
@nsoui
Last active March 27, 2021 18:13

IPTables setup for a Linux-based Router

The following script configures the router's firewall to reject everything arriving from the WAN while forwarding all traffic from the LAN to the WAN (and the replies back).

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

WAN=enp2s0
LAN=enp3s0
IPTABLES="sudo iptables"   # quoted, otherwise the shell would run "iptables" with IPTABLES=sudo in its environment

#
# delete all existing rules.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X

# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
$IPTABLES -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
$IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT

# Masquerade.
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Don't forward new connections from the outside to the inside.
$IPTABLES -A FORWARD -i $WAN -o $LAN -j REJECT

# Reject new connections addressed to the router itself on the WAN interface.
$IPTABLES -A INPUT -i $WAN -j REJECT

More Logging

Optionally, if we wish to see what is being refused, we can define a chain that logs (rate-limited to two entries per minute) and then drops, and use it as the target in place of REJECT in the rules above:

$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "Iptables-Dropped: " --log-level 4
$IPTABLES -A LOGDROP -j DROP

Mirror traffic to a NIDS host

Optionally, if you want to mirror all traffic to a NIDS host (or container) running snort, suricata or similar, the TEE target clones each packet to that host. The NIDS host must be reachable on the same network segment as the mirrored interface:

NIDS=nids.ip.add.ess   # address of the NIDS host (no leading "$" on an assignment)
# br-lan is the LAN-side (bridged) interface; use $LAN instead if the LAN is a plain interface.
# Exclude the NIDS host's own traffic so the mirrored copies are not mirrored again.
iptables -A POSTROUTING -t mangle -o br-lan ! -s $NIDS -j TEE --gateway $NIDS
iptables -A PREROUTING -t mangle -i br-lan ! -d $NIDS -j TEE --gateway $NIDS

Final Script

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

WAN=enp2s0
LAN=enp3s0
IPTABLES="sudo iptables"
SYSCTL="sudo sysctl"

#
# delete all existing rules.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X

# Logging chains: LOGDROP replaces DROP, LOGREJECT replaces REJECT.
# Only LOGREJECT is used below; LOGDROP is kept for rules that should drop silently after logging.
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "Iptables-Dropped: " --log-level 4
$IPTABLES -A LOGDROP -j DROP

$IPTABLES -N LOGREJECT
$IPTABLES -A LOGREJECT -m limit --limit 2/min -j LOG --log-prefix "Iptables-Rejected: " --log-level 4
$IPTABLES -A LOGREJECT -j REJECT

# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
$IPTABLES -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
$IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT

# Masquerade.
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Don't forward new connections from the outside to the inside.
$IPTABLES -A FORWARD -i $WAN -o $LAN -j LOGREJECT

# Reject new connections addressed to the router itself on the WAN interface.
$IPTABLES -A INPUT -i $WAN -j LOGREJECT

# Enable IPv4 forwarding. This does not survive a reboot; set it in /etc/sysctl.conf or /etc/sysctl.d/ to make it persistent.
$SYSCTL net.ipv4.ip_forward=1
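The script above flushes the tables and then appends rules one at a time while the built-in chains keep their default ACCEPT policy, so while it runs, or if one command fails part-way, the router accepts everything. The following is an added example (not part of the gist) that expresses the same policy as an iptables-restore ruleset, which is loaded atomically and with explicit DROP policies on INPUT and FORWARD; the interface names are the gist's, and check_ruleset is a hypothetical helper for checking the generated text offline.

```shell
#!/bin/sh
# Added example: the gist's firewall policy as an iptables-restore ruleset.
# iptables-restore swaps in the whole table in one step, so there is no window
# between the flush and the last rule, and unmatched packets hit DROP, not ACCEPT.
WAN=${WAN:-enp2s0}   # interface names assumed to match the gist
LAN=${LAN:-enp3s0}

# Print the ruleset for the given WAN and LAN interface names.
gen_ruleset() {
    wan=$1; lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGREJECT - [0:0]
-A LOGREJECT -m limit --limit 2/min -j LOG --log-prefix "Iptables-Rejected: " --log-level 4
-A LOGREJECT -j REJECT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW ! -i $wan -j ACCEPT
-A INPUT -i $wan -j LOGREJECT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -j LOGREJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Offline sanity check (hypothetical helper): return 1 if any WAN-to-LAN
# FORWARD rule lets through something other than ESTABLISHED,RELATED traffic.
check_ruleset() {
    if gen_ruleset "$1" "$2" | grep -- "-A FORWARD -i $1 -o $2 " |
        grep -v -e ESTABLISHED -e LOGREJECT | grep -q .; then
        return 1
    fi
    return 0
}

# To apply (as root), validate first, then load:
#   gen_ruleset "$WAN" "$LAN" | iptables-restore --test && gen_ruleset "$WAN" "$LAN" | iptables-restore
# Forwarding still has to be enabled separately: sysctl net.ipv4.ip_forward=1
```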