Solved

IPTables/Firewall setup for a linux gateway

Posted on 2011-10-31
Last Modified: 2012-06-27
I need some help with iptables to block incoming and outgoing traffic of various types on different interfaces,
but would like to allow a few types for routing between these ports.

Below is my scenario.
A PC with Ubuntu installed has 3 Ethernet ports:
Eth0 10.xx.xx.xx  connected to a machine 10.xx.xx.xx
Eth1 90.xx.xx.xx  connected to internet
Eth2 192.xx.xx.xx connected to a machine on internal network

Route incoming SSH traffic from a domain name on eth1 towards eth0, where the connected machine (IP) should receive the request, and drop all other incoming communications on eth1, but allow all outgoing communication.
Eth2 should be able to communicate with eth0 only, but eth0 and eth1 must not be able to communicate with eth2.

I have tried my best to depict my scenario, but please ask if I left something out.
Thanks.

Attachment: figure.pdf
Question by: quddusa

10 Comments

Accepted Solution by: noci (earned 300 total points)
ID: 37060092
The following should work out....

iptables -t nat -A PRE-ROUTING -i eth1 -p tcp --dport 22 -j DNAT --to-dest $IP:22

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP




Assisted Solution by: mccracky (earned 200 total points)
ID: 37060260

iptables -t nat -A PRE-ROUTING -i eth1 -p tcp --dport 22 -j DNAT --to-dest $IP:22

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP

That should almost work for what you want.  "PRE-ROUTING" should be "PREROUTING".  You also mentioned that outgoing traffic to the Internet should only be from eth0, so you need to change the 4th forward rule to:
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT

I would also suggest you move your external ssh off of port 22 or you will get a lot of script kiddies banging away at your box to try to get in, so the PREROUTING rule should be something like (using external port 54321 for ssh access to your linux box and using 10.aa.bb.cc for the IP of your linux box):

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 54321 -j DNAT --to 10.aa.bb.cc:22

I'd also be nice and send error messages to the internal network rather than just DROPping the packets, so I'd add (after accepting the eth2 traffic going to eth0):
iptables -A FORWARD -i eth2 -j REJECT

So the whole thing would be:

# nat table: send the non-standard external ssh port to port 22 on the box behind eth0
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 54321 -j DNAT --to 10.aa.bb.cc:22
# replies and related packets of already-accepted connections, in any direction
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new ssh sessions from the Internet (already DNATed to port 22) towards the box on eth0
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# eth2 may initiate anything towards eth0
iptables -A FORWARD -i eth2 -o eth0 -m state --state NEW -j ACCEPT
# eth0 may initiate anything towards the Internet
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
# anything else from eth2 (i.e. towards eth1) gets an error back
iptables -A FORWARD -i eth2 -j REJECT
# everything else (eth0->eth2, eth1->eth2, other eth1 traffic) is silently dropped
iptables -A FORWARD -j DROP

Expert Comment by: noci
ID: 37060289
With respect to the script kiddies, check out fail2ban
http://fail2ban.sourceforge.net/

to block repeated break-in attempts...
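noci points at fail2ban above. As an added example of the same idea (this is not fail2ban's code and not from this thread), the following counts failed sshd logins per source address over a sliding window and emits the simplest iptables ban for any address that reaches the limit. The log lines are constructed in auth.log/syslog format; the 10-minute window, the 5-try limit, the hostname gw and all addresses (RFC 5737 documentation ranges, plus 10.0.0.2 standing in for the machine on eth0) are assumptions.

```python
"""fail2ban-style detector over sshd log lines: count failed logins per
source address inside a sliding window and report the addresses that
reach the retry limit.

Added example, not fail2ban's code and not from the thread. The log lines
are constructed in auth.log/syslog format; the window (findtime), the limit
(maxretry), the hostname and all addresses are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 5      # fail2ban's default for its sshd jail is also 5
FINDTIME = 600    # seconds; fail2ban's default findtime is 10 minutes

# Matches "Failed password for root ..." and
# "Failed password for invalid user admin ..." as sshd logs them.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(stamp, year=2011):
    # syslog timestamps carry no year; one is assumed so window arithmetic works
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                  # successful logins and other noise
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()               # slide the window forward
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def ban_rule(ip):
    """Simplest iptables equivalent of a fail2ban ban action: a DROP for the
    source inserted at the top of INPUT (fail2ban itself uses its own chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


# Constructed sample: 203.0.113.7 fails 6 times in 12 seconds, 198.51.100.4
# fails 3 times, 192.0.2.9 fails 5 times but 15 minutes apart.
SAMPLE_LOG = """\
Oct 31 10:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 50231 ssh2
Oct 31 10:00:03 gw sshd[2101]: Failed password for root from 203.0.113.7 port 50231 ssh2
Oct 31 10:00:05 gw sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50244 ssh2
Oct 31 10:00:08 gw sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50244 ssh2
Oct 31 10:00:10 gw sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 50260 ssh2
Oct 31 10:00:12 gw sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 50260 ssh2
Oct 31 10:01:00 gw sshd[2110]: Accepted publickey for backup from 10.0.0.2 port 41022 ssh2
Oct 31 10:02:00 gw sshd[2113]: Failed password for backup from 198.51.100.4 port 41100 ssh2
Oct 31 10:02:04 gw sshd[2113]: Failed password for backup from 198.51.100.4 port 41100 ssh2
Oct 31 10:02:09 gw sshd[2113]: Failed password for backup from 198.51.100.4 port 41100 ssh2
Oct 31 10:15:00 gw sshd[2120]: Failed password for root from 192.0.2.9 port 33001 ssh2
Oct 31 10:30:00 gw sshd[2131]: Failed password for root from 192.0.2.9 port 33017 ssh2
Oct 31 10:45:00 gw sshd[2142]: Failed password for root from 192.0.2.9 port 33042 ssh2
Oct 31 11:00:00 gw sshd[2153]: Failed password for root from 192.0.2.9 port 33070 ssh2
Oct 31 11:15:00 gw sshd[2164]: Failed password for root from 192.0.2.9 port 33099 ssh2
"""

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when}: {ip} reached {MAXRETRY} failures -> {ban_rule(ip)}")
```

With the defaults only 203.0.113.7 is reported; 192.0.2.9 makes the same number of attempts but slowly enough that no five fall inside one window, which is exactly the slow-scan case a plain per-address counter without a window would get wrong in the other direction.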
Author Comment by: quddusa
ID: 37061442
Hi Mcc,

Thanks for the prompt reply. Just to be on the safe side:
eth0 to eth2 communication should be blocked.
eth2 to eth0 communication should be allowed.
eth2 should be blocked from accessing eth1.

Communication coming in on eth2 should be forwarded to the machine IP on eth0 (something similar to rule one).
Besides this, do we need to set up the routes manually to have it working more efficiently?
Author Comment by: quddusa
ID: 37061444
eth2 should be blocked from accessing eth1, and vice versa.
Expert Comment by: noci
ID: 37061489
quddusa,

Anything that is not allowed is dropped (or rejected on eth2).

eth0 -> eth2 isn't mentioned ==> blocked
eth2 -> eth0 is mentioned so allowed
anything from eth2 is rejected
eth1 -> eth2 isn't mentioned ==> blocked.

You have to keep in mind that ALL rules mentioned are tried on all passing packets until a match is found, so adding rules means adding a slight delay for every test that fails...
Author Comment by: quddusa
ID: 37063250

I am expecting to have eth1 --> eth2 blocked, and vice versa.
Simply put, eth2 should not have any communication with eth1 in any direction.

Do we need another rule for this?
Expert Comment by: mccracky
ID: 37063254
You need to keep in mind that the order of these rules matters.  A packet falls through from the top until a rule matches and "jumps" to the target of that rule.  So, if there is an ACCEPT rule that matches, it will be ACCEPTed.  If not, the packet will fall through to either be REJECTed if coming from eth2 or completely DROPped if coming from elsewhere.

Your blocking happens with the REJECT and DROP rules.  DROPping the packet does just that.  It drops the packet as if it never came in with no reply.  A REJECT sends back an error packet to the originator of the packet, but still blocks the traffic.
Assisted Solution by: mccracky (earned 200 total points)
ID: 37063409
I also assume you have either added "net/ipv4/ip_forward = 1" to sysctl.conf
or have in the startup scripts "echo 1 > /proc/sys/net/ipv4/ip_forward" to allow forwarding through the linux firewall.

You also need to realize that none of these rules actually apply to the firewall itself, but only traffic going through the firewall on to elsewhere (hence the FORWARD rules).  If you want to protect the firewall itself you need to probably have some INPUT and/or OUTPUT rules in there.

If you have console access to the actual firewall you could just add in DROP as the default policies:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

These default policies would be what happens if a packet falls completely through not matching any rule.  Be aware, though, that if you are relying on ssh access rather than console access that you will lock yourself out of the firewall box if you don't add in any rule to allow access from somewhere (e.g. your linux box).

For ssh access from eth0:
# replies of accepted sessions; without this the second packet of the ssh connection hits the INPUT DROP policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
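The three things mccracky explains in this thread (the final PREROUTING/FORWARD rule set, the top-to-bottom first-match walk with REJECT versus DROP at the bottom, and the INPUT/OUTPUT DROP policies with the lockout warning) can be checked against the asker's requirements without touching a live box by modelling how iptables walks a chain. The following is an added example, not code from this thread or from iptables; it transcribes mccracky's rules into a small evaluator and assumes RFC 5737 documentation addresses (203.0.113.1 on eth1, 203.0.113.5 and 198.51.100.9 as Internet hosts), 10.0.0.1 on eth0 with the eth0 machine at 10.0.0.2 as the DNAT target, 192.168.1.1 on eth2 with 192.168.1.2 behind it, and 54321 as the external ssh port. The INPUT chain is tried both exactly as posted and with an ESTABLISHED,RELATED accept ahead of it; that extra rule is an assumption of this example, added to show the difference.

```python
"""Model of the rules in this thread: nat/PREROUTING DNAT, the FORWARD chain
and an INPUT chain with a DROP policy, walked top to bottom, first match wins.

Added example, not code from the thread. Assumed (not from the page): RFC 5737
documentation addresses, 203.0.113.1 on eth1, 10.0.0.1 on eth0, 192.168.1.1 on
eth2, the eth0 machine 10.0.0.2 as the DNAT target, 54321 as the external port.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str           # interface the packet arrived on
    src: str
    dst: str
    dport: int = 0
    proto: str = "tcp"
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, REJECT or DNAT
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    states: Optional[set] = None     # -m state --state
    to_dest: Optional[tuple] = None  # --to-destination ip:port (DNAT only)

    def matches(self, pkt, out_if):
        return ((self.in_if is None or pkt.in_if == self.in_if)
                and (self.out_if is None or out_if == self.out_if)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.states is None or pkt.state in self.states))


IFACE_ADDR = {"eth0": "10.0.0.1", "eth1": "203.0.113.1", "eth2": "192.168.1.1"}
ROUTES = {"10.": "eth0", "192.168.": "eth2"}  # everything else leaves via eth1


def out_iface(dst):
    return next((i for p, i in ROUTES.items() if dst.startswith(p)), "eth1")


def walk(chain, pkt, out_if, policy):
    """First matching rule decides; the chain policy (-P) applies otherwise."""
    for rule in chain:
        if rule.matches(pkt, out_if):
            return rule.target
    return policy


# mccracky's final rule set, transcribed.
NAT_PREROUTING = [Rule("DNAT", in_if="eth1", proto="tcp", dport=54321,
                       to_dest=("10.0.0.2", 22))]
FORWARD = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_if="eth1", out_if="eth0", proto="tcp", dport=22, states={"NEW"}),
    Rule("ACCEPT", in_if="eth2", out_if="eth0", states={"NEW"}),
    Rule("ACCEPT", in_if="eth0", out_if="eth1", states={"NEW"}),
    Rule("REJECT", in_if="eth2"),
    Rule("DROP"),
]
# INPUT exactly as posted (only the NEW ssh packet from eth0) ...
INPUT_POSTED = [Rule("ACCEPT", in_if="eth0", proto="tcp", dport=22, states={"NEW"})]
# ... and with an ESTABLISHED,RELATED accept in front of it (assumed, added here).
INPUT = [Rule("ACCEPT", states={"ESTABLISHED", "RELATED"})] + INPUT_POSTED
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}


def verdict(pkt, input_chain=INPUT):
    """Verdict for one packet entering the firewall."""
    # 1. nat PREROUTING rewrites the destination before the routing decision
    #    (simplified: applied per packet; real conntrack does it once per flow).
    for rule in NAT_PREROUTING:
        if rule.matches(pkt, None):
            pkt = replace(pkt, dst=rule.to_dest[0], dport=rule.to_dest[1])
            break
    # 2. routing decision: addressed to the firewall -> INPUT, else FORWARD.
    if pkt.dst in IFACE_ADDR.values():
        return walk(input_chain, pkt, None, POLICY["INPUT"])
    return walk(FORWARD, pkt, out_iface(pkt.dst), POLICY["FORWARD"])


def ssh_to_firewall_verdicts(input_chain):
    """The SYN (NEW) and the handshake ACK (ESTABLISHED) of an ssh session from
    the eth0 machine to the firewall: shows the lockout mccracky warns about."""
    syn = Packet("eth0", "10.0.0.2", "10.0.0.1", dport=22, state="NEW")
    return [verdict(p, input_chain) for p in (syn, replace(syn, state="ESTABLISHED"))]


if __name__ == "__main__":
    cases = {
        "Internet -> eth1:54321 (DNAT)": Packet("eth1", "203.0.113.5", "203.0.113.1", dport=54321),
        "Internet -> eth1:22 (firewall)": Packet("eth1", "203.0.113.5", "203.0.113.1", dport=22),
        "eth2 host -> eth0 host": Packet("eth2", "192.168.1.2", "10.0.0.2", dport=445),
        "eth2 host -> Internet": Packet("eth2", "192.168.1.2", "198.51.100.9", dport=443),
        "eth0 host -> eth2 host": Packet("eth0", "10.0.0.2", "192.168.1.2", dport=22),
    }
    for label, pkt in cases.items():
        print(f"{label}: {verdict(pkt)}")
    print("ssh to firewall, INPUT as posted:", ssh_to_firewall_verdicts(INPUT_POSTED))
    print("ssh to firewall, with ESTABLISHED rule:", ssh_to_firewall_verdicts(INPUT))
```

Running it shows the asker's matrix falling out of rule order alone: eth2 to eth0 is accepted by the third FORWARD rule, eth2 to the Internet reaches the REJECT, eth0 to eth2 and eth1 to eth2 reach the final DROP, and the external port 54321 is the only thing from eth1 that gets anywhere. The last two lines show why the INPUT chain needs more than the NEW rule once the policy is DROP: the SYN is accepted but the ACK of the same session is not, which is the lockout mccracky describes.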
Author Closing Comment by: quddusa
ID: 37138609
An incomplete solution because of the missing information.