NSLU2-Linux
view · edit · print · history

Use Openslug 2.6 (currently HEAD) or later, with kernel 2.6.12-r11 or later.
ipkg install iptables kernel-module-ip-tables kernel-module-iptable-filter
This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed (currently modules to add connection tracking and NAT are available, but have not been heavily tested. If you want to help test connection tracking functionality and secure you box a bit better, visit IptablesConnTrack).

An basic example packet-filtering firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access. Currently, having the firewall being configured by a purpose-built init script, as below, without using iptables-utils, is the recommended method.

1) Edit the firewall rules to suit your configuration, and make the script executable (chmod 755)
2) Copy it to /etc/firewall
3) Run with /etc/firewall start to test
4) Test SSH by exiting the shell and reconnecting. If this fails, reboot Openslug to clear the rules and reconfigure.
5) If you are sure you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall ; update-rc.d firewall defaults 05
6) If you want to edit the firewall rules at a later date, make sure that you update-rc.d -f firewall remove before changing /etc/firewall. Then test the firewall again as above, and if satisfied, re-run update-rc.d firewall defaults 05 to run the firewall by default on startup.

 
#!/bin/sh
###############################################################################
# 
# Requirements
# Openslug 2.6 or later, kernel 2.6.12-r11 or later. 
# iptables kernel-module-ip-tables kernel-module-iptable-filter
#
###############################################################################
# 
# Local Settings
#

# iptables Location - adjust if needed
IPT="/usr/sbin/iptables"

# Internet Interface
INET_IFACE="eth0"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"


flush_existing() {
# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Flush all rules
$IPT -F

# Erase all non-default chains
$IPT -X
}


create_chains() {
echo "Create custom rule chains ..."

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
}

populate_chains() {
echo "Populate custom rule chains ..."

# bad_packets chain

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.

# Stealth scans
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (echo Request) is accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
# 
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
#$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    #--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Uncomment the LOG command if you want to log PING attempts
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "Ping detected: "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# comment out above and uncomment below to drop pings without logging.
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# see ping reply packets
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers

#
# ADD UDP-based services here
#

# udp_inbound chain
# ports you want to accept udp packets on

# netbios/samba
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# External DHCP Server
# Allow DHCP client request packets inbound from external network
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 68 --destination-port 67 -j ACCEPT

# DNS in
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
# ports you send udp packets to

# netbios/samba
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# DHCP out
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 68 -j ACCEPT

# DNS out
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# No match, so ACCEPT
# make this DROP if you want to block any other outbound udp traffic
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the SLUG

# smb
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j ACCEPT

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# FTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port ftp -j ACCEPT
# Passive
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 33201:33210 -j ACCEPT

# Ctorrent incoming ports. Uncomment if you use ctorrent.
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 2706:2700 -j ACCEPT

# DNS
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# If you have 2 ssh daemons running, add the second here
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 999 -j ACCEPT

# telnet (not normally used in Openslug)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 23 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain controlls what tcp traffic is allowed out

# http
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# DNS
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT
# sshd
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# No match, so ACCEPT
# Note, you could make this DROP to block any other outbound traffic
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
}


process_input_chain() {
echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# ******************************
# Inbound Internet Packet Rules

# packet filter accepts inbound packets that are replies to an outbound connection
# this blocks all new connection attempts except to those allowed below
$IPT -A INPUT -p TCP -i $INET_IFACE ! --syn -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Comment this line if testing new rules that impact
# broadcast protocols.
#$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
}


process_output_chain() {
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# If you want to block outbound connections, uncomment first section below, comment
# out second section, and add rules to tcp_outbound/udp_outbound

# To internet - filtered
#$IPT -A OUTPUT -p TCP -o $INET_IFACE -j tcp_outbound
#$IPT -A OUTPUT -p UDP -o $INET_IFACE -j udp_outbound

# To internet - unfiltered
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
}

case "$1" in
  start)
    echo "Starting iptables firewall"
	flush_existing
	create_chains
	populate_chains
	process_input_chain
	process_output_chain
	;;
  stop)
    echo "Stopping iptables firewall"
	flush_existing
    echo "Firewall rules flushed"
	;;
  reload|force-reload)
    echo "Reloading iptables firewall"
	flush_existing
	create_chains
	populate_chains
	process_input_chain
	process_output_chain
	;;
  restart)
    echo "Restarting iptables firewall"
	flush_existing
	create_chains
	populate_chains
	process_input_chain
	process_output_chain
	;;
  *)
	echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
	exit 1
esac

exit 0

If you are running vsftpd and want to be able to accept passive connections, you will need to add this to /etc/vsftpd.conf. The corresponding ports are already opened in the default firewall script.

 
# for our firewall, only use this range of ports
pasv_min_port=33201
pasv_max_port=33210

Much of this info has been adapted from the EnableFirewall page, including the script (though it has been heavily modfied).

An introduction to some advanced iptables configuration can be found in the Gentoo Security Handbook. Note that the example firewall script needs modification to run in Openslug, at least partially because the Gentoo init script system is not used by Openslug, and that you will need to install many more iptables kernel modules than the above two!

If you want to firewall the LAN without adding another ethernet port, see SingleInterfaceFirewall

Shouldn't the default policies be DROP instead of ACCEPT for a firewall? /Ola

view · edit · print · history · Last edited by Ola.
Based on work by ben, koen, blaster8, and repvik.
Originally by blaster8.
Page last modified on February 06, 2008, at 09:07 PM