Hello everyone and thank you for taking time to read my post. I'm setting up a complicated home network and would like to harden a the security; being my first time on iptables I've struggle a little and came up with the down below setup.
Provided that "everything works", it would be nice if anyone of you could comment and/or propose suggestions for improving security.
Please be nice on me, I'm quite a beginner


Current Raspbian config:
eth0 connected to the DSL modem;
VPN tun0 thru eth0 on standard port 1194;
eth1 internal network;
wlan0 internal wifi;

Raspbian box provides ssh, dns, dhcp, hostapd, samba
Local traffic fully allowed with no problem, I'm just concerned about eth0 where I supposedly open only to VPN and SSH and some local traffic from outside the firewall but within local area.


How is the following? Thank you in advance.



#SET DEFAULT
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP


#ENABLE LO
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT


#ENABLE ROUTING
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


#ENABLE LOCAL TRAFFIC
sudo /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth1 -o wlan0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i wlan0 -o eth1 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i wlan0 -o wlan0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT


#PREVENT DOS
sudo iptables -A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 1194 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT


#VPN
sudo iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT
sudo iptables -A OUTPUT -p udp -o eth0 --sport 1194 -j ACCEPT


#SSH on eth0
sudo iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


#DNS remote
sudo iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT


#DNS local on eth0
sudo iptables -A INPUT -p udp -s 192.168.1.0/24 -i eth0 --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp -o eth0 --sport 53 -j ACCEPT


#APT-GET on eth0
sudo iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT


#ACCEPT ALL LOCAL TRAFFIC
sudo iptables -A INPUT -i eth1 -j ACCEPT
sudo iptables -A INPUT -i wlan0 -j ACCEPT
sudo iptables -A INPUT -i tun0 -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -j ACCEPT
sudo iptables -A OUTPUT -o wlan0 -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -j ACCEPT


#LOGGING
sudo iptables -N LOGGING
#all remaining connections into logging
sudo iptables -A INPUT -j LOGGING
#custom tag
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
#drop the packet
sudo iptables -A LOGGING -j DROP

My only suggestion is, open what you want then do some scans from outside to make sure it meets your satisfaction. Close anything left open that is not needed. As for internally, unless you have other people on your network, I wouldn't worry about hardening a device too much, if someone gets past the initial firewall settings, game is probably already over anyways.

Oh, so silly of mine!
Thank you trickykid for having given me such a basic idea. Really, I'm not ironic, just a little too focused on the actual "doing" and little on keeping an open eye on the broad spectrum.

I'll scan from outside! So brilliant, haha
And yes, I agree if someone gets past the firewall, it's over. That's where pencil and paper gets handy for very important stuff.


Thanks, have a good day!

1. I think you have excess rules in the "ENABLE LOCAL TRAFFIC" block...
You can cut it to the following:

2. If you are using the connection tracking system then you can optimize other rules too.
You can enable all ESTABLISHED and RELATED packets in the INPUT and the OUTPUT chains for any type of traffic:

There are no reasons to use filters and add separate rules for every ESTABLISHED or RELATED flow.
Restrictions for packets with the NEW state are enough.
So, your following rules can look as these:

As you see, you need to add just one rule for each network service in general.


3. About preventing DDoS.
The limit module of iptables will be applied to every packet allowed by rule's filter. I think you have to limit new connections only and allow to other packets to flow without limitations:

However, I think these rules not enough to prevent you from a DDoS.
There are many types of DDoS exists.
So you have to add many other rules, or you should update your firewall continuously, from one attack to another, according to kind of the attack.

Uao! Beautifully clear! Thank you!!!

Have a happy new year everyone.