[ale] iptables for wireless firewall

Joe jknapka at earthlink.net
Thu Apr 10 13:33:07 EDT 2003


"Zachary Link" <zack at the-links.net> writes:

> Just my initial reaction...some tweaks inline.  Also, I am not that
> familiar with VPNs on linux, so some of the ipsec rules could be wrong.

OK.
 
> > # Script to set up firewalling rules to protect us against wireless
> > # interlopers.
> > #
> > # The network configuration is as follows:
> > #
> > # The tame interface (eth0) is on net 192.168.81.0/24, the wired LAN.
> > # The wireless (wild-side) interface (eth1) is on net 192.168.71.0/24,
> > # the wireless LAN.
> > # The ipsec interface (ipsec0) is bound to the wild-side interface.
> >
> > KILL=REJECT
> >
> > # Start by sealing everything up.
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT ACCEPT
> >
> > # Flush everything.
> > iptables -F INPUT
> > iptables -F OUTPUT
> > iptables -F FORWARD
> >
> > ###########################
> > # Output - don't let packets escape on wrong interfaces.
> > ###########################
> 
> I would put more emphasis on dropping spoofed packets on the intake, but
> if you want these rules, I would make them mean what you really want, i.e.
> Also, use DROP unless you have a specific reason to REJECT.

Good point. I wanted to get error notifications while testing, but
once things are running smoothly I'll make KILL=DROP.

> > iptables -A OUTPUT -o eth0 --dest 192.168.71.0/24 -j ${KILL}
> iptables -A OUTPUT -o eth0 --dest ! 192.168.81.0/24 -j DROP

Won't work, because the potential dest for packets leaving on eth0
is the entire Internet. The setup is this:

Internet --- Firewall_A --- 192.168.81.0/24 --- Firewall_B --- 192.168.71.0/24

where the 192.168.71 net is the wireless net and the 192.168.81 net is
the 10/100BaseT LAN. This set of rules is for Firewall B.  These
OUTPUT rules are mainly for prudence, not protection; I'd be somewhat
amazed if they ever were triggered.

> > iptables -A OUTPUT -o eth1 --dest ! 192.168.71.0/24 -j ${KILL}
> > iptables -A FORWARD -o eth0 --dest 192.168.71.0/24 -j ${KILL}
> > iptables -A FORWARD -o eth1 --dest ! 192.168.71.0/24 -j ${KILL}
> > iptables -A OUTPUT -o ipsec0 --dest ! 192.168.71.0/24 -j ${KILL}
> > iptables -A FORWARD -o ipsec0 --dest ! 192.168.71.0/24 -j ${KILL}
> 
> Input spoofing protection would be something along the lines of the
> following:  (these should be your first rules)
> 
> # anti-spoof eth0
> iptables -A INPUT -i eth0 --src ! 192.168.81.0/24 -j DROP
> iptables -A FORWARD -i eth0 --src ! 192.168.81.0/24 -j DROP

Again, eth0 talks to the entire Internet, so I can't make this
assumption. I *can* make the assumption for the wild-side
interface, though, and do.

> # anti-spoof eth1
> iptables -A INPUT -i eth1 --src ! 192.168.71.0/24 -j DROP
> iptables -A FORWARD -i eth1 --src ! 192.168.71.0/24 -j DROP
> # anti-spoof ipsec0
> iptables -A INPUT -i ipsec0 --src ! 192.168.71.0/24 -j DROP
> iptables -A FORWARD -i ipsec0 --src ! 192.168.71.0/24 -j DROP
> 
> >
> > ###########################
> > # Tame interface (eth0).
> > # On the tame interface, we want to accept and forward anything that
> > # isn't obviously bad.
> > # Wildside packets from the tame net are obviously bad.
> > ###########################
> 
> Mentioned above, don't disallow 1 net, when you want to only allow 1 net.
> > iptables -A INPUT -i eth0 --src ! 192.168.71.0/24 -j ACCEPT
> iptables -A INPUT -i eth0 --src 192.168.81.0/24 -j ACCEPT
> > iptables -A FORWARD -i eth0 --src ! 192.168.71.0/24 -j ACCEPT
> iptables -A FORWARD -i eth0 --src 192.168.81.0/24 -j ACCEPT

See above.

> > ###########################
> > # Wildside interface (eth1).
> > ###########################
> >
> > # On the wildside interface, we want to:
> >
> > # Drop packets that don't appear to come from the wildside net.
> > iptables -A INPUT -i eth1 -s ! 192.168.71.0/24 -j ${KILL}
> >
> > # Accept protocols 50 and 51 (IPsec AH, ESP).
> > iptables -A INPUT -i eth1 -p 50 -j ACCEPT
> > iptables -A INPUT -i eth1 -p 51 -j ACCEPT
> >
> > # Accept IP on port 500 (ISAKMP), but no other port - all
> > # you can do on the wireless side is establish an SA, or
> > # send packets out to the Internet. (Do I need both
> > # TCP and UDP here?)
> not sure, might be UDP only
> > iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
> > iptables -A INPUT -i eth1 -p tcp --dport 500 -j ACCEPT
> >
> > # Forward anything whose dest addr is totally outside the local net
> > # space. This allows clients who can't or won't do IPsec to live
> > # peacefully and not hose anything on the wired LAN. (They're still a
> > # security risk, though - all their wireless traffic is in the clear.)
> > iptables -A FORWARD -i eth1 -d ! 192.168.81.0/24 -j ACCEPT
> >
> > # Forward DNS requests to the local DNS server. (I don't
> > # really like that, but...) (Do I need both TCP and UDP here?)
> DNS queries are only over UDP.  Zone transfers (server <-> server) are
> over TCP.
> > iptables -A FORWARD -i eth1 -p udp -d 192.168.81.1 --dport 53 -j ACCEPT
> > iptables -A FORWARD -i eth1 -p tcp -d 192.168.81.1 --dport 53 -j ACCEPT
> >
> 
> You also might want to add some of these, although be careful with the
> first one (disabling IP spoofing attacks), as it might not play well with
> IPSEC (from something I saw in netfilter docs).  This is irrelevant if you
> have good antispoofing rules in place anyway.
> 
> #Disabling IP Spoofing attacks.
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
> #Block source routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> 
> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> 
> #Enable SYN Cookies
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> #Kill redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Thanks, I was unaware of most of the above.

> In addition, depending on what services you run on your firewall, and the
> general level of security you want, I would consider locking down your
> firewall a bit more, add connection tracking (i.e. lan -> wildside, but
> established only from wildside -> lan) and you could also add flood limits
> to prevent DoS attacks, and logging to be aware of what's happening.
>
> Anyway, this turned out to be a little longer a response than I intended,
> so it is a little disjointed.  Also, for me to be more accurate, I need to
> spend a bit more time looking at these rules and learning what exactly you
> want to do, and how high level of security you want.  So, feel free to
> email me directly, and I can help you out.

Thanks for your comments.

Cheers,

-- Joe Knapka
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
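The ruleset the thread converges on, written out as an added example (this is editorial code, not Joe's script or Zachary's reply). It keeps the page's interfaces and networks (eth0 on 192.168.81.0/24, eth1 on 192.168.71.0/24, ipsec0, the resolver at 192.168.81.1), puts Zachary's anti-spoof rules first and only on the wild side (eth0 also carries Internet traffic, as Joe points out, so no source allow-list fits there), defaults KILL to DROP as Joe says he will, and adds the connection tracking and logging Zachary mentions but does not show. Assumptions of this example: the modern `! -s` / `! -d` negation syntax in place of the older `-s !`, the `-m state` match, rate-limited LOG rules, the `esp`/`ah` protocol names from /etc/protocols, and the `--dry-run` switch; `rules_text` prints the rules instead of loading them so the order can be reviewed before running with `--apply` as root.

```shell
#!/bin/sh
# Added example for Firewall_B (not the original poster's script).
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" to print instead of load
TAME=eth0;  TAME_NET=192.168.81.0/24   # wired LAN side; also the path to the Internet
WILD=eth1;  WILD_NET=192.168.71.0/24   # wireless side
VPN=ipsec0                             # decrypted IPsec traffic appears here
DNS=192.168.81.1                       # assumed: the LAN resolver
KILL="${KILL:-DROP}"                   # REJECT only while debugging, DROP in production

apply_rules() {
    # Lock the default policies first, then flush, so nothing slips through
    # while the chains are being rebuilt.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT; $IPT -F FORWARD; $IPT -F OUTPUT

    # Anti-spoofing on the wild side comes before any ACCEPT. Only the wireless
    # net may appear as a source on eth1 or ipsec0; eth0 cannot get the same
    # treatment because it also carries Internet traffic via Firewall_A.
    for ifc in $WILD $VPN; do
        $IPT -A INPUT   -i $ifc ! -s $WILD_NET -j $KILL
        $IPT -A FORWARD -i $ifc ! -s $WILD_NET -j $KILL
    done

    # Egress hygiene: wireless addresses never leave by the wrong door.
    $IPT -A OUTPUT  -o $TAME   -d $WILD_NET -j $KILL
    $IPT -A OUTPUT  -o $WILD ! -d $WILD_NET -j $KILL
    $IPT -A FORWARD -o $TAME   -d $WILD_NET -j $KILL
    $IPT -A FORWARD -o $WILD ! -d $WILD_NET -j $KILL

    # Connection tracking: replies to conversations the wired side opened may
    # come back; the wild side never gets to open one toward the LAN.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Tame side: allow-list the wired net's own source address, not a deny-list.
    $IPT -A INPUT   -i $TAME -s $TAME_NET -j ACCEPT
    $IPT -A FORWARD -i $TAME -s $TAME_NET -j ACCEPT

    # Wild side may only establish an IPsec SA with this box:
    # ESP (50), AH (51) and ISAKMP on UDP 500.
    $IPT -A INPUT -i $WILD -p esp -j ACCEPT
    $IPT -A INPUT -i $WILD -p ah  -j ACCEPT
    $IPT -A INPUT -i $WILD -p udp --dport 500 -j ACCEPT

    # Clients that don't do IPsec may reach the Internet but not the LAN,
    # except for UDP DNS to the local resolver.
    $IPT -A FORWARD -i $WILD ! -d $TAME_NET -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $WILD -p udp -d $DNS --dport 53 -m state --state NEW -j ACCEPT

    # Decrypted VPN traffic is trusted like the wired LAN.
    $IPT -A INPUT   -i $VPN -j ACCEPT
    $IPT -A FORWARD -i $VPN -j ACCEPT

    # Log (rate-limited) whatever reaches the end of a chain before the policy drops it.
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "FWB-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWB-FORWARD-DROP: "
}

# Print the rules in order without touching the kernel (for review).
rules_text() {
    ( IPT="echo iptables"; apply_rules )
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) rules_text ;;
esac
```

Run `sh firewall_b.sh --dry-run` to check that the anti-spoof and egress rules precede every ACCEPT, then `sh firewall_b.sh --apply` as root.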