We try to use Linux as a router in our home (bf&I and before x-mas a little one). We have our phones, tablets, one desktop and some smart home appliances, and we also would like to have a separate WLAN intended for occasional friends and guests.
We figured out we would like to use Linux on our router but it appears it doesn’t work as we would like. We do get full control over the system, but we are unsure what traffic we would like to keep inside and what to route out. ICMP, for example, and also UDP with the exception of DNS queries. (Windows would be much better since its implementation of internet sharing doesn’t require the user to make those decisions). There is also no way to verify the security of our system. For example, iptables is supposed to have text-to-rules interpreters, but I have not yet found a way to test given rules in any way. I’m thinking of something like unit testing in software engineering.
Our Linux box, as it appears, will be much too insecure for us to use, and security is the main reason we opted for this rather than a standard domestic wifi/lan box.
The output of our current configuration is listed below. It is the output of iptables-save. Also don’t worry about the obviously missing wifi interfaces for now. They are in the mail:
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*security
:INPUT ACCEPT [10380635:5321211941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10345804:4108452830]
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*raw
:PREROUTING ACCEPT [10387433:5321462253]
:OUTPUT ACCEPT [10345804:4108452830]
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*mangle
:PREROUTING ACCEPT [10387433:5321462253]
:INPUT ACCEPT [10387433:5321462253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10345804:4108452830]
:POSTROUTING ACCEPT [10345804:4108452830]
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*nat
:PREROUTING ACCEPT [6902:256552]
:INPUT ACCEPT [104:6240]
:OUTPUT ACCEPT [507836:30475116]
:POSTROUTING ACCEPT [507685:30461100]
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10345805:4108453014]
:Badflags - [0:0]
:Firewall - [0:0]
:Rejectwall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j Badflags
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j Firewall
-A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 137 --dport 137 -j DROP
-A INPUT -j Rejectwall
-A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp4s0 -o enp1s0 -j ACCEPT
-A Badflags -j LOG --log-prefix " Badflags "
-A Badflags -j DROP
-A Firewall -j LOG --log-prefix " Firewall "
-A Firewall -j DROP
-A Rejectwall -j LOG --log-prefix " Rejectwall "
-A Rejectwall -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
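The post asks for something like unit tests for iptables rules. As an added example (not from the post), this small Python evaluator parses an excerpt of the filter table above into a toy packet model (interface in/out, protocol, destination port, conntrack state) and returns the verdict for a few representative packets, so expectations such as "new connections from the WAN are not forwarded" can be asserted. It assumes enp1s0 is the WAN and enp2s0 a LAN interface (inferred from the MASQUERADE and FORWARD rules), and the excerpt leaves out matches the evaluator does not understand (tcp-flags, icmp-type, limit).

```python
# Offline "unit test" of an iptables-save filter table over a toy packet model.
import shlex
RULES = """
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Rejectwall
-A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
-A Rejectwall -j LOG --log-prefix " Rejectwall "
-A Rejectwall -j REJECT --reject-with icmp-port-unreachable
"""  # excerpt of the post's filter table; only matches this evaluator understands
OPTS = {"-i": "iif", "-o": "oif", "-p": "proto", "--dport": "dport", "--state": "state"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    chains, policy = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith(":"):            # chain declaration and policy
            policy[tok[0][1:]] = tok[1]; chains.setdefault(tok[0][1:], [])
        elif tok and tok[0] == "-A":                  # append rule: matches + target
            rule, target, i = {}, None, 2
            while i < len(tok):
                if tok[i] in OPTS: rule[OPTS[tok[i]]] = tok[i + 1]; i += 2
                elif tok[i] == "-j": target = tok[i + 1]; i += 2
                else: i += 1                          # -m tcp, --log-prefix, ... ignored
            chains.setdefault(tok[1], []).append((rule, target))
    return chains, policy

def matches(rule, pkt):
    return all(pkt["state"] in v.split(",") if k == "state" else str(pkt.get(k)) == v
               for k, v in rule.items())

def verdict(chains, policy, chain, pkt):
    # First terminating target wins; LOG falls through; a user chain with no
    # verdict returns to its caller; a built-in chain ends with its policy.
    for rule, target in chains.get(chain, []):
        if matches(rule, pkt):
            if target in TERMINAL: return target
            if target in chains and (v := verdict(chains, policy, target, pkt)): return v
    return policy.get(chain) if policy.get(chain) in TERMINAL else None

def check_ruleset(text=RULES):
    chains, policy = parse(text)
    wan_new = {"iif": "enp1s0", "oif": "enp2s0", "proto": "tcp", "dport": 80, "state": "NEW"}
    lan_new = {"iif": "enp2s0", "oif": "enp1s0", "proto": "tcp", "dport": 443, "state": "NEW"}
    to_router = {"iif": "enp1s0", "oif": None, "proto": "tcp", "dport": 22, "state": "NEW"}
    return {"wan_to_lan_new": verdict(chains, policy, "FORWARD", wan_new),
            "lan_to_wan_new": verdict(chains, policy, "FORWARD", lan_new),
            "wan_reply": verdict(chains, policy, "FORWARD", dict(wan_new, state="ESTABLISHED")),
            "ssh_from_wan": verdict(chains, policy, "INPUT", to_router),
            "other_from_wan": verdict(chains, policy, "INPUT", dict(to_router, dport=80))}
```

The `ssh_from_wan` case comes back ACCEPT, which is exactly what the `--dport 22` rule on enp1s0 says; a test like this makes such decisions explicit instead of leaving them buried in the ruleset.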