6
Adding iptables Rules [These modifications only apply to Smoothwall Express 2.0, as GPL 1.0 uses ipchains.] This page describes how to add additional firewall rules to the Smoothwall Express 2.0 firewall script. For information on making similar changes to a Smoothwall GPL 1.0 box (using ipchains), refer to Hilton'sSmoothwall GPL 1.0 web site . Requirements: You'll need: A Smoothwall Express 2.0 installation (obviously...). A way of getting a command-line prompt on your Smoothwall box (either by logging directly onto your Smoothwall box, using a SSH client such as PuTTY or SSH Secure Shell , or via the Smoothwall web interface). Editing the Firewall Script: Smoothwall's iptables firewall configuration is stored in /etc/rc.d/rc.firewall.up, so to make changes to the firewall, you'll need to edit this script. Note that you can use various aliases in the firewall script to reference the red and green network interfaces (ie, $RED_DEV, $GREEN_DEV), ip addresses (ie, $GREEN_ADDRESS), network addresses (ie, $GREEN_NETADDRESS), and subnets (ie, $GREEN_NETMASK). These aliases are defined in /var/smoothwall/ethernet/settings and this file should not be edited, as it's generated by Smoothwall's setup program. Note that if your red interface is a modem, ISDN, or using PPPoE or PPPoA, you can't use the $RED_DEV alias, but need to specify the actual interface name, for example, ppp0. As with any modifications to your Smoothwall, make a backup copy of this file before making any changes to it, so you can

Adding Iptables Rules to Smoothwall Firewall

Embed Size (px)

DESCRIPTION

How to customize firewall rules in smoothwall

Citation preview

Page 1: Adding Iptables Rules to Smoothwall Firewall

Adding iptables Rules 

[These modifications only apply to Smoothwall Express 2.0, as GPL 1.0 uses ipchains.] 

This page describes how to add additional firewall rules to the Smoothwall Express 2.0 firewall

script. 

For information on making similar changes to a Smoothwall GPL 1.0 box (using ipchains), refer to Hilton'sSmoothwall GPL 1.0 web site. 

Requirements: You'll need: 

A Smoothwall Express 2.0 installation (obviously...). A way of getting a command-line prompt on your Smoothwall box (either by logging

directly onto your Smoothwall box, using a SSH client such as PuTTY or SSH Secure Shell, or via the Smoothwall web interface).

Editing the Firewall Script: Smoothwall's iptables firewall configuration is stored in /etc/rc.d/rc.firewall.up, so to make changes to the firewall, you'll need to edit this script. 

Note that you can use various aliases in the firewall script to reference the red and green network interfaces (ie,$RED_DEV, $GREEN_DEV), ip addresses (ie, $GREEN_ADDRESS), network addresses (ie, $GREEN_NETADDRESS), and subnets (ie, $GREEN_NETMASK). These aliases are defined in /var/smoothwall/ethernet/settings and this file should not be edited, as it's generated by Smoothwall's setup program. 

Note that if your red interface is a modem, ISDN, or using PPPoE or PPPoA, you can't use the $RED_DEV alias, but need to specify the actual interface name, for example, ppp0.

As with any modifications to your Smoothwall, make a backup copy of this file before making any changes to it, so you can easily revert back to a known working version. 

Applying Your Changes: Any changes you make to the firewall script will not take effect immediately. 

After making changes to the firewall script, you can either reboot your Smoothwall, or run the following from a command line: 

/etc/rc.d/rc.netaddress.down; /etc/rc.d/rc.netaddress.up

This will re-apply the firewall (as well as restart Snort, any VPNs, etc), and your modifications to the firewall script should be taking effect. 

If you see any iptables errors immediately after the line 

Setting up firewall

http://www.quarkav.com/content/category/3/66/26/
http://www.ssh.com/products/ssh/download.cfm
http://www.ssh.com/products/ssh/download.cfm
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Page 2: Adding Iptables Rules to Smoothwall Firewall

then you've probably made a typo or other mistake in the firewall script, and you'll have to make the appropriate corrections. 

Note that you need execute this as a single line if you're accessing your Smoothwall via SSH - otherwise your SSH connection will be terminated, and you won't be able to re-establish it without logging onto Smoothwall's console to run the up script! 

Also note that if you are using Smoothwall's web proxy in transparent mode, and use the rc.netaddress.down/up scripts to restart the firewall without rebooting, the appropriate iptables rules to redirect web traffic through the proxy will not be loaded. Operation of your transparent proxy can be restored by running the following from a command prompt: 

/usr/local/bin/restartsquid

Stop Logging Blaster Hits: This will stop your firewall logs from filling up with hits on TCP port 135 from the Blaster worm. Note that Smoothwall will still block all incoming traffic on port 135 - it's just not logging the hits anymore. 

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing 

/sbin/iptables -P OUTPUT ACCEPT

insert the following 

# drop hits from Blaster worm/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

Stop Logging Netbios Hits: This will stop your firewall logs from filling up with hits on UDP port 137. Note that Smoothwall will still block all incoming traffic on port 137 - it's just not logging the hits anymore. 

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing 

/sbin/iptables -P OUTPUT ACCEPT

insert the following 

# drop netbios traffic/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 137 -s 0/0 -j DROP

Stop Logging Hits from the Sasser/etc Worms: This will stop your firewall logs from filling up with hits on TCP port 445 from the Sasser worm and its numerous variants. Note that Smoothwall will still block all incoming traffic on port 445 - it's just not logging the hits anymore. 

Page 3: Adding Iptables Rules to Smoothwall Firewall

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing 

/sbin/iptables -P OUTPUT ACCEPT

insert the following 

# drop hits from Sasser and other worms/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 445 -s 0/0 -j DROP

Block Outbound Traffic From Specific PCs: If you want to prevent one or more specific PCs on your green network from accessing the internet, edit/etc/rc.d/rc.firewall.up and immediately after the line containing 

/sbin/iptables -P OUTPUT ACCEPT

insert the following 

# block all outgoing traffic from this PC/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j DROP

To block specific traffic from a PC on your green network (ie, web traffic on port 80), use 

# block all outgoing web traffic from this PC/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 192.168.0.3 --dport 80 -j DROP

Note that blocking outbound traffic in this way won't have any effect if you have Smoothwall's web proxy enabled, and the user configures their browser to use the proxy. To block this traffic too, you'll either need to block incoming traffic from that user on port 800 (the web proxy port), or implement an ACL in Squid. 

You can also block traffic based on the source MAC address: 

# block all outgoing traffic from this PC/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

Only Allow Outbound Traffic From Specific PCs: If you want to block all outbound traffic from your green network, and only allow one or more specific PCs to access the intenet, edit /etc/rc.d/rc.firewall.up and immediately after the line containing 

/sbin/iptables -P OUTPUT ACCEPT

insert the following 

# allow outgoing traffic from these PCs/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j ACCEPT/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.4 -j ACCEPT# block all other outgoing traffic /sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 0/0 -j DROP

Note that blocking outbound traffic in this way won't have any effect if you have Smoothwall's

Page 4: Adding Iptables Rules to Smoothwall Firewall

web proxy enabled, and the user configures their browser to use the proxy. To block this traffic too, you'll either need to block incoming traffic from that user on port 800 (the web proxy port), or implement an ACL in Squid. 

Block Unauthorised Outbound Mail Traffic If you only want to allow outbound SMTP mail traffic to a specific mail server (ie, your ISP's mail server), and block all other outbound SMTP traffic, you need to add some firewall rules to allow the SMTP traffic to the specified mail server, followed by a rule to block all other SMTP traffic. 

This will allow you to prevent anyone behind your Smoothwall from sending email using any mail servers which you don't want them to use, as well as blocking any outbound email from a virus/worm which may have infected one of the PCs on your green network. 

To do so, edit /etc/rc.d/rc.firewall.up and immediately after the line containing 

/sbin/iptables -P OUTPUT ACCEPT

insert the following 

# allow outgoing SMTP traffic to specific mail server/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -d w.x.y.z --dport 25 -j ACCEPT# block all other outgoing SMTP traffic /sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -d 0/0 --dport 25 -j DROP

and replace w.x.y.z with the IP address of the mail server you want to allow. 

If you want to allow outbound SMTP to multiple mail servers, just add multiple rules before the blocking rule, one for each mail server. 

Alternatively, if you have a mail server on your green or orange network, and only want to allow outbound SMTP from it, and block outbound SMTP from all other PCs on your green and orange networks, use the following: 

# block all outbound SMTP except from specified IP address/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s ! 192.168.0.2 --dport 25 -j DROP/sbin/iptables -A FORWARD -p TCP -i $ORANGE_DEV -s ! 192.168.0.2 --dport 25 -j DROP

This rule will block all outbound SMTP traffic from all PCs behind your Smoothwall, except 192.168.0.2. 

Note: Note that some of the Smoothwall fixes may overwrite rc.firewall.up with a newer version, so if you install a new fix, it may overwrite your changes, so always keep a backup copy of your rc.firewall.up before patching your Smoothie, so you can reapply the changes to the new rc.firewall.up. 

Page 5: Adding Iptables Rules to Smoothwall Firewall

Similarly, when doing a fresh installation of Smoothwall, only make these changes once you've fully patched the installation. 

References: netfilter/iptables project 

http://www.netfilter.org/

Building a dynamic firewall with iptables

Building a dynamic firewall with iptables

Documents
smoothwall networkguide

smoothwall networkguide

Education
Dominando Linux Firewall Iptables - Urubatan Neto (1)

Dominando Linux Firewall Iptables - Urubatan Neto (1)

Documents
2.1.Linux Security & Firewall - SANOG...Typical Linux Firewall SANOG34 –Kolkata 3-7 August –2019 iptables •Two components –Netfilter •Run in the kernel space •A set of

2.1.Linux Security & Firewall - SANOG...Typical Linux Firewall SANOG34 –Kolkata 3-7 August –2019 iptables •Two components –Netfilter •Run in the kernel space •A set of

Documents
1 Firewalls. ECE 4112 - Internetwork Security 2 Overview Background General Firewall setup Iptables Introduction Iptables commands “Limit” Function Explanation

1 Firewalls. ECE 4112 - Internetwork Security 2 Overview Background General Firewall setup Iptables Introduction Iptables commands “Limit” Function Explanation

Documents
Open source firewall tools Iptables and PF - WordPress.com · Open source firewall tools Iptables and PF Prepared by : ... case server listen on particular port and and ... CARP is

Open source firewall tools Iptables and PF - WordPress.com · Open source firewall tools Iptables and PF Prepared by : ... case server listen on particular port and and ... CARP is

Documents
Security Policy Firewall Netfilter & iptables - ICT Senecaraymond.chan/spr500/spr500-firewall... · 3 Security Policy Wikipedia - Security policy is a definition of what it means

Security Policy Firewall Netfilter & iptables - ICT Senecaraymond.chan/spr500/spr500-firewall... · 3 Security Policy Wikipedia - Security policy is a definition of what it means

Documents
Packet Filtering - Intranet DEIB · A stateful firewall is a firewall able to track the connections status and to decide accordingly the packet filtering actions ... IPTables does

Packet Filtering - Intranet DEIB · A stateful firewall is a firewall able to track the connections status and to decide accordingly the packet filtering actions ... IPTables does

Documents
IPTABLES Manual prácticoindex-of.co.uk/INFOSEC/doc-iptables-firewall.pdfIPTABLES Manual práctico En este manual se muestran las habituales arquitecturas de redes con firewall y la

IPTABLES Manual prácticoindex-of.co.uk/INFOSEC/doc-iptables-firewall.pdfIPTABLES Manual práctico En este manual se muestran las habituales arquitecturas de redes con firewall y la

Documents
Firewall, Netfilter and iptables - ICT Senecaraymond.chan/srt210/1402/tasks-slides/... · 27 Firewall: Basic Operation More firewall rules Allow packets which responding to previous

Firewall, Netfilter and iptables - ICT Senecaraymond.chan/srt210/1402/tasks-slides/... · 27 Firewall: Basic Operation More firewall rules Allow packets which responding to previous

Documents
CSE 468 Home Page: Project 1: Firewall and iptablesuniteng.com/wiki/lib/exe/fetch.php?media=classlog:... · Project 1: Firewall and iptables February 22, 2014 Bing Hao Project description

CSE 468 Home Page: Project 1: Firewall and iptablesuniteng.com/wiki/lib/exe/fetch.php?media=classlog:... · Project 1: Firewall and iptables February 22, 2014 Bing Hao Project description

Documents
firewalld ↔ iptables (continued) · firewalld ↔ iptables (continued) Or, better said as, Understanding Linux Firewall Changes and Tools A firewall evolution and system management

firewalld ↔ iptables (continued) · firewalld ↔ iptables (continued) Or, better said as, Understanding Linux Firewall Changes and Tools A firewall evolution and system management

Documents
iptables - firewall administration

iptables - firewall administration

Documents
Ver s Express - KONČAR Elektronika i informatika d.d.download.koncar-inem.hr/public/serveri/Firewall/FWA-700/SmoothWall... · 3 SmoothWall Express Installation Guide Ver s About

Ver s Express - KONČAR Elektronika i informatika d.d.download.koncar-inem.hr/public/serveri/Firewall/FWA-700/SmoothWall... · 3 SmoothWall Express Installation Guide Ver s About

Documents
Dominando Linux Firewall Iptables - Urubatan Neto.pdf

Dominando Linux Firewall Iptables - Urubatan Neto.pdf

Documents
Smoothwall Advanced Firewall Upgrade

Smoothwall Advanced Firewall Upgrade

Documents
IEEE TRANSACTIONS ON CLOUD COMPUTING 1 Hybrid Tree rule Firewall … · Tree-rule firewall with the capability of tracking the states of network connections. In comparison with IPTABLES,

IEEE TRANSACTIONS ON CLOUD COMPUTING 1 Hybrid Tree rule Firewall … · Tree-rule firewall with the capability of tracking the states of network connections. In comparison with IPTABLES,

Documents
PERFORMANCE EVALUATIONS OF CISCO ASA AND LINUX IPTABLES FIREWALL SOLUTIONS

PERFORMANCE EVALUATIONS OF CISCO ASA AND LINUX IPTABLES FIREWALL SOLUTIONS

Documents
Smoothwall Commercial

Smoothwall Commercial

Technology
Firewall Sobre Linux Iptables

Firewall Sobre Linux Iptables

Documents
INFRASTRUCTURE - Linux kernelvger.kernel.org/lpc_net2018_talks/ebpf-firewall-LPC.pdfBPF Firewall • iptables has a linearly increasing cpu-util as packets hit lower rules • Best

INFRASTRUCTURE - Linux kernelvger.kernel.org/lpc_net2018_talks/ebpf-firewall-LPC.pdfBPF Firewall • iptables has a linearly increasing cpu-util as packets hit lower rules • Best

Documents
Linux 2.4 stateful firewall designread.pudn.com/downloads65/ebook/231158/Linux 2.4... · Firewall design basics In putting together our firewall, the "iptables" command is our friend

Linux 2.4 stateful firewall designread.pudn.com/downloads65/ebook/231158/Linux 2.4... · Firewall design basics In putting together our firewall, the "iptables" command is our friend

Documents
Nada Abdulla Ahmed. SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall

Nada Abdulla Ahmed. SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall

Documents
Ver s Express - Huihoodocs.huihoo.com/smoothwall/smoothwall-express-3.0-install-guide.pdf · SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating

Ver s Express - Huihoodocs.huihoo.com/smoothwall/smoothwall-express-3.0-install-guide.pdf · SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating

Documents
Unified Threat Management - SmoothWall · Unified Threat Management Advanced Firewall Installation Guide ... mechanical, for any purpose, without the express written permission of

Unified Threat Management - SmoothWall · Unified Threat Management Advanced Firewall Installation Guide ... mechanical, for any purpose, without the express written permission of

Documents
Verified iptables Firewall Analysis and Verification · Verified iptables Firewall Analysis and Verification 193 the subsequent rules are the interesting ones which shape the firewall’s

Verified iptables Firewall Analysis and Verification · Verified iptables Firewall Analysis and Verification 193 the subsequent rules are the interesting ones which shape the firewall’s

Documents
Desvendando as Regras de Firewall Linux Iptables [Artigo]

Desvendando as Regras de Firewall Linux Iptables [Artigo]

Documents
Ipchains Iptables Firewall

Ipchains Iptables Firewall

Documents
Dominando Linux Firewall Iptables

Dominando Linux Firewall Iptables

Documents
Firewall Iptables Linux

Firewall Iptables Linux

Documents