November 1, 2007

Simple linux firewall for dedicated company network

Hi, we will set up a basic firewall for a small dedicated company network. Situation: all services for LAN users (email, proxy, DNS, NTP) are located in the main company network, to which we connect using OpenVPN. So the router acts as an OpenVPN client, enabling tunnelled incoming connections to this LAN from the main company network. Created for Slackware. Take all this as a fun example.

You just need to know the router's interfaces and the LAN IP range. I assume eth0 is the LAN interface, eth1 is the INTERNET interface, and tun0 is the interface created by OpenVPN. A few hints: as you can see, pings are enabled, and at the bottom you will find commented lines; uncommenting them enables various direct connections (FTP, SSH, HTTP, HTTPS) from the LAN to the INTERNET.

# cat /etc/rc.d/rc.firewall
#!/bin/sh

IPTABLES="/sbin/iptables"
ETH_LAN="eth0"
ETH_INET="eth1"
ETH_VPN0="tun0"
LAN="194.44.44.0/26"

# FTP connection tracking helper (pulls in ip_conntrack as a dependency)
modprobe ip_conntrack_ftp
# the router forwards between LAN, INTERNET and the VPN tunnel
echo 1 > /proc/sys/net/ipv4/ip_forward

# flush all rules and delete user-defined chains before rebuilding
$IPTABLES -F
$IPTABLES -X

# default deny on every chain; everything below is an explicit allow
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# ICMP whitelist: echo reply (0), destination unreachable (3),
# echo request (8), time exceeded (11); everything else is dropped
$IPTABLES -N icmp_packets
$IPTABLES -A icmp_packets -p ICMP --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP

# INPUT, pings, ssh connections from LAN
$IPTABLES -A INPUT -i lo -j ACCEPT
# replies to the router's own outgoing connections (web, dns, openvpn)
# would otherwise hit the DROP policy
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -i ${ETH_LAN} -s ${LAN} -p TCP --dport 22 -j ACCEPT

# OUTPUT, pings, web updates, dns queries, openvpn client
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# lets the router answer incoming ssh sessions from the LAN (SYN-ACK and
# later packets are locally generated and pass through OUTPUT)
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP -j icmp_packets
$IPTABLES -A OUTPUT -p TCP --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP --dport 1194 -j ACCEPT

# LAN->INTERNET, pings, wanna enable direct ftp ssh http https for LAN users?
# return traffic for any forwarded connection (including ftp data channels
# via ip_conntrack_ftp) is accepted first
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o ${ETH_INET} -s ${LAN} -p ICMP -j icmp_packets
#$IPTABLES -A FORWARD -o ${ETH_INET} -s ${LAN} -p TCP --dport 21 -j ACCEPT
#$IPTABLES -A FORWARD -o ${ETH_INET} -s ${LAN} -p TCP --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -o ${ETH_INET} -s ${LAN} -p TCP --dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -o ${ETH_INET} -s ${LAN} -p TCP --dport 443 -j ACCEPT
# LAN<->VPN, connections to and from LAN (no filtering inside the tunnel)
$IPTABLES -A FORWARD -o ${ETH_VPN0} -i ${ETH_LAN} -j ACCEPT
$IPTABLES -A FORWARD -i ${ETH_VPN0} -o ${ETH_LAN} -j ACCEPT

echo "Firewall updated: `date`"
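As an added example (not the rc.firewall from this post), here is the same policy expressed in iptables-restore format, so the whole ruleset is loaded atomically instead of rule by rule, together with a small lint that checks the one thing that silently breaks a default-DROP ruleset: each built-in chain must accept RELATED,ESTABLISHED return traffic before any port-specific ACCEPT, otherwise the router's own web, DNS, OpenVPN and SSH sessions never see their replies. The interface names and LAN range are assumed to match the post (eth0 LAN, eth1 INTERNET, tun0 OpenVPN, 194.44.44.0/26); gen_rules and check_return_path are names chosen here.

```shell
#!/bin/sh
# Added example, not the blog's rc.firewall. Assumed topology (from the post):
# eth0 = LAN, eth1 = INTERNET, tun0 = OpenVPN tunnel, LAN = 194.44.44.0/26.

ETH_LAN="eth0"
ETH_INET="eth1"
ETH_VPN0="tun0"
LAN="194.44.44.0/26"

# Emit the ruleset on stdout. Load atomically with:  gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
# ICMP whitelist: echo reply, dest unreachable, echo request, time exceeded
-A icmp_packets -p icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j DROP
# INPUT: loopback, return traffic, pings, ssh from LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -i $ETH_LAN -s $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# OUTPUT: loopback, return traffic, pings, web updates, dns, openvpn client
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 1194 -j ACCEPT
# FORWARD: return traffic, LAN pings out, LAN<->VPN; uncomment to allow direct access
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $ETH_LAN -o $ETH_INET -s $LAN -p icmp -j icmp_packets
#-A FORWARD -i $ETH_LAN -o $ETH_INET -s $LAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
#-A FORWARD -i $ETH_LAN -o $ETH_INET -s $LAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i $ETH_LAN -o $ETH_VPN0 -j ACCEPT
-A FORWARD -i $ETH_VPN0 -o $ETH_LAN -j ACCEPT
COMMIT
EOF
}

# Lint: in every built-in chain the RELATED,ESTABLISHED rule must exist and
# precede the first port-specific ACCEPT; with a DROP policy, replies to
# allowed traffic are otherwise discarded. Prints failures, returns 0 on pass.
check_return_path() {
    rc=0
    for chain in INPUT OUTPUT FORWARD; do
        state_line=$(gen_rules | grep -n -- "^-A $chain .*--state RELATED,ESTABLISHED" | head -n1 | cut -d: -f1)
        port_line=$(gen_rules | grep -n -- "^-A $chain .*--dport" | head -n1 | cut -d: -f1)
        if [ -z "$state_line" ]; then
            echo "FAIL: $chain has no RELATED,ESTABLISHED rule"; rc=1
        elif [ -n "$port_line" ] && [ "$state_line" -gt "$port_line" ]; then
            echo "FAIL: $chain accepts new connections before return traffic"; rc=1
        fi
    done
    return $rc
}

# Run the lint before loading; load only if it passes:
#   check_return_path && gen_rules | iptables-restore
check_return_path
```

The lint is deliberately dumb text matching on the generated file, which is enough to catch the ordering mistake before `iptables-restore` applies the whole ruleset; because the restore is atomic, a typo in one rule leaves the previous ruleset in place rather than a half-built chain with a DROP policy.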
