[Chilli] IPTABLES

Steffen Dettmer steffen.dettmer at nomadrail.com
Mon Jun 2 09:47:33 UTC 2014


Hi,

good that you found a working setup!
However, maybe there are some details that still could be
improved.

* Stephen Davies [mailto:steve at base-it.co.uk]:
> This was added at the top of the script to get the gateway address
>
> # Get gateway IP for IPTABLES rules
> GATEWAYIP=$(netstat -rn | grep 0.0.0.0 | awk '{print $2}' | grep -v "0.0.0.0")

not sure if this is robust (e.g. when having multiple default routes)?

> Then I added the rules and included the gateway address variable so that
> access would not be blocked.

Are you sure your clients shall have access to the gateway? Maybe
you'd like to allow ICMP only? Or do you really offer services
for clients that run on the gateway?

> # Default
>      ipt -I FORWARD -i $TUNTAP -o $HS_WANIF -j ACCEPT
>
>      # Prevent access to SSH on Coovachilli router
>      ipt -I FORWARD -i $TUNTAP -p tcp --dport 22 -d 10.1.0.1 -j DROP

I think this normally should not be needed (see HS_TCP_PORTS, in
your case it should not include 22).

>      # Prevent access to private subnets
>      ipt -I FORWARD -d 192.0.0.0/255.0.0.0 -j DROP
>      ipt -I FORWARD -d 10.0.0.0/255.0.0.0 -j DROP
>      ipt -I FORWARD -d 172.0.0.0/255.0.0.0 -j DROP

I think this should be:

ipt -I FORWARD -d 192.168.0.0/255.255.0.0 -j DROP
ipt -I FORWARD -d 10.0.0.0/255.0.0.0 -j DROP
ipt -I FORWARD -d 172.16.0.0/255.240.0.0 -j DROP

(http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces).

otherwise you'd block a lot of public internet sites :-)

>      # Allow access to gateway
>      ipt -I FORWARD -d $GATEWAYIP -j ACCEPT

I think this should be double-checked...

Regards,
Steffen
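An added example, not part of the thread and not code from the quoted script or from CoovaChilli itself: a small POSIX sh check of the two points raised above. It classifies sample addresses against the quoted /8 masks and against the RFC 1918 ranges the reply recommends, so the collateral blocking of public addresses is visible, and it parses a constructed route table with two default routes to show why a single gateway variable is ambiguous. The `ipt` wrapper name and the router address 10.1.0.1 are taken from the quoted script; all sample addresses and the route table text are constructed here.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Pure POSIX sh, no iptables
# calls are executed; the corrected rules are only printed.

# ip_to_int DOTTED-QUAD -> prints the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/PREFIX -> exit status 0 when ADDR lies inside NET/PREFIX
in_net() {
    addr=$(ip_to_int "$1")
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_rfc1918 ADDR: the three private ranges (10/8, 172.16/12, 192.168/16)
is_rfc1918() {
    in_net "$1" 10.0.0.0/8 || in_net "$1" 172.16.0.0/12 || in_net "$1" 192.168.0.0/16
}

# blocked_by_quoted_rules ADDR: what the quoted /8 masks actually match
blocked_by_quoted_rules() {
    in_net "$1" 10.0.0.0/8 || in_net "$1" 172.0.0.0/8 || in_net "$1" 192.0.0.0/8
}

# collateral ADDR: prints "yes" when the quoted rules drop a public address
collateral() {
    if blocked_by_quoted_rules "$1" && ! is_rfc1918 "$1"; then echo yes; else echo no; fi
}

# corrected_rules: the FORWARD rules with proper RFC 1918 masks, in CIDR form
# ("ipt" is the wrapper used by the quoted script; nothing is executed here)
corrected_rules() {
    cat <<'EOF'
ipt -I FORWARD -d 192.168.0.0/16 -j DROP
ipt -I FORWARD -d 10.0.0.0/8 -j DROP
ipt -I FORWARD -d 172.16.0.0/12 -j DROP
EOF
}

# Constructed sample of `ip -4 route` output with two default routes, the
# case where a "grep 0.0.0.0 | awk" one-liner yields more than one gateway.
SAMPLE_ROUTES='default via 10.1.0.254 dev eth0 metric 100
default via 192.168.5.1 dev eth1 metric 200
10.1.0.0/24 dev eth0 scope link
192.168.5.0/24 dev eth1 scope link'

# default_gateways: prints one gateway address per default route found
default_gateways() {
    printf '%s\n' "$SAMPLE_ROUTES" | awk '$1 == "default" && $2 == "via" { print $3 }'
}

# gateway_count: number of default routes; anything other than 1 is ambiguous
gateway_count() { default_gateways | wc -l | tr -d ' '; }

# Constructed sample addresses: TEST-NET-1 (public), two 172.x hosts on either
# side of the /12 boundary, and the router address from the quoted script.
for a in 192.0.2.1 172.31.1.1 172.32.0.1 10.1.0.1; do
    printf '%-12s rfc1918=%-3s dropped_by_quoted_rules=%s\n' \
        "$a" "$(is_rfc1918 "$a" && echo yes || echo no)" "$(collateral "$a")"
done

echo "default routes found: $(gateway_count)"
corrected_rules
```

Running it shows 192.0.2.1 and 172.32.0.1 (both public) dropped by the quoted masks while only 172.31.1.1 and 10.1.0.1 are genuinely private, and reports two candidate gateways for the sample table; a script that sets GATEWAYIP should check that count before adding an ACCEPT rule for it.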

