The main reason I am creating the 3 VLANs is to separate out and monitor the IoT devices that are starting to accumulate in my house, and to separate my testing lab from everything else because of the malware that I sometimes detonate in it.
Below is the configuration of the /etc/network/interfaces file that establishes the VLANs. After that configuration is what I started with to build out the iptables rules for each environment. I am also running a caching bind9 server and plan to set up squid as a transparent web proxy. I intend to feed the logs that are generated into a SIEM. I am still deciding between AlienVault OSSIM, Splunk Light, ELK, or one of many others...
## /etc/network/interfaces ##
auto lo
iface lo inet loopback
# The primary network interface
# eth0 faces the upstream 172.20.5.0/24 network. The router is .254 and
# the upstream gateway is .1; the iptables section treats this interface
# as the "WAN" side of the router.
auto eth0
iface eth0 inet static
address 172.20.5.254
netmask 255.255.255.0
network 172.20.5.0
broadcast 172.20.5.255
gateway 172.20.5.1
# dns-* options are implemented by the resolvconf package, if installed
# These dns-* lines configure the router's own resolver (resolvconf), not
# the clients on each VLAN.
# NOTE(review): the iptables OUTPUT rules only allow UDP/53 from the router
# to 75.75.75.75, so lookups the router sends to 172.20.5.1 would be dropped
# and logged as WAN_OUTPUT_DROP — confirm which nameserver resolv.conf ends
# up with.
dns-nameservers 172.20.5.1
dns-search thepcn3rd.local
# Native Network
# Untagged traffic on eth1. iptables "-i eth1.10" is an exact match and does
# not cover "eth1" itself; check that the iptables section has an explicit
# rule for this interface, otherwise untagged frames fall through to the
# INPUT policy (DROP) without a log entry.
auto eth1
iface eth1 inet static
address 10.0.0.1
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255
dns-nameservers 10.0.0.1
dns-search my.local
# Wireless Network
# 802.1Q VLAN 10 carried on eth1 (vlan-raw-device). The router's resolver
# points at its own VLAN address, i.e. the local caching bind9.
auto eth1.10
iface eth1.10 inet static
address 10.10.0.1
netmask 255.255.255.0
network 10.10.0.0
broadcast 10.10.0.255
dns-nameservers 10.10.0.1
dns-search wireless.local
vlan-raw-device eth1
# Wired Network
# 802.1Q VLAN 20 carried on eth1.
auto eth1.20
iface eth1.20 inet static
address 10.20.0.1
netmask 255.255.255.0
network 10.20.0.0
broadcast 10.20.0.255
dns-nameservers 10.20.0.1
dns-search wired.local
vlan-raw-device eth1
# Untrusted Network
# 802.1Q VLAN 30 carried on eth1: the testing lab where malware is detonated.
# Isolation from the other VLANs relies on the iptables FORWARD chain having
# no eth1.X -> eth1.Y rule. The search domain (blue.local) does not follow
# the wireless/wired naming pattern — presumably intentional.
auto eth1.30
iface eth1.30 inet static
address 10.30.0.1
netmask 255.255.255.0
network 10.30.0.0
broadcast 10.30.0.255
dns-nameservers 10.30.0.1
dns-search blue.local
vlan-raw-device eth1
## iptables ##
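#!/usr/bin/env bash
#
# Firewall policy for the lab router: default-DROP on INPUT, OUTPUT and
# FORWARD, a small allow-list per interface, and a logging chain in front
# of every verdict so the LOG lines can be shipped to a SIEM.
#
# Interfaces (see /etc/network/interfaces):
#   eth0     172.20.5.254/24  upstream ("WAN" side of this router)
#   eth1     10.0.0.1/24      native / untagged
#   eth1.10  10.10.0.1/24     wireless
#   eth1.20  10.20.0.1/24     wired
#   eth1.30  10.30.0.1/24     untrusted lab
#
# Log prefixes: WAN-ACCEPT, LAN-ACCEPT, FORWARD-ACCEPT, WAN_INPUT_DROP,
# WAN_OUTPUT_DROP, LAN_INPUT_DROP, LAN_OUTPUT_DROP, FORWARD_DROP.
# Each LOG rule is rate limited with "-m limit --limit 2/min" (burst
# defaults to 5), so a scan or flood shows up as a handful of lines, not
# one per packet — keep that in mind when building SIEM detections.
#
# Run as root. The policies are set to DROP before the allow rules are
# added, so an SSH session to the router stalls briefly while the script
# runs; TCP retransmission normally recovers it once the SSH rule is in.
#
# Changes from the first cut of this script:
#   * DHCP matches on the DHCP ports instead of the VLAN's addresses: a
#     client without a lease sends from 0.0.0.0:68 to 255.255.255.255:67,
#     which a "-s 10.x.0.0/24 -d 10.x.0.1" match never accepts.
#   * The router's own upstream DNS goes through WAN_ACCEPT (it is eth0
#     traffic) so its log prefix matches the other eth0 rules.
#   * The untagged eth1 interface gets the same logging DROP catch-all as
#     the VLAN interfaces instead of being dropped silently by the policy.
#   * set -e: a failing iptables call aborts the run (fail closed) instead
#     of silently leaving one allow rule out of an otherwise applied policy.
set -eu

readonly WAN_IF=eth0
readonly WAN_NET=172.20.5.0/24
readonly WAN_ADDR=172.20.5.254
readonly NATIVE_IF=eth1
# The only host the router and the VLANs may send UDP/53 to upstream.
readonly UPSTREAM_DNS=75.75.75.75

#######################################
# Create a user chain that logs (rate limited) and then applies a verdict.
# Arguments:
#   $1 - chain name
#   $2 - log prefix (kept verbatim, including the trailing space)
#   $3 - final target, ACCEPT or DROP
#######################################
log_chain() {
  local chain=$1 prefix=$2 verdict=$3
  iptables -N "$chain"
  iptables -A "$chain" -m limit --limit 2/min -j LOG --log-prefix "$prefix" --log-level 6
  iptables -A "$chain" -j "$verdict"
}

#######################################
# Allow one VLAN to use the DNS and DHCP services the router offers it.
# Arguments:
#   $1 - interface (e.g. eth1.20)
#   $2 - network in CIDR (e.g. 10.20.0.0/24)
#   $3 - router address on that VLAN (e.g. 10.20.0.1)
#   $4 - target for the matches: ACCEPT (no log) or LAN_ACCEPT (logged)
#######################################
lan_services() {
  local ifc=$1 net=$2 gw=$3 target=$4
  # DNS UDP/53 to the caching resolver on the router.
  # NOTE(review): no TCP/53 rule exists, so a truncated UDP answer cannot be
  # retried over TCP; add a matching "-p tcp --dport 53" pair if that bites.
  iptables -A INPUT -i "$ifc" -p udp -s "$net" -d "$gw" --dport 53 -j "$target"
  iptables -A OUTPUT -o "$ifc" -p udp -s "$gw" -d "$net" --sport 53 -j "$target"
  # DHCP UDP/67 (server) <-> UDP/68 (client). DISCOVER/REQUEST from a client
  # without a lease is 0.0.0.0 -> 255.255.255.255, so restrict by interface
  # and port only, not by address.
  # NOTE(review): a DHCP server that uses raw packet sockets bypasses these
  # hooks entirely; the rules matter for servers that use UDP sockets.
  iptables -A INPUT -i "$ifc" -p udp --sport 68 --dport 67 -j "$target"
  iptables -A OUTPUT -o "$ifc" -p udp --sport 67 --dport 68 -j "$target"
}

#######################################
# Forward one VLAN to the upstream interface and allow the replies back.
# Only DNS to the upstream resolver and HTTP/HTTPS are permitted; anything
# else, including VLAN-to-VLAN traffic, falls through to FORWARD_DROP.
# Arguments:
#   $1 - interface
#   $2 - network in CIDR
#######################################
lan_forward() {
  local ifc=$1 net=$2 port
  iptables -A FORWARD -i "$ifc" -o "$WAN_IF" -p udp -s "$net" -d "$UPSTREAM_DNS" --dport 53 -j LOG_FORWARD_ACCEPT
  iptables -A FORWARD -i "$WAN_IF" -o "$ifc" -p udp -s "$UPSTREAM_DNS" -d "$net" --sport 53 -j LOG_FORWARD_ACCEPT
  for port in 80 443; do
    iptables -A FORWARD -i "$ifc" -o "$WAN_IF" -p tcp -s "$net" --dport "$port" -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
    iptables -A FORWARD -i "$WAN_IF" -o "$ifc" -p tcp -d "$net" --sport "$port" -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT
  done
}

main() {
  local ifc

  # Start from an empty filter/nat ruleset. "-X" only removes user chains
  # that nothing references any more, hence the flushes first.
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -Z

  # Default deny in every direction; everything below is an allow-list.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  log_chain WAN_ACCEPT 'WAN-ACCEPT ' ACCEPT
  log_chain LAN_ACCEPT 'LAN-ACCEPT ' ACCEPT
  log_chain LOG_FORWARD_ACCEPT 'FORWARD-ACCEPT ' ACCEPT
  log_chain WAN_INPUT_DROP 'WAN_INPUT_DROP ' DROP
  log_chain WAN_OUTPUT_DROP 'WAN_OUTPUT_DROP ' DROP
  log_chain LAN_INPUT_DROP 'LAN_INPUT_DROP ' DROP
  log_chain LAN_OUTPUT_DROP 'LAN_OUTPUT_DROP ' DROP
  log_chain FORWARD_DROP 'FORWARD_DROP ' DROP

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # A blanket "--state RELATED,ESTABLISHED -j ACCEPT" is deliberately not
  # used: each allowed flow carries its own state match so the reply
  # direction is exactly as narrow as the request direction.

  ##### eth0: management and upstream DNS #####
  # SSH to the router from the upstream LAN only.
  iptables -A INPUT -i "$WAN_IF" -p tcp -s "$WAN_NET" -d "$WAN_ADDR" --dport 22 -m state --state NEW,ESTABLISHED -j WAN_ACCEPT
  iptables -A OUTPUT -o "$WAN_IF" -p tcp -s "$WAN_ADDR" -d "$WAN_NET" --sport 22 -m state --state ESTABLISHED -j WAN_ACCEPT
  # The router's resolver may only talk to the upstream forwarder. If bind9
  # is set up to recurse from the root servers instead, those queries are
  # dropped and appear in the log as WAN_OUTPUT_DROP.
  iptables -A OUTPUT -o "$WAN_IF" -p udp -s "$WAN_ADDR" -d "$UPSTREAM_DNS" --dport 53 -j WAN_ACCEPT
  iptables -A INPUT -i "$WAN_IF" -p udp -s "$UPSTREAM_DNS" -d "$WAN_ADDR" --sport 53 -j WAN_ACCEPT

  ##### eth1.20 (wired): SSH to the router #####
  iptables -A INPUT -i eth1.20 -p tcp -s 10.20.0.0/24 -d 10.20.0.1 --dport 22 -m state --state NEW,ESTABLISHED -j LAN_ACCEPT
  iptables -A OUTPUT -o eth1.20 -p tcp -s 10.20.0.1 -d 10.20.0.0/24 --sport 22 -m state --state ESTABLISHED -j LAN_ACCEPT

  ##### DNS and DHCP on every VLAN #####
  # The wireless and wired VLANs accept without logging; the untrusted lab
  # goes through LAN_ACCEPT so its lookups and leases are logged
  # (presumably to keep the trusted VLANs' DNS chatter out of the SIEM).
  lan_services eth1.10 10.10.0.0/24 10.10.0.1 ACCEPT
  lan_services eth1.20 10.20.0.0/24 10.20.0.1 ACCEPT
  lan_services eth1.30 10.30.0.0/24 10.30.0.1 LAN_ACCEPT

  ##### Forwarding to the upstream network #####
  # NAT everything the FORWARD chain lets out through eth0.
  iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  lan_forward eth1.10 10.10.0.0/24
  lan_forward eth1.20 10.20.0.0/24
  lan_forward eth1.30 10.30.0.0/24
  # No eth1.X -> eth1.Y rule exists, so the lab VLAN cannot reach the others
  # and every such attempt is logged here.
  iptables -A FORWARD -j FORWARD_DROP

  ##### Logging catch-alls ahead of the DROP policies #####
  iptables -A INPUT -i "$WAN_IF" -j WAN_INPUT_DROP
  iptables -A OUTPUT -o "$WAN_IF" -j WAN_OUTPUT_DROP
  # "-i eth1.10" is an exact interface match, so the untagged eth1 is listed
  # explicitly; otherwise frames arriving without a VLAN tag would hit the
  # policy DROP without a log line.
  for ifc in "$NATIVE_IF" eth1.10 eth1.20 eth1.30; do
    iptables -A INPUT -i "$ifc" -j LAN_INPUT_DROP
    iptables -A OUTPUT -o "$ifc" -j LAN_OUTPUT_DROP
  done
}

main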