Firewall
Implementation of a basic and modular firewall using iptables.
Basic Operation
Introduction
The firewall works on packets and their connection state as they enter and leave the host. From the host's perspective, packets fall into the following groups, each handled as a block:
- Input
  - The destination of the packet is the host itself.
- Output
  - Packets generated by the host and leaving towards the network.
- Forwarding
  - The host is not the destination, but the packet must pass through it. The host acts as a router.
Packet Flow within the Host
Inside the host, the packet passes through a series of filtering and routing tables (iptables chains). Which rules apply to a packet is decided by the following criteria:
- Protocol (tcp, udp, and icmp).
- Interface (lan0, wlan0, etc.).
- Port.
- Source IP/network.
- Destination IP/network.
- Destination table (the target chain the packet is passed to).
The following image simplifies the structure of the path taken by packets within the host.
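As an added example, not part of the original page, the following shell function walks a packet through the netfilter chains in the order the kernel visits them, covering the three groups above (input, output, forwarding) plus the loopback case. No rules are evaluated and nothing touches iptables, so it runs without root; chain names are the standard netfilter ones.

```shell
#!/bin/sh
# Added example: the order in which a packet meets the netfilter chains,
# for the packet groups described above. Only the path is returned, no
# rules are evaluated, so this needs neither root nor iptables installed.
#
# usage: packet_path remote|local host|other
#   remote = arrives on a network interface, local = generated by a process
#   host   = addressed to this machine,      other = addressed elsewhere
packet_path() {
    case "$1/$2" in
        remote/host)
            # Input: PREROUTING (raw, mangle, nat), routing decision, INPUT
            echo "PREROUTING INPUT process"
            ;;
        remote/other)
            # Forwarding: never touches INPUT or OUTPUT; needs ip_forward=1
            echo "PREROUTING FORWARD POSTROUTING interface"
            ;;
        local/other)
            # Output: OUTPUT (raw, mangle, nat, filter), routing, POSTROUTING
            echo "OUTPUT POSTROUTING interface"
            ;;
        local/host)
            # Talking to ourselves goes out over lo and comes back in, so it
            # is an Output followed by an Input
            echo "OUTPUT POSTROUTING PREROUTING INPUT process"
            ;;
        *)
            echo "usage: packet_path remote|local host|other" >&2
            return 1
            ;;
    esac
}

# Which of the three policies (INPUT, OUTPUT, FORWARD) judges the packet.
packet_kind() {
    case "$(packet_path "$1" "$2")" in
        *FORWARD*)        echo forward ;;
        *OUTPUT*INPUT*)   echo "output input" ;;   # loopback round trip
        *INPUT*)          echo input ;;
        *OUTPUT*)         echo output ;;
    esac
}

# Print the table that the missing figure would show.
for pkt in "remote host" "remote other" "local other" "local host"; do
    set -- $pkt
    printf '%-12s -> %-12s : %s\n' "$pkt" "$(packet_kind "$1" "$2")" "$(packet_path "$1" "$2")"
done
```

The forwarding path is the one to check when the host is meant to act as a router: it bypasses INPUT and OUTPUT entirely, so rules placed there never see forwarded traffic.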
Firewall Implementation
Structure
The structure for handling packets is based on whether the packets are inbound or outbound.
- Input
  - Packets are classified by protocol and then the rules for each service are applied. A packet is accepted either because a rule for its service accepts it or because it belongs to a connection that was already accepted (the ALLOWED table).
- Output
  - It is divided by protocol, and only the ports of the chosen services are opened.
Bash Script
Structure
To implement the proposed structure, the script is divided into the following sections.
- Basic Configuration
  - Creation of generic tables for each protocol and for existing connections (ALLOWED).
- Package Manager
  - Opens the port for the hkp connection used to fetch the package manager's signing keys.
- Docker
  - Configuration of the Docker container network.
- Local Network
  - Configuration of ports per service (https, dhcp, etc.).
- VPN
  - Similar to the local network in practical terms; only the interface changes, to keep the local and virtual networks separate.
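The structure described under Firewall Implementation and the script sections listed just above, as an added example that is not the project's own script: a modular ruleset with per-protocol tables in each direction, an ALLOWED table for established connections, and one function per section. The interface names (eth0, tun0, docker0), the Docker subnet and the service ports are assumptions; the VPN section reuses the local-network function with a different interface, as the text describes. By default IPT is a dry run that only prints the commands; running it with IPT=iptables as root applies them.

```shell
#!/bin/sh
# Added example, not the project's script: a modular iptables ruleset laid
# out in the sections described above. IPT defaults to a dry run that
# prints the commands; set IPT=iptables (as root) to apply them for real.
IPT=${IPT:-"echo iptables"}

# Assumed interface and network names; adjust to the host.
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
DOCKER_IF=${DOCKER_IF:-docker0}
DOCKER_NET=${DOCKER_NET:-172.17.0.0/16}   # Docker's default bridge subnet

# --- Basic configuration: policies, generic tables, ALLOWED --------------
basic_config() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    # Default deny in every direction; everything below is a whitelist.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # One generic table per protocol and direction, plus ALLOWED for
    # packets that belong to a connection already accepted.
    for chain in ALLOWED IN_TCP IN_UDP IN_ICMP OUT_TCP OUT_UDP OUT_ICMP; do
        $IPT -N "$chain"
    done
    $IPT -A ALLOWED -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A ALLOWED -m conntrack --ctstate INVALID -j DROP
    # Loopback is trusted; everything else goes through ALLOWED first.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -j ALLOWED
    $IPT -A OUTPUT -j ALLOWED
    # Only NEW connections reach the per-protocol tables.
    $IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j IN_TCP
    $IPT -A INPUT -p udp -m conntrack --ctstate NEW -j IN_UDP
    $IPT -A INPUT -p icmp -m conntrack --ctstate NEW -j IN_ICMP
    $IPT -A OUTPUT -p tcp --syn -m conntrack --ctstate NEW -j OUT_TCP
    $IPT -A OUTPUT -p udp -m conntrack --ctstate NEW -j OUT_UDP
    $IPT -A OUTPUT -p icmp -m conntrack --ctstate NEW -j OUT_ICMP
}

# Helpers: open_in PROTO PORT IFACE / open_out PROTO PORT IFACE
open_in()  { $IPT -A "IN_$(echo "$1" | tr '[:lower:]' '[:upper:]')"  -i "$3" -p "$1" --dport "$2" -j ACCEPT; }
open_out() { $IPT -A "OUT_$(echo "$1" | tr '[:lower:]' '[:upper:]')" -o "$3" -p "$1" --dport "$2" -j ACCEPT; }

# --- Package manager: hkp to fetch repository signing keys ---------------
package_manager() {
    # hkp (HTTP Keyserver Protocol) uses TCP 11371; the repositories
    # themselves are reached over https, opened in the service section.
    open_out tcp 11371 "$LAN_IF"
}

# --- Docker: let containers reach the network through the host -----------
docker_network() {
    # Assumption: bridge docker0 with the default subnet. The Docker daemon
    # normally installs equivalent rules itself; these make them explicit.
    $IPT -A FORWARD -i "$DOCKER_IF" -o "$LAN_IF" -s "$DOCKER_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DOCKER_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$DOCKER_NET" ! -o "$DOCKER_IF" -j MASQUERADE
}

# --- Per-interface services: the local network and the VPN share this ----
services_on() {
    iface=$1
    open_out udp 53  "$iface"   # DNS
    open_out tcp 443 "$iface"   # https
    # DHCP client: the discover goes out 68->67, the offer comes back 67->68.
    $IPT -A OUT_UDP -o "$iface" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A IN_UDP  -i "$iface" -p udp --sport 67 --dport 68 -j ACCEPT
    # Answer pings from this network and allow our own.
    $IPT -A IN_ICMP  -i "$iface" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUT_ICMP -o "$iface" -p icmp --icmp-type echo-request -j ACCEPT
}
local_network() { services_on "$LAN_IF"; }
vpn()           { services_on "$VPN_IF"; }   # same services, other interface

apply_firewall() {
    basic_config
    package_manager
    docker_network
    local_network
    vpn
}

apply_firewall
```

Reviewing the dry-run output before applying it is the cheap check: every line should be an accept for a named service or a jump into ALLOWED, and anything else is a hole in the whitelist.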