[ale] iptables for wireless firewall
Joe
jknapka at earthlink.net
Thu Apr 10 10:26:20 EDT 2003
Hi folks,
Some time ago I started thinking about securing my wireless network,
and further, securing my wired LAN *from* the wireless net. I've
mostly got it all working now. I decided to post my firewall rules
for constructive criticism. Here they are:
#!/bin/sh
# Script to set up firewalling rules to protect us against wireless
# interlopers.
#
# The network configuration is as follows:
#
# The tame interface (eth0) is on net 192.168.81.0/24, the wired LAN.
# The wireless (wild-side) interface (eth1) is on net 192.168.71.0/24,
# the wireless LAN.
# The ipsec interface (ipsec0) is bound to the wild-side interface.
# (ipsec0 is a virtual interface provided by the KLIPS IPsec stack; the
# kernel's native IPsec stack has no such interface, and the equivalent
# match there is "-m policy --dir in --pol ipsec".)
TAME_NET=192.168.81.0/24
WILD_NET=192.168.71.0/24
DNS_SERVER=192.168.81.1
# REJECT answers interlopers with ICMP/TCP-RST errors; use DROP instead
# if you would rather they get silence.
KILL=REJECT
# Start by sealing everything up.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Flush everything.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Local services (resolver, X, etc.) talk to this box over loopback;
# with an INPUT policy of DROP they need an explicit accept.
iptables -A INPUT -i lo -j ACCEPT
###########################
# Output - don't let packets escape on wrong interfaces.
# Negation is written "! -d net"; the older "-d ! net" form is no
# longer accepted by iptables.
###########################
iptables -A OUTPUT -o eth0 -d ${WILD_NET} -j ${KILL}
iptables -A OUTPUT -o eth1 ! -d ${WILD_NET} -j ${KILL}
iptables -A FORWARD -o eth0 -d ${WILD_NET} -j ${KILL}
iptables -A FORWARD -o eth1 ! -d ${WILD_NET} -j ${KILL}
iptables -A OUTPUT -o ipsec0 ! -d ${WILD_NET} -j ${KILL}
iptables -A FORWARD -o ipsec0 ! -d ${WILD_NET} -j ${KILL}
###########################
# Tame interface (eth0).
# On the tame interface, we want to accept and forward anything that
# isn't obviously bad.
# Wildside packets from the tame net are obviously bad.
###########################
iptables -A INPUT -i eth0 ! -s ${WILD_NET} -j ACCEPT
iptables -A FORWARD -i eth0 ! -s ${WILD_NET} -j ACCEPT
###########################
# Wildside interface (eth1).
###########################
# On the wildside interface, we want to:
# Drop packets that don't appear to come from the wildside net.
iptables -A INPUT -i eth1 ! -s ${WILD_NET} -j ${KILL}
# Accept protocols 50 (IPsec ESP) and 51 (IPsec AH).
iptables -A INPUT -i eth1 -p 50 -j ACCEPT
iptables -A INPUT -i eth1 -p 51 -j ACCEPT
# Accept ISAKMP on port 500, but no other port - all you can do on the
# wireless side is establish an SA, or send packets out to the
# Internet. (Do I need both TCP and UDP here?) No: ISAKMP/IKE runs
# over UDP 500 only (plus UDP 4500 when NAT traversal is in use), so
# the TCP rule is left out.
iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
# Forward anything whose dest addr is outside the tame net. This allows
# clients who can't or won't do IPsec to live peacefully and not hose
# anything on the wired LAN. (They're still a security risk, though -
# all their wireless traffic is in the clear.)
iptables -A FORWARD -i eth1 ! -d ${TAME_NET} -j ACCEPT
# Forward DNS requests to the local DNS server. (I don't really like
# that, but...) (Do I need both TCP and UDP here?) Yes: ordinary
# queries use UDP, but answers too large for UDP and zone transfers
# use TCP.
iptables -A FORWARD -i eth1 -p udp -d ${DNS_SERVER} --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -d ${DNS_SERVER} --dport 53 -j ACCEPT
###########################
# Wildside IPsec interface (ipsec0).
# On the wildside ipsec interface, we want to accept and forward
# anything that isn't obviously bad.
# Tame-side packets on the wildside interface are obviously bad.
###########################
iptables -A INPUT -i ipsec0 -s ${WILD_NET} -j ACCEPT
iptables -A FORWARD -i ipsec0 -s ${WILD_NET} -j ACCEPT
# END
Cheers,
-- Joe Knapka
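The ruleset above is easiest to sanity-check by walking packets through it on paper. The following is an added example, not part of Joe's post: it re-encodes his INPUT/FORWARD/OUTPUT rules as data and evaluates them with iptables' first-match-then-policy semantics, so the intended isolation (wireless clients reach the Internet and the DNS server but nothing else on the wired LAN, and reach the wired LAN only through ipsec0) can be checked without root or a kernel. The interface names and networks are the ones from the post; the gateway address 192.168.71.1, the client 192.168.71.20, the wired host 192.168.81.5 and the Internet host 198.51.100.7 are constructed test values.

```python
"""Offline model of the posted wireless-isolation ruleset. Each iptables
line is re-encoded as a Rule and walked with first-match semantics; a
chain with no match falls through to its policy. Networks and interface
names come from the post, the packets in audit() are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

TAME_NET = "192.168.81.0/24"   # eth0, the wired LAN
WILD_NET = "192.168.71.0/24"   # eth1 and ipsec0, the wireless LAN
DNS_SERVER = "192.168.81.1/32"
KILL = "REJECT"
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

@dataclass(frozen=True)
class Packet:
    in_if: str                  # "" for locally generated (OUTPUT) packets
    out_if: str                 # "" for locally delivered (INPUT) packets
    src: str
    dst: str
    proto: str = "tcp"          # tcp, udp, icmp, esp (50) or ah (51)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[Tuple[str, bool]] = None   # (network, negated): "! -s net"
    dst: Optional[Tuple[str, bool]] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

def _addr_ok(spec: Optional[Tuple[str, bool]], addr: str) -> bool:
    """Address match honouring iptables' "!" negation."""
    if spec is None:
        return True
    network, negated = spec
    return (ip_address(addr) in ip_network(network)) != negated

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

# Same order as the posted script.
RULES = [
    Rule("OUTPUT", KILL, out_if="eth0", dst=(WILD_NET, False)),
    Rule("OUTPUT", KILL, out_if="eth1", dst=(WILD_NET, True)),
    Rule("FORWARD", KILL, out_if="eth0", dst=(WILD_NET, False)),
    Rule("FORWARD", KILL, out_if="eth1", dst=(WILD_NET, True)),
    Rule("OUTPUT", KILL, out_if="ipsec0", dst=(WILD_NET, True)),
    Rule("FORWARD", KILL, out_if="ipsec0", dst=(WILD_NET, True)),
    Rule("INPUT", "ACCEPT", in_if="eth0", src=(WILD_NET, True)),
    Rule("FORWARD", "ACCEPT", in_if="eth0", src=(WILD_NET, True)),
    Rule("INPUT", KILL, in_if="eth1", src=(WILD_NET, True)),
    Rule("INPUT", "ACCEPT", in_if="eth1", proto="esp"),
    Rule("INPUT", "ACCEPT", in_if="eth1", proto="ah"),
    Rule("INPUT", "ACCEPT", in_if="eth1", proto="udp", dport=500),
    Rule("FORWARD", "ACCEPT", in_if="eth1", dst=(TAME_NET, True)),
    Rule("FORWARD", "ACCEPT", in_if="eth1", proto="udp", dst=(DNS_SERVER, False), dport=53),
    Rule("FORWARD", "ACCEPT", in_if="eth1", proto="tcp", dst=(DNS_SERVER, False), dport=53),
    Rule("INPUT", "ACCEPT", in_if="ipsec0", src=(WILD_NET, False)),
    Rule("FORWARD", "ACCEPT", in_if="ipsec0", src=(WILD_NET, False)),
]

def verdict(chain: str, pkt: Packet) -> str:
    """Target of the first matching rule in the chain, else the chain policy."""
    for rule in RULES:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return POLICY[chain]

def audit() -> dict:
    """Constructed packets, one per path the post says it wants to allow or stop."""
    wifi, gw, wired = "192.168.71.20", "192.168.71.1", "192.168.81.5"
    dns, inet = "192.168.81.1", "198.51.100.7"
    cases = {
        # clear-text wireless client to a wired host: no rule, FORWARD policy bites
        "wifi_to_wired_ssh": ("FORWARD", Packet("eth1", "eth0", wifi, wired, "tcp", 22)),
        # ...but the local resolver and anything off the wired LAN are allowed
        "wifi_to_dns": ("FORWARD", Packet("eth1", "eth0", wifi, dns, "udp", 53)),
        "wifi_to_internet": ("FORWARD", Packet("eth1", "eth0", wifi, inet, "tcp", 443)),
        # the gateway itself only accepts IKE/ESP/AH from the wild side
        "wifi_ike_to_gw": ("INPUT", Packet("eth1", "", wifi, gw, "udp", 500)),
        "wifi_esp_to_gw": ("INPUT", Packet("eth1", "", wifi, gw, "esp")),
        "wifi_ssh_to_gw": ("INPUT", Packet("eth1", "", wifi, gw, "tcp", 22)),
        # a wired source address arriving on the wireless card is spoofed
        "spoofed_on_eth1": ("INPUT", Packet("eth1", "", wired, gw, "tcp", 22)),
        # the same client inside the tunnel gets the full wired LAN
        "ipsec_to_wired_ssh": ("FORWARD", Packet("ipsec0", "eth0", wifi, wired, "tcp", 22)),
        # the gateway may not leak Internet-bound packets out of the wireless card
        "gw_to_internet_via_eth1": ("OUTPUT", Packet("", "eth1", gw, inet, "tcp", 80)),
    }
    return {name: verdict(chain, pkt) for name, (chain, pkt) in cases.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:26s} {result}")
```

The model deliberately ignores connection tracking, because the posted rules do not use it: return traffic for the wireless clients' Internet sessions is admitted only because everything arriving on eth0 is trusted. If the wired side is ever tightened, the `-m state --state ESTABLISHED,RELATED` accepts will have to be added, and this kind of table is a convenient place to record what each change is supposed to permit.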
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale