We have a firewall (Debian Linux sid, kernel 2.4.0, iptables 1.2) between our net and the Internet. To configure iptables I use http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables. I had to change the original script so that it matched our environment: the firewall is connected to the Internet via a leased line (PPP), and to the private network via 100 MB Ethernet. The private network consists of 7 subnetworks: 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16, 172.25.0.0/16, 172.26.0.0/16, 172.27.0.0/16, 172.28.0.0/16. We have a domain of our own. DNS and Sendmail are running on the firewall. Some users (not everyone) are allowed to send/receive E-mail to/from the Internet and are not allowed to connect to any other Internet resources. Some users (not everyone) are allowed to connect to any Internet resources (E-mail included).
I made the following changes to the script:

#!/bin/sh
##################################################################
#
## rc.firewall.iptables -- Version 1.1b
#
##################################################################
## [EMAIL PROTECTED]
## http://www.sentry.net/~obsid/
## 10/20/00
## Example IPTables 1.1.2 script for a dual homed firewall.
## Please feel free to send me any comments or suggestions.
## Visit one of the NetFilter Project Home Pages for more information about IPTables.
## http://netfilter.kernelnotes.org/

[...]

## Variables
IPTABLES="/usr/sbin/iptables"
INTERNAL="eth0"         # Internal Interface
EXTERNAL="ppp0"         # External Interface
LOOPBACK="lo"           # Loopback Interface
INTERNAL_NET="172.16.0.0/12"
ANY_ALLOWED="<IP-addresses of users allowed to connect to any Internet resources>"
MAIL_ALLOWED="<IP-addresses of users allowed to send/receive E-mail to/from the Internet>"

[...]

###############################################################################
## New chain for input to the internal interface
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input

## ACCEPT internal to internal traffic
#--- $IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT
for HOST in $ANY_ALLOWED $MAIL_ALLOWED; do
    $IPTABLES -A INTERNAL-input -i $INTERNAL -s $HOST -d 0/0 -j ACCEPT
done

[...]

##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##
## Source NAT allows us to "masquerade" our internal machines behind our
## firewall.

## Static IP address
##
## Change source address of outgoing packets on external
## interface to our IP address.
#--- $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP
for HOST in $ANY_ALLOWED; do
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j SNAT --to $EXT_IP
done

## Dynamic IP address
##
#--- $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
for HOST in $ANY_ALLOWED; do
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST -j MASQUERADE
done

[...]

## EOF

It works, I don't see any warnings in the log files, but I'd like to be sure I didn't decrease the security level by having made such modifications. My questions are:

1. Is it enough (for security reasons) to modify only the INPUT chain for ANY_ALLOWED and MAIL_ALLOWED users, and the NAT table for ANY_ALLOWED users? Wouldn't it be more secure to modify the OUTPUT and FORWARD chains as well? I tried to modify the FORWARD chain, but it gave me nothing. Any user who passed the INPUT chain passed FORWARD as well, never mind whether I tried to control his passing or not. Could it be because the FORWARD policy is ACCEPT? And here is my 2nd question.

2. In the script the default policies are:

[...]
## Set Default Policies
$IPTABLES -P INPUT DROP    ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
[...]

Wouldn't it be more secure to have all of them DROP?

3. To let users send/receive E-mail to/from the Internet I add to the ALLOW_PORTS-EXTERNAL chain the lines:

[...]
## SMTP
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 25 -j ACCEPT
[...]

Shouldn't I add the same line for UDP?

4. Do I understand correctly that INTERNAL_NET="172.16.0.0/12" matches any network in the range 172.16.0.0/16 - 172.32.0.0/16?

Thank you,
Mikhail.
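The post's questions 1, 2 and 4 hinge on two facts: the INPUT chain only sees packets addressed to the firewall itself, so a host whose traffic is routed through the box is judged by FORWARD, and with FORWARD's policy at ACCEPT anything not explicitly matched there passes. The script below is an added example (not the rc.firewall.iptables script from the post, nor anything from its author) that builds a default-DROP INPUT and FORWARD rule set for the two user classes the post describes, limits SNAT to the hosts that may be forwarded, and includes a small POSIX-sh CIDR check for seeing which of the seven /16s 172.16.0.0/12 actually covers. Interface names, EXT_IP and the two host lists are placeholders; IPTABLES defaults to "echo iptables" so the rules can be reviewed on any machine, and is set to the real binary to apply them. The state match used for return traffic exists in kernel 2.4 / iptables 1.2 (ipt_state).

```shell
#!/bin/sh
# Added example, not the rc.firewall.iptables script from the post.
# ANY_ALLOWED hosts may go anywhere (forwarded and SNATed); MAIL_ALLOWED
# hosts may only reach the Sendmail running on the firewall itself.
# IPTABLES defaults to "echo iptables" so the rules can be reviewed and
# tested without netfilter; set IPTABLES=/usr/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
INTERNAL="eth0"                         # placeholder, as in the post
EXTERNAL="ppp0"                         # placeholder, as in the post
INTERNAL_NET="172.16.0.0/12"
EXT_IP="192.0.2.1"                      # placeholder (TEST-NET-1)
ANY_ALLOWED="172.16.1.10 172.25.3.7"    # placeholder addresses
MAIL_ALLOWED="172.17.2.20"              # placeholder addresses

# INPUT: traffic addressed to the firewall host itself.
input_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The post says DNS runs on the firewall; assume every internal host
    # resolves through it. DNS needs both UDP and TCP on port 53.
    $IPTABLES -A INPUT -i "$INTERNAL" -s "$INTERNAL_NET" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$INTERNAL" -s "$INTERNAL_NET" -p tcp --dport 53 -j ACCEPT
    # Mail-only hosts reach the local MTA on TCP/25. SMTP is TCP only, so
    # no UDP counterpart is needed. Mail pickup (POP/IMAP) is not described
    # in the post and is left out here.
    for HOST in $MAIL_ALLOWED; do
        $IPTABLES -A INPUT -i "$INTERNAL" -s "$HOST" -p tcp --dport 25 -j ACCEPT
    done
    for HOST in $ANY_ALLOWED; do
        $IPTABLES -A INPUT -i "$INTERNAL" -s "$HOST" -j ACCEPT
    done
    # Inbound SMTP from the Internet to the local MTA.
    $IPTABLES -A INPUT -i "$EXTERNAL" -p tcp --dport 25 -j ACCEPT
}

# FORWARD: traffic routed through the firewall. With the policy at DROP a
# host that is not listed is stopped here regardless of what INPUT allows,
# because INPUT never sees forwarded packets.
forward_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for HOST in $ANY_ALLOWED; do
        $IPTABLES -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -s "$HOST" -j ACCEPT
    done
    # Log what the policy is about to drop so denied hosts show up in syslog.
    $IPTABLES -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -s "$INTERNAL_NET" \
        -j LOG --log-prefix "FWD-DENIED: "
}

# nat/POSTROUTING: only hosts that may be forwarded need a source mapping.
nat_rules() {
    $IPTABLES -t nat -F POSTROUTING
    for HOST in $ANY_ALLOWED; do
        $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL" -s "$HOST" \
            -j SNAT --to "$EXT_IP"
    done
}

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only (runs in a
# subshell so the IFS change does not leak).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Print "yes" if address $1 lies inside CIDR block $2, else "no".
in_cidr() {
    net="${2%/*}"; bits="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# Review mode: print the rules that would be applied, then show which
# candidate /16s fall inside INTERNAL_NET.
input_rules; forward_rules; nat_rules
for NET in 172.16.0.0 172.28.0.0 172.31.0.0 172.32.0.0; do
    echo "$NET in $INTERNAL_NET: $(in_cidr "$NET" "$INTERNAL_NET")"
done
```

Run it as-is to see the rule list on stdout; run it with IPTABLES=/usr/sbin/iptables on the firewall to load the rules. The CIDR check shows that a /12 spans 172.16.0.0 through 172.31.255.255, so all seven of the post's /16s are covered while 172.32.0.0 is not. OUTPUT is left alone here because it only governs packets the firewall itself originates; tightening it constrains the local Sendmail and DNS rather than the internal users.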

