Checking FC2 Iptables firewall config for PPPoE-enabled Gateway

#1
08-29-2004
Max
Checking FC2 Iptables firewall config for PPPoE-enabled Gateway


Greetings,

Recently, I completed setting up an FC2-enabled server as a home gateway.

Its connection to the Internet is by way of Verizon's PPPoE DSL. The
external Westell modem connects to eth0; the home LAN connects to eth1.

Everything seems to be communicating correctly. The concern I have and
the request I make of the list is to review the iptables setting for the
gateway.

Stock FC2 Iptables looks like this:
root@leeloo ~> iptables-save
# Generated by iptables-save v1.2.9 on Sun Aug 29 17:06:53 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20310127:17271169167]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug 29 17:06:53 2004


I've amended it; the lines I've added are preceded by >>> and ended w/ <<<:

# Generated by iptables-save v1.2.9 on Sun Aug 29 17:08:40 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10797:1210790]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

>>>-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT <<<


-A RH-Firewall-1-INPUT -i lo -j ACCEPT

>>>-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<<<


-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug 29 17:08:40 2004

>>>> Everything below was added to stock FC2 Iptables settings<<<


# Generated by iptables-save v1.2.9 on Sun Aug 29 17:08:40 2004
*nat
:PREROUTING ACCEPT [11662:691042]
:POSTROUTING ACCEPT [97:5735]
:OUTPUT ACCEPT [96:5659]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 29 17:08:40 2004

>>>>>>>> End addition <<<<


I run a standalone server on an ISP loaded w/ FC2 and running the stock Iptables
configuration. There don't seem to be any security problems.


The biggest hurdle was getting machines on the home network making
requests through the gateway; initially, no web, ssh, or ftp
requests were possible using domain names. They could only
be made using explicit ip addresses.

Once I added
>>>-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<<<


service requests to the internet using domain names began to work
correctly.

My concern is how exposed/vulnerable is the above gateway configuration?

Much thanks for your help!

Max Pyziur
pyz@brama.com

#2
08-29-2004
Walter Schiessberg
Re: Checking FC2 Iptables firewall config for PPPoE-enabled Gateway

Max wrote on 29.08.2004 23:30:

> Greetings,
>
> Recently, I completed setting up an FC2-enabled server as a home gateway.
>
> Its connection to the Internet is by way of Verizon's PPPoE DSL. The
> external Westell modem connects to eth0; the home LAN connects to eth1.
>
> Everything seems to be communicating correctly. The concern I have and
> the request I make of the list is to review the iptables setting for the
> gateway.

[Configuration]
>
> My concern is how exposed/vulnerable is the above gateway configuration?


Quite.
- You're sure you have the following /public/ services: webserver, SSH,
FTP, and mailserver?
If not, or if you don't know what I'm talking about, remove the lines
containing "state NEW ... ACCEPT".
- 127.127.1.0 is local clock reference and has nothing to do with
firewalling.
And more...

Better you look here
<http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html>
or here <http://www.linuxguruz.com/iptables/> before connecting your
machine to the internet.

Walter
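The points raised in both posts can be checked mechanically against an iptables-save dump. The script below is an added example, not code from either poster: it parses iptables-save output and flags a user chain that both INPUT and FORWARD jump to (which is why the -i eth1 ACCEPT in Max's config also let LAN clients' forwarded DNS through), an ACCEPT whose only match is an input interface, NEW-state ACCEPTs on service ports (justified only for deliberately public services, as Walter notes), rules naming ntpd's local-clock address 127.127.1.0, and a port-53 rule that covers TCP but not UDP. SAMPLE_DUMP is constructed from the rules posted above, trimmed to the lines the checks exercise; the function and finding names are this example's own.

```python
"""Audit an iptables-save dump for the points raised in this thread.

Added example (not code from the thread). SAMPLE_DUMP is constructed from
the rules posted above, trimmed to the lines the checks exercise.
"""
import shlex

SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
"""

# targets that are not user-defined chains
BUILTIN = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "RETURN"}


def parse_dump(text):
    """Return {table: [(chain, opts)]}; opts maps each option to its value
    (True for bare flags), with every -m module collected under 'modules'."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A ") and table is not None:
            toks = shlex.split(line)[1:]         # drop the leading -A
            chain, opts, i = toks[0], {"modules": []}, 1
            while i < len(toks):
                key = toks[i]
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                val = toks[i + 1] if has_val else True
                if key == "-m":
                    opts["modules"].append(val)
                else:
                    opts[key] = val
                i += 2 if has_val else 1
            tables[table].append((chain, opts))
    return tables


def audit(tables):
    """Return a list of human-readable findings for the filter table."""
    rules = tables.get("filter", [])
    findings = []
    # (1) a user chain reached from both INPUT and FORWARD: one ACCEPT serves both paths
    users = {}
    for chain, opts in rules:
        if chain in ("INPUT", "FORWARD") and opts.get("-j") not in BUILTIN:
            users.setdefault(opts["-j"], set()).add(chain)
    for target, chains in users.items():
        if chains == {"INPUT", "FORWARD"}:
            findings.append(f"{target}: shared by INPUT and FORWARD, so each ACCEPT in it also permits forwarded traffic")
    accepts = [(c, o) for c, o in rules if o.get("-j") == "ACCEPT"]
    dns = {o.get("-p") for _, o in accepts if o.get("--dport") == "53"}
    for chain, o in accepts:
        matches = set(o) - {"-j", "modules"}
        # (2) whole-interface ACCEPT: everything entering that interface is trusted
        if matches == {"-i"} and o["-i"] != "lo":
            findings.append(f"{chain}: unconditional ACCEPT for all traffic arriving on {o['-i']}")
        # (3) inbound NEW connections from any source mean a public service
        if o.get("--state") == "NEW" and "--dport" in o and "-s" not in o:
            findings.append(f"{chain}: NEW {o.get('-p')} connections to port {o['--dport']} accepted from any source")
        # (4) 127.127.x.x is ntpd's refclock pseudo-address, not a network peer
        if str(o.get("-s", "")).startswith("127.127."):
            findings.append(f"{chain}: source {o['-s']} is ntpd's local clock address, rule matches no real traffic")
    # (5) DNS queries are mostly UDP; a TCP-only port 53 rule leaves them to the final REJECT
    if dns == {"tcp"}:
        findings.append("port 53 accepted for tcp only; udp 53 queries still hit the final REJECT")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print("-", finding)
```

Run it against a live dump with `iptables-save | python3 audit.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`; each finding is a question to answer, not an automatic error (a NEW-state ACCEPT on port 22 is correct if SSH is meant to be reachable from the Internet, and wrong otherwise, which is exactly the distinction the reply draws).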