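#!/usr/bin/env bash
#######################################################################################################################
# Firewall configuration for this host
#
# Builds the IPv4 packet filter for a router that has an upstream link on eth0 and several VLAN
# sub-interfaces (eth0.20 ... eth0.60).  Rules are appended (-A) to INPUT/OUTPUT/FORWARD and to
# nat/POSTROUTING; the chain policies are switched to DROP only at the very end so that an admin
# session keeps working while the rule set is being built.
#
# Usage: run as a user with sudo rights.  The result is NOT persistent; save it afterwards with
#   sudo sh -c "iptables-save > /etc/iptables/rules.v4"
#
# NOTE: the script only appends.  Running it twice duplicates every rule - flush the filter and nat
#       tables first (or reload the saved rules.v4 with iptables-restore) before re-running.
# NOTE: only IPv4 is configured.  If IPv6 is enabled on this host, ip6tables keeps its own (default
#       ACCEPT) policies and none of the restrictions below apply to IPv6 traffic.
# NOTE: the INPUT accept rules for dns/ntp/dhcp are not bound to an interface.  If eth0 can be reached
#       from untrusted networks, consider adding "-i eth0.<vlan>" to them so the host does not answer
#       DNS/NTP from the upstream side.
#######################################################################################################################

# Stop at the first failing command: a silently skipped rule would leave a gap in the policy, and
# aborting before the policies flip to DROP (bottom of the file) shows which rule was rejected
# without locking the admin out.
set -eu

#######################################################################################################################
# Host traffic (INPUT / OUTPUT)
#######################################################################################################################

# Allow minimum for all VLANs (ping, dhcp, dns, ntp)
sudo iptables -A INPUT  -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept incomming pings"
sudo iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept outgoing pings"
sudo iptables -A INPUT  -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept incomming dhcp"
sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept outgoing dhcp"
sudo iptables -A INPUT  -j ACCEPT -p udp --dport 53 -m comment --comment "accept incomming dns"
sudo iptables -A INPUT  -j ACCEPT -p tcp --dport 53 -m comment --comment "accept incomming dns"
sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept outgoing dns"
sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept outgoing dns"
sudo iptables -A INPUT  -j ACCEPT -p udp --dport 123 -m comment --comment "accept incomming ntp"
sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept outgoing ntp"

# Allow some useful outgoing traffic for all VLANs (ssh, http)
sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "accept outgoing ssh"
sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "accept outgoing http"

# Allow established and related traffic (replies to everything accepted above)
sudo iptables -A INPUT  -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED \
  -m comment --comment "accept all incomming established and related trafic"
sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED \
  -m comment --comment "accept all outgoing established and related trafic"

# Allow everything for trusted networks (loopback, VLAN30) and everything outgoing to the internet.
# "! -d 192.168.0.0/16" means: any destination outside the private /16 this site uses.
sudo iptables -A INPUT  -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
sudo iptables -A INPUT  -j ACCEPT -i eth0.30 -m comment --comment "accept all incoming traffic of eth0.30 device"
sudo iptables -A OUTPUT -j ACCEPT -o eth0.30 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
sudo iptables -A OUTPUT -j ACCEPT -o eth0 ! -d 192.168.0.0/16 \
  -m comment --comment "accept all outgoing traffic to the internet"

# Reject (instead of silently dropping) whatever is left, so clients get immediate feedback
sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"

#######################################################################################################################
# Cross-VLAN forwarding (FORWARD)
#######################################################################################################################

# General
# Enable routing between interfaces.  This setting is lost on reboot; persist it via sysctl.conf / sysctl.d.
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED \
  -m comment --comment "forward all established and related traffic"
sudo iptables -A FORWARD -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "forward all pings"
# Only NTP requests (dport 123) need an explicit rule; the replies are matched by the ESTABLISHED,RELATED
# rule above.  An additional "--sport 123" accept would let any UDP packet whose source port is 123 cross
# every VLAN boundary regardless of the per-VLAN rules below, so it is deliberately not added.
sudo iptables -A FORWARD -j ACCEPT -p udp --dport 123 -m comment --comment "forward all ntp request"

#---------------------
# -> VLAN10 (Internet)
#---------------------
# Allow VLAN30 full access to the internet
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 ! -d 192.168.0.0/16 \
  -m comment --comment "forward all traffic from vlan30 to the internet"
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0 -d 192.168.0.0/24 \
  -m comment --comment "forward all traffic from vlan30 to vlan10"

# Allow VLAN40 access to http,https
# "--dport 80:443" would be a port RANGE (every port from 80 through 443, e.g. 110, 139, 389 as well);
# multiport matches exactly the two ports that the comment promises.
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp -m multiport --dports 80,443 \
  -m comment --comment "forward all http and https traffic from vlan40 to the internet"
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 ! -d 192.168.0.0/16 -p tcp --dport 8080 \
  -m comment --comment "forward port 8080 to the internet for siemens dishwasher"

# Allow VLAN60 access to http,https (same port-range caveat as VLAN40)
sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0 ! -d 192.168.0.0/16 -p tcp -m multiport --dports 80,443 \
  -m comment --comment "forward all http and https traffic from vlan60 to the internet"

#--------------------
# -> VLAN20 (Network)
#--------------------
# Allow VLAN30 full access
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.20 -d 192.168.20.0/24 \
  -m comment --comment "forward traffic from vlan30 to VLAN20"

#--------------------------------------
# -> VLAN30 (Family) - VERY RESTRICTIVE
#--------------------------------------
# Allow VLAN40 and VLAN50 access to the mqtt port
sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 \
  -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 1883 -d 192.168.30.0/24 \
  -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
# Only the FTP control connection is opened here.  Data connections (active or passive) are only accepted
# as RELATED if the FTP conntrack helper is loaded - verify that printing actually works across the VLANs.
sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0.30 -p tcp --dport 21 -d 192.168.30.0/24 \
  -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"

#-------------------------------
# -> VLAN40 (Untrusted Internet)
#-------------------------------
# Allow VLAN30 full access
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.40 -d 192.168.40.0/24 \
  -m comment --comment "forward traffic from vlan30 to VLAN40"

#----------------------------------
# -> VLAN50 (Untrusted no Internet)
#----------------------------------
# Allow VLAN30 full access
sudo iptables -A FORWARD -j ACCEPT -i eth0.30 -o eth0.50 -d 192.168.50.0/24 \
  -m comment --comment "forward traffic from vlan30 to VLAN50"

#------------------
# -> VLAN60 (Gäste)
#------------------
# (no forwarding into the guest VLAN)

#----------------------
# Masquerade traffic to
#----------------------
# Masquerading towards the inner VLANs hides the real source address from hosts on those VLANs:
# their logs will show this router's address, not the originating client.
sudo iptables -t nat -A POSTROUTING -o eth0    -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
sudo iptables -t nat -A POSTROUTING -o eth0.30 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"

#######################################################################################################################
# Change policy to drop all remaining traffic (done last so a partially built rule set cannot lock us out)
#######################################################################################################################
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

#######################################################################################################################
# Show configuration
#######################################################################################################################
sudo iptables -L -n -v --line-numbers
echo "********************************************************************************************"
echo "* -> Execute sudo sh -c \"iptables-save > /etc/iptables/rules.v4\""
echo "********************************************************************************************"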