I am setting up a small CentOS-5.3 host to act as a router. I have the device configured and working. What I am trying to accomplish now is configuring the firewall so as to protect both the router and the LAN.
The host configuration has the WAN attached to eth0 (IP_ADDR = A) and the LAN attached to eth1 (IP_ADDR = B). The default gateway for B is A. The default gateway for B is B-1. There is a static route set for eth0 (A) to route traffic for B/24 to B.
My understanding is that INCOMING packets, for the purposes of iptables, originate outside the host interfaces and that OUTGOING packets originate from, or are forwarded across, the host itself. So, as I understand things, traffic from network C/24 destined to B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1. Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT eth0. Is my understanding correct?
I have set up four custom chains, one each for IN and OUT on each of the two eth i/f. Incoming packets for eth0 are sent to the WAN-IN-CHAIN, outgoing are sent to the WAN-OUT-CHAIN. In a similar fashion I have LAN-IN-CHAIN and LAN-OUT-CHAIN.
My confusion arises from trying to setup an iptables filter on the WAN-IN-CHAIN so that traffic arriving to eth0 cannot connect to either A or B, but can nonetheless pass through B to B/24. I cannot seem to discover an arrangement whereby I can do this and still maintain network connectivity to B/24 from a console session running on the router itself.
Further, I wish to prevent any incoming connection from the WAN for any source address purporting to belong to the B/24 netblock (IP spoofing). Again, whatever arrangements that I try, whenever I enable such a rule I lose network connectivity from the console session to the LAN.
I would appreciate some guidance and an explanation of what fundamental issue it is that I am missing.
On Fri, 7 Aug 2009, James B. Byrne wrote:
I am setting up a small CentOS-5.3 host to act as a router. I have the device configured and working. What I am trying to accomplish now is configuring the firewall so as to protect both the router and the LAN. [....]
In the past, I'd have tried to craft the iptables rules by hand. Now, older and lazier, I rely on shorewall.
Shorewall generally produces pretty good rules. You can "compile" your logic to iptables rules without implementing them, so you could use shorewall to generate a set of rules that essentially do what you want, look them over, and then revise/implement the ones you like.
Paul Heinlein wrote:
On Fri, 7 Aug 2009, James B. Byrne wrote:
I am setting up a small CentOS-5.3 host to act as a router. I have the device configured and working. What I am trying to accomplish now is configuring the firewall so as to protect both the router and the LAN. [....]
In the past, I'd have tried to craft the iptables rules by hand. Now, older and lazier, I rely on shorewall.
Shorewall generally produces pretty good rules. You can "compile" your logic to iptables rules without implementing them, so you could use shorewall to generate a set of rules that essentially do what you want, look them over, and then revise/implement the ones you like.
If one really does want to configure by hand, I have found this to be very useful:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
Personally, I now use IPCOP to do this ... shorewall is another good firewall distro.
Thanks, Johnny Hughes
On Fri, 7 Aug 2009, Paul Heinlein wrote:
In the past, I'd have tried to craft the iptables rules by hand. Now, older and lazier, I rely on shorewall.
This is a +1 for shorewall, which is 42 times simpler [*] than doing it by hand.
Steve
[*] Actually, it's more than 42, but 42 is The Answer.
James B. Byrne wrote:
My understanding is that INCOMING packets, for the purposes of iptables, originate outside the host interfaces and that OUTGOING packets originate from, or are forwarded across, the host itself. So, as I understand things, traffic from network C/24 destined to B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1. Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT eth0. Is my understanding correct?
No. You don't have it right.
INPUT packets are packets destined for the router's own IP addresses (not going to any other machines).
FORWARD packets are packets being routed through the router (but not targeted at the router's own IP addresses).
OUTPUT packets are packets originated from the router itself (not packets being routed from other machines).
Hi,
On Fri, Aug 7, 2009 at 12:07, James B. Byrne <byrnejb@harte-lyne.ca> wrote:
The host configuration has the WAN attached to eth0 (IP_ADDR = A) and the LAN attached to eth1 (IP_ADDR = B). The default gateway for B is A. The default gateway for B is B-1.
This statement does not make any sense to me... Could you please use real IPs where possible and fake IPs (be consistent) where you don't want to disclose your private information?
My understanding is that INCOMING packets, for the purposes of iptables, originate outside the host interfaces and that OUTGOING packets originate from, or are forwarded across, the host itself. So, as I understand things, traffic from network C/24 destined to B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1. Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT eth0. Is my understanding correct?
If packets are traversing the router, you should add rules in the FORWARD chain and not INPUT and OUTPUT (those apply only to packets destined for the router).
You must also enable forwarding by adding this to /etc/sysctl.conf: net.ipv4.ip_forward = 1
And then running as root: sysctl -p
I have set up four custom chains, one each for IN and OUT on each of the two eth i/f. Incoming packets for eth0 are sent to the WAN-IN-CHAIN, outgoing are sent to the WAN-OUT-CHAIN. In a similar fashion I have LAN-IN-CHAIN and LAN-OUT-CHAIN.
Also, very confusing. How do those relate to INPUT, OUTPUT and FORWARD? Could you please post the rules you are using, maybe anonymizing the external IPs for privacy?
Further, I wish to prevent any incoming connection from the WAN for any source address purporting to belong to the B/24 netblock (IP spoofing). Again, whatever arrangements that I try, whenever I enable such a rule I lose network connectivity from the console session to the LAN.
Please post the rules you are trying. If you don't, there is no way we can tell you what is wrong there...
HTH, Filipe
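An added example, not code from the thread or from any of its posters, laying out a ruleset by the INPUT / FORWARD / OUTPUT distinction explained in the two replies above: INPUT for packets addressed to the router itself, FORWARD for packets routed between the two interfaces, OUTPUT for the router's own traffic. The interface names, the placeholder addresses (eth0 as the WAN side A, eth1 as the LAN side B, 192.168.1.0/24 standing in for B/24), the SPOOF chain and the IPT variable are this example's assumptions. Two details carry the weight: the anti-spoofing rule is tied to the WAN interface with `-i`, so it cannot match genuine LAN traffic arriving on eth1, and replies to the router's own connections (a console ssh session to a LAN host, for instance) are accepted as ESTABLISHED,RELATED in INPUT, while new connections from the WAN to A or B fall through to the DROP policy.

```shell
#!/bin/sh
# Added example, not code from the thread.  A two-interface iptables ruleset
# organised by the INPUT / FORWARD / OUTPUT chains.  Interface names and
# addresses are assumptions standing in for the thread's A, B and B/24.
WAN_IF=eth0                 # WAN side, router address "A"
LAN_IF=eth1                 # LAN side, router address "B"
LAN_NET=192.168.1.0/24      # the "B/24" netblock (RFC 1918 placeholder)

apply_rules() {
    ipt=${IPT:-/sbin/iptables}   # set IPT=echo to print the rules instead of loading them

    "$ipt" -F
    "$ipt" -X
    "$ipt" -P INPUT   DROP       # nothing reaches the router unless allowed below
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT  ACCEPT     # the router's own traffic (console sessions etc.)

    # Anti-spoofing: a packet arriving on the WAN interface with a LAN source
    # address is bogus.  The -i match is essential: without it the same rule
    # matches genuine LAN traffic arriving on eth1 and kills LAN connectivity.
    "$ipt" -N SPOOF
    "$ipt" -A SPOOF -j LOG --log-prefix "SPOOF: "
    "$ipt" -A SPOOF -j DROP
    "$ipt" -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j SPOOF
    "$ipt" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j SPOOF

    # INPUT: packets addressed to the router itself (A or B).
    "$ipt" -A INPUT -i lo -j ACCEPT
    # Replies to the router's own connections, e.g. an ssh session opened from
    # the console to a LAN host, come back through INPUT, not FORWARD.
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT
    "$ipt" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Anything else, in particular new connections from the WAN to A or B,
    # falls through to the DROP policy.

    # FORWARD: packets routed between eth0 and eth1, never addressed to the router.
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # WAN -> LAN: traffic passes through to B/24.  Narrow this to the services
    # actually offered (e.g. -p tcp --dport 80) before deployment.
    "$ipt" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
}

# Usage:  sh firewall.sh apply             (loads the rules; needs root)
#         IPT=echo sh firewall.sh apply    (prints the rules for review)
if [ "${1-}" = apply ]; then apply_rules; fi
```

Run it with IPT=echo first and read the generated rules, the same review step suggested for shorewall's compile output; forwarding itself still has to be enabled with the sysctl setting given above, and on CentOS 5 the loaded rules are persisted with `service iptables save`.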
On Fri, August 7, 2009 12:07, James B. Byrne wrote:
I am setting up a small CentOS-5.3 host to act as a router. I have the device configured and working. What I am trying to accomplish now is configuring the firewall so as to protect both the router and the LAN.
Thank you for the replies. I have been reading about iptables all weekend and have clarified a number of misconceptions that I had.
I have a few specific questions wrt rp_filter. Is this set anywhere in the startup scripts that ship with CentOS? If so then where? How would one best configure this setting or should it be left off, as I believe that it is by default? Does it make any sense to enable this on the eth0 i/f given that eth0 is the WAN i/f?
Sincerely,
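An added example, not part of the thread, for inspecting the rp_filter question raised in the message above. The setting is exposed per interface under /proc/sys/net/ipv4/conf/<interface>/rp_filter, alongside the pseudo-entries `all` and `default` (`default` seeds interfaces that appear later). The stock /etc/sysctl.conf on CentOS 5 carries a `net.ipv4.conf.default.rp_filter = 1` line (check your own copy), and the kernel's ip-sysctl.txt for 2.6.18-era kernels states that conf/all/rp_filter must also be set for source validation on an interface to take effect; that AND rule is what the report below applies. The report format and the optional directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report rp_filter per interface.
# rp_filter lives in /proc/sys/net/ipv4/conf/<if>/rp_filter; "all" and
# "default" are pseudo-interfaces.  On the 2.6.18 kernel CentOS 5 ships,
# ip-sysctl.txt says all/rp_filter must also be 1 for per-interface source
# validation to take effect, so "effective" below is all AND interface.

# rp_filter_effective ALL_VALUE IF_VALUE -> prints 1 if validation is active
rp_filter_effective() {
    if [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then echo 1; else echo 0; fi
}

# rp_filter_report [CONF_DIR]
# Prints "iface setting effective" for each entry under CONF_DIR (default
# /proc/sys/net/ipv4/conf).  A WAN interface that is on only nominally, or a
# LAN interface that is off, stands out immediately.  (CONF_DIR is an
# assumed parameter so the function can be exercised on a constructed tree.)
rp_filter_report() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf/all/rp_filter")
    for d in "$conf"/*/; do
        d=${d%/}
        iface=${d##*/}
        [ "$iface" = all ] && continue   # 'all' is the global gate, not an interface
        val=$(cat "$d/rp_filter")
        printf '%s %s %s\n' "$iface" "$val" "$(rp_filter_effective "$all" "$val")"
    done
}

# Usage: sh rp_filter_report.sh report
if [ "${1-}" = report ]; then rp_filter_report; fi
```

On a router with symmetric routes, which is the case here (B/24 is reached only via eth1, C/24 only via eth0), enabling rp_filter on the WAN interface is harmless and makes the kernel drop WAN packets with a B/24 source before any iptables rule sees them; an explicit iptables anti-spoofing rule is still worth keeping, because it logs what rp_filter silently discards.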