Networking Forums
Checking FC2 Iptables firewall config for PPPoE-enabled Gateway

Max
Guest
Posts: n/a

08-29-2004, 09:30 PM

Greetings,

Recently, I completed setting up an FC2-enabled server as a home gateway.

Its connection to the Internet is by way of Verizon's PPPoE DSL. The
external Westell modem connects to eth0; the home LAN connects to eth1.

Everything seems to be communicating correctly. The concern I have and
the request I make of the list is to review the iptables setting for the
gateway.

Stock FC2 Iptables looks like this:
root@leeloo ~> iptables-save
# Generated by iptables-save v1.2.9 on Sun Aug 29 17:06:53 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20310127:17271169167]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug 29 17:06:53 2004


I've amended it; the lines I've added are preceded by >>> and ended w/ <<<:

# Generated by iptables-save v1.2.9 on Sun Aug 29 17:08:40 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10797:1210790]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

>>>-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT <<<


-A RH-Firewall-1-INPUT -i lo -j ACCEPT

>>>-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<<<


-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug 29 17:08:40 2004

>>>> Everything below was added to stock FC2 Iptables settings<<<


# Generated by iptables-save v1.2.9 on Sun Aug 29 17:08:40 2004
*nat
:PREROUTING ACCEPT [11662:691042]
:POSTROUTING ACCEPT [97:5735]
:OUTPUT ACCEPT [96:5659]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 29 17:08:40 2004

>>>>>>>> End addition <<<<


I run a standalone server on an ISP loaded w/ FC2 and running the stock Iptables
configuration. There don't seem to be any security problems.


The biggest hurdle was getting machines on the home network to make
requests through the gateway; initially, no web, ssh, or ftp
requests were possible using domain names. They could only
be made using explicit ip addresses.

Once I added
>>>-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<<<


service requests to the internet using domain names began to work
correctly.

My concern is how exposed/vulnerable is the above gateway configuration?

Much thanks for your help!

Max Pyziur
(E-Mail Removed)

Walter Schiessberg
Guest
Posts: n/a

08-29-2004, 09:55 PM
Max wrote on 29.08.2004 23:30:

> Greetings,
>
> Recently, I completed setting up an FC2-enabled server as a home gateway.
>
> Its connection to the Internet is by way of Verizon's PPPoE DSL. The
> external Westell modem connects to eth0; the home LAN connects to eth1.
>
> Everything seems to be communicating correctly. The concern I have and
> the request I make of the list is to review the iptables setting for the
> gateway.

[Configuration]
>
> My concern is how exposed/vulnerable is the above gateway configuration?


Quite.
- You're sure you have the following /public/ services: webserver, SSH,
FTP, and mailserver?
If not, or if you don't know what I'm talking about, remove the lines
containing "state NEW ... ACCEPT".
- 127.127.1.0 is a local clock reference and has nothing to do with
firewalling.
And more...

Better you look here
<http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html>
or here <http://www.linuxguruz.com/iptables/> before connecting your
machine to the internet.

Walter
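An added illustration of the review Walter gives above (a small audit script of my own, not code from either poster): it parses Max's amended iptables-save dump, embedded here as a constructed sample, and reports the three things a reviewer would point at. The "state NEW ... ACCEPT" rules carry no interface match, so each of those services is reachable from the PPPoE side as well as the LAN; the 127.127.1.0 rule matches ntpd's LOCAL clock pseudo-address, not a network peer; and INPUT and FORWARD both jump into RH-Firewall-1-INPUT, so one chain decides for the gateway itself and for traffic routed through it, which is why the `-i eth1 -j ACCEPT` line was what made forwarded LAN traffic (DNS included) flow. The LAN interface name `eth1` and the `high`/`info` severities are my assumptions.

```python
"""Audit an iptables-save dump for rules that expose the gateway.
Added example for the thread above; sample data is constructed from the post."""
import shlex

# Constructed sample: the amended *filter and *nat tables from Max's post
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10797:1210790]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [11662:691042]
:POSTROUTING ACCEPT [97:5735]
:OUTPUT ACCEPT [96:5659]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
"""

# options that narrow a rule; a rule with none of these and an -i is a blanket accept
MATCH_KEYS = {"-p", "-m", "-s", "-d", "--dport", "--sport", "--state", "--icmp-type"}


def parse_rules(dump):
    """Turn the '-A' lines of an iptables-save dump into dicts of table, chain
    and options. Repeatable options (-m appears twice in '-m state ... -m tcp')
    keep a list of values; an option with no value maps to an empty list."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):           # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):     # skip :CHAIN policy lines and COMMIT
            continue
        toks = shlex.split(line)
        opts, i = {}, 2
        while i < len(toks):
            key = toks[i]
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts.setdefault(key, []).append(toks[i + 1])
                i += 2
            else:
                opts.setdefault(key, [])
                i += 1
        rules.append({"table": table, "chain": toks[1], "opts": opts, "line": line})
    return rules


def audit(dump, lan_ifaces=("eth1",)):
    """Return (severity, message) findings for the filter table.
    'high' marks something reachable from the Internet side; 'info' marks
    something the owner should know about but that is not an exposure by itself."""
    rules = parse_rules(dump)
    findings = []

    # 1. user chains entered from both INPUT and FORWARD: one rule set then
    #    governs the gateway itself and everything routed through it
    users = {}
    for r in rules:
        if r["table"] == "filter" and r["chain"] in ("INPUT", "FORWARD"):
            for target in r["opts"].get("-j", []):
                users.setdefault(target, set()).add(r["chain"])
    for chain, from_chains in users.items():
        if {"INPUT", "FORWARD"} <= from_chains:
            findings.append(("info", f"chain {chain} is shared by INPUT and FORWARD; "
                             "every ACCEPT in it applies to the gateway and to routed traffic"))

    # 2. per-rule checks on ACCEPT rules in the filter table
    for r in rules:
        o = r["opts"]
        if r["table"] != "filter" or o.get("-j") != ["ACCEPT"]:
            continue
        iface = o.get("-i", [None])[0]
        states = ",".join(o.get("--state", [])).split(",")
        if "NEW" in states and iface is None:
            proto, port = o.get("-p", ["any"])[0], o.get("--dport", ["any"])[0]
            findings.append(("high", f"{proto}/{port}: NEW connections accepted on every "
                             "interface, so the service is reachable from the Internet"))
        if iface and iface != "lo" and not (o.keys() & MATCH_KEYS):
            if iface in lan_ifaces:
                findings.append(("info", f"blanket ACCEPT on LAN interface {iface}: "
                                 "every LAN host is fully trusted"))
            else:
                findings.append(("high", f"blanket ACCEPT on non-LAN interface {iface}"))
        if "127.127.1.0" in o.get("-s", []):
            findings.append(("info", "source 127.127.1.0 is ntpd's LOCAL clock "
                             "pseudo-address, not a network peer; the rule is not a firewall matter"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

Run it against a live box with `iptables-save | python3 audit.py` after changing the `__main__` block to read `sys.stdin`; the default run uses the embedded sample and prints six `high` findings (ports 80, 443, 22, 21, 25, 53) and three `info` ones.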