Benutzer-Werkzeuge

Webseiten-Werkzeuge


know-how:firewall

FIXME

Features

Voraussetzungen

  • Minimale Requirements mit update-ipsets.tar auf jeden Fall wird iprange benötigt
  • Für /usr/share/netfilter-persistent/plugins.d# iptables-scripts.zip , Originalmodule löschen
  • dnsmasq zum aktualisieren von den Domain/Hostname basierenden IP Sets
  • zB: auf Debian Stretch:
apt-get install ipset netfilter-persistent iptables iptables-persistent dnsmasq

Anpassungen

Verzeichnisse u. Dateien

  • Grundsätzlicher Aufbau
root@mrBox-x:/etc/iptables# ls -al /etc/iptables/
total 60
drwxr-x---  5 root root 4096 Sep 29 11:42 .
drwxr-xr-x 91 root root 4096 Nov 22 10:08 ..
drwxr-x---  2 root root 4096 Dec  8  2017 ipset-dns.v4
drwxr-x---  2 root root 4096 Sep 29 11:15 ipset-ips.v4
drwxr-x---  2 root root 4096 Sep 29 11:28 ipset-networks.v4
-rw-r-----  1 root root 9291 Sep 29 11:42 rules-new.v4
-rw-r-----  1 root root 6353 Dec  8  2017 rules-new.v6
-rw-r-----  1 root root 9291 Sep 29 11:43 rules.v4
-rw-r-----  1 root root 6353 Dec  8  2017 rules.v6


root@mrBox-x:~# ls -al /usr/share/netfilter-persistent/plugins.d/
total 16
drwxr-xr-x 2 root root 4096 Nov 22 10:19 .
drwxr-xr-x 3 root root 4096 Mar 24  2016 ..
-rwx------ 1 root root 3902 Sep 29 11:31 40-ip4tables
-rwx------ 1 root root 2078 Mar 18  2017 60-ip6tables


root@mrBox-x:~# ls -al /usr/local/sbin/update-ipsets/
total 324
drwxr-sr-x 2 root staff   4096 Sep 29 11:29 .
drwxrwsr-x 3 root staff   4096 Sep 29 11:26 ..
-rw-r--r-- 1 root staff      70 May  2  2018 commands.txt
-rw-r--r-- 1 root staff    2095 May  2  2018 functions.common
-rw-r--r-- 1 root staff    2346 May  2  2018 install.config
-rwxr--r-- 1 root staff  310196 May  2  2018 update-ipsets.sh


root@mrBox-x:/etc/cron.d# cat update-ipset 
SHELL=/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

*/15 * * * * root /usr/local/sbin/update-ipsets/update-ipsets.sh --silent &> /dev/null

  • Firewall IPv4 Beispiel FIXME:
# Generated by iptables-save v1.4.12 on Mon Oct 14 15:11:00 2013
*raw
:PREROUTING ACCEPT [60:6158]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -s 10.0.0.0/8 -j RETURN
-A PREROUTING -i eth0 -s 192.168.0.0/16 -j RETURN
-A PREROUTING -i eth0 -s 172.16.0.0/12 -j RETURN
-A PREROUTING -i eth0 -m set --match-set firehol_level1 src -m limit --limit 5/sec -j LOG --log-prefix "fw firehol_level1 DROP: " --log-level 7
-A PREROUTING -i eth0 -m set --match-set firehol_level1 src -j DROP
-A PREROUTING -i eth0 -m set --match-set firehol_level2 src -m limit --limit 5/sec -j LOG --log-prefix "fw firehol_level2 DROP: " --log-level 7
-A PREROUTING -i eth0 -m set --match-set firehol_level2 src -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p udp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "fw DNS REDIRECT: " --log-level 7
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p udp --dport 53 -j REDIRECT --to 53
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "fw DNS REDIRECT: " --log-level 7
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 53 -j REDIRECT --to 53
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 80 -m limit --limit 5/sec -j LOG --log-prefix "fw HTTP REDIRECT: " --log-level 7
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 15:11:00 2013
# Generated by iptables-save v1.4.12 on Mon Oct 14 15:11:00 2013
*mangle
:PREROUTING ACCEPT [348:36659]
:INPUT ACCEPT [348:36659]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [252:78891]
:POSTROUTING ACCEPT [252:78891]
COMMIT
# Completed on Mon Oct 14 15:11:00 2013
# Generated by iptables-save v1.4.12 on Mon Oct 14 15:11:00 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOW - [0:0]
:EXT-FW - [0:0]
:EXT-INT - [0:0]
:FW-EXT - [0:0]
:FW-INT - [0:0]
:GARBAGE - [0:0]
:INT-EXT - [0:0]
:INT-FW - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j EXT-FW
-A INPUT -i br0 -j INT-FW
-A INPUT -j GARBAGE
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "fw INPUT DROP: " --log-level 7
-A INPUT -j DROP
-A FORWARD -i br0 -o eth0 -j INT-EXT
-A FORWARD -i eth0 -o br0 -j EXT-INT
-A FORWARD -j GARBAGE
-A FORWARD -m limit --limit 5/sec -j LOG --log-prefix "fw FORWARD DROP: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j FW-EXT
-A OUTPUT -o br0 -j FW-INT
-A OUTPUT -j GARBAGE
-A OUTPUT -m limit --limit 5/sec -j LOG --log-prefix "fw OUTPUT DROP: " --log-level 7
-A OUTPUT -j DROP
-A ALLOW -m limit --limit 5/sec -j LOG --log-prefix "fw ALLOW ACCEPT: " --log-level 7
-A ALLOW -j ACCEPT
-A EXT-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A EXT-FW -p icmp -m icmp --icmp-type 8 -j ALLOW
-A EXT-FW -j GARBAGE
-A EXT-FW -m limit --limit 5/sec -j LOG --log-prefix "fw EXT-FW DROP: " --log-level 7
-A EXT-FW -j DROP
-A EXT-INT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A EXT-INT -j GARBAGE
-A EXT-INT -m limit --limit 5/sec -j LOG --log-prefix "fw EXT-INT DROP: " --log-level 7
-A EXT-INT -j DROP
-A FW-EXT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW-EXT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p icmp -m icmp --icmp-type 8 -j ALLOW
-A FW-EXT -p udp -m udp --dport 67 -j ALLOW
-A FW-EXT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p udp -m udp --dport 123 -j ALLOW
-A FW-EXT -p udp -m udp --dport 53 -j ALLOW
-A FW-EXT -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p udp -m udp --dport 65194 -j ALLOW
-A FW-EXT -m owner --uid-owner proxy -j ALLOW
-A FW-EXT -j GARBAGE
-A FW-EXT -m limit --limit 5/sec -j LOG --log-prefix "fw FW-EXT DROP: " --log-level 7
-A FW-EXT -j DROP
-A FW-INT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW-INT -p udp -m udp --dport 68 -j ALLOW
-A FW-INT -p icmp -m icmp --icmp-type 8 -j ALLOW
-A FW-INT -j GARBAGE
-A FW-INT -m limit --limit 5/sec -j LOG --log-prefix "fw FW-INT DROP: " --log-level 7
-A FW-INT -j DROP
-A GARBAGE -d 224.0.0.1/32 -j DROP
-A GARBAGE -d 255.255.255.255/32 -j DROP
-A GARBAGE -d 224.0.0.251/32 -j DROP
-A GARBAGE -p udp -m udp --dport 137 -j DROP
-A GARBAGE -p udp -m udp --dport 138 -j DROP
-A INT-EXT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INT-EXT -p tcp --syn --dport 465 -j ALLOW
-A INT-EXT -p tcp --syn --dport 587 -j ALLOW
-A INT-EXT -p tcp --syn --dport 993 -j ALLOW
-A INT-EXT -p tcp --syn --dport 995 -j ALLOW
-A INT-EXT -p icmp -m icmp --icmp-type 8 -j ALLOW
-A INT-EXT -m limit --limit 5/sec -j LOG --log-prefix "fw INT-EXT DROP: " --log-level 7
-A INT-EXT -j DROP
-A INT-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INT-FW -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 8081 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p udp -m udp --dport 53 -j ALLOW
-A INT-FW -p udp -m udp --dport 67 -j ALLOW
-A INT-FW -p icmp -m icmp --icmp-type 8 -j ALLOW
-A INT-FW -p udp -m udp --dport 123 -j ALLOW
-A INT-FW -j GARBAGE
-A INT-FW -m limit --limit 5/sec -j LOG --log-prefix "fw INT-FW DROP: " --log-level 7
-A INT-FW -j DROP
COMMIT
# Completed on Mon Oct 14 15:11:00 2013

Backup Leitung

  • Wenn der primäre Link offline geht wechsel zum Sekundären
  • Wenn der primäre Link offline war und „zurück“ kommt wechsel wieder zum Primären
  • Wenn der primäre Link funktioniert gibt es keine Änderungen
  • /usr/local/sbin/check_wan_links.sh
#!/bin/bash


# Requirements:
# IF primary link is down switch to  secondary link if not already active
# IF primary link is down and comes back switch to primary link
# IF primary link is active and working do nothing

PRIMARY_IP="82.149.97.213"
SECONDARY_IP="192.168.29.2"

PRIMARY_GATEWAY="82.149.97.1"
SECONDARY_GATEWAY="192.168.29.1"


function checkLink() 
{
  returnCode="1"

  /bin/ping -q -c 5 -I $1 8.8.8.8 >/dev/null  || /bin/ping -q -c 5 -I $1 1.1.1.1 >/dev/null || /bin/ping -q -c 5 -I $1 9.9.9.9 >/dev/null || returnCode="0"

   echo $returnCode
}

function checkCurrentGateway()
{

default=$(/sbin/ip route get 8.8.8.8 | awk '{print $3}') 

echo $default
}

function setCurrentGateway()
{

/sbin/ip route change default via $1

echo "Default route changed to: $1"

}

linkPrimary=$(checkLink $PRIMARY_IP);
currentGateway=$(checkCurrentGateway);


#echo "Link Primary: $linkPrimary"
#echo "Current Gateway: $currentGateway"



[[ $linkPrimary == "0" && $currentGateway == $PRIMARY_GATEWAY ]] &&  setCurrentGateway $SECONDARY_GATEWAY 

[[ $linkPrimary == "1" && $currentGateway == $SECONDARY_GATEWAY ]] &&  setCurrentGateway $PRIMARY_GATEWAY

exit 0
  • Routing zB: /etc/network/interfaces
#DREI Huawei Modem
auto bond0.29
iface bond0.29 inet static
       up ip route add 192.168.29.0/24 dev bond0.29 table lte
       up ip route add default via 192.168.29.1 table lte
       up ip rule add from 192.168.92.2 lookup lte
       address 192.168.29.2
       netmask 255.255.255.0

#EXT - kabelsignal AG
auto eth2
iface eth2 inet static
	address 82.149.97.213
	netmask 255.255.255.0
	gateway 82.149.97.1
        up ip route add 82.149.97.0/24 dev eth2 table kabsi
        up ip route add default via 82.149.97.1 table kabsi
        up ip rule add from 82.149.97.213 lookup kabsi

Gäste WLAN

  • Gäste WLAN , das innerhalb der vorhandenen LAN Infrastruktur durchgereicht werden kann ohne komplexe VLAN Taggings
  • In Kombination mit zB: openwrt und openvpn möglich + Linux Firewall

Firewall Konfiguration

  • Wir benötigen eine Bridge und OpenVPN
  • Verschlüsselung ist nicht notwendig ausschließlich Authentifizierung
  • DNSMASQ dient als DHCP Server
  • /etc/dnsmasq.conf
..
dhcp-range=set:wlan,10.0.212.100,10.0.212.200,255.255.255.0,4h
dhcp-option=tag:wlan,6,8.8.8.8,8.8.4.4
dhcp-option=tag:wlan,3,10.0.212.1
..
  • /etc/network/interfaces
...
#WLAN Guest Interface
auto br-guest
iface br-guest inet manual
      pre-up  brctl addbr br-guest
      pre-up  brctl stp br-guest off
      pre-up  brctl setfd br-guest 0
      pre-up  ip addr add 10.0.212.1/24 brd + dev br-guest
      pre-up  ip li set dev br-guest up

...
  • /etc/openvpn/wlan-guest.conf
dev tap0
dev-type tap

port 65190
proto udp

mode server

management 127.0.0.1 222

cd /etc/openvpn/wlan-guest

cipher none

server 172.24.240.0 255.255.255.0

dh dh2048.pem
ca ca.crt
cert firewall.crt
key firewall.key

status status.log

client-config-dir ccd
topology subnet

tls-server

keepalive 5 15
verb 3
multihome

script-security 2
up /etc/openvpn/wlan-guest/add_tap.sh

multihome
  • /etc/openvpn/wlan-guest/add_tap.sh
#!/bin/bash

brctl addif br-guest tap0

Access Point Konfiguration

  • /etc/config/network
  • Achtung in diesem Fall 2 VLANs die das interne und Gästenetz aufteilen auf entsprechende Ports ( in diesem Fall 841n TP-Link)
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'guest'
       option ifname 'eth1.2'
       option type 'bridge'

config interface 'intern'
	option ifname 'eth0 eth1.3'
	option proto 'dhcp'
        option type 'bridge'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2 3'


config switch_vlan
       option device 'switch0'
       option vlan '2'
       option ports '0t 1 4'
  • /etc/config/wireless
config wifi-device  radio0
	option type     mac80211
	option channel  auto
	option hwmode	11g
	option path	'platform/ar934x_wmac'
	option htmode	HT20
	list ht_capab	LDPC
	list ht_capab	SHORT-GI-20
	list ht_capab	SHORT-GI-40
	list ht_capab	TX-STBC
	list ht_capab	RX-STBC1
	list ht_capab	DSSS_CCK-40
	# REMOVE THIS LINE TO ENABLE WIFI:
	option disabled 0


config wifi-iface
	option device   radio0
	option network  guest
	option mode     ap
	option ssid     SSID_GASTNETZWERK
	option encryption psk2
        option key  PSK_GASTNETZWERK
  • /etc/openvpn/client.conf
client                                                                                                 
dev tap-guest                                                                                              
dev-type tap

cipher none
proto udp                                                                                              
remote firewall 65190                                                                
keepalive 5 10         
resolv-retry infinite                                                                                  

script-security 2
up /etc/openvpn/client/add_tap.sh

nobind                                                                                                 
ca /etc/openvpn/client/ca.crt                                                                                              
cert /etc/openvpn/client/wlanx.crt                                                                         
key /etc/openvpn/client/wlanx.key                                                                          
ns-cert-type server                                                                                    
                                                                                                       
verb 3
  • /etc/openvpn/client/add_tap.sh
#!/bin/sh


brctl addif br-guest tap-guest

openvpn - roadworker wake on lan (wol) trigger

  • zB: bei Roadworkern die per Remote Desktop auf ihre Bürorechner zugreifen möchten / Die Bürorechner können ruhig heruntergefahren werden / Sobald eine erfolgreiche authentifizierte Verbindung aufgebaut wurde wird wol für den Rechner getriggered
  • /etc/openvpn/roadworker.conf (getestet auf Debian stretch)
...
script-security 2
client-connect /usr/local/sbin/wake-on-vpn.sh
...
  • /usr/local/sbin/wake-on-vpn.sh
#!/bin/bash

case "$common_name" in 
	COMMON_NAME_ROADWORKER)

	echo "Wake up Client associated with: $common_name"

/usr/bin/wakeonlan -i IP_BROADCAST  TARGET_MAC_ADDRESS | /usr/bin/logger -t roadworker

;;


*)
	echo "No Client to wake up found: $common_name" | logger -t roadworker

;;

esac


exit 0
Cookies helfen bei der Bereitstellung von Inhalten. Diese Website verwendet Cookies. Mit der Nutzung der Website erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Computer gespeichert werden. Außerdem bestätigen Sie, dass Sie unsere Datenschutzerklärung gelesen und verstanden haben. Wenn Sie nicht einverstanden sind, verlassen Sie die Website. Weitere Information
know-how/firewall.txt · Zuletzt geändert: 2020/03/17 10:29 von cc