Hello everyone and thank you for taking time to read my post. I'm setting up a complicated home network and would like to harden a the security; being my first time on iptables I've struggle a little and came up with the down below setup.
Provided that "everything works", it would be nice if anyone of you could comment and/or propose suggestions for improving security.
Please be nice on me, I'm quite a beginner
Current Raspbian config:
eth0 connected to the DSL modem;
VPN tun0 thru eth0 on standard port 1194;
eth1 internal network;
wlan0 internal wifi;
Raspbian box provides ssh, dns, dhcp, hostapd, samba
Local traffic fully allowed with no problem, I'm just concerned about eth0 where I supposedly open only to VPN and SSH and some local traffic from outside the firewall but within local area.
How is the following? Thank you in advance.
#SET DEFAULT
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
#ENABLE LO
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
#ENABLE ROUTING
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#ENABLE LOCAL TRAFFIC
sudo /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth1 -o wlan0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i wlan0 -o eth1 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i wlan0 -o wlan0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT
#PREVENT DOS
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 1194 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
#VPN
sudo iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT
sudo iptables -A OUTPUT -p udp -o eth0 --sport 1194 -j ACCEPT
#SSH on eth0
sudo iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#DNS remote
sudo iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#DNS local on eth0
sudo iptables -A INPUT -p udp -s 192.168.1.0/24 -i eth0 --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp -o eth0 --sport 53 -j ACCEPT
#APT-GET on eth0
sudo iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
#ACCEPT ALL LOCAL TRAFFIC
sudo iptables -A INPUT -i eth1 -j ACCEPT
sudo iptables -A INPUT -i wlan0 -j ACCEPT
sudo iptables -A INPUT -i tun0 -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -j ACCEPT
sudo iptables -A OUTPUT -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -j ACCEPT
#LOGGING
sudo iptables -N LOGGING
#all remaining connections into logging
sudo iptables -A INPUT -j LOGGING
#custom tag
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
#drop the packet
sudo iptables -A LOGGING -j DROP