Help with firewall settings
# 1  
Old 12-26-2015
Help with firewall settings

Hi all,

I am confusing myself with trying to set up a firewall and hope someone here can help me progress.

I have a small cluster of three Raspberry Pis running NOOBS, which I believe is a Debian fork.

I have a "Gateway" machine, if that is the right phrase, that has a USB Wifi dongle that connects to my home network router. It also has a NIC (eth0) connected to a switch that has my other two Pis connected.

I've configured this setup to have dnsmasq running on the gateway Pi, and the two Pis in my subnet pick up their IPs and DNS from it via DHCP.

Internal subnet is 10.10.0.0/24 and has a subdomain name of pi.home.
My home router provides the USB Wifi interface with its name and IP via DHCP.

Up to this point all was well....

Then I decided to be more ambitious and configure the gateway firewall but I am getting nowhere with it.

I have this simple script to create or clear iptables rules:

Code:
#!/bin/sh

# My system IP/set ip address of server
WLAN_IP="192.168.1.88"
ETH0_IP="10.10.0.1"

# Flushing all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#CLEAR=true
CLEAR=false

# Clear-down mode: open every chain and stop here
if $CLEAR
then
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        exit
fi

# Default-deny for traffic to and from the gateway itself; routed traffic passes
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

# Replies to connections the gateway already knows about, plus inbound SSH
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Outbound packets from the local SSH daemon (source port 22) only
iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT

This allows me to SSH into the gateway, but I can't ssh into my servers on the internal domain.

I appreciate that the above setting will block my DHCP and DNS resolution in the subnet, but at the moment I can't get the simpler task of ssh working.

From the gateway, if I try to ssh to one of the internal servers, I see no traffic at all with tcpdump listening:

Code:
tcpdump -i eth0 dst 10.10.0.11 and port 22

If I set the OUTPUT policy to ACCEPT, then I can connect with:

Code:
ssh -v pi@10.10.0.11

But like I say, I get nothing with the rule set to DROP.

I'm new to iptables and have the impression that I should be able to set the policy to DROP for everything and then allow specific services.

What am I doing wrong here?

Thanks in advance

Brad

PS

I've dug a little deeper; here is the routing table which looks fine to me:

Code:
root@rpifwl:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         rpifwl.pi.home  0.0.0.0         UG    0      0        0 eth0
default         BThomehub.home  0.0.0.0         UG    303    0        0 wlan0
10.10.0.0       *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     202    0        0 eth0
192.168.1.0     *               255.255.255.0   U     303    0        0 wlan0

I now have these rules enabled in iptables:

Code:
root@rpifwl:~# iptables -L -n -v
Chain INPUT (policy DROP 8 packets, 1369 bytes)
 pkts bytes target     prot opt in     out     source               destination
  134  9672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68

Chain FORWARD (policy ACCEPT 3 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 4 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
   77  8552 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:68

And IP forwarding has been enabled:

Code:
root@rpifwl:~# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1

But I still can't ssh from the firewall to an internal server unless I set OUTPUT to ACCEPT.

Thought I had fixed this, but I hadn't noticed that my script was still in clear-down mode. Grr.

Some additional info:

I set tcpdump to listen on eth0 with no filters and no firewall rules set to DROP. Then I ssh'd to the target and took a look at the packets. I found that there were calls to three ports that I didn't recognise. Searching online, these seem to be something to do with IANA. So I added rules for these ports; however, I still can't SSH past the gateway machine with the firewall rules in place.

Code:
# The Internet Assigned Numbers Authority (IANA)
iptables -A INPUT -p tcp --dport 57388 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 57388 -j ACCEPT
iptables -A INPUT -p tcp --dport 46477 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 46477 -j ACCEPT
iptables -A INPUT -p tcp --dport 53022 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53022 -j ACCEPT

I don't know why I am making calls to these ports when I'm just ssh'ing into a subnet, but there you go.

Last edited by steadyonabix; 12-27-2015 at 07:40 AM..
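A stateful version of the ruleset, added here as an example and not taken from the post: the OUTPUT chain gets an ESTABLISHED,RELATED rule plus an explicit rule for new SSH connections towards 10.10.0.0/24, so the gateway's own SSH client (whose source port is a random ephemeral port such as the 57388, 46477 and 53022 seen in the capture, not an IANA-registered service) no longer has to be matched against a fixed --sport list. The interface names, the FORWARD DROP policy and the MASQUERADE rule on wlan0 are assumptions; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script: stateful iptables policy for the
# gateway Pi. Assumed: eth0 = internal LAN 10.10.0.0/24, wlan0 = home side.
# IPT defaults to the real binary; IPT=echo prints the rules instead.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-wlan0}"
LAN_NET="${LAN_NET:-10.10.0.0/24}"

flush_rules() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

# The client side of a TCP connection uses a random ephemeral source port, so
# static --sport/--dport pairs cannot describe outbound sessions; conntrack can.
apply_rules() {
    flush_rules
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New SSH sessions: inbound to the gateway, and from the gateway to the LAN
    "$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # dnsmasq: DNS over UDP/TCP and DHCP requests, from the LAN side only
    "$IPT" -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # DHCP replies answer a broadcast, so conntrack cannot pair them: allow explicitly
    "$IPT" -A OUTPUT -o "$LAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    # The gateway's own upstream DNS lookups and its DHCP lease from the home router
    "$IPT" -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    "$IPT" -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # Route LAN traffic to the home network; NAT on wlan0 is an assumption
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh fw.sh apply` on the gateway, or `IPT=echo sh fw.sh apply` to review the generated rules first.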