Menu
▾
▴
Re: [Astlinux-users] Wireguard VPN Security
|
From: Michael K. <mic...@ip...> - 2019-09-15 02:12:52
|
Thanks Lonnie
I have never done any iptables rules so this will be a first.
Regards
Michael Knill
Sent from my iPhone so please excuse my brevity.
> On 10 Sep 2019, at 8:32 am, Lonnie Abelbeck <li...@lo...> wrote:
>
> Hi Michael,
>
> OK, that is best done via custom rules in "/mnt/kd/arno-iptables-firewall/custom-rules".
>
> For this example WireGuard LAN->Local will drop all traffic except SSH.
>
> -- /mnt/kd/arno-iptables-firewall/custom-rules --
> # Put any custom (iptables) rules here down below:
> ##################################################
>
> custom_wg_lan_input()
> {
> local wg_if
>
> wg_if="${WIREGUARD_IF:-wg0}"
>
> echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
> iptables -A INT_INPUT_CHAIN -i $wg_if -p tcp --dport 22 -j ACCEPT
> iptables -A INT_INPUT_CHAIN -i $wg_if -j DROP
> }
> custom_wg_lan_input
> --
>
> apply changes...
> pbx # arno-iptables-firewall restart
>
> test new rules with...
> pbx # iptables -nvL INT_INPUT_CHAIN
> Chain INT_INPUT_CHAIN (3 references)
> pkts bytes target prot opt in out source destination
> 1 60 ACCEPT tcp -- wg0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 3 180 DROP all -- wg0 * 0.0.0.0/0 0.0.0.0/0
> ...
>
> and for IPv6...
> pbx # ip6tables -nvL INT_INPUT_CHAIN
> Chain INT_INPUT_CHAIN (3 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp wg0 * ::/0 ::/0 tcp dpt:22
> 0 0 DROP all wg0 * ::/0 ::/0
> ...
>
> Since the default LAN->Local policy is ACCEPT we need to use DROP to block all for wg0.
>
> As always, test the firewall rule changes to make sure it works as expected.
>
> Lonnie
>
>
>> On Sep 9, 2019, at 3:17 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi sorry Lonnie, I didn't explain it well enough.
>>
>> I want to provide different access to Local from a physical LAN than the wg0 interface.
>> For instance I want to open TCP443, my SSH Port and possibly other ports from the physical LAN but open my SSH Port only from wg0.
>>
>> I could do it based on the Source IP however as there is only Deny LAN->Local rules possible, I'm not sure how I could just open a single port and deny all the rest?
>>
>> Regards
>> Michael Knill
>>
>> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>> I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:
>>
>> _x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)
>>
>> And LAN's can access Local by default.
>>
>> Lonnie
>>
>>
>>
>>> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Thanks Lonnie.
>>>
>>> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
>>> I really need a Pass LAN->Local to do this!
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>>
>>>
>>>
>>>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Hi Group
>>>>
>>>> I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>>>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
>>>>
>>>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think is completely open currently.
>>>>
>>>> Is it easy to do?
>>>>
>>>> Regards
>>>> Michael Knill
>>>
>>> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>>>
>>> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>>>
>>> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>>>
>>> Firewall Rules:
>>> Action: [ Deny LAN->Local ]
>>>
>>> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>>>
>>> Lonnie
>>>
>>>
>>>
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Ast...@li...
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>>>
>>>
>>>
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Ast...@li...
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>>
>>
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>>
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>
>
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
|
