Linux Netfilter discussions
* simple newbie question
@ 2003-08-09 21:38 Mario Meríngolo
  2003-08-09 22:00 ` Whit Blauvelt
  2003-08-10 11:53 ` rverduij
  0 siblings, 2 replies; 4+ messages in thread
From: Mario Meríngolo @ 2003-08-09 21:38 UTC (permalink / raw)
  To: netfilter


I'm starting with this iptables stuff and trying to manage a home network
through Linux and ADSL + PPPoE.

I have two simple questions.

I have my ADSL router connected to my eth1.

When I'm setting my iptables rules, should I think that eth0 routes packets
through eth1 to ppp0?

Because, if that is so, my drop rules should be defined on eth1, and my input
ones on eth0.

Or should I think that eth1 does not matter and my reliable interface is eth0 and my
unreliable one ppp0?

Please forgive my crude English.

Thanks

* Re: simple newbie question
  2003-08-09 21:38 simple newbie question Mario Meríngolo
@ 2003-08-09 22:00 ` Whit Blauvelt
  2003-08-10 11:53 ` rverduij
  1 sibling, 0 replies; 4+ messages in thread
From: Whit Blauvelt @ 2003-08-09 22:00 UTC (permalink / raw)
  To: Mario Meríngolo; +Cc: netfilter

Since eth1 is the closest to the wider Net, that's where to build your
firewall unless you're also concerned with other people on your home
network having certain sorts of access to your Linux box, in which case you
might want to have rules for eth0 too. Most of us only worry about the
external interface - eth1 in your setup.

I don't use ppp, but for most purposes rules about ppp0 and eth1 should have
the same effect for you, I think.

Whit

On Sat, Aug 09, 2003 at 06:38:32PM -0300, Mario Meríngolo wrote:
> I'm starting with this iptables stuff and trying to manage a home network
> through Linux and ADSL + PPPoE.
> 
> I have two simple questions.
> 
> I have my ADSL router connected to my eth1.
> 
> When I'm setting my iptables rules, should I think that eth0 routes packets
> through eth1 to ppp0?
> 
> Because, if that is so, my drop rules should be defined on eth1, and my input
> ones on eth0.
> 
> Or should I think that eth1 does not matter and my reliable interface is eth0 and my
> unreliable one ppp0?
> 
> Please forgive my crude English.
> 
> Thanks

* Re: simple newbie question
  2003-08-09 21:38 simple newbie question Mario Meríngolo
  2003-08-09 22:00 ` Whit Blauvelt
@ 2003-08-10 11:53 ` rverduij
  2003-08-11 21:19   ` Rob Verduijn
  1 sibling, 1 reply; 4+ messages in thread
From: rverduij @ 2003-08-10 11:53 UTC (permalink / raw)
  To: Mario Meríngolo; +Cc: netfilter

Hi there,

I used to have ADSL; I got cable now.

You need to set up a firewall configuration on your ppp0 interface
(assuming ppp0 is the interface you tunnel through).

Because if you block on your eth1 and/or eth0, all the traffic still gets
through to your machine, unless you have issued global rules which block all
interfaces.

On your eth1 card you could set up filtering rules if you don't trust the
network the eth1 card is connected to.

If you do, remember to allow the traffic that builds the VPN (your PPPoE
tunneling).
And if you use a dynamic IP on your eth1 device, allow DHCP traffic as well.

I'm currently not at my own PC, but I'll post an example tomorrow for you.

Regards
Rob


Quoting Mario Meríngolo <mmeringolo@arnet.com.ar>:

> I'm starting with this iptables stuff and trying to manage a home network
> through Linux and ADSL + PPPoE.
> 
> I have two simple questions.
> 
> I have my ADSL router connected to my eth1.
> 
> When I'm setting my iptables rules, should I think that eth0 routes packets
> through eth1 to ppp0?
> 
> Because, if that is so, my drop rules should be defined on eth1, and my input
> ones on eth0.
> 
> Or should I think that eth1 does not matter and my reliable interface is eth0 and my
> unreliable one ppp0?
> 
> Please forgive my crude English.
> 
> Thanks
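The point made in the reply above (the IP traffic to the Internet shows up on ppp0, so that is where the rules belong, while eth1 only needs attention for DHCP) can be turned into a small, checkable ruleset. The script below is an added example, not Rob's script or anything from the netfilter project. Interface names, the LAN prefix 192.168.1.0/24 and the DHCP server address are constructed assumptions. It goes one step beyond the thread by adding the MASQUERADE rule a gateway with private LAN addresses needs; by default it only prints the iptables commands (dry run), so the rule list can be inspected before it is applied as root with IPT=/sbin/iptables.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ruleset for a Linux gateway
# whose Internet link is a PPPoE session on ppp0 carried over eth1.
# Interface names, the LAN prefix and the DHCP server address below are
# constructed assumptions; adjust them to the real setup.
LAN_IF="${LAN_IF:-eth0}"                    # interface towards the home network
NIC_IF="${NIC_IF:-eth1}"                    # NIC the ADSL modem is plugged into
PPP_IF="${PPP_IF:-ppp0}"                    # the PPPoE session: the real external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # constructed private range for the LAN
DHCP_SERVER="${DHCP_SERVER:-192.168.0.1}"   # constructed; only matters if eth1 gets an address
IPT="${IPT:-echo iptables}"                 # dry run by default; IPT=/sbin/iptables applies for real

build_rules() {
    # Empty filter and nat tables, default-deny for what reaches or crosses the box.
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Anti-spoofing: nothing arriving over the Internet link may claim a LAN
    # source address. Logged first so the attempt is visible, then dropped.
    $IPT -A INPUT -i "$PPP_IF" -s "$LAN_NET" -j LOG --log-prefix "spoofed src: "
    $IPT -A INPUT -i "$PPP_IF" -s "$LAN_NET" -j DROP

    # Loopback, plus replies to connections this box or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot tie to any connection: log, then drop.
    $IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
    $IPT -A INPUT -m state --state INVALID -j DROP

    # PPPoE discovery/session frames (EtherType 0x8863/0x8864) are not IPv4,
    # so iptables never sees them on eth1 and no rule is needed for the
    # tunnel to come up. Only if eth1 itself gets an IPv4 address via DHCP
    # does DHCP have to be allowed there.
    $IPT -A INPUT -i "$NIC_IF" -p udp -s "$DHCP_SERVER" --sport 67 --dport 68 -j ACCEPT

    # LAN hosts may reach the gateway (SSH only) and the Internet via ppp0.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
         -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$PPP_IF" -s "$LAN_NET" \
         -m state --state NEW -j ACCEPT

    # Private LAN addresses must be rewritten to the ppp0 address on the way
    # out; MASQUERADE uses whatever address ppp0 currently has, so a dynamic
    # PPP address needs no variable substitution.
    $IPT -t nat -A POSTROUTING -o "$PPP_IF" -s "$LAN_NET" -j MASQUERADE
}

# How many rules name the PPPoE interface. Everything that filters Internet
# traffic should reference ppp0; a rule set that only mentions eth1 would
# never see a single Internet packet.
count_ppp_rules() {
    build_rules | grep -c -- "$PPP_IF"
}

build_rules
```

Run it as is to see the 16 commands it would issue; the policy for OUTPUT is left at ACCEPT here, unlike Rob's script, because the purpose of the example is to show which interface the input and forwarding rules must name.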

* Re: simple newbie question
  2003-08-10 11:53 ` rverduij
@ 2003-08-11 21:19   ` Rob Verduijn
  0 siblings, 0 replies; 4+ messages in thread
From: Rob Verduijn @ 2003-08-11 21:19 UTC (permalink / raw)
  To: netfilter

Hi there,

The script I mentioned before.
It's pretty simple and certainly could do with improvement.
But it keeps the very basic nasty stuff outside and lets you do your
stuff.

i.e. let everything from the local network through to the Internet, and
keep the bad Internet out.

Also don't allow anything but the tunnel traffic and, if needed, the DHCP
traffic on the external interface through.

#!/bin/sh
# basic pppoe gateway firewall: fill in every "?" and "1.2.3.4" first

EXTERNAL_INT="eth?"	# your external interface, the one connected to
			# your adsl modem
INTERNAL_INT="eth?"	# your internal network interface

VPN_INT="ppp?"		# this is your pppoe interface (probably ppp0)

INTERNAL_NETWORK="1.2.3.0/24"	# your internal network (address/prefix)
INTERNAL_IPADDR="1.2.3.4"	# your internal network interface ip address,
				# assuming it is static, or else cut and paste a
				# bit from below
EXTERNAL_IPADDR="1.2.3.4"	# your external interface ip address;
				# comment this line and uncomment the 2 lines
				# below if it is dynamic
# the 2 lines below should both be uncommented if you got a dynamic ip
# (no space after the "=", otherwise the shell runs the address as a command)
#EXTERNAL_IPADDR=`ifconfig eth1 | \
#sed -ne 's/.*addr:\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p'`

VPN_IPADDR="1.2.3.4"	# if you got a static ip on the vpn interface
# also uncomment the 2 lines below if your ppp address is dynamic
#VPN_IPADDR=`ifconfig ppp0 | \
#sed -ne 's/.*addr:\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p'`

VPN_SERVER="1.2.3.4"	# the address your tunnel connects to
DHCP_SERVER="1.2.3.4"	# if you have dhcp on your external interface

IPTABLES="/path/to/iptables"	# use `which iptables` as root to find
				# out what this should be

PPP_PORT="????"		# fill in the port adsl uses (beats me
			# what that is)
			# this script assumes it connects from the
			# same port to the same port
			# if not adjust the proper source and
			# destination ports

BROADCAST_SRC="0.0.0.0"			# broadcast source address
BROADCAST_DEST="255.255.255.255"	# broadcast destination address

PRIVPORTS="0:1023"			# well-known, privileged port range
UNPRIVPORTS="1024:65535"		# unprivileged port range


# flush all existing chains in every table and erase all user chains
TABLES=`cat /proc/net/ip_tables_names 2>/dev/null`
for I in $TABLES; do $IPTABLES -t $I -F; done
for I in $TABLES; do $IPTABLES -t $I -X; done

# default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

# accept local traffic
$IPTABLES -A INPUT -i lo -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# connection tracking and some logging for the INPUT, OUTPUT and
# FORWARD chains
# this allows tracking of existing connections
# this does not allow new traffic
$IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# log first, then drop (a DROP placed before the LOG would mean the LOG
# rule is never reached)
$IPTABLES -A INPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID input: "
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID output: "
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i $INTERNAL_INT -m state --state INVALID -j LOG \
        --log-prefix "INVALID forward: "
$IPTABLES -A FORWARD -i $INTERNAL_INT -m state --state INVALID -j DROP

# DHCP: this bit is for dhcp traffic (if you need it)
# if you don't need it comment it out
$IPTABLES -A OUTPUT -o $EXTERNAL_INT -p udp \
        -s $BROADCAST_SRC --sport 68 \
        -d $DHCP_SERVER --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INT -p udp \
        -s $DHCP_SERVER --sport 67 \
        -d $BROADCAST_DEST --dport 68 -j ACCEPT

# allow ppp traffic on external interface
# (note: pppoe itself travels in ethernet frames, not ip packets, so
# iptables never sees it on the external interface; these rules only
# matter if your tunnel really is carried in udp)
$IPTABLES -A OUTPUT -o $EXTERNAL_INT -p udp \
        -s $EXTERNAL_IPADDR --sport $PPP_PORT \
        -d $VPN_SERVER --dport $PPP_PORT \
        -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INT -p udp \
        -s $VPN_SERVER --sport $PPP_PORT \
        -d $EXTERNAL_IPADDR --dport $PPP_PORT \
        -m state --state NEW -j ACCEPT

# at this point the gateway accepts only dhcp traffic on
# its external interface and ppp traffic
# the next rule allows all the traffic on the internal
# interface to be forwarded to another interface
# ie no traffic can come in via your external interface
# or ppp interface (unless it's a reply to your traffic from
# the internal interface)

$IPTABLES -A FORWARD -i $INTERNAL_INT -s $INTERNAL_NETWORK \
        -m state --state NEW -j ACCEPT

# no connections to your gateway are allowed in this script
# you need to open up a port for that or log in on the console

# example for ssh connections via the internal interface
# to the gateway machine
$IPTABLES -A INPUT -i $INTERNAL_INT -p tcp \
        -s $INTERNAL_NETWORK --sport $UNPRIVPORTS \
        -d $INTERNAL_IPADDR --dport 22 \
        -m state --state NEW -j ACCEPT

# end script

Note: if you have DHCP on your external interface or a PPP
connection, this script will only work after the PPP
connection and external interface are up.

Regards
Rob


On Sun, 2003-08-10 at 13:53, rverduij@dds.nl wrote:

> Hi there,
> 
> I used to have ADSL; I got cable now.
> 
> You need to set up a firewall configuration on your ppp0 interface
> (assuming ppp0 is the interface you tunnel through).
> 
> Because if you block on your eth1 and/or eth0, all the traffic still gets
> through to your machine, unless you have issued global rules which block all
> interfaces.
> 
> On your eth1 card you could set up filtering rules if you don't trust the
> network the eth1 card is connected to.
> 
> If you do, remember to allow the traffic that builds the VPN (your PPPoE
> tunneling).
> And if you use a dynamic IP on your eth1 device, allow DHCP traffic as well.
> 
> I'm currently not at my own PC, but I'll post an example tomorrow for you.
> 
> Regards
> Rob
> 
> 
> Quoting Mario Meríngolo <mmeringolo@arnet.com.ar>:
> 
> > I'm starting with this iptables stuff and trying to manage a home network
> > through Linux and ADSL + PPPoE.
> > 
> > I have two simple questions.
> > 
> > I have my ADSL router connected to my eth1.
> > 
> > When I'm setting my iptables rules, should I think that eth0 routes packets
> > through eth1 to ppp0?
> > 
> > Because, if that is so, my drop rules should be defined on eth1, and my input
> > ones on eth0.
> > 
> > Or should I think that eth1 does not matter and my reliable interface is eth0 and my
> > unreliable one ppp0?
> > 
> > Please forgive my crude English.
> > 
> > Thanks
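The script above reads a dynamic address off `ifconfig` with a sed expression and, as its closing note says, only works once the interfaces are up. The function below is an added example, not part of Rob's script: it extracts an interface's IPv4 address from both the old net-tools "inet addr:" layout the thread's sed expects and the newer "inet " layout, and it fails closed when no address is found. The `extract_ipv4` and `iface_ipv4` names are mine, and the three sample outputs are constructed to mimic the two formats and an interface that is up but has no address yet; real output carries more fields.

```shell
#!/bin/sh
# Added example (not from the thread): determine an interface's IPv4 address
# before building firewall rules, and refuse to continue if it is unknown.

# Print the first IPv4 address found in ifconfig/ip-style text on stdin.
# Accepts "inet addr:A.B.C.D" (old net-tools) and "inet A.B.C.D" (newer
# net-tools and iproute2); prints nothing when there is no address.
extract_ipv4() {
    sed -n -e 's/^.*inet \(addr:\)\{0,1\}\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*$/\2/p' | head -n 1
}

# Print the address of interface $1 and return 0, or print nothing and
# return 1. Tries `ip` first (present on current systems), then ifconfig.
iface_ipv4() {
    addr=$( { ip -4 addr show dev "$1" 2>/dev/null || ifconfig "$1" 2>/dev/null; } | extract_ipv4)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Constructed samples (not captured from a real box).
OLD_STYLE='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0'
NEW_STYLE='ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 203.0.113.7  netmask 255.255.255.255  destination 203.0.113.1'
NO_ADDR='ppp0: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1492'

# Intended use in a rule script, failing closed instead of loading rules
# with an empty address:
#   EXTERNAL_IPADDR=$(iface_ipv4 ppp0) || { echo "ppp0 has no address" >&2; exit 1; }
# Without that check, an empty variable written unquoted as "-s $EXTERNAL_IPADDR"
# simply vanishes from the command line and the rule matches any source.
printf '%s\n' "$OLD_STYLE" | extract_ipv4
printf '%s\n' "$NEW_STYLE" | extract_ipv4
printf '%s\n' "$NO_ADDR"   | extract_ipv4
```

The check matters because the thread's script substitutes the extracted address straight into `-s`/`-d` arguments: an empty value does not produce an error from iptables, it silently widens the rule.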
