
Block lan -> wan with iptables?

Discussion in 'Tomato Firmware' started by jza80, Jul 23, 2008.

  1. jza80

    jza80 Network Guru Member

    What I want to do is block all traffic and only allow lan to wan traffic on certain ports. The ports would be 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 443 (https), and icmp (ping and traceroute).

    I guess I would need a rule to block / drop traffic and rules to allow traffic on certain ports.


    Is this possible with iptables, and if so, what are the correct commands to do so? I'd try to figure it out myself, but iptables confuses me.
     
  2. LLigetfa

    LLigetfa LI Guru Member

    If you're talking about blocking LAN to LAN, out of the box Tomato cannot do that. AFAIK the firewall does not sit between LAN ports.

    That said, you might be able to get jiggy with VLANs to do that.
     
  3. jza80

    jza80 Network Guru Member

    Sorry if I wasn't specific, but I want to block/drop LAN to WAN (internet) traffic. Not LAN to LAN.

    1. Block LAN to WAN (internet) traffic.

    2. Only allow traffic from LAN to WAN (internet) on certain ports.
     
  4. HennieM

    HennieM Network Guru Member

    Something like this to block FTP traffic from going out the WAN port (or more specific, from being routed):

    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 21 -j DROP

    or maybe

    iptables -A PREROUTING -t nat -p tcp -s 192.168.1.0/24 -d 0/0 --dport 21 -j DROP

    If you still want to allow FTP between machines on your private (192.168.1.0) net, change the "any address" (0/0) to NOT 192.168.1.0:

    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 21 -j DROP
     
  5. jza80

    jza80 Network Guru Member

    ^ Thanks for the reply, but I'm trying to do the opposite. I want to allow FTP, not block it.


    Just to clarify:


    1. Block / drop all LAN to WAN (internet) traffic.

    2. Allow LAN to WAN (internet) traffic on the following ports: 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 443 (https), and icmp (ping and traceroute).

    So anything that is not allowed gets blocked / dropped.



    I guess the examples you gave would work, if I could specify a range of ports to be blocked / dropped?

    Something like

    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 0-20 -j DROP
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 23-24 -j DROP
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 26-52 -j DROP
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 54-79 -j DROP
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 81-109 -j DROP
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 111-442 -j DROP
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 444-65535 -j DROP

    This would allow 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 443 (https) and everything else is blocked / dropped?
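The seven ranges listed above are the complement of the allowlist within 0..65535. As an added example that is not code from the thread, the Python below computes that complement for any allowlist, renders it as FORWARD rules, and checks the result against the hand-written list; the function names (`complement_ranges`, `drop_rules`, `covers_everything`) are my own.

```python
# Added example (not from the thread): compute the TCP port ranges a
# "drop everything else" rule set needs for a given allowlist, and verify
# the seven ranges written out by hand above.

ALLOWED_TCP_PORTS = {21, 22, 25, 53, 80, 110, 443}   # the allowlist from the post


def complement_ranges(allowed, lo=0, hi=65535):
    """Inclusive (start, end) ranges covering every port in lo..hi that is
    NOT in `allowed`, in ascending order."""
    ranges = []
    start = lo
    for port in sorted(p for p in allowed if lo <= p <= hi):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def drop_rules(allowed, lan="192.168.1.0/24"):
    """Render the complement as FORWARD rules. iptables spells a port range
    as a:b, not a-b as written in the post above."""
    return [
        f"iptables -A FORWARD -p tcp -s {lan} --dport {a}:{b} -j DROP"
        for a, b in complement_ranges(allowed)
    ]


def covers_everything(allowed, ranges, lo=0, hi=65535):
    """Check that the ranges and the allowlist partition lo..hi: no allowed
    port is dropped and no port is left unmentioned."""
    dropped = set()
    for a, b in ranges:
        dropped.update(range(a, b + 1))
    return dropped.isdisjoint(allowed) and dropped | set(allowed) == set(range(lo, hi + 1))


if __name__ == "__main__":
    ranges = complement_ranges(ALLOWED_TCP_PORTS)
    print(ranges)                     # [(0, 20), (23, 24), ..., (444, 65535)]
    print(covers_everything(ALLOWED_TCP_PORTS, ranges))
    for rule in drop_rules(ALLOWED_TCP_PORTS):
        print(rule)
```

Two things worth noticing when running it: the computed ranges match the seven in the post exactly, and every rule carries `-p tcp`, so UDP (including DNS on 53) and ICMP would pass these drop rules untouched. Allowing first and dropping everything else with a single final rule, as the next reply describes, needs one rule where this approach needs seven per protocol.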
     
  6. HennieM

    HennieM Network Guru Member

    You allow first, then block all by policy or by a last rule.

    For last rule, it would be:

    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 21 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 22 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 25 -j ACCEPT
    .....
    .....
    iptables -A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j DROP

    The last rule doesn't specify any ports, so it means ALL.
     
  7. nvtweak

    nvtweak LI Guru Member

    You should actually be able to allow multiple ports with one rule, but I can't seem to get iptables multiport option to work in tomato..

    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -m multiport --dports 21,22,25,53,80,110,443 -j ACCEPT
     
  8. nvtweak

    nvtweak LI Guru Member

    Oh, figured it out.

    replace the term multiport with mport

    strange..

    P.S. - I think you should use -I in your rules, not -A. -A will append rules to the bottom of the chain, in which case any given packet might match an iptables rule already higher up in the list. Thus you will probably not get the desired firewall effect with -A (unless you flush all existing rules first, but this will make much more work).
     
  9. jza80

    jza80 Network Guru Member

    That makes sense. So the rules are checked in order from top to bottom?

    Anything that matches the accept rules goes through / gets forwarded. If it doesn't match, it gets dropped.

    I take it that -p = protocol, -s = source, -d = destination, and --dport = destination port.

    Should I use -d ! 192.168.1.0/24 or -d 0/0?

    -d 0/0 = any IP or destination?
    -d ! 192.168.1.0/24 = not to 192.168.1.0/24 (192.168.1.0 - 192.168.1.255) ?


    Should I use -d ! 192.168.1.0/24 or -d 0/0 here?


    Does this rule need a destination, either with -d ! or -d 0/0 ?


    Like this:

    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 -m mport --dports 21,22,25,53,80,110,443 -j ACCEPT

    or

    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -m mport --dports 21,22,25,53,80,110,443 -j ACCEPT


    .
    .
    .
    .

    Taking everything that you guys have said so far, this is what I've come up with.

    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 21 -j ACCEPT
    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 22 -j ACCEPT
    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 25 -j ACCEPT
    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 80 -j ACCEPT
    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 110 -j ACCEPT
    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 443 -j ACCEPT

    iptables -I FORWARD -p udp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 53 -j ACCEPT

    iptables -I FORWARD -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j icmp_packets

    iptables -I FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j DROP



    Port 53 (dns) is udp, so I specified -p udp.

    I'm not sure if the rule for icmp is correct or not. I got the -p icmp and -j icmp_packets from http://www.iptablesrocks.org/guide/ruleset.php (under the output rule section).

    .
    .
    .


    Using multiport option


    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -m mport --dports 21,22,25,80,110,443 -j ACCEPT

    iptables -I FORWARD -p udp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 53 -j ACCEPT

    iptables -I FORWARD -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j icmp_packets

    iptables -I FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j DROP



    Let me know if I need to modify any of the rules and thanks for all the help so far.


    P.S. I would change the 192.168.1.0/24 to 172.25.25.0/29 as that's what I'm using on my LAN.
     
  10. HennieM

    HennieM Network Guru Member

    It seems like you have the basic idea, now google for "iptables manual" to satisfy the remaining curiosity... ;)

    Just a few more pointers:
    If you will be -I(nserting) rules, remember that every new rule you insert becomes rule number 1, and the previous rule number one is now number 2, etc.

    See the existing rule numbers by doing

    iptables -L -nv --line-numbers

    The more parameters you specify in an iptables rule, the more specific the rule gets:

    iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.0/24 --dport 21 -j ACCEPT

    means (i) the packet must be on its way to be forwarded [routed to internet], AND (ii) protocol TCP, AND (iii) source = the 192 net, AND (iv) destination NOT 192 net, AND (v) destination port 21

    iptables -I FORWARD -p tcp --dport 21 -j ACCEPT

    means (i) the packet must be on its way to be forwarded [routed to internet], AND (ii) protocol tcp, AND (iii) destination port 21

    If you have only 1 private network (like your 172.25.25.0/29 net), the short instance of the rule will work just fine.

    In iptables the "jump destination" must be an action or another rule chain. A chain by the name of "icmp_packets" like in
    does not exist by default AFAIK, so you'll have to create such a chain, or not use the "icmp_packets" as a jump destination.
     
  11. jza80

    jza80 Network Guru Member

    Will do. :)

    This is my first time doing something like this with iptables. I've done it with rule-based firewalls + GUI and it's a lot easier.

    Hmm.... interesting.

    Maybe I should use -A instead?

    I see. Looks like I'll have to modify this rule.


    iptables -I FORWARD -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j ACCEPT

    or

    iptables -I FORWARD -p icmp -j ACCEPT


    .
    .
    .
    .

    Only thing I'm not sure about at this point is -I or -A and the rule for icmp.




    Edit: Looks like I can use -I and specify a rule #. Something like -I FORWARD 1, -I FORWARD 2, and so on.

    Using the command (iptables -L -nv --line-numbers) you gave me, I see that there are 8 rules in the forward chain by default.

    If I specify rule numbers for the new rules that I add, will the existing rules get moved down the list but maintain their current order? I'm thinking that the current order should be maintained, but I want to make sure.
     
  12. jza80

    jza80 Network Guru Member

    This is what I've come up with:

    iptables -I FORWARD 1 -p tcp -s 172.25.25.0/29 -d 0/0 -m mport --dports 21,22,25,80,110,443,6667,6668,6669,7000 -j ACCEPT
    iptables -I FORWARD 2 -p udp -s 172.25.25.0/29 -d 0/0 --dport 53 -j ACCEPT
    iptables -I FORWARD 3 -p icmp -s 172.25.25.0/29 -d 0/0 -j ACCEPT
    iptables -I FORWARD 4 -s 172.25.25.0/29 -d 0/0 -j DROP



    1. Everything works except for FTP, which is not quite working correctly. It makes the connection just fine on port 21, but then fails to retrieve directory listing.

    Using netstat -n, I can see that it's making the initial connection to the server on port 21 and then some other random port after that to the server to retrieve the directory listing.

    I know why it's failing (random ports are dropped / blocked with the drop rule), but don't get why it's using some other random port to retrieve the directory listing. Maybe that's the way FTP works?


    Edit: Looks like I can use SFTP instead, which uses port 22. I only FTP to the one site anyways, so this will work. :)


    2. Rule numbering worked out just the way I thought it would. The existing rules got moved down in order.
     
  13. nvtweak

    nvtweak LI Guru Member

  14. HennieM

    HennieM Network Guru Member

    Looks like you got the iptables thing....

    As the referred article explains, FTP's data connection is made on port 20, but with "active FTP", the client IP (which is 172...) is specified in the FTP command to the server. In "passive FTP", the IP of the server is used, so always use passive FTP from behind a NAT firewall.

    SFTP is of course the best, as it encrypts and sorts out the IP/port business, but it's slower.
     
  15. nvtweak

    nvtweak LI Guru Member

    It sounds like passive FTP could still be an issue with these firewall rules. From the FTP client's point of view, passive FTP seems to use a random outgoing TCP port (one that the server itself provided, and one which is also hard to predict. Thus it may be difficult to create an iptables ACCEPT rule for).

    With active mode however, it is possible to specify external IP and range of local ports in some FTP client software (Filezilla for example). Maybe that is a solution, if you're able to use Active mode with the server.
     
  16. jza80

    jza80 Network Guru Member

    According to that article, the data port is not always on port 20 depending on mode (passive or active).

    From the diagram for active mode it shows 2 connections being made from the client to server. One to port 21 of server and another to port 20 of server.

    I'll see if I can use active mode. If it doesn't work, I can fall back to SFTP which works.
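To make the ordering discussion (-A versus -I versus "-I FORWARD n") and the FTP problem from the last few posts concrete, here is an added example, not code from the thread or from Tomato: a small first-match simulator for the FORWARD chain. It parses only the options used in this thread (-p, -s, -d with the old "!" negation, --dport, -m mport --dports, -j), models no connection tracking, and uses placeholder labels for the rules Tomato already has in the chain. The client/server addresses and the data-connection ports 50123 and 40321 are constructed for illustration.

```python
# Added example (not from the thread): a tiny simulator of iptables FORWARD
# rule ordering and first-match evaluation, for the rule set in post 12 above.
import ipaddress
import shlex


def parse_rule(cmd):
    """Parse one iptables command into (op, insert position, match dict)."""
    argv = shlex.split(cmd)[1:]            # drop the leading "iptables"
    op, i, pos = argv[0], 2, None          # argv[1] is the chain name
    if op == "-I" and i < len(argv) and argv[i].isdigit():   # "-I FORWARD 3"
        pos, i = int(argv[i]), i + 1
    r = {"proto": None, "src": None, "dst": None, "dst_neg": False,
         "dports": None, "target": None}
    while i < len(argv):
        opt, arg = argv[i], argv[i + 1]
        if opt == "-p":
            r["proto"] = arg
        elif opt == "-s":
            r["src"] = ipaddress.ip_network(arg)
        elif opt == "-d":
            if arg == "!":                 # old "-d ! net" negation syntax
                r["dst_neg"], i, arg = True, i + 1, argv[i + 2]
            r["dst"] = ipaddress.ip_network("0.0.0.0/0" if arg == "0/0" else arg)
        elif opt in ("--dport", "--dports"):
            r["dports"] = {int(p) for p in arg.split(",")}
        elif opt == "-j":
            r["target"] = arg
        elif opt != "-m":                  # "-m mport" carries no state here
            raise ValueError(f"unsupported option {opt}")
        i += 2
    return op, pos, r


class Chain:
    """An ordered rule list with -A (append) and -I (insert) semantics."""

    def __init__(self, existing=()):
        # Placeholders for rules already in the chain (Tomato's own); they
        # matter for ordering only and never match in verdict().
        self.rules = [(label, None) for label in existing]

    def run(self, cmd):
        op, pos, rule = parse_rule(cmd)
        if op == "-A":
            self.rules.append((cmd, rule))
        elif op == "-I":
            self.rules.insert((pos or 1) - 1, (cmd, rule))
        else:
            raise ValueError(f"unsupported operation {op}")

    def order(self):
        return [label for label, _ in self.rules]

    def verdict(self, proto, src, dst, dport=None):
        """First matching rule wins; None means nothing matched and the
        packet goes on to the existing rules / chain policy."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _, r in self.rules:
            if r is None or (r["proto"] and r["proto"] != proto):
                continue
            if r["src"] and src not in r["src"]:
                continue
            if r["dst"] and (dst in r["dst"]) == r["dst_neg"]:
                continue
            if r["dports"] and dport not in r["dports"]:
                continue
            return r["target"]
        return None


LAN = "172.25.25.0/29"
FINAL_RULES = [  # the rule set from post 12 above
    f"iptables -I FORWARD 1 -p tcp -s {LAN} -d 0/0 -m mport --dports 21,22,25,80,110,443 -j ACCEPT",
    f"iptables -I FORWARD 2 -p udp -s {LAN} -d 0/0 --dport 53 -j ACCEPT",
    f"iptables -I FORWARD 3 -p icmp -s {LAN} -d 0/0 -j ACCEPT",
    f"iptables -I FORWARD 4 -s {LAN} -d 0/0 -j DROP",
]


def build(rules, existing=("tomato-rule-1", "tomato-rule-2")):
    chain = Chain(existing)
    for cmd in rules:
        chain.run(cmd)
    return chain


def ftp_verdicts(chain, client="172.25.25.2", server="198.51.100.10"):
    """The three connections of one FTP session as FORWARD sees them
    (constructed addresses; 50123 and 40321 are constructed ephemeral ports)."""
    return {
        "control (client -> server:21)": chain.verdict("tcp", client, server, 21),
        # passive: the client opens a second connection to a port the server chose
        "passive data (client -> server:50123)": chain.verdict("tcp", client, server, 50123),
        # active: the server connects back to the client from its port 20
        "active data (server:20 -> client:40321)": chain.verdict("tcp", server, client, 40321),
    }


def order_demo():
    """Where three ACCEPT rules land with -A, plain -I and numbered -I,
    relative to a placeholder for a rule already in the chain."""
    out = {}
    for style in ("-A", "-I", "-I n"):
        chain = Chain(["tomato-rule-1"])
        for n, port in enumerate((21, 22, 25), start=1):
            op = f"-I FORWARD {n}" if style == "-I n" else f"{style} FORWARD"
            chain.run(f"iptables {op} -p tcp -s {LAN} --dport {port} -j ACCEPT")
        out[style] = [min(r["dports"]) if r else label for label, r in chain.rules]
    return out


if __name__ == "__main__":
    chain = build(FINAL_RULES)
    print("\n".join(chain.order()))
    for what, v in ftp_verdicts(chain).items():
        print(f"{what}: {v or 'no match (existing rules / policy)'}")
    print(order_demo())
```

The run confirms the thread's observations: the port-21 control connection is accepted, the passive-mode data connection to a server-chosen high port falls through to the catch-all DROP, and the active-mode data connection has a non-LAN source so none of these rules touches it at all (the existing rules and NAT decide its fate). `order_demo` shows -A placing the new rules behind whatever was already in the chain, plain -I reversing their order, and numbered -I preserving it, which is why the numbered form worked out as expected in post 12. The usual way to let FTP through a default-deny egress policy without opening random ports is outside what this simulator models: if the router has the kernel's FTP connection-tracking helper (ip_conntrack_ftp on the 2.4 kernels of that era, nf_conntrack_ftp on later ones) and an `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule placed before the DROP, the data connection of either mode is classified RELATED and accepted. Note also that current iptables writes the negation as `! -d net` rather than `-d ! net`.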
     
