need help with iptables rules

asimov · 07-19-2006, 10:47 AM

I've just created a server for my family use: it serves as a HTTP, SMTP, SSH and FTP server, and it's routing my home LAN.

As Ubuntu Dapper comes with no firewall (policy ACCEPT) as default, I need to configure a firewall asap.

My needs are: the services i've mentioned, and of course, the ability to browse form any of the LAN clients.

1. I've created a script with all my iptables rules, that is lunched from /etc/rc.local. Is the interface been configured before the execution of rc.local? If so, how can I make the firewall available before the connection to the internet is made?

2. My iptables script is as follows; Can you please have a look at it and see if it's OK?

Thanks.

Code:

#!/bin/sh

#Flush The Remains
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

#Set Policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#loopback can do anything
$IPTABLES -A INPUT -i lo -j ACCEPT

#Enable Internet Conncection Sharing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#HTTP OK
iptables -A INPUT -p tcp -dport 80 -j ACCEPT

#SSH OK
iptables -A INPUT -p tcp -dport 22 -j ACCEPT

#SMTP OK
iptables -A INPUT -p tcp -dport 25 -j ACCEPT

#FTP OK
iptables -A INPUT -p tcp -dport 20 -j ACCEPT

seneschal · 07-19-2006, 01:02 PM

You're going to need to add a few rules to explain to IPTables exactly how it should route traffic from your home LAN. I assume that you have one public IP and you're running a DHCP server to assign private IPs to all of your home computers on the LAN. If that's the case, then you should check out some documentation on performing NAT (Network Address Translation) with IPTables (A NAT Tutorial). Once you have that working (or if you already do), you should change the policy on FORWARD to be DROP and add rules allowing only traffic from your LAN to be forwarded out. You don't want to be forwarding arbitrary traffic from the internet. In general, it's best to allow only traffic you know you want through your firewall, not to disallow traffic you don't want.

On a slightly different note, it's very unwise to run FTP, as it sends passwords in cleartext. I recommend disabling the FTP service and using SFTP and/or SCP in it's place. Both of those protocols will encrypt all of your traffic.

win32sux · 07-19-2006, 02:44 PM

your best bet is to forget rc.local and instead use the iptables-save command after executing the script manually... then you know it will be working the way it's meant to... rc.local gets executed way too late in the startup process for it to be used for a firewall script... here's a cleaned-up version of your script... execute this and then do an iptables-save once you've confirmed it works well... make sure you don't have any firewall stuff in your rc.local...

Code:

#!/bin/sh

IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle


$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

###############################################################################
### INPUT Rules (for WAN side):
###############################################################################

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 21 \
-m state --state NEW -j ACCEPT

# Are you 100% sure you want SSH on the WAN side?
$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 22 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 25 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

# Uncomment to allow the WAN side to respond to PINGs:
#$IPT -A INPUT -p ICMP -i $WAN_IFACE --icmp-type 8 ! --fragment \
#-m state --state NEW -j ACCEPT


###############################################################################
### INPUT Rules (for LAN side):
###############################################################################

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 21 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 25 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p ICMP -i $LAN_IFACE --icmp-type 8 ! --fragment \
-m state --state NEW -j ACCEPT


###############################################################################
### FORWARD/POSTROUTING Rules:
###############################################################################

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

as you can see, one of the things i changed is your FORWARD policy, because having it set to ACCEPT is a _very_ bad idea...