
=== Firewall rules (Linux) ===
We used to use MARKs to tag whether traffic is known, unknown or in validation.

Now, traffic should simply be either known or unknown; specific deny rules (for example, "nothing but port 80") should be sent as "deny acl rules".

We should try to stop using MARKs, as we only have 255 (it wouldn't be trivial or good, I think, to track "who has which mark" with a limit of 255).

Here's what I experienced; it's not complete, but I'm posting it anyway:
{{{
# LAN_INTERFACE, WAN_INTERFACE and AUTHSERV_HOSTNAME are placeholders.

# Everything from LAN to WAN interface
iptables -t filter -N wd_lan2wan
# Default rules (example: deny TCP 25 always)
iptables -t filter -N wd_lan2wan_fromauth
# Allowed clients (we can track outgoing traffic here)
iptables -t filter -N wd_lan2wan_clients
# The last REJECT rule (unknown traffic)
iptables -t filter -N wd_lan2wan_defaults
# For incoming stats
iptables -t filter -N wd_incoming_stats

# Insert the "catch everything from LAN to WAN" rule
iptables -t filter -I FORWARD 1 -i LAN_INTERFACE -o WAN_INTERFACE -j wd_lan2wan
# Insert the incoming stats rule _ON TOP_ (we RETURN in this chain, so we still
# go on to the next rules).
# We do not seem to be able to track incoming traffic by MAC address: on a
# WAN->LAN packet the source MAC is the upstream router's, so this needs the IP.
iptables -t filter -I FORWARD 1 -j wd_incoming_stats

# For PPPoE to work properly. TCPMSS is a non-terminating target, so it has to
# come BEFORE the jumps below: wd_lan2wan_clients ends in ACCEPT and
# wd_lan2wan_defaults in REJECT, so a rule appended after them is never reached.
# The router will probably have this already; we just have to insert ourselves
# at the right place.
iptables -t filter -A wd_lan2wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# 1. Global settings (drop going to port 25 for everyone)
iptables -t filter -A wd_lan2wan -j wd_lan2wan_fromauth
# 2. Allowed clients and specific client rules (and outgoing bandwidth)
iptables -t filter -A wd_lan2wan -j wd_lan2wan_clients
# 3. Deny rule
iptables -t filter -A wd_lan2wan -j wd_lan2wan_defaults

# We can only do the redirect to local port 2060 in the PREROUTING or OUTPUT
# chains of the "nat" table. Restrict the jump to the LAN interface; without
# -i, port 80 arriving from the WAN would also be redirected to the gateway.
iptables -t nat -N wd_redirect
iptables -t nat -I PREROUTING 1 -i LAN_INTERFACE -j wd_redirect

# Allow DNS please
iptables -t filter -A wd_lan2wan_defaults -p tcp --dport 53 -j ACCEPT
iptables -t filter -A wd_lan2wan_defaults -p udp --dport 53 -j ACCEPT

# Allow auth server (iptables resolves the hostname once, when the rule is added)
iptables -t filter -A wd_lan2wan_defaults -d AUTHSERV_HOSTNAME -j ACCEPT

# Base "reject" rule
iptables -t filter -A wd_lan2wan_defaults -j REJECT

# Redirect to local wifidog port 2060. Known clients need a RETURN rule inserted
# ahead of this one, otherwise they keep getting the portal too.
iptables -t nat -A wd_redirect -p tcp --dport 80 -j REDIRECT --to-ports 2060
}}}

Almost all of this works, but we have to find the right recipe.
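The known/unknown scheme described above, put together as an added shell example (this is not WiFiDog's own code). It assumes the placeholders LAN_INTERFACE, WAN_INTERFACE, AUTHSERV_HOSTNAME and port 2060 from the snippet, keeps the MSS clamp ahead of the terminating jumps, restricts the portal redirect to the LAN side, and expresses "known" as the presence of an (IP, MAC) rule pair instead of a MARK. With DRY_RUN=1 (the default) it only prints the iptables commands so the ruleset can be reviewed without root; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not WiFiDog's own code. LAN_IF, WAN_IF, AUTH_HOST and
# GW_PORT are assumed placeholders; DRY_RUN=1 prints instead of applying.
LAN_IF="${LAN_IF:-LAN_INTERFACE}"
WAN_IF="${WAN_IF:-WAN_INTERFACE}"
AUTH_HOST="${AUTH_HOST:-AUTHSERV_HOSTNAME}"
GW_PORT="${GW_PORT:-2060}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the chains once. Order inside wd_lan2wan matters: TCPMSS is
# non-terminating and must precede the jumps, because wd_lan2wan_clients
# ends in ACCEPT and wd_lan2wan_defaults in REJECT.
fw_init() {
    for c in wd_lan2wan wd_lan2wan_fromauth wd_lan2wan_clients wd_lan2wan_defaults; do
        ipt -t filter -N "$c"
    done
    ipt -t filter -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -j wd_lan2wan

    ipt -t filter -A wd_lan2wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    ipt -t filter -A wd_lan2wan -j wd_lan2wan_fromauth
    ipt -t filter -A wd_lan2wan -j wd_lan2wan_clients
    ipt -t filter -A wd_lan2wan -j wd_lan2wan_defaults

    # "deny acl rules" that apply to everyone, known or not (the page's example: TCP 25)
    ipt -t filter -A wd_lan2wan_fromauth -p tcp --dport 25 -j REJECT

    # What an unknown client may reach: DNS and the auth server; everything else is rejected
    ipt -t filter -A wd_lan2wan_defaults -p udp --dport 53 -j ACCEPT
    ipt -t filter -A wd_lan2wan_defaults -p tcp --dport 53 -j ACCEPT
    ipt -t filter -A wd_lan2wan_defaults -d "$AUTH_HOST" -j ACCEPT
    ipt -t filter -A wd_lan2wan_defaults -j REJECT

    # Portal redirect only for packets entering from the LAN, so WAN-side
    # port 80 traffic is never sent to the gateway
    ipt -t nat -N wd_redirect
    ipt -t nat -I PREROUTING 1 -i "$LAN_IF" -j wd_redirect
    ipt -t nat -A wd_redirect -p tcp --dport 80 -j REDIRECT --to-ports "$GW_PORT"
}

# A known client is an (IP, MAC) pair: ACCEPT it in the forward path and
# RETURN ahead of the REDIRECT so it no longer sees the portal. Matching on
# both means a host that only spoofs the IP does not inherit the session.
fw_allow_client() {  # MAC IP
    ipt -t filter -I wd_lan2wan_clients 1 -s "$2" -m mac --mac-source "$1" -j ACCEPT
    ipt -t nat -I wd_redirect 1 -s "$2" -m mac --mac-source "$1" -j RETURN
}

# Logout/timeout: delete exactly the two rules fw_allow_client added
fw_deny_client() {  # MAC IP
    ipt -t filter -D wd_lan2wan_clients -s "$2" -m mac --mac-source "$1" -j ACCEPT
    ipt -t nat -D wd_redirect -s "$2" -m mac --mac-source "$1" -j RETURN
}

# Demo run with a constructed MAC/IP pair: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    fw_init
    fw_allow_client 00:11:22:33:44:55 192.168.1.10
    fw_deny_client 00:11:22:33:44:55 192.168.1.10
fi
```

Running the demo in dry-run mode prints the full ruleset; diffing that output against `iptables-save` on the router is a quick way to check the "right recipe" before applying it for real.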