Dave Duperon
07-24-2004, 10:07 PM
I have set up a Linux (RH8) system as a firewall that connects to my
DSL provider with pppoe. It's in my garage where I can play MP3s
while I work, check weather, etc, and provides an always-on gateway
connection for our other multi-boot systems (Windoze & Linux). All
hosts are trusted on the local network (we have no kids!) and all have
access to the internet through the firewall via NAT/MASQUERADE. The
firewall also provides a local intranet web and file server where I
put stuff I want access to from all the machines. I want NO services
on the ppp0 side (internet) but ALL services available on the local
net side (eth0) of the firewall.
I used levy.pl to get me started, but the script it created had some
lines I thought were not necessary and it didn't work for the gateway
for the other machines. I had to add the following line:
iptables --append FORWARD -j ACCEPT
This seems a bit insecure, but the firewall test at http://grc.com/
showed perfect stealth when run from both the firewall itself, and a
Windoze 2K box behind it. A ping to my ppp0 IP address showed 100%
packet loss. Are these good indications of an effective firewall? I
would really appreciate a critique by any experts who would be willing
to take a look at my script (which is run as ip-up.local when the
pppoe connects). I've thrown a few comments in where I have
questions. Here it is:
#!/bin/sh
# Iptables Firewall - created by levy.pl on Mon Oct 20 21:56:15 2003
# Created with ./levy.pl ppp0 -l -n 192.168.0.0/16 -e -t 192.168.0.0/16
# http://muse.linuxmafia.org/levy
# chain policies
# set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -F -t nat
# create DUMP table
/sbin/iptables -N DUMP > /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p udp -j LOG
# need these? They make it not stealthy in the grc.com firewall test.
#/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
#/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP
# Stateful table
/sbin/iptables -N STATEFUL > /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ppp0 -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP
# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# drop reserved addresses incoming
/sbin/iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DUMP
# allow certain inbound ICMP types
# need these? Seems to work without them.
#/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
#/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type time-exceeded -j ACCEPT
#/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
# Set up NAT for internal network
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
# How come it needs this for internal hosts to reach internet?
# Seems a little insecure(?).
iptables --append FORWARD -j ACCEPT
# unfiltered network/host (internal LAN)
/sbin/iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
That's it. Please let me know if there's something I'm not handling
that I should or should do differently. Thanks a bunch!
Dave Duperon
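Added example, not part of Dave's post: the script sets the FORWARD policy to DROP and nothing else accepts forwarded packets, which is why the LAN could not reach the internet until the blanket `iptables --append FORWARD -j ACCEPT` was added; that line also forwards anything that arrives on ppp0. The rules below replace it with stateful FORWARD rules that only let the LAN (192.168.0.0/16 on eth0, as the post describes) open new connections out ppp0 and let replies back in. The IPT variable defaults to `echo` so the script prints the rules for inspection; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): stateful FORWARD rules that
# replace "iptables --append FORWARD -j ACCEPT". New connections are only
# accepted from the LAN toward the internet; replies come back by state.
# IPT defaults to "echo" for a dry run; set IPT=/sbin/iptables to apply.
LAN="${LAN:-192.168.0.0/16}"   # internal network from the post
LAN_IF="${LAN_IF:-eth0}"       # LAN side of the firewall
WAN_IF="${WAN_IF:-ppp0}"       # pppoe / internet side
IPT="${IPT:-echo}"

forward_rules() {
    # Start from an empty chain and keep the DROP policy so that anything
    # not explicitly listed below is dropped.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies and related packets (ICMP errors, FTP data) in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from LAN hosts, entering on eth0, leaving on ppp0.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    # Everything else, including new connections arriving on ppp0, is logged
    # and then dropped (same idea as the post's DUMP chain).
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Sanity checks on the generated rule set (run in dry-run mode):
# number of rules that would accept NEW connections entering on the WAN
# interface; must be 0.
wan_new_accepts() {
    forward_rules | grep -c -- "-i $WAN_IF .*--state NEW.*-j ACCEPT" || true
}

# number of ACCEPT rules in total; 2 (state reply rule + LAN-out rule).
accept_rule_count() {
    forward_rules | grep -c -- "-j ACCEPT" || true
}

forward_rules
```

Keep the rest of the post's script as is and drop only the blanket FORWARD line; the MASQUERADE rule in the nat table is still needed for the LAN's private addresses to leave ppp0.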