I went down the route of attempting to configure the firewall using NFtables. NFTables has some nice features that look to make it more user friendly than IPTables. On larger, more complex installs NFTables looks to have some significant technical advantages over IPTables, but these benefits are probably less significant on my smaller undertaking. That being said for those already familiar with IPTables this will not be the case.

As of year ending 2019 general support and functionality of NFTables is much improved. That being said overall information and support for IPTables is more comprehensive. Application packages such as Docker and Fail2ban basically still have default enbedment of IPTables with use of NFTables required greater care and effort.

Unfortunately the package version supplied with Ubuntu 16.04 was released in 2015-11, and during my configuration I found some bugs. Also mss clamping is not supported in this version. I tried the Ubuntu 18.04 development version and the previous noted bugs were no longer apparent and mss clamping was supported.

I have not cross checked this IPTable version against the working NFTables version, and it is definitely out of alignment and untested.

Edit iptables configuration file: sudo vim /etc/network/iptables:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# eno1 is WAN interface, br1 is LAN interface (bridged eno2 - eno4), 
# ppp1 is the PPPoE connection on eno1, is effectively the WAN
-A POSTROUTING -o ppp1 -j MASQUERADE

# WAN Ports DNAT to LAN
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 80 -j DNAT --to-destination 192.168.1.15:80
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 443 -j DNAT --to-destination 192.168.1.15:443
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 25 -j DNAT --to-destination 192.168.1.18:25
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 993 -j DNAT --to-destination 192.168.1.18:993
-A PREROUTING -p tcp -m tcp -i ppp1 --dport 995 -j DNAT --to-destination 192.168.1.18:995

COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]


# Service rules

# basic global accept rules - ICMP, loopback, traceroute, established 
# all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

# DNS - accept from LAN
-A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp --dport 53 -j ACCEPT

# SSH - accept from LAN
-A INPUT -i br1 -p tcp --dport 22 -j ACCEPT

# DHCP client requests - accept from LAN
-A INPUT -i br1 -p udp --dport 67:68 -j ACCEPT

# drop all other inbound traffic
-A INPUT -j DROP


# Forwarding rules

# Clamp the MSS to MTU size. Both rules work, this depends on if you specify the MSS or not.
#-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452

# forward packets along related/established connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Syn-flood protection
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
# Furtive port scanner
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j ACCEPT
# Ping attack
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 2/s --limit-burst 10 -j ACCEPT

# forward from LAN (br1) to PPPoE (ppp0)
-A FORWARD -i br1 -o ppp1 -j ACCEPT

# allow specific WAN traffic to be forwarded to LAN
-A FORWARD -p tcp -d 192.168.1.15 --dport 80,443 -j ACCEPT
-A FORWARD -p tcp -d 192.168.1.18 --dport 25,993,995 -j ACCEPT

# drop all other forwarded traffic
-A FORWARD -j DROP

COMMIT

Persistent IPTables on Boot and before Network Start-up:

To initialise IPtables on boot, before the networks is brought on line:

  • Edit this file: sudo vim /etc/network/if-pre-up.d/iptables
  • Add the following:
    #!/bin/sh
    /sbin/iptables-restore < /etc/network/iptables
  • Change the file permissions: sudo chown root /etc/network/if-pre-up.d/iptables, and sudo chmod 755 /etc/network/if-pre-up.d/iptable.

Note that if /etc/network/if-pre-up.d/iptables is not complete the network may not start-up. This is desirable, as router connectivity is dangerous without firewall in place.

Some IPTables Commands

  • iptable -L , lists the tables, by default the filter table. To list the nat table, add -t nat. For more verbose information, add -v.

  • /app/www/public/data/pages/linux_router/iptables.txt
  • Last modified: 2023-04-30 Sun wk17 17:43
  • by 127.0.0.1