Hintergrund: ich habe einen Debian-Rechner als Router eingerichtet und dazu ein iptables-script geschrieben. Meine erste Version dazu hatte ich hier gestern abend schon gepostet, aber so im Nachhinein ist mir klar geworden, dass SuperUser keine Diskussionsplattform ist. Ich habe mein Script mittlerweile ein wenig ueberarbeitet (s.u.).
Verstaendnis: Vor dem Hintergrund, dass der Router einerseits selbst eine IP via DHCP von meinem ISP bezieht und andererseits IPs via DHCP im internen Netzwerk verteilt, wie muss ich das konfigurieren?
Zum DNS: Wenn ich das richtig verstanden habe, dann fragen die Lan-Client den Router (DNS-Server) und wenn der es nicht weiss, dann fragt der Router (DNS-Server) weitere externe DNS-Server. Das heisst aber auch, dass der Router ausgehende (OUTPUT) DNS Verbindungen braucht, aber die Lan-Client keine ausgehenden (FORWARD) DNS-Verbindungen brauchen. Ist das korrekt?
Zu cybernards Antwort bei SuperUser: Wenn ich das richtig verstehe, dann laesst seine Loesung in der FORWARD-Chain alle Verbindungen zu. Ich moechte das allerdings gerne beschraenken und meinen Lan-Clients nur bestimmte Verbindungen in die Aussenwelt erlauben.
So kurz wie moeglich formuliert ist mein Ziel:
- Vom Internet soll nichts reinkommen (keine NEW Verbindungen)
- Das interne Netz soll auf die vom Router bereitgestellten Services zugreifen koennen (DNS, DHCP, etc).
- Die Clients im internen Netz sollen auf bestimmte Dienste im Internet zugreifen koennen (HTTP(S), IMAP(S), etc).
- Erreiche ich die oben genannten Ziele mit diesem Script?
- Sind in dem Script noch (Sicherheits-)luecken?
- Kann man das Script noch besser formulieren, waehrend man gleichzeitig die oben genannten Ziele erfuellt?
Code: Alles auswählen
log() {
echo "$(date '+%b %d %H:%M:%S') $(hostname) iptablesInit: $1"
echo "$(date '+%b %d %H:%M:%S') $(hostname) iptablesInit: $1" >> /var/log/iptablesInit.log
}
IPT="/sbin/iptables"
#WAN="enx00e04c130407"
#LAN="enxb827eb345407"
#WLAN="wlan0"
WAN="WAN"
LAN="LAN"
WLAN="WLAN"
# Flush all chaines
log 'Flush everything...'
$IPT -F
$IPT -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
log 'Flush done'
# unlimited
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o ${LAN} -j ACCEPT
$IPT -A OUTPUT -o ${WLAN} -j ACCEPT
# set policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# NAT
$IPT -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#===== BLOCK =====
# Block sync
$IPT -A INPUT -i ${WAN} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${WAN} -p tcp ! --syn -m state --state NEW -j DROP
# Block Fragments
$IPT -A INPUT -i ${WAN} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${WAN} -f -j DROP
# Block bad stuff
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT -A INPUT -i ${WAN} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Block CUPS WAN access
$IPT -A OUTPUT -o ${WAN} -p tcp --dport 631 -j REJECT
$IPT -A OUTPUT -o ${WAN} -p udp --dport 631 -j REJECT
#===== ALLOW =====
# Allow outgoing DNS requests
$IPT -A OUTPUT -o ${WAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A OUTPUT -o ${WAN} -p udp --dport 53 -j ACCEPT
# Allow outgoing HTTP(s) for package updates
$IPT -A OUTPUT -o ${WAN} -p tcp -m multiport --dport 80,443 -j ACCEPT
$IPT -A OUTPUT -o ${WAN} -p udp -m multiport --dport 80,443 -j ACCEPT
# Accept established connections
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow ssh
$IPT -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
# allow ICMP ping pong stuff
$IPT -A INPUT -i ${LAN} -p icmp -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p icmp -j ACCEPT
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${LAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A INPUT -i ${LAN} -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp --dport 53 -j ACCEPT
# Proxy
$IPT -A INPUT -i ${LAN} -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp --dport 3128 -j ACCEPT
#DHCP
$IPT -A INPUT -i ${LAN} -p udp -m multiport --dport 67,68 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp -m multiport --dport 67,68 -j ACCEPT
# Open port 631 for CUPS/Printing
$IPT -A INPUT -i ${LAN} -p tcp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${LAN} -p udp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp --dport 631 -j ACCEPT
# Samba
$IPT -A INPUT -i ${LAN} -p tcp -m multiport --dport 139,445 -j ACCEPT
$IPT -A INPUT -i ${LAN} -p udp -m multiport --dport 137,138 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp -m multiport --dport 139,445 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp -m multiport --dport 137,138 -j ACCEPT
#===== FORWARD =====
#iptles -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#ipbles -A FORWARD -i wlan0 -o eth0 -j ACCEPT
#LAN <-> WLAN forwarding
# HTTP(s)
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p tcp -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p udp -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p tcp -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p udp -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# IMAP(s)
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p tcp -m multiport --dport 143,993 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p udp -m multiport --dport 143,993 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p tcp -m multiport --dport 143,993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p udp -m multiport --dport 143,993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p tcp -m multiport --dport 143,993 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p udp -m multiport --dport 143,993 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p tcp -m multiport --dport 143,993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p udp -m multiport --dport 143,993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# SMTP
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p tcp --dport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p udp --dport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p udp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p tcp --dport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p udp --dport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p udp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# NTP
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p udp --dport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p udp --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p udp --dport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p udp --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# WhatsApp
$IPT -A FORWARD -i ${WAN} -o ${LAN} -p tcp --dport 5222 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${LAN} -o ${WAN} -p tcp --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WAN} -o ${WLAN} -p tcp --dport 5222 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -o ${WAN} -p tcp --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Reject (W)LAN Traffic rather than drop
$IPT -A INPUT -i ${LAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A INPUT -i ${WLAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A FORWARD -i ${LAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A FORWARD -i ${WLAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
exit 0