Linux Netfilter discussions
* Various questions
@ 2003-07-28 14:14 António Godinho
  0 siblings, 0 replies; 5+ messages in thread
From: António Godinho @ 2003-07-28 14:14 UTC (permalink / raw)
  To: netfilter

Hya,

	I'm kinda new at iptables so I've been using scripts that I've
downloaded from the internet and lately using shorewall.
	Trying to learn more and improve what I have, I've several
questions about iptables.
	I'm running a Pentium 166 with 32M RAM as my home gateway. Eth1
is my DHCP connection to the cable modem/internet and eth0 my
connection to the internal switch 10.10.10.0/24 with 4 computers inside.
	I've made a script to catch all rules that shorewall sends to
iptables and I'll start from that on. I'll post the rules at the end of
the email.

	I think that each redundant rule I add will decrease the
performance of my gateway, since I've an old computer and not enough
money to upgrade it...

	1. As you can see in the list of rules below, I've lots of
rules logging and then dropping invalid (internal) IPs coming from
the internet:

iptables -A rfc1918 -s 172.16.0.0/12 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j logdrop
	
	Is it possible to DROP all those IPs in one rule? (I don't
need to log them since they are invalid anyway.)


	2. I've this in one of the rules:

iptables -A rfc1918 -m conntrack --ctorigdst 255.255.255.255 -j RETURN

	RETURN isn't a user-defined chain, and I don't see any info
about this in the how-tos; can someone explain to me what that does?


	3. Is this defining priority ports? Like shaping the traffic?

iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --sport ssh -j TOS --set-tos 16
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --sport ssh -j TOS --set-tos 16

	3. Since all my traffic from intranet to gateway (the loc2fw chain)
is from trusted IPs (it's from me or any member of my family),
that's one of the things I can remove; does anyone have any other advice or
improvement to the list of rules I've below?



	Sorry for this really long email, thanks,

		António Godinho


###		Rules
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p ! icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p ! icmp -m state --state INVALID -j DROP
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p ! icmp -m state --state INVALID -j DROP
iptables -N newnotsyn
iptables -A newnotsyn -j LOG --log-level info --log-prefix FIREWALL:newnotsyn:DROP:
iptables -A newnotsyn -j DROP
iptables -N icmpdef
iptables -N common
iptables -N reject
iptables -N dynamic
iptables -N eth1_fwd
iptables -A eth1_fwd -j dynamic
iptables -N eth1_in
iptables -A eth1_in -j dynamic
iptables -N eth0_fwd
iptables -A eth0_fwd -j dynamic
iptables -N eth0_in
iptables -A eth0_in -j dynamic
iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject -p udp -j REJECT
iptables -A common -p icmp -j icmpdef
iptables -A common -p udp --dport 135 -j reject
iptables -A common -p udp --dport 137:139 -j reject
iptables -A common -p udp --dport 445 -j reject
iptables -A common -p tcp --dport 139 -j reject
iptables -A common -p tcp --dport 445 -j reject
iptables -A common -p tcp --dport 135 -j reject
iptables -A common -p udp --dport 1900 -j DROP
iptables -A common -d 255.255.255.255 -j DROP
iptables -A common -d 224.0.0.0/4 -j DROP
iptables -A common -p tcp --dport 113 -j reject
iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
iptables -A common -d 213.22.99.255 -j DROP
iptables -A common -d 10.10.10.255 -j DROP
iptables -A eth1_in -p udp --dport 67:68 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 67:68 -j ACCEPT
iptables -N rfc1918
iptables -N logdrop
iptables -A logdrop -j LOG --log-level info --log-prefix FIREWALL:logdrop:DROP:
iptables -A logdrop -j DROP
iptables -A rfc1918 -s 255.255.255.255 -j RETURN
iptables -A rfc1918 -m conntrack --ctorigdst 255.255.255.255 -j RETURN
iptables -A rfc1918 -s 169.254.0.0/16 -j DROP
iptables -A rfc1918 -m conntrack --ctorigdst 169.254.0.0/16 -j DROP
iptables -A rfc1918 -s 172.16.0.0/12 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j logdrop
iptables -A rfc1918 -s 192.0.2.0/24 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 192.0.2.0/24 -j logdrop
iptables -A rfc1918 -s 192.168.0.0/16 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j logdrop
iptables -A rfc1918 -s 0.0.0.0/7 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 0.0.0.0/7 -j logdrop
iptables -A rfc1918 -s 2.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 2.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 5.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 5.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 7.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 7.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 10.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 23.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 23.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 27.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 27.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 31.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 31.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 36.0.0.0/7 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 36.0.0.0/7 -j logdrop
iptables -A rfc1918 -s 39.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 39.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 41.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 41.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 42.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 42.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 49.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 49.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 50.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 50.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 58.0.0.0/7 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 58.0.0.0/7 -j logdrop
iptables -A rfc1918 -s 60.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 60.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 70.0.0.0/7 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 70.0.0.0/7 -j logdrop
iptables -A rfc1918 -s 72.0.0.0/5 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 72.0.0.0/5 -j logdrop
iptables -A rfc1918 -s 83.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 83.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 84.0.0.0/6 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 84.0.0.0/6 -j logdrop
iptables -A rfc1918 -s 88.0.0.0/5 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 88.0.0.0/5 -j logdrop
iptables -A rfc1918 -s 96.0.0.0/3 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 96.0.0.0/3 -j logdrop
iptables -A rfc1918 -s 127.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 127.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 197.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 197.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 198.18.0.0/15 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 198.18.0.0/15 -j logdrop
iptables -A rfc1918 -s 201.0.0.0/8 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 201.0.0.0/8 -j logdrop
iptables -A rfc1918 -s 240.0.0.0/4 -j logdrop
iptables -A rfc1918 -m conntrack --ctorigdst 240.0.0.0/4 -j logdrop
iptables -A eth1_fwd -m state --state NEW -j rfc1918
iptables -A eth1_in -m state --state NEW -j rfc1918
iptables -N fw2net
iptables -A fw2net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A fw2net -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A fw2net -p tcp -m state --state NEW --dport 53 -j ACCEPT
iptables -A fw2net -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -N loc2net
iptables -A loc2net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A loc2net -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A loc2net -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -N loc2fw
iptables -A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A loc2fw -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A loc2fw -p tcp -m state --state NEW --dport 53 -j ACCEPT
iptables -A loc2fw -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A loc2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -N net2fw
iptables -A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A net2fw -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A net2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A loc2fw -p icmp --icmp-type 8 -j ACCEPT
iptables -A net2fw -p icmp --icmp-type 8 -j ACCEPT
iptables -N fw2loc
iptables -A fw2loc -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A fw2loc -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A fw2loc -p icmp --icmp-type 8 -j ACCEPT
iptables -A fw2net -p icmp --icmp-type 8 -j ACCEPT
iptables -A loc2fw -p tcp -m state --state NEW --dport 80 -j ACCEPT
iptables -A net2fw -p tcp -m state --state NEW --dport 80 -j ACCEPT
iptables -A loc2fw -p tcp -m state --state NEW --dport 21 -j ACCEPT
iptables -A loc2fw -p tcp -m state --state NEW --dport 5900:5910 -j ACCEPT
iptables -A net2fw -p tcp -m state --state NEW --dport 21 -j ACCEPT
iptables -N net2all
iptables -A net2all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A net2all -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A net2all -j common
iptables -A net2all -j LOG --log-level info --log-prefix FIREWALL:net2all:DROP:
iptables -A net2all -j DROP
iptables -N all2all
iptables -A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A all2all -m state --state NEW -p tcp ! --syn -j newnotsyn
iptables -A all2all -j common
iptables -A all2all -j LOG --log-level info --log-prefix FIREWALL:all2all:REJECT:
iptables -A all2all -j reject
iptables -A fw2net -j ACCEPT
iptables -A fw2loc -j all2all
iptables -A net2fw -j net2all
iptables -A loc2fw -j all2all
iptables -A loc2net -j ACCEPT
iptables -t mangle -N pretos
iptables -t mangle -N outtos
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --sport ssh -j TOS --set-tos 16
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --sport ssh -j TOS --set-tos 16
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --dport ftp -j TOS --set-tos 16
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --dport ftp -j TOS --set-tos 16
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --sport ftp -j TOS --set-tos 16
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --sport ftp -j TOS --set-tos 16
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --sport ftp-data -j TOS --set-tos 8
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --sport ftp-data -j TOS --set-tos 8
iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --dport ftp-data -j TOS --set-tos 8
iptables -t mangle -A pretos -p tcp -d 0.0.0.0/0 --dport ftp-data -j TOS --set-tos 8
iptables -t mangle -A PREROUTING -j pretos
iptables -t mangle -A OUTPUT -j outtos
iptables -A OUTPUT -o eth1 -d 0.0.0.0/0 -j fw2net
iptables -A eth1_in -s 0.0.0.0/0 -j net2fw
iptables -A eth1_fwd -o eth0 -d 0.0.0.0/0 -j net2all
iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -j fw2loc
iptables -A eth0_in -s 0.0.0.0/0 -j loc2fw
iptables -A eth0_fwd -o eth1 -d 0.0.0.0/0 -j loc2net
iptables -A FORWARD -i eth1 -j eth1_fwd
iptables -A INPUT -i eth1 -j eth1_in
iptables -A FORWARD -i eth0 -j eth0_fwd
iptables -A INPUT -i eth0 -j eth0_in
iptables -A INPUT -j common
iptables -A INPUT -j LOG --log-level info --log-prefix FIREWALL:INPUT:REJECT:
iptables -A INPUT -j reject
iptables -A OUTPUT -j common
iptables -A OUTPUT -j LOG --log-level info --log-prefix FIREWALL:OUTPUT:REJECT:
iptables -A OUTPUT -j reject
iptables -A FORWARD -j common
iptables -A FORWARD -j LOG --log-level info --log-prefix FIREWALL:FORWARD:REJECT:
iptables -A FORWARD -j reject
iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D INPUT -p udp --dport 53 -j ACCEPT
iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D FORWARD -p udp --dport 53 -j ACCEPT


* RE: Various questions
@ 2003-07-28 15:36 Daniel Chemko
  2003-07-28 15:47 ` António Godinho
  2003-07-28 21:50 ` Mogens Valentin
  0 siblings, 2 replies; 5+ messages in thread
From: Daniel Chemko @ 2003-07-28 15:36 UTC (permalink / raw)
  To: António Godinho, netfilter

>	Is it possible to DROP all those IPs in one rule? ( I don't
>need to log them since they are invalid anyway )


Ideally this is done for you with /proc/sys/net/ipv4/conf/*/rp_filter == 1 or 2. Basically it says that if a packet enters the interface with an IP address that is not on the subnet associated with it, then just drop the packet. That said, I don't see how these rules would be that serious a detriment to performance.

>	RETURN isn't a user-defined chain, and I don't see any info
>about this in the how-tos; can someone explain to me what that does?

RETURN means return to the chain that called it, so

iptables -A INPUT -j MYCHAIN 
iptables -A MYCHAIN -j RETURN (Returns back to the INPUT chain)


>	3. This is defining priority ports? Like shaping the traffic?

yes

>	3. Since all my traffic from intranet to gateway (the loc2fw chain)
>is from trusted IPs (it's from me or any member of my family),
>that's one of the things I can remove; does anyone have any other advice or
>improvement to the list of rules I've below?

If you are memory bound, these will not help you much. If your memory is really the contention, then try lowering the timeouts for things like established or unreplied connections, etc. These things are what take up the memory.


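An added illustration of the RETURN semantics described above (this is an example written for this page, not code from the thread and not iptables itself): a small Python model of netfilter chain traversal loaded with a constructed subset of the INPUT / eth1_in / rfc1918 / net2fw chains from the posted rule list. The trimmed rule order and the sample packets are assumptions for the demonstration; it shows that a RETURN from rfc1918 resumes in eth1_in, whereas a logdrop hit ends the walk.

```python
# Minimal model of netfilter chain traversal (constructed subset of the
# thread's rule set): first match wins, LOG is non-terminating, a user
# chain hands control back to its caller on RETURN or when it runs out
# of rules, and the built-in chain's policy applies only if nothing matched.
import ipaddress

LOG, RETURN = "LOG", "RETURN"
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net

def new_tcp_to(port):
    return lambda p: p["proto"] == "tcp" and p["state"] == "NEW" and p["dport"] == port

def any_pkt(p):
    return True

# chain -> ordered (match, target); a target is built-in or another chain name
CHAINS = {
    "INPUT":   [(lambda p: p["in"] == "eth1", "eth1_in"),
                (any_pkt, LOG), (any_pkt, "REJECT")],
    "eth1_in": [(lambda p: p["state"] == "NEW", "rfc1918"),
                (any_pkt, "net2fw")],
    "rfc1918": [(src_in("255.255.255.255/32"), RETURN),   # back to eth1_in
                (src_in("172.16.0.0/12"), "logdrop"),
                (src_in("10.0.0.0/8"), "logdrop")],
    "logdrop": [(any_pkt, LOG), (any_pkt, "DROP")],
    "net2fw":  [(new_tcp_to(22), "ACCEPT")],
}
POLICY = {"INPUT": "DROP"}

def walk(chain, pkt, logged):
    """Terminal verdict reached inside `chain`, or None when the chain
    returns to its caller (explicit RETURN or end of rules)."""
    for match, target in CHAINS[chain]:
        if not match(pkt):
            continue
        if target == LOG:
            logged.append(chain)      # record and keep walking this chain
        elif target == RETURN:
            return None
        elif target in TERMINAL:
            return target
        else:
            v = walk(target, pkt, logged)   # jump into a user chain
            if v is not None:
                return v              # the callee decided; stop here
    return None

def verdict_for(pkt):
    """(verdict, chains that logged) for a packet entering the INPUT hook."""
    logged = []
    v = walk("INPUT", pkt, logged)
    return (v if v is not None else POLICY["INPUT"]), logged

if __name__ == "__main__":
    bogon = {"in": "eth1", "src": "172.16.5.5", "proto": "tcp", "dport": 80, "state": "NEW"}
    print(verdict_for(bogon))   # ('DROP', ['logdrop'])
```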

* RE: Various questions
  2003-07-28 15:36 Various questions Daniel Chemko
@ 2003-07-28 15:47 ` António Godinho
  2003-07-28 21:50 ` Mogens Valentin
  1 sibling, 0 replies; 5+ messages in thread
From: António Godinho @ 2003-07-28 15:47 UTC (permalink / raw)
  To: netfilter

>>	Is it possible to DROP all those IPs in one rule? ( I don't
>>need to log them since they are invalid anyway )
>
>
>Ideally this is done for you with /proc/sys/net/ipv4/conf/*/rp_filter
>== 1 or 2. Basically it says that if a packet enters the interface with
>an IP address that is not on the subnet associated with it, then just
>drop the packet. That said, I don't see how these rules would be that
>serious a detriment to performance.

Well, I've made a script to enable this on a specific run level and I've
added this:
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

It was in the packet filtering how-to :)


>	3. Is this defining priority ports? Like shaping the traffic?
>
>yes
>
>>	3. Since all my traffic from intranet to gateway (the loc2fw chain)
>>is from trusted IPs (it's from me or any member of my family),
>>that's one of the things I can remove; does anyone have any other advice or
>>improvement to the list of rules I've below?
>
>If you are memory bound, these will not help you much. If your memory
>is really the contention, then try lowering the timeouts for things
>like established or unreplied connections, etc. These things are what
>take up the memory.

I've seen a comment on some forum that iptables "eats" lots of memory,
so on old computers the scripts should be optimized. Anyway, scripts
should be optimized on any computer, I guess. Thanks for your advice, I'll
dig into that.


	António Godinho




* RE: Various questions
@ 2003-07-28 15:59 Daniel Chemko
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Chemko @ 2003-07-28 15:59 UTC (permalink / raw)
  To: António Godinho, netfilter

A lot of the memory 'eating' in Netfilter is from storing runtime information about active connections when you are NATing connections, which I imagine you are.

To reduce the memory glut in Netfilter, I would say use fewer connections :-) or else limit the time that connections stay in the system. Mind you, if you shrink them too much, you will get dropped connections during normal operations.

I would say that 32MB is very limited. You may want to scalp any and everything else on the machine. You can save up a decent chunk of mem by just shutting down crap. For a firewall machine, this is pretty obvious.


Maybe I am not the best to describe this. I have a memory leak somewhere in my setup that leads to a reboot every month, and I have 256 MB.




* Re: Various questions
  2003-07-28 15:36 Various questions Daniel Chemko
  2003-07-28 15:47 ` António Godinho
@ 2003-07-28 21:50 ` Mogens Valentin
  1 sibling, 0 replies; 5+ messages in thread
From: Mogens Valentin @ 2003-07-28 21:50 UTC (permalink / raw)
  To: Daniel Chemko; +Cc: António Godinho, netfilter

Daniel Chemko wrote:
> 
> 
> >       Is it possible to DROP all those IP's in one rule? ( I don't
> >need to log them since they are invalid anyway )
> 
> Ideally this is done for you with /proc/sys/net/ipv4/conf/*/rp_filter == 1 or 2.

Do note that the rp_filter code will check only for zero (0) or
non-zero.
It changed sometime in the kernel 2.2 tree. Up until that point we could
use 1, 2, or 3 to achieve ingress, egress or both. Nowadays it'll do
ingress and egress when using any non-zero value.

-- 
Kind regards / venlig hilsen,
Mogens Valentin, Mr Dev

IT Networking, Security, Server Setup
www.danbbs.dk/~monz   mrdev@danbbs.dk
Phone +45 32 525 878  Cell 51 227 668


