Jump to content

eth1 incoming while eth0 is meant for outbound traffic


dolphs

Recommended Posts

Hi,

 

 

Idea is to run a wireguard server having two ethernet devices, therefore

added an USB3 adapter "ASIX AX88179" to my rockpi4a. 
I like to allow incoming traffic, incl SSH, on "eth1". Instead, outgoing, on eth0 ( RTL8211E ) 

 

 

I wrote following ( preps, nmcli, iptables ) up - but perhaps there is an easier approach and I am sure I am missing other (routing) stuff, for sure the forwarding part.

Anyway perhaps there is one to guide me a bit, TiA!

 

 

1/ preparations

 

apt update && apt -y upgrade && apt -y install firmware-realtek


 

nano /boot/armbianEnv.txt
# add extraargs=net.ifnames=0 

 

reboot

 

 

2/ nmcli stuff

 

nmcli c mod "Wired connection 2" connection.id realtek
nmcli c mod "Wired connection 1" connection.id asix

nmcli c mod asix ipv6.method ignore
nmcli c mod realtek ipv6.method ignore

nmcli c mod asix ipv4.never-default true


nmcli c up asix
nmcli c up realtek

 

 

3/ iptables "hardening"

# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies to DROP all both eth0 and eth1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow SSH on eth1
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 4. Allow incoming Wireguard on eth1
iptables -A INPUT -i eth1 -p udp --dport 51820 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --sport 51820 -m state --state ESTABLISHED -j ACCEPT
FORWARD? ( wg0 )

# 5. Allow outbound Wireguard on eth0
iptables -A OUTPUT -o eth0 -p udp --dport 51820 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 51820 -m state --state ESTABLISHED -j ACCEPT
FORWARD? ( wg0 )

# 6. Allow outbound http(s) on eth0 ( eg updates )
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# iperf3 excluded for now

# 7. Accept all traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

 


 

Link to comment
Share on other sites

I am not sure to understand what your problem is ?

 

I am interested because I use a board for (complex) firewalling with ethernet (for LAN) and direct usb connection to my box, need to upgrade (understand redo all), and of course had been confronted to the problem.

 

I have forgotten everything about the question but I remember having to face the problem of eth0, eth1 discrimination. Of course, in case of a firewall you don't want to leave configuration choice to hazard, or obscure hidden rules !

 

A quick look at my configuration scripts tell me that I resolved the problem by blacklisting cdc_ether and do modprobe manually after startup (so it become eth1) and then do iptable config.

 

My config is totally scripted of course : I doubt an auto-dynamic-guimanaged-meta configuration is suited for special cases.

Link to comment
Share on other sites

cheers for your response.

 

eth0, eth1 solved by " extraargs=net.ifnames=0  " as @Igor pointed out in this topic

I cut down iptables script to the basics as shown below ,

allowing SSH on eth1 only and outbound traffic goes over eth0.

 

#!/bin/sh

# Delete all existing iptables rules
iptables -F

# Set default chain policies to DROP all
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow SSH on eth1
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow all outbound traffic eth0
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

 

 

Next part would be to update routing accordingly so outbound won't check for eth1 and go straight to eth0, etc etc

 

 

Link to comment
Share on other sites

This thread is quite old. Please consider starting a new thread rather than reviving this one.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...

Important Information

Terms of Use - Privacy Policy - Guidelines