Ocserv Firewall - iptables IPv4

Author: Mauro Gaspari

Scope

This recipe provides a deployment example of iptables (ipv4) for a GNU/Linux based router/firewall and ocserv as VPN server.
This recipe does not claim to be a step-by-step guide or an iptables tutorial, as there are plenty of those available online. Nor does it claim to be the best or most secure iptables setup; it is merely a starting-point example for a GNU/Linux based router/firewall running Ocserv.

Platforms used for testing

This Recipe was tested on the following platforms:

Assumptions

Requirements

Details on lab used on this recipe

Details on Firewall configuration

Filtering - input chain

Filtering - forward chain

Filtering - output chain

NAT - prerouting chain

NAT - postrouting chain

Enable Kernel Network Security options

  1. Edit sysctl.conf

    nano /etc/sysctl.conf

  2. Add the following lines to sysctl.conf

    # Protect from IP Spoofing
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1

    # Ignore ICMP broadcast requests
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    # Protect from bad icmp error messages
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    # Disable source packet routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv6.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv6.conf.default.accept_source_route = 0

    # Turn on exec shield
    # (kernel.exec-shield only exists on older Red Hat family kernels; on other
    # kernels sysctl -p reports it as an unknown key and applies the rest)
    kernel.exec-shield = 1
    kernel.randomize_va_space = 1

    # Block SYN attacks
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 2048
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_syn_retries = 5

    # Log Martians
    net.ipv4.conf.all.log_martians = 1

    # Ignore send redirects
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0

    # Ignore ICMP redirects
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv6.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0

  3. Apply changes without rebooting:

    sysctl -p
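To confirm the settings above actually took effect, and to catch keys the running kernel does not provide (which `sysctl -p` only reports once, in passing), here is an added Python check that is not part of the recipe. The sample configuration text is a constructed excerpt of the list above; the final block reads `/etc/sysctl.conf`, the path used in this recipe.

```python
# Added example (not the recipe's own code): confirm the sysctl hardening
# values from this recipe are live, and report keys the kernel lacks
# (such as kernel.exec-shield on kernels without it) rather than skip them.
import os

# Constructed excerpt of the recipe's sysctl.conf, including a repeated
# icmp_ignore_bogus_error_responses line to show duplicate detection.
SAMPLE_CONF = """\
# Protect from IP Spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.exec-shield = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
"""

def parse_sysctl_conf(text):
    """Return ({key: value}, [keys seen more than once]) from sysctl.conf text."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # both are comment markers
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates

def proc_sys_reader(key):
    """Live value of a dotted sysctl key from /proc/sys, or None if absent."""
    try:
        with open(os.path.join("/proc/sys", *key.split("."))) as fh:
            return fh.read().strip()
    except OSError:
        return None

def check_settings(settings, reader=proc_sys_reader):
    """(key, expected, actual) for every key whose live value differs;
    actual is None when the running kernel does not expose the key."""
    return [(key, want, got) for key, want in settings.items()
            if (got := reader(key)) != want]

if __name__ == "__main__":          # run as root after `sysctl -p`
    wanted, dups = parse_sysctl_conf(open("/etc/sysctl.conf").read())
    print("duplicate keys:", dups)
    print("mismatches:", check_settings(wanted))
```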

Disable distribution specific firewalls

Install and enable iptables services

Saved rules

For easy reference, this is where distribution specific iptables services save iptables rules.

Note for Webmin users. Webmin users can enjoy web based iptables management. However, the basic configuration of the Webmin iptables module, called "Linux Firewall" under "Networking", has its own way of starting, saving, and restoring iptables rules.
The default Webmin IPv4 rules location is:

/etc/iptables.up.rules

There are two easy ways to avoid conflicts and issues:

  1. Use Webmin iptables management instead of installing distribution specific iptables services.

  2. In order to coexist with distribution specific iptables services, change the Webmin "Linux Firewall" "module config" options to match the distribution specific iptables rules location. Also, on the main "Linux Firewall" page, keep the "Activate at boot" option set to no, as the distribution specific services will take care of this.

iptables basic configuration

As already stated in the recipe's scope, this is not an ultimate firewall configuration, just a starting point to have a working firewall with common policies. There are no port forwards and the only traffic allowed from outside is to reach openconnect server, installed on same box.

  1. Copy the following in your firewall configuration file.

    *nat
    :INPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    # Generic NAT for LAN Network 192.168.5.0/24  
    -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
    COMMIT
    
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # START INPUT RULES
    # Stateful Rule - INPUT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ACCEPT traffic from Loopback interface
    -A INPUT -i lo -j ACCEPT
    # ACCEPT SSH from LAN
    -A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
    # ACCEPT DHCP from LAN
    -A INPUT -p udp -m udp -i eth1 --dport 67:68 -j ACCEPT
    # ACCEPT Webmin from LAN (Optional, only for Webmin users)
    -A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
    # ACCEPT DNS UDP From LAN
    -A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
    # ACCEPT DNS TCP From LAN
    -A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
    # ACCEPT ping from LAN
    -A INPUT -p icmp --icmp-type echo-request -i eth1 -j ACCEPT
    # ACCEPT OpenConnect TCP From WAN
    -A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
    # ACCEPT OpenConnect UDP From WAN
    -A INPUT -p udp -m udp -i eth0 --dport 443 -j ACCEPT
    # DROP wan traffic
    -A INPUT -i eth0 -j DROP
    # LOG LAN
    -A INPUT -i eth1 -j LOG --log-prefix "IPTABLES-LOG-INPUT-LAN:" --log-level 4
    # ACCEPT LAN traffic - Learning rule - Should be changed to DROP once custom rules are created.
    -A INPUT -i eth1 -j ACCEPT
    # LAST RULE - DROP all traffic
    -A INPUT -j DROP
    # END INPUT RULES
    
    # START FORWARD RULES
    # Stateful Rule - FORWARD
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ACCEPT LAN to WAN
    -A FORWARD -s 192.168.5.0/24 -j ACCEPT
    # LOG Forwarded traffic
    -A FORWARD -j LOG --log-prefix "IPTABLES-LOG-FORWARD:" --log-level 4
    # LAST RULE - ACCEPT all traffic - Should be changed to DROP once custom rules are created.
    -A FORWARD -j ACCEPT
    # END FORWARD RULES
    
    # START OUTPUT RULES
    # Stateful Rule - OUTPUT 
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LOG Outgoing traffic
    -A OUTPUT -j LOG --log-prefix "IPTABLES-LOG-OUTPUT:" --log-level 4
    # LAST RULE - ACCEPT all traffic - Should be changed to DROP once custom rules are created.
    -A OUTPUT -j ACCEPT
    # END OUTPUT RULES
    COMMIT

  2. Check and apply rules. It is recommended to review the rules and tweak them for specific needs before applying. Note in particular that if the SSH and Webmin ports are not the standard ones, the firewall INPUT rules must be changed to match; failing to do so will lock the admin out.
    Once all rules are reviewed and changed as needed, the admin can apply them. The general command is:

    iptables-restore < /path/to/your/iptables/rules/file
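Before running `iptables-restore`, the following added Python audit (not part of the recipe or of ocserv) walks the INPUT chain in file order, the way the kernel evaluates it, to answer the lockout question from step 2 for a given interface and port, and to list the learning catch-all ACCEPT rules that are still in place. The rules text is a constructed excerpt of the configuration above, with `eth0` as WAN and `eth1` as LAN as in the recipe.

```python
# Added example (not the recipe's or ocserv's own code): audit the rules file
# before iptables-restore for admin lockout and leftover learning rules.
import shlex

# Constructed excerpt of the recipe's *filter table, comments removed.
SAMPLE_RULES = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 67:68 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """[(chain, {option: value})] per -A line; every option here takes one value."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "-A":
            opts = dict(zip(tokens[::2], tokens[1::2]))
            rules.append((opts.pop("-A"), opts))
    return rules

def port_matches(spec, port):
    lo, _, hi = spec.partition(":")          # --dport is "22" or a range "67:68"
    return int(lo) <= port <= int(hi or lo)

def admin_port_reachable(rules, iface, port, proto="tcp"):
    """Walk INPUT in order: True once an ACCEPT covering proto/port on iface
    is hit (a catch-all ACCEPT counts), False at a blanket DROP on iface."""
    for chain, o in rules:
        if chain != "INPUT" or o.get("-i") not in (None, iface):
            continue
        blanket = "-p" not in o and "-m" not in o   # no protocol/state match at all
        hit = o.get("-p") == proto and port_matches(o.get("--dport", "0:65535"), port)
        if o.get("-j") == "ACCEPT" and (blanket or hit):
            return True
        if o.get("-j") == "DROP" and blanket:
            return False
    return False   # not explicitly accepted; the chain policy decides

def learning_rules(rules):
    """Catch-all ACCEPTs the recipe says to turn into DROP once custom rules exist."""
    return [(chain, o) for chain, o in rules if o.get("-j") == "ACCEPT"
            and not set(o) - {"-j", "-i", "-o"} and o.get("-i") != "lo"]
```

Run it against the hardened file too (learning rules switched to DROP): a non-standard SSH port that the learning rule was silently letting in then shows up as unreachable before the rules go live.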

Examples

A few examples are given below.

Note for Webmin users
Webmin users can apply the rules from the web interface.

Security Note on IPS/IDS system

Final notes

This concludes the Ocserv Firewall - iptables IPv4 recipe. At this point iptables allows the OpenConnect server to receive VPN connections on the WAN interface.