[Swan] Basic firewall rules for traffic through tunnel
Nick Howitt
nick at howitts.co.uk
Mon Apr 2 08:06:29 UTC 2018
Hi Paul,
ClearOS comes with the following automatic rules to allow traffic to
pass through the tunnel using packet marking:
iptables -I PREROUTING -t mangle -p esp -j MARK --set-mark 0x64
iptables -I INPUT -m mark --mark 0x64 -d my_wan_IP -j ACCEPT   # necessary for incoming traffic
iptables -I INPUT -m mark --mark 0x64 -d my_LAN_IP -j ACCEPT   # not too sure why needed
iptables -I FORWARD -m mark --mark 0x64 -j ACCEPT
It also has the following relevant rules:
iptables -I POSTROUTING -t nat -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD -i my_LAN_interface -j ACCEPT   # general allow all traffic from LAN out
iptables -I INPUT -i my_LAN_interface -j ACCEPT     # general allow all traffic from LAN into server # not sure if relevant
iptables -I OUTPUT -o my_WAN_interface -j ACCEPT    # general allow all traffic from WAN out
iptables -I OUTPUT -o my_LAN_interface -j ACCEPT    # general allow all traffic from LAN i/f out
iptables -I INPUT -i my_WAN_interface -m state --state NEW,RELATED,ESTABLISHED -p tcp -m multiport --dports 1024:65535 -j ACCEPT   # not sure if relevant to tunnel
iptables -I INPUT -i my_WAN_interface -m state --state NEW,RELATED,ESTABLISHED -p udp -m multiport --dports 1024:65535 -j ACCEPT   # not sure if relevant to tunnel
I am looking to replace the packet-marking rules with generic policy-based
rules which don't need to know anything about the remote end, such as
subnets, so using:
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
Am I going down the right lines, or have I missed something? I have
someone testing it out a bit and he is reporting random timeouts connecting
to his mail server and "Random timeouts connecting to websites (DNS
Resolution errors)".
Have I missed anything? Do I also need policy rules for outbound
traffic, so:
iptables -I INPUT -m policy --dir out --pol ipsec -j ACCEPT     # Also would allow low ports
iptables -I FORWARD -m policy --dir out --pol ipsec -j ACCEPT   # covered by the generic FORWARD rule?
iptables -I OUTPUT -m policy --dir out --pol ipsec -j ACCEPT    # covered by the generic OUTPUT rule?
or are they irrelevant? Would they even work, because I don't know where
in the processing the packets get policy marked?
Regards,
Nick
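As an added example (not from the post above and not ClearOS's own rule set), the following script builds the policy-match rule set for both directions and checks each rule's chain against the directions the iptables-extensions(8) man page allows for `-m policy --dir`: "in" (the policy used for decapsulation) is valid only in PREROUTING, INPUT and FORWARD, and "out" (the policy that will be used for encapsulation) only in POSTROUTING, OUTPUT and FORWARD. It assumes the IKE rules (UDP 500/4500) are already present and that the ESP packets themselves still need their own ACCEPT, since the policy match only sees the decapsulated inner packet.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClearOS.
# Generates "-m policy" rules as iptables commands for review, refusing any
# chain/direction pair the iptables-extensions(8) man page says is invalid.

# Return 0 if CHAIN may carry "-m policy --dir DIR", else 1.
policy_dir_ok() {
    case "$2:$1" in
        in:PREROUTING|in:INPUT|in:FORWARD)      return 0 ;;
        out:POSTROUTING|out:OUTPUT|out:FORWARD) return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Print one rule for CHAIN/DIR, or an error (and return 1) if the kernel
# would reject the combination, e.g. "INPUT out".
policy_rule() {
    chain=$1; dir=$2
    if ! policy_dir_ok "$chain" "$dir"; then
        echo "error: -m policy --dir $dir is not valid in $chain" >&2
        return 1
    fi
    printf 'iptables -I %s -m policy --dir %s --pol ipsec -j ACCEPT\n' \
        "$chain" "$dir"
}

# Full rule set: decapsulated traffic (--dir in) on INPUT/FORWARD,
# to-be-encapsulated traffic (--dir out) on FORWARD/OUTPUT, plus the
# ESP packets themselves, which carry no policy yet when they arrive.
# IKE (udp 500/4500) is assumed to be accepted elsewhere.
ipsec_policy_rules() {
    policy_rule INPUT   in   || return 1
    policy_rule FORWARD in   || return 1
    policy_rule FORWARD out  || return 1
    policy_rule OUTPUT  out  || return 1
    echo 'iptables -I INPUT -p esp -j ACCEPT'
}

# Usage: review the output, then pipe it to sh on the gateway:
#   ipsec_policy_rules | sh
```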