NSLU2-Linux
view · edit · print · history

OpenSlug.OpenSlugIptables History

Hide minor edits - Show changes to markup

February 06, 2008, at 09:07 PM by Ola --
Changed lines 360-363 from:

If you want to firewall the LAN without adding another ethernet port, see SingleInterfaceFirewall

to:

If you want to firewall the LAN without adding another ethernet port, see SingleInterfaceFirewall

Shouldn't the default policies be DROP instead of ACCEPT for a firewall? /Ola

January 16, 2007, at 02:53 AM by ben --
Changed line 360 from:

If you want to firewall the LAN without adding another ethernet port, see SingleInterfaceFirewall?

to:

If you want to firewall the LAN without adding another ethernet port, see SingleInterfaceFirewall

January 16, 2007, at 02:52 AM by ben -- added link to SingleInterfaceFirewall
Changed lines 358-360 from:

An introduction to some advanced iptables configuration can be found in the Gentoo Security Handbook. Note that the example firewall script needs modification to run in Openslug, at least partially because the Gentoo init script system is not used by Openslug, and that you will need to install many more iptables kernel modules than the above two!

to:

An introduction to some advanced iptables configuration can be found in the Gentoo Security Handbook. Note that the example firewall script needs modification to run in Openslug, at least partially because the Gentoo init script system is not used by Openslug, and that you will need to install many more iptables kernel modules than the above two!

If you want to firewall the LAN without adding another ethernet port, see SingleInterfaceFirewall?

August 28, 2005, at 10:09 AM by koen -- Change ixp0 to eth0
Changed lines 33-34 from:

INET_IFACE="ixp0"

to:

INET_IFACE="eth0"

August 17, 2005, at 03:54 PM by blaster8 -- Adding a warning about editing the firewall after the init scripts are in place
Changed line 7 from:

1) Edit the firewall rules to suit your configuration\\

to:

1) Edit the firewall rules to suit your configuration, and make the script executable (chmod 755)\\

Changed lines 11-12 from:

5) If you are sure you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall ; update-rc.d firewall defaults 05

to:

5) If you are sure you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall ; update-rc.d firewall defaults 05
6) If you want to edit the firewall rules at a later date, make sure that you update-rc.d -f firewall remove before changing /etc/firewall. Then test the firewall again as above, and if satisfied, re-run update-rc.d firewall defaults 05 to run the firewall by default on startup.

August 17, 2005, at 08:09 AM by blaster8 -- Neatening ConnTrack link
Changed lines 3-4 from:

This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed (currently modules to add connection tracking and NAT are available, but have not been heavily tested. If you want to help test connection tracking functionality and secure you box a bit better, visit [IptablesConnTrack]).

to:

This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed (currently modules to add connection tracking and NAT are available, but have not been heavily tested. If you want to help test connection tracking functionality and secure you box a bit better, visit IptablesConnTrack).

August 17, 2005, at 08:07 AM by blaster8 -- Adding IptablesConnTrack reference
Changed lines 3-6 from:

This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed (currently modules to add connection tracking and NAT are available, but have not been heavily tested).

An example firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access. Currently, having the firewall being configured by a purpose-built init script, as below, without using iptables-utils, is the recommended method.

to:

This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed (currently modules to add connection tracking and NAT are available, but have not been heavily tested. If you want to help test connection tracking functionality and secure you box a bit better, visit [IptablesConnTrack]).

An basic example packet-filtering firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access. Currently, having the firewall being configured by a purpose-built init script, as below, without using iptables-utils, is the recommended method.

August 15, 2005, at 05:40 PM by blaster8 -- changed iptables PATH
Changed lines 29-30 from:

IPT="/sbin/iptables"

to:

IPT="/usr/sbin/iptables"

August 15, 2005, at 05:33 PM by repvik -- Added ctorrent stuff to script
Added lines 223-225:
  1. Ctorrent incoming ports. Uncomment if you use ctorrent.
  2. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 2706:2700 -j ACCEPT
August 15, 2005, at 05:25 PM by blaster8 -- Added link to Gentoo Security Handbook
Changed lines 352-354 from:

Much of this info has been adapted from the EnableFirewall page, including the script (though it has been heavily modfied).

to:

Much of this info has been adapted from the EnableFirewall page, including the script (though it has been heavily modfied).

An introduction to some advanced iptables configuration can be found in the Gentoo Security Handbook. Note that the example firewall script needs modification to run in Openslug, at least partially because the Gentoo init script system is not used by Openslug, and that you will need to install many more iptables kernel modules than the above two!

August 15, 2005, at 05:18 PM by blaster8 -- adding iptables-utils note
Changed lines 5-6 from:

An example firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access.

to:

An example firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access. Currently, having the firewall being configured by a purpose-built init script, as below, without using iptables-utils, is the recommended method.

August 15, 2005, at 05:12 PM by blaster8 -- Changed telnet setting
Changed lines 231-233 from:
  1. telnet

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 23 -j ACCEPT

to:
  1. telnet (not normally used in Openslug)
  2. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 23 -j ACCEPT
August 15, 2005, at 05:02 PM by blaster8 -- updated FIXME
Changed lines 11-12 from:

5) If you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall && FIXME Add /etc/init.d/firewall to every runlevel at about S30

to:

5) If you are sure you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall ; update-rc.d firewall defaults 05

August 15, 2005, at 04:59 PM by blaster8 -- added note about new kernel modules
Changed lines 3-4 from:

This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed.

to:

This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed (currently modules to add connection tracking and NAT are available, but have not been heavily tested).

August 15, 2005, at 04:58 PM by blaster8 -- minor fix
Changed line 352 from:

Much of this info has been adapted from the EnableFirewall? page, including the script (though it has been heavily modfied).

to:

Much of this info has been adapted from the EnableFirewall page, including the script (though it has been heavily modfied).

August 15, 2005, at 04:57 PM by blaster8 -- Added vsftpd info & recognition of EnableFirewall page
Added lines 341-352:

If you are running vsftpd and want to be able to accept passive connections, you will need to add this to /etc/vsftpd.conf. The corresponding ports are already opened in the default firewall script.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
# for our firewall, only use this range of ports
pasv_min_port=33201
pasv_max_port=33210

(:tableend:)

Much of this info has been adapted from the EnableFirewall? page, including the script (though it has been heavily modfied).

August 15, 2005, at 04:45 PM by blaster8 -- formatting etc
Deleted lines 0-1:

UNDER CONSTRUCTION

Changed lines 11-12 from:

5) If you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall && FIXME Add /etc/init.d/firewall to every runlevel at about S30

to:

5) If you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall && FIXME Add /etc/init.d/firewall to every runlevel at about S30

August 15, 2005, at 04:44 PM by blaster8 -- FIXME added
Changed lines 9-14 from:

1) Edit the firewall rules to suit your configuration 2) Copy it to /etc/firewall 3) Run with /etc/firewall start to test 4) Test SSH by exiting the shell and reconnecting. If this fails, reboot Openslug to clear the rules and reconfigure. 5) If you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall

to:

1) Edit the firewall rules to suit your configuration
2) Copy it to /etc/firewall
3) Run with /etc/firewall start to test
4) Test SSH by exiting the shell and reconnecting. If this fails, reboot Openslug to clear the rules and reconfigure.
5) If you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall && FIXME Add /etc/init.d/firewall to every runlevel at about S30

August 15, 2005, at 04:42 PM by blaster8 -- Almost there
Changed lines 7-8 from:

An example firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and to setup a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access.

to:

An example firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and it also can be used as a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access.

1) Edit the firewall rules to suit your configuration 2) Copy it to /etc/firewall 3) Run with /etc/firewall start to test 4) Test SSH by exiting the shell and reconnecting. If this fails, reboot Openslug to clear the rules and reconfigure. 5) If you want to make the rules permanent, run ln -s /etc/firewall /etc/init.d/firewall

August 15, 2005, at 04:36 PM by repvik --
Changed line 16 from:
  1. Openslug 2.6 or later
to:
  1. Openslug 2.6 or later, kernel 2.6.12-r11 or later.
August 15, 2005, at 04:31 PM by repvik --
Changed line 3 from:

Use Openslug 2.6 (currently HEAD) or later\\

to:

Use Openslug 2.6 (currently HEAD) or later, with kernel 2.6.12-r11 or later.\\

August 15, 2005, at 04:29 PM by blaster8 -- Add iptables script
Changed lines 4-5 from:

ipkg install iptables iptables-utils kernel-module-ip-tables kernel-module-iptable-filter
This gives you a simple packet filtering firewall. To add extra functionality, extra kernel modules need to be installed.

to:

ipkg install iptables kernel-module-ip-tables kernel-module-iptable-filter
This allows you to set up a simple packet filtering (not stateless!) firewall. To add extra functionality, extra kernel modules need to be installed.

An example firewall script can be found below. This firewall script is dual purpose - it can be used to test the firewall, and to setup a permanent init script if you are satisfied with it, and are sure that it will not lock you out of SSH access.

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
#!/bin/sh
###############################################################################
# 
# Requirements
# Openslug 2.6 or later
# iptables kernel-module-ip-tables kernel-module-iptable-filter
#
###############################################################################
# 
# Local Settings
#

# iptables Location - adjust if needed
IPT="/sbin/iptables"

# Internet Interface
INET_IFACE="ixp0"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"


flush_existing() {
# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Flush all rules
$IPT -F

# Erase all non-default chains
$IPT -X
}


create_chains() {
echo "Create custom rule chains ..."

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
}

populate_chains() {
echo "Populate custom rule chains ..."

# bad_packets chain

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.

# Stealth scans
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (echo Request) is accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
# 
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
#$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    #--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Uncomment the LOG command if you want to log PING attempts
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "Ping detected: "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# comment out above and uncomment below to drop pings without logging.
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# see ping reply packets
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers

#
# ADD UDP-based services here
#

# udp_inbound chain
# ports you want to accept udp packets on

# netbios/samba
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# External DHCP Server
# Allow DHCP client request packets inbound from external network
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 68 --destination-port 67 -j ACCEPT

# DNS in
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
# ports you send udp packets to

# netbios/samba
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# DHCP out
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 68 -j ACCEPT

# DNS out
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# No match, so ACCEPT
# make this DROP if you want to block any other outbound udp traffic
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the SLUG

# smb
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j ACCEPT

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# FTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port ftp -j ACCEPT
# Passive
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 33201:33210 -j ACCEPT

# DNS
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# If you have 2 ssh daemons running, add the second here
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 999 -j ACCEPT

# telnet
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 23 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain controlls what tcp traffic is allowed out

# http
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# DNS
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT
# sshd
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# No match, so ACCEPT
# Note, you could make this DROP to block any other outbound traffic
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
}


process_input_chain() {
echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# ******************************
# Inbound Internet Packet Rules

# packet filter accepts inbound packets that are replies to an outbound connection
# this blocks all new connection attempts except to those allowed below
$IPT -A INPUT -p TCP -i $INET_IFACE ! --syn -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Comment this line if testing new rules that impact
# broadcast protocols.
#$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
}


process_output_chain() {
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# If you want to block outbound connections, uncomment first section below, comment
# out second section, and add rules to tcp_outbound/udp_outbound

# To internet - filtered
#$IPT -A OUTPUT -p TCP -o $INET_IFACE -j tcp_outbound
#$IPT -A OUTPUT -p UDP -o $INET_IFACE -j udp_outbound

# To internet - unfiltered
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
}

case "$1" in
  start)
    echo "Starting iptables firewall"
	flush_existing
	create_chains
	populate_chains
	process_input_chain
	process_output_chain
	;;
  stop)
    echo "Stopping iptables firewall"
	flush_existing
    echo "Firewall rules flushed"
	;;
  reload|force-reload)
    echo "Reloading iptables firewall"
	flush_existing
	create_chains
	populate_chains
	process_input_chain
	process_output_chain
	;;
  restart)
    echo "Restarting iptables firewall"
	flush_existing
	create_chains
	populate_chains
	process_input_chain
	process_output_chain
	;;
  *)
	echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
	exit 1
esac

exit 0

(:tableend:)

August 15, 2005, at 03:19 PM by blaster8 -- Under construction
Added lines 1-5:

UNDER CONSTRUCTION

Use Openslug 2.6 (currently HEAD) or later
ipkg install iptables iptables-utils kernel-module-ip-tables kernel-module-iptable-filter
This gives you a simple packet filtering firewall. To add extra functionality, extra kernel modules need to be installed.

view · edit · print · history · Last edited by Ola.
Based on work by ben, koen, blaster8, and repvik.
Originally by blaster8.
Page last modified on February 06, 2008, at 09:07 PM