* Secure Firewall
@ 2005-08-09 13:24 Alexander Salmin
From: Alexander Salmin @ 2005-08-09 13:24 UTC (permalink / raw)
To: netfilter
Hello friends,
I'm trying to set up a secure NAT firewall at home, and for that I need
help with some rules.
I've got a total of four computers, including the server.
These are the ones that should be NATed:
#1 --- 192.168.51.20 --- Should be able to access all of the internet.
#2 --- 192.168.51.40 --- Should be able to access only websites (port 80,443).
#3 --- 192.168.51.80 --- Should be able to access only websites (port 80,443).
This is what my non-working iptables script looks like right now:
-------------------------------------------------------------------------------------
INT="eth0"
EXT="eth1"
IPTABLES=/sbin/iptables
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE
$IPTABLES -A INPUT -j DROP
-------------------------------------------------------------------------------------
Somehow, it doesn't work with -dport 80, and I believe that I have
missed some allow-rules, because the -j DROP blocks the computer at
192.168.51.20 too.
Any help would be appreciated!
Thanks,
--Alexander.
* Re: Secure Firewall
From: Sp0oKeR @ 2005-08-11 13:29 UTC (permalink / raw)
To: Alexander Salmin; +Cc: netfilter
I think you can complete it with:
Change this
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -p tcp --dport 80 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -p tcp --dport 80 -o $EXT -j MASQUERADE
Add this
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.51.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.20 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.40 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.80 -p tcp --dport 80 -j ACCEPT
Try this!
Regards,
Sp0oKeR
On 8/9/05, Alexander Salmin <security.member@gmail.com> wrote:
> Hello friends,
>
> I'm trying to set up a secure NAT firewall at home, and for that I need
> help with some rules.
>
> I've got a total of four computers, including the server.
>
> These are the ones that should be NATed:
>
> #1 --- 192.168.51.20 --- Should be able to access all of the internet.
> #2 --- 192.168.51.40 --- Should be able to access only websites (port 80,443).
> #3 --- 192.168.51.80 --- Should be able to access only websites (port 80,443).
>
> This is what my non-working iptables script looks like right now:
> -------------------------------------------------------------------------------------
> INT="eth0"
> EXT="eth1"
> IPTABLES=/sbin/iptables
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT
>
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE
>
> $IPTABLES -A INPUT -j DROP
> -------------------------------------------------------------------------------------
>
> Somehow, it doesn't work with -dport 80, and I believe that I have
> missed some allow-rules, because the -j DROP blocks the computer at
> 192.168.51.20 too.
>
> Any help would be appreciated!
>
>
> Thanks,
> --Alexander.
* Re: Secure Firewall
From: curby . @ 2005-08-12 19:09 UTC (permalink / raw)
To: Alexander Salmin; +Cc: netfilter
On 8/9/05, Alexander Salmin <security.member@gmail.com> wrote:
> #1 --- 192.168.51.20 --- Should be able to access all internet.
> #2 --- 192.168.51.40 --- Should be able to access only websites (port 80,443).
> #3 --- 192.168.51.80 --- Should be able to access only websites (port 80,443).
Consider your reasons for restricting #2 and #3. It is trivially easy
to get around port restrictions only (just run an ssh server on port 80,
for example).
> This is what my non-working iptables script looks like right now:
> -------------------------------------------------------------------------------------
> INT="eth0"
> EXT="eth1"
> IPTABLES=/sbin/iptables
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT
Since you have no OUTPUT rules and OUTPUT drops by default, these
INPUT rules don't do anything useful. You probably want to allow
ESTABLISHED,RELATED traffic in OUTPUT as well, for example.
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE
>
> $IPTABLES -A INPUT -j DROP
> -------------------------------------------------------------------------------------
Definitely add the FORWARD rules Sp0oKeR talked about. And consider
some more intelligent/"deep" traffic inspection if you want to
restrict some of your hosts.
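The advice from both replies above, assembled into one complete script as an added example (this is not code posted by Alexander, Sp0oKeR or curby, and it is not an official netfilter script). It keeps the original poster's interface names and host addresses and the 192.168.51.0/24 prefix from Sp0oKeR's rule; the helper names (ipt, web_only, gen_rules, count_rules) and the DRY_RUN switch are this example's own. Two design choices are worth noting: the per-host port restriction lives only in FORWARD, because a MASQUERADE rule in the nat table can only rewrite packets that FORWARD has already accepted, so the single NAT rule covers the whole LAN; and OUTPUT is opened for ESTABLISHED,RELATED (and for new connections the firewall itself starts) so that the INPUT rules actually have an effect, which is curby's point. Port 443 is included because the original requirement listed it, although the rules suggested in the thread only covered port 80.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: prints the rules
# instead of applying them, so it can be reviewed without root.
INT="eth0"
EXT="eth1"
LAN="192.168.51.0/24"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print rules only, 0 = execute them (as root)

# ipt: every rule goes through here; print it (dry run) or run it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# web_only: FORWARD rules that let one LAN host reach only HTTP and HTTPS.
# The restriction belongs here, not in the nat table: MASQUERADE only
# rewrites the source address of packets FORWARD has already accepted.
web_only() {
    host="$1"
    ipt -A FORWARD -i "$INT" -o "$EXT" -s "$host" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -s "$host" -p tcp --dport 443 -j ACCEPT
}

gen_rules() {
    # Clean slate with default-deny policies on all three filter chains.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # The firewall's own traffic. With OUTPUT at DROP and no OUTPUT rules,
    # the box could never answer anything, so open OUTPUT for replies and
    # for connections the firewall itself starts, and let it talk to its LAN.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$INT" -j ACCEPT
    ipt -A INPUT -i "$INT" -p icmp -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport bootps -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport domain -j ACCEPT

    # Forwarded traffic: replies for existing connections first, then the
    # per-host policy for new connections leaving towards the internet.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -s 192.168.51.20 -j ACCEPT
    web_only 192.168.51.40
    web_only 192.168.51.80

    # NAT: one rule for the whole LAN; what may leave was decided in FORWARD.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT" -j MASQUERADE
}

# count_rules: number of generated rules matching a pattern, for sanity
# checks of the dry-run output (only meaningful with DRY_RUN=1).
count_rules() {
    gen_rules | grep -c -- "$1"
}

gen_rules
```

Run it as `sh firewall.sh` to review the rule list, then `DRY_RUN=0 sh firewall.sh` as root to apply it; `iptables -L FORWARD -v -n` afterwards shows per-rule packet counters, which is the quickest way to confirm that host #2 and #3 traffic is matching the --dport 80/443 rules and nothing else. The `-m state` match is what the thread used in 2005; on current kernels the equivalent is `-m conntrack --ctstate`.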