Networking Forums

iptables firewall do-over

William Gill
06-18-2007, 10:59 PM
I am revisiting my firewall and before I begin, I need to make sure my
understandings are right.

Here's the geography:

WAN (Internet) public routable IPs

Interface (ppp0)

fw machine

interface (eth1)

LAN private non-routable IPs

Assuming NAT is setup correctly, Here's what I'm thinking.

Since the LAN uses only non-routable IPs, and there is no one on the
LAN that I'm worried about, I only need to focus on NEW packets from
ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
of non-routable IP addresses.

Default policies should be: INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
Then by looking at specific ports, protocols, and interface sources,
selectively jump to ACCEPT. Everything else should fall through to the
default policy (DROP). It almost sounds like I could get away with one
rule -i ppp0 -m state --state ESTABLISHED, RELATED -j ACCEPT.

If these assumptions are correct, is there anything on ppp0 --state NEW
that should get accepted?

Bill

Mouquiette
06-19-2007, 12:42 PM
On 19 June, 00:59, William Gill <nore...@gcgroup.net> wrote:
> I am revisiting my firewall and before I begin, I need to make sure my
> understandings are right.
>
> Here's the geography:
>
> WAN (Internet) public routable IPs
>
> Interface (ppp0)
>
> fw machine
>
> interface (eth1)
>
> LAN private non-routable IPs
>
> Assuming NAT is setup correctly, Here's what I'm thinking.
>
> Since the LAN uses only non-routable IP's, and there is no one on the
> LAN that I'm worried about, I only need to focus on NEW packets from
> ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
> NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
> of non-routable IP addresses.
>
> Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
> Then by looking at specific ports, protocols, and interface sources,
> selectively jump to ACCEPT. Everything else should fall through to the
> default policy (DROP). It almost sounds like I could get away with one
> rule -i ppp0 -m state --state ESTABLISHED, RELATED -j ACCEPT.
>
> If these assumptions are correct, is there anything on ppp0 --state NEW
> that should get accepted?
>
> Bill


I prefer to set DROP as the default policy for OUTPUT. It prevents
connections from your firewall to the internet from being established.
Generally for a firewall-only (i.e. no servers running) machine I like
that:
on ppp0
INPUT : DROP except icmp (and ssh if you want to connect to your fws
from the outside)
OUTPUT : DROP except icmp (and ssh if you want to connect to your fws
from the outside)
on eth1
INPUT : DROP except ping / ssh <-- here you need the new/established
OUTPUT : DROP except ping / ssh <-- here you need the established (no
new nor related)
for the nat :
FORWARD : DROP except protocols that may pass (http(s) / smtp(s), ssh,
ftp, icmp...) <-- here : (new, established, related for packets coming
from eth1, established/related for packets from ppp0)

William Gill
06-19-2007, 02:35 PM

Mouquiette wrote:
> On 19 June, 00:59, William Gill <nore...@gcgroup.net> wrote:
>> I am revisiting my firewall and before I begin, I need to make sure my
>> understandings are right.
>>
>> Here's the geography:
>>
>> WAN (Internet) public routable IPs
>>
>> Interface (ppp0)
>>
>> fw machine
>>
>> interface (eth1)
>>
>> LAN private non-routable IPs
>>
>> Assuming NAT is setup correctly, Here's what I'm thinking.
>>
>> Since the LAN uses only non-routable IP's, and there is no one on the
>> LAN that I'm worried about, I only need to focus on NEW packets from
>> ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
>> NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
>> of non-routable IP addresses.
>>
>> Default policies should be; INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
>> Then by looking at specific ports, protocols, and interface sources,
>> selectively jump to ACCEPT. Everything else should fall through to the
>> default policy (DROP). It almost sounds like I could get away with one
>> rule -i ppp0 -m state --state ESTABLISHED, RELATED -j ACCEPT.
>>
>> If these assumptions are correct, is there anything on ppp0 --state NEW
>> that should get accepted?
>>
>> Bill

>
> I prefer to set DROP as the default policy for OUTPUT. It prevents
> connections from your firewall to the internet from being established.
> Generally for a firewall-only (i.e. no servers running) machine I like
> that:


It has a couple of servers (for LAN side only) that I use for testing,
but I am reevaluating their necessity, and may shut them down.

> on ppp0
> INPUT : DROP except icmp (and ssh if you want to connect to your fws
> from the outside)


I debated the need to allow ICMP. Is it "bad etiquette" to ignore pings?

> OUTPUT : DROP except icmp (and ssh if you want to connect to your fws
> from the outside)
> on eth1


> INPUT : DROP except ping / ssh <-- here you need the new/established
> OUTPUT : DROP except ping / ssh <-- here you need the established (no
> new nor related)
> for the nat :
> FORWARD : DROP except protocols that may pass (http(s) / smtp(s), ssh,
> ftp, icmp...) <-- here : (new, established, related for packets coming
> from eth1, established/related for packets from ppp0)


Ok, here's where I may be off in my thinking. I thought routable vs.
non-routable addresses provided most of the needed security without having
to examine every packet? I suppose someone could guess destination
addresses, but how could they do the needed NAT?

Anyway, I will evaluate and make some adjustments (like INPUT && -i
eth1 && -p ??? = ACCEPT, etc.) I may not get to it today, but I'll post
generic logic, and questions for consideration before I hammer out the
rule syntax.

Thanks,

Bill

Juha Laiho
06-19-2007, 04:02 PM
William Gill <(E-Mail Removed)> said:
>I am revisiting my firewall and before I begin, I need to make sure my
>understandings are right.

....
>Default policies should be: INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
> Then by looking at specific ports, protocols, and interface sources,
>selectively jump to ACCEPT. Everything else should fall through to the
>default policy (DROP). It almost sounds like I could get away with one
>rule -i ppp0 -m state --state ESTABLISHED, RELATED -j ACCEPT.


That's pretty much it. Blanket allowing inbound ICMP has no use; however
the ESTABLISHED,RELATED rule is important, as it also covers ICMP that
is related to something you've sent out. In other words, in general
no-one is interested any longer whether a source address responds to ping
or not.

What might happen, in some rare cases is that when authenticating to
a remote service, the remote system tries to do an ident query to
the originating IP address, and will wait for quite a while if you
just drop the packet. Thus, it'll be better to actively reject any
traffic to ident port.

Overall, whether it is better to DROP or REJECT is a conversation
topic of its own; some claim that DROPping saves your bandwidth
(no need to send rejects for robots knocking your machine), others
claim that with an active reject, the robot moves on to the next
target, but dropping a packet will cause retries.
--
Wolf a.k.a. Juha Laiho Espoo, Finland

Clifford Kite
06-19-2007, 06:36 PM
William Gill <(E-Mail Removed)> wrote:
> I am revisiting my firewall and before I begin, I need to make sure my
> understandings are right.
>
> Here's the geography:
>
> WAN (Internet) public routable IPs
>
> Interface (ppp0)
>
> fw machine
>
> interface (eth1)
>
> LAN private non-routable IPs
>
> Assuming NAT is setup correctly, Here's what I'm thinking.
>
> Since the LAN uses only non-routable IPs, and there is no one on the
> LAN that I'm worried about, I only need to focus on NEW packets from
> ppp0 destined for the fw machine (INPUT chain where -i ppp0 and --state
> NEW). Any NEW packets from the WAN are blocked from the LAN by virtue
> of non-routable IP addresses.
>
> Default policies should be: INPUT DROP, OUTPUT ACCEPT, and FORWARD DROP.
> Then by looking at specific ports, protocols, and interface sources,
> selectively jump to ACCEPT. Everything else should fall through to the
> default policy (DROP). It almost sounds like I could get away with one
> rule -i ppp0 -m state --state ESTABLISHED, RELATED -j ACCEPT.
>
> If these assumptions are correct, is there anything on ppp0 --state NEW
> that should get accepted?


Given some limited experience and my reading of man iptables, the answer
is no - unless you want to run a server of some sort (ftp, ssh, etc.).
However, to allow access to "fw machine" and the Internet from the rest
of your LAN, a rule to ACCEPT new connections from the LAN interface is
needed for the INPUT and FORWARD chains. A very basic firewall for
PPP is given in

http://www.netfilter.org/documentati...g-HOWTO-5.html

--
Clifford Kite
/* Speak softly and carry a +6 two-handed sword. */
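The ruleset the thread converges on, collected into one script as an added example (not any poster's own script): INPUT and FORWARD default to DROP, OUTPUT to ACCEPT, only ESTABLISHED,RELATED traffic comes back in on ppp0, NEW connections are accepted from eth1 in INPUT and FORWARD as Clifford notes, and ident is actively REJECTed as Juha suggests. The interface names follow the thread's geography; by default the script only prints the commands, and setting IPT=iptables applies them as root.

```shell
#!/bin/sh
# Added example of the ruleset discussed in the thread; not from the original posts.
WAN_IF="${WAN_IF:-ppp0}"   # public side (assumption: matches the thread's ppp0)
LAN_IF="${LAN_IF:-eth1}"   # private side (assumption: matches the thread's eth1)

# Dry-run by default: print the commands. Run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

firewall_rules() {
    $IPT -F
    $IPT -t nat -F

    # Default policies: drop in and through, allow out (as in the original post).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always needed by local services.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to what the fw machine sent out, including RELATED ICMP errors.
    # Note: no space after the comma; "ESTABLISHED, RELATED" would split into two args.
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN may open NEW connections to the fw machine itself.
    $IPT -A INPUT -i "$LAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Actively reject ident (tcp/113) so remote services do not hang waiting.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Rate-limited log of whatever is about to fall through to the INPUT DROP policy.
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "

    # NAT path: the LAN initiates, the WAN side only gets replies back.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Number of iptables commands the ruleset emits (dry-run), for a quick sanity check.
count_rules() {
    ( IPT="echo iptables"; firewall_rules ) | wc -l | tr -d ' '
}

firewall_rules
```

Run it once in dry-run mode and read the printed commands before applying them, since a typo in the ESTABLISHED,RELATED rule locks you out of an ssh session over ppp0.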