Hello Sascha,

Yes, there are advantages.
I think your first router (the avm-box) has only one ethernet port. If you decide to set up a DMZ (for your servers) and/or a separate network for wireless LAN, then it's very useful to have more than one ethernet port available in your router. For example:

              [Internet]
                  |
                  |
                  |
           [small_routerbox]
                  |
                  |
                  |
   [DMZ] --- [Linux Router] --- [Wireless LAN]
                  |
                  |
                  |
                [LAN]

The other thing is if you want to block unknown computers with unknown MAC addresses or unknown MAC address/IP address combinations and you add a new host, then you have to add the new rule on every host in your network. For example, on my router there is a chain like that:

[EMAIL PROTECTED]:~# iptables -nvL eth0_MACCHECK
Chain eth0_MACCHECK (3 references)
 pkts bytes target     prot opt in     out     source               destination
 2091  130K RETURN     all  --  *      *       192.168.9.4          0.0.0.0/0           MAC aa:bb:ee:ff:gg:hh
   23  1687 RETURN     all  --  *      *       192.168.9.8          0.0.0.0/0           MAC ii:jj:kk:ll:mm:nn
[...]
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `FW: eth0_MACCHECK -j DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[EMAIL PROTECTED]:~#

You can see there is "RETURN" instead of "ACCEPT" in the chain above. And this chain (eth0_MACCHECK) is used in my eth0_INPUT and eth0_FORWARD chains.
[EMAIL PROTECTED]:~# iptables -nvL eth0_INPUT
Chain eth0_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  228 18332 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    7  3784 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
   66  5016 eth0_MACCHECK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
   66  5016 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `FW: eth0_INPUT -j DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[EMAIL PROTECTED]:~#

You can see there is "eth0_MACCHECK" instead of "ACCEPT". And last but not least, my INPUT chain:

[EMAIL PROTECTED]:~# iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   54  5958 eth2_INPUT  all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
  249 24910 eth1_INPUT  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  404 34536 eth0_INPUT  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   56  5698 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `FW: INPUT -j DROP '
[EMAIL PROTECTED]:~#

Here there is "eth0_INPUT" instead of "ACCEPT". My forward chains look similar to my input chains with a few differences, and the eth0_MACCHECK chain is used in both INPUT and FORWARD.
You can use a brute-force-check chain too, like that:

Chain brute_force_check (2 references)
 pkts bytes target     prot opt in     out     source               destination
85619   13M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW recent: SET name: DEFAULT side: source
52330 7461K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source LOG flags 7 level 4 prefix `FW: brute_force_check '
52330 7461K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
38676 7956K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I know there could be more security by dropping new packets without the SYN flag set, and so on. Perhaps you and/or other people on the list can give me/us some hints about that.

best regards
Mario Koppensteiner

On Sat, Mar 03, 2007 at 01:36:19AM -0800, sascha s wrote:
> hey list,
>
> I'm using two routers to set up my internet connection and protect my home
> network. The first is just a little router from avm and the second is a PIII
> with linux and iptables. Since the second box had some hardware trouble I'm
> considering to use just the first router and add the iptables rules to the
> workstations (also linux). I don't use any special feature like vpn or
> something like that. Are there any big advantages of having a dedicated linux
> router?
>
>
> thanks for help and best regards
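The chain layout Mario describes (a per-interface INPUT chain, a MACCHECK chain that RETURNs known IP/MAC pairs, and a recent-based brute_force_check), written up as an added shell example that is not code from the original mail. The interface name, the host addresses and the allowed services are constructed for illustration; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original mail. IPT defaults to iptables; set
# IPT=echo to print the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"

# <iface>_MACCHECK: known "ip=mac" pairs RETURN to the caller, which then
# keeps evaluating its own rules; everything else is logged and dropped.
build_maccheck_chain() {
    chain="$1_MACCHECK"; shift
    $IPT -N "$chain"
    for pair in "$@"; do
        $IPT -A "$chain" -s "${pair%%=*}" -m mac --mac-source "${pair#*=}" -j RETURN
    done
    $IPT -A "$chain" -j LOG --log-prefix "FW: $chain -j DROP "
    $IPT -A "$chain" -j DROP
}
# brute_force_check: a source opening 4 or more NEW connections within 60 s
# is logged and dropped; everything else RETURNs to the caller.
build_brute_force_chain() {
    chain="brute_force_check"
    limit="-m state --state NEW -m recent --update --seconds 60 --hitcount 4"
    $IPT -N "$chain"
    $IPT -A "$chain" -m state --state NEW -m recent --set
    $IPT -A "$chain" $limit -j LOG --log-prefix "FW: $chain "
    $IPT -A "$chain" $limit -j DROP
    $IPT -A "$chain" -j RETURN
}
# <iface>_INPUT: established traffic, rate-limited ssh, the MAC check, then
# the "proto/port" services allowed on that interface; hooked into INPUT by -i.
build_input_chain() {
    iface="$1"; shift
    chain="${iface}_INPUT"
    $IPT -N "$chain"
    $IPT -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A "$chain" -p tcp --dport 22 -j brute_force_check
    $IPT -A "$chain" -p tcp --dport 22 -j ACCEPT
    $IPT -A "$chain" -j "${iface}_MACCHECK"
    for svc in "$@"; do
        $IPT -A "$chain" -p "${svc%/*}" --dport "${svc#*/}" -j ACCEPT
    done
    $IPT -A "$chain" -j LOG --log-prefix "FW: $chain -j DROP "
    $IPT -A "$chain" -j DROP
    $IPT -A INPUT -i "$iface" -j "$chain"
}
# Run with "load" to install the policy for a LAN on eth0 (constructed hosts).
if [ "${1:-}" = load ]; then
    build_brute_force_chain
    build_maccheck_chain eth0 192.168.9.4=aa:bb:cc:00:00:04 192.168.9.8=aa:bb:cc:00:00:08
    build_input_chain eth0 udp/53 udp/123
fi
```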