I have been asked a couple of times to provide a starting point for a firewall based on iptables for AMPRnet gateways based on Linux. I’ll try to accomplish this here.
I’m assuming your Linux gateway uses the following interfaces:
- eth0 : connected to the Internet, has a public static IP address (this post does NOT cover AMPRnet gateways behind NAT or within DMZ)
- eth1 : connected to your local AMPRnet LAN, has a static 44net IP address
- tunl0 : the IPIP tunnel interface
The following script will allow to receive IPIP, RIPv2 and Management traffic. It will also allow connection to be initiated from the gateway or the LAN by employing a stateful firewall:
(ATTENTION: you will most probably lose connectivity to your gateway if you apply these rules remotely)
### Drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP### Allow traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT### ICMP is important and must work
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT### Allow remote management via SSH
### repeat for every subnet or IP address you want to allow
iptables -A INPUT -p tcp –dport 22 -s 192.0.2.0/24 -j ACCEPT### allow inbound IPIP packets (from everywhere)
iptables -A INPUT -i eth0 -p 4 -j ACCEPT### allow inbound RIPv2 messages
iptables -A INPUT -i tunl0 -s 44.0.0.1 -p udp –port 520 -j ACCEPT### allow inbound packets related to outbound packets (answers to request initiated locally)
iptables -A INPUT -i eth0 -p udp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT### allow outbound IPIP packets (to everywhere)
iptables -A OUTPUT -o eth0 -p 4 -j ACCEPT### allow outbound connections from the local gateway
iptables -A OUTPUT -o eth0 -p udp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -j ACCEPT### allow traffic from LAN to outside (BCP38 applied)
iptables -A FORWARD -i eth1 -s 44.256.0.0/24 -p udp -j ACCEPT
iptables -A FORWARD -i eth1 -s 44.256.0.0/24 -p tcp -j ACCEPT### allow packets related to outbound packets (answers to request initiated locally) to be forwarded
iptables -A FORWARD -i tunl0 -p udp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tunl0 -p tcp -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
MODIFICATIONS to do by you:
- replace 192.0.2.0/24 by the subnet or IP from where you want to connect to your gateway to manage it.
- replace 44.256.0.0/24 by your AMPRnet subnet.
TODO:
- Add more rules to allow specific services (please provide your ideas/wishes)
- Allow more protocols from LAN to outside
UPDATES:
- Tried to make it clear that this post does NOT (yet) cover AMPRnet gateways behind NAT.
- Corrected typo –port instead of –dport.
- Allow traffic on loopback interface.
- Allow ICMP everywhere.
- Corrected last pair of rules where I accidentally had -i eth0 instead of -i tunl0
16 Comments
Leave a reply →