Adding iptables Rules

[These modifications only apply to Smoothwall Express 2.0, as GPL 1.0 uses ipchains.]

This page describes how to add additional firewall rules to the Smoothwall Express 2.0
firewall script.

For information on making similar changes to a Smoothwall GPL 1.0 box (using ipchains),
refer to Hilton's Smoothwall GPL 1.0 web site.

Requirements:
You'll need:

• A Smoothwall Express 2.0 installation (obviously...).

• A way of getting a command-line prompt on your Smoothwall box (either by logging
directly onto your Smoothwall box, using a SSH client such as PuTTY or SSH Secure
Shell, or via the Smoothwall web interface).

Editing the Firewall Script:

Smoothwall's iptables firewall configuration is stored in /etc/rc.d/rc.firewall.up, so to
make changes to the firewall, you'll need to edit this script.

Note that you can use various aliases in the firewall script to reference the red and green
network interfaces (ie, $RED_DEV, $GREEN_DEV), ip addresses (ie, $GREEN_ADDRESS), network
addresses (ie, $GREEN_NETADDRESS), and subnets (ie, $GREEN_NETMASK).
These aliases are defined in /var/smoothwall/ethernet/settings and this file should not
be edited, as it's generated by Smoothwall's setup program.

Note that if your red interface is a modem, ISDN, or using PPPoE or PPPoA, you can't use the
$RED_DEV alias, but need to specify the actual interface name, for example, ppp0.

As with any modifications to your Smoothwall, make a backup copy of this file before making
any changes to it, so you can easily revert back to a known working version.

Applying Your Changes:

Any changes you make to the firewall script will not take effect immediately.

After making changes to the firewall script, you can either reboot your Smoothwall, or run
the following from a command line:

/etc/rc.d/rc.netaddress.down; /etc/rc.d/rc.netaddress.up

This will re-apply the firewall (as well as restart Snort, any VPNs, etc), and your
modifications to the firewall script should be taking effect.

If you see any iptables errors immediately after the line

Setting up firewall

then you've probably made a typo or other mistake in the firewall script, and you'll have to
make the appropriate corrections.

Note that you need execute this as a single line if you're accessing your Smoothwall via SSH
- otherwise your SSH connection will be terminated, and you won't be able to re-establish it
without logging onto Smoothwall's console to run the up script!

Also note that if you are using Smoothwall's web proxy in transparent mode, and use the
rc.netaddress.down/up scripts to restart the firewall without rebooting, the appropriate
iptables rules to redirect web traffic through the proxy will not be loaded.
Operation of your transparent proxy can be restored by running the following from a
command prompt:

/usr/local/bin/restartsquid

Stop Logging Blaster Hits:

This will stop your firewall logs from filling up with hits on TCP port 135 from the Blaster
worm.
Note that Smoothwall will still block all incoming traffic on port 135 - it's just not logging the
hits anymore.

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# drop hits from Blaster worm

/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

Stop Logging Netbios Hits:

This will stop your firewall logs from filling up with hits on UDP port 137.
Note that Smoothwall will still block all incoming traffic on port 137 - it's just not logging the
hits anymore.

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# drop netbios traffic

/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 137 -s 0/0 -j DROP

Stop Logging Hits from the Sasser/etc Worms:

This will stop your firewall logs from filling up with hits on TCP port 445 from the Sasser
worm and its numerous variants.
Note that Smoothwall will still block all incoming traffic on port 445 - it's just not logging the
hits anymore.

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# drop hits from Sasser and other worms

/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 445 -s 0/0 -j DROP

Block Outbound Traffic From Specific PCs:

If you want to prevent one or more specific PCs on your green network from accessing the
internet, edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# block all outgoing traffic from this PC

/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j DROP
To block specific traffic from a PC on your green network (ie, web traffic on port 80), use

# block all outgoing web traffic from this PC

/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 192.168.0.3 --dport
80 -j DROP

Note that blocking outbound traffic in this way won't have any effect if you have
Smoothwall's web proxy enabled, and the user configures their browser to use the proxy. To
block this traffic too, you'll either need to block incoming traffic from that user on port 800
(the web proxy port), or implement an ACL in Squid.

You can also block traffic based on the source MAC address:

# block all outgoing traffic from this PC

/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -m mac --mac-source
XX:XX:XX:XX:XX:XX -j DROP

Only Allow Outbound Traffic From Specific PCs:

If you want to block all outbound traffic from your green network, and only allow one or
more specific PCs to access the intenet, edit /etc/rc.d/rc.firewall.up and immediately
after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# allow outgoing traffic from these PCs

/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j
ACCEPT
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.4 -j
ACCEPT
# block all other outgoing traffic
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 0/0 -j DROP

Note that blocking outbound traffic in this way won't have any effect if you have
Smoothwall's web proxy enabled, and the user configures their browser to use the proxy. To
block this traffic too, you'll either need to block incoming traffic from that user on port 800
(the web proxy port), or implement an ACL in Squid.

Block Unauthorised Outbound Mail Traffic

If you only want to allow outbound SMTP mail traffic to a specific mail server (ie, your ISP's
mail server), and block all other outbound SMTP traffic, you need to add some firewall rules
to allow the SMTP traffic to the specified mail server, followed by a rule to block all other
SMTP traffic.

This will allow you to prevent anyone behind your Smoothwall from sending email using any
mail servers which you don't want them to use, as well as blocking any outbound email from
a virus/worm which may have infected one of the PCs on your green network.

To do so, edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# allow outgoing SMTP traffic to specific mail server

/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -d w.x.y.z --dport 25
-j ACCEPT
# block all other outgoing SMTP traffic
 /sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -d 0/0 --dport 25 -j
DROP

and replace w.x.y.z with the IP address of the mail server you want to allow.

If you want to allow outbound SMTP to multiple mail servers, just add multiple rules before
the blocking rule, one for each mail server.

Alternatively, if you have a mail server on your green or orange network, and only want to
allow outbound SMTP from it, and block outbound SMTP from all other PCs on your green
and orange networks, use the following:

# block all outbound SMTP except from specified IP address

/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s ! 192.168.0.2 --
dport 25 -j DROP
/sbin/iptables -A FORWARD -p TCP -i $ORANGE_DEV -s ! 192.168.0.2 --
dport 25 -j DROP

This rule will block all outbound SMTP traffic from all PCs behind your Smoothwall, except
192.168.0.2.

Note:
Note that some of the Smoothwall fixes may overwrite rc.firewall.up with a newer
version, so if you install a new fix, it may overwrite your changes, so always keep a backup
copy of your rc.firewall.up before patching your Smoothie, so you can reapply the
changes to the new rc.firewall.up.

Similarly, when doing a fresh installation of Smoothwall, only make these changes once
you've fully patched the installation.