Firewall setup

Bridged connection

This is the situation I use myself, so its description is more detailed. My network configuration is shown below:

            switch                       WiFi
            _______         _____
   ISP ----| VLAN1 |  eth0 |     | eth1  \|/ . . . . . . NTB1
           | ~~~~~ |-------| br0 |--------| . .
EDMini ----|       |       |_____|        |  . . . .
           |   V   |                          .     . . . NTB2
   PC1 ----|   L   |                           .
           |   A   |                            .
   PC2 ----|   N   |                             . Nokia N95
           |   0   |
   PC3 ----|_______|

I use a switch which is able to tag packets according to the incoming port. It is configured to distinguish between traffic from outside my network (ISP) and my home network traffic. All networks (vlan0, vlan1 and eth1) are bridged together, as my ISP provides enough IP addresses.

I consider my network secure, as the WiFi is protected by WPA2, and anyone able to tamper with the cable connection could just as easily take the computers themselves. Because some services I use don't support password protection, filtering is required. It can be done using ebtables. The command scheme is the following:
ebtables -I FORWARD -i __INCOMING_INTERFACE -p IPv4 --ip-protocol __PROTOCOL --ip-destination-port __PORT_NUMBER -j DROP
where
  • __INCOMING_INTERFACE is the interface where the ISP is connected - vlan1 in my case.
  • __PROTOCOL is the transport layer protocol - tcp, udp, sctp etc.
  • __PORT_NUMBER is the service port number
For example, I can filter NFSv4 with the following command:
ebtables -I FORWARD -i vlan1 -p IPv4 --ip-protocol tcp --ip-destination-port 2049 -j DROP

Routed connection

In the case of a routed connection, use iptables. The commands will look like this:
iptables -I FORWARD -i __INCOMING_INTERFACE -p __PROTOCOL --dport __PORT_NUMBER -j REJECT
where
  • __INCOMING_INTERFACE is the interface where the ISP is connected.
  • __PROTOCOL is the transport layer protocol - tcp, udp, sctp etc.
  • __PORT_NUMBER is the service port number

Filtering on EDMini

If you want to do the filtering on the EDMini itself, use the following command to reject all packets except those originating from __ALLOWED_IP:
iptables -I INPUT -i __INCOMING_INTERFACE -s ! __ALLOWED_IP -p __PROTOCOL --dport __PORT_NUMBER -j REJECT
where
  • __INCOMING_INTERFACE is the interface where the ISP is connected.
  • __ALLOWED_IP - packets from this IP will not be rejected
  • __PROTOCOL is the transport layer protocol - tcp, udp, sctp etc.
  • __PORT_NUMBER is the service port number

Service protocols and port numbers

  • NFSv4: TCP 2049
  • UPnP Media Server (mediatomb):
  • SSH server (dropbear): TCP 22
  • MLDonkey Web Interface: TCP 4080
  • MLDonkey GUI Interface: TCP 4001
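As an added example (not the author's own script and nothing shipped with the EDMini), the shell below generates the three rule forms from this page (bridged ebtables, routed iptables, and the EDMini INPUT rule) for the services listed above, so the rules can be reviewed before they are applied. The interface name vlan1, the allowed address 198.51.100.10 and the DRY_RUN switch are assumptions; mediatomb is left out because no port is given for it. One caveat: current iptables releases expect the negation in front of the option ("! -s __ALLOWED_IP"), while the "-s ! __ALLOWED_IP" form shown above is the older spelling, so the generator uses the newer one.

```shell
#!/bin/sh
# Added example: build the firewall rules described on this page from a
# service table. Interface, allowed IP and DRY_RUN are assumed values.

# Assumed: the ISP arrives on vlan1 (as in the bridged setup above).
ISP_IF="${ISP_IF:-vlan1}"
# Assumed: one trusted remote host for the EDMini INPUT rule (constructed
# documentation address, replace with your own).
ALLOWED_IP="${ALLOWED_IP:-198.51.100.10}"
# Print the rules instead of applying them unless DRY_RUN=0 is set.
DRY_RUN="${DRY_RUN:-1}"

# Service table taken from the page: "name proto port" per line.
# mediatomb is omitted because the page lists no port for it.
SERVICES="nfsv4 tcp 2049
dropbear tcp 22
mldonkey-web tcp 4080
mldonkey-gui tcp 4001"

# Bridged case: ebtables rule dropping frames from the ISP side to a port.
bridged_rule() {  # $1 = proto, $2 = port
    printf 'ebtables -I FORWARD -i %s -p IPv4 --ip-protocol %s --ip-destination-port %s -j DROP\n' \
        "$ISP_IF" "$1" "$2"
}

# Routed case: iptables FORWARD rule rejecting traffic from the ISP side.
routed_rule() {  # $1 = proto, $2 = port
    printf 'iptables -I FORWARD -i %s -p %s --dport %s -j REJECT\n' \
        "$ISP_IF" "$1" "$2"
}

# EDMini itself: reject on INPUT unless the source is ALLOWED_IP.
# Newer iptables wants "! -s ADDR" rather than the older "-s ! ADDR".
edmini_rule() {  # $1 = proto, $2 = port
    printf 'iptables -I INPUT -i %s ! -s %s -p %s --dport %s -j REJECT\n' \
        "$ISP_IF" "$ALLOWED_IP" "$1" "$2"
}

# Accept only a decimal port in 1..65535 before it reaches a firewall tool.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit (DRY_RUN=1) or apply (DRY_RUN=0, needs root) rules of one kind for
# every service in the table.  $1 = bridged | routed | edmini
emit_rules() {
    kind="$1"
    printf '%s\n' "$SERVICES" | while read -r name proto port; do
        [ -n "$name" ] || continue
        valid_port "$port" || { echo "skip $name: bad port '$port'" >&2; continue; }
        case "$kind" in
            bridged) rule=$(bridged_rule "$proto" "$port") ;;
            routed)  rule=$(routed_rule "$proto" "$port") ;;
            edmini)  rule=$(edmini_rule "$proto" "$port") ;;
            *) echo "unknown rule kind: $kind" >&2; return 1 ;;
        esac
        if [ "$DRY_RUN" = 1 ]; then
            echo "$rule"      # review the rule first
        else
            eval "$rule"      # rule text is built only from the table above
        fi
    done
}

# Number of rules one kind produces; a quick sanity check against the table.
rule_count() {
    emit_rules "$1" | wc -l | tr -d ' '
}

# Usage: ISP_IF=vlan1 sh firewall-rules.sh    (prints the routed rule set)
emit_rules routed
```

Run it once with the default DRY_RUN=1 and compare the printed lines against the command schemes above; only then set DRY_RUN=0 on the box that actually sits between the ISP and the LAN (or on the EDMini for the INPUT variant).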

-- PetrMalat - 29 Sep 2009