home 
wiki
wiki
Spelling: MWRPFirewall
still a work in progress - dna.
Be a few days before I get it all up
* Introduction [1]
* Netfilter? what\'s that? [2]
* iptables [3]
* The S45firewall script [4]
* What should the firewall do? [5]
* Example router port configurations and firewall scripts [6]
* OpenWRT default configuration and firewall [7]
* Port configuration [8]
* Firewall configuration [9]
* Private WAN interface, public LAN interface [10]
* Port configuration [11]
* Firewall configuration [12]
INTRODUCTION
The OpenWRT [13] Linux distribution used on the Linksys WRT54G(s) has
a basic firewall as part of the distribution. This firewall is
configured for typical home AP use. The firewall uses iptables to load
rules into the netfilter part of the Linux kernel. As a firewall this
is pretty neat, there is no running process, you can verify it is
configured how you want and you can log what is going on.
This Wiki page makes a brief introduction to netfilter and iptables
and details what a MW Node firewall should do. Examples are then given
for six different configurations. These examples should be able to be
used with only minor changes (such as the interfaces in your
particular router).
A future evolution will reduce these configurations to a single
script with a small number of input parameters (probably through
environment variables).
NETFILTER? WHAT\'S THAT?
Well, there is a lot of stuff written about netfilter. Probably the
best place to start is in the netfilter FAQ page [14].
In a nutshell there is a packet switch/filter built into the linux
kernel. As packets are received they pass through the netfilter and
may be acted upon at various points.
/ / -> NIC - PREROUTING - routing ---- FOREWARD ----------
POSTROUTING - NIC -> / | / | | | | | INPUT --- applications --- OUTPUT
There are two tables of interest, the filter table where the INPUT,
OUTPUT and FOREWARD chains are defined and the nat table where the
PREROUTING and POSTROUTING chains live.
The routing decission determines the path a packet takes through
netfilter. If IP forewarding is "on" then packets that are not
addressed to the router itself are passed through to the FORWARD
chain. Note, only packets for networks this router is configured for
are passed through here.
Well, if you want to get technical this is what it really looks like:
netfilter diagram [15]
At each of the chains in the path rules can be defined that tell
netfilter what to do with packets that match a rule. This could be as
simple as ACCEPTing the packet or it could send it to a different
chain for further processing.
IPTABLES
iptables is a tool that is used to manipulate the filtering rules. It
is very flexible and has lots of options. Check the man page for
details.
In our firewall scripts we use iptables to clear the netfilter tables
and create the rules we want to apply.
We use the following tables/chains:
* filter / INPUT for packets inbound to our router
* filter / OUTPUT for packets outbound from our router
* filter / FOREWARD for packets we are forwarding from one segment
to another
* nat / PREROUTING for SNAT from our private segment to public
segment
* nat / POSTROUTING for DNAT for port forwarding into our private
segment
THE S45FIREWALL SCRIPT
The default firewall script ( /etc/init.d/S45firewall ) serves as the
base for developing variations for the other described router
configurations. There are a couple of bad configuration examples and
it is a little more verbose than it needs to be ( for such a simple
use ) but nevertheless it is a good starting point.
This script is used when the WAN port is connected to the Internet (
unsecure side) and allows the following:
* ssh connection from WAN
* Port forwarding (bad example conflicts with ssh from WAN)
* forwarding to DMZ machine (again bad example)
* INPUT rules to allow access to the router from the LAN and allow
ICMP/GRE packets
* OUTPUT rules to allow anything out from the router
* FORWARD rules to allow LAN to LAN and LAN to WAN
* FORWARD rules to support the specified port forwarding and DMZ
configuration
* PREROUTING rules for port forwarding and DMZ DNAT address
conversion
* POSTROUTING rules for LAN to WAN SNAT (well, MASQ actually)
address conversion
annotated S45firewall script
#!/bin/sh . /etc/functions.sh WAN=$(nvram get wan_ifname) LAN=$(nvram
get lan_ifname)
clear the iptables and creates a new "user" chain for each
table/chain combination
## CLEAR TABLES for T in filter nat mangle; do iptables -t $T -F
iptables -t $T -X done
iptables -N input_rule iptables -N output_rule iptables -N
forwarding_rule
iptables -t nat -N prerouting_rule iptables -t nat -N
postrouting_rule
Optional things are added to the "user" chains
## Allow SSH from WAN # iptables -t nat -A prerouting_rule -i $WAN -p
tcp --dport 22 -j ACCEPT # iptables -A input_rule -i $WAN -p tcp
--dport 22 -j ACCEPT
This example conflicts with the above one. The rule entered first
will take precdence
## Port forwarding # iptables -t nat -A prerouting_rule -i $WAN -p
tcp --dport 22 -j DNAT --to 192.168.1.2 # iptables -A forwarding_rule
-i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
This example sends incoming ports to the 192.168.1.2 machine, it is
not a true DMZ which should be on a separate network segment
## DMZ (should be placed after port forwarding / accept rules) #
iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2 #
iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
The default tables/chains have the general policy set along with
actions to deal with junk
## INPUT ## (connections with the router as destination)
# base case iptables -P INPUT DROP iptables -A INPUT -m state --state
INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED
-j ACCEPT iptables -A INPUT -p tcp --syn --tcp-option ! 2 -j DROP
we alow packets from the private segment and ICMP(ping) and
GRE(router chatter) from anywhere
# allow iptables -A INPUT -i ! $WAN -j ACCEPT # allow from lan/wifi
interfaces iptables -A INPUT -p icmp -j ACCEPT # allow ICMP iptables
-A INPUT -p gre -j ACCEPT # allow GRE
The input_rule chain has one target (above) to allow ssh form the WAN
interface
# # insert accept rule or to jump to new accept-check table here #
iptables -A INPUT -j input_rule
# reject (what to do with anything not allowed earlier) iptables -A
INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j
REJECT --reject-with icmp-port-unreachable
## OUTPUT ## (connections with the router as source)
# base case iptables -P OUTPUT DROP iptables -A OUTPUT -m state
--state INVALID -j DROP iptables -A OUTPUT -m state --state
RELATED,ESTABLISHED -j ACCEPT
# allow iptables -A OUTPUT -j ACCEPT #allow everything out
everything after the above line is unreachable in this chain
# # insert accept rule or to jump to new accept-check table here #
iptables -A OUTPUT -j output_rule
# reject (what to do with anything not allowed earlier) iptables -A
OUTPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A OUTPUT -j
REJECT --reject-with icmp-port-unreachable
## FORWARDING ## (connections routed through the router)
# base case iptables -P FORWARD DROP iptables -A FORWARD -m state
--state INVALID -j DROP iptables -A FORWARD -m state --state
RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags
SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# allow iptables -A FORWARD -i br0 -o br0 -j ACCEPT iptables -A
FORWARD -i $LAN -o $WAN -j ACCEPT
The forwarding_rule chain is where all the exciting things are
happening
# # insert accept rule or to jump to new accept-check table here #
iptables -A FORWARD -j forwarding_rule
# reject (what to do with anything not allowed earlier) # uses the
default -P DROP
In this case postrouting SNAT is performed using the MASQ target
makes all packets from the private segment look like they come from
the router
## MASQ iptables -t nat -A PREROUTING -j prerouting_rule iptables -t
nat -A POSTROUTING -j postrouting_rule iptables -t nat -A POSTROUTING
-o $WAN -j MASQUERADE
WHAT SHOULD THE FIREWALL DO?
The firewall has to do a couple of things to be usefull in a MW node:
* Allow unrestricted access from your private segment into the MW
segment.
* NAT the addresses from your private segment to an address in your
node segment.
* Allow you to access your private segment from the MW network (only
you, or your machines).
* Allow administrative access (ssh) to the router from both the
private and public segments.
In addition you may want to allow some services to be accessible:
* DNS lookup
* ssh to a server on the Internet
* POP3 email from an email server
* SMTP to an email server
* HTTP to selected web sites
* forward ports from the MW segment to a machine in either the
private or DMZ segment
Note: By exposing these services clients connected to your Node will
be "tunneling" through your private network to reach the Internet via
your broadband connection. You may want to think about what you expose
if you have a capped connection.
EXAMPLE ROUTER PORT CONFIGURATIONS AND FIREWALL SCRIPTS
OPENWRT DEFAULT CONFIGURATION AND FIREWALL
This configuration is useful for setting up a private wireless
network but should not be used as part of a MW Node. Any machine
connected to the LAN ports would be bridged with the Node and exposed
to hacking.
Public WAN WRT PORT Private LAN +-------+ -------------------| WAN |
+-------+ +----- +-------+ | | WLAN |----------< Antenna (radio used
as AP) | +-------+ | +-------+ ports bridges | | LAN 1 |----------
together | +-------+ | +-------+ | | LAN 2 |---------- | +-------+ |
+-------+ | | LAN 3 |---------- | +-------+ | +-------+ | | LAN 4
|---------- +----- +-------+
PORT CONFIGURATION
No changes required.
FIREWALL CONFIGURATION
Use the S45firewall script as is out of the box.
PRIVATE WAN INTERFACE, PUBLIC LAN INTERFACE
This is the simplest useful node configuration. It does not require
any changes to the OpenWRT [16] port assignment. In this configuration
there is a single WAN port and a bridged LAN ( bridge the remaining 4
switch ports and the wirless port ).
Private LAN WRT PORT Public LAN ( i.e. Melbourne wireless space )
+-------+ -------------------| WAN | +-------+ +----- +-------+ | |
WLAN |----------< Antenna (radio used as Node AP) | +-------+ |
+-------+ ports bridges | | LAN 1 |---------- to link radio together |
+-------+ | +-------+ | | LAN 2 |---------- to node server | +-------+
| +-------+ | | LAN 3 |---------- Switch port 3 | +-------+ |
+-------+ | | LAN 4 |---------- Switch port 4 +----- +-------+
In this configuration the router is using the WAN port to give you a
connection from your private LAN space into the MW node. The firewall
needs to be set up differently to the case where the LAN is the
private side and the WAN is the public (Internet) side.
PORT CONFIGURATION
No changes in NVRAM required.
FIREWALL CONFIGURATION
Links:
------
[1] http://www.melbournewireless.org.au/#introduction
[2] http://www.melbournewireless.org.au/#netfilter__what_s_that_
[3] http://www.melbournewireless.org.au/#iptables
[4] http://www.melbournewireless.org.au/#the_s45firewall_script
[5] http://www.melbournewireless.org.au/#what_should_the_firewall_do_
[6]
http://www.melbournewireless.org.au/#example_router_port_configurations_and_firewall_scripts
[7]
http://www.melbournewireless.org.au/#openwrt_default_configuration_and_firewall
[8] http://www.melbournewireless.org.au/#port_configuration
[9] http://www.melbournewireless.org.au/#firewall_configuration
[10]
http://www.melbournewireless.org.au/#private_wan_interface__public_lan_interface
[11] http://www.melbournewireless.org.au/#port_configuration
[12] http://www.melbournewireless.org.au/#firewall_configuration
[13] http://www.melbournewireless.org.au/?OpenWRT
[14]
http://www.netfilter.org/documentation/index.html#documentation-faq
[15] http://www.melbournewireless.org.au/files/Misc/netfilter.png
[16] http://www.melbournewireless.org.au/?OpenWRT
[EditText] [Spelling] [Current] [Raw] [Code] [Diff] [Subscribe] [VersionHistory] [Revert] [Delete] [RecentChanges]