I have an IPTables script that I wrote myself. I will paste the relevant parts of the script below:
Code:
## Default policies
#
iptables -P INPUT DROP
# Drops all but approved input
iptables -P OUTPUT ACCEPT
# See output filtering rules below
iptables -P FORWARD ACCEPT
# Forward has to be set to accept for the connections to go through to the other side to the LAN
# See forward filtering rules below
Code:
# FTP
iptables -A OUTPUT -p tcp -s 10.1.10.71 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.10.71 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.1.10.72 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.10.72 --dport 21 -j ACCEPT
# SMTP
iptables -A OUTPUT -p tcp -s 10.1.10.71 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.10.71 --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.1.10.72 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.10.72 --dport 25 -j ACCEPT
The two internal IPs having access to SMTP/FTP is intentional. No other IPs on the LAN do.
Code:
## Dropped outgoing ports
#
iptables -A OUTPUT -p tcp --dport 21 -j DROP
iptables -A OUTPUT -p tcp --dport 22 -j DROP
iptables -A OUTPUT -p tcp --dport 23 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 43 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 79 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -j DROP # HTTP
iptables -A OUTPUT -p tcp --dport 110 -j DROP
iptables -A OUTPUT -p tcp --dport 115 -j DROP
iptables -A OUTPUT -p tcp --dport 119 -j DROP
iptables -A OUTPUT -p tcp --dport 143 -j DROP
iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP # HTTPS
Code:
## Dropped forwarding ports
#
iptables -A FORWARD -p tcp --dport 21 -j DROP
iptables -A FORWARD -p tcp --dport 22 -j DROP
iptables -A FORWARD -p tcp --dport 23 -j DROP
iptables -A FORWARD -p tcp --dport 25 -j DROP
iptables -A FORWARD -p tcp --dport 43 -j DROP
iptables -A FORWARD -p tcp --dport 53 -j DROP
iptables -A FORWARD -p tcp --dport 79 -j DROP
iptables -A FORWARD -p tcp --dport 80 -j DROP # HTTP
iptables -A FORWARD -p tcp --dport 110 -j DROP
iptables -A FORWARD -p tcp --dport 115 -j DROP
iptables -A FORWARD -p tcp --dport 119 -j DROP
iptables -A FORWARD -p tcp --dport 143 -j DROP
iptables -A FORWARD -p tcp --dport 389 -j DROP
iptables -A FORWARD -p tcp --dport 443 -j DROP # HTTPS
Code:
## Allowed users
#
iptables -A INPUT -s xx.xxx.xx.xx -j ACCEPT # Allowed Person 1
iptables -A INPUT -s xx.xxx.xx.xx -j ACCEPT # Allowed Person 2
## Permanent allowed users (LAN)
#
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s localhost -j ACCEPT # resolved to 127.0.0.1 when the script loads, so this duplicates the line above
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
----------------------
The script is actually quite long, so let me know if something doesn't make sense and I'll try to check and see if I left an important chunk of it out.
The goal here is that I have the following setup:
Internet ->
Modem/Router (only one physical port enabled)->
Ubuntu x64 server with OpenVPN (eth0 in and eth1 out, configured to br0 bridge adapter in tap0) ->
Switch ->
Client machines
The idea behind the IPTables config here is to disallow any inputs at all under any circumstances from the outside unless I explicitly allow their IP, no matter what circumstances/programs. If I allow their IP, they should be able to connect to my OpenVPN (port 5556) and SSH (port 5555).
Once the connection is established, these outside systems will have access to port 80 traffic (ONLY the IPs that are reserved for the VPN, not the internal LAN clients). They need access to Windows network drives, but I don't have an explicit rule for that (it's just not blocked once the connection to the VPN is established). I have the rules written and working for that. The systems on the internal LAN, however, I really only need them to be able to use whatever port is used for Windows networked drive access/activity (which I admittedly don't know).
My main question, though, is about the FORWARD rules I have above. Does forwarding in IPTables mean forwarding from CLIENT#1 on the inside of the LAN through the Linux box into the outside world, into the Linux box from the outside world on the way to CLIENT#1, or both? Ideally, what I'm trying to do with the above script is, again, to not allow ANY traffic under any circumstance from the outside world (not even access to SSH/OpenVPN) unless I explicitly allow their IP.
Someone suggested I try the following forwarding rule instead of the one I have at the very top:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.1.10.0/24 -j ACCEPT
iptables -P FORWARD DROP # as posted this read "-P FORWARD -j REJECT", which iptables refuses: -P takes a bare target, and REJECT cannot be a chain policy (DROP is the valid equivalent)
The only problem with this rule is that when I enable it, all the internal LAN client computers have access to the ports that I blocked (like port 80 for internet access). I'm not sure why, but I suspect that it has to do with the first line about an established connection being allowed (though admittedly it doesn't make any sense in light of the fact that my original rule is merely ACCEPT).
Sorry if this seems a bit confusing, and I might already have it right, but something I read the other day kind of made me skittish about what could be a misconception about the IPTables forwarding principles.
Thanks for looking!
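The question of what FORWARD covers, and why the suggested three lines opened up port 80 for the whole LAN, comes down to two things: the FORWARD chain sees every packet routed through the box in either direction (LAN to Internet and Internet to LAN alike; packets addressed to the box itself go through INPUT instead), and a chain is evaluated top to bottom with the first matching rule deciding, the policy applying only when nothing matched. The following is an added illustration, not code from the post: a small Python model of first-match chain evaluation that replays the post's own FORWARD rules, the suggested replacement (with the invalid REJECT policy read as DROP, and assuming the existing DROP list is still appended after it, which the post implies), and a reordering that keeps the blanket LAN ACCEPT below the DROP list. The client address 10.1.10.50 and the outside addresses are constructed for the example; the conntrack state is approximated by a flag on the packet.

```python
"""Toy first-match evaluator for iptables-style FORWARD chains (added example).

It models only what the question needs: rules are tried in order, the first
match decides, and the chain policy applies when nothing matches. It is a
simulation, not iptables itself.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"  # NEW, ESTABLISHED or RELATED (stands in for conntrack)


@dataclass
class Rule:
    target: str                    # ACCEPT or DROP
    src: Optional[str] = None      # -s, a host or a CIDR block
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    states: Optional[set] = None   # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified ones match anything."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:          # top to bottom, first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy               # nothing matched: chain policy


# The DROP list and the two per-host exceptions exactly as in the post.
BLOCKED_PORTS = [21, 22, 23, 25, 43, 53, 79, 80, 110, 115, 119, 143, 389, 443]


def drop_rules():
    return [Rule("DROP", proto="tcp", dport=p) for p in BLOCKED_PORTS]


def per_host_exceptions():
    return [Rule("ACCEPT", src=h, proto="tcp", dport=p)
            for h in ("10.1.10.71", "10.1.10.72") for p in (21, 25)]


def original_forward() -> Chain:
    """The post's chain: policy ACCEPT, exceptions first, then the DROP list."""
    return Chain("ACCEPT", per_host_exceptions() + drop_rules())


def suggested_forward() -> Chain:
    """The suggestion as posted (REJECT read as DROP), DROP list appended after.
    The blanket LAN ACCEPT sits above the DROP list, so it wins for any LAN packet."""
    return Chain("DROP", [Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
                          Rule("ACCEPT", src="10.1.10.0/24")] + drop_rules())


def reordered_forward() -> Chain:
    """Same rules, but the LAN ACCEPT is consulted only after the DROP list."""
    return Chain("DROP", [Rule("ACCEPT", states={"RELATED", "ESTABLISHED"})]
                 + per_host_exceptions() + drop_rules()
                 + [Rule("ACCEPT", src="10.1.10.0/24")])


# Constructed sample packets (addresses other than 10.1.10.71/72 are made up).
LAN_WEB = Packet("10.1.10.50", "203.0.113.10", dport=80)       # LAN client -> web
LAN_OTHER = Packet("10.1.10.50", "203.0.113.10", dport=8080)   # LAN client, unblocked port
MAIL_HOST = Packet("10.1.10.71", "203.0.113.25", dport=25)     # the allowed SMTP host
INBOUND_NEW = Packet("198.51.100.7", "10.1.10.50", dport=445)  # unsolicited, from outside
INBOUND_REPLY = Packet("203.0.113.10", "10.1.10.50", dport=51000, state="ESTABLISHED")

SAMPLES = {"LAN_WEB": LAN_WEB, "LAN_OTHER": LAN_OTHER, "MAIL_HOST": MAIL_HOST,
           "INBOUND_NEW": INBOUND_NEW, "INBOUND_REPLY": INBOUND_REPLY}


def summary() -> dict:
    """Verdict of each chain variant for each sample packet."""
    chains = {"original": original_forward(), "suggested": suggested_forward(),
              "reordered": reordered_forward()}
    return {name: {pkt: chain.verdict(p) for pkt, p in SAMPLES.items()}
            for name, chain in chains.items()}


if __name__ == "__main__":
    for name, results in summary().items():
        print(name, results)
```

Two things stand out in the output. In the original chain an unsolicited packet from outside that is routed towards a LAN client is accepted by policy (nothing in the DROP list matches port 445), which is the exposure the post is worried about; in the reordered chain that packet falls through to the DROP policy while replies to LAN-initiated connections still pass via the ESTABLISHED rule. In the suggested ordering the LAN client's port 80 packet is accepted by the second rule before the DROP list is ever reached, which is exactly the behaviour the post observed. One caveat for this particular setup: with eth0 and eth1 joined in a bridge (br0), frames switched across the bridge only traverse the iptables FORWARD chain when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is set to 1; otherwise the rules above are not consulted for bridged traffic at all.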