
Re: iptables problem



Aleksandar Milivojevic wrote:
Quoting Lord of Gore <lordofgore logsoftgrup ro>:

[ deleted some good advice ]

Actually, if you look into his rules, he was configuring the system to allow outgoing connections to a limited set of services, and to accept incoming connections only on port 25 (SMTP). The system also seems to be a DHCP client. Or at least that was the way he attempted to construct his firewall rules. Unless he got everything totally messed up.

Something like this. Again, not a tutorial, just an example that could be closed down a bit more than it is now.

# define filter table and set default policy to DROP in all chains
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# some generic stuff, no need to go wild with RELATED
-A INPUT -m state --state ESTABLISHED -j ACCEPT
I knew I had to forget something ^ :)

# this could be closed down a bit to allow only unreachable and ttl exceeded
-A INPUT -p icmp -m state --state RELATED -j ACCEPT

# smtp service running on this host
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# accept DHCP replies, assuming IP address of DHCP server is known
# and we always get address on fixed network.  replace dhcp-server
# and local-network with appropriate IP addresses
-A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT

# log
-A INPUT -j LOG --log-prefix="INPUT "

# unless this host is router, no rules in FORWARD chain
# other than logging
-A FORWARD -j LOG --log-prefix="FORWARD "

# again some generic stuff
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

# allow this host to access these services, and nothing else
-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# Allow this system to request and renew its IP address, this
# could be closed down a bit more, but not much gain in doing it
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

# log the rest
-A OUTPUT -j LOG --log-prefix="OUTPUT "

# commit the table; iptables-restore will not load the ruleset without this
COMMIT

Yes, this should be stricter and more complete. I just wanted to make him understand how he should be thinking while developing some rules. Mr. Tamer, you have good friends on this list (<joke>of course you might have made enemies also, but you should see the glass as half full</joke> :) )
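The design the quoted rules follow (default DROP in every chain, accept ESTABLISHED replies, then admit only a short list of NEW connections, log the rest) is easy to get subtly wrong when editing by hand. The script below is an added example, not code from this thread or from either poster: it parses an iptables-restore ruleset, lists which new connections each chain actually admits, and flags the common mistakes discussed here (a chain whose policy is not DROP, a missing COMMIT, an ACCEPT in INPUT with no protocol/port restriction, a chain with no ESTABLISHED accept). The parser is deliberately simplified and only understands the `-A` options used in the thread; the sample ruleset mirrors the quoted one, with constructed TEST-NET addresses standing in for the dhcp-server and local-network placeholders.

```python
"""Lint an iptables-restore ruleset for the stateful-firewall design points
discussed in the thread. Added example; the parser is intentionally minimal."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample mirroring the thread's rules (addresses are TEST-NET placeholders).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -s 192.0.2.1 -d 192.0.2.0/24 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT "
-A FORWARD -j LOG --log-prefix "FORWARD "
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT "
COMMIT
"""

REPLY_STATES = frozenset({"ESTABLISHED", "RELATED"})


@dataclass
class Rule:
    chain: str
    raw: str
    target: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    sport: Optional[str] = None
    states: frozenset = frozenset()  # empty means "no state match at all"


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)
    committed: bool = False


def parse_ruleset(text: str) -> Ruleset:
    """Parse the subset of iptables-restore syntax used in the thread."""
    rs = Ruleset()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("*"):
            continue  # blank, comment, or table header (*filter)
        if line == "COMMIT":
            rs.committed = True
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            rs.policies[name] = policy
            continue
        tok = shlex.split(line)  # shlex keeps quoted log prefixes together
        if tok[0] != "-A":
            continue  # hypothetical simplification: only -A rules are linted
        rule = Rule(chain=tok[1], raw=line)
        i = 2
        while i < len(tok):
            opt = tok[i]
            if opt in ("-p", "--protocol"):
                rule.proto = tok[i + 1].lower(); i += 2
            elif opt == "--dport":
                rule.dport = tok[i + 1]; i += 2
            elif opt == "--sport":
                rule.sport = tok[i + 1]; i += 2
            elif opt == "--state":
                rule.states = frozenset(s.upper() for s in tok[i + 1].split(",")); i += 2
            elif opt in ("-j", "--jump"):
                rule.target = tok[i + 1]; i += 2
            elif opt in ("-s", "-d", "-m", "-i", "-o", "--log-prefix"):
                i += 2  # option with a value we do not need
            else:
                i += 1  # bare flags such as --syn
        rs.rules.append(rule)
    return rs


def admits_new(rule: Rule) -> bool:
    """True if an ACCEPT rule can let a *new* connection through.
    A rule with no state match accepts NEW packets too."""
    return rule.target == "ACCEPT" and not (rule.states and rule.states <= REPLY_STATES)


def allowed_new(rs: Ruleset, chain: str) -> List[Tuple[str, str]]:
    """(protocol, destination port) pairs this chain admits as new connections."""
    return sorted((r.proto or "any", r.dport or "any")
                  for r in rs.rules if r.chain == chain and admits_new(r))


def lint(rs: Ruleset) -> List[str]:
    findings = []
    if not rs.committed:
        findings.append("no COMMIT line: iptables-restore will not load this table")
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if rs.policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {rs.policies.get(chain)!r}, not DROP")
    for r in rs.rules:
        unrestricted = r.proto is None or (r.proto in ("tcp", "udp") and r.dport is None)
        if r.chain == "INPUT" and admits_new(r) and unrestricted:
            findings.append(f"INPUT rule admits new connections without proto/port limit: {r.raw}")
    for chain in ("INPUT", "OUTPUT"):
        if not any(r.chain == chain and r.target == "ACCEPT" and "ESTABLISHED" in r.states
                   for r in rs.rules):
            findings.append(f"{chain} has no ESTABLISHED accept; replies will be dropped")
    return findings


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULES)
    print("INPUT admits:", allowed_new(parsed, "INPUT"))
    print("OUTPUT admits:", allowed_new(parsed, "OUTPUT"))
    print("findings:", lint(parsed) or "none")
```

Run against the sample it reports that INPUT admits only tcp/25 and the DHCP reply (udp/68) and raises no findings; drop the COMMIT line or flip a policy to ACCEPT and the corresponding finding appears. Because rules that carry no `-m state` match are treated as admitting NEW, the DHCP rules show up in the admitted list rather than being silently ignored, which is the kind of thing worth seeing before loading a ruleset.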
