iptables problem

Lord of Gore lordofgore at logsoftgrup.ro
Wed Dec 20 23:22:22 UTC 2006


Aleksandar Milivojevic wrote:
> Quoting Lord of Gore <lordofgore at logsoftgrup.ro>:
>
> [ deleted some good advice ]
>
> Actually, if you look into his rules, he was configuring a system 
> that allows outgoing connections to a limited set of services, and 
> accepts incoming connections only on port 25 (SMTP).  The system 
> also seems to be a DHCP client.  Or at least that was the way he 
> attempted to construct his firewall rules.  Unless he got everything 
> totally messed up.
>
> Something like this.  Again, not a tutorial, just an example that could 
> be closed down a bit more than it is now.
>
> # define filter table and set default policy to DROP in all chains
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # some generic stuff, no need to go wild with RELATED
> -A INPUT -m state --state ESTABLISHED -j ACCEPT
I knew I had to forget something ^ :)
>
> # this could be closed down a bit to allow only unreachable and ttl exceeded
> -A INPUT -p icmp -m state --state RELATED -j ACCEPT
>
> # smtp service running on this host
> -A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
>
> # accept DHCP replies, assuming IP address of DHCP server is known
> # and we always get address on fixed network.  replace dhcp-server
> # and local-network with appropriate IP addresses
> -A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT
>
> # log
> -A INPUT -j LOG --log-prefix="INPUT "
>
> # unless this host is router, no rules in FORWARD chain
> # other than logging
> -A FORWARD -j LOG --log-prefix="FORWARD "
>
> # again some generic stuff
> -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
> -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
>
> # allow this host to access these services, and nothing else
> -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
>
> # Allow this system to request and renew its IP address, this
> # could be closed down a bit more, but not much gain in doing it
> -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
>
> # log the rest
> -A OUTPUT -j LOG --log-prefix="OUTPUT "
> COMMIT
Yes, this should be stricter and more complete. I just wanted to make him 
understand how he should be thinking while developing some rules.
Mr Tamer, you have good friends on this list (<joke>of course you might 
have made enemies also, but you should see the glass as half full</joke> :) )
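As an added example (not from the thread or its authors), here is a small Python check that parses an iptables-restore style *filter table and flags the points raised above: default DROP policies, an ESTABLISHED accept in INPUT and OUTPUT, TCP NEW accepts limited to --syn, and a LOG rule as the last rule of each chain. The embedded ruleset is constructed, modelled on the quoted one, and the function names are the example's own.

```python
# Constructed sample in iptables-restore format, modelled on the quoted ruleset;
# the OUTPUT port-80 rule deliberately omits --syn so the check reports something.
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT
-A INPUT -j LOG --log-prefix="INPUT "
-A FORWARD -j LOG --log-prefix="FORWARD "
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix="OUTPUT "
COMMIT
"""

def parse_filter_table(text):
    """Return ({chain: policy}, {chain: [rule lines]}) for the *filter table."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j <target>"
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def audit(text):
    """Flag deviations from the pattern discussed in the thread."""
    policies, rules = parse_filter_table(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        chain_rules = rules.get(chain, [])
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is not DROP")
        if chain != "FORWARD" and not any("--state ESTABLISHED" in r for r in chain_rules):
            findings.append(f"{chain}: no ESTABLISHED accept rule")
        if not chain_rules or "-j LOG" not in chain_rules[-1]:
            findings.append(f"{chain}: last rule before the DROP policy is not LOG")
        for r in chain_rules:
            if "-j ACCEPT" in r and "-p tcp" in r and "--state NEW" in r and "--syn" not in r:
                findings.append(f"{chain}: TCP NEW accept without --syn: {r}")
    return findings
```

Run `audit(SAMPLE_RULES)` to get the list of findings; on the sample it reports only the OUTPUT rule that lacks --syn.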
More information about the redhat-list mailing list