PPPOE xDSL Firewall with IPTABLES
From: dustin (froula1_at_llnl.gov)
Date: 09/17/04
- Next message: Adam Balgach: "Sending a struct over a UDP socket..."
- Previous message: P Gentry: "Re: verizon DSL kit requires windows software"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 17 Sep 2004 12:10:49 -0700
I have recently had to introduce PPPOE into my system (RH8.0) and
don't know how to modify my firewall to account for this. My firewall
is below. Any help is great. PPPOe seems to act as a gateway??
x.x.x.150. I guess I need to open this address?
#!/bin/sh
#
# ------------------------------------------------------------------------
# Copyright (C) 1999, 2001 OpenNA.com
# Last modified by Gerhard Mourani: 04-01-2001
<http://www.openna.com/>
# This firewall configuration is suitable for Primary/Master DNS
Server.
#-------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
# used to provide firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling: "
# ------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
IPADDR="x.x.x.145" # X1.com
IPADDR_2="x.x.x.146" # X2.com
IPADDR_3="x.x.x.147" # X3.com
IPADDR_4="x.x.x.148" # X4.com
EXTERNAL_INTERFACE="eth0" # Internet connected
interface
LOOPBACK_INTERFACE="lo" # Your local naming
convention
LOCAL_INTERFACE="eth1" # Internal LAN network
WLOCAL_INTERFACE="eth2" # Internal WLAN network
INTRANET="192.168.100.1/24" # Private IP Addr Range (dhcp)
WINTRANET="192.168.0.1/24" # Private wireless IP Addr
Range (dhcp)
PRIMARY_NAMESERVER="x.x.x.x" # Your Primary NS
SECONDARY_NAMESERVER="x.x.x.x" # Your Secondary Name Server
SMTP_SERVER="x.x.x.145" # Your Central Mail Hub Server
LOOPBACK="127.0.0.0/8" # Reserved loopback addr
range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
BROADCAST_SRC="0.0.0.0" # Broadcast source addr
BROADCAST_DEST="255.255.255.248" # Broadcast destination
addr
PRIVPORTS="0:1023" # Privileged port range
UNPRIVPORTS="1024:" # Unprivileged port range
# ------------------------------------------------------------------------
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged
port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # Port range for local
clients
SSH_REMOTE_PORTS="513:65535" # Port range for
remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
#-------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
iptables -F
iptables -F -t nat
# Remove any existing user-defined chains.
iptables -X
# Set the default policy of the filter to deny.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# -------------------------------------------------------------------------
# LOOPBACK
# --------
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
#--------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
iptables -A INPUT -i $LOCAL_INTERFACE -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE -d $INTRANET -j ACCEPT
iptables -A INPUT -i $WLOCAL_INTERFACE -s $WINTRANET -j ACCEPT
iptables -A OUTPUT -o $WLOCAL_INTERFACE -d $WINTRANET -j ACCEPT
#--------------------------------------------------------------------------
# STATEFUL PART!
# Kill malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Kill maformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
# Block faked, or "spoofed" packets from getting through the firewall.
iptables -A FORWARD -i $LOCAL_INTERFACE -s ! $INTRANET -j DROP
iptables -A FORWARD -i $WLOCAL_INTERFACE -s ! $WINTRANET -j DROP
# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $LOCAL_INTERFACE -s $INTRANET -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $WLOCAL_INTERFACE -s $WINTRANET -j ACCEPT
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $WINTRANET -j ACCEPT
# All internal traffic is masqueraded externally.
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
#---------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
# rules to block from any access.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
deny_file="/etc/rc.d/rc.firewall.blocked"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" \
| awk ' $1 ' > $temp_file
while read ip_addy
do
case $ip_addy in
*) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
;;
esac
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
# -----------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external address.
iptables -A INPUT -s $IPADDR -j DROP
# Refuse incoming packets claiming to be from a Class A, B or C
private network
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
# iptables -A INPUT -s $CLASS_C -j DROP
# Refuse broadcast address SOURCE packets
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at http://www.iana.org/ for the latest status.
# Note: this list includes the loopback, multicast, & reserved
addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ---------------------------------------------------------------------
# UDP TRACEROUTE
# --------------
# Traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
-d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# ------------------------------------------------------------------------
# DNS: full server (53)
# ---------------------
# server/client to server query or response
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 53 \
--destination-port 53 -j ACCEPT
# DNS client (53)
# ---------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 53 -j ACCEPT
# DNS Zone Transfers (53)
# -----------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $SECONDARY_NAMESERVER --source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 53 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port 53 \
-d $SECONDARY_NAMESERVER --destination-port $UNPRIVPORTS -j
ACCEPT
# ---------------------------------------------------------------
# SSH server (22)
# ---------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $SSH_REMOTE_PORTS \
-d $IPADDR --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 22 \
--destination-port $SSH_REMOTE_PORTS -j ACCEPT
# ----------------------------------------------------------------
# POP server (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 110 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
# POP client (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 110 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
# --------------------------------------------------------------
# SMTP server (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $WLOCAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o $WLOCAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 25 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 25 -j ACCEPT
# --------------------------------------------------------------
# HTTP server (80)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR_2 --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR_2 --source-port 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR_3 --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR_3 --source-port 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR_4 --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR_4 --source-port 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
# HTTPS server (443)
# ------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 443 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 443 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# MySQL server (3306)
# -------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 3306 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 3306 \
--destination-port $UNPRIVPORTS -j ACCEPT
#-------------------------------------------------------------------------
# ICMP
# ----
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded
(11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded
(11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed,
etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type parameter-problem -j ACCEPT
#------------------------------------------------------------------------
# Enable logging for selected denied packets
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
#-------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling: "
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chain to this filter
iptables -X
# Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "done"
exit 0
- Next message: Adam Balgach: "Sending a struct over a UDP socket..."
- Previous message: P Gentry: "Re: verizon DSL kit requires windows software"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
