Example of a simple firewall for the mesh server.
Warning: this firewall is anything but optimal or perfect! When the iptables-persistent package is updated, the rules are re-read and the rules files are rewritten from the live ruleset, which among other things throws out the "#" comments in the file (comments attached to a rule with -m comment survive, because iptables-save emits them).
Configuration
IPv4
/etc/iptables/rules.v4:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# mesh-side interfaces never talk to the host itself; "+" is the iptables suffix wildcard ("*" would be matched literally)
-A INPUT -i mesh-vpn+ -j DROP
-A INPUT -i bat0 -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 68 -m comment --comment "dhcp-client" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 32 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate NEW -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 50 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 137,138 -j DROP
-A INPUT -i eth0 -p igmp -j ACCEPT
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT
# DHCP server
# DHCPDISCOVER
-A INPUT -i br-client -p udp --sport 68 --dport 67 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
# receive our own
-A INPUT -i br-client -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT
# DHCPREQUEST
-A INPUT -i br-client -p udp --dport 67 -j ACCEPT
-A INPUT -i br-client -p udp --sport 68 --dport 67 -d 255.255.255.255 -j ACCEPT
-A INPUT -i br-client -m pkttype --pkt-type multicast -j DROP
-A INPUT -i br-client -m pkttype --pkt-type broadcast -j DROP
-A INPUT -i br-anycast -j DROP
-A INPUT -p tcp -m hashlimit --hashlimit-above 10/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name log_level --hashlimit-htable-expire 3600000 -j LOG
-A INPUT ! -p tcp -j LOG
-A INPUT -p tcp -m state --state NEW -m limit --limit 1/sec --limit-burst 10 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn+ -j DROP
# reverse-path check done here instead of via the rp_filter sysctl (see Kernel config below)
-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN
-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN
# Internet -> LXC (srv02 has no default route to the internet for br-client)
-A RPFILTER -i br-client -d 10.181.0.0/18 -j RETURN
-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP
-A PREROUTING -j RPFILTER
COMMIT
IPv6
/etc/iptables/rules.v6:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# mesh-side interfaces never talk to the host itself; "+" is the iptables suffix wildcard ("*" would be matched literally)
-A INPUT -i mesh-vpn+ -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i bat0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP
# https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
# NDP/RA only with hop limit 255, i.e. not routed (link-local origin)
-A INPUT -i br-client -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
-A INPUT -d fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -d ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 128 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -i br-client -p udp -m udp --dport 16962 -m state --state NEW -m comment --comment alfred -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 1001 -m state --state NEW -m comment --comment "respondd" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
# never reached: the preceding rule already accepts everything
-A OUTPUT -j DROP
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn+ -j DROP
-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN
-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN
# Internet -> LXC (srv02 has no default route to the internet for br-client)
-A RPFILTER -i br-client -d 2a03:2260:100b::/64 -j RETURN
-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP
-A PREROUTING -j RPFILTER
COMMIT
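Because rules.v4 and rules.v6 are hand-maintained and get rewritten by iptables-persistent, it pays to run a quick check over the file before loading it. The script below is an added example and not part of the original page or of iptables-persistent. It lints an iptables-save style file for two mistakes that are easy to make in such a ruleset: an interface wildcard written with "*" (iptables only treats a trailing "+" as a wildcard, "*" is matched literally, so "-i mesh-vpn*" never matches a fastd interface), and rules appended to a chain after an unconditional ACCEPT/DROP/REJECT in the same chain, which are dead (such as "-A OUTPUT -j DROP" following "-A OUTPUT -j ACCEPT"). The sample file it runs on is a constructed excerpt modelled on the rules above, not the real server's file; the optional iptables-restore --test call only runs where the iptables package is installed and the caller may use it.

```shell
#!/bin/sh
# Added example, not the page's own code: lint an iptables-save style rules
# file (e.g. /etc/iptables/rules.v4) for "*" interface wildcards and for rules
# that sit behind an unconditional terminating rule in the same chain.
# Usage: lint_rules /etc/iptables/rules.v4

lint_rules() {
    awk '
    # a "*table" line starts a new table; chain state does not carry over
    /^\*/ { table = substr($1, 2); for (k in done) delete done[k]; next }
    /^#/ || /^$/ || /^:/ || /^COMMIT/ { next }
    $1 == "-A" {
        chain = $2
        # 1. "*" is not a wildcard for -i/-o; iptables uses a trailing "+"
        for (i = 3; i < NF; i++) {
            if (($i == "-i" || $i == "-o") && $(i + 1) ~ /\*$/) {
                base = substr($(i + 1), 1, length($(i + 1)) - 1)
                printf "WILDCARD    %s/%s line %d: %s %s (use %s+)\n", table, chain, NR, $i, $(i + 1), base
            }
        }
        # 2. anything appended after an unconditional ACCEPT/DROP/REJECT is dead
        if (chain in done) {
            printf "UNREACHABLE %s/%s line %d: %s\n", table, chain, NR, $0
            next
        }
        if (NF == 4 && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            done[chain] = 1
    }' "$1"
}

# number of findings; usable as an exit status in a deploy script
lint_count() {
    lint_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the page's rules.v6 (an excerpt, not the real file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed excerpt
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT ! -p tcp -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i mesh-vpn+ -j DROP
COMMIT
EOF

lint_rules "$SAMPLE"

# Syntax check with the real parser where it is available; --test parses the
# file without committing it to the kernel.
if command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test < "$SAMPLE" 2>/dev/null \
        && echo "iptables-restore --test: syntax OK" \
        || echo "iptables-restore --test: failed or not permitted"
fi
```

On the sample the linter reports the "mesh-vpn*" rule in filter/INPUT and the dead "-A OUTPUT -j DROP"; the "mesh-vpn+" rule in the raw table is correct and produces nothing. Note that the linter only recognises a terminating rule of the exact form "-A CHAIN -j TARGET"; a rule with extra matches is conditional and does not end the chain.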
Kernel config
We do reverse-path filtering in iptables instead of via the kernel's rp_filter sysctl, because that gives us more flexibility (the exceptions for the LXC prefixes above, for instance). Note that with rp_filter switched off, the RPFILTER chain in the raw table is the only source-address check on this host: if the "-A PREROUTING -j RPFILTER" jump is missing, there is none.
/etc/sysctl.conf:
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
# the kernel has no IPv6 rp_filter sysctl; IPv6 is covered by the RPFILTER chain in rules.v6
#net.ipv6.conf.default.rp_filter=0
#net.ipv6.conf.all.rp_filter=0