Iptables

From 0xWIKI

Router Config

Configuring the kernel

Networking options  --->
   [*] TCP/IP networking
      [*] IP: advanced router
   [*] Network packet filtering (replaces ipchains)

   IP: Netfilter Configuration  --->
      [*] Connection tracking (required for masq/NAT)
         [x] FTP protocol support
         [x] IRC protocol support
      [*] IP tables support (required for filtering/masq/NAT)
         [*] IP range match support
         [x] MAC address match support
         [*] Multiple port match support
         [*] Packet filtering
            [*] REJECT target support
            [x] REDIRECT target support
         [*] Full NAT
            [*] MASQUERADE target support
         [s] Packet mangling
            [s] MARK target support
         [x] LOG target support

   QoS and/or fair queueing  --->
      [s] QoS and/or fair queueing
         [s] HTB packet scheduler
         [s] Ingress Qdisc

   [a] PPP (point-to-point protocol) support
      [a] PPP filtering
      [a] PPP support for async serial ports
      [a] PPP support for sync tty ports
      [a] PPP Deflate compression
      [a] PPP BSD-Compress compression
      [a] PPP over Ethernet

Configuring Network Interfaces

First find your network interfaces:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400

You can change their names by editing /etc/udev/rules.d/70-persistent-net.rules; the important part of each entry is NAME="<interface name>":

# PCI device 0x10de:0x0ab0 (forcedeth)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:60:F5:07:07:B8", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
  
# PCI device 0x10b7:0x9200 (3c59x)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:60:F5:07:07:B9", ATTR{type}=="1", KERNEL=="eth*", NAME="wan0"

Common Stuff

For iptables to use the necessary variables, we need to make them globally usable by adding them to /etc/env.d/06iptables:

echo "LAN=eth0" >> /etc/env.d/06iptables
echo "WAN=wan0" >> /etc/env.d/06iptables


# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Set variables for interfaces
export LAN=eth0
export WAN=wan0

# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport 22 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
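As an added example (not from the original page), a small POSIX shell audit that reads `iptables-save` output and checks three properties the rules above establish: the FORWARD policy is DROP, loopback is accepted before any INPUT DROP rule (the reason for the `-I INPUT 1 -i lo` insert, since the `! -i ${LAN}` DROP rules would otherwise match lo as well), and MASQUERADE is limited to the WAN interface. The two dumps embedded in it are constructed by hand; the WAN name `wan0` is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original page: audit an iptables-save dump for three
# properties the rules above establish. Live use:  iptables-save | audit_rules wan0
# SAMPLE_OK is a hand-constructed dump mirroring the "Common Stuff" rules.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
COMMIT'
# Constructed counter-example with three mistakes: FORWARD left at ACCEPT, a DROP that
# also matches lo placed before the loopback ACCEPT, and MASQUERADE on every interface.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT'

# Reads a dump on stdin; $1 is the WAN interface. Prints one FAIL line per finding
# and returns 1 if there was at least one.
audit_rules() {
    awk -v wan="$1" '
        /^\*/ { table = substr($0, 2) }
        /^:FORWARD / && $2 != "DROP" { print "FAIL: FORWARD policy is " $2 ", expected DROP"; n++ }
        table == "filter" && /^-A INPUT -i lo -j ACCEPT$/ { lo = 1 }
        table == "filter" && /^-A INPUT / && /-j DROP$/ && !lo { early_drop = 1 }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ && index($0, "-o " wan " ") == 0 {
            print "FAIL: MASQUERADE not limited to -o " wan ": " $0; n++ }
        END {
            if (!lo) { print "FAIL: no INPUT rule accepting -i lo"; n++ }
            else if (early_drop) { print "FAIL: an INPUT DROP precedes the loopback ACCEPT"; n++ }
            exit (n > 0)
        }'
}
# Number of findings for a dump held in a shell string (used by the checks below).
finding_count() { printf '%s\n' "$1" | audit_rules "$2" | wc -l | tr -d ' '; }
```

Running `finding_count "$SAMPLE_BAD" wan0` reports 3 findings, while the dump mirroring the rules above reports none.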

Transparent Proxying

This assumes that the external IP address is 55.55.55.55 and the proxy server is at 192.168.0.3 on a 24-bit subnet.

#  Transparent proxy forward to port 3128 on localhost
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${LAN} -j REDIRECT --to-ports 3128

If you are redirecting to another host behind the firewall, you need to make an exception allowing the proxy server to bypass the forwarding rule; otherwise the proxy's own outgoing port-80 requests would be sent straight back to it. REDIRECT can only change the port, so sending traffic to a different host requires DNAT.

#  Transparent proxy forward to port 3128 on another internal host
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.3 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 55.55.55.55 --dport 80 -j ACCEPT
# The proxy's own requests (source 192.168.0.3) are excluded so they are not looped back to it
iptables -t nat -A PREROUTING -p tcp ! -s 192.168.0.3 --dport 80 -i ${LAN} -j DNAT --to 192.168.0.3:3128
# The proxy and the clients share a subnet, so the replies must also pass back through the
# firewall: rewrite the source of the redirected connections, or the client sees a reply
# from 192.168.0.3 instead of the site it asked for and resets the connection
iptables -t nat -A POSTROUTING -o ${LAN} -p tcp -d 192.168.0.3 --dport 3128 -j MASQUERADE

VPN

This section covers how to forward VPN traffic (PPTP: TCP port 1723 plus GRE) to a VPN server that's behind the firewall.
This assumes that the external IP address is 55.55.55.55 and the VPN server is at 192.168.0.3 on a 24-bit subnet.

# VPN Forwarding #
## DNAT ##
iptables -t nat -A PREROUTING -i ${LAN} -p tcp ! -s 192.168.0.0/24 --dport 1723 -j DNAT --to 192.168.0.3:1723
iptables -t nat -A PREROUTING -i ${LAN} -p gre ! -s 192.168.0.0/24 -j DNAT --to 192.168.0.3
iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 1723 -j DNAT --to 192.168.0.3:1723
iptables -t nat -A PREROUTING -i ${WAN} -p gre -j DNAT --to 192.168.0.3
iptables -t nat -A PREROUTING -p gre -d 55.55.55.55 -j DNAT --to 192.168.0.3
iptables -t nat -A PREROUTING -p tcp -d 55.55.55.55 --dport 1723 -j DNAT --to 192.168.0.3:1723

## INPUT ##
# gre is IP protocol 47, so the second rule repeats the first. Note that matching only on
# --sport 1723 accepts any TCP packet whose sender chose source port 1723; DNAT'd traffic
# for the VPN server goes through FORWARD, so these INPUT rules only matter for PPTP
# traffic addressed to the firewall itself.
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A INPUT -p tcp --sport 1723 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1723 -j ACCEPT

## FORWARD ##
iptables -A FORWARD -p tcp -i ${LAN} -o ${LAN} -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 1723 -j ACCEPT
iptables -A FORWARD -i ${LAN} -p gre -j ACCEPT
iptables -A FORWARD -i ${LAN} -o ${WAN} -m state --state NEW -p gre -j ACCEPT
iptables -A FORWARD -o ${LAN} -i ${WAN} -m state --state NEW -p gre -j ACCEPT
iptables -A FORWARD -i ${LAN} -o ${WAN} -m state --state NEW -p icmp -j ACCEPT
iptables -A FORWARD -o ${LAN} -i ${WAN} -m state --state NEW -p icmp -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Additional Ports to forward

This example shows a basic TCP port forward of port 80 to a machine at 192.168.0.2.

iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.2

Basic Machine

Kernel config

Networking options  --->
     [*] Network packet filtering framework (Netfilter)  --->
          [*] Advanced netfilter configuration
             Core Netfilter configuration  --->
               <M> Netfilter connection tracking support
               {M} Netfilter Xtables support (required for ip_tables)
               <M> "NFLOG" target support
               <M> "pkttype" packet type match support
               <M> "state" match support
             IP: Netfilter Configuration  --->
               <M> IPv4 connection tracking support (required for NAT)
               [*]   proc/sysctl compatibility with old connection tracking
               <M> IP tables support (required for filtering/masq/NAT)
               <M>  Packet filtering
               <M>   REJECT target support
               <M>  Full NAT
               <M>   MASQUERADE target support
               <M>   NETMAP target support
               <M>  Packet mangling

iptables config

First emerge iptables, then reboot

emerge iptables && reboot

The only changes that should need to be made are for the ports you want to open.

# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Accept all connections from localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# Accept all previously established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Permit ssh traffic to the local machine
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Permit Samba traffic to the local machine
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

# Permit mDNS
iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
iptables -A OUTPUT -m pkttype --pkt-type unicast -j ACCEPT

# Open any other ports
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Drop all other incoming traffic
iptables -A INPUT -j DROP

/etc/init.d/iptables save
/etc/init.d/iptables start