Copyright (C) 2008-2021 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Because of the complexity of my network configuration, I decided to write my own firewall script. Here it is.
Don't forget to make it executable... ;-)
If you want to use this solution you need the following howto(s) finished:
emerge net-firewall/iptables
emerge sys-apps/iproute2
File: /etc/local.d/01_services.start
Changed on: 06.10.08
Owner: root
Group: root
Permissions: -rwxr-xr-x
Starting the firewall after system boot.

/usr/local/sbin/fire.sh
File: /etc/sysctl.conf
Changed on: 06.09.08
Owner: root
Group: root
Permissions: -rw-r--r--
This allows kernel routing.

Before change:
#net.ipv4.ip_forward = 0

After change:
net.ipv4.ip_forward = 1
# IP spoofing protection
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
File: /etc/sysctl.d/gabosh.conf
Changed on: 06.09.08
Owner: root
Group: root
Permissions: -rw-r--r--
This ignores IPv4 ICMP broadcasts.

net.ipv4.icmp_echo_ignore_broadcasts = 1
File: /usr/local/sbin/fireoff.sh
Changed on: 10.06.09
Owner: root
Group: root
Permissions: -rwx------
With this script you can deactivate everything you configured with the fire.sh script. This can be helpful if you want to test something without a firewall.

#!/bin/bash
# deactivate antispoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 0 > $f
done
# deactivate antispoofing logging
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 0 > $f
done
# allow ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 1 > $f
done
# allow source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 1 > $f
done
# receive ICMP broadcast echos
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# don't ignore bogus ICMP error responses
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
# reset/allow everything
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -F
ip6tables -X
# keep masquerading so the LAN still reaches the Internet without the firewall
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
File: /usr/local/sbin/fire.sh
Changed on: 21.04.12
Owner: root
Group: root
Permissions: -rwxr-xr-x
This is my firewall script.
#!/bin/bash
# Stop fail2ban first: it inserts its own iptables rules, which the flush below would remove.
/etc/init.d/fail2ban stop >/dev/null 2>&1
/etc/init.d/fail2ban zap >/dev/null 2>&1
sleep 2
while ps ax | grep -v grep | grep -q fail2ban
do
  echo -n "."
  kill -9 $(pidof /usr/bin/python3.9 /usr/bin/fail2ban-server)
  sleep 1
done

### CONFIGURATION ###
WANIF="eth1"
WANUDP="123 514"   # (currently not referenced by any rule below)

# Internet Interface
INETIF="ppp0"
# Opened INET Ports TCP/UDP
# ssh, smtp, http, https, smtps, smtp/submission, rsync, imaps, pop3s, turn/stun, xmpp, xmpp, ssh-tunnel
INETTCP="22 25 28 80 443 465 587 873 993 995 3478 5222 5269 8081"
# syslog, turn/stun
INETUDP="514 3478"
# Portforwarding(s) for connections from INET devices:
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed networks too (but only for the destination port/IP)
#INETPORTFW="0.0.0.0/0:82:192.168.178.1:80:tcp"
INETPORTFW=""
#INETPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
# Here you can enter trusted IPs or whole networks that are routed completely
#INETROUTED=""
# Deny (untrusted) MACs for ROUTING/FORWARDING to the Internet
# EPSON printer
NOINETMACS="XX:XX:XX:XX:XX:XX"
# Here you can add domains in the Internet that must not be routed
NOINETDOMAINS=""
# Disallow Internet DNS requests
NOINETDNS="no"
# Block IPs coming from the Internet (currently not referenced by any rule below)
BLOCKINETIPS="XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/16 XXX.XXX.XXX.XXX/16 XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX"
# LAN Interface
LANIF="eth0"
# Opened LAN Ports TCP/UDP
# ssh-sftp, nfs, ldap, ipp-cups, ldaps, hugo-blog, nfs, nfs, pulseaudio, drbd, drbd
LANTCP="$INETTCP 24 111 222 389 587 631 636 1313 2049 3000 3128 32765:32768 4713 5901 7788 7789 7790 10102 5950"
# dns, tftp, ntp, nfs-rpc, syslog, ipp-cups, nfs, squid, asterisk, asterisk, nfs
LANUDP="$INETUDP 53 69 123 111 514 631 2049 5000:5040 5060 32765:32768"
# Portforwarding(s):
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed networks too (but only for the destination port/IP)
LANPORTFW=""
#LANPORTFW="0.0.0.0/0:10102:127.0.0.1:10102:tcp"
#LANPORTFW="0.0.0.0/0:5901:my.lan.ip.addr:5900:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
# WLAN Interface
WLANIF="wlan0"
WLANTCP="$LANTCP"
WLANUDP="$LANUDP"
# Portforwarding(s):
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed networks too (but only for the destination port/IP)
WLANPORTFW=""
#WLANPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
VNETIF="vnet0"
VNETTCP="$LANTCP"
VNETUDP="$LANUDP"
DOCKERIF="docker0"
DOCKERTCP=""
DOCKERUDP=""
# Optional SIP GW for incoming calls
#SIPGWS="SIP-PROVIDER-HOSTNAME"
RTPRANGE="5000:5040"   # (currently not referenced by any rule below)
### CONFIGURATION END ###

### Some kernel parameters ###
# Antispoofing
for FILTER in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $FILTER
done
# Antispoofing logging
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
#  echo 1 > $f
#done
# Deny ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > $f
done
# Deny source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > $f
done
# Ignore ICMP broadcast echos
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore bogus ICMP errors
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable WLAN power saving
iw dev $WLANIF set power_save off
# Activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward

### prepare iptables - Reset/Deny all ###
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Drop all zeroconf IPs
iptables -A INPUT -s XXX.XXX.XXX.XXX/16 -j DROP
iptables -A FORWARD -s XXX.XXX.XXX.XXX/16 -j DROP
# No Internet DNS
if echo $NOINETDNS | grep -q yes
then
  iptables -A FORWARD -p udp -o $INETIF --dport 53 -j DROP
  iptables -A FORWARD -p tcp -o $INETIF --dport 53 -j DROP
fi
# Drop reset packets
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

### Routing the IPv4 networks ###
# Masquerade routing into the Internet
iptables -t nat -A POSTROUTING -o $INETIF -j MASQUERADE
# MACs not to be routed to the Internet. These DROP rules must come before the
# per-interface ACCEPT rules below, otherwise the ACCEPT matches first and the
# MAC block never takes effect.
for NOINETMAC in $NOINETMACS
do
  iptables -A FORWARD -m mac --mac-source $NOINETMAC -o $INETIF -j DROP
done
# Block some domains from being routed to the Internet (matches the HTTP Host header,
# so it must also come before the ESTABLISHED,RELATED ACCEPT rule)
for NOINETDOMAIN in $NOINETDOMAINS
do
  iptables -A FORWARD -m string --string "Host: $NOINETDOMAIN" --algo bm -o $INETIF -j REJECT
done
# DOCKER will be routed everywhere
iptables -A FORWARD -i $DOCKERIF -m conntrack --ctstate NEW -j ACCEPT
# LAN will be routed everywhere
iptables -A FORWARD -i $LANIF -m conntrack --ctstate NEW -j ACCEPT
# VNET will be routed everywhere
iptables -A FORWARD -i $VNETIF -m conntrack --ctstate NEW -j ACCEPT
# WLAN will be routed everywhere
iptables -A FORWARD -i $WLANIF -m conntrack --ctstate NEW -j ACCEPT
# Allow all already opened routed connections. This does not allow incoming/new connections
# to be routed. The connection has to be opened in the LAN or on a trusted/routed host.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# If you are using this node as a NAT router, the systems behind it have no way to know the
# real MTU of the PPPoE interface. Therefore they will try to use packets bigger than the
# maximum allowed, which will be dropped without warning by routers.
# The solution, unless you want to configure all your devices with a reduced MTU, is to
# instruct the routing host to intercept all TCP handshake packets and correct in flight
# the wrong MSS value requested by internal hosts.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Allow trusted hosts/networks from the Internet to open new routed connections
for INETNETIP in $INETROUTED
do
  iptables -A FORWARD -i $INETIF -s $INETNETIP -m conntrack --ctstate NEW -j ACCEPT
done

### Portforwarding ###
# add_portforwards INTERFACE "SRCIP:SRCPORT:DSTIP:DSTPORT:PROT ..."
# Adds the DNAT rule and the matching FORWARD rule for every entry in the list.
add_portforwards() {
  PFWIF="$1"
  for PFW in $2
  do
    # Get DATA
    SRCIP=`echo "$PFW" | cut -d':' -f 1`
    SRCPORT=`echo "$PFW" | cut -d':' -f 2`
    DSTIP=`echo "$PFW" | cut -d':' -f 3`
    DSTPORT=`echo "$PFW" | cut -d':' -f 4`
    PROT=`echo "$PFW" | cut -d':' -f 5`
    # Rule for portforwarding
    iptables -t nat -A PREROUTING -s $SRCIP -p $PROT -i $PFWIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
    # Allow forwarding
    iptables -A FORWARD -s $SRCIP -p $PROT -i $PFWIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
  done
}
# Portforwarding for INET
add_portforwards $INETIF "$INETPORTFW"
# Portforwarding for LAN
add_portforwards $LANIF "$LANPORTFW"
# Portforwarding for WLAN
add_portforwards $WLANIF "$WLANPORTFW"
# Last forward rule is for logging. The policy is DROP, so all traffic reaching this rule is dropped.
iptables -A FORWARD -j LOG --log-prefix "fire.sh: FORWARD4 DROP: "

### Outgoing traffic from the server ###
# Allow all outgoing connections with valid state
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED,NEW -j ACCEPT
# Allow pong from ipv6ping
# Last output rule is for logging. The policy is DROP, so all traffic reaching this rule is dropped.
iptables -A OUTPUT -j LOG --log-prefix "fire.sh: OUTPUT4 DROP: "

### Incoming traffic into the server ###
# Keep established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow all incoming connections from localhost
iptables -A INPUT -i lo -j ACCEPT
# Open ports TCP/UDP
# Create chains, one per interface
iptables -N gabosh-inet
iptables -N gabosh-wan
iptables -N gabosh-lan
iptables -N gabosh-wlan
iptables -N gabosh-vnet
iptables -N gabosh-docker
# Dispatch INPUT by interface into the chains
iptables -A INPUT -i $INETIF -j gabosh-inet
iptables -A INPUT -i $WANIF -j gabosh-wan
iptables -A INPUT -i $LANIF -j gabosh-lan
iptables -A INPUT -i $WLANIF -j gabosh-wlan
iptables -A INPUT -i $VNETIF -j gabosh-vnet
iptables -A INPUT -i $DOCKERIF -j gabosh-docker
# open_ports CHAIN PROTOCOL "PORT PORT ..."
# Accepts new connections to every listed port (single port or range) in the chain.
open_ports() {
  for PORT in $3
  do
    iptables -A $1 -p $2 --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
  done
}
open_ports gabosh-inet udp "$INETUDP"
open_ports gabosh-inet tcp "$INETTCP"
open_ports gabosh-lan tcp "$LANTCP"
open_ports gabosh-lan udp "$LANUDP"
open_ports gabosh-wlan tcp "$WLANTCP"
open_ports gabosh-wlan udp "$WLANUDP"
open_ports gabosh-vnet tcp "$VNETTCP"
open_ports gabosh-vnet udp "$VNETUDP"
open_ports gabosh-docker tcp "$DOCKERTCP"
open_ports gabosh-docker udp "$DOCKERUDP"
# Allow ping from the internal networks (not from the Internet)
iptables -A gabosh-lan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-vnet -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-wlan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-docker -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A gabosh-inet -p icmp --icmp-type echo-request -j ACCEPT
# Last input rule is for logging. The policy is DROP, so all traffic reaching this rule is dropped.
iptables -A INPUT -j LOG --log-prefix "fire.sh: INPUT4 DROP: "
# Restart fail2ban to restore its iptables rules
#/etc/init.d/fail2ban start >/dev/null 2>&1
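The port-forwarding lists above (INETPORTFW, LANPORTFW, WLANPORTFW) are split with cut and passed straight to iptables, so a malformed entry silently becomes a broken DNAT rule. The following is an added example, not part of fire.sh, that parses one entry in the same SourceIP:SourcePort:DestinationIP:DestinationPort:Protocol format, validates every field, and prints the two rules fire.sh would add for the interface given as first argument instead of executing them; the function names and the sample entries are mine.

```shell
#!/bin/sh
# Added example (not from fire.sh): dry-run parser for one port-forwarding entry
#   SourceIP:SourcePort:DestinationIP:DestinationPort:Protocol
# Prints the DNAT and FORWARD rules for interface $1 instead of running iptables,
# and rejects entries with a wrong field count, empty address, bad port or a
# protocol other than tcp/udp (fire.sh itself performs no such checks).

is_port() {
    # unsigned integer in 1..65535; ranges cannot occur in this colon-separated format
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

pfw_rules() {
    IFACE="$1"
    PFW="$2"
    # exactly five colon-separated fields (awk counts an empty trailing field too)
    NFIELDS=$(printf '%s\n' "$PFW" | awk -F: '{print NF}')
    if [ "$NFIELDS" -ne 5 ]; then
        echo "rejected (need 5 fields): $PFW" >&2
        return 1
    fi
    SRCIP=$(echo "$PFW" | cut -d':' -f 1)
    SRCPORT=$(echo "$PFW" | cut -d':' -f 2)
    DSTIP=$(echo "$PFW" | cut -d':' -f 3)
    DSTPORT=$(echo "$PFW" | cut -d':' -f 4)
    PROT=$(echo "$PFW" | cut -d':' -f 5)
    if [ -z "$SRCIP" ] || [ -z "$DSTIP" ] || ! is_port "$SRCPORT" || ! is_port "$DSTPORT"; then
        echo "rejected (empty address or bad port): $PFW" >&2
        return 1
    fi
    case "$PROT" in
        tcp|udp) ;;
        *) echo "rejected (protocol must be tcp or udp): $PFW" >&2; return 1 ;;
    esac
    # the same two rules fire.sh appends, printed rather than applied
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to %s:%s\n' \
        "$IFACE" "$SRCIP" "$PROT" "$SRCPORT" "$DSTIP" "$DSTPORT"
    printf 'iptables -A FORWARD -i %s -s %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IFACE" "$SRCIP" "$PROT" "$DSTIP" "$DSTPORT"
}

# constructed sample entries: the commented example from fire.sh, then one with a missing field
pfw_rules ppp0 "0.0.0.0/0:82:192.168.178.1:80:tcp"
pfw_rules ppp0 "0.0.0.0/0:82:192.168.178.1:80" || echo "(rejected as expected)"
```

Running it over a whole list is a matter of `for PFW in $INETPORTFW; do pfw_rules "$INETIF" "$PFW" || exit 1; done` before fire.sh applies anything.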
Please send feedback to: doc<at>gabosh.net