Firewall Configuration – No internet, just internal networks

Forums Network Management Networking Firewall Configuration – No internet, just internal networks

  • This topic is empty.
Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • February 19, 2009 at 9:26 pm #41485
    vapour
    Member

    I have planned to deploy zeroshell to seal off our internal lab environment.

    Basically, I have 4 NICs, none of which is connected to the internet. I have them configured and traffic works fine as-is (although all ports open). I am trying to figure out the chains of FORWARD, INPUT and OUTPUT. By default, the policy is ACCEPT, thus everything is working. However, I want to have a policy of DENY, and only allow certain ports between segments.

    ETH00 – 192.168.0.x
    ETH01 – 192.168.10.x
    ETH02 – 192.168.20.x
    ETH03 – 192.168.30.x

    I want traffic from any segment to 192.168.0.x (any IP) only on ports 8222 and 8333. That would be good to begin. What rules to I add to what chains for this, assuming a default of DENY on the chain?

    February 22, 2009 at 2:38 pm #47647
    bbozo
    Member

    It is a bad idea to make any of the default chains DENY.

    you should first make rules that allow traffic (there are almost always less things you want to allow then deny) and after that add deny rules. watch for sequences numbers.

    INPUT chain deals with traffic that has its destination the firewall IPs
    FORWARD chain deals with traffic that has its destiantion IPs different from firewalls
    OUTPUT chain deals with traffic coming from firewall

    this is simple explanation there are many other things to consider.

    for your exapmle:
    fwd chain
    input ETH00
    Protocol Matching: chose source or destination ports you want to allow
    for examle if you would allow http then you chose destination port 80 protocol tcp
    Action: allow

    hope this helps

    February 23, 2009 at 8:48 pm #47648
    vapour
    Member

    I left the INPUT and OUTPUT chains alone for now. Just want to get the FORWARD working. I created a rule to allow all RELATED traffic from each subnet to each other subnet. I then added a rule under FORWARD to allow tcp/8333 and tcp/8222 from ETH01 to ETH00. It seems to function ok. I am trying to figure out the logging part now so I can see if stuff is dropping/etc.

    Thanks for the reply!
    [/quote]

    February 26, 2009 at 8:34 am #47649
    wbschindler
    Member

    vapor, you are on the right track. I will strongly disagree with others who say the default should not be DENY. It will be the LAST rule in the chain and thus should be DENY.

    But, when you set your tables up you may want to do it like so:

    # Flush all the previous rules

    /sbin/iptables -F INPUT
    /sbin/iptables -F FORWARD
    /sbin/iptables -F OUTPUT

    # Disable all routing until rules are in place

    /sbin/iptables -P INPUT DENY
    /sbin/iptables -P FORWARD DENY
    /sbin/iptables -P OUTPUT DENY

    # Now, add the FORWARD rules

    /sbin/iptables -A FORWARD … becomes rule 2
    /sbin/iptables -A FORWARD … becomes rule 1

    #NOTE, each time you add a rule, it becomes the first one in the chain, so the DENY rule is indeed the default rule (3)

    # Lastly, allow the INPUT and OUTPUT traffic

    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT

    This is certainly not complete or an exhaustive description, you may want to look at:

    http://iptables-tutorial.frozentux.net/iptables-tutorial.html

    HTH

    March 6, 2009 at 1:13 am #47650
    vapour
    Member

    Thanks. What I did was add the rules that I wanted, set them to logging to make sure all the traffic I wanted was being hit by those rules, then set the default to be deny. Works fine so far I think.. 🙂

  • Author
    Posts
Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.