Look at your *filter policy settings. As soon as you have INPUT ACCEPT, anyone is accepted into your gateway (because INPUT is only for local traffic entering the gateway/server itself, not the traffic forwarded (passing) through it).
Locking the server and leaving http and https (80 and 443) accepted, and also 65001 for ssh, would be like:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
That would be the basic that blocks any traffic in INPUT and FORWARD by policy, letting in only what you specify with rules. The first basic rules are to let in back all established and related traffic, so your gateway and clients can communicate.
When you say you want 80 and 443 let in, do you run services on a server on your LAN? Otherwise, your clients will be able to browse just fine; you don't need to open 80 and 443 for incoming traffic. Your clients make outgoing traffic, and that will be let in by the established,related rule.
If you are running web services you need to allow the ports and also forward them to the correct web server private IP on your LAN (in the *nat section):
-A FORWARD -i eth0 -p tcp -m multiport --dports 80,443,65001 -j ACCEPT
That should let in ports 80,443 and 65001. I hope I used the multiport syntax correctly.
If you are only interested in ports 80 and 443 so that your home machines can browse, you will have to allow the forward traffic in the other direction (inside to outside), something like:
-A FORWARD -i eth1 -s 172.16.254.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
One option, as a temporary solution, is to have the forward policy to ACCEPT, check that everything is working fine, and then change it to DROP and start adding rules until everything works as you want to. In your rules design, just follow the traffic flow.
If you set forward and output to ACCEPT, you don't need to do much except make the DNAT rule for the ssh port. And DNAT rules for http and https if you are running a webserver at home. All the other traffic will be accepted by the forward ACCEPT policy anyway.
But as soon as you set forward to DROP, you have to be ready and prepare rules for all traffic your home machines might need, that was previously accepted by the ACCEPT policy. But that shouldn't be too hard. It might be trial and error a bit, until you get it right.
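As an added example (not the poster's own ruleset), here is a complete iptables-restore file that assembles the pieces above into one DROP-policy gateway: DNAT in *nat, the matching FORWARD rules, and the outbound LAN rule. It assumes eth0 is the WAN side and eth1 the LAN side 172.16.254.0/24, with a constructed web server at 172.16.254.10 and a constructed ssh host at 172.16.254.20; note that FORWARD sees the destination after DNAT, so the inbound rules match the internal address and port rather than the public 65001.

```text
# iptables-restore input (added example, not the poster's ruleset).
# Assumptions: eth0 = WAN, eth1 = LAN 172.16.254.0/24,
# web server 172.16.254.10, ssh host 172.16.254.20 (constructed addresses).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Public port 65001 -> sshd on port 22 of the internal host
-A PREROUTING -i eth0 -p tcp --dport 65001 -j DNAT --to-destination 172.16.254.20:22
# Public 80/443 -> internal web server (ports unchanged)
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 172.16.254.10
# Hide LAN addresses behind the gateway's WAN address for outbound traffic
-A POSTROUTING -o eth0 -s 172.16.254.0/24 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management ssh to the gateway itself only from the LAN side (assumption)
-A INPUT -i eth1 -s 172.16.254.0/24 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound: FORWARD runs after DNAT, so match the translated destination
# (internal IP and port 22), not the public port 65001
-A FORWARD -i eth0 -o eth1 -d 172.16.254.20 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 172.16.254.10 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Outbound from the LAN: web, plus the DNS lookups browsing depends on
-A FORWARD -i eth1 -o eth0 -s 172.16.254.0/24 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 172.16.254.0/24 -p udp --dport 53 -j ACCEPT
COMMIT
```

Load it with `iptables-restore < rules.v4` (and make sure net.ipv4.ip_forward=1), then watch the FORWARD chain counters with `iptables -L FORWARD -v -n` to see which rule each flow hits while you tighten things.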