Page 2 of 2 (results 11 to 13 of 13)

Thread: Port Forwarding (iptables)

  1. #11
    Join Date
    Dec 2004
    Location
    Waterford, MI
    Beans
    1,042
    Distro
    Kubuntu

    Re: Port Forwarding (iptables)

    Okay, this is strange. Today it is working. I haven't changed anything since the last time I tried it. I am using the 3G on my phone to SSH into my home network (with WIFI disabled) and now that I'm in a different physical location, it's working. Perhaps there is something with the cell tower in my neighborhood.

    That said, the reason I opened this thread is solved and I appreciate the input. However, I am curious if there is an easy way to lock down the firewall without losing the remote access functionality. Do I just remove the ACCEPT lines?

  2. #12
    Join Date
    Nov 2009
    Location
    Catalunya, Spain
    Beans
    14,560
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Port Forwarding (iptables)

    Look at your *filter policy settings. As soon as you have INPUT ACCEPT, anyone is accepted into your gateway (because the INPUT is only for local traffic entering the gateway/server itself, not the traffic forwarded (passing) through it).

    Locking the server and leaving http and https (80 and 443) accepted, and also 65001 for ssh, would be like:
    Code:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    COMMIT
    Those would be the basics that block any traffic in INPUT and FORWARD by policy, letting in only what you specify with rules. The first basic rules are to let back in all established and related traffic, so your gateway and clients can communicate.

    When you say you want 80 and 443 let in, do you run services on a server on your LAN? Otherwise, your clients will be able to browse just fine, you don't need to open 80 and 443 for incoming traffic. Your clients make outgoing traffic, and that will be let in by the established,related rule.

    If you are running web services you need to allow the ports and also forward them to the correct web server private IP on your LAN (in the *nat section):
    -A FORWARD -i eth0 -p tcp -m multiport --dports 80,443,65001 -j ACCEPT

    That should let in ports 80,443 and 65001. I hope I used the multiport syntax correctly.

    If you are only interested in ports 80 and 443 so that your home machines can browse, you will have to allow the forward traffic in the other direction (inside to outside), something like:
    -A FORWARD -i eth1 -s 172.16.254.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT

    One option, as a temporary solution, is to have the forward policy to ACCEPT, check that everything is working fine, and then change it to DROP and start adding rules until everything works as you want to. In your rules design, just follow the traffic flow.

    If you set forward and output to ACCEPT, you don't need to do much except make the DNAT rule for the ssh port. And DNAT rules for http and https if you are running a webserver at home. All the other traffic will be accepted by the forward ACCEPT policy anyway.

    But as soon as you set forward to DROP, you have to be ready and prepare rules for all traffic your home machines might need, that was previously accepted by the ACCEPT policy. But that shouldn't be too hard. It might be trial and error a bit, until you get it right.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 18.04 LTS 64bit

  3. #13
    Join Date
    Dec 2004
    Location
    Waterford, MI
    Beans
    1,042
    Distro
    Kubuntu

    Re: Port Forwarding (iptables)

    Quote Originally Posted by darkod (post #12 above, quoted in full)
    I just wanted to say, thank you VERY MUCH for your help. By using your guidance as a base, I was able to create a script that sets up all my rules, with security in mind. I checked my new policy against Shields Up and all ports don't respond to outside pings, but my internal SSH and web traffic seems to work fine. I am sure there will be more ports that I will have to open as I go, but after four hours of intense trial and error testing all my network stuff, the script below is what I ended up with (hopefully it will help someone else):

    Code:
    #!/bin/bash
    # init
    
    ## Flush current configuration:
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    
    ## Delete current chains:
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X
    
    ## Set policy (flushing does not reset chain policies, so set them
    ## explicitly; without these lines the rest only works if the policies
    ## were already DROP from an earlier configuration)
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    ## Always allow loopback and replies to connections the gateway or LAN initiated
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ## Allow routing between eth0 (WAN) and eth1 (LAN); net.ipv4.ip_forward=1
    ## is assumed to be enabled elsewhere
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth1 -j ACCEPT
    
    ## Allow internal SSH:
    iptables -A INPUT -s 172.16.254.0/24 -m state --state NEW -p tcp -m multiport --dports 65001,65010 -j ACCEPT
    
    ## Allow external SSH:
    iptables -A INPUT -p tcp -m multiport --dports 65001,65010 -j ACCEPT
    
    ## Allow port forwarding for SSH:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 65001 -j DNAT --to-destination 172.16.254.1
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 65010 -j DNAT --to-destination 172.16.254.10
    ## A DNATed packet is routed through FORWARD, not INPUT, so with the
    ## FORWARD policy at DROP it needs its own accept rule:
    iptables -A FORWARD -i eth0 -d 172.16.254.0/24 -p tcp -m multiport --dports 65001,65010 -m state --state NEW -j ACCEPT
    
    ## Required for internal host name resolution to function:
    iptables -I INPUT -s 172.16.254.0/24 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -s 172.16.254.0/24 -p tcp --dport 53 -j ACCEPT
    
    ## Required for Samba to function:
    iptables -A INPUT -s 172.16.254.0/24 -m state --state NEW -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT
    
    iptables-save > /etc/iptables.rules
    Now I'm on my way to begin learning iptables!
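The following is an added example written for this page; it is not code from the thread or from either poster. It ties together darkod's ruleset design in post #12 (DROP policies, loopback and ESTABLISHED,RELATED first, then only the ports you name) and the script in post #13, and generates the whole thing in the iptables-restore format darkod showed, including the two pieces that are easy to forget: explicit chain policies, and a FORWARD accept for every DNATed port. All values are constructed assumptions that mirror the thread's topology: eth0 is the WAN side, eth1 the LAN side on 172.16.254.0/24, the gateway's own sshd is assumed to listen on TCP 65001, and external TCP 65010 is forwarded to 172.16.254.10 as in the poster's script. Each one is an environment variable so it can be overridden without editing the file.

```shell
#!/bin/sh
# Added example (not from the thread): emit a complete iptables-restore ruleset
# for a two-interface home gateway. Assumed topology: eth0 = WAN, eth1 = LAN
# 172.16.254.0/24; sshd on the gateway itself listens on 65001 (assumption);
# external 65010 is DNATed to 172.16.254.10 (as in post #13). Override any of
# these with environment variables.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-172.16.254.0/24}"
WAN_TCP="${WAN_TCP:-65001}"              # gateway services reachable from the internet
LAN_TCP="${LAN_TCP:-53,139,445}"         # gateway services reachable from the LAN only
LAN_UDP="${LAN_UDP:-53}"
# Port forwards as "extport:lan_ip:lanport" items, space separated
DNAT_MAP="${DNAT_MAP:-65010:172.16.254.10:65010}"

# Print the ruleset on stdout in iptables-restore format (*nat then *filter).
gen_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for m in $DNAT_MAP; do
        ext=${m%%:*}; rest=${m#*:}; ip=${rest%%:*}; int=${rest#*:}
        echo "-A PREROUTING -i $WAN_IF -p tcp --dport $ext -j DNAT --to-destination $ip:$int"
    done
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'        # the gateway itself: deny by default
    echo ':FORWARD DROP [0:0]'      # traffic routed through it: deny by default
    echo ':OUTPUT ACCEPT [0:0]'
    # What the gateway itself accepts: loopback, replies, then named ports
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports $LAN_UDP -j ACCEPT"
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports $LAN_TCP -m state --state NEW -j ACCEPT"
    echo "-A INPUT -i $WAN_IF -p tcp -m multiport --dports $WAN_TCP -m state --state NEW -j ACCEPT"
    # What is routed through the gateway: replies, LAN -> internet, each DNAT target
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    for m in $DNAT_MAP; do
        rest=${m#*:}; ip=${rest%%:*}; int=${rest#*:}
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $ip -p tcp --dport $int -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Static check: after DNAT the packet goes through FORWARD, not INPUT, so every
# -j DNAT line needs a matching WAN->LAN FORWARD accept or the DROP policy
# silently kills the forwarded connection. Returns 0 when the counts agree.
check_dnat_forward() {
    rules=$(gen_rules)
    dnat=$(printf '%s\n' "$rules" | grep -c -- '-j DNAT' || true)
    fwd=$(printf '%s\n' "$rules" | grep -c -- "^-A FORWARD -i $WAN_IF -o $LAN_IF " || true)
    [ "$dnat" -eq "$fwd" ]
}

# Parse-check with iptables-restore --test, then apply (root only).
load_rules() {
    check_dnat_forward
    gen_rules | iptables-restore --test
    sysctl -q -w net.ipv4.ip_forward=1
    gen_rules | iptables-restore
}

case "${1:-print}" in
    print) gen_rules ;;
    check) check_dnat_forward && echo "ok" ;;
    load)  load_rules ;;
esac
```

Run it with no argument to see the ruleset, `check` to verify that every forward has its FORWARD rule, or `load` as root to apply it; `gen_rules > /etc/iptables.rules` produces the same file the poster's script saves with iptables-save. The rules use `-m state` to match the thread; `-m conntrack --ctstate` is the newer equivalent. The extra `INVALID -j DROP` line discards packets conntrack cannot associate with any connection before the port rules are consulted.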
