dolphs Posted February 6, 2021

Hi,

The idea is to run a WireGuard server with two ethernet devices, so I added a USB3 adapter "ASIX AX88179" to my rockpi4a. I'd like to allow incoming traffic, incl. SSH, on "eth1" only; outgoing traffic, instead, should go over eth0 (RTL8211E). I wrote the following up (preps, nmcli, iptables), but perhaps there is an easier approach, and I am sure I am missing other (routing) stuff, for sure the forwarding part. Anyway, perhaps there is someone to guide me a bit, TiA!

1/ preparations

apt update && apt -y upgrade && apt -y install firmware-realtek
nano /boot/armbianEnv.txt
# add extraargs=net.ifnames=0
reboot

2/ nmcli stuff

nmcli c mod "Wired connection 2" connection.id realtek
nmcli c mod "Wired connection 1" connection.id asix
nmcli c mod asix ipv6.method ignore
nmcli c mod realtek ipv6.method ignore
nmcli c mod asix ipv4.never-default true
nmcli c up asix
nmcli c up realtek

3/ iptables "hardening"

#!/bin/sh
# 1. Delete all existing rules
iptables -F
# 2. Set default chain policies to DROP, on both eth0 and eth1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Allow SSH on eth1: inbound sessions to port 22 plus their replies,
#    and outbound SSH from this host over eth1 plus its replies
iptables -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# 4. Allow incoming WireGuard on eth1 (peers talk to our listen port 51820)
iptables -A INPUT -i eth1 -p udp --dport 51820 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --sport 51820 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# FORWARD? ( wg0 )
# 5. Allow outbound WireGuard on eth0 (this host initiating to a remote peer's port 51820)
iptables -A OUTPUT -o eth0 -p udp --dport 51820 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 51820 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# FORWARD? ( wg0 )
# 6. Allow outbound http(s) on eth0 (eg updates). The connection is initiated
#    locally, so the first packet is NEW with destination port 80/443; the
#    replies come back on eth0 with source port 80/443 and must be let in.
#    DNS is needed as well, otherwise apt cannot resolve the mirrors.
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# iperf3 excluded for now
# 7. Accept all traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
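The part the post leaves open as "FORWARD? ( wg0 )" is what turns the box from a host that merely accepts WireGuard handshakes into a VPN gateway: peers' packets arrive on wg0, have to be forwarded out of eth0, source-NATed, and their replies let back in. The script below is an added example, not code from this thread. It assumes eth1 is the side that accepts SSH and WireGuard, eth0 the uplink, wg0 the tunnel interface, 10.8.0.0/24 the tunnel subnet and 51820 the port; only the interface names and the port come from the post, the rest is illustrative and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete stateful ruleset for the
# two-NIC WireGuard server described in the post, including the FORWARD and NAT
# part marked "FORWARD? (wg0)". Interface names, tunnel subnet and port are
# assumptions; override them through the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"         # assumed: uplink, outbound connections only
MGMT_IF="${MGMT_IF:-eth1}"       # assumed: accepts SSH and WireGuard handshakes
WG_IF="${WG_IF:-wg0}"            # assumed: WireGuard tunnel interface
WG_PORT="${WG_PORT:-51820}"      # assumed: WireGuard listen port
WG_NET="${WG_NET:-10.8.0.0/24}"  # assumed: addresses handed to tunnel peers

# Emit the ruleset as shell commands. One ESTABLISHED,RELATED rule per chain
# replaces the paired --sport/--dport rules of the post: each service then needs
# a single NEW rule, and reply traffic for every accepted flow is covered.
wg_firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $MGMT_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $MGMT_IF -p udp --dport $WG_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport $WG_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $WAN_IF -s $WG_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE
EOF
}

case "${1:-print}" in
    apply) wg_firewall_rules | sh -eu ;;   # needs root; stops at the first failing rule
    *)     wg_firewall_rules ;;            # dry run: print what would be applied
esac
```

Run it with `apply` as root to install the rules; without arguments it only prints them, which is the safer thing to do first on a box you reach over SSH. A peer's packet enters on wg0 with a 10.8.0.0/24 source, is accepted by the FORWARD rule, leaves eth0 with the board's address after MASQUERADE, and the reply is matched by the ESTABLISHED,RELATED rule in FORWARD and un-NATed by conntrack. Port 53 is included because the post's "eg updates" rule cannot resolve mirror names without it. The WireGuard INPUT rule deliberately has no state match: WireGuard authenticates its own handshakes, and a peer roaming to a new address must be able to start a fresh UDP flow.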
arox Posted February 6, 2021

I am not sure I understand what your problem is? I am interested because I use a board for (complex) firewalling with ethernet (for LAN) and a direct USB connection to my box, need to upgrade (understand: redo it all), and of course have been confronted with the problem. I have forgotten everything about the question, but I remember having to face the problem of eth0/eth1 discrimination. Of course, in the case of a firewall you don't want to leave configuration choices to chance, or to obscure hidden rules! A quick look at my configuration scripts tells me that I resolved the problem by blacklisting cdc_ether and doing modprobe manually after startup (so it becomes eth1) and then doing the iptables config. My config is totally scripted of course: I doubt an auto-dynamic-GUI-managed-meta configuration is suited for special cases.
dolphs Posted February 7, 2021 Author

Cheers for your response. eth0/eth1 solved by "extraargs=net.ifnames=0", as @Igor pointed out in this topic. I cut the iptables script down to the basics as shown below, allowing SSH on eth1 only, while outbound traffic goes over eth0.

#!/bin/sh
# Delete all existing iptables rules
iptables -F
# Set default chain policies to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Accept all traffic on the loopback interface (local services break under an OUTPUT DROP policy without this)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow SSH on eth1: inbound sessions to port 22 and their replies ...
iptables -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# ... and outbound SSH from this host over eth1 plus its replies
iptables -A OUTPUT -o eth1 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow all outbound traffic on eth0, and only the replies to it back in
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Next part would be to update the routing accordingly so outbound won't check eth1 and goes straight to eth0, etc etc.
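The routing step mentioned at the end of this post is the part most likely to bite. With ipv4.never-default on the asix connection, the only default route is on eth0, so the reply to an SSH session that arrived on eth1 from outside eth1's own subnet is routed out of eth0 (carrying eth1's source address) and never matches the OUTPUT -o eth1 rules. The fix is source-based policy routing: packets sourced from eth1's address get their own routing table whose default route goes through eth1. The script below is an added example, not code from this thread; the addresses (192.168.2.10/24 on eth1, gateway 192.168.2.1) and the table number 100 are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing so that
# flows accepted on eth1 (SSH, WireGuard) are answered through eth1 although the
# only default route lives on eth0. Every address and the table number are assumed.
set -eu

MGMT_IF="${MGMT_IF:-eth1}"
MGMT_ADDR="${MGMT_ADDR:-192.168.2.10}"    # assumed: address NetworkManager gave eth1
MGMT_NET="${MGMT_NET:-192.168.2.0/24}"    # assumed: eth1's subnet
MGMT_GW="${MGMT_GW:-192.168.2.1}"         # assumed: router on eth1's subnet
MGMT_TABLE="${MGMT_TABLE:-100}"           # assumed: unused routing table number

# Emit the ip(8) and sysctl commands. Packets whose source is eth1's address are
# looked up in a private table that only knows eth1's subnet and a default route
# through eth1's gateway, so locally generated replies can never leave via eth0.
# The rule is deleted before it is re-added, which keeps the script idempotent.
policy_route_cmds() {
    cat <<EOF
ip route replace $MGMT_NET dev $MGMT_IF src $MGMT_ADDR table $MGMT_TABLE
ip route replace default via $MGMT_GW dev $MGMT_IF table $MGMT_TABLE
ip rule del from $MGMT_ADDR table $MGMT_TABLE priority $MGMT_TABLE 2>/dev/null || true
ip rule add from $MGMT_ADDR table $MGMT_TABLE priority $MGMT_TABLE
sysctl -w net.ipv4.conf.$MGMT_IF.rp_filter=2
EOF
}

case "${1:-print}" in
    apply) policy_route_cmds | sh -eu ;;   # needs root
    *)     policy_route_cmds ;;            # dry run: print what would be applied
esac
```

After `apply`, `ip route get <client address> from 192.168.2.10` should report `dev eth1`, which is the check worth doing before closing the console session. rp_filter is set to loose mode (2) on eth1 rather than strict (1): strict mode drops an incoming packet whose best route back to its source is not eth1, which is exactly the situation for an SSH client beyond eth1's subnet whenever the policy rule is missing (for example after NetworkManager re-creates the connection). Recent NetworkManager versions (1.20 and newer) can carry the equivalent in the profile itself via ipv4.route-table and ipv4.routing-rules on the asix connection, which survives reconnects better than a one-shot script.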