Book

Calendar

May

M	T	W	T	F	S	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

SoHo - IPtables configuration example

/etc/sysconfig/iptables

# NAT
*nat

# Transparent proxying
-A PREROUTING -s 172.16.162.57 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.20.0.0/16 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -s 172.16.112.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -s 172.16.113.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -s 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 3128

# SSH hiding
-A PREROUTING -d 172.16.162.57 -p tcp --dport 13577 -j DNAT --to-destination 172.16.111.1:22

# Masquerading
-A POSTROUTING -s 10.20.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.112.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.113.0/24 -o eth0 -j MASQUERADE

COMMIT

# Filtering
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

:FWL - [0:0]
:OFL - [0:0]

-A INPUT -j FWL
-A FORWARD -j FWL
-A OUTPUT -j FWL

# Output
# Disable *.counterpath.net:13840 *.amazonaws.com:3478
#-A FWL -d 64.69.76.0/24 -j REJECT
#-A OFL -d 64.69.76.0/24 -j REJECT
#-A FWL -p udp -d 75.101.0.0/16 --dport 3478 -j REJECT
#-A OFL -p udp -d 75.101.0.0/16 --dport 3478 -j REJECT
-A OFL -j ACCEPT

# Internal clients (everything)
-A FWL -i lo -j ACCEPT
-A FWL -i eth1 -j ACCEPT
-A FWL -i vmnet1 -j ACCEPT
-A FWL -i tun+ -j ACCEPT
-A FWL -s 10.20.0.0/16 -j ACCEPT

# ICMP
-A FWL -p icmp -j ACCEPT

# VPN on non-standard port
-A FWL -p udp -d 172.16.162.57 --dport 13578 -j ACCEPT

# SSH with hiding
-A FWL -m state --state NEW -p tcp --dport 22 -d 172.16.162.57 -j REJECT
-A FWL -m state --state NEW -p tcp -m multiport --dports 22,13577 -j ACCEPT

# UDP: DNS, NTP
-A FWL -p udp -m multiport --dports 53,123 -o ! tun+ -j ACCEPT

# XDMCP
-A FWL -p udp --dport 177 -i tun+ -j ACCEPT
-A FWL -p udp --dport 177 -i ! tun+ -j REJECT

# TCP: SSH, DNS XFER, HTTP, HTTPS, LDAPS
-A FWL -m state --state NEW -m tcp -p tcp -m multiport --dports 22,53,80,443,636 -o ! tun+ -j ACCEPT
# TCP (CGP): SMTP, SMTPs, IMAPs, XMPP, XMPPs
-A FWL -m state --state NEW -m tcp -p tcp -m multiport --dports 25,465,993,5222,5223 -o ! tun+ -j ACCEPT

# FTP
-A FWL -m state --state NEW -m tcp -p tcp -m multiport --dports 20,21,11001,11002,11003,11004,11005 -j ACCEPT

# == Communigate ==
# .... CGP: SMTP, SMTPs, IMAPs, POPs, LDAPs
-A FWL -m state --state NEW -p tcp -m multiport --dports 25,465,993,995,5636 -o ! tun+ -j ACCEPT
# .... CGP: XMPP / Jabber
-A FWL -m state --state NEW -p tcp -m multiport --dports 5222,5223,5269 -o ! tun+ -j ACCEPT
# .... CGP: SIP
-A FWL -m state --state NEW -p tcp -m multiport --dports 5060,5061 -o ! tun+ -j ACCEPT
-A FWL -p udp --dport 5060 -o ! tun+ -j ACCEPT

# Remaining
-A FWL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FWL -j REJECT
COMMIT

1. We disable access via SSH port 22 from outer world and hide SSH under custom port number 13577 on the outer interface. The custom port is redirected via PREROUTING/DNAT to standard port 22 on an internal interface. Second ethernet should not beused for that as we can shutdown o reconfigure it in future. Loopback cannot be used as the kernel disabled access to loopback for packets from non-loopback interfaces for security purposes (and considers them martians. We trick kernel by creating a loopback alias above. Another solution would be to create such alias on the primary ethernet, but I not tried that yet. Accessing port 22 with outer address still for clients from within the server, while accessing 13577 does not work for them. I have not investigated this in detail, but it seems internal clients are always routed via loopback.

2. OpenVPN is accepted on a non-standard port (e.g. 13578)and only on the outer interface.

3. The lines srcip=10.20.1.1/dports(80,443,8000,8080)=MASQUERADE;other=REJECT accept from the windows host to outer world only the ports specified so that domain browsing and other specific protocols are locked inside kiosk.

4. The OFL chain is an experimental one. It was intended to improve the X-Lite behaviour, yet not reached.

Image attachments

Bookmark this post on:

Book

Tags

Calendar

May

SoHo - IPtables configuration example

Comments

Post new comment