Debian for router: eth0, eth1, tun0 - review iptables for routing/firewall

iptables
firewall
networking
sysadmin

#1

I have installed debian on a pc that will be connected directly to the internet and will act as a router. It has 3 interfaces: eth0 (internet), eth1 (lan), and tun0 (vpn). All traffic should go through tun0.

Currently the setup works.

These are the iptables rules I came up with:
http://termbin.com/2vqj7

#!/bin/sh -e

#WAN	eth0

#LAN	eth1


#default policy to drop all incoming packets
#flush the filter and nat tables first, so re-running the script does not append duplicate rules
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP

ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

iptables -A INPUT -i eth0 -p tcp --dport 48000 -j ACCEPT

iptables -A INPUT -i tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o tun0 -m conntrack \
	--ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE

#accept incoming packets from localhost and the LAN interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

#accept incoming packets from the WAN if the router initiated the connection
iptables -A INPUT -i eth0 -m conntrack \
	--ctstate ESTABLISHED,RELATED -j ACCEPT

#forward LAN packets to the WAN
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#forward WAN packets to the LAN if the LAN initiated the connection
iptables -A FORWARD -i eth0 -o eth1 -m conntrack \
	--ctstate ESTABLISHED,RELATED -j ACCEPT

#NAT traffic going out to the WAN interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

exit 0
1. Could someone review the rules and see if it's secure (or if it can be improved)?

#2

I edited your post to include the rules directly in the forum, so that if the termbin URL dies, people can still read your post.

Looks good to me. Since you are dropping everything, that is a good firewall policy. Try to add some log rules with the -m limit module for dropped packets, so that you will know if somebody is trying to get in, etc.
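As an added example (not the original poster's script, and not taken from any project), here is one way to write the same eth0/eth1/tun0 ruleset so that the LAN can only ever reach the internet through tun0 and dropped packets are logged with -m limit as suggested in reply #2. The interface names and the 192.168.0.0/24 subnet come from the post; the assumption that TCP port 48000 is the VPN endpoint, the log prefixes and the limit values are my own choices. IPT=echo prints the rules instead of loading them, which is how the assertions below check the ruleset without root.

```shell
#!/bin/sh
# Added example for the eth0 (WAN) / eth1 (LAN) / tun0 (VPN) router in the thread.
# Not the original poster's script. Differences from it: the nat table is flushed
# too, LAN traffic is only ever forwarded into tun0 (no eth1 -> eth0 rule, so a
# dropped tunnel blocks traffic instead of leaking it to the WAN), tun0 -> eth1 is
# limited to replies, and packets that fall through to the DROP policy are logged
# with a rate limit. Set IPT=echo / IP6T=echo to print the rules instead.
set -eu

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
WAN=eth0
LAN=eth1
VPN=tun0
LAN_NET=192.168.0.0/24   # LAN subnet from the posted script
VPN_PORT=48000           # assumption: the TCP port the posted script opens on eth0 is the VPN endpoint
LOG_RATE=5/min           # assumption: at most 5 log lines per minute, burst of 10

apply_rules() {
    # Flush filter and nat so re-running the script does not append duplicates
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Router itself: loopback, LAN, the tunnel, replies to its own connections,
    # and the VPN endpoint port on the WAN side
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    $IPT -A INPUT -i "$VPN" -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$VPN_PORT" -j ACCEPT

    # Forwarding: LAN -> VPN freely, VPN -> LAN only for replies. Deliberately
    # no LAN -> WAN rule, so the tunnel acts as a kill switch.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$VPN" -j ACCEPT
    $IPT -A FORWARD -i "$VPN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NAT only towards the tunnel, never towards eth0
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN" -j MASQUERADE

    # Last rules in each chain: rate-limited LOG, then the chain policy drops
    $IPT -A INPUT -m limit --limit "$LOG_RATE" --limit-burst 10 \
        -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
    $IPT -A FORWARD -m limit --limit "$LOG_RATE" --limit-burst 10 \
        -j LOG --log-prefix "IPT-FWD-DROP: " --log-level 4
}

apply_ipv6_rules() {
    # Nothing is routed over IPv6 here, so drop it all (as the posted script does),
    # keeping only loopback so local services that bind ::1 still work
    $IP6T -F
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT DROP
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT
}

# Usage: sh rules.sh apply   (as root)   or   IPT=echo IP6T=echo sh rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
    apply_ipv6_rules
fi
```

The LOG rules sit at the end of INPUT and FORWARD so they only see packets that no ACCEPT rule matched; the preceding INVALID drop keeps stray conntrack garbage from eating the log budget. Logged lines show up in the kernel log (dmesg or journalctl -k) with the IPT-INPUT-DROP / IPT-FWD-DROP prefix, which is what makes them easy to grep for or ship to a collector.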