# Please QA my Firewall Setup

## myte

I have two IP leases from my ISP. I have 3 ethernet adapters on my server. eth0 = static ip, dnsmasq'ing to the lan for dhcp server. eth1 is dhcp / inet, eth2 is dhcp/inet.

Here's what I have.

```

1.# Copyright 1999-2010 Gentoo Foundation

2.# Distributed under the terms of the GNU General Public License v2

3.# $Header: $

4. 

5.depend() {

6.        need net

7.}

8. 

9.start() {

10.ebegin "Starting Firewall Script"

11. 

12.#First we flush our current rules

13.        iptables -t filter -F

14.        iptables -t nat -F

15.        iptables -t mangle -F

16. 

17.#Setup default policies to handle unmatched traffic

18.        iptables -t filter -P INPUT ACCEPT

19.        iptables -t filter -P OUTPUT ACCEPT

20.        iptables -t filter -P FORWARD ACCEPT

21. 

22.#Copy and paste these examples ...

23.        export LAN=eth0

24.        export WAN0=eth1

25.        export WAN1=eth2

26.        export WAN0ip=$( ifconfig ${WAN0} | grep "inet addr" | sed -e 's/^          inet addr://' -e 's/\ .*$//' )

27.        export WAN1ip=$( ifconfig ${WAN1} | grep "inet addr" | sed -e 's/^          inet addr://' -e 's/\ .*$//' )

28. 

29.#add the rules for NAT

30.        iptables -t nat -A POSTROUTING  -o eth1 -s 192.168.0.0/25   -j SNAT --to-source ${WAN0ip} --random

31.        iptables -t nat -A POSTROUTING  -o eth2 -s 192.168.0.128/25 -j SNAT --to-source ${WAN1ip} --random

32. 

33.#These rules are for access control to this router box and any external hosts (Lan or Wan)

34.#Accept anything coming from the LAN or loopback

35.        iptables -A INPUT -i ${LAN} -j ACCEPT

36.        iptables -A INPUT -i lo -j ACCEPT

37.#Allow ssh from outside

38.        iptables -A INPUT -p TCP --dport 22 -i ${WAN0ip} -j ACCEPT

39.        iptables -A INPUT -p TCP --dport 22 -i ${WAN1ip} -j ACCEPT

40.#Allow DHCP to renew its leases with your ISP.  (if you can get the ip of your dhcp server into a variable, add it to the below lines in an -s argument)

41.        iptables -A INPUT -p UDP --dport bootps ! -i ${WAN0ip} -j REJECT

42.        iptables -A INPUT -p UDP --dport domain ! -i ${WAN1ip} -j REJECT

43.#Allow any return traffic that is part of a connection that was already allowed

44.        iptables -A INPUT -i ${WAN0} -m state --state ESTABLISHED,RELATED -j ACCEPT

45.        iptables -A INPUT -i ${WAN1} -m state --state ESTABLISHED,RELATED -j ACCEPT

46.#Reject all else

47.        iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

48. 

49.#These access control rules are for forwarded traffic between the lan and the internets:

50.#Allow anything originating internally

51.        iptables -A FORWARD -i ${LAN} -d 192.168.0.0/24 -j DROP

52.#Allow any return traffic that is part of a connection that was already allowed

53.        iptables -A FORWARD -i ${WAN0} -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

54.        iptables -A FORWARD -i ${WAN1} -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

55.#Reject all else

56.        iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

57. 

58.#Tell the kernel that ip forwarding is OK

59.        echo 1 > /proc/sys/net/ipv4/ip_forward

60.        for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

61.eend $?

62.}

63. 

64.stop() {

65.        ebegin "Stopping Firewall Script"

66.        iptables -t filter -F

67.        iptables -t nat -F

68.        iptables -t mangle -F

69. 

70.        iptables -t filter -P INPUT ACCEPT

71.        iptables -t filter -P OUTPUT ACCEPT

72.        iptables -t filter -P FORWARD ACCEPT

73.        eend $?

74.}

75. 

76.restart() {

77.        ebegin "Restarting Firewall Script"

78.        /etc/init.d/net.eth0 restart

79.        /etc/init.d/net.eth1 restart

80.        /etc/init.d/net.eth2 restart

81.        /etc/init.d/mynet start

82.        eend $?

83.}

```

Here's the output of iptables -L after starting this script:

```

1.rath init.d # iptables -L

2.Chain INPUT (policy ACCEPT)

3.target     prot opt source               destination

4.ACCEPT     all  --  anywhere             anywhere

5.ACCEPT     all  --  anywhere             anywhere

6.ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

7.ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

8.REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable

9.REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable

10.ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

11.ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

12.REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

13. 

14.Chain FORWARD (policy ACCEPT)

15.target     prot opt source               destination

16.DROP       all  --  anywhere             192.168.0.0/24

17.ACCEPT     all  --  anywhere             192.168.0.0/24      state RELATED,ESTABLISHED

18.ACCEPT     all  --  anywhere             192.168.0.0/24      state RELATED,ESTABLISHED

19.REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

20. 

21.Chain OUTPUT (policy ACCEPT)

22.target     prot opt source               destination

23.rath init.d #

```

Does this look like it is setup properly to operate? My main goal is to have all IP's from one range route their traffic through one eth1, and all IP's from the other range will go through the other eth2.

Thanks!

----------

## gerdesj

I'm afraid I can't be bothered to read and understand all of that lot - you'll normally get a reply to a specific question!

However, I think what you really want is policy based routing - or more specifically source based routing:

What you do is (make sure you have iproute2 installed) create two additional routing tables which have different default gateways and then you add ip rules to these additional tables based on where the packets are coming FROM.

Normally your routing table is based on where a packet is going TO - destination based routing.

You can do all this in /etc/conf.d/net.  You need to look up how to use "ip rule".  Look at the postup() example in net.example (/etc/conf.d or /usr/share/doc/openrc)

http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

Once you have the routing sorted out then you worry about the firewall.

Back to your config, I think it may work anyway - does it?  The output of iptables -L -v -t nat would be useful.  You should be able to run traceroutes from client machines to test where packets are actually going or run tcpdump on your router.

Now if you want failover, ie ISP2 link goes down - route ISP2 traffic via ISP1 until ISP2 recovers is a whole different ball game - if you want to do that then just use pfSense!  I have wasted a lot of time over this with Linux and pfSense just works.

Cheers

Jon

----------

## Hu

I see two design problems with this script.  First, you are calling iptables repeatedly without checking whether it succeeds, so you could load a very strange partial configuration if some of the calls fail and others succeed.  Second, when you restart the interfaces, you restart them without regard to whether any of them fail.

To address the first problem, you should use the Gentoo-supplied iptables initscript, which performs an atomic rule load.  Either all the rules load or none of them do.  You could address the second problem with better error checking, but first I would like to hear why you want to restart all the network interfaces any time the firewall is reset.

If you want to post the state of the firewall, use iptables-save -c, not iptables -L.

----------

## d2_racing

IMOO, you should try to do a firewall rules that open things  :Razz: 

```

.#Setup default policies to handle unmatched traffic

18.        iptables -t filter -P INPUT ACCEPT

19.        iptables -t filter -P OUTPUT ACCEPT

20.        iptables -t filter -P FORWARD ACCEPT 

```

Should be :

```

18.        iptables -t filter -P INPUT DROP

19.        iptables -t filter -P OUTPUT DROP

20.        iptables -t filter -P FORWARD DROP

```

And start creating rules that accept connections and packets.

----------

## d2_racing

And for the record, because of this :

```

18. iptables -t filter -P INPUT ACCEPT

19.        iptables -t filter -P OUTPUT ACCEPT

20.        iptables -t filter -P FORWARD ACCEPT 

```

A lot of rules that you created were useless, because by default, your firewall was accepting everything.

Example :

```

38. iptables -A INPUT -p TCP --dport 22 -i ${WAN0ip} -j ACCEPT

39. iiptables -A INPUT -p TCP --dport 22 -i ${WAN1ip} -j ACCEPT 

```

----------

