Sunday 14 March 2010

iptables

Previous posts have shown how I set the server up to act as a backup facility. In doing that work, I also covered the issue of shared files.

My other main aim was to do with network traffic. I am in an area that is now Local Loop Unbundled, and so my ISP choices are relatively restricted. Moreover, although I have pretty much unlimited access at weekends and in the evenings, between 9 and 6 Monday to Friday I have a download limit of only 1GB per month. I don't access the net at those times, but the kids do.

I also want to ensure that the network is "locked down" so far as possible. Although my Belkin F5D7632 wireless router has network management capabilities in its interface, they are quite limited and inflexible, so I want to do this via the server.

iptables is the logical way to progress. Installing it on the server is once again straightforward via Synaptic.

The aims are:

1. Weekdays 9-6 - allow SSH, Webmin and IM. If possible, allow HTTP to specified URLs only.

2. After 6pm - allow HTTP and HTTPS in addition to the more restricted version above.

I originally followed the tutorial at https://help.ubuntu.com/community/IptablesHowTo, which got me set up, but I then had many more questions. I also referred to http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/, http://www.dd-wrt.com/wiki/index.php/Iptables_command#Block_all_traffic_except_HTTP_HTTPS_and_FTP, http://linuxgazette.net/108/odonovan.html and finally http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

There does seem to be a means of putting time conditions within the iptables rules themselves, but it requires a kernel rebuild.

This, then, is my incredibly wordy solution (which, thus far, works).

1. Give all machines a static IP
2. Turn off DHCP on the router
3. Set up a crontab (using the friendly gnome-schedule front end) that loads a different set of iptables rules at different times
4. Have (currently) three sets of iptables rules to cover the eventualities above.

Here's the crontab first:

0 7 * * * /sbin/iptables-restore < /home/name/Desktop/iptables.rules > /dev/null 2>&1
30 08 * * 1-5 /sbin/iptables-restore < /home/name/Desktop/iptables_lockdown.rules > /dev/null 2>&1
30 15 * * 1-5 /sbin/iptables-restore < /home/name/Desktop/iptables_restricted.rules > /dev/null 2>&1
0 18 * * 1-5 /sbin/iptables-restore < /home/name/Desktop/iptables.rules > /dev/null 2>&1
30 22 * * * /sbin/iptables-restore < /home/name/Desktop/iptables_lockdown.rules > /dev/null 2>&1

So what does this mean? Let's go through the second row of the crontab:
  • 30 is the minute past the hour
  • 8 is the hour
  • The next two asterisks are where one would place limits by day of the month and month of the year
  • 1-5 means this applies on Monday to Friday (crontab counts from Sunday as day 0)
  • Then the main command tells the system to replace the running iptables rules with those in the specified file
  • Finally > /dev/null 2>&1 discards both normal output and error output, so the job produces nothing
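
As an added check (not part of the original post), here is the crontab above replayed in Python: given a weekday and time, it reports which rules file is in force, which makes it easy to confirm the before-8:30 / after-18:00 / weekend behaviour before relying on it. Only the minute, hour and day-of-week fields are interpreted, since the day-of-month and month fields are all '*'.

```python
import re

# The post's crontab, copied from above: daily 07:00 / 22:30 entries plus the weekday ones.
CRONTAB = """\
0 7 * * * /sbin/iptables-restore < /home/name/Desktop/iptables.rules > /dev/null 2>&1
30 08 * * 1-5 /sbin/iptables-restore < /home/name/Desktop/iptables_lockdown.rules > /dev/null 2>&1
30 15 * * 1-5 /sbin/iptables-restore < /home/name/Desktop/iptables_restricted.rules > /dev/null 2>&1
0 18 * * 1-5 /sbin/iptables-restore < /home/name/Desktop/iptables.rules > /dev/null 2>&1
30 22 * * * /sbin/iptables-restore < /home/name/Desktop/iptables_lockdown.rules > /dev/null 2>&1
"""

def _dow_set(field):
    """Expand a cron day-of-week field ('*', '1-5', '0,6') into a set of 0..6, 0 being Sunday."""
    if field == "*":
        return set(range(7))
    days = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        days.update(range(int(lo), int(hi or lo) + 1))
    return days

def parse_crontab(text):
    """Return (minute, hour, day-of-week set, rules file name) for each iptables-restore line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        minute, hour, _dom, _mon, dow, cmd = line.split(None, 5)
        m = re.search(r"iptables-restore\s*<\s*(\S+)", cmd)
        if m:   # lines that are not iptables-restore jobs are ignored
            entries.append((int(minute), int(hour), _dow_set(dow), m.group(1).rsplit("/", 1)[-1]))
    return entries

def active_ruleset(entries, dow, hour, minute):
    """Name of the rules file that iptables-restore loaded most recently at or before the given
    weekday (0 = Sunday) and time: the set the kernel would still be running at that moment.
    Walks back one day at a time, up to a week, and takes the latest firing it finds."""
    for days_ago in range(8):
        day = (dow - days_ago) % 7
        fired = [(h, m, rules) for m, h, days, rules in entries
                 if day in days and (days_ago > 0 or (h, m) <= (hour, minute))]
        if fired:
            return max(fired)[2]
    return None
```

Note that the schedule this produces is 08:30-15:30 lockdown and 15:30-18:00 restricted on weekdays, with the full set from 07:00 and lockdown from 22:30 every day, which is tighter than the "9-6" stated in the aims.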

Now the iptables rules themselves. Firstly, the most flexible variant:

# Generated by iptables-save v1.4.4 on Sun Jan 31 19:11:31 2010
*mangle
:PREROUTING ACCEPT [3706:361966]
:INPUT ACCEPT [1712:249192]
:FORWARD ACCEPT [1993:112718]
:OUTPUT ACCEPT [1840:557887]
:POSTROUTING ACCEPT [3833:670603]
COMMIT
# Completed on Sun Jan 31 19:11:31 2010
# Generated by iptables-save v1.4.4 on Sun Jan 31 19:11:31 2010
*nat
:PREROUTING ACCEPT [6:555]
:POSTROUTING ACCEPT [3:331]
:OUTPUT ACCEPT [3:454]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Jan 31 19:11:31 2010
# Generated by iptables-save v1.4.4 on Sun Jan 31 19:11:31 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.x/32 -j ACCEPT
-A INPUT -s 192.168.2.y/32 -j ACCEPT
-A INPUT -s 192.168.2.z/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.8/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.8/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.2.5/32 -j ACCEPT
-A OUTPUT -d 192.168.2.5/32 -j ACCEPT
-A OUTPUT -j DROP
COMMIT

Now the restricted variant:

# Generated by iptables-save v1.4.4 on Sun Jan 17 17:37:32 2010
*mangle
:PREROUTING ACCEPT [30:2180]
:INPUT ACCEPT [30:2180]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:6947]
:POSTROUTING ACCEPT [18:6947]
COMMIT
# Completed on Sun Jan 17 17:37:32 2010
# Generated by iptables-save v1.4.4 on Sun Jan 17 17:37:32 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Jan 17 17:37:32 2010
# Generated by iptables-save v1.4.4 on Sun Jan 17 17:37:32 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.2.5/32 -j ACCEPT
-A OUTPUT -d 192.168.2.5/32 -j ACCEPT
-A OUTPUT -j DROP
COMMIT


And finally the lockdown variant:

# Generated by iptables-save v1.4.4 on Mon Jan 18 22:56:31 2010
*mangle
:PREROUTING ACCEPT [134:12204]
:INPUT ACCEPT [134:12204]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:17866]
:POSTROUTING ACCEPT [77:17608]
COMMIT
# Completed on Mon Jan 18 22:56:31 2010
# Generated by iptables-save v1.4.4 on Mon Jan 18 22:56:31 2010
*nat
:PREROUTING ACCEPT [1:100]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:258]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan 18 22:56:31 2010
# Generated by iptables-save v1.4.4 on Mon Jan 18 22:56:31 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT

Each successive variant is a subset of the previous one. Here is an annotated version of the "full" rules showing what each line means (based on my far from technical understanding):

-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7 - I've now removed this logging due to the problems I mention here
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT - this is for DNS
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT - SSH
-A INPUT -s 192.168.2.x/32 -j ACCEPT - server can access network whenever
-A INPUT -s 192.168.2.y/32 -j ACCEPT - so can the Macbook
-A INPUT -s 192.168.2.z/32 -j ACCEPT - the other IP address for Macbook
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 - also removed
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT - VNC
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT - webmin
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT - dns
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT - dns
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT - ssh
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT - VNC
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT - https / IM
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT - http
-A FORWARD -d 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP - everything else is dropped
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7 - removed
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.2.5/32 -j ACCEPT
-A OUTPUT -d 192.168.2.5/32 -j ACCEPT
-A OUTPUT -j DROP

As Instant Messaging uses https, I can open the iptables rules to this channel while still not allowing http.
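
An added example, not from the original post: a minimal first-match walk over the restricted set's FORWARD chain (copied from the dump above). It understands only the -s, -d, -p and destination-port matches those rules use, and is enough to check claims like the one just made, that 192.168.2.15 gets out on 443 but not on 80.

```python
import ipaddress
import shlex

# FORWARD chain of the "restricted" rule set, copied from the iptables-save dump above.
RESTRICTED_FORWARD = """\
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -j DROP
"""

def parse_rule(line):
    """Reduce one '-A' line to the matches this walker understands; every option here takes one argument."""
    toks = shlex.split(line)
    opts = dict(zip(toks[::2], toks[1::2]))   # '-A FORWARD' and '-m <module>' are parsed but carry no criteria
    rule = {"target": opts["-j"], "proto": opts.get("-p")}
    for key in ("-s", "-d"):
        if key in opts:
            rule[key] = ipaddress.ip_network(opts[key])
    ports = opts.get("--dport") or opts.get("--dports")
    rule["ports"] = {int(p) for p in ports.split(",")} if ports else None
    return rule

def matches(rule, src, dst, proto, dport):
    """True when the packet satisfies every criterion the rule carries (absent criteria match anything)."""
    return (("-s" not in rule or ipaddress.ip_address(src) in rule["-s"])
            and ("-d" not in rule or ipaddress.ip_address(dst) in rule["-d"])
            and (rule["proto"] is None or rule["proto"] == proto)
            and (rule["ports"] is None or dport in rule["ports"]))

def verdict(chain_text, src, dst, proto, dport):
    """First-match walk of the chain, as netfilter does; ACCEPT is the chain policy in the post."""
    for line in chain_text.splitlines():
        if line.startswith("-A "):
            rule = parse_rule(line)
            if matches(rule, src, dst, proto, dport):
                return rule["target"]
    return "ACCEPT"
```

The same walk shows that a reply coming back to 192.168.2.15 arrives with the client's ephemeral port as its destination and so reaches the final DROP, because this FORWARD chain has no RELATED,ESTABLISHED rule like the one in INPUT; such a rule near the top is what lets return traffic through without listing every port.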