Difference between pages "Configuration files" and "IPTables"

From Wikislax
(Difference between pages)
Jump to: navigation, search
(Created page with "The location of the configuration files depend on the specific distribution, but is usually subdirectories of, or files in <tt>'''/etc'''</tt>, <tt>'''/usr/etc'''</tt>, <tt>''...")
 
(Created page with "{{RightTOC}} Packet filtering affords opening access only to these services you have decided to open. The TCP or UDP packets include a piece of information called the port nu...")
 
Line 1: Line 1:
The location of the configuration files depend on the specific distribution, but is usually subdirectories of, or files in <tt>'''/etc'''</tt>, <tt>'''/usr/etc'''</tt>, <tt>'''/usr/local/etc'''</tt>. The files are set up by installation but can be updated later. Applying the configuration change will then be a matter of restarting the corresponding daemon. The main Slackware configuration files are :
+
{{RightTOC}}
<br/>
 
  
== Init configuration ==
+
Packet filtering affords opening access only to these services you have decided to open. The TCP or UDP packets include a piece of information called the port number, that is used to identify the type of service. Secure ports were defined as SSL counterparts of the native ports but were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses in the SSL protocol. SSL should not be used any longer. Instead, use TLS. Current version is v1.2.
  
 
{| {{thead}}
 
{| {{thead}}
 
|-
 
|-
! {{chead}} width="200" | File
+
! {{chead}} width="100" | Protocol
! {{chead}} | Content
+
! {{chead}} | Port #
 +
! {{chead}} | Secure Protocol
 +
! {{chead}} | Secure Port #
 +
! {{chead}} | Service
 
|-
 
|-
| <tt>'''/etc/inittab'''</tt>||contains the default runlevel (3=multi-user, 4=graphical). On a live system, <tt>'''telinit n'''</tt> affords changing the level interactively.
+
|SMTP||25||SMTPS||465||Mail exchange
 
|-
 
|-
| <tt>'''/etc/fstab'''</tt>||contains descriptions on the filesystems used on this computer, including the device, the mount point, the filesystem type and the opening options. Use <tt>'''man fstab'''</tt>, copy, and try !
+
|HTTP||80||HTTPS||443||Web browsing
 
|-
 
|-
| <tt>'''/etc/http'''</tt>||Directory containing the Apache configuration files such as httpd.conf.
+
|POP3||110||POP3S||995||Mail retrieval
 
|-
 
|-
| <tt>'''/etc/lilo.conf'''</tt>||used by lilo to generate a boot sector on the device or on the MBR (master boot record). If on the device and using the Windows bootloader, don't forget to copy the boot sector on a disquette so as to be able to use it from Windows.
+
|NTTP||119||NTTPS||563||News exchange
 
|-
 
|-
| <tt>'''/etc/mail'''</tt>||Directory containing the Sendmail configuration files such as sendmail.mc and sendmail.cf. Spamassassin configuration also goes here as a subdirectory.
+
|IMAP||143||IMAPS||993||Mail retrieval
 
|-
 
|-
| <tt>'''/etc/mail/aliases'''</tt>||File containing a list of users that do not exist on the server and whose mail is redirected to existing users. After modifying this file the command <tt>'''newaliases'''</tt> must be ran.
+
|LDAP||389||LDAPS||636||Ldap Directory
# redirect news
 
usenet:        news
 
|-
 
| <tt>'''/etc/ntpd.conf'''</tt>||Configuration for the network time protocol. Add ntp servers for your region as below. After an update, restart using <tt>'''/etc/rc.d/rc.ntpd restart'''</tt>.
 
# NTP server (list one or more) to synchronize with:
 
server 0.fr.pool.ntp.org
 
server 1.fr.pool.ntp.org
 
server 2.fr.pool.ntp.org
 
server 3.fr.pool.ntp.org
 
|-
 
| <tt>'''/etc/profile'''</tt>||don't forget to update the paths:
 
MANPATH=/usr/local/share/man:/usr/local/man:/usr/man
 
|-
 
| <tt>'''/etc/profile.d'''</tt>||the files contained in this directory are executed at login when executable.
 
|-
 
| <tt>'''/etc/ld.so.conf'''</tt>||list of additional libraries. Needs <tt>'''/sbin/ldconfig'''</tt> after adding new libraries. Add <tt>'''/usr/local/lib64'''</tt> here.
 
|-
 
| <tt>'''.bashrc'''</tt>||Specify <tt>'''. /etc/profile'''</tt> on a line of itself to use in <tt>'''konsole'''</tt> the same environment as in the command line. This will afford <tt>'''colorls'''</tt> to work in new <tt>'''konsole'''</tt> tabs.
 
 
|}
 
|}
 +
 
<br clear=all>
 
<br clear=all>
  
== The /etc/rc.d directory ==
+
On server side, the services are provided by applications that may have vulnerabilities and be attacked. Examples of attacks are buffer overflow or format string attacks, that afford getting full access on the target machine by crafting special strings sent to it. An attacker could then obtain any information present there or modify or destroy the system.
 +
 
 +
To reduce the number of possible attacks, the number of services authorized, or who can access the system, must be restricted. This is known as packet filtering. It is only an aspect of security (obviously, the applications on the server side must also be secured ...), but it is important. <u>Never *** ever *** connect to the network a computer not protected by a packet filter !</u>
 +
 
 +
To illustrate, let's configure our two-interfaces computer to be its own firewall. '''eth0''' is the Internet interface, it uses network 192.168.0.x, the gateway is an ADSL router/switch at 192.168.0.254. '''eth1''' is the (Intranet) interface to the internal network 192.168.1.x.
 +
 
 +
== Iptables Filtering ==
 +
 
 +
Since Linux 2.4, packet filtering is effected inside the kernel, and configuration effected by the '''iptables''' user-space program. In addition to rules for incoming and outgoing packets, iptables affords defining rules for routing between the interfaces. The '''iptables''' command affords entering the rules '''one by one'''. Using a script affords entering all the rules. '''iptable -L -v''' affords viewing the current rules.
 +
 
 +
For more information, see the [http://www.netfilter.org/ netfilter] official site. This site has links to various documents, including a simple introduction to packet filtering in this [http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html HOWTO].
 +
 
 +
In Slackware, the script used is <tt>'''/etc/rc.d/rc.firewall'''</tt>. It is called  automatically when the system starts or stops, using commands <tt>'''./rc.firewall start'''</tt> or <tt>'''./rc.firewall stop'''</tt>.
 +
 
 +
#! /bin/sh
 +
#
 +
# startup script for local packet filter
 +
#
 +
fw_start () {
 +
echo "Loading packet filter rules"
 +
 
 +
The flush command affords deleting all the active nat and filtering rules:
 +
 
 +
# flush old rules
 +
iptables -t nat --flush
 +
iptables -flush
 +
 
 +
The -P option affords defining the default policy. A good practise is to forbid by default everything not authorized. This is done here for packets incoming, outgoing, and routed between the interfaces:
 +
 
 +
# drop by default
 +
iptables -P INPUT DROP
 +
iptables -P FORWARD DROP
 +
iptables -P OUTPUT DROP
 +
 
 +
The -A option affords adding a rule. Here all the packets on the loopback interface are accepted:
 +
 
 +
# pass all traffic for network 127.0.0.0/8 on loopback interface
 +
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 +
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 +
 
 +
Broadcast traffic is also OK:
 +
 
 +
# pass all broadcast traffic
 +
iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
 +
iptables -A OUTPUT -s 255.255.255.255 -d 0.0.0.0 -j ACCEPT
 +
 
 +
Connections already established are authorized to continue:
 +
 
 +
# accept packets that are part of previously OK'ed sessions
 +
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
 +
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
 +
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
 +
 
 +
Some noisy VoiP packets are dropped:
 +
 
 +
# drop SIP Cirpack KeepAlive Packet
 +
iptables -A INPUT -p udp -j DROP --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm
 +
 
 +
On both interfaces, we forbid communications where the remote address is a private network address, as specified by RFC 1918 (except 192.168.x.x, that we use internally). On the Internet, addresses of RFC 1918 private networks are not routable. So packets with such addresses are not expected on the internal network:
 +
 
 +
# INBOUND POLICY
 +
 +
# multicast traffic
 +
iptables -A INPUT -s 0.0.0.0/8 -d 224.0.0.0/8 -j LOG --log-prefix "INPUT multicast traffic "
 +
iptables -A INPUT -s 0.0.0.0/8 -d 224.0.0.0/8 -j DROP
 +
 +
# anti-spoofing rules
 +
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
 +
iptables -A INPUT -s 0.0.0.0/8 -j DROP
 +
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
 +
iptables -A INPUT -s 10.0.0.0/8 -j DROP
 +
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
 +
iptables -A INPUT -s 127.0.0.0/8 -j DROP
 +
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "INPUT spoofed IP "
 +
iptables -A INPUT -s 172.16.0.0/12 -j DROP
 +
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
 +
iptables -A INPUT -s 255.0.0.0/8 -j DROP
 +
 
 +
The protocols corresponding to services offered externally are accepted:
 +
 
 +
# services SMTP HTTP HTTPS
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 25 -m state --state NEW
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 443 -m state --state NEW
 +
 
 +
The protocols corresponding to services offered on the local network are accepted:
 +
 
 +
# services on local network FTP DNS BOOTP NNTP SUBMIT VNC VOIP
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 53 -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 53 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 69 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 119 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 587 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 5088 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 5900:5910 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 10000:20000 -s 192.168.0.0/16
 +
 
 +
We accept NFS on the local network and fix the NFS ports:
 +
 
 +
# NFS ports
 +
iptables -A INPUT -p udp -j ACCEPT --dport 111 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 2049 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 32764 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 32765 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 32766 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 32767 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 32768 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 32769 -s 192.168.0.0/24
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24
  
The <tt>'''/etc/rc.d'''</tt> directory contains the scripts used to initialize the system services at the end of the bootTo use a specific script at startup, make it user-executable. To stop using it, remove the execution rights. Depending on the situation, scripts are called with the <tt>'''start'''</tt>, <tt>'''stop'''</tt>, or <tt>'''restart'''</tt> parameter.
+
We accept samba traffic on the local network:
<br/>
+
 
 +
# samba ports
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 135 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 135 -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 137 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 137 -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 138 -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 139 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 445 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -p udp -j ACCEPT --dport 445 -s 192.168.0.0/16
 +
 
 +
We accept VOIP traffic from freephonie.net:
 +
 
 +
# services to freephonie network VOIP
 +
iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -s 212.27.52.0/24
 +
iptables -A INPUT -p udp -j ACCEPT --dport 10000:20000 -s 212.27.52.0/24
 +
 
 +
We accept X-Window traffic on the local network:
 +
 
 +
# SSH-tunnelled X-Window output appears as input on interface lo
 +
iptables -A INPUT -p udp -j ACCEPT --dport 177 -s 192.168.0.0/16
 +
iptables -A INPUT -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16
 +
iptables -A INPUT -i lo -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16
 +
 
 +
We accept pings on the local network:
 +
 
 +
# accept echo-request icmp packets
 +
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -s 192.168.0.0/16
 +
 
 +
We accept antispam dcc answers:
 +
 
 +
# accept dcc answers (dcc antispam service)
 +
  iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 --sport 6277
 +
 
 +
We log anything not accepted above:
 +
 
 +
# log anything not accepted above
 +
iptables -A INPUT -j LOG --log-prefix "INPUT bad traffic "
 +
 
 +
We accept all outbound packets, which would for example afford using a network scanner. In a production environment, there would be a stricter policy:
 +
 
 +
# OUTBOUND POLICY
 +
 +
# accept all outbound packets
 +
iptables -A OUTPUT -j ACCEPT
 +
 +
# log anything not accepted above
 +
# iptables -A OUTPUT -j LOG --log-prefix "OUTPUT bad traffic "
 +
 
 +
For routing between the interfaces, everything is accepted. In a production environment, there might be a stricter policy:
 +
 
 +
# FORWARD POLICY
 +
 +
# forward all outbound packets
 +
iptables -A FORWARD -j ACCEPT
 +
 +
# log anything not accepted above
 +
# iptables -A FORWARD -j LOG --log-prefix "FORWARD bad traffic "
 +
 
 +
The Network Address Translation rule below affords replacing the source address in the packets coming from the internal interface by the source address of the external interface. The packets outgoing to the Internet then all seem to come from the external interface, whatever their real origin (this translation affords hiding to the outside the addresses used internally):
 +
 
 +
# POSTROUTING POLICY
 +
 +
# nat traffic going to internet with our local network address
 +
iptables -t nat -A POSTROUTING -o br0 -j SNAT --to 192.168.0.1
 +
}
 +
 +
After the fw_start() function ends, the fw_stop() function is defined to authorize everything:
 +
 
 +
fw_stop () {
 +
  echo "Unloading all packet filter rules"
 +
  iptables -t nat --flush
 +
  iptables -flush
 +
 +
# accept by default
 +
  iptables -P INPUT ACCEPT
 +
  iptables -P FORWARD ACCEPT
 +
  iptables -P OUTPUT ACCEPT
 +
  }
 +
 +
case "$1" in
 +
‘start’)
 +
  fw_start
 +
  ;;
 +
’stop’)
 +
  fw_stop
 +
  ;;
 +
’restart’)
 +
  fw_start
 +
  ;;
 +
*)
 +
  echo "usage $0 start | stop | restart"
  
== Network configuration ==
+
== Testing the firewall ==
  
The network configuration is done during system installation but it is possible to change it later by editing the files and restarting the right daemon:
+
Use '''nmap -sU hostname''' (UDP) and '''nmap -sT hostname''' (TCP) to make sure what ports are visible locally and do the same from the outside.
  
{| {{thead}}
+
== Download example ==
|-
 
! {{chead}} width="200" | File
 
! {{chead}} | Content
 
|-
 
| <tt>'''/etc/rc.d/rc.inet1.conf'''</tt>||configuration of the network. For Xen the standard configuration uses a bridge. A bridge gathers several physical network interfaces. The bridge is configured with an IP address while the physical network interfaces are left unconfigured. After an update, restart using <tt>'''/etc/rc.d/rc.inet1 restart'''</tt>.
 
# Config information for eth0:
 
IPADDR[0]=""
 
NETMASK[0]=""
 
USE_DHCP[0]=""
 
DHCP_HOSTNAME[0]=""
 
. . .
 
# Example of how to configure a bridge:
 
# Note the added "BRNICS" variable which contains a space-separated list
 
# of the physical network interfaces you want to add to the bridge.
 
IFNAME[0]="br0"
 
BRNICS[0]="eth0"
 
IPADDR[0]="192.168.0.1"
 
NETMASK[0]="255.255.255.0"
 
USE_DHCP[0]=""
 
DHCP_HOSTNAME[0]=""
 
|-
 
| <tt>'''/etc/rc.d/rc.ipforward'''</tt>||is a script to allow forwarding of packets between the interfaces. This is useful for a computer with several interfaces, for instance a firewall. To allow forwarding, just make the script executable.
 
|-
 
| <tt>'''/etc/ssh/sshd_config'''</tt>||ssh server configuration. '''PermitRootLogin yes''' affords login as root. To authorize X11Forwarding use '''ForwardX11 yes'''. After an update, restart using '''/etc/rc.d/rc.sshd restart'''.
 
|-
 
| <tt>'''/etc/ssh/ssh_config'''</tt>||ssh client configuration. To authorize X11Forwarding use '''ForwardX11 yes''' and '''ForwardX11Trusted yes''' to avoid a warning using '''ssh''' and get better security.
 
|-
 
| <tt>'''/etc/hosts'''</tt>||contains the addresses of the local hosts that bind cannot resolve, as they are in a private addressing plan. It is also possible to specify here addresses that will be chosen in lieu of their official address.
 
|-
 
| <tt>'''/etc/rc.d/rc.bind'''</tt>||setting this script as user-executable will afford running the local computer to be its own DNS.
 
|-
 
| <tt>'''/etc/named.conf'''</tt>||uncomment the query-source directive to suppress the port-unreachable packets on '''lo'''.
 
|-
 
| <tt>'''/etc/resolv.conf'''</tt>||if using local bind, append a line with <tt>'''nameserver 127.0.0.1'''</tt>.
 
|-
 
| <tt>'''/etc/udev/rules.d/70-persistent-net.rules'''</tt>||affords changing which interface is eth0.
 
|}
 
<br clear=all>
 
  
<u>Note</u> : In case of network issue, it can be a good idea to check the configuration using <tt>'''ifconfig -a'''</tt>, <tt>'''netstat -f inet -rn'''</tt>, and <tt>'''route'''</tt>. The routes are kept from one boot to the other and it may become necessary to delete the existing routes using <tt>'''route flush'''</tt>, then reboot.
+
[{{SERVER}}/slax/download/rc.firewall Download file rc.firewall]
  
 
<br/>
 
<br/>
  
{{pFoot|[[Linux basics]]|[[Main Page]]|[[IPTables]]}}
+
{{pFoot|[[Configuration files]]|[[Main Page]]|[[X11 configuration]]}}

Revision as of 23:23, 6 December 2017

Packet filtering affords opening access only to these services you have decided to open. The TCP or UDP packets include a piece of information called the port number, that is used to identify the type of service. Secure ports were defined as SSL counterparts of the native ports but were superseded by TLS and are now deprecated due to security weaknesses in the SSL protocol. SSL should not be used any longer. Instead, use TLS. Current version is v1.2.

Protocol Port # Secure Protocol Secure Port # Service
SMTP 25 SMTPS 465 Mail exchange
HTTP 80 HTTPS 443 Web browsing
POP3 110 POP3S 995 Mail retrieval
NTTP 119 NTTPS 563 News exchange
IMAP 143 IMAPS 993 Mail retrieval
LDAP 389 LDAPS 636 Ldap Directory


On server side, the services are provided by applications that may have vulnerabilities and be attacked. Examples of attacks are buffer overflow or format string attacks, that afford getting full access on the target machine by crafting special strings sent to it. An attacker could then obtain any information present there or modify or destroy the system.

To reduce the number of possible attacks, the number of services authorized, or who can access the system, must be restricted. This is known as packet filtering. It is only an aspect of security (obviously, the applications on the server side must also be secured ...), but it is important. Never *** ever *** connect to the network a computer not protected by a packet filter !

To illustrate, let's configure our two-interfaces computer to be its own firewall. eth0 is the Internet interface, it uses network 192.168.0.x, the gateway is an ADSL router/switch at 192.168.0.254. eth1 is the (Intranet) interface to the internal network 192.168.1.x.

Iptables Filtering

Since Linux 2.4, packet filtering is effected inside the kernel, and configuration effected by the iptables user-space program. In addition to rules for incoming and outgoing packets, iptables affords defining rules for routing between the interfaces. The iptables command affords entering the rules one by one. Using a script affords entering all the rules. iptable -L -v affords viewing the current rules.

For more information, see the netfilter official site. This site has links to various documents, including a simple introduction to packet filtering in this HOWTO.

In Slackware, the script used is /etc/rc.d/rc.firewall. It is called automatically when the system starts or stops, using commands ./rc.firewall start or ./rc.firewall stop. 

#! /bin/sh
#
# startup script for local packet filter
#
fw_start () {
echo "Loading packet filter rules"

The flush command affords deleting all the active nat and filtering rules: 

# flush old rules
iptables -t nat --flush
iptables -flush

The -P option affords defining the default policy. A good practise is to forbid by default everything not authorized. This is done here for packets incoming, outgoing, and routed between the interfaces: 

# drop by default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

The -A option affords adding a rule. Here all the packets on the loopback interface are accepted: 

# pass all traffic for network 127.0.0.0/8 on loopback interface
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

Broadcast traffic is also OK: 

# pass all broadcast traffic
iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
iptables -A OUTPUT -s 255.255.255.255 -d 0.0.0.0 -j ACCEPT

Connections already established are authorized to continue: 

# accept packets that are part of previously OK'ed sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

Some noisy VoiP packets are dropped: 

# drop SIP Cirpack KeepAlive Packet
iptables -A INPUT -p udp -j DROP --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm

On both interfaces, we forbid communications where the remote address is a private network address, as specified by RFC 1918 (except 192.168.x.x, that we use internally). On the Internet, addresses of RFC 1918 private networks are not routable. So packets with such addresses are not expected on the internal network: 

# INBOUND POLICY

# multicast traffic
iptables -A INPUT -s 0.0.0.0/8 -d 224.0.0.0/8 -j LOG --log-prefix "INPUT multicast traffic "
iptables -A INPUT -s 0.0.0.0/8 -d 224.0.0.0/8 -j DROP

# anti-spoofing rules
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 255.0.0.0/8 -j DROP

The protocols corresponding to services offered externally are accepted: 

# services SMTP HTTP HTTPS
iptables -A INPUT -p tcp -j ACCEPT --dport 25 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 443 -m state --state NEW

The protocols corresponding to services offered on the local network are accepted: 

# services on local network FTP DNS BOOTP NNTP SUBMIT VNC VOIP
iptables -A INPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 53 -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 53 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 69 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 119 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 587 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 5088 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 5900:5910 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 10000:20000 -s 192.168.0.0/16

We accept NFS on the local network and fix the NFS ports: 

# NFS ports
iptables -A INPUT -p udp -j ACCEPT --dport 111 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 2049 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32764 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32765 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32766 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32767 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32768 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32769 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24

We accept samba traffic on the local network: 

# samba ports
iptables -A INPUT -p tcp -j ACCEPT --dport 135 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 135 -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 137 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 137 -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 138 -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 139 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 445 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 445 -s 192.168.0.0/16

We accept VOIP traffic from freephonie.net: 

# services to freephonie network VOIP
iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -s 212.27.52.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 10000:20000 -s 212.27.52.0/24

We accept X-Window traffic on the local network: 

# SSH-tunnelled X-Window output appears as input on interface lo
iptables -A INPUT -p udp -j ACCEPT --dport 177 -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -i lo -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16

We accept pings on the local network: 

# accept echo-request icmp packets
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -s 192.168.0.0/16

We accept antispam dcc answers: 

# accept dcc answers (dcc antispam service)
iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 --sport 6277

We log anything not accepted above: 

# log anything not accepted above
iptables -A INPUT -j LOG --log-prefix "INPUT bad traffic "

We accept all outbound packets, which would for example afford using a network scanner. In a production environment, there would be a stricter policy: 

# OUTBOUND POLICY

# accept all outbound packets
iptables -A OUTPUT -j ACCEPT

# log anything not accepted above
# iptables -A OUTPUT -j LOG --log-prefix "OUTPUT bad traffic "

For routing between the interfaces, everything is accepted. In a production environment, there might be a stricter policy: 

# FORWARD POLICY

# forward all outbound packets
iptables -A FORWARD -j ACCEPT

# log anything not accepted above
# iptables -A FORWARD -j LOG --log-prefix "FORWARD bad traffic "

The Network Address Translation rule below affords replacing the source address in the packets coming from the internal interface by the source address of the external interface. The packets outgoing to the Internet then all seem to come from the external interface, whatever their real origin (this translation affords hiding to the outside the addresses used internally): 

# POSTROUTING POLICY

# nat traffic going to internet with our local network address
iptables -t nat -A POSTROUTING -o br0 -j SNAT --to 192.168.0.1 
}

After the fw_start() function ends, the fw_stop() function is defined to authorize everything: 

fw_stop () {
  echo "Unloading all packet filter rules"
  iptables -t nat --flush
  iptables -flush

# accept by default
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  }

case "$1" in
‘start’)
  fw_start
  ;;
’stop’)
  fw_stop
  ;;
’restart’)
  fw_start
  ;;
*)
  echo "usage $0 start | stop | restart"

Testing the firewall

Use nmap -sU hostname (UDP) and nmap -sT hostname (TCP) to make sure what ports are visible locally and do the same from the outside.

Download example

Download file rc.firewall


Configuration files Main Page X11 configuration
Retrieved from "http://studioware.com/wikislax/index.php?title=Configuration_files&oldid=14"