Adding iptables Rules

[These modifications only apply to Smoothwall Express 2.0, as GPL 1.0 uses ipchains.]

This page describes how to add additional firewall rules to the Smoothwall Express 2.0 firewall script.

For information on making similar changes to a Smoothwall GPL 1.0 box (using ipchains), refer to Hilton's web site.

Requirements:
You'll need:

A Smoothwall Express 2.0 installation (obviously...).
A way of getting a command-line prompt on your Smoothwall box (either by logging directly onto your Smoothwall box, using a SSH client such as PuTTY or SSH Secure Shell, or via the Smoothwall web interface).
Editing the Firewall Script:
Smoothwall's iptables firewall configuration is stored in /etc/rc.d/rc.firewall.up, so to make changes to the firewall, you'll need to edit this script.

Note that you can use various aliases in the firewall script to reference the red and green network interfaces (ie, $RED_DEV, $GREEN_DEV), ip addresses (ie, $GREEN_ADDRESS), network addresses (ie, $GREEN_NETADDRESS), and subnets (ie, $GREEN_NETMASK).
These aliases are defined in /var/smoothwall/ethernet/settings and this file should not be edited, as it's generated by Smoothwall's setup program.

Note that if your red interface is a modem, ISDN, or using PPPoE or PPPoA, you can't use the $RED_DEV alias, but need to specify the actual interface name, for example, ppp0.

As with any modifications to your Smoothwall, make a backup copy of this file before making any changes to it, so you can easily revert back to a known working version.

Applying Your Changes:
Any changes you make to the firewall script will not take effect immediately.

After making changes to the firewall script, you can either reboot your Smoothwall, or run the following from a command line:

/etc/rc.d/rc.netaddress.down; /etc/rc.d/rc.netaddress.up

This will re-apply the firewall (as well as restart Snort, any VPNs, etc), and your modifications to the firewall script should be taking effect.

If you see any iptables errors immediately after the line

Setting up firewall

then you've probably made a typo or other mistake in the firewall script, and you'll have to make the appropriate corrections.

Note that you need execute this as a single line if you're accessing your Smoothwall via SSH - otherwise your SSH connection will be terminated, and you won't be able to re-establish it without logging onto Smoothwall's console to run the up script!

Stop Logging Blaster Hits:
This will stop your firewall logs from filling up with hits on TCP port 135 from the Blaster worm.
Note that Smoothwall will still block all incoming traffic on port 135 - it's just not logging the hits anymore.

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# drop hits from Blaster worm
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

Stop Logging Netbios Hits:
This will stop your firewall logs from filling up with hits on UDP port 137.
Note that Smoothwall will still block all incoming traffic on port 137 - it's just not logging the hits anymore.

Edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# drop netbios traffic
/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 137 -s 0/0 -j DROP

Block Outbound Traffic From Specific PCs:
If you want to prevent one or more specific PCs on your green network from accessing the internet, edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# block all outgoing traffic from this PC
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j DROP

To block specific traffic from a PC on your green network (ie, web traffic on port 80), use

# block all outgoing web traffic from this PC
/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 192.168.0.3 --dport 80 -j DROP

Note that blocking outbound traffic in this way won't have any effect if you have Smoothwall's web proxy enabled, and the user configures their browser to use the proxy. To block this traffic too, you'll either need to block incoming traffic from that user on port 800 (the web proxy port), or implement an ACL in Squid.

You can also block traffic based on the source MAC address:

# block all outgoing traffic from this PC
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

Only Allow Outbound Traffic From Specific PCs:
If you want to block all outbound traffic from your green network, and only allow one or more specific PCs to access the intenet, edit /etc/rc.d/rc.firewall.up and immediately after the line containing

/sbin/iptables -P OUTPUT ACCEPT

insert the following

# allow outgoing traffic from these PCs
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.3 -j ACCEPT
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 192.168.0.4 -j ACCEPT
# block all other outgoing traffic
/sbin/iptables -A FORWARD -p ALL -i $GREEN_DEV -s 0/0 -j DROP

Note that blocking outbound traffic in this way won't have any effect if you have Smoothwall's web proxy enabled, and the user configures their browser to use the proxy. To block this traffic too, you'll either need to block incoming traffic from that user on port 800 (the web proxy port), or implement an ACL in Squid.

Note:
Note that some of the Smoothwall fixes may overwrite rc.firewall.up with a newer version, so if you install a new fix, it may overwrite your changes, so always keep a backup copy of your rc.firewall.up before patching your Smoothie, so you can reapply the changes to the new rc.firewall.up.

Similarly, when doing a fresh installation of Smoothwall, only make these changes once you've fully patched the installation.

References:
netfilter/iptables project

last updated 7 Jan 2004