Firewall core (main) protocols



Allow services and network protocols

DHCP

DHCP client:

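IPTABLES=$(command -v iptables)
# Abort instead of running "-A ..." as a command when iptables is missing.
: "${IPTABLES:?iptables not found in PATH}"

# DHCP client (IPv4, UDP client port 68 -> server port 67).
#
# NOTE(review): common Linux clients (dhclient, dhcpcd) do the broadcast
# DISCOVER/OFFER exchange on a packet socket, which netfilter does not see;
# these rules mainly matter for unicast renewals (REQUEST to the known
# server, ACK back). DHCPv6 (UDP 546/547) is not covered here.

# Request out: always from port 68 to port 67, either to the broadcast
# address (initial lease) or unicast to the lease's server (renewal).
# This single rule covers both cases, so no separate "any dst" rule is needed.
"$IPTABLES" -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

# Reply in: the server (or relay) answers from port 67 to port 68. The reply
# is *sent to* 255.255.255.255 (or to our unicast address), never *sourced*
# from it - the original "-s 255.255.255.255" rule could never match, so
# match on the port pair only. No state match: a broadcast reply does not
# pair with our request in conntrack.
"$IPTABLES" -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT

# Deliberately not opened: OUTPUT --dport 68 is only sent by a DHCP *server*
# and does not belong in a client profile; add it if this host serves leases.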


DNS

These rules let the machine send DNS queries over UDP and TCP and receive the replies (resolver client role):

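IPTABLES=$(command -v iptables)
IP6TABLES=$(command -v ip6tables)
# Abort instead of running "-A ..." as a command when a binary is missing.
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

# DNS client rules, identical for IPv4 and IPv6.
#
# Queries leave for port 53; only replies that conntrack pairs with a query
# we sent are accepted. The original rule set also accepted *any* inbound
# packet with source port 53 (letting a remote host reach every local UDP
# port just by sending from port 53), any outbound packet *from* port 53,
# and any inbound packet *to* port 53 - i.e. it exposed a local resolver,
# if one runs here, to the whole network. If this host really is a DNS
# server for the LAN, add a separate "INPUT --dport 53" rule restricted
# with "-s <lan-prefix>" rather than re-opening it globally.
for fw in "$IPTABLES" "$IP6TABLES"; do
    # DNS over UDP
    "$fw" -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$fw" -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED     -j ACCEPT

    # DNS over TCP. This is not "DNSSEC": TCP/53 is used whenever a UDP
    # reply is truncated (TC bit - large answers such as DNSSEC-signed
    # ones are a common trigger) and for zone transfers. The original had
    # OUTPUT rules only; the matching INPUT rules are needed unless a
    # global ESTABLISHED rule exists earlier in the chain.
    "$fw" -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$fw" -A INPUT  -p tcp --sport 53 -m state --state ESTABLISHED     -j ACCEPT
done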

LAN communication

To allow unrestricted traffic between this host and the local network (and forwarding of traffic that originates in it), set the LAN prefixes below; an empty value skips that address family:

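IPTABLES=$(command -v iptables)
# Was used below but never set in this snippet, so the IPv6 rules ran
# "-A ..." as a command and silently did nothing.
IP6TABLES=$(command -v ip6tables)
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

# LAN prefixes in CIDR form. Leave a value empty ("") to skip that family.
# These must be *prefixes*: the original IPv6 value was a single host
# (2001:DB8:1::1), so "-s X -d X" only matched that host talking to itself.
# 2001:DB8::/32 is the documentation range - replace with your real prefix.
IP_LAN_V4="172.16.50.0/24"
IP_LAN_V6="2001:DB8:1::/64"

# Allow LAN communication.
# Matching is by address only: anything that can spoof a LAN source address
# gets the same treatment. If the LAN sits on a known interface, adding
# "-i <lan-if>" / "-o <lan-if>" to these rules is a cheap extra check.
if [ -n "$IP_LAN_V4" ]; then
    printf '%s\n' " ... Allow LAN communication - IP v4"
    "$IPTABLES" -A INPUT  -s "$IP_LAN_V4" -d "$IP_LAN_V4" -j ACCEPT
    "$IPTABLES" -A OUTPUT -s "$IP_LAN_V4" -d "$IP_LAN_V4" -j ACCEPT
    # Forward anything that *originates* in the LAN - to any destination,
    # not only within the LAN (the original comment understated this).
    # Add -d "$IP_LAN_V4" if this box must not route LAN traffic elsewhere.
    "$IPTABLES" -A FORWARD -s "$IP_LAN_V4" -j ACCEPT
fi

if [ -n "$IP_LAN_V6" ]; then
    printf '%s\n' " ... Allow LAN communication - IP v6"
    "$IP6TABLES" -A INPUT  -s "$IP_LAN_V6" -d "$IP_LAN_V6" -j ACCEPT
    "$IP6TABLES" -A OUTPUT -s "$IP_LAN_V6" -d "$IP_LAN_V6" -j ACCEPT
    # Same scope as the IPv4 FORWARD rule: LAN-sourced, any destination.
    "$IP6TABLES" -A FORWARD -s "$IP_LAN_V6" -j ACCEPT
    # NOTE(review): IPv6 neighbour discovery uses link-local (fe80::/10) and
    # multicast (ff02::/16) addresses that a global-prefix rule never
    # matches; ICMPv6 must be allowed elsewhere or IPv6 on the LAN breaks.
fi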

Note: the `[ ! -z "$VAR" ]` test (equivalent to `[ -n "$VAR" ]`) skips that family's rules when the variable is unset or empty.


NTP (time synchronization) client

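IPTABLES=$(command -v iptables)
# Was used below but never set in this snippet, so the IPv6 rules ran
# "-A ..." as a command and silently did nothing.
IP6TABLES=$(command -v ip6tables)
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

# NTP client (UDP 123), identical for IPv4 and IPv6.
# Replies are accepted only when conntrack has seen our query go out. The
# original "INPUT --sport 123 -j ACCEPT" had no state match, so any remote
# host could reach *any* local UDP port simply by sending from port 123.
printf '%s\n' " ... Allow NTP time sync"
for fw in "$IPTABLES" "$IP6TABLES"; do
    "$fw" -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$fw" -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED     -j ACCEPT
done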


Samba file-share

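IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

# Network(s) allowed to reach the file shares, e.g. "172.16.50.0/24".
# Empty keeps the original behaviour: the ports are open to every source and
# access control is left entirely to smb.conf ("hosts allow"). SMB/NetBIOS
# should never be reachable from untrusted networks, and the firewall is the
# cheaper and more robust place to enforce that, so set this to the LAN prefix.
SAMBA_ALLOW_FROM=""

src=()
if [ -n "$SAMBA_ALLOW_FROM" ]; then
    src=(-s "$SAMBA_ALLOW_FROM")
fi

# SAMBA share (inbound). Access filtering is also done in /etc/samba/smb.conf.
"$IPTABLES" -A INPUT -p udp --dport 137 "${src[@]}" -j ACCEPT   # NetBIOS Name Service
"$IPTABLES" -A INPUT -p udp --dport 138 "${src[@]}" -j ACCEPT   # NetBIOS Datagram Service
"$IPTABLES" -A INPUT -p tcp --dport 139 "${src[@]}" -j ACCEPT   # NetBIOS Session Service (SMB over NetBIOS)
"$IPTABLES" -A INPUT -p tcp --dport 445 "${src[@]}" -j ACCEPT   # SMB/CIFS direct - Windows 2000 and later
# AFP (Apple Filing Protocol) is served by an AFP daemon (typically netatalk),
# not by Samba; remove this rule if no AFP service runs here.
"$IPTABLES" -A INPUT -p tcp --dport 548 "${src[@]}" -j ACCEPT   # AFP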


FTP client

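IPTABLES=$(command -v iptables)
: "${IPTABLES:?iptables not found in PATH}"

# FTP client. FTP carries credentials and data in cleartext; prefer SFTP or
# FTPS where the server offers them.
#
# The data-connection rules below only work because the kernel FTP
# connection-tracking helper parses the PORT/PASV exchange on the control
# channel and marks the resulting data connection RELATED. Without the
# helper neither active nor passive transfers get through. Since Linux 4.7
# helpers are no longer attached automatically (nf_conntrack_helper=0), so
# the control connection is tagged explicitly in the raw table.
modprobe nf_conntrack_ftp 2>/dev/null \
    || printf '%s\n' "warning: nf_conntrack_ftp not loaded; FTP data connections will be blocked" >&2
"$IPTABLES" -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

# Control connection: client -> server port 21.
"$IPTABLES" -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED     -j ACCEPT

# Active mode: the server opens the data connection from its port 20 to the
# port we announced with PORT. Its first SYN is RELATED to the control
# connection, everything after that is ESTABLISHED.
"$IPTABLES" -A INPUT  -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED         -j ACCEPT

# Passive mode: we open the data connection from a high port to the high
# port the server announced with PASV. Our SYN is RELATED, the replies
# ESTABLISHED. The port range is not FTP-specific; the state match is what
# keeps this from being a blanket high-port allow.
"$IPTABLES" -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED         -j ACCEPT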