Freifunk Gera-Greiz

iptables Firewall

Beispiel einer einfache Firewall fuer den Mesh-Server.

Warnung: Die Firewall ist alles andere als optimal oder perfekt! Bei einen Update des Paketes iptables-presistent werden die Regeln erneut eingelesen wodurch z.B. die Kommentare raus fliegen!

Konfiguration

IPv4

/etc/iptables/rules.v4:

#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i bat0 -j DROP
-A INPUT -i eth1 -j DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 68 -m comment --comment "dhcp-client" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 32 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate NEW -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 50 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 137,138 -j DROP
-A INPUT -i eth0 -p igmp -j ACCEPT


-A INPUT -i br-client -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m comment --comment "dns local" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT

-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT

-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT

#DHCP-Server
#DHCPDISCOVER
-A INPUT -i br-client -p udp --sport 68 --dport 67 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
# eigenes empfangen
-A INPUT -i br-client -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT
#DHCPREQUEST
-A INPUT -i br-client -p udp --dport 67 -j ACCEPT
-A INPUT -i br-client -p udp --sport 68 --dport 67 -d 255.255.255.255 -j ACCEPT


-A INPUT -i br-client -m pkttype --pkt-type multicast -j DROP
-A INPUT -i br-client -m pkttype --pkt-type broadcast -j DROP
-A INPUT -i br-anycast -j DROP
-A INPUT -p tcp -m hashlimit --hashlimit-above 10/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name log_level --hashlimit-htable-expire 3600000 -j LOG
-A INPUT ! -p tcp -j LOG
-A INPUT -p tcp -m state --state NEW -m limit --limit 1/sec --limit-burst 10 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP

-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn* -j DROP

-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN

-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN

# Internet -> LXC (srv02 hat keine default-route ins internet fuer br-client)
-A RPFILTER -i br-client -d 10.181.0.0/18 -j RETURN

-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP

-A PREROUTING -j RPFILTER
COMMIT

IPv6

/etc/iptables/rules.v6:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i mesh-vpn* -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i bat0 -j DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name global_cn_limit --hashlimit-htable-expire 3600000 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP
-A INPUT -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 128 --connlimit-saddr -j DROP

# https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
-A INPUT -i br-client -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i br-client -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

-A INPUT -i eth0 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

-A INPUT -d fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -s ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT
-A INPUT -d ff00::/8 -i br-client -p ipv6-icmp -j ACCEPT


-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m connlimit --connlimit-upto 10 --connlimit-mask 128 --connlimit-saddr -m limit --limit 1/sec --limit-burst 20 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment webserver -j ACCEPT

-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -i br-client -p udp -m udp --dport 16962 -m state --state NEW -m comment --comment alfred -j ACCEPT
-A INPUT -i br-client -p tcp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m conntrack --ctstate NEW --dport 5201 -m comment --comment "iperf3" -j ACCEPT
-A INPUT -i br-client -p udp -m multiport --dports 1001 -m state --state NEW -m comment --comment "respondd" -j ACCEPT
-A INPUT -i br-client -p udp --dport 123 -m conntrack --ctstate NEW -m comment --comment "ntp-server" -j ACCEPT
-A INPUT -i br-client -p udp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT
-A INPUT -i br-client -p tcp --dport 53 -m conntrack --ctstate NEW -m comment --comment "dns-server" -j ACCEPT

-A INPUT -i br-client -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT
-A INPUT -i br-client -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m comment --comment "samba" -j ACCEPT

-A INPUT -i br-client -p tcp -m multiport --dports 20,21 -m conntrack --ctstate NEW -m comment --comment "ftp" -j ACCEPT

-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i br-client -o br-client -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
COMMIT


*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -i bat0 -j DROP
-A PREROUTING -i mesh-vpn* -j DROP

-A RPFILTER -m rpfilter -j RETURN
-A RPFILTER -m rpfilter --validmark -j RETURN
-A RPFILTER -m rpfilter --accept-local -j RETURN

-A RPFILTER -m pkttype --pkt-type broadcast -j RETURN
-A RPFILTER -m pkttype --pkt-type multicast -j RETURN

# Internet -> LXC (srv02 hat keine default-route ins internet fuer br-client)
-A RPFILTER -i br-client -d 2a03:2260:100b::/64 -j RETURN

-A RPFILTER -m limit --limit 60/minute --limit-burst 5 -j LOG --log-prefix "RPF: "
-A RPFILTER -j DROP

-A PREROUTING -j RPFILTER
COMMIT

Kernel-Config

Reverse-Path-Filter erledigen wir in iptables damit wir flexibler sind.

/etc/sysctl.conf:

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
#net.ipv6.conf.default.rp_filter=0
#net.ipv6.conf.all.rp_filter=0

Befehle

{{{ sudo apt-get install iptables-presistent sudo iptables-apply /etc/iptables/rules.v4 sudo ip6tables-apply /etc/iptables/rules.v6 }}}
Details
Kategorie: Server

<name>space
geschlossen seit 01.05.2024 22:14 Uhr

Weitere Informationen

Veranstaltungen / Ereignisse

08 Mai 2024
18:00 - 22:00
namespace geöffnet
17 Mai 2024
15:00 - 18:00
Repaircafé on Tour