iptables problem
Lord of Gore
lordofgore at logsoftgrup.ro
Wed Dec 20 23:22:22 UTC 2006
Aleksandar Milivojevic wrote:
> Quoting Lord of Gore <lordofgore at logsoftgrup.ro>:
>
> [ deleted some good advice ]
>
> Actually, if you look into his rules, he was configuring the system
> that allows outgoing connections to a limited set of services, and
> accepting incoming connections only on port 25 (SMTP). The system
> also seems to be a DHCP client. Or at least that was the way he
> attempted to construct his firewall rules. Unless he got everything
> totally messed up.
>
> Something like this. Again, not tutorial, just an example that could
> be closed down a bit more than it is now.
>
> # define filter table and set default policy to DROP in all chains
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # some generic stuff, no need to go wild with RELATED
> -A INPUT -m state --state ESTABLISHED -j ACCEPT
I knew I had to forget something ^ :)
>
> # this could be closed down a bit to allow only unreachable and ttl exceeded
> -A INPUT -p icmp -m state --state RELATED -j ACCEPT
>
> # smtp service running on this host
> -A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
>
> # accept DHCP replies, assuming IP address of DHCP server is known
> # and we always get address on fixed network. replace dhcp-server
> # and local-network with appropriate IP addresses
> -A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT
>
> # log
> -A INPUT -j LOG --log-prefix="INPUT "
>
> # unless this host is router, no rules in FORWARD chain
> # other than logging
> -A FORWARD -j LOG --log-prefix="FORWARD "
>
> # again some generic stuff
> -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
> -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
>
> # allow this host to access these services, and nothing else
> -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
>
> # Allow this system to request and renew its IP address, this
> # could be closed down a bit more, but not much gain in doing it
> -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
>
> # log the rest
> -A OUTPUT -j LOG --log-prefix="OUTPUT "
Yes, this should be stricter and more complete. I just wanted to make him
understand how he should be thinking while developing some rules.
Mr Tamer, you have good friends on this list (<joke>of course you might
have made enemies also, but you should see the half-full glass</joke> :) )
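The thread's own lesson is that a ruleset like the one quoted above is easy to get subtly wrong: a forgotten ESTABLISHED rule (the "I knew I had to forget something" moment), a chain left with a default policy of ACCEPT, a placeholder such as dhcp-server-ip never replaced with a real address, or a chain that drops silently because no LOG rule comes last. The following checker is an added example, not code from the thread or from either poster; it parses text in iptables-restore format and reports those four mistakes. The sample ruleset embedded in it is constructed for the example (it is the quoted ruleset with the OUTPUT ESTABLISHED rule removed, the OUTPUT policy set to ACCEPT and the placeholders left in), and the placeholder names are the ones the quoted rules use. The 192.0.2.1 and 198.51.100.0/24 addresses used in the corrected variant are documentation ranges, not real hosts.

```python
"""Lint an iptables-restore style *filter table for mistakes discussed in the
thread.  Added example: not part of the original mailing-list post."""
import re

# Constructed sample: the quoted ruleset with some deliberate problems left in.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT
-A INPUT -j LOG --log-prefix="INPUT "
-A FORWARD -j LOG --log-prefix="FORWARD "
-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
COMMIT
"""

# Placeholder names taken from the quoted rules; they must never reach iptables.
PLACEHOLDERS = ("dhcp-server-ip", "local-network")


def parse_filter(text):
    """Return (policies, rules).

    policies maps chain name -> default policy string.
    rules maps chain name -> ordered list of rule bodies (text after '-A CHAIN').
    Comments, blank lines, '*filter' and 'COMMIT' are skipped.
    """
    policies, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            parts = line.split(None, 2)
            chain = parts[1]
            rest = parts[2] if len(parts) > 2 else ""
            rules.setdefault(chain, []).append(rest)
    return policies, rules


def check_ruleset(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    policies, rules = parse_filter(text)
    findings = []
    # 1. every chain should default to DROP, as the quoted ruleset intends
    for chain, policy in policies.items():
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, expected DROP")
    for chain, chain_rules in rules.items():
        accepts_new = any("--state NEW" in r and "-j ACCEPT" in r for r in chain_rules)
        accepts_est = any("--state ESTABLISHED" in r and "-j ACCEPT" in r for r in chain_rules)
        # 2. a chain that opens NEW connections but never accepts the replies
        if accepts_new and not accepts_est:
            findings.append(f"{chain}: accepts NEW connections but has no ESTABLISHED accept rule")
        # 3. silent drops: the last rule should be the catch-all LOG
        if not chain_rules or "-j LOG" not in chain_rules[-1]:
            findings.append(f"{chain}: last rule is not a LOG rule, dropped packets will be silent")
        # 4. placeholders that were never replaced with real addresses
        for r in chain_rules:
            for ph in PLACEHOLDERS:
                if re.search(rf"(?<![\w.-]){re.escape(ph)}(?![\w.-])", r):
                    findings.append(f"{chain}: placeholder '{ph}' not replaced in rule: {r}")
    return findings


def fixed_sample():
    """The constructed sample with every flagged problem corrected."""
    return (
        SAMPLE.replace(":OUTPUT ACCEPT", ":OUTPUT DROP")
        .replace("dhcp-server-ip", "192.0.2.1")          # constructed address
        .replace("local-network", "198.51.100.0/24")     # constructed network
        .replace("-A OUTPUT -p tcp --dport 80",
                 "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT\n-A OUTPUT -p tcp --dport 80")
        .replace("COMMIT", '-A OUTPUT -j LOG --log-prefix="OUTPUT "\nCOMMIT')
    )


if __name__ == "__main__":
    for finding in check_ruleset(SAMPLE):
        print(finding)
    print("fixed ruleset findings:", check_ruleset(fixed_sample()))
```

Run it on a saved ruleset before feeding the file to iptables-restore; the checks are deliberately textual and conservative, so a clean result means only that these particular mistakes are absent, not that the policy is correct.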