[ale] iptables for wireless firewall

Transam bob at verysecurelinux.com
Thu Apr 10 15:07:56 EDT 2003 

There is not security within a wireless network.  Don't kid yourself
with firewall rules.  You need a VPN tunnel through the wireless network.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002

On Thu, Apr 10, 2003 at 08:26:20AM -0600, Joe wrote:
> Hi folks,

> Some time ago I started thinking about securing my wireless network,
> and further, securing my wired LAN *from* the wireless net. I've
> mostly got it all working now. I decided to post my firewall rules
> for constructive criticism. Here they are:

> # Script to set up firewalling rules to protect us against wireless
> # interlopers.
> #
> # The network configuration is as follows:
> #
> # The tame interface (eth0) is on net 192.168.81.0/24, the wired LAN.
> # The wireless (wild-side) interface (eth1) is on net 192.168.71.0/24,
> # the wireless LAN.
> # The ipsec interface (ipsec0) is bound to the wild-side interface.

> KILL=REJECT

> # Start by sealing everything up.
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

> # Flush everything.
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD

> ###########################
> # Output - don't let packets escape on wrong interfaces.
> ###########################
> iptables -A OUTPUT -o eth0 --dest 192.168.71.0/24 -j ${KILL}
> iptables -A OUTPUT -o eth1 --dest ! 192.168.71.0/24 -j ${KILL}
> iptables -A FORWARD -o eth0 --dest 192.168.71.0/24 -j ${KILL}
> iptables -A FORWARD -o eth1 --dest ! 192.168.71.0/24 -j ${KILL}
> iptables -A OUTPUT -o ipsec0 --dest ! 192.168.71.0/24 -j ${KILL}
> iptables -A FORWARD -o ipsec0 --dest ! 192.168.71.0/24 -j ${KILL}

> ###########################
> # Tame interface (eth0).
> # On the tame interface, we want to accept and forward anything that
> # isn't obviously bad.
> # Wildside packets from the tame net are obviously bad.
> ###########################
> iptables -A INPUT -i eth0 --src ! 192.168.71.0/24 -j ACCEPT
> iptables -A FORWARD -i eth0 --src ! 192.168.71.0/24 -j ACCEPT

> ###########################
> # Wildside interface (eth1).
> ###########################

> # On the wildside interface, we want to:

> # Drop packets that don't appear to come from the wildside net.
> iptables -A INPUT -i eth1 -s ! 192.168.71.0/24 -j ${KILL}

> # Accept protocols 50 and 51 (IPsec AH, ESP).
> iptables -A INPUT -i eth1 -p 50 -j ACCEPT
> iptables -A INPUT -i eth1 -p 51 -j ACCEPT

> # Accept IP on port 500 (ISAKMP), but no other port - all
> # you can do on the wireless side is establish an SA, or
> # send packets out to the Internet. (Do I need both
> # TCP and UDP here?)
> iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 500 -j ACCEPT

> # Forward anything whose dest addr is totally outside the local net
> # space. This allows clients who can't or won't do IPsec to live
> # peacefully and not hose anything on the wired LAN. (They're still a
> # security risk, though - all their wireless traffic is in the clear.)
> iptables -A FORWARD -i eth1 -d ! 192.168.81.0/24 -j ACCEPT

> # Forward DNS requests to the local DNS server. (I don't
> # really like that, but...) (Do I need both TCP and UDP here?)
> iptables -A FORWARD -i eth1 -p udp -d 192.168.81.1 --dport 53 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.81.1 --dport 53 -j ACCEPT

> ###########################
> # Wildside IPsec interface (ipsec0).
> # On the wildside ipsec interface, we want to accept and forward
> # anything that isn't obviously bad.
> # Tame-side packets on the wildside interface are obviously bad.
> ###########################
> iptables -A INPUT -i ipsec0 -s 192.168.71.0/24 -j ACCEPT
> iptables -A FORWARD -i ipsec0 -s 192.168.71.0/24 -j ACCEPT

> # END

> Cheers,

> -- Joe Knapka
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list