Difference between revisions of "Firewall principle"

(Created page with "The firewall (FW) is a key component of your server's security. =Key points= ==Default policy== This is how you defined a default policy. Note: * You have to adjust th...")
 
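--- a/Firewall principle
+++ b/Firewall principle
@@ -136,3 +136,46 @@
 $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
 $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT  
+</syntaxhighlight>
+
+
+==VPN==
+
+Adjust the following to your own port, network ID and protocol:
+
+<syntaxhighlight lang="bash">
+IPTABLES=`which iptables`
+
+INT_VPN=tun0
+VPN_PORT="8080"
+VPN_PROTOCOL="udp"
+LAN_ADDRESS_VPN="172.16.60.0/24"
+
+echo -e " "
+echo -e "------------------------"
+echo -e " VPN configuration"
+echo -e "------------------------"
+
+echo " "
+echo -e "# VPN interface  : $INT_VPN"
+echo -e "# VPN IP @      : $LAN_ADDRESS_VPN"
+echo -e "# VPN port      : $VPN_PORT"
+echo -e "# VPN protocol  : $VPN_PROTOCOL"
+echo -e "-------------------------------------- "
+
+# Allow devices communication $ETH0 <--> tun0
+$IPTABLES -t nat -A POSTROUTING -s $LAN_ADDRESS_VPN -o $INT_ETH -j MASQUERADE
+$IPTABLES -A FORWARD -s $LAN_ADDRESS_VPN -j ACCEPT
+
+echo -e " ... Allow VPN connections"
+$IPTABLES -A INPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp --dport $VPN_PORT -j ACCEPT
+
+echo -e " ... Allow everything to go through VPN - all INPUT,OUTPUT,FORWARD"
+$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
+$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
+$IPTABLES -A FORWARD -o $INT_VPN -m state ! --state INVALID -j ACCEPT
+
+echo -e " ... Allow VPN network communication (required for client <> client comm.)"
+$IPTABLES -A INPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
+$IPTABLES -A OUTPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
 </syntaxhighlight>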
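Review bot: The added VPN block reads `$INT_ETH` in the POSTROUTING MASQUERADE rule but never sets it (only IPTABLES, INT_VPN, VPN_PORT, VPN_PROTOCOL and LAN_ADDRESS_VPN are assigned, and the comment above the rule calls it `$ETH0`), so as pasted the `-o` option is left without an argument and iptables will most likely reject the rule. Adding `: "${INT_ETH:?set INT_ETH to the outbound interface}"` next to the other variables turns the omission into an explicit error instead of a silently missing NAT rule. The OUTPUT rule for the VPN port hard-codes `-p tcp` while the matching INPUT rule uses `$VPN_PROTOCOL` (udp here); it should read `$IPTABLES -A OUTPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT`. The FORWARD rule and the client-to-client INPUT rule match on the VPN address range only, so without `-i $INT_VPN` a packet arriving on any other interface with a source address in that range is accepted as VPN traffic. The backticks, `echo -e` and unquoted expansions match the rest of the page, so I would leave those to a separate cleanup.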

Revision as of 17:17, 2 June 2014

The firewall (FW) is a key component of your server's security.


Key points

Default policy

This is how you define a default policy.


Note:

  • You have to adjust the policy to your own settings
  • You should NOT set the INPUT policy to ACCEPT. That's risky!


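# Locate iptables once; stop here instead of running a bare "-t filter -F" when it is missing.
IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

printf '%s\n' " "
printf '%s\n' "------------------------"
printf '%s\n' " Flush existing rules "
printf '%s\n' "------------------------"

# Start from a clean slate in every table so nothing from an earlier run survives.
"$IPTABLES" -t filter -F
"$IPTABLES" -t filter -X

# delete NAT rules
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

# delete MANGLE rules (packets modifications)
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X

printf '%s\n' " "
printf '%s\n' "------------------------"
printf '%s\n' " Default policy"
printf '%s\n' "------------------------"
printf '%s\n' "              || --> OUTGOING    reject all "
printf '%s\n' "          --> ||     INCOMING    reject all "
printf '%s\n' "          --> || --> FORWARDING  accept all (each redirection needs configuration)"

# INCOMING = avoid intrusions
# OUTGOING = avoid disclosure of sensitive / private data
# NOTE: the banner above announces "OUTGOING reject all", but the OUTPUT policy set
# here is ACCEPT: outbound traffic is only filtered by the INVALID drops further down.
# The DROP policy is applied before any ACCEPT rule exists, so the host is never left
# open between the flush and the rules; an existing SSH session should survive because
# the ESTABLISHED rule is appended a few lines below.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

printf '%s\n' " ... Reject invalid packets"
# Packets that connection tracking cannot tie to any known connection.
"$IPTABLES" -A INPUT -p tcp -m state --state INVALID -j DROP
"$IPTABLES" -A INPUT -p udp -m state --state INVALID -j DROP
"$IPTABLES" -A INPUT -p icmp -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -p tcp -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -p udp -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -p icmp -m state --state INVALID -j DROP
"$IPTABLES" -A FORWARD -p tcp -m state --state INVALID -j DROP
"$IPTABLES" -A FORWARD -p udp -m state --state INVALID -j DROP
# icmp was missing here; FORWARD now gets the same INVALID treatment as INPUT and OUTPUT.
"$IPTABLES" -A FORWARD -p icmp -m state --state INVALID -j DROP

printf '%s\n' " ... Keep ESTABLISHED connections "
"$IPTABLES" -A INPUT -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

printf '%s\n' " ... Keep RELATED connections (required for FTP)"
# RELATED is only produced when a conntrack helper (e.g. the FTP one) is loaded.
"$IPTABLES" -A INPUT -m state --state RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state RELATED -j ACCEPT

# Allow localhost communication
# 127.0.0.0/8 is the whole loopback block; the previous /24 cut off services bound to
# other 127.x addresses.
printf '%s\n' " ... Allow localhost"
"$IPTABLES" -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT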


DHCP

You need the following to use DHCP:

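# Locate iptables once; stop here instead of running a bare "-A ..." when it is missing.
IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

# DHCP client >> Broadcast IP request
# DISCOVER/REQUEST leave from UDP 68 towards the limited broadcast address on UDP 67.
"$IPTABLES" -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT

# DHCP server >> send / reply to IPs requests
# The OFFER/ACK is sent from the server's own address, never from 255.255.255.255,
# so the reply is matched on the port pair only; the former "-s 255.255.255.255"
# filter could not match a real reply.
# NOTE(review): DHCP clients that use packet sockets may bypass these rules entirely;
# verify with the client actually deployed on this host.
"$IPTABLES" -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT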


DNS

This will allow your computer to perform DNS requests:

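# Locate iptables once; stop here instead of running a bare "-A ..." when it is missing.
IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

# Client side: our queries out to port 53 and their answers back in.
# The answer is accepted only as part of a tracked query (ESTABLISHED); without that
# condition any packet with source port 53 would bypass the INPUT DROP policy.
# "-m limit" caps the accepted rate; packets over the limit fall through to the chain policy.
"$IPTABLES" -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -m limit --limit 100/s -j ACCEPT
# Server side (only useful when a resolver on this host listens on port 53):
# replies leave from port 53 as part of a tracked query...
"$IPTABLES" -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -m limit --limit 100/s -j ACCEPT
# ...and answers to our own queries come back from port 53.
"$IPTABLES" -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -m limit --limit 100/s -j ACCEPT
# Server side: incoming queries to port 53.
"$IPTABLES" -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -m limit --limit 100/s -j ACCEPT
# NOTE: these rules are UDP only; DNS over TCP (large answers) is not covered.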


LAN communication

To allow communication in the local network, without any restrictions:

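# Locate iptables once; stop here instead of running a bare "-A ..." when it is missing.
IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"
LAN_ADDRESS="172.16.50.0/24"

# Unrestricted traffic between this host and the LAN range, in both directions.
# NOTE(review): the match is on addresses only, not on the LAN interface, so a packet
# arriving on another interface with a spoofed LAN source address is accepted as well;
# add "-i <lan-interface>" / "-o <lan-interface>" on a multi-homed host.
"$IPTABLES" -A INPUT -s "$LAN_ADDRESS" -d "$LAN_ADDRESS" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$LAN_ADDRESS" -d "$LAN_ADDRESS" -j ACCEPT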


FTP client

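# Locate iptables once; stop here instead of running a bare "-A ..." when it is missing.
IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

# FTP client - base rules
# Control connection: we open it towards port 21, only replies are accepted back.
"$IPTABLES" -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Active FTP
# The server opens the data connection from its port 20 towards us, so on INPUT it is a
# new connection that connection tracking reports as RELATED to the control session.
"$IPTABLES" -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# Passive FTP
# We open the data connection towards a high port announced by the server; that is why
# RELATED is on the OUTPUT side here.
# RELATED is only produced when the kernel's FTP conntrack helper (nf_conntrack_ftp)
# is loaded, which this snippet does not do.
"$IPTABLES" -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT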


VPN

Adjust the following to your own port, network ID and protocol:

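# Locate iptables once; stop here instead of running a bare "-A ..." when it is missing.
IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

INT_VPN=tun0
VPN_PORT="8080"
VPN_PROTOCOL="udp"
LAN_ADDRESS_VPN="172.16.60.0/24"
# Interface the VPN clients' traffic is masqueraded out of. It was used below without
# ever being set, which left the MASQUERADE rule with an empty "-o" argument.
: "${INT_ETH:?set INT_ETH to the outbound interface before running this block}"

printf '%s\n' " "
printf '%s\n' "------------------------"
printf '%s\n' " VPN configuration"
printf '%s\n' "------------------------"

printf '%s\n' " "
printf '%s\n' "# VPN interface  : $INT_VPN"
printf '%s\n' "# VPN IP @       : $LAN_ADDRESS_VPN"
printf '%s\n' "# VPN port       : $VPN_PORT"
printf '%s\n' "# VPN protocol   : $VPN_PROTOCOL"
printf '%s\n' "-------------------------------------- "

# Allow devices communication $INT_ETH <--> $INT_VPN
"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_ADDRESS_VPN" -o "$INT_ETH" -j MASQUERADE
# Bound to the VPN interface so a spoofed VPN source address arriving elsewhere is not forwarded.
"$IPTABLES" -A FORWARD -i "$INT_VPN" -s "$LAN_ADDRESS_VPN" -j ACCEPT

printf '%s\n' " ... Allow VPN connections"
"$IPTABLES" -A INPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT
# Same protocol as the INPUT rule (this one was hard-coded to tcp while VPN_PROTOCOL is udp).
"$IPTABLES" -A OUTPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT

printf '%s\n' " ... Allow everything to go through VPN - all INPUT,OUTPUT,FORWARD"
# Everything that is not INVALID is accepted on the VPN interface, NEW connections
# included: VPN peers are treated as fully trusted hosts.
"$IPTABLES" -A INPUT -i "$INT_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A FORWARD -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT

printf '%s\n' " ... Allow VPN network communication (required for client <> client comm.)"
# Interface-bound like the rules above: VPN-range traffic is only VPN traffic when it
# travels over the VPN interface.
"$IPTABLES" -A INPUT -i "$INT_VPN" -s "$LAN_ADDRESS_VPN" -d "$LAN_ADDRESS_VPN" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INT_VPN" -s "$LAN_ADDRESS_VPN" -d "$LAN_ADDRESS_VPN" -j ACCEPT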