Marc's Blog

Things from me about me …

Basic paranoid iptables firewall for an AMPRnet gateway

| 16 Comments

I have been asked a couple of times to provide a starting point for a firewall based on iptables for AMPRnet gateways based on Linux. I’ll try to accomplish this here.

I’m assuming your Linux gateway uses the following interfaces:

  • eth0 : connected to the Internet, has a public static IP address (this post does NOT cover AMPRnet gateways behind NAT or within DMZ)
  • eth1 : connected to your local AMPRnet LAN, has a static 44net IP address
  • tunl0 : the IPIP tunnel interface

The following script will allow to receive IPIP, RIPv2 and Management traffic. It will also allow connection to be initiated from the gateway or the LAN by employing a stateful firewall:

(ATTENTION: you will most probably lose connectivity to your gateway if you apply these rules remotely)

### Drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

### Allow traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### ICMP is important and must work
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

### Allow remote management via SSH
### repeat for every subnet or IP address you want to allow
iptables -A INPUT -p tcp –dport 22 -s 192.0.2.0/24 -j ACCEPT

### allow inbound IPIP packets (from everywhere)
iptables -A INPUT -i eth0 -p 4 -j ACCEPT

### allow inbound RIPv2 messages
iptables -A INPUT -i tunl0 -s 44.0.0.1 -p udp –port 520 -j ACCEPT

### allow inbound packets related to outbound packets (answers to request initiated locally)
iptables -A INPUT -i eth0 -p udp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

### allow outbound IPIP packets (to everywhere)
iptables -A OUTPUT -o eth0 -p 4 -j ACCEPT

### allow outbound connections from the local gateway
iptables -A OUTPUT -o eth0 -p udp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -j ACCEPT

### allow traffic from LAN to outside (BCP38 applied)
iptables -A FORWARD -i eth1 -s 44.256.0.0/24 -p udp -j ACCEPT
iptables -A FORWARD -i eth1 -s 44.256.0.0/24 -p tcp -j ACCEPT

### allow packets related to outbound packets (answers to request initiated locally) to be forwarded
iptables -A FORWARD -i tunl0 -p udp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tunl0 -p tcp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

MODIFICATIONS to do by you:

  • replace 192.0.2.0/24 by the subnet or IP from where you want to connect to your gateway to manage it.
  • replace 44.256.0.0/24 by your AMPRnet subnet.

TODO:

  • Add more rules to allow specific services (please provide your ideas/wishes)
  • Allow more protocols from LAN to outside

UPDATES:

  •  Tried to make it clear that this post does NOT (yet) cover AMPRnet gateways behind NAT.
  • Corrected typo –port instead of –dport.
  • Allow traffic on loopback interface.
  • Allow ICMP everywhere.
  • Corrected last pair of rules where I accidentally had -i eth0 instead of -i tunl0

16 Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close