[Swan] Basic firewall rules for traffic through tunnel
Tuomo Soini
tis at foobar.fi
Tue Apr 3 07:13:18 UTC 2018
On Mon, 2 Apr 2018 09:06:29 +0100
Nick Howitt <nick at howitts.co.uk> wrote:
> Hi Paul,
>
> ClearOS comes with the following automatic rules to allow traffic to
> pass through the tunnel using packet marking:
>
> iptables -I PREROUTING -t mangle -p esp -j MARK --set-mark 0x64
> iptables -I INPUT -m mark --mark 0x64 -d my_wan_IP -j ACCEPT #
> necessary for incoming traffic
> iptables -I INPUT -m mark --mark 0x64 -d my_LAN_IP -j ACCEPT #
> not too sure why needed
> iptables -I FORWARD -m mark --mark 0x64 -j ACCEPT
>
Wow. That is /legacy/. From times when kernel didn't have netfilter
policy matching module.
> It also has the following relevant rules
>
> iptables -I POSTROUTING -t nat -m policy --dir out --pol ipsec -j
> ACCEPT
This one looks kind of reverse. My guess is this is ment to be
exception for not to SNAT/MASQUERADE ipsec traffic but it would be much
better to apply -m policy --dir out --pol none to SNAT/MASQURADE rules
so order wouldn't be that important.
> iptables -I FORWARD -s my_LAN_interface -j ACCEPT # general
> allow all traffic from LAN out
That matches both ipsec and non-ipsec traffic.
> iptables -I INPUT -s my_LAN_interface -j ACCEPT # general allow
> all traffic from LAN into server #not sure if relevant
That does exactly what documented - I can't guess if that is relevant
or not - use case matters.
> iptables -I OUTPUT -s my_WAN_interface -j ACCEPT # general
> allow all traffic from WAN out
> iptables -I OUTPUT -s my_LAN_interface -j ACCEPT # general
> allow all traffic from LAN i/f out
No restriction to firewall generated traffic - if that is what you want
then this is the way to do it.
> iptables -I INPUT -s my_WAN_interface -m state --state NEW
> RELATED,ESTABLISHED p- tcp -m multiport --dports 1024:65535 -j
> ACCEPT # not sure if relevant to tunnel
> iptables -I INPUT -s my_WAN_interface -m state --state NEW
> RELATED,ESTABLISHED p- udp -m multiport --dports 1024:65535 -j
> ACCEPT # not sure if relevant to tunnel
Netfilter won't allo these two rules because they are not valid - I
guess you wanted "-p".
These are badly designed imho. They allow NEW states to all >1023
ports. So no firwalling at all - and that's from your WAN so this is
completely open firewall.
>
> I am looking to replace the packet marked rules with generic policy
> based rules which don't need to know anything about the remote end
> such as subnets, so using:
>
> iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
> iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
That is more generic than those marking tricks and do same.
> Am I going down the right lines or have I missed something. I have
> someone testing it out a bit and is reporting random timeouts
> connecting to his mail server and "Random timeouts connecting to
> websites (DNS Resolution errors)".
>
> Have I missed anything? Do also I need policy rules for outbound
> traffic, so:
>
> iptables -I INPUT -m policy --dir out --pol ipsec -j ACCEPT #
> Also would allow low ports
> iptables -I FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> # covered by the generic FORWARD rule?
> iptables -I OUTPUT -m policy --dir out --pol ipsec -j ACCEPT #
> covered by the generic OUTPUT rule?
If your generic rules won't cover outbound ipsec secured traffic you
need these. Generally: Nobody can judge your firewalling rules without
seeing real ones. Unfortunately designing whole firewall is really out
of our scope here.
>
> or are they irrelevant. Would they even work because I don't know
> where in the processing the packets get policy marked?
That's deep inside netfilter - that is totally automatic and you don't
need to handle that manually.
I guess your problem is you don't allow RELATED,ESTABLISHED states to
all directions - that's what real firewall design includes, so that
response packets can come back from destinations you allow those to
pass. You'd need to allow those in INPUT, FORWARD and OUTPUT chains.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
More information about the Swan
mailing list