IPTables Configuration
Having delved into IPtables and NFtables at about the same time, my feeling is that NFTables is generally superior in just about every way. I cannot be bothered explaining this; it is just my experience and feeling. I would preferentially use NFTables over IPtables where I have a choice. Unfortunately some software still uses IPtables, e.g. Docker, so it is good to be sufficiently fluent to work in both at this time.
I have not cross checked this IPTable version against the working NFTables version, and it is definitely out of alignment and untested.
Sample IPTables configuration
Edit the iptables configuration file: sudo vim /etc/network/iptables
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# eno1 is the WAN interface, br1 is the LAN interface (bridged eno2 - eno4),
# ppp1 is the PPPoE connection on eno1 and is effectively the WAN
-A POSTROUTING -o ppp1 -j MASQUERADE
# WAN Ports DNAT to LAN
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 80 -j DNAT --to-destination 192.168.1.15:80
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 443 -j DNAT --to-destination 192.168.1.15:443
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 25 -j DNAT --to-destination 192.168.1.18:25
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 993 -j DNAT --to-destination 192.168.1.18:993
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 995 -j DNAT --to-destination 192.168.1.18:995
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established
# all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
-A INPUT -i br1 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i br1 -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
# Forwarding rules
# Clamp the MSS to MTU size. Both rules work, this depends on if you specify the MSS or not.
#-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
# forward packets along related/established connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Syn-flood protection
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
# Furtive port scanner
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j ACCEPT
# Ping attack
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 2/s --limit-burst 10 -j ACCEPT
# forward from LAN (br1) to PPPoE (ppp1)
-A FORWARD -i br1 -o ppp1 -j ACCEPT
# allow specific WAN traffic to be forwarded to LAN (the DNAT targets above)
# a comma-separated port list needs the multiport match; plain --dport takes a single port or a range
-A FORWARD -p tcp -d 192.168.1.15 -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -p tcp -d 192.168.1.18 -m multiport --dports 25,993,995 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
Additional IPTables setup requirements
Persistent IPTables on Boot and before Network Start-up:
To initialise IPtables on boot, before the network is brought online:
- Edit this file:
sudo vim /etc/network/if-pre-up.d/iptables
- Add the following:
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
- Change the file ownership and permissions:
sudo chown root /etc/network/if-pre-up.d/iptables
sudo chmod 755 /etc/network/if-pre-up.d/iptables
Note that if /etc/network/if-pre-up.d/iptables does not complete successfully (for example because /etc/network/iptables contains a rule iptables-restore rejects), the network may not start up. This is desirable, as router connectivity is dangerous without a firewall in place.
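Because a ruleset file that iptables-restore rejects keeps the network down at boot, it is worth checking the file before installing it. The following is an added example, not part of the original page: a POSIX shell function (using awk) that statically checks an iptables-restore file for the structural mistakes that are easy to make when editing by hand, such as a *table without a COMMIT, a rule appended to a chain the table never declared, and a comma-separated --dport/--sport list used without -m multiport. The function name and messages are the example's own.

```shell
#!/bin/sh
# check_ruleset FILE: static sanity check of an iptables-restore file.
# Returns 0 if no problems were found, 1 otherwise; problems are printed
# one per line as FILE:LINE: message. This does not replace running
# iptables-restore itself; it only catches mistakes that are visible offline.
check_ruleset() {
    awk '
    function warn(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    BEGIN { bad = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }           # comments and blank lines
    /^\*/ {                                                # *nat, *filter, ...
        if (table != "") warn("table *" table " not closed by COMMIT")
        table = substr($1, 2); split("", chains); next      # new table, new chain set
    }
    /^COMMIT$/ {
        if (table == "") warn("COMMIT without a preceding *table")
        table = ""; next
    }
    /^:/ {                                                 # :CHAIN POLICY [pkts:bytes]
        if ($1 !~ /^:[A-Za-z0-9_-]+$/ || $3 !~ /^\[[0-9]+:[0-9]+\]$/)
            warn("malformed chain declaration: " $0)
        chains[substr($1, 2)] = 1; next
    }
    /^-[AI] / {                                            # -A CHAIN ... / -I CHAIN ...
        if (table == "") warn("rule outside of a *table block")
        if (!($2 in chains)) warn("rule for undeclared chain " $2)
        # "--dport 80,443" is rejected by iptables; it needs "-m multiport --dports 80,443"
        for (i = 1; i <= NF; i++)
            if (($i == "--dport" || $i == "--sport") && $(i + 1) ~ /,/ && $0 !~ /-m multiport/)
                warn("comma list after " $i " requires -m multiport --" substr($i, 3) "s")
        next
    }
    /^-/ { next }                                          # other commands (-N, -P, -D) not checked
    { warn("unrecognised line: " $0) }
    END { if (table != "") warn("table *" table " not closed by COMMIT"); exit bad }
    ' "$1"
}
```

On the router itself, iptables-restore --test /etc/network/iptables is the authoritative check, since it parses the file with the real extensions loaded without committing it.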
Some IPTables Commands
iptables -L lists the rules of a table, by default the filter table. To list the nat table, add -t nat. For more verbose output (packet and byte counters, interfaces), add -v.