[Courses] [Security] Reading Raven's Mind, Part II -- IPtables on a Home Network

Hamster hamster at hamsternet.org
Thu Jul 4 17:10:28 EST 2002


{Hamster pokes her head around the corner and waves}

Hello!

Sorry that it has taken me more than a month to answer this question!

Regarding our little home DSL setup, I have tried to compose some iptables rules. In doing so I have read as much as I can, but unfortunately I now have more questions than I have found answers for.

I think setting up the firewall on this box requires more than just throwing a few iptables rules at it, so I have broken this up into two sections.

Some entries I don't fully understand. I add them in the hope that I have understood the things that I have been reading, but would really, really welcome some discussion on them.

I've also made the assumption that the ISP has some routing set up so that traffic for .3-.8 will get sent to .2.

Oh - and please go easy on me, this is my first ever attempt at doing this :)


* Preliminary setup 

1. Enable forwarding by adding an entry net.ipv4.ip_forward = 1 to the file /etc/sysctl.conf . (assuming that file is supported in all distros?)

2. Disable source routed packets on all interfaces. Do this by setting net.ipv4.conf.all.accept_source_route = 0 in the file /etc/sysctl.conf.
Am I correct in assuming that .all. will get all the interfaces, or do I need to alter accept_source_route in all the interfaces' own directories?

3. Turn on tcp_syncookies ? I'm looking for guidance here as to whether or not this is needed/recommended.

4. Source address verification using proc.sys.net.ipv4.conf.all.rp_filter??
Something else I am looking for guidance on. Is it necessary, and will there be any problems if I set it to 2 (i.e. full path filtering)? I'm thinking there shouldn't be, but am not sure....

5. I'd also like to get the external (.2) interface to ignore broadcasts (icmp_echo_ignore_broadcasts), seeing how it's sitting in the middle of a /24 broadcast domain, which could well be populated with talky win machines. But I am not sure how to limit this to just the .2 interface. Or should I let it take effect on both interfaces, or should I not bother with this option at all? Is there really going to be much pinging of 1.1.1.255?


* The actual firewall script! (at last :)

# Set default behaviour for all chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# what do we want to allow IN to .2 and .3
# allow icmp (rate limit?)
iptables -A INPUT -p icmp -j ACCEPT

# what do we want to allow OUT .2 and .3
# responses to icmp request, and we want to be able to ping too. (rate limit?)
iptables -A OUTPUT -p icmp -j ACCEPT

# what do we allow THROUGH from ext to int (assume eth0 is the if for .2)
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# -d is the destination-address match (iptables has no -dst option)
iptables -A FORWARD -i eth0 -p tcp -d 1.1.1.4 -m multiport --destination-port 80,25,143 -j ACCEPT

#what do we allow THROUGH from int to ext (assume eth1 is the if for .3)
iptables -A FORWARD -i eth1 -j ACCEPT

# what can we allow in either direction?
iptables -A FORWARD -p icmp -j ACCEPT #rate limit? I assume this is bi-directional!

# reject with rst - I understand you can't set a default policy to reject with rst,
# and I'd rather the rst than a straight drop
# these lines need to be the last lines in the rule set
# --reject-with tcp-reset is only accepted on a rule with -p tcp;
# non-TCP packets fall through to the DROP policy above
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset



##############################################

Other points I'd like to mention:

I haven't done any logging. I'm not sure what to log :)
Also, is it worth turning on the log_martians setting in /proc? Possibly not for just a home network??

I'd like to rate limit any tcp stuff, but am not sure what a good limit is!
Also, with the icmp stuff, is it worth limiting icmp traffic to just the informational stuff, like ping, *-unreachable and timeout, and dropping the route-redirect type traffic?

Do I need to explicitly allow traffic in and out the loopback interface on the firewall?

I'd also query if these people would like to be able to ssh into their boxes remotely (at least to the firewall and the server on .4)

I'm also not sure what to do with ftp - rely on the fact they can all passive ftp effectively, or should I load the ip_conntrack_ftp module? And if I do load it, do I need to do anything else to get the firewall to actually use it?



For anyone still ploughing through this email, I am extremely grateful! I'd love to get the hang of this stuff, but certainly need a lot of help.

Hamster


> 
> 1.1.1.1/24 -- your ISP's gateway machine, which you direct packets to to
> get them to the Internet.
> 
> 1.1.1.2 -- your firewall's external interface
> 1.1.1.3 -- your firewall's internal interface
> 1.1.1.4 -- your personal Web, mail, IMAP, and Icecast server
> 1.1.1.5 -- Linux workstation
> 1.1.1.6 -- OpenBSD laptop
> 1.1.1.7 -- Windows XP workstation
> 1.1.1.8 -- Windows 2000 workstation
> 
> 	Pretty much the only people that use your home network are you
> and your roommates, but the server's services need to be reachable to
> you and your roommates from anywhere on the Net (with the exception of
> IceCast).  The various laptops and workstations want to be able to run
> AIM, Diablo, Gnutella, and ICQ, in addition to being able to browse the
> web, get mail, etc.
> 
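As an added example (not code from the original post or from the list), here is the script above reworked so that it can be reviewed without touching a live kernel: with IPT unset it echoes the rules it would load, and with IPT=/sbin/iptables it applies them. It takes up the open points in the message: the loopback rules, an explicit state rule for the firewall host itself, ICMP limited to the informational types with a rate limit, rate-limited logging of refused packets, SSH to the firewall and to the .4 server, the ip_conntrack_ftp helper, and the sysctl lines from the preliminary setup (using rp_filter = 1, the strict mode). Addresses, interface names and the 80,25,143 service list come from the thread; the rate limits, log prefix and the ADMIN_SSH_FROM variable are constructed choices.

```shell
#!/bin/sh
# Added example, not code from the original post: a dry-run builder for the
# rule set discussed in the thread. With IPT unset it echoes the commands
# instead of loading them; run with IPT=/sbin/iptables on the firewall to
# apply. Rate limits, log prefix and ADMIN_SSH_FROM are constructed choices.

IPT="${IPT:-echo}"
EXT_IF=eth0        # interface carrying 1.1.1.2 (faces the ISP)
INT_IF=eth1        # interface carrying 1.1.1.3 (faces .4-.8)
SERVER=1.1.1.4     # web / mail / IMAP host
# Source allowed to open SSH sessions; 0.0.0.0/0 is a placeholder to narrow.
ADMIN_SSH_FROM="${ADMIN_SSH_FROM:-0.0.0.0/0}"

# Kernel knobs from the "preliminary setup" list. All of these are global:
# the conf.all tree covers every interface, and icmp_echo_ignore_broadcasts
# has no per-interface form, so it cannot be limited to eth0 alone.
sysctl_lines() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

build_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback needs explicit rules once the policies are DROP.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Traffic to and from the firewall host itself: replies in, anything out.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # ICMP: only the informational types, rate limited. Redirects match no
    # rule here and so fall through to the DROP policy.
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        $IPT -A INPUT   -p icmp --icmp-type "$t" -m limit --limit 5/s -j ACCEPT
        $IPT -A FORWARD -p icmp --icmp-type "$t" -m limit --limit 5/s -j ACCEPT
    done

    # Remote SSH to the firewall and to the server on .4.
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_SSH_FROM" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$SERVER" --dport 22 -s "$ADMIN_SSH_FROM" \
        -m state --state NEW -j ACCEPT

    # External -> internal: replies (RELATED covers FTP data connections once
    # the conntrack helper is loaded) plus the published services on .4.
    $IPT -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$SERVER" -m multiport --dports 80,25,143 -j ACCEPT

    # Internal -> external: anything the inside hosts start.
    $IPT -A FORWARD -i "$INT_IF" -j ACCEPT

    # Log what is about to be refused, rate limited so the log cannot be flooded.
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 3/min -j LOG --log-prefix "fw-$chain-drop: "
    done

    # tcp-reset is only valid with -p tcp; everything else hits the DROP policy.
    $IPT -A INPUT   -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
}

# FTP helper: the 2.4-era module named in the thread (nf_conntrack_ftp on
# current kernels). Loading it is all that is needed; the RELATED matches
# above then accept the data connections it tracks.
load_ftp_helper() {
    ${MODPROBE:-echo modprobe} ip_conntrack_ftp
}

# Count emitted rules matching a pattern; handy when reviewing the dry run.
count_rules() {
    build_rules | grep -c -- "$1"
}
```

Run it once with IPT unset and read the echoed rules; then, on the firewall, append the output of sysctl_lines to /etc/sysctl.conf (and run sysctl -p), call load_ftp_helper with MODPROBE=/sbin/modprobe, and call build_rules with IPT=/sbin/iptables. Because the OUTPUT chain accepts NEW connections from the firewall host, no OUTPUT reject rule is needed; the INPUT and FORWARD chains end in a logged, TCP-reset refusal exactly as the original script intended.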



