License

Copyright (C) 2008-2017 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: Firewall for Gentoo Linux

Because of the complexity of my network configuration (2 VPNs, 3 NICs, 1 bridge, DMZ, ...), I decided to write my own firewall script. Here it is.
Don't forget to make it executable... ;-)

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-firewall/iptables
emerge sys-apps/iproute2

Changes in /etc/local.d/services.start

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /etc/local.d/services.start

Changed on 06.10.08
Issued by olli
Beginning line 1

Starting the firewall after system boot.

/usr/local/sbin/fire.sh

Changes in /etc/sysctl.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/sysctl.conf

Changed on 06.09.08
Issued by olli
Beginning line 13

This enables IP forwarding, i.e. the kernel routes packets between its interfaces. fire.sh sets the same flag at runtime; putting it in sysctl.conf makes it take effect at boot as well.


Before change
#net.ipv4.ip_forward = 0
After change
net.ipv4.ip_forward = 1

Changed on 06.09.08
Issued by olli
Beginning line 44

This makes the kernel ignore ICMP echo requests sent to broadcast addresses, so the host cannot be used as a smurf amplifier.


Before change
#net.ipv4.icmp_echo_ignore_broadcasts = 1
After change
net.ipv4.icmp_echo_ignore_broadcasts = 1
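The two sysctl.conf entries above, together with the kernel-parameter block of fire.sh further down, are only useful if they are really in effect; a PPP redial or a VPN restart creates a new interface that starts from conf/default, and a typo in the script silently sets nothing. The following check script is an added example and not part of the howto. It reads the tree under /proc/sys by default, but accepts another root directory so it can be tested against a copy; the list of expected values is taken from sysctl.conf and fire.sh as shown on this page.

```sh
#!/bin/sh
# Added example, not part of the original howto: verify that the settings
# /etc/sysctl.conf and the kernel-parameter block of fire.sh are supposed to
# establish are actually in effect. Reads from SYSCTL_ROOT (default /proc/sys);
# pass another directory to check a copy of the tree instead.

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# check_value RELATIVE_PATH WANTED -> 0 if the file holds WANTED,
# otherwise prints the mismatch and returns 1
check_value() {
    f="$SYSCTL_ROOT/$1"
    if [ ! -r "$f" ]; then
        echo "MISSING $1 (want $2)"
        return 1
    fi
    read -r v < "$f"
    if [ "$v" != "$2" ]; then
        echo "BAD     $1 = $v (want $2)"
        return 1
    fi
    return 0
}

# check_hardening [ROOT] -> 0 when every setting matches, 1 otherwise
check_hardening() {
    [ -n "${1-}" ] && SYSCTL_ROOT=$1
    bad=0
    # from /etc/sysctl.conf (fire.sh sets these again at runtime)
    check_value net/ipv4/ip_forward 1 || bad=$((bad + 1))
    check_value net/ipv4/icmp_echo_ignore_broadcasts 1 || bad=$((bad + 1))
    # set by fire.sh only
    check_value net/ipv4/icmp_ignore_bogus_error_responses 1 || bad=$((bad + 1))
    # per-interface settings: every directory below conf/, which includes
    # "all" and "default" (the values a newly created interface starts with)
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        i=${d%/}; i=${i##*/}
        check_value "net/ipv4/conf/$i/rp_filter" 1 || bad=$((bad + 1))
        check_value "net/ipv4/conf/$i/accept_redirects" 0 || bad=$((bad + 1))
        check_value "net/ipv4/conf/$i/send_redirects" 0 || bad=$((bad + 1))
        check_value "net/ipv4/conf/$i/accept_source_route" 0 || bad=$((bad + 1))
    done
    if [ "$bad" -eq 0 ]; then
        echo "OK: all checked settings are in effect under $SYSCTL_ROOT"
        return 0
    fi
    echo "$bad problem(s) found under $SYSCTL_ROOT"
    return 1
}

# Run directly with the tree to check, e.g.: ./check_fw_sysctl.sh /proc/sys
if [ "$#" -gt 0 ]; then
    check_hardening "$1"
fi
```

Run it as root right after fire.sh and again after the PPP link or a VPN tunnel has come up; a non-zero exit status means at least one line above it names a setting that has drifted.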

Changes in /usr/local/sbin/fireoff.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /usr/local/sbin/fireoff.sh

Changed on 10.06.09
Issued by olli
Beginning line 2

With this script you can deactivate everything you configured with the fire.sh script. This can be helpful if you want to test something without a firewall. Be aware of what it does: all policies become ACCEPT, ICMP redirects and source-routed packets are accepted again, and IP forwarding plus masquerading on ppp0 stay active, so the host is fully exposed to the Internet and anything routable behind it is forwarded unfiltered while the script is in effect. It also flushes and deletes the chains fail2ban created, so run fire.sh again as soon as you are done; that restarts fail2ban as well.

#!/bin/bash

# Deactivate anti-spoofing (reverse path filter)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 0 > $f
done

# Deactivate anti-spoofing logging
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
 echo 0 > $f
done

# Allow ICMP redirects (accept and send)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
 echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
 echo 1 > $f
done

# Allow source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
 echo 1 > $f
done

# Answer ICMP echo requests sent to broadcast addresses again
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't ignore bogus ICMP error responses
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Activate IP forwarding (routing) for IPv4 and IPv6
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Re-enable TCP timestamps and window scaling (fire.sh turns them off)
echo 1 >/proc/sys/net/ipv4/tcp_timestamps
echo 1 >/proc/sys/net/ipv4/tcp_window_scaling


# Reset everything: accept by default, flush all tables, delete user-defined chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Keep masquerading towards the Internet so the networks behind this host stay online
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE 


Changes in /usr/local/sbin/fire.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/fire.sh

Changed on 21.04.12
Issued by olli
Beginning line 2

This is my firewall script. It configures iptables only, i.e. IPv4; no ip6tables rules are set, so if this host has IPv6 connectivity that traffic is not filtered by this script. Note also that it flushes every chain, including the ones fail2ban created, which is why fail2ban is stopped at the beginning and started again at the end.

#!/bin/bash

/etc/init.d/fail2ban stop

### CONFIGURATION ###

# Internet Interface
INETIF="ppp0"
# Opened INET Ports TCP/UDP
INETTCP="22 25 66 80 143 443 873 993 995 5222 5269 45863"
INETUDP=""
# Portforwarding(s) for connections from INET-Devices: 
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
#INETPORTFW="0.0.0.0/0:82:192.168.178.1:80:tcp"
INETPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
# Trusted IPs or whole networks that may open new connections through this host (fully routed)
#INETROUTED=""

# LAN Interface
LANIF="eth0"
# Opened LAN Ports TCP/UDP | 4713=pulseaudio
LANTCP="$INETTCP 20 24 111 139 389 445 631 636 66 2049 6566 32765:32768 45863 8118 4713"
LANUDP="$INETUDP 53 69 123 111 137 138 631 2049 5000:5040 5060 6566 32765:32768"
# Portforwarding(s) for connections from LAN-Devices:
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
LANPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"

# WLAN Interface
WLANIF="wlan0"
WLANTCP="$LANTCP"
WLANUDP="$LANUDP"
# Portforwarding(s) for connections from WLAN-Devices:
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
WLANPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"

# VPN Interface(s)
VPNIF="tap0 tap1"
# Opened VPN Ports TCP/UDP
VPNTCP="$INETTCP 24 631 6566"
VPNUDP="$INETUDP 53 123 631 6566"
# Portforwarding(s) for connections from VPN-Devices: 
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
#VPNPORTFW="XXX.XXX.XXX.XXX:82:XXX.XXX.XXX.XXX:22:tcp"
# Trusted VPN IPs or whole networks that may open new connections through this host (fully routed, but never into the Internet)
VPNROUTED=""

# Optional SIP GW for incoming calls
SIPGWS="sip.1und1.de"
RTPRANGE="5000:5040"

### CONFIGURATION END ###



### Some kernel parameters ###

# Anti-spoofing: reverse path filtering on every interface. The glob also covers
# conf/all and conf/default, so interfaces created later (ppp0 after a redial,
# tap devices started by OpenVPN) inherit the setting.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 > $f
done
# Anti-spoofing logging (log packets with impossible source addresses)
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
# echo 1 > $f
#done
# Deny ICMP redirects (neither accept nor send them)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
 echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
 echo 0 > $f
done
# Deny source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
 echo 0 > $f
done
# Ignore ICMP echo requests to broadcast addresses (smurf protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable TCP timestamps and window scaling. Note: without window scaling the receive
# window is capped at 64 KiB, which limits throughput on fast links; this is a tuning
# choice, not a security hardening.
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
# Disable WLAN power saving
iw dev $WLANIF set power_save off
# Activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward


### prepare iptables - Reset/Deny all ###

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Drop all zeroconf IPs
iptables -A INPUT -s XXX.XXX.XXX.XXX/16 -j DROP
iptables -A FORWARD -s XXX.XXX.XXX.XXX/16 -j DROP

# Drop packets that carry exactly RST+ACK and no other flag. Such a packet is what a remote closed port
# sends back to our SYN, so dropping it makes our own failed connection attempts time out instead of failing fast.
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

### Routing the networks ###

# Masquerade routing into the Internet
iptables -t nat -A POSTROUTING -o $INETIF -j MASQUERADE

# LAN will be routed everywhere
iptables -A FORWARD -i $LANIF -m conntrack --ctstate NEW -j ACCEPT
# WLAN will be routed everywhere
iptables -A FORWARD -i $WLANIF -m conntrack --ctstate NEW -j ACCEPT
# Allow already established or related connections to be forwarded. This does not allow incoming/new connections to be routed: the connection has to be opened from the LAN or from a trusted/routed host
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# if you are using that node as a NAT router, the systems behind it have no way to know the real MTU of the PPPoE interface. Therefore the systems will try to use packets bigger than the maximum allowed, which will be dropped without warning by routers.
# The solution for that, unless you want to configure all your devices with a reduced MTU, is to instruct the routing host to intercept all the TCP handshake packets and correct in-fly the wrong MSS value requested by internal hosts.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Allow trusted Hosts/Networks to be routed new connections from INETNET
for INETNETIP in $INETROUTED
do
 iptables -A FORWARD -i $INETIF -s $INETNETIP -m conntrack --ctstate NEW -j ACCEPT
done

# Routing VPN Devices
for VIF in $VPNIF
do
 # Allow trusted Hosts/Networks to be routed new connections from VPNNET but not into the INETNET
 for VPNNETIP in $VPNROUTED
 do
  iptables -A FORWARD -i $VIF ! -o $INETIF -s $VPNNETIP -m conntrack --ctstate NEW -j ACCEPT
 done
 # Block broadcasts
 iptables -A INPUT -i $VIF -d XXX.XXX.XXX.XXX -j DROP
 iptables -A FORWARD -i $VIF -d XXX.XXX.XXX.XXX -j DROP
 # Allow routing into VPN(s)
 iptables -t nat -A POSTROUTING -o $VIF -j MASQUERADE
done


### Portforwarding ###

# Port forwarding for connections arriving on the Internet interface
for PFW in $INETPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Rule for port forwarding (rewrite the destination)
 iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $INETIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
 # Allow forwarding of exactly that rewritten connection
 iptables -A FORWARD -s $SRCIP -p $PROT -i $INETIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
done

# Port forwarding for connections arriving on the LAN interface
for PFW in $LANPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Rule for port forwarding (rewrite the destination)
 iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $LANIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
 # Allow forwarding of exactly that rewritten connection
 iptables -A FORWARD -s $SRCIP -p $PROT -i $LANIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
done

# Port forwarding for connections arriving on the WLAN interface
for PFW in $WLANPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Rule for port forwarding (rewrite the destination)
 iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $WLANIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
 # Allow forwarding of exactly that rewritten connection
 iptables -A FORWARD -s $SRCIP -p $PROT -i $WLANIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
done

# Port forwarding for connections arriving on the VPN interface(s)
for PFW in $VPNPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Go through every VPN IF
 for VIF in $VPNIF
 do
  # Rule for port forwarding (rewrite the destination)
  iptables -A PREROUTING -t nat -p $PROT -s $SRCIP -i $VIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
  # Allow forwarding of exactly that rewritten connection
  iptables -A FORWARD -p $PROT -s $SRCIP -i $VIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
 done
done

# The last forward rule is for logging. The policy is DROP, so every packet reaching this rule is a dropped packet.
# There is no rate limit; put "-m limit --limit 5/min" in front of "-j LOG" if a flood fills the kernel log.
iptables -A FORWARD -j LOG --log-prefix "FW: FORWARD DROP: "


### Outgoing traffic from the Server ###

# Allow all outgoing connections with valid state
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED,NEW -j ACCEPT
# The last output rule is for logging. The policy is DROP, so every packet reaching this rule is a dropped packet
iptables -A OUTPUT -j LOG --log-prefix "FW: OUTPUT DROP: "


### Incoming traffic into the Server ###

# Hold built connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow all incoming connections from localhost
iptables -A INPUT  -i lo -j ACCEPT

# Open Ports TCP/UDP
# Create Chains
iptables -N gabosh-inet
iptables -N gabosh-lan
iptables -N gabosh-wlan
iptables -N gabosh-vpn
# Predefine Chains
iptables -A INPUT -i $INETIF -j gabosh-inet
iptables -A INPUT -i $LANIF -j gabosh-lan
iptables -A INPUT -i $WLANIF -j gabosh-wlan
for VIF in $VPNIF
do
 iptables -A INPUT -i $VIF -j gabosh-vpn
done
# INET/TCP
for PORT in $INETTCP 
do
 iptables -A gabosh-inet -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# INET/UDP
for PORT in $INETUDP
do
 iptables -A gabosh-inet -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# LAN/TCP
for PORT in $LANTCP
do
 iptables -A gabosh-lan -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# LAN/UDP
for PORT in $LANUDP
do
 iptables -A gabosh-lan -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# WLAN/TCP
for PORT in $WLANTCP
do
 iptables -A gabosh-wlan -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# WLAN/UDP
for PORT in $WLANUDP
do
 iptables -A gabosh-wlan -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# VPN/TCP
for PORT in $VPNTCP
do
 iptables -A gabosh-vpn -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# VPN/UDP
for PORT in $VPNUDP
do
 iptables -A gabosh-vpn -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# Allow ping from VPNs, LAN and WLAN (not from the Internet)
iptables -A gabosh-vpn -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-lan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-wlan -p icmp --icmp-type echo-request -j ACCEPT
# Allow incoming SIP connections (calls). The DNS lookup of the SIP gateway(s) below is disabled; the provider's network is allowed statically instead
#for SIPGW in $SIPGWS
#do
# host $SIPGW | grep "has address" | while read ips
#  do ip=`echo $ips | cut -d" " -f4`
#  iptables -A gabosh-inet -p udp -s $ip --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#  iptables -A gabosh-inet -p udp -s $ip --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
# done
#done
iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/16 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/16 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT

# The last input rule is for logging. The policy is DROP, so every packet reaching this rule is a dropped packet
iptables -A INPUT -j LOG --log-prefix "FW: INPUT DROP: "

# Start fail2ban again so it re-creates its own chains and ban rules, which the flush above removed
/etc/init.d/fail2ban start
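The four port-forwarding loops in fire.sh split each "SRCIP:SRCPORT:DSTIP:DSTPORT:PROTO" entry with cut and pass the fields straight to iptables; an entry with a typo, a missing field or a placeholder left in place (such as my.lan.ip.addr) produces a broken iptables command, and with the FORWARD accept missing or wrong the DNAT rule alone either fails silently or opens more than intended. The script below is an added example and not part of fire.sh: one function that validates every field, then emits the DNAT rule and the matching FORWARD accept for it. It prints the rules by default (IPT is "echo iptables"), so it can be tried without root; the 192.168.1.10 mail host and the sample entries at the bottom are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original fire.sh: validate and apply the
# "SRCIP:SRCPORT:DSTIP:DSTPORT:PROTO" port-forwarding entries used by INETPORTFW,
# LANPORTFW, WLANPORTFW and VPNPORTFW. Malformed entries are reported and skipped
# instead of being passed half-parsed to iptables.
#
# IPT defaults to "echo iptables" (dry run: print the rules). Set IPT=iptables and
# run as root to install them.
IPT=${IPT:-echo iptables}

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR[/PREFIX] -> 0 for a dotted quad with an optional /0../32 prefix
valid_ipv4() {
    addr=${1%%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# portforward IFACE ENTRY... -> emits two rules per valid entry arriving on IFACE;
# returns 1 if any entry was rejected
portforward() {
    ifc=$1; shift
    rc=0
    for entry in "$@"; do
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        src=$1 sport=$2 dst=$3 dport=$4 proto=$5
        if [ "$#" -ne 5 ] || ! valid_ipv4 "$src" || ! valid_port "$sport" \
           || ! valid_ipv4 "$dst" || ! valid_port "$dport"; then
            echo "portforward: rejected entry '$entry' on $ifc" >&2
            rc=1
            continue
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "portforward: rejected entry '$entry' on $ifc (protocol must be tcp or udp)" >&2
               rc=1
               continue ;;
        esac
        # rewrite the destination on arrival ...
        $IPT -t nat -A PREROUTING -i "$ifc" -p "$proto" -s "$src" --dport "$sport" \
            -j DNAT --to-destination "$dst:$dport"
        # ... and allow only that rewritten connection to be forwarded
        $IPT -A FORWARD -i "$ifc" -p "$proto" -s "$src" -d "$dst" --dport "$dport" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    return $rc
}

# Constructed demo: the two mail forwards from the howto with an assumed LAN host,
# plus one deliberately broken entry (port out of range)
INETIF=ppp0
INETPORTFW="0.0.0.0/0:465:192.168.1.10:25:tcp 0.0.0.0/0:587:192.168.1.10:25:tcp 0.0.0.0/0:99999:192.168.1.10:25:tcp"
portforward "$INETIF" $INETPORTFW || echo "portforward: some entries were rejected" >&2
```

The VPN case of fire.sh, where the same entries are applied to every interface in VPNIF, is just a loop around the function: for VIF in $VPNIF; do portforward "$VIF" $VPNPORTFW; done.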

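The three LOG rules at the end of the INPUT, FORWARD and OUTPUT chains write one kernel log line per dropped packet, with the "FW: ... DROP: " prefix followed by the IN/OUT interfaces, SRC, DST, PROTO and ports. Raw, that is noise; summarised by source and port it shows what is being blocked and which remote hosts are probing the box. The script below is an added example and not part of fire.sh: it reads such lines from standard input (journalctl -k, dmesg or /var/log/messages), counts them per chain, source, protocol and destination port, and separately lists sources whose blocked packets touched at least a given number of distinct ports. The sample lines are constructed with documentation addresses, not captured from a real host; their field layout is the one the iptables LOG target writes.

```sh
#!/bin/sh
# Added example, not part of the original fire.sh: summarise the "FW: ... DROP:"
# log lines that the three LOG rules produce.
#   fwlog_summary            reads log lines on stdin, prints "COUNT CHAIN SRC PROTO DPT",
#                            most frequent first (DPT is "-" for protocols without ports)
#   fwlog_scanners [THRESH]  prints "SRC PORTS" for sources whose blocked INPUT packets
#                            hit at least THRESH distinct destination ports (default 10)

fwlog_summary() {
    awk '
        /FW: (INPUT|FORWARD|OUTPUT) DROP:/ {
            chain = "?"; src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "FW:")          chain = $(i + 1)
                else if ($i ~ /^SRC=/)    src   = substr($i, 5)
                else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
                else if ($i ~ /^DPT=/)    dpt   = substr($i, 5)
            }
            hits[chain " " src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

fwlog_scanners() {
    awk -v thr="${1:-10}" '
        /FW: INPUT DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)       src = substr($i, 5)
                else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
            }
            # count each (source, port) pair once
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort -k2 -rn
}

# Constructed sample (documentation addresses), not a real capture:
# one host probing four ports, one SIP source outside the allowed /16,
# one ping from the Internet, one VPN client trying to open a connection.
SAMPLE_LOG='Apr 21 10:15:02 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 21 10:15:02 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=44322 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 21 10:15:03 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 21 10:15:03 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1004 DF PROTO=TCP SPT=44324 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 21 10:16:10 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=452 TOS=0x00 PREC=0x00 TTL=48 ID=2001 PROTO=UDP SPT=5060 DPT=5060 LEN=432
Apr 21 10:16:11 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=452 TOS=0x00 PREC=0x00 TTL=48 ID=2002 PROTO=UDP SPT=5060 DPT=5060 LEN=432
Apr 21 10:16:12 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=452 TOS=0x00 PREC=0x00 TTL=48 ID=2003 PROTO=UDP SPT=5060 DPT=5060 LEN=432
Apr 21 10:17:30 gw kernel: FW: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Apr 21 10:18:05 gw kernel: FW: FORWARD DROP: IN=tap0 OUT=eth0 MAC= SRC=10.8.0.6 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | fwlog_summary
echo "--- sources hitting 3 or more distinct ports:"
printf '%s\n' "$SAMPLE_LOG" | fwlog_scanners 3
```

On a live host feed it the real log, e.g. journalctl -k | fwlog_summary | head. The FORWARD line in the sample is the expected result of the VPN rules in fire.sh: a VPN client that is not listed in VPNROUTED may only use connections that were opened towards it, so its own attempt to reach a LAN host is logged and dropped.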

Please send a feedback to: doc<at>gabosh.net
