Page 1 of 1

iptables firewall

Posted: 2020/12/29 17:54:42
by wp.rauchholz
Not sure I am asking too much now...
Attached is the script of the firewall I am using on my home server which is modem/router and serves the LAN.
Wanted to get an expert opinion whether this is good enough of a firewall.

Code: Select all

#!/bin/sh
#
###############################################################
### Define interfaces here
SERVER_IP=10.5.2.1
EXT_DEV=ppp0
INT_DEV=enp3s0
INT_NET=10.5.2.0/24
VPN_NET=10.37.76.0/24

### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

### Set the default policies to drop
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

### Loopback device OK
iptables -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

### Allow all ICMP Traffic (optional) - IN, OUT and THROUGH.
iptables -A INPUT   -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

### Allow all Internal traffic to Server
iptables -A INPUT  -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

### Allow traic for nextcloud/collabora
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### Enable Logging
#iptables -N LOGGING
#iptables -A INPUT -j LOGGING
#iptables -A OUTPUT -j LOGGING
#iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
#iptables -A LOGGING -j DROP

###############################################################
### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT  -o $EXT_DEV -j ACCEPT
iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

###############################################################
### MASQUERADING: All packets from the internal network will appear as if they had originated from the firewall.
iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j MASQUERADE

###############################################################
### INBOUND Rule: Allow ALL EXT packets if a connection already exists (See "NEW" Inbound Rules)
iptables -A INPUT   -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT

###############################################################
### Stop attacks
# Stop smurf attacks
iptables -A INPUT -i $EXT_DEV -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -i $EXT_DEV -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i $EXT_DEV -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# Drop all invalid packets
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -i $EXT_DEV -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans, anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT   -i $EXT_DEV -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -i $EXT_DEV -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT   -i $EXT_DEV -m recent --name portscan --remove
iptables -A FORWARD -i $EXT_DEV -m recent --name portscan --remove

# Prevent external packets from using loopback addr
iptables -A INPUT   -i $EXT_DEV -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i $EXT_DEV -s 127.0.0.0/8 -j DROP
iptables -A INPUT   -i $EXT_DEV -d 127.0.0.0/8 -j DROP
iptables -A FORWARD -i $EXT_DEV -d 127.0.0.0/8 -j DROP

##############################################################
# OPENVPN config
# Allow udp connection on the openvpn port. 
iptables -A INPUT -i $EXT_DEV -m state --state NEW -p udp --dport 1194 -j ACCEPT
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_DEV -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT VPN client traffic to the Internet. Change IP address mask according to info of tun0
iptables -t nat -A POSTROUTING -s $VPN_NET -o $EXT_DEV -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT

##############################################################
### INBOUND Rules: Allow ONLY NEW packets on these ports.
# New INBOUND Connection: nsupdate to bind
iptables -A INPUT -i $INT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 53 -j ACCEPT

# New INBOUND Connection: Secure Shell
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 4381 -j ACCEPT

# New INBOUND Connection: SMTP and SMTPS (over TLS/SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25  -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT

# New INBOUND Connection: HTTP (Plain and SSL)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80  -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT

# New INBOUND Connection: IMAP Email Clients (over SSL and non-encrypted)
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 143 -j ACCEPT

# Submission
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 587 -j ACCEPT

# New INBOUND Connection: NTP server
iptables -I INPUT -i $EXT_DEV -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT

# New INBOUND Connection: Emby server
iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 8920 -j ACCEPT  

##############################################################
# Squid Transparent Proxy: Enable rule for transparent proxy redirection
# Redirect all WWW (port 80) OUTBOUNT packets to the Squid Server on port 3128
#iptables -t nat -A PREROUTING -i $INT_DEV -s $INT_NET -p tcp --dport 80  -j REDIRECT --to-port 3128
#iptables -I INPUT              -i $INT_DEV -s $INT_NET -p tcp --dport 3128 -j ACCEPT
#iptables -I INPUT              -i $INT_DEV -s $INT_NET -p tcp --dport 3129 -j ACCEPT

# list all Safe_ports (and common ports) that Squid allows, and block them if they came directly from any of the internal workstations.
#iptables -I FORWARD -o ppp0 -s 10.5.2.0/24 -p tcp -m multiport --dports 21,23,70,80,280,443,488,563,591,777,1900,4381,8080,8096,8920 -j DROP
Thanks.

Wolfgang