[ale] iptables for wireless firewall

Zachary Link zack at the-links.net
Thu Apr 10 14:02:36 EDT 2003


Just my initial reaction...some tweaks inline.  Also, I am not that
familiar with VPNs on linux, so some of the ipsec rules could be wrong.

> # Script to set up firewalling rules to protect us against wireless
> # interlopers.
> #
> # The network configuration is as follows:
> #
> # The tame interface (eth0) is on net 192.168.81.0/24, the wired LAN.
> # The wireless (wild-side) interface (eth1) is on net 192.168.71.0/24,
> # the wireless LAN.
> # The ipsec interface (ipsec0) is bound to the wild-side interface.
>
> KILL=REJECT
>
> # Start by sealing everything up.
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # Flush everything.
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
>
> ###########################
> # Output - don't let packets escape on wrong interfaces.
> ###########################

I would put more emphasis on dropping spoofed packets on the intake, but
if you want these rules, I would make them mean what you really want, i.e.
Also, use DROP unless you have a specific reason to REJECT.

> iptables -A OUTPUT -o eth0 --dest 192.168.71.0/24 -j ${KILL}
iptables -A OUTPUT -o eth0 --dest ! 192.168.81.0/24 -j DROP

> iptables -A OUTPUT -o eth1 --dest ! 192.168.71.0/24 -j ${KILL}
> iptables -A FORWARD -o eth0 --dest 192.168.71.0/24 -j ${KILL}
> iptables -A FORWARD -o eth1 --dest ! 192.168.71.0/24 -j ${KILL}
> iptables -A OUTPUT -o ipsec0 --dest ! 192.168.71.0/24 -j ${KILL}
> iptables -A FORWARD -o ipsec0 --dest ! 192.168.71.0/24 -j ${KILL}

Input spoofing protection would be something along the lines of the
following:  (these should be your first rules)

# anti-spoof eth0
iptables -A INPUT -i eth0 --src ! 192.168.81.0/24 -j DROP
iptables -A FORWARD -i eth0 --src ! 192.168.81.0/24 -j DROP
# anti-spoof eth1
iptables -A INPUT -i eth1 --src ! 192.168.71.0/24 -j DROP
iptables -A FORWARD -i eth1 --src ! 192.168.71.0/24 -j DROP
# anti-spoof ipsec0
iptables -A INPUT -i ipsec0 --src ! 192.168.71.0/24 -j DROP
iptables -A FORWARD -i ipsec0 --src ! 192.168.71.0/24 -j DROP

>
> ###########################
> # Tame interface (eth0).
> # On the tame interface, we want to accept and forward anything that
> # isn't obviously bad.
> # Wildside packets from the tame net are obviously bad.
> ###########################

As mentioned above: don't disallow one net when you want to allow only one net.
> iptables -A INPUT -i eth0 --src ! 192.168.71.0/24 -j ACCEPT
iptables -A INPUT -i eth0 --src 192.168.81.0/24 -j ACCEPT
> iptables -A FORWARD -i eth0 --src ! 192.168.71.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 --src 192.168.81.0/24 -j ACCEPT
>
> ###########################
> # Wildside interface (eth1).
> ###########################
>
> # On the wildside interface, we want to:
>
> # Drop packets that don't appear to come from the wildside net.
> iptables -A INPUT -i eth1 -s ! 192.168.71.0/24 -j ${KILL}
>
> # Accept protocols 50 and 51 (IPsec AH, ESP).
> iptables -A INPUT -i eth1 -p 50 -j ACCEPT
> iptables -A INPUT -i eth1 -p 51 -j ACCEPT
>
> # Accept IP on port 500 (ISAKMP), but no other port - all
> # you can do on the wireless side is establish an SA, or
> # send packets out to the Internet. (Do I need both
> # TCP and UDP here?)
not sure, might be UDP only
> iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 500 -j ACCEPT
>
> # Forward anything whose dest addr is totally outside the local net
> # space. This allows clients who can't or won't do IPsec to live
> # peacefully and not hose anything on the wired LAN. (They're still a
> # security risk, though - all their wireless traffic is in the clear.)
> iptables -A FORWARD -i eth1 -d ! 192.168.81.0/24 -j ACCEPT
>
> # Forward DNS requests to the local DNS server. (I don't
> # really like that, but...) (Do I need both TCP and UDP here?)
DNS queries are only over UDP.  Zone transfers (server <-> server) are
over TCP.
> iptables -A FORWARD -i eth1 -p udp -d 192.168.81.1 --dport 53 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.81.1 --dport 53 -j ACCEPT
>

You also might want to add some of these, although be careful with the
first one (disabling IP spoofing attacks), as it might not play well with
IPSEC (from something I saw in netfilter docs).  This is irrelevant if you
have good antispoofing rules in place anyway.

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

In addition, depending on what services you run on your firewall, and the
general level of security you want, I would consider locking down your
firewall a bit more, add connection tracking (i.e. lan -> wildside, but
established only from wildside -> lan) and you could also add flood limits
to prevent DoS attacks, and logging to be aware of what's happening.

Anyway, this turned out to be a little longer a response than I intended,
so it is a little disjointed.  Also, for me to be more accurate, I need to
spend a bit more time looking at these rules and learning what exactly you
want to do, and how high level of security you want.  So, feel free to
email me directly, and I can help you out.

Zack
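A small first-match model of the INPUT chain, added here as an illustration (not code from the thread), to show the difference Zack points out between the original "accept anything not from the wireless net" rule and his "anti-spoof first, then accept only the wired net" ordering. The packets are constructed samples; the evaluator only models interface, source and destination matches with `!` negation.

```python
from ipaddress import ip_address, ip_network

def match(rule, pkt):
    """True when every match in the rule fits the packet; a '!' prefix negates a net match."""
    if rule.get("in") and rule["in"] != pkt["in"]:
        return False
    for key in ("src", "dst"):
        spec = rule.get(key)
        if spec is None:
            continue
        negate = spec.startswith("!")
        net = ip_network(spec.lstrip("! "))
        hit = ip_address(pkt[key]) in net
        if hit == negate:          # in-net but negated, or out-of-net and not negated
            return False
    return True

def verdict(chain, policy, pkt):
    """First matching rule decides, as in iptables; otherwise the chain policy applies."""
    for rule in chain:
        if match(rule, pkt):
            return rule["target"]
    return policy

# Original poster's eth0 INPUT rule: accept anything that is not from the wireless net.
ORIGINAL = [{"in": "eth0", "src": "! 192.168.71.0/24", "target": "ACCEPT"}]

# Zack's version: drop anything not from the wired net first, then accept the wired net.
REVISED = [
    {"in": "eth0", "src": "! 192.168.81.0/24", "target": "DROP"},
    {"in": "eth0", "src": "192.168.81.0/24", "target": "ACCEPT"},
]

# Constructed sample packets, all arriving on the wired interface.
WIRED = {"in": "eth0", "src": "192.168.81.20", "dst": "192.168.81.1"}
WIRELESS = {"in": "eth0", "src": "192.168.71.5", "dst": "192.168.81.1"}
SPOOFED = {"in": "eth0", "src": "10.9.8.7", "dst": "192.168.81.1"}  # neither local net

if __name__ == "__main__":
    for name, pkt in (("wired", WIRED), ("wireless", WIRELESS), ("spoofed", SPOOFED)):
        print(f"{name:9} original={verdict(ORIGINAL, 'DROP', pkt)} revised={verdict(REVISED, 'DROP', pkt)}")
```

The spoofed packet from 10.9.8.7 slips through the original rule because it merely is not from 192.168.71.0/24, while the revised chain drops it.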