -i $1 -j ppp-incoming

3.3 A More Realistic Scenario

Internal Network, DMZ

We have the following requirements:

Packet Filter box:

DMZ:

Mail server

Name server

Web server

Internal:

3.4 A Solution



for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

iptables -A INPUT -i ! lo -j DROP
iptables -A OUTPUT -o ! lo -j DROP
iptables -A FORWARD -j DROP

ifconfig eth0 192.84.219.0 netmask 255.255.255.0
ifconfig eth1 192.168.1.0 netmask 255.255.255.0
pppd

route add default ppp0





iptables -N internal-dmz
iptables -N external-dmz
iptables -N internal-external
iptables -N dmz-internal
iptables -N dmz-external
iptables -N external-internal
iptables -N icmp-accept
iptables -N NEVER
iptables -N LOGDROP

iptables -A NEVER -j LOG --log-level alert --log-prefix "filter ERROR: "
iptables -A NEVER -j DROP

iptables -A LOGDROP -m limit -j LOG --log-prefix "filter: "
iptables -A LOGDROP -j DROP

iptables -A FORWARD -i eth1 -o eth0 -j internal-dmz
iptables -A FORWARD -i eth1 -o ppp0 -j internal-external
iptables -A FORWARD -i eth0 -o ppp0 -j dmz-external
iptables -A FORWARD -i eth0 -o eth1 -j dmz-internal
iptables -A FORWARD -i ppp0 -o eth0 -j external-dmz
iptables -A FORWARD -i ppp0 -o eth1 -j external-internal
iptables -A FORWARD -j NEVER

Define the icmp-accept chain:


iptables -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT

# MAILSERVER, NAMESERVER and WEBSERVER hold the addresses of the three DMZ hosts
iptables -A internal-dmz -p tcp -d $MAILSERVER --dport smtp -j ACCEPT
iptables -A internal-dmz -p tcp -d $MAILSERVER --dport pop-3 -j ACCEPT
iptables -A internal-dmz -p udp -d $NAMESERVER --dport domain -j ACCEPT
iptables -A internal-dmz -p tcp -d $NAMESERVER --dport domain -j ACCEPT
iptables -A internal-dmz -p tcp -d $WEBSERVER --dport www -j ACCEPT
iptables -A internal-dmz -p tcp -d $WEBSERVER --dport rsync -j ACCEPT
iptables -A internal-dmz -p icmp -j icmp-accept
iptables -A internal-dmz -j LOGDROP

iptables -A external-dmz -p tcp -d $MAILSERVER --dport smtp -j ACCEPT
iptables -A external-dmz -p udp -d $NAMESERVER --dport domain -j ACCEPT
iptables -A external-dmz -p tcp -d $NAMESERVER --dport domain -j ACCEPT
iptables -A external-dmz -p tcp -d $WEBSERVER --dport www -j ACCEPT
iptables -A external-dmz -p icmp -j icmp-accept
iptables -A external-dmz -j DROP

iptables -A internal-external -p tcp --dport www -j ACCEPT
iptables -A internal-external -p tcp --dport ssh -j ACCEPT
iptables -A internal-external -p udp --dport 33434:33500 -j ACCEPT
iptables -A internal-external -p tcp --dport ftp -j ACCEPT
iptables -A internal-external -p tcp --dport 1024:65535 -j ACCEPT
iptables -A internal-external -p icmp --icmp-type ping -j ACCEPT
iptables -A internal-external -j LOG
iptables -A internal-external -j REJECT

iptables -A dmz-internal -p tcp ! --syn -s $MAILSERVER --sport smtp -j ACCEPT
iptables -A dmz-internal -p udp -s $NAMESERVER --sport domain -j ACCEPT
iptables -A dmz-internal -p tcp ! --syn -s $NAMESERVER --sport domain -j ACCEPT
iptables -A dmz-internal -p tcp ! --syn -s $WEBSERVER --sport www -j ACCEPT
iptables -A dmz-internal -p tcp ! --syn -s $WEBSERVER --sport rsync -j ACCEPT
iptables -A dmz-internal -p icmp -j icmp-accept
iptables -A dmz-internal -j NEVER

iptables -A dmz-external -p tcp -s $MAILSERVER --sport smtp -j ACCEPT
iptables -A dmz-external -p udp -s $NAMESERVER --sport domain -j ACCEPT
iptables -A dmz-external -p tcp -s $NAMESERVER --sport domain -j ACCEPT
iptables -A dmz-external -p tcp ! --syn -s $WEBSERVER --sport www -j ACCEPT
iptables -A dmz-external -p icmp -j icmp-accept
iptables -A dmz-external -j NEVER

iptables -A external-internal -p tcp ! --syn --sport www -j ACCEPT
iptables -A external-internal -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A external-internal -p tcp ! --syn --sport ftp -j ACCEPT
iptables -A external-internal -p tcp ! --syn --sport 1024:65535 -j ACCEPT
iptables -A external-internal -p icmp --icmp-type pong -j ACCEPT
iptables -A external-internal -j DROP




iptables -N external-if
iptables -N dmz-if
iptables -N internal-if

iptables -A INPUT -i ppp0 -j external-if
iptables -A INPUT -i eth0 -j dmz-if
iptables -A INPUT -i eth1 -j internal-if

iptables -A external-if -p icmp --icmp-type pong -j ACCEPT
iptables -A external-if -j icmp-accept
iptables -A external-if -j DROP

iptables -A dmz-if -p tcp ! --syn -s $NAMESERVER --sport 53 -j ACCEPT
iptables -A dmz-if -p udp -s $NAMESERVER --sport 53 -j ACCEPT
iptables -A dmz-if -p icmp --icmp-type pong -j ACCEPT
iptables -A dmz-if -j icmp-accept
iptables -A dmz-if -j NEVER

iptables -A internal-if -p icmp --icmp-type ping -j ACCEPT
iptables -A internal-if -p icmp --icmp-type pong -j ACCEPT
iptables -A internal-if -j icmp-accept
iptables -A internal-if -j LOGDROP

# Finally remove the temporary block-everything rules that were inserted first
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
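To see what the two rule sets actually decide, here is a small stateless model of the chains in 3.2 and 3.4. It is an added example, not code from the slides: rules are (predicate, target) pairs evaluated first-match-wins, a user-defined chain falls through to its caller when nothing matches, and the built-in chain's policy applies at the end, the same way netfilter walks chains. Only a subset of the 3.4 chains is modelled, and the DMZ host addresses MAILSERVER, NAMESERVER and WEBSERVER are constructed sample values inside the 192.84.219.0/24 block the slides assign to eth0.

```python
"""Stateless model of the chains in 3.2 and 3.4 (added example, not the slides' code)."""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample addresses for the three DMZ hosts (not from the slides).
MAILSERVER, NAMESERVER, WEBSERVER = "192.84.219.2", "192.84.219.3", "192.84.219.4"


def describe(pkt):
    return " ".join(f"{k}={v}" for k, v in sorted(pkt.items()))


def walk(chains, chain, pkt, log):
    """Evaluate pkt against one chain; return a verdict, or None on fall-through."""
    for pred, target in chains[chain]:
        if not pred(pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "LOGDROP":                     # rate-limited LOG, then DROP
            log.append("filter: " + describe(pkt))
            return "DROP"
        if target == "NEVER":                       # a packet no chain was written for
            log.append("filter ERROR: " + describe(pkt))
            return "DROP"
        verdict = walk(chains, target, pkt, log)    # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def decide(chains, chain, pkt, policy="DROP", log=None):
    """Verdict for pkt entering built-in chain `chain` with the given policy."""
    verdict = walk(chains, chain, pkt, [] if log is None else log)
    return verdict if verdict is not None else policy


def tcp(iface, dport, syn=True, **extra):
    """Build a constructed TCP packet record."""
    return {"iface": iface, "proto": "tcp", "dport": dport, "syn": syn, **extra}


# 3.2: a single PPP host.  INPUT policy DROP, lo accepted, ppp0 dispatched.
SIMPLE = {
    "INPUT": [
        (lambda p: p["iface"] == "lo", "ACCEPT"),
        (lambda p: p["iface"] == "ppp0", "ppp-incoming"),     # added by ip-up
    ],
    "ppp-incoming": [
        (lambda p: p["proto"] != "tcp" and p.get("frag", False), "LOGDROP"),
        (lambda p: p["proto"] == "tcp" and p.get("dport") == 113, "ACCEPT"),   # ident
        (lambda p: p["proto"] == "tcp" and not p.get("syn"), "ACCEPT"),        # non-SYN
        (lambda p: p["proto"] == "udp" and p.get("dport") == 53, "ACCEPT"),    # DNS answers
        (lambda p: p["proto"] == "icmp"
         and p.get("icmp_type") in ("destination-unreachable", "pong"), "ACCEPT"),
        (lambda p: True, "LOGDROP"),
    ],
}


def pair(in_dev, out_dev):
    return lambda p: p["iface"] == in_dev and p.get("oface") == out_dev


# 3.4: FORWARD is dispatched on the (in, out) interface pair; any pair the six
# chains do not cover reaches NEVER and is logged as a filter error.
REALISTIC = {
    "FORWARD": [
        (pair("eth1", "eth0"), "internal-dmz"),
        (pair("eth1", "ppp0"), "internal-external"),
        (pair("eth0", "ppp0"), "dmz-external"),
        (pair("eth0", "eth1"), "dmz-internal"),
        (pair("ppp0", "eth0"), "external-dmz"),
        (pair("ppp0", "eth1"), "external-internal"),
        (lambda p: True, "NEVER"),
    ],
    "external-dmz": [
        (lambda p: p["proto"] == "tcp" and p.get("dst") == MAILSERVER and p["dport"] == 25, "ACCEPT"),
        (lambda p: p["proto"] == "tcp" and p.get("dst") == WEBSERVER and p["dport"] == 80, "ACCEPT"),
        (lambda p: True, "DROP"),
    ],
    "external-internal": [
        (lambda p: p["proto"] == "tcp" and not p["syn"] and p.get("sport") == 80, "ACCEPT"),
        (lambda p: True, "DROP"),
    ],
    # internal-dmz, internal-external, dmz-internal, dmz-external: not modelled here
    "internal-dmz": [], "internal-external": [], "dmz-internal": [], "dmz-external": [],
}

if __name__ == "__main__":
    log = []
    print(decide(SIMPLE, "INPUT", tcp("ppp0", 113), log=log))              # ACCEPT
    print(decide(SIMPLE, "INPUT", tcp("ppp0", 22), log=log))               # DROP, logged
    print(decide(SIMPLE, "INPUT", tcp("ppp0", 22, syn=False), log=log))    # ACCEPT (stateless)
    print(decide(REALISTIC, "FORWARD", tcp("ppp0", 25, oface="eth0", dst=MAILSERVER), log=log))
    print(decide(REALISTIC, "FORWARD", tcp("ppp0", 25, oface="ppp0", dst=MAILSERVER), log=log))
    print(*log, sep="\n")
```

The third call is the point worth noticing when reading these rules as a defender: the "! --syn" accept is a stateless stand-in for "reply to a connection we opened", so any non-SYN segment is let in regardless of whether a connection exists. That is the limitation that connection tracking (the ESTABLISHED state) later removed. The last call shows the NEVER chain doing its job: a packet with an interface pair the six chains do not cover is logged with the "filter ERROR:" prefix, which is what the summary means by placing LOG rules where they reveal mistakes.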

3.5 Summary

Packet filtering this way is logical, but painful

Use routing's source verification

Define your allowed set thoroughly

Always limit external logging

Correct placement of LOG rules can help with problems
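The "source verification" bullet refers to the rp_filter loop at the top of 3.4. As an added example (not the slides' code), the model below shows what that check does: the kernel looks up the route back to the packet's source address and passes the packet only if that route leaves through the interface the packet arrived on, so a packet carrying an internal or DMZ source address but arriving on the PPP link is discarded before any iptables chain sees it. The routing table is constructed from the interface addresses and the default route in 3.4; the sample packets are constructed too.

```python
"""Reverse-path source verification as enabled by rp_filter (added example)."""
import ipaddress

# Constructed routing table for the filter box in 3.4: (prefix, interface).
# "route add default ppp0" makes ppp0 the default route.
ROUTES = [
    (ipaddress.ip_network("192.84.219.0/24"), "eth0"),   # DMZ
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),    # internal network
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),         # default route
]


def route_for(addr, routes=ROUTES):
    """Longest-prefix match, as the kernel's route lookup does."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter_ok(src, in_dev, routes=ROUTES):
    """Strict reverse-path check: the route back to src must use the arrival interface."""
    return route_for(src, routes) == in_dev


def check(packets, routes=ROUTES):
    """Split (src, in_dev) records into those that pass and those rp_filter drops."""
    passed, dropped = [], []
    for src, dev in packets:
        (passed if rp_filter_ok(src, dev, routes) else dropped).append((src, dev))
    return passed, dropped


if __name__ == "__main__":
    # Constructed sample packets: the last two carry internal/DMZ source
    # addresses but arrive from the PPP link, so the reverse path fails.
    sample = [
        ("192.168.1.10", "eth1"),
        ("192.84.219.3", "eth0"),
        ("203.0.113.5", "ppp0"),
        ("192.168.1.10", "ppp0"),
        ("192.84.219.3", "ppp0"),
    ]
    passed, dropped = check(sample)
    print("passed: ", passed)
    print("dropped:", dropped)
```

Because this check runs in the routing code rather than in a chain, it does not need a rule per interface and cannot be forgotten when a new chain is added, which is why the summary recommends it alongside the explicit filter. Note that it only catches sources that are wrong for the arrival interface; a forged address that legitimately routes via ppp0 still passes, so the "define your allowed set thoroughly" advice still applies to the chains themselves.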

