Static IP w/ PPPoe xDSL Firewall

Post by dust » Sun, 26 Sep 2004 13:43:08



I have recently had to switch to a static IP system that uses PPPoE.
This is a bit strange to me, but this is the way SBC seems to be doing
their static IPs. I am hoping someone can explain to me what PPPoE is
doing, as I am having issues getting my firewall to work (it was
working fine before I had to implement PPPoE). When I ping out from
the firewall box, I notice it uses the PPPoE IP address? But if I
change my firewall to use this IP, ping works, but not much else seems
to...

I would really appreciate some help with this issue, I don't really
understand firewalls all that well. I basically learn what I need to
every few years when I have an issue like this.

Thanks in advance.

-Dustin

Firewall
#!/bin/sh
#
# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# See how we were called.
case "$1" in
  start)
    echo -n "Starting Firewalling: "

# ------------------------------------------------------------------------
#  Some definitions for easy maintenance.
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

IPADDR="x.x.x.145"                          # Site1-primary.com
IPADDR_2="x.x.x.146"                        # Virtual_Site-eth0:0.com
IPADDR_3="x.x.x.147"                        # Virtual_Site-eth0:1.com
IPADDR_4="x.x.x.148"                        # Virtual_Site-eth0:2.com
EXTERNAL_INTERFACE="eth0"                   # Internet connected interface
GATEWAY_INTERFACE="ppp0"                    # Gateway connected interface
LOOPBACK_INTERFACE="lo"                     # Your local naming convention
LOCAL_INTERFACE="eth1"                      # Internal LAN network
WLOCAL_INTERFACE="eth2"                     # Internal WLAN network
INTRANET="192.168.100.1/24"                 # Private IP Addr Range (dhcp)
WINTRANET="192.168.0.1/24"                  # Private wireless IP Addr Range (dhcp)
PRIMARY_NAMESERVER="63.226.136.55"          # Your Primary NS
SECONDARY_NAMESERVER="64.169.140.6"         # Your Secondary NS
LOOPBACK="127.0.0.0/8"                      # Reserved loopback addr range
CLASS_A="10.0.0.0/8"                        # Class A private networks
CLASS_B="172.16.0.0/12"                     # Class B private networks
CLASS_C="192.168.0.0/16"                    # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"             # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5"          # Class E reserved addr
BROADCAST_SRC="0.0.0.0"                     # Broadcast source addr
BROADCAST_DEST="255.255.255.255"            # Broadcast destination addr
                                            # (255.255.255.248 is a netmask, not the
                                            # broadcast address, so the rule below never matched)
PRIVPORTS="0:1023"                          # Privileged port range
UNPRIVPORTS="1024:"                         # Unprivileged port range

# ------------------------------------------------------------------------

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"                # Port range for local clients
SSH_REMOTE_PORTS="513:65535"                # Port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

#-------------------------------------------------------------------------

# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
iptables -F
iptables -F -t nat

# Remove any existing user-defined chains.
iptables -X

# Set the default policy of the filter to deny.
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

# -------------------------------------------------------------------------

# LOOPBACK
# --------

# Unlimited traffic on the loopback interface.

iptables -A INPUT  -i $LOOPBACK_INTERFACE  -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE  -j ACCEPT

#--------------------------
# All internal machines have access to the firewall machine.

iptables -A INPUT -i $LOCAL_INTERFACE -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE -d $INTRANET -j ACCEPT

iptables -A INPUT -i $WLOCAL_INTERFACE -s $WINTRANET -j ACCEPT
iptables -A OUTPUT -o $WLOCAL_INTERFACE -d $WINTRANET -j ACCEPT

#--------------------------------------------------------------------------
# STATEFUL PART!

# Kill malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

# Kill malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# Block faked, or "spoofed" packets from getting through the firewall.
# (negation goes before the option: "! -s"; the old "-s !" form is rejected by current iptables)
iptables -A FORWARD -i $LOCAL_INTERFACE ! -s $INTRANET -j DROP
iptables -A FORWARD -i $WLOCAL_INTERFACE ! -s $WINTRANET -j DROP

# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
        -i $LOCAL_INTERFACE -s $INTRANET -j ACCEPT

iptables -A FORWARD -m state --state NEW,ESTABLISHED \
        -i $WLOCAL_INTERFACE -s $WINTRANET -j ACCEPT

# Allow the packets associated with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
        -i $GATEWAY_INTERFACE ! -s $INTRANET -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
        -i $GATEWAY_INTERFACE ! -s $WINTRANET -j ACCEPT

# All internal traffic is masqueraded externally.
iptables -A POSTROUTING -t nat -o $GATEWAY_INTERFACE -j MASQUERADE

#---------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
iptables -A INPUT -s $IPADDR -j DROP

# ------------------------------------------------
# Refuse incoming packets claiming to be from a Class A, B or C
# private network
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
# Left disabled: $INTRANET and $WINTRANET are themselves 192.168.x networks.
###INTRANET# iptables -A INPUT -s $CLASS_C -j DROP

# Refuse broadcast address SOURCE packets
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

# Refuse Class E reserved IP  addresses
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

# Refuse special addresses defined as reserved by the IANA.
# Note:  The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at http://www.iana.org/ for the latest status.

# Note:  this list includes the loopback, multicast, & reserved addresses.

# 0.*.*.*                   - Can't be blocked for DHCP users.
# 127.*.*.*                 - LoopBack
# 169.254.*.*               - Link Local Networks
# 192.0.2.*                 - TEST-NET
# 224-255.*.*.*             - Classes D & E, plus unallocated.

iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP

# ---------------------------------------------------------------------

# UDP TRACEROUTE
# --------------
#  Traceroute usually uses -S 32769:65535 -D 33434:33523

iptables -A INPUT  -i $GATEWAY_INTERFACE -p udp  \
         --source-port $TRACEROUTE_SRC_PORTS \
         -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

iptables -A OUTPUT -o $GATEWAY_INTERFACE -p udp  \
         -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
         --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

# ------------------------------------------------------------------------
# DNS: full server (53)
# ---------------------

# server/client to server query or response

iptables -A INPUT  -i $GATEWAY_INTERFACE -p udp  \
         --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 53 -j ACCEPT

iptables -A OUTPUT -o $GATEWAY_INTERFACE -p udp  \
         -s $IPADDR --source-port 53 \
         --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A INPUT  -i $GATEWAY_INTERFACE -p udp  \
         --source-port 53 \
         -d $IPADDR --destination-port 53 -j ACCEPT

iptables -A OUTPUT -o $GATEWAY_INTERFACE -p udp  \
         -s $IPADDR --source-port 53 \
             --destination-port 53 -j ACCEPT

# DNS client (53)
# ---------------

iptables -A INPUT  -i $GATEWAY_INTERFACE -p udp  \
         --source-port 53 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $GATEWAY_INTERFACE -p udp  \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 53 -j ACCEPT

iptables -A INPUT  -i $GATEWAY_INTERFACE -p tcp ! --syn \
         --source-port 53 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $GATEWAY_INTERFACE -p tcp  \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 53 -j ACCEPT

# DNS Zone Transfers (53)
# -----------------------

iptables -A INPUT  -i $GATEWAY_INTERFACE -p tcp  \
         -s $SECONDARY_NAMESERVER --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 53 -j ACCEPT

iptables -A OUTPUT -o $GATEWAY_INTERFACE -p tcp  \
         -s $IPADDR --source-port 53 \
         -d $SECONDARY_NAMESERVER --destination-port $UNPRIVPORTS -j ACCEPT

# ---------------------------------------------------------------

# SSH server (22)
# ---------------

iptables -A INPUT  -i $GATEWAY_INTERFACE -p tcp  \
         --source-port $SSH_REMOTE_PORTS \
         -d
...


 
 
 

Static IP w/ PPPoe xDSL Firewall

Post by David Efflan » Mon, 27 Sep 2004 00:14:09



> I have recently had to switch to a static IP system that uses PPPoE.
> This is a bit strange to me, but this is the way SBC seems to be doing
> their static IPs. I am hoping someone can explain to me what PPPoE is
> doing, as I am having issues getting my firewall to work (it was
> working fine before I had to implement PPPoE). When I ping out from
> the firewall box, I notice it uses the PPPoE IP address? But if I
> change my firewall to use this IP, ping works, but not much else seems
> to...

What modem (or modem/router) do you have?  I would think that SBC
installed hardware (tech visit) would handle the PPPoE, and you would just
be using ethernet for your public IPs on its switch ports.  But if you had
the self-install kit and/or converted from dynamic to static, then it is
up to you to handle the PPPoE and routing.  If you have a 5100b modem, it
would need to be configured to let the PC do PPPoE.

Routing/firewalling PPPoE is just like dialup, since it uses pppd.  So any
docs that describe how to configure a firewall or routing for dialup would
apply to your ppp0 interface.  Any private IPs going out ppp0 need to be
masqueraded.  The only difference is that your /29 block is routed in
through ppp0, so if you want to use your other public static IPs, your
firewall has to let them in, and let them out without masquerading
(unless doing single NAT for each to an internal private IP).

One potential problem is if pppd is not connected yet when your firewall
script runs, which could make it block.  So you should run or refresh the
firewall from /etc/ppp/ip-up (or ip-up.local), which runs whenever pppd
actually connects (even in demand mode).

I have been using Linux as pppoe/firewall/router for SBC dynamic PPPoE for
years, but SuSE makes the firewalling too easy by just setting variables.

Get your PPPoE working with its primary and masquerading, then you can play
with getting your other statics working.  A good source for help is the
SBC related or Unix forums on http://www.broadbandreports.com/ alias
http://www.dslreports.com/

 
 
 

Static IP w/ PPPoe xDSL Firewall

Post by Clifford Kit » Mon, 27 Sep 2004 03:23:01



> I have recently had to switch to a static IP system that uses PPPoE.
> This is a bit strange to me, but this is the way SBC seems to be doing
> their static IPs. I am hoping someone can explain to me what PPPoE is
> doing, as I am having issues getting my firewall to work (it was
> working fine before I had to implement PPPoE). When I ping out from
> the firewall box, I notice it uses the PPPoE IP address? But if I
> change my firewall to use this IP, ping works, but not much else seems
> to...

The description is a bit vague but there might be a PMTU Discovery
problem.

PPPoE encapsulates PPP frames in Ethernet frames of a special type
which are then sent to the outgoing Ethernet interface.  A PPPoE
Ethernet frame, aka PPPoE session frame, has an additional 8 bytes in
its header so the PPPoE Ethernet interface MTU is reduced, usually
by 8 bytes to 1492 since an Ethernet interface MTU is usually 1500.

The hosts behind the PPPoE host firewall must have their Ethernet
interface MTU reduced to 1492 also, or the MTU for the LAN hosts
effectively reduced by "clamping" the MSS during TCP SYN negotiation
to 1492, in order to facilitate PMTU Discovery.

MSS can be clamped by rp-pppoe, if that is used, or with an iptables
rule such as

        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

(straight out of man iptables).

I'm not familiar enough to say with conviction where to put this rule,
but my *guess* would be just before

iptables -A POSTROUTING -t nat -o $GATEWAY_INTERFACE -j MASQUERADE

in your firewall script would be okay.

--

PPP-Q&A links, downloads:                      http://ckite.no-ip.net/
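As an added example (not code from this thread, and not the kernel's own TCPMSS target), the Python below makes the two points of the post above concrete. `pppoe_session_frame` builds the RFC 2516 session encapsulation, a 6-byte PPPoE header plus the 2-byte PPP protocol field, which is exactly the 8 bytes that take the link MTU from 1500 to 1492. `clamp_mss_to_pmtu` then does in user space what `--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` does in the FORWARD chain: on a segment with SYN set and RST clear it walks the TCP option list, lowers the advertised MSS to the path MTU minus 40 bytes of IPv4 and TCP headers, and recomputes the TCP checksum so the rewritten SYN is still valid. The addresses, ports and the sample SYN are constructed for the demonstration, and every function name is mine.

```python
import socket
import struct

# Ethernet payload budget and the two PPPoE session-frame fields that eat into it
ETH_MTU = 1500
PPPOE_SESSION_HDR = 6      # ver/type (1), code (1), session id (2), payload length (2)
PPP_PROTOCOL_FIELD = 2     # PPP protocol number, 0x0021 for IPv4
PPPOE_MTU = ETH_MTU - PPPOE_SESSION_HDR - PPP_PROTOCOL_FIELD   # 1492
IPV4_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header; MSS excludes both

TCP_SYN, TCP_RST = 0x02, 0x04


def pppoe_session_frame(session_id, ipv4_packet):
    """Wrap an IPv4 packet as the payload of a PPPoE session frame (RFC 2516).
    The caller would prepend an Ethernet header carrying EtherType 0x8864."""
    ppp = struct.pack("!H", 0x0021) + ipv4_packet                  # PPP protocol: IPv4
    hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))  # ver=1, type=1, code=0 (session data)
    return hdr + ppp


def pppoe_overhead():
    """Bytes PPPoE adds per packet, i.e. why the link MTU drops from 1500 to 1492."""
    return len(pppoe_session_frame(0x0001, b""))


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment. Call it with the
    checksum field zeroed to compute one; over a correctly checksummed segment it returns 0."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, sport, dport, mss, flags=TCP_SYN):
    """Constructed sample segment: NOP, window scale, then the MSS option (kind 2, length 4)."""
    options = b"\x01" + struct.pack("!BBB", 3, 3, 7) + struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4                        # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                         data_offset << 4, flags, 65535, 0, 0)   # checksum field left at 0
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def _mss_option_offset(segment):
    """Walk the TCP option list; return the offset of the MSS option, or None."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= end:                   # truncated option: stop rather than read past the header
            break
        length = segment[i + 1]
        if length < 2:                     # malformed length would loop forever
            break
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def tcp_mss(segment):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]


def clamp_mss_to_pmtu(src_ip, dst_ip, segment, pmtu=PPPOE_MTU):
    """User-space twin of '--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu':
    only SYNs without RST are touched, and only if the advertised MSS exceeds pmtu - 40."""
    flags = segment[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return segment
    off = _mss_option_offset(segment)
    if off is None:
        return segment
    limit = pmtu - IPV4_TCP_HEADERS
    if struct.unpack("!H", segment[off + 2:off + 4])[0] <= limit:
        return segment
    seg = bytearray(segment)
    seg[off + 2:off + 4] = struct.pack("!H", limit)
    seg[16:18] = b"\x00\x00"                                      # zero, then recompute the checksum
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    lan_host, remote = "192.168.100.10", "203.0.113.5"            # constructed addresses
    syn = build_syn(lan_host, remote, 40000, 80, 1460)            # what a 1500-MTU LAN host advertises
    clamped = clamp_mss_to_pmtu(lan_host, remote, syn)
    print("PPPoE overhead: %d bytes, link MTU %d" % (pppoe_overhead(), PPPOE_MTU))
    print("MSS %d -> %d, checksum valid: %s"
          % (tcp_mss(syn), tcp_mss(clamped), checksum_ok(lan_host, remote, clamped)))
```

The numbers are the whole story: a LAN host with a 1500-byte MTU advertises MSS 1460, the far end then sends 1500-byte segments, and those cannot cross a 1492-byte ppp0 without fragmentation. Normally the router's ICMP "fragmentation needed" tells the peer to shrink; a firewall that drops that ICMP leaves the peer retransmitting full-size segments forever, which is the "ping works, nothing else does" symptom. Clamping the SYN to 1452 sidesteps the discovery entirely, and because a SYN carries no data the rewrite cannot corrupt a payload; the checksum must be recomputed or the peer silently discards the SYN, which is why the example does it.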

 
 
 

Static IP w/ PPPoe xDSL Firewall

Post by dust » Tue, 28 Sep 2004 12:29:53


Thank you, adding the:
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

to the firewall worked! I forgot to mention that everything worked well
(i.e. the PPPoE connection...) when the firewall was not dropping
everything.

I appreciate your help.
-Dustin



> > I have recently had to switch to a static IP system that uses PPPoE.
> > This is a bit strange to me, but this is the way SBC seems to be doing
> > their static IPs. I am hoping someone can explain to me what PPPoE is
> > doing, as I am having issues getting my firewall to work (it was
> > working fine before I had to implement PPPoE). When I ping out from
> > the firewall box, I notice it uses the PPPoE IP address? But if I
> > change my firewall to use this IP, ping works, but not much else seems
> > to...

> The description is a bit vague but there might be a PMTU Discovery
> problem.

> PPPoE encapsulates PPP frames in Ethernet frames of a special type
> which are then sent to the outgoing Ethernet interface.  A PPPoE
> Ethernet frame, aka PPPoE session frame, has an additional 8 bytes in
> its header so the PPPoE Ethernet interface MTU is reduced, usually
> by 8 bytes to 1492 since an Ethernet interface MTU is usually 1500.

> The hosts behind the PPPoE host firewall must have their Ethernet
> interface MTU reduced to 1492 also, or the MTU for the LAN hosts
> effectively reduced by "clamping" the MSS during TCP SYN negotiation
> to 1492, in order to facilitate PMTU Discovery.

> MSS can be clamped by rp-pppoe, if that is used, or with an iptables
> rule such as

>         iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>                     -j TCPMSS --clamp-mss-to-pmtu

> (straight out of man iptables).

> I'm not familiar enough to say with conviction where to put this rule,
> but my *guess* would be just before

> iptables -A POSTROUTING -t nat -o $GATEWAY_INTERFACE -j MASQUERADE

> in your firewall script would be okay.