Marc's Blog

Things from me about me …

Basic paranoid iptables firewall for an AMPRnet gateway


I have been asked a couple of times to provide a starting point for a firewall based on iptables for AMPRnet gateways based on Linux. I’ll try to accomplish this here.

I’m assuming your Linux gateway uses the following interfaces:

  • eth0 : connected to the Internet, has a public static IP address (this post does NOT cover AMPRnet gateways behind NAT or within DMZ)
  • eth1 : connected to your local AMPRnet LAN, has a static 44net IP address
  • tunl0 : the IPIP tunnel interface

The following script allows the gateway to receive IPIP, RIPv2 and management traffic. It also allows connections to be initiated from the gateway or from the LAN, by employing a stateful firewall (conntrack) for the replies:

(ATTENTION: you will most probably lose connectivity to your gateway if you apply these rules remotely. The default policy is DROP and SSH is only admitted from the management prefix you fill in below, so apply them from the console or have a rollback ready.)

### Drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

### Allow traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### ICMP is important and must work (path MTU discovery through the tunnel depends on it)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

### Allow remote management via SSH
### repeat for every subnet or IP address you want to allow
iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT

### allow inbound IPIP packets (IP protocol 4, from everywhere)
iptables -A INPUT -i eth0 -p 4 -j ACCEPT

### allow inbound RIPv2 messages (sent from 44.0.0.1 to UDP port 520 inside the tunnel)
iptables -A INPUT -i tunl0 -s 44.0.0.1 -p udp --dport 520 -j ACCEPT

### allow inbound packets related to outbound packets (answers to requests initiated locally)
iptables -A INPUT -i eth0 -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### allow outbound IPIP packets (to everywhere)
iptables -A OUTPUT -o eth0 -p 4 -j ACCEPT

### allow outbound connections from the local gateway
### (only via eth0: connections the gateway itself opens through tunl0 need their own rules)
iptables -A OUTPUT -o eth0 -p udp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -j ACCEPT

### allow traffic from LAN to outside (BCP38 applied: only packets sourced from your own subnet are forwarded)
### 44.256.0.0/24 is a deliberately invalid placeholder; iptables rejects it, so the script
### will not load until you replace it with your real AMPRnet subnet
iptables -A FORWARD -i eth1 -s 44.256.0.0/24 -p udp -j ACCEPT
iptables -A FORWARD -i eth1 -s 44.256.0.0/24 -p tcp -j ACCEPT

### allow packets related to outbound packets (answers to requests initiated locally) to be forwarded
iptables -A FORWARD -i tunl0 -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tunl0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

MODIFICATIONS you have to make:

  • replace 192.0.2.0/24 with the subnet or IP address from which you want to connect to your gateway to manage it.
  • replace 44.256.0.0/24 with your AMPRnet subnet.
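Two things go wrong most often with the script above: the placeholders are left in (44.256.0.0/24 is not a valid address, so iptables refuses the rule and you end up with a half-loaded rule set), and the rules are applied over SSH with no way back. The following shell script is an added example and is not part of the original post. It validates the two prefixes you are told to fill in, prints the post's rule set with them substituted, and, when asked, loads it with a rollback timer that restores the previous rule set unless you cancel it. The interface names (eth0, eth1, tunl0) and the RIP sender 44.0.0.1 are taken from the post; the function names, the `--print`/`--apply` switches and the rollback mechanism are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check the operator-supplied
# prefixes, emit the post's rule set, and load it with an automatic rollback.
# Interface names and 44.0.0.1 come from the post; everything else is assumed.

# valid_cidr A.B.C.D/N: succeed only if all four octets are 0..255 and N is 0..32.
# The post's placeholder 44.256.0.0/24 fails this check, as it should.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip            # split on dots; empty octets remain as empty fields
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules MGMT_NET LAN_NET: print the post's rule set for the given management
# prefix and AMPRnet LAN prefix, or print nothing and fail if either is malformed.
gen_rules() {
    mgmt=$1
    lan=$2
    valid_cidr "$mgmt" || { echo "bad management prefix: $mgmt" >&2; return 1; }
    valid_cidr "$lan"  || { echo "bad AMPRnet prefix: $lan" >&2; return 1; }
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $mgmt -j ACCEPT
iptables -A INPUT -i eth0 -p 4 -j ACCEPT
iptables -A INPUT -i tunl0 -s 44.0.0.1 -p udp --dport 520 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p 4 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -j ACCEPT
iptables -A FORWARD -i eth1 -s $lan -p udp -j ACCEPT
iptables -A FORWARD -i eth1 -s $lan -p tcp -j ACCEPT
iptables -A FORWARD -i tunl0 -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tunl0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_with_rollback MGMT_NET LAN_NET SECONDS (root only): save the running
# rule set, load the new one, and restore the saved one after SECONDS unless
# the operator kills the timer. This is the safety net for remote application.
apply_with_rollback() {
    rules=$(gen_rules "$1" "$2") || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$3"; iptables-restore < "$backup"; rm -f "$backup" ) &
    timer=$!
    iptables -F && iptables -X       # empty the filter table before loading
    printf '%s\n' "$rules" | sh
    echo "new rules loaded; if you can still log in, run: kill $timer; rm -f $backup" >&2
}

case "${1:-}" in
    --print) gen_rules "$2" "$3" ;;
    --apply) apply_with_rollback "$2" "$3" "${4:-120}" ;;
esac
```

Run it as `sh fw.sh --print 192.0.2.0/24 44.128.0.0/24` to review the rule set, and as root with `--apply` plus an optional timeout in seconds to load it. If the new rules cut off your SSH session, the old rule set comes back by itself once the timer expires; if you can still log in, kill the timer as the script tells you and the new rules stay.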

TODO:

  • Add more rules to allow specific services (please provide your ideas/wishes)
  • Allow more protocols from LAN to outside

UPDATES:

  • Tried to make it clear that this post does NOT (yet) cover AMPRnet gateways behind NAT.
  • Corrected typo: --port instead of --dport.
  • Allow traffic on loopback interface.
  • Allow ICMP everywhere.
  • Corrected last pair of rules where I accidentally had -i eth0 instead of -i tunl0

15 Comments

  1. Hi again Marc,

    Is the network 192.0.2.0/24 your LAN network where eth0 has its own IP and it is not a real Internet network? I have a LinuxBox here whose eth0 is 192.168.240.2 and my ADSL router's LAN IP is 192.168.240.1. The LinuxBox is in the DMZ of the router. Will your script work if I replace 192.0.2.0/24 with my LAN 192.168.240.0/24 or not? I hope your 192.0.2.0/24 is only an example of an unroutable 192.168.x.xx/24 network we all have in our homes where we use NAT for all our PCs and other devices.

    Also eth1 is your AMPRnet interface. I guess I can use whatever ports I have for AMPRnet, i.e. ax0 (AXUDP), ax1, ax2, ax3 and ax4 (radio ports with TNCs connected to them).

    Thanks in advance

    73 de Demetre SV1UY

    • This howto currently does NOT cover AMPRnet gateways which are located behind a NAT!

      192.0.2.0/24 is a network reserved for documentation purposes and I use it here within the scope of RFC5737, i.e. as an example in documentation.

  2. Hi Marc,

    I find that line:

    iptables -A INPUT -p tcp --port 22 -s 192.0.2.0/24 -j ACCEPT

    should be:

    iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT

    otherwise the iptables in my LinuxMint 15 do not accept it.

    Also I have a very serious problem:
    I can’t connect to localhost (127.0.0.1) from my console. Any ideas please?

    Otherwise most seem to work OK.

    73 de Demetre SV1UY

  3. Marc,

    Also I cannot ping! hi hi hi!!!

    73 de SV1UY

    • Thanks. ICMP is really important in setups with tunnels. Especially for path MTU detection. I corrected the settings, ICMP is now allowed everywhere.

  4. What about DMZ hosts Marc? do I put my 192.168.x.xx/24 network instead of 192.0.2.0/24 in Allow remote management?
    73 de SV1UY

    • you should replace 192.0.2.0/24 with the network or IP address (/32 network) from where you would like to manage your AMPRnet gateway.

      Assume that you want to manage your AMPRnet gateway from your Laptop. In case your laptop is on a LAN with DHCP using the network 44.128.0.0/24 then replace 192.0.2.0/24 with 44.128.0.0/24. In case your laptop has a static IP 44.128.129.130 then replace 192.0.2.0/24 with 44.128.129.130/32.

      This howto does not cover AMPRnet gateways behind NAT (or within DMZ). I’m not sure when and if I will be able to simulate and verify such a setup and post the results here.

  5. FB FB FB Marc,

    I followed the info and my GATEWAY which is behind DMZ seems to work up to now. The lo interface was important because I could not make outside connections either.

    I guess if you want to open incoming ports you have to use the trick with port 22 but use as a net 0.0.0.0/0 ???

    Thanks a lot.

    73 de Demetre SV1UY

    • Yes, you may allow SMTP service via

      iptables -A INPUT -p tcp --dport 25 -j ACCEPT

      Omitting the -s x.x.x.x/x parameter allows any source.

      The loopback rules should be unrelated to outgoing traffic, unless that outgoing traffic relied on action via loopback (DNS query?).

  6. Hey man, you are the best. I’ve got my Dynamic (in my DMZ zone not NAT) AMPRnet GATEWAY 44.154.0.1 working almost fully and securely, by following your examples.

    I have also installed ddclient in my LinuxMint box and it works FB FB FB.

    All that is left now is a way (small script perhaps?) to make my Linux Box understand that my IP has changed and restart rip44d, which I start as follows and it works FB FB FB.

    # Start rip44d daemon
    echo "starting rip44d"
    /etc/ax25/rip44d -a $(dig +short sv1uy.dyndns.org) -p passwordforrip < /dev/null &
    echo "rip44d started"
    /bin/sleep 4

    Of course passwordforrip is an example password not the correct one, just in case prying eyes see it here.

    73 de Demetre SV1UY

  7. Hi Marc,

    In the end I had to add the following:

    ### Allow all ports from 44net
    /sbin/iptables -A INPUT -p tcp -i tunl0 -s 44.0.0.0/8 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i tunl0 -s 44.0.0.0/8 -j ACCEPT

    otherwise no 44 incoming traffic was possible.

    Also in the:
    ### Allow outbound IPIP packets (to everywhere)
    I have to add a line with the tunl0 interface as well as eth0.

    The same in the section
    ### Allow outbound connections from the local gateway
    I added the tunl0 interface

    And finally in this section
    ### Allow traffic from LAN to outside (BCP38 applied)
    I also added the tunl0 and all my radio interfaces and netrom interfaces and rose interface.

    I wonder if this is OK.

    73 de Demetre SV1UY

    • 1) if you intend to allow AMPRnet hosts to access all services on your gateway then you may use
      /sbin/iptables -A INPUT -p tcp -i tunl0 -s 44.0.0.0/8 -j ACCEPT
      /sbin/iptables -A INPUT -p udp -i tunl0 -s 44.0.0.0/8 -j ACCEPT

      2) if you want to access other hosts from your gateway you may want to use:
      iptables -A OUTPUT -p udp -j ACCEPT
      iptables -A OUTPUT -p tcp -j ACCEPT
      iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

      3) if you want your LAN hosts to be accessible either replace the last pair of rules with
      iptables -A FORWARD -i tunl0 -p udp -j ACCEPT
      iptables -A FORWARD -i tunl0 -p tcp -j ACCEPT

      or open certain services specifically by adding similar lines (not replacing the last pair). Note that --dport takes a single port; a list of ports needs the multiport match:
      iptables -A FORWARD -i tunl0 -d 44.256.0.11 -p udp --dport 53 -j ACCEPT
      iptables -A FORWARD -i tunl0 -d 44.256.0.22 -p tcp -m multiport --dports 80,443 -j ACCEPT

      As stated in the title the rules are sort of "paranoid" so you need to add more rules to allow other traffic patterns than those shown in the post.

  8. OK Marc,

    I will try your suggestions and report back to tell you exactly what I have here.

    If you want I can send you my FIREWALL rules as they are modified from me so that you can post accordingly for people with Gateways in the DMZ zone.

    I bet many are interested because many I know have dynamic IP addresses.

    73 de SV1UY
