This note is about how iptables protections might be structured. It assumes
you are familiar with iptables; if not, try this site for an introduction.
Many people say something along the lines of "I have three interfaces and get in
a mess when applying rules because they end up out of any sequence". This in
itself makes it hard to make changes and reduces your chances of making sure
that all the risks you should cover are indeed covered.
The basic principle is that you drop everything by default apart from what you wish to keep.
It's crucial to know what you are doing here. In general, if you are running a
server that has services plus, say, your clients' games, then it may well be that you
want to accept everything and work out the few things you want to drop.
Alternatively, if you are running a server that sends and receives mail for you,
you may wish to drop everything except mail transactions, thus leaving port 25
open while everything else is closed. The choice is based entirely on
what you are trying to achieve.
The next important step is to make sure you create a single script file with all the
iptables commands in it. It's much better to do this than to have several files each
setting up a different interface: in one place you can see all the rules and
what interactions may be at play.
In setting up iptables you are running iptables as a service and adding
to its "tables" the rules you want to use to protect your systems and data. You must
make sure that for every network interface on your system you have planned and
implemented the rules you need to have in place. You may decide that
internal interface traffic is safe and all of it should be accepted.
Alternatively you may believe the opposite and want to restrict internal users to
certain services, for example. In any event, best results are achieved by
being methodical.
Experience says: deal with each network card and the rules you
want to apply to traffic across it, rather than any other way of approaching it.
So on a 3 NIC system you might do this:
#eth0
#rules for eth0
#eth1
#rules for eth1
#eth2
#rules for eth2
Additionally you may want to group by function, so for eth0 you deal with PREROUTING first and FORWARDing second:
#eth0
# PREROUTING rules for eth0
# FORWARDing rules for eth0
#eth1
# PREROUTING rules for eth1
# FORWARDing rules for eth1
#eth2
# PREROUTING rules for eth2
# FORWARDing rules for eth2
Further, it is good to split by protocol type, so you get, say, all TCP rules and
then all UDP rules:
#eth0
# PREROUTING rules for eth0 TCP
# PREROUTING rules for eth0 UDP
# FORWARDing rules for eth0 TCP
# FORWARDing rules for eth0 UDP
#eth1
# PREROUTING rules for eth1 TCP
# PREROUTING rules for eth1 UDP
# FORWARDing rules for eth1 TCP
# FORWARDing rules for eth1 UDP
#eth2
# PREROUTING rules for eth2 TCP
# PREROUTING rules for eth2 UDP
# FORWARDing rules for eth2 TCP
# FORWARDing rules for eth2 UDP
It is by approaching it this way that you will cover all the risks and,
in future, be able to make quick decisions about changes far more safely than
if you had applied rules at random.
Example
Here is an example of what is meant for the Internet facing interfaces eth0 and eth1. Added to this are some table clearing commands at the start and some kernel settings at the tail end.
#!/bin/bash
# WIRELESS_IF is the internal interface that forwarded web traffic is sent
# out of; "wlan0" is an assumed name, adjust it to suit your system.
WIRELESS_IF="wlan0"
###
# Clear tables
###
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush
echo "Tables cleared"
#######################
# eth0 - First Internet facing interface
#######################
###
# PREROUTING
# TCP - Drop external net packets we do not want
###
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1:19 -j DROP
###
# UDP - Drop external net packets we do not want
###
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 --dport 23:52 -j DROP
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 --dport 54:66 -j DROP
###
# FORWARDing
# TCP - Allow external clients through to the internal web server only
###
/sbin/iptables -A FORWARD -p tcp -i eth0 -o $WIRELESS_IF -d 10.10.10.243 --dport 80 --sport 1028:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#######################
# eth1 - Second Internet facing interface
#######################
###
# PREROUTING
# TCP - Drop external net packets we do not want
###
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 1:19 -j DROP
###
# UDP - Drop external net packets we do not want
###
/sbin/iptables -t nat -A PREROUTING -p udp -i eth1 --dport 23:52 -j DROP
/sbin/iptables -t nat -A PREROUTING -p udp -i eth1 --dport 54:66 -j DROP
###
# FORWARDing
# TCP - Allow external clients through to the internal web server only
###
/sbin/iptables -A FORWARD -p tcp -i eth1 -o $WIRELESS_IF -d 10.10.10.243 --dport 80 --sport 1028:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
###
# Set up forwarding etc (kernel settings)
###
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # reverse-path filtering against spoofed source addresses
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects       # never send ICMP redirects
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # SYN cookies to survive SYN floods
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # ignore broadcast pings
echo 1 > /proc/sys/net/ipv4/ip_forward                    # enable routing between interfaces
As you can imagine when there are hundreds of rules in this script file it will look considerably more complex,
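The same interface / chain / protocol layout generated by a loop, so that every Internet-facing NIC gets an identical block in the same order and a default-deny policy sits underneath the whole thing. This is an added example, not the page's script; the `wlan0` internal NIC name, the dry-run printer and the `rule_count` helper are assumptions.

```shell
#!/bin/bash
# Added example (not from the original page): build the per-interface,
# per-chain, per-protocol layout described above for any number of
# Internet-facing NICs, so the ordering never depends on hand-editing.
# IPT defaults to a dry-run printer so the script runs without root;
# set IPT=/sbin/iptables to apply the rules for real.
dry_run() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-dry_run}"
WIRELESS_IF="${WIRELESS_IF:-wlan0}"   # assumed name of the internal NIC
WEB_HOST="10.10.10.243"               # internal web server from the page's example

# All rules for one Internet-facing NIC, always in the same order:
# PREROUTING TCP, PREROUTING UDP, FORWARD TCP, FORWARD UDP.
rules_for_nic() {
    nic="$1"
    echo "# $nic"
    echo "# PREROUTING rules for $nic TCP"
    $IPT -t nat -A PREROUTING -p tcp -i "$nic" --dport 1:19 -j DROP
    echo "# PREROUTING rules for $nic UDP"
    $IPT -t nat -A PREROUTING -p udp -i "$nic" --dport 23:52 -j DROP
    $IPT -t nat -A PREROUTING -p udp -i "$nic" --dport 54:66 -j DROP
    echo "# FORWARD rules for $nic TCP"
    $IPT -A FORWARD -p tcp -i "$nic" -o "$WIRELESS_IF" -d "$WEB_HOST" \
        --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    echo "# FORWARD rules for $nic UDP"
    echo "# (none: nothing is forwarded unless a rule above allows it)"
}

# Clear the tables, set default-deny policies, then emit one block per NIC.
build_ruleset() {
    $IPT --flush
    $IPT -t nat --flush
    $IPT -P INPUT DROP      # drop by default, then open only what is needed
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for nic in "$@"; do
        rules_for_nic "$nic"
    done
}

# Dry-run check: number of iptables commands the ruleset would issue.
rule_count() { build_ruleset "$@" | grep -c '^iptables '; }

build_ruleset eth0 eth1
```

Run it as-is to review the generated ordering, then re-run with IPT=/sbin/iptables as root to apply it.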