Firewalls: Difference between revisions

From 44Net Wiki
Jump to navigation Jump to search
(→‎OpenWrt: moved OpenWrt rules here)
m (cleanup)
Line 1: Line 1:
Welcome to the Firewall Wiki.
Welcome to the Firewall Wiki.


NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.
This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the [[44Net mailing list]] Community that nodes be firewalled.


'''NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.''' If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.'''


== Cisco ==
== Cisco ==
Line 11: Line 9:
== DD-WRT ==
== DD-WRT ==


DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"
DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at '''Administration > Commands > "Save Firewall"''' on the web GUI.


https://www.dd-wrt.com/wiki/index.php/Iptables
See:


https://www.dd-wrt.com/wiki/index.php/Firewall
* https://www.dd-wrt.com/wiki/index.php/Iptables
* https://www.dd-wrt.com/wiki/index.php/Firewall


== D-Link ==
== D-Link ==
Line 23: Line 22:
To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''
To enable input of IPENCAP (IP Protocol Number 4) '''Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.'''


In Port Forwarding
In Port Forwarding on the web GUI:
 
* Create a new Port Forward
* Enter the LAN IP of your AMPR node
* Select "Other"
* Type the number '''4''' into the field


# Create a new Port Forward
== iptables ==
# Enter the LAN IP of your AMPR node
# Select "Other"
# Type the number '''4''' into the field


'''NOTE:'''


== iptables ==
* On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
* Since the IPENCAP Linux Kernel Module IPIP is in the kernel, '''you must set the default forwarding policy to DROP or REJECT.'''
* ''If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.''


'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering
'''General Bogon rules''' - see: https://en.wikipedia.org/wiki/Bogon_filtering

Revision as of 17:57, 11 January 2019

Welcome to the Firewall Wiki.

This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the 44Net mailing list Community that nodes be firewalled.


Cisco

DD-WRT

DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall" on the web GUI.

See:

D-Link

On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.

To enable input of IPENCAP (IP Protocol Number 4) Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.

In Port Forwarding on the web GUI:

  • Create a new Port Forward
  • Enter the LAN IP of your AMPR node
  • Select "Other"
  • Type the number 4 into the field

iptables

NOTE:

  • On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall).
  • Since the IPENCAP Linux Kernel Module IPIP is in the kernel, you must set the default forwarding policy to DROP or REJECT.
  • If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.

General Bogon rules - see: https://en.wikipedia.org/wiki/Bogon_filtering

############################################################
# DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
# THIS PREVENTS A GENERAL LOOP
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38)
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38)
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
############################################################
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
# Block of Test AMPRNet Subnet
# iptables -t raw -I PREROUTING -s 44.128.0.0/16 -i tunl0 -j DROP
############################################################
# THIS PREVENTS NESTED IPENCAP (BCP 38)
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

Dynamic IPENCAP Filtering of AMPR Nodes (using iptables)

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

NOTE:

  • This script needs work, see Thu Jan 10 11:09:27 PST 2019 message in the 44Net mailing list archive. Due to overheard running on many devices, the ipset script is suggested instead.
  • This rule (or one of the ipset or static rules below) is required for other AMPR nodes to initiate inbound traffic to your node.

REQUIRED: ampr-ripd (using the -x and -d arguments), the diff command from the diffutils package and the sed command.

# Place this rule a the last firewall command
# Uncomment sleep command below if the rule does not appear
# as load_ipipfilter.sh is still executing
# sleep 10
# load ipipfilter list rule
iptables -t filter -I INPUT -p 4 -i <INTERFACE OF WAN> -j ipipfilter
#!/bin/sh
# load encap.txt into ipipfilter list
# by Rob, PE1CHL
# load_ipipfilter.sh

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="<AMPRGW>"
gwfile="/tmp/gw"

cd /var/lib/ampr-ripd || exit 1

# Parse encap.txt for Node IPs and place in /tmp/gw
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile

# Run command to create CHAIN, IF no system output, CHAIN was created
iptables -N ipipfilter 2>/dev/null
if [ $? -eq 0 ]
# DO NOT PLACE EMPTY LINES BETWEEN THE TWO COMMANDS ABOVE. ###
# THE EQUATION ASKS IF THE LAST SYSTEM COMMAND ENTERED ###
# RETURNS "NOTHING." ADDING A SPACE WILL CHANGE RESULTS OF THE IF COMMAND. ###

##The two lines above replace the line below, which does not work on OpenWRT
# if iptables -N ipipfilter 2>/dev/null
## 

# IF no system output, THEN flush the CHAIN and add AMPRGW,
# add nodes in encap.txt and a final DROP rule
then
    iptables -F ipipfilter
    iptables -A ipipfilter -s $AMPRGW -j ACCEPT

    while read ip
    do
        iptables -A ipipfilter -s $ip -j ACCEPT
    done <$gwfile

    iptables -A ipipfilter -j DROP

# ELSE, the CHAIN already exists, determine changes
# and INSERT new nodes and DELETE old nodes (excluding AMPRGW)
else
    iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
        sed -e 's/.*--  //' -e 's/ .*//' | sort | diff - $gwfile | \
        while read d ip
        do
            case "$d" in
            ">")
                iptables -I ipipfilter -s $ip -j ACCEPT
                ;;
            "<")
                iptables -D ipipfilter -s $ip -j ACCEPT
                ;;
            *)
                ;;
            esac
        done
fi

# Delete /tmp/gw when done
rm -f $gwfile

# The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
# option to ampr-ripd.   It will load the entire filter the first time, and later it will only update
# the filters that have changed.  It is required that the -s option is passed as well, so the
# encap.txt file is created by ampr-ripd.

Static IPENCAP Filtering of AMPR Nodes

To enable input of IPENCAP (IP Protocol Number 4)

Note:

  • This rule (the dynamic rule above, or the ipset rules) is required for other AMPR nodes to initiate inbound traffic to your node.
iptables -t filter -I INPUT -p 4 -i <INTERFACE OF YOUR WAN> -j ACCEPT 

If your AMPR node is downstream, you will create an INPUT and DNAT forward rule to the destination LAN IP of your AMPR node.

To enable receipt of RIP44

iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT

Masquerade LAN Subnets to AMPRNet

  • In this instance, eth1 is your 192.168.1.0/24 LAN - (thanks to Brian, N1URO)

See: https://n1uro.ampr.org/linuxconf/44nat.html

# NAT setup
iptables -t nat -A POSTROUTING -s 192.168.0/24 -o tunl0 -j MASQUERADE -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44.0.0.0/8
iptables -A FORWARD -s 192.168.1/22 -i eth1 -o tunl0 -j ACCEPT -d 44.0.0.0/8

ipset

Dynamic IPENCAP Filtering of AMPR Nodes (using ipset)

To enable dynamic filtering of IPENCAP (IP Protocol Number 4)

REQUIRED: ampr-ripd (using the -x and -d arguments) and the ipset package.

#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

ipset -N ipipfilter hash:ip 2>/dev/null
ipset flush ipipfilter
ipset -A ipipfilter <AMPRGW>

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
    ipset -A ipipfilter $ip
done

Microtik

OpenWrt

See: iptables and ipset (above), and the Instructions for setting up a gateway on OpenWRT.

  • iptables-based rules are entered at Network > Firewall > Custom Firewall on the LuCI web GUI interface
  • ipset-based rules are entered on the command line - into the Unified Configuration Interface (UCI) file /etc/config/firewall

Adding IPENCAP Filtering of AMPR Nodes to OpenWrt (using ipset)

# in /etc/config/firewall
config rule
	option target 'ACCEPT'
	option src 'wan'
	option family 'ipv4'
	option proto '4'
	option name 'Allow-AMPR_IPENCAP'
	option extra '-m set --match-set ipipfilter src'

Adding ICMP Filtering of AMPR Nodes to OpenWrt (using ipset)

# in /etc/config/firewall
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src '*' 
	option extra '-m set --match-set ipipfilter src'
	option name 'Ping_fromIPENCAPS'