Hi Michael,

> I have never done any iptables rules so this will be a first. 

This is a great way to learn; the INT_INPUT_CHAIN chain defaults to ACCEPT 
anyway, so any changes will only be more restrictive.  Always test your 
changes; the CLI "arno-iptables-firewall restart" will show an error if you 
make an iptables syntax error.

Using the example shown below with the custom_wg_lan_input() function, you can 
make tweaks.

One tweak may be a special case for a WireGuard source address ... added within 
the custom_wg_lan_input() function:

## Allow WG LAN->Local for source IP 10.4.0.15 all packets
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -j ACCEPT

--or--
## Allow WG LAN->Local for source IP 10.4.0.15 to TCP 443
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -p tcp --dport 443 -j ACCEPT

--or--
## Allow WG LAN->Local for source IP 10.4.0.15 to UDP 5060
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -p udp --dport 5060 -j ACCEPT

Understand that the order of the rules added to the INT_INPUT_CHAIN chain 
matters: as soon as a packet matches a rule and jumps to ACCEPT the packet will 
flow on (allowed), regardless of any other rules.

Similarly, when a packet matches a rule and jumps to DROP the packet will not 
flow (i.e. denied), regardless of any other rules.

Lonnie
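As an added example, not code from the thread or from AstLinux, here is a custom_wg_lan_input() for the custom-rules file that puts the per-source tweak, the port-based ACCEPT from the earlier example and the catch-all DROP together in the order the matching behaviour described above requires, plus a dry-run helper so the order can be checked before restarting the firewall. The IPT_CMD variable and the preview_wg_rules/wg_rules_drop_is_last helpers are assumed names of mine; 10.4.0.15, TCP 443 and TCP 22 are the values used in the thread.

```shell
# Added example for /mnt/kd/arno-iptables-firewall/custom-rules (not code from
# the thread or from AstLinux). Combines the per-source tweak with the
# port-based ACCEPT and the catch-all DROP, in the order that makes them work.
#
# IPT_CMD is an assumed name, not an arno-iptables-firewall variable: set it
# to "echo" to print the rules instead of applying them (dry run).
IPT_CMD="${IPT_CMD:-iptables}"

custom_wg_lan_input()
{
  local wg_if mgmt_host

  wg_if="${WIREGUARD_IF:-wg0}"
  mgmt_host="10.4.0.15"   # management host inside the tunnel (from the thread)

  echo "[CUSTOM RULE] Custom WireGuard LAN->Local"

  # 1. Most specific first: only the management host may reach HTTPS.
  $IPT_CMD -A INT_INPUT_CHAIN -i "$wg_if" -s "$mgmt_host" -p tcp --dport 443 -j ACCEPT

  # 2. Broader allowance: any tunnel peer may reach SSH (port 22 here).
  $IPT_CMD -A INT_INPUT_CHAIN -i "$wg_if" -p tcp --dport 22 -j ACCEPT

  # 3. Catch-all last: anything else from the tunnel to Local is dropped.
  #    If this DROP came first it would match every packet and the ACCEPTs
  #    above would never be reached.
  $IPT_CMD -A INT_INPUT_CHAIN -i "$wg_if" -j DROP
}

# Dry run: print the rules in the order they would be appended, without
# touching the live firewall (use before "arno-iptables-firewall restart").
preview_wg_rules()
{
  ( IPT_CMD=echo; custom_wg_lan_input ) | grep '^-A INT_INPUT_CHAIN'
}

# Ordering check: returns 0 only when the last emitted rule is the catch-all
# DROP, i.e. no ACCEPT is shadowed by it.
wg_rules_drop_is_last()
{
  case "$(preview_wg_rules | tail -n 1)" in
    "-A INT_INPUT_CHAIN -i "*" -j DROP") return 0 ;;
    *) return 1 ;;
  esac
}

# In the real custom-rules file, finish with a bare call as the thread's
# example does:  custom_wg_lan_input
```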




> On Sep 14, 2019, at 9:12 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Thanks Lonnie
> 
> I have never done any iptables rules so this will be a first. 
> 
> Regards
> Michael Knill
> 
> Sent from my iPhone so please excuse my brevity. 
> 
>> On 10 Sep 2019, at 8:32 am, Lonnie Abelbeck <li...@lonnie.abelbeck.com> 
>> wrote:
>> 
>> Hi Michael,
>> 
>> OK, that is best done via custom rules in 
>> "/mnt/kd/arno-iptables-firewall/custom-rules".
>> 
>> For this example WireGuard LAN->Local will drop all traffic except SSH.
>> 
>> -- /mnt/kd/arno-iptables-firewall/custom-rules --
>> # Put any custom (iptables) rules here down below:
>> ##################################################
>> 
>> custom_wg_lan_input()
>> {
>> local wg_if
>> 
>> wg_if="${WIREGUARD_IF:-wg0}"
>> 
>> echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
>> iptables -A INT_INPUT_CHAIN -i $wg_if -p tcp --dport 22 -j ACCEPT
>> iptables -A INT_INPUT_CHAIN -i $wg_if -j DROP
>> }
>> custom_wg_lan_input
>> --
>> 
>> apply changes...
>> pbx # arno-iptables-firewall restart
>> 
>> test new rules with...
>> pbx # iptables -nvL INT_INPUT_CHAIN
>> Chain INT_INPUT_CHAIN (3 references)
>> pkts bytes target     prot opt in     out     source               destination
>>    1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>    3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
>> ...
>> 
>> and for IPv6...
>> pbx # ip6tables -nvL INT_INPUT_CHAIN
>> Chain INT_INPUT_CHAIN (3 references)
>> pkts bytes target     prot opt in     out     source               destination
>>    0     0 ACCEPT     tcp      wg0    *       ::/0                 ::/0                 tcp dpt:22
>>    0     0 DROP       all      wg0    *       ::/0                 ::/0
>> ...
>> 
>> Since the default LAN->Local policy is ACCEPT we need to use DROP to block 
>> all for wg0.
>> 
>> As always, test the firewall rule changes to make sure it works as expected.
>> 
>> Lonnie
>> 
>> 
>>> On Sep 9, 2019, at 3:17 PM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>> Hi sorry Lonnie, I didn't explain it well enough.
>>> 
>>> I want to provide different access to Local from a physical LAN than the 
>>> wg0 interface.
>>> For instance I want to open TCP443, my SSH Port and possibly other ports 
>>> from the physical LAN but open my SSH Port only from wg0.
>>> 
>>> I could do it based on the Source IP; however, as there are only Deny 
>>> LAN->Local rules possible, I'm not sure how I could just open a single port 
>>> and deny all the rest? 
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>> 
>>>  I don't understand what you are asking, but the default isolated wg0 
>>> interface can be allowed to access physical LAN interfaces with:
>>> 
>>>  _x_ Allow WireGuard VPN tunnel to the [ 1st     ] LAN Interface(s)
>>> 
>>>  And LAN's can access Local by default.
>>> 
>>>  Lonnie
>>> 
>>> 
>>> 
>>>> On Sep 8, 2019, at 10:57 PM, Michael Knill 
>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>> 
>>>> Thanks Lonnie.
>>>> 
>>>> Just wondering how I could use Deny LAN->Local when I actually want to 
>>>> allow onsite local LAN traffic to access the system admin interface? 
>>>> I really need a Pass LAN->Local to do this!
>>>> 
>>>> Regards
>>>> Michael Knill
>>>> 
>>>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On Sep 8, 2019, at 8:46 PM, Michael Knill 
>>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>>> 
>>>>> Hi Group
>>>>> 
>>>>> I am seeing lots of hacking attempts on my systems as they have found my 
>>>>> non standard SSH port. Although there is no issue as I have SSH Key 
>>>>> access only, I'm sick of the long list of addresses in the Adaptive Ban 
>>>>> list and I'm thinking I should be adding another line of defence in my 
>>>>> security anyway.
>>>>> As such, along with implementing Geoblocking Netset files (next release), 
>>>>> I also want to use a Jump box for management. This server would connect 
>>>>> to each system via Wireguard VPN allowing management also when in a 
>>>>> failover condition through NAT e.g. 4G backup, firewall managed by others.
>>>>> 
>>>>> With this architecture in mind, I was wondering how I would go about 
>>>>> restricting access to a single port only from this Wireguard VPN tunnel 
>>>>> to the local interface e.g. wg0 address. I think it is completely open 
>>>>> currently.
>>>>> 
>>>>> Is it easy to do?
>>>>> 
>>>>> Regards
>>>>> Michael Knill
>>>> 
>>>> If SSH access can only occur within a WireGuard tunnel, no port filtering 
>>>> is required since access is secured by WireGuard.
>>>> 
>>>> As such, only allow remote user access to the management VPN via a 
>>>> WireGuard tunnel.
>>>> 
>>>> But, if you want to filter SSH from wg0 to the local device by source IP 
>>>> address, try 
>>>> 
>>>> Firewall Rules:
>>>> Action: [ Deny LAN->Local ]
>>>> 
>>>> keeping in mind that the wg0 interface is treated as an isolated LAN 
>>>> subnet from any other LAN subnet.
>>>> 
>>>> Lonnie
>>>> 
>>> 
>> 
> 



_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
