Custom Home Router - iptables Help

Blue|Fusion

Over the past few months I have been vastly improving my tiny home network in an effort to learn a little more about more advanced networks. Just recently I replaced my Linksys Router with a spare PC running Linux with dual NICs and iptables.

Right now, it's doing it's job fine with NAT. I am new to manually setting iptables rules, but am trying to learn it in the process. I want to make the system drop or reject (whatever's best suited for the situation) all incoming traffic that shouldn't be coming in. Since there's desktops surfing the web, using IM, and mail, obviously the related traffic would need to get back to the FORWARD chain. I'm not certain, but would assume that's related to checking the packet's state? In essence, I want this PC to firewall all outside traffic to INPUT and FORWARD chains except for that traffic that really should be there.

Here's the relative info:
LAN: eth0: 10.1.1.1
WAN: eth1: 64.233.255.0
Network: 10.1.1.0/24

I have most of the rules set from this HOWTO: http://www.gentoo.org/doc/en/home-router-howto.xml

I also have TCP port 80 forwarded to 10.1.1.20 for web. One thing about this, though is outsiders can view it, but when I attempt to go to the site hosted on the server with the WAN IP, I get connection refused. Any idea about that one?

Any help very appreciated! I really want to learn this iptables stuff already! I've been putting this off for years Rolling Eyes

.

BeerCheeze · Posted: Sun, 13 May 2007 21:44:05 Post Subject:

Going from inside to outside back in generally confuses things. Don't do it Grin

Also, you want to drop, not reject. Just don't respond to requests.

As for manually setting it up... it's been years since I did it, so I would have to dig through it all and figure it back out. If you can't get it done, let me know and I'll look through the doc's and help you out.

knight0334 · Posted: Sun, 13 May 2007 23:33:11 Post Subject:

I had the same problem back when I was trying to do the same thing, ...view the site from within the LAN via the WAN IP. However I was using WinXP or Win2K3 with Apache. There were a few "fixes" that I tried, but none really worked. One sorta worked, had to make changes to the config file for certain allowed IP ranges.

I had to setup a local DNS server for my LAN machines to use for resolving for it to work. For LAN viewing of the page, it redirected to the LAN IP of the server rather then going through the WAN IP for local viewing. The rest of the world resolved via remote DNS to my WAN IP.

Not that familiar with Linux, but if it has a "hosts" type file, you might be able to redirect to the LAN IP of the server on each local machine without having to use a DNS server.

knight0334 · Posted: Sun, 13 May 2007 23:41:39 Post Subject:

I see you're running Apache, check this out.

http://www.webservertalk.com/message1892313.html

Blue|Fusion · Posted: Mon, 14 May 2007 11:02:31 Post Subject:

Thanks for the replies. Prior to using the PC-as-router, the Linksys router allowed me to view Apache via the WAN IP, and I'm trying to emulate that. For now I do have it set in the hosts file, but hopefully only temporarily.

Here are the current iptables rules I have in place. I got these rules from the Gentoo documentation link I posted above.

acruxksa · Posted: Mon, 14 May 2007 13:08:14 Post Subject:

I know it might be cheating, but have you tried one of the many iptables script generators?

http://www.iptables.1go.dk/index1.php

http://qtables.radom.org/

http://easyfwgen.morizot.net/gen/

There are dozens of these things out there. Most will give you a good basic firewall that you can then customize to either lock it down further or punch holes in it for specific purposes.

LinuxQuestions - Linux Security Forum can also be a pretty good source of general configuration info.

Blue|Fusion · Posted: Mon, 14 May 2007 19:08:46 Post Subject:

Thanks for the links. I found a cool howto from a Stanford user and modified it slightly for my own use:

BeerCheeze · Posted: Mon, 14 May 2007 19:50:41 Post Subject:

Deny all ICMP except echo-request & echo-reply.

Blue|Fusion · Posted: Mon, 14 May 2007 20:32:05 Post Subject:

OK, only accepting echo-request and echo-reply. All others are dropped as per INPUT profile.

BeerCheeze · Posted: Mon, 14 May 2007 21:16:39 Post Subject:

You also want to drop anything on eth1 coming from an RFC-1918 address (I'm not giving you those, because I want you to look them up... so you remember what it is in case you don't already know it).

Also DHCP (Bootp) doesn't use TCP, no need to allow that. If you have a static IP, you shouldn't need that at all.

You are allowing ssh from the internet, are you sure you want that?

Also this: