
#7
Old 07-25-2005
Joachim Schipper
 
Default Re: VPN Through Firewall To Office

googlemike@hotpop.com wrote:
> Llanzlan Klazmon wrote:
>> Just wanted to comment on your configuration.
>> The usual procedure is to make the default policy for each chain to be
>> either DROP, or REJECT depending on your taste.

>
> Let's try and be more specific if I could.
>
> This is currently what I'm using as a normal home user behind a cable
> modem firewall NAT router with a static workstation address who needs
> nothing more than VPN to office, web surfing, email, IRC chat, and FTP
> download:


> 1$ lokkit --disabled; # is necessary only on my workstation until I
> uninstall lokkit and quit experimenting with it
> 2$ iptables -F
> 3$ iptables -A INPUT -i lo -j ACCEPT
> 4$ iptables -A INPUT -p tcp -m tcp --dport 500 --syn -j ACCEPT


'-m tcp' is unnecessary here. It doesn't hurt, but '... -p tcp --dport
500 ...' is easier.

Also note that it may be better to use '-m state --state NEW' instead of
'--syn' - while decent people will send SYNs for new connections and not
send SYNs for existing connections, that's not necessarily the case for
crackers.

> 5$ iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> 6$ iptables -A INPUT -p udp -m udp -s MyDNS.com --sport 53 -d 0/0 -j
> ACCEPT
> 7$ iptables -A INPUT -p udp -m udp -s MyDNS.com --sport 53 -d 0/0 -j
> ACCEPT
> 8$ iptables -A INPUT -p tcp -m tcp --syn -j REJECT
> 9$ iptables -A INPUT -p udp -m udp -j REJECT


The intention here seems to be to reject everything. This is best
achieved by doing 'iptables -A INPUT -j REJECT'; not everything is TCP
or UDP. IPSec (commonly used for VPNs), for instance, is not matched by
the above.

> * Drop line 4 because isakmp doesn't use tcp.
> * Copy line 5 as line 4 and replace the port number with 4500 for
> better compatibility with some VPNs -- only for those users who need
> that, unless your VPN accepts this just fine.


Those are good ideas.

> * Append (or did you mean "prepend"?)
>
> 10$ iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
> 11$ iptables -A INPUT -p tcp --sport -m state --state ESTABLISHED -j
> ACCEPT


This should, of course, read '... --sport 80 ...'; the above will give
you a syntax error.

> * You also mentioned in your last statement that when I run these
> commands and type "iptables -L", I get (policy ACCEPT) on each chain. I
> think you implied that this might not be a good idea, so I was
> wondering specifically what statements I must type to change that to
> something that would work.


iptables -P INPUT DROP
iptables -P OUTPUT REJECT
iptables -P FORWARD DROP

or something along these lines. I prefer REJECT to DROP, but there is
some argument on that topic.

> P.S. Readers, if you're on DHCP, not a static address, insert these
> statements between lines 3 and 4 or your workstation will not renew
> DHCP properly.
>
> $ iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport
> 67:68 -i eth0 -j ACCEPT
> $ iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport
> 67:68 -i eth1 -j ACCEPT


Erm... -s 0/0 means 'anywhere', as does -d 0/0. They don't hurt, but
they don't exactly help either... Additionally, you'll also want to
allow outgoing DHCP traffic.

Your configuration still allows all locally-initiated connections. While
this isn't too bad, it is quite a bit better to disallow those too.
Start with 'iptables -P OUTPUT DROP', and add allow rules until it
works. Don't forget state tracking (as used in #11 above).

Your configuration also does not allow active FTP; though active FTP is
rare, you'll want to allow it. To do this, allow inbound RELATED
connections (iptables -A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT). ESTABLISHED is necessary, as RELATED only covers the first
packet of the data stream sent your way.

Joachim
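As an added example (not code from the post or from either poster), here is a complete ruleset that puts the advice in this reply together: DROP policies with a final REJECT rule in each chain, state tracking for replies and for the server-initiated data connection of active FTP, DHCP allowed in both directions, IKE/NAT-T and ESP to the VPN gateway, DNS to one resolver, and the outbound services the original poster listed. Built-in chain policies accept only ACCEPT or DROP, which is why the "reject everything else" step is the last rule rather than a policy. The interface name eth0, the gateway address 203.0.113.10, the resolver 198.51.100.53 and the outbound port list are placeholders I chose, not values from the thread. With DRY_RUN=1 the script prints the iptables commands instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: workstation ruleset built from the
# advice in the reply above. DRY_RUN=1 prints the commands instead of
# applying them (applying requires root).
#
# Placeholders (assumed, not from the post): interface, VPN gateway, resolver.
WAN_IF="${WAN_IF:-eth0}"
VPN_GW="${VPN_GW:-203.0.113.10}"      # documentation address, replace
DNS_SRV="${DNS_SRV:-198.51.100.53}"   # documentation address, replace

# Run iptables, or in dry-run mode print the exact command instead.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_ruleset() {
    ipt -F

    # Built-in chain policies take only ACCEPT or DROP; the "reject
    # everything else" behaviour is the final rule of each chain (below).
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # State tracking first: replies to connections we opened, plus RELATED
    # so the server-initiated data connection of active FTP is accepted.
    # RELATED only matches FTP data when the ftp conntrack helper is loaded
    # (ip_conntrack_ftp on 2.6-era kernels, nf_conntrack_ftp today).
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # DHCP in both directions: the client sends from 68 to 67, the server
    # replies from 67 to 68. Without the OUTPUT rule a DROP policy on
    # OUTPUT breaks lease renewal.
    ipt -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A INPUT  -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # IPsec VPN: IKE (UDP 500) and NAT-T (UDP 4500) are opened outbound to
    # the gateway only; replies match ESTABLISHED above. ESP is neither
    # TCP nor UDP, so it gets its own rules in both directions.
    ipt -A OUTPUT -p udp -d "$VPN_GW" -m multiport --dports 500,4500 \
        -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p esp -d "$VPN_GW" -j ACCEPT
    ipt -A INPUT  -p esp -s "$VPN_GW" -j ACCEPT

    # DNS to the configured resolver only (UDP, plus TCP for large answers).
    ipt -A OUTPUT -p udp -d "$DNS_SRV" --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$DNS_SRV" --dport 53 -m state --state NEW -j ACCEPT

    # Outbound services the original poster asked for: FTP control, mail,
    # web, IRC. '--state NEW' rather than '--syn': it matches the first
    # packet conntrack has seen, whatever TCP flags it carries. Adjust the
    # port list to taste.
    ipt -A OUTPUT -p tcp -m multiport \
        --dports 21,25,80,110,143,443,587,993,6667 \
        -m state --state NEW -j ACCEPT

    # Final rules: REJECT, so local programs fail fast instead of timing out.
    ipt -A INPUT -j REJECT
    ipt -A OUTPUT -j REJECT
}

# Usage:  sh firewall.sh apply            (as root, applies the rules)
#         DRY_RUN=1 sh firewall.sh apply  (prints the commands only)
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Two caveats worth knowing before relying on the RELATED rule for FTP: the helper module has to be loaded (modprobe nf_conntrack_ftp, or ip_conntrack_ftp on kernels of the thread's era), and since Linux 4.7 helpers are no longer attached automatically (net.netfilter.nf_conntrack_helper defaults to 0), so on a current kernel the FTP control connection also needs a CT rule in the raw table (iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp). The ESP rules only matter for VPNs that send ESP directly; a gateway that runs everything over NAT-T on UDP 4500 is covered by the ESTABLISHED rule alone.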