A small firewall ruleset for a VPN gateway that also acts as a transparent proxy.

Typical use case: ad blocker for non-rooted smartphones.

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Packets that already belong to a local socket (the proxy's TPROXY listener)
# are marked and accepted; the mark is what the policy-routing rule keys on.
-N DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT

-A PREROUTING -p tcp -m socket -j DIVERT
# New HTTP/HTTPS connections from the two VPN client subnets are diverted to
# the proxy's TPROXY listeners on 3128 (HTTP) and 3129 (TLS). TPROXY only sets
# the mark; an "ip rule" for fwmark 1 plus a local route in that table (not
# part of an iptables-save file) is needed to actually deliver the packets.
-A PREROUTING -s 10.3.0.0/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
-A PREROUTING -s 10.3.0.0/24 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
-A PREROUTING -s 10.5.0.0/24 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
-A PREROUTING -s 10.5.0.0/24 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# No source NAT between the private networks.
-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
# Only reached for sources outside 10.0.0.0/8: traffic from the VPN subnets to
# 192.168.26.16 has already been accepted by the rule above.
-A POSTROUTING -d 192.168.26.16/32 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -d 192.168.0.0/16 -j ACCEPT
# Everything else from the VPN clients leaves with 172.31.1.100 as source.
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 172.31.1.100

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The user chain VPN is declared but no rule below jumps to it.
:VPN - [0:0]

-A INPUT -i lo -j ACCEPT

# Everything from the VPN client subnets is accepted here, including the
# TPROXY-diverted connections (the filter table still sees dport 80/443).
-A INPUT -s 10.3.0.0/24 -j ACCEPT
-A INPUT -s 10.5.0.0/24 -j ACCEPT
# As ordered, the two LOG rules below can never match: INVALID packets from
# those subnets were already accepted two lines up. Move them, together with
# the DROP, above the subnet ACCEPTs if they are meant to fire.
-A INPUT -m conntrack --ctstate INVALID -s 10.3.0.0/24 -j LOG --log-prefix "invalid_dropped: " --log-level 4
-A INPUT -m conntrack --ctstate INVALID -s 10.5.0.0/24 -j LOG --log-prefix "invalid_dropped: " --log-level 4
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Log TR069 requests - they are still active...
-A INPUT -p tcp -m tcp --dport 7547 -j LOG --log-prefix "TR069_dropped: " --log-level 4
-A INPUT -p tcp -m tcp --dport 7547 -j DROP

# SSH and the gateway's own ports 80/443, open to any source, not only VPN clients
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.26.16/32 -j ACCEPT
-A INPUT -s 10.1.1.1/32 -j ACCEPT
# Also unreachable as ordered (see the subnet ACCEPTs at the top of the chain);
# the catch-all LOG before the final DROP is left disabled.
-A INPUT -s 10.3.0.0/24 -j LOG --log-prefix "vpn_dropped: " --log-level 4
-A INPUT -s 10.5.0.0/24 -j LOG --log-prefix "vpn_dropped: " --log-level 4
#-A INPUT -j LOG --log-prefix "vpn_dropped: " --log-level 4
-A INPUT -j DROP

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.1.1/32 -j ACCEPT
-A FORWARD -s 10.3.0.0/24 -j ACCEPT
-A FORWARD -s 10.5.0.0/24 -j ACCEPT

-A FORWARD -j REJECT

COMMIT

These firewall rules allow IPsec connections (ESP plus IKE on UDP 500/4500) and connections to the proxy. Because the proxy is meant to be transparent for TLS as well, port 443 from the VPN subnets is intercepted in the mangle table exactly like port 80 and handed to a second listener on 3129; the filter table still sees those packets with their original destination ports and accepts them through the per-subnet rules. Two things to keep in mind: the TPROXY target only sets the mark, so the host additionally needs a policy-routing rule for fwmark 1 that points at a table with a local route (ip rule and ip route, which an iptables-save file cannot carry), and the separate INPUT accepts for tcp/22, 80 and 443 apply to every source, not only to VPN clients. A transparent TLS intercept on a non-rooted phone can only act on what it can see, i.e. the SNI, unless the proxy's CA has been installed on the device.
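To check which INPUT rules of the ruleset above can actually fire, here is a small first-match evaluator written for this page (an added example, not part of the original ruleset or of any iptables tooling). It encodes the INPUT chain rule by rule in the order listed, models only the matches that chain uses (-i, -s, -p, --dport/--dports and --ctstate) and treats LOG as non-terminating, as netfilter does. The sample packets are constructed, and the interface name eth0 is an assumption.

```python
"""First-match evaluator for the INPUT chain above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str                       # source IP of the packet
    proto: str = "tcp"
    dport: Optional[int] = None
    ctstate: str = "NEW"           # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    iface: str = "eth0"            # assumed name of the gateway's upstream interface


@dataclass
class Rule:
    target: str                               # ACCEPT, DROP, REJECT or LOG
    src: Optional[str] = None                 # -s network
    proto: Optional[str] = None               # -p
    dports: Optional[FrozenSet[int]] = None   # --dport / -m multiport --dports
    ctstates: FrozenSet[str] = frozenset()    # -m conntrack --ctstate
    iface: Optional[str] = None               # -i
    log_prefix: str = ""


TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match option set on the rule must hold for the packet."""
    if rule.iface is not None and pkt.iface != rule.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.ctstates and pkt.ctstate not in rule.ctstates:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int], List[str]]:
    """Walk the chain top-down. Returns (verdict, index of the deciding rule or
    None when the chain policy applied, log prefixes emitted on the way)."""
    logs: List[str] = []
    for i, rule in enumerate(chain):
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":          # LOG never terminates traversal
            logs.append(rule.log_prefix)
            continue
        return rule.target, i, logs
    return policy, None, logs


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` is already decided by `earlier`,
    i.e. each constraint of `earlier` is implied by the constraints of `later`."""
    if earlier.target not in TERMINATING:
        return False
    if earlier.iface is not None and earlier.iface != later.iface:
        return False
    if earlier.src is not None:
        if later.src is None or not ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src)):
            return False
    if earlier.proto is not None and earlier.proto != later.proto:
        return False
    if earlier.dports is not None and (later.dports is None or not later.dports <= earlier.dports):
        return False
    if earlier.ctstates and (not later.ctstates or not later.ctstates <= earlier.ctstates):
        return False
    return True


def dead_rules(chain: List[Rule]) -> Dict[int, int]:
    """Map the index of each unreachable rule to the earlier rule that shadows it."""
    found: Dict[int, int] = {}
    for i, rule in enumerate(chain):
        for j in range(i):
            if shadows(chain[j], rule):
                found[i] = j
                break
    return found


A, D, L = "ACCEPT", "DROP", "LOG"
# The INPUT chain from the ruleset above, in the same order (indices 0..19).
INPUT: List[Rule] = [
    Rule(A, iface="lo"),                                                                      # 0
    Rule(A, src="10.3.0.0/24"),                                                               # 1
    Rule(A, src="10.5.0.0/24"),                                                               # 2
    Rule(L, src="10.3.0.0/24", ctstates=frozenset({"INVALID"}), log_prefix="invalid_dropped: "),  # 3
    Rule(L, src="10.5.0.0/24", ctstates=frozenset({"INVALID"}), log_prefix="invalid_dropped: "),  # 4
    Rule(D, ctstates=frozenset({"INVALID"})),                                                 # 5
    Rule(A, ctstates=frozenset({"RELATED", "ESTABLISHED"})),                                  # 6
    Rule(L, proto="tcp", dports=frozenset({7547}), log_prefix="TR069_dropped: "),             # 7
    Rule(D, proto="tcp", dports=frozenset({7547})),                                           # 8
    Rule(A, proto="tcp", dports=frozenset({22})),                                             # 9
    Rule(A, proto="tcp", dports=frozenset({80})),                                             # 10
    Rule(A, proto="tcp", dports=frozenset({443})),                                            # 11
    Rule(A, proto="esp"),                                                                     # 12
    Rule(A, proto="udp", dports=frozenset({500, 4500})),                                      # 13
    Rule(A, src="192.168.0.1/32"),                                                            # 14
    Rule(A, src="192.168.26.16/32"),                                                          # 15
    Rule(A, src="10.1.1.1/32"),                                                               # 16
    Rule(L, src="10.3.0.0/24", log_prefix="vpn_dropped: "),                                   # 17
    Rule(L, src="10.5.0.0/24", log_prefix="vpn_dropped: "),                                   # 18
    Rule(D),                                                                                  # 19
]

if __name__ == "__main__":
    samples = [                                # constructed packets, not captured traffic
        Packet("10.3.0.7", dport=443),                       # VPN client to a TPROXY'd port
        Packet("10.3.0.7", dport=80, ctstate="INVALID"),     # INVALID from a VPN client
        Packet("203.0.113.5", dport=7547),                   # TR-069 probe from the internet
        Packet("203.0.113.5", dport=3128),                   # direct hit on the proxy port
    ]
    for pkt in samples:
        print(pkt.src, pkt.proto, pkt.dport, pkt.ctstate, "->", evaluate(INPUT, pkt))
    print("unreachable rules (index -> shadowed by):", dead_rules(INPUT))
```

Running it shows that an INVALID packet from 10.3.0.0/24 is accepted by rule 1 without ever reaching the "invalid_dropped" LOG, that a TR-069 probe is logged once and dropped, and that a direct connection to 3128 from outside is silently dropped by the final rule. The shadow check is deliberately conservative: it only reports a rule as dead when an earlier terminating rule is a strict superset on every match option, so it can miss unreachable rules but never reports a live one.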