[TriLUG] Re: IPTables help

Tanner Lovelace lovelace at wayfarer.org
Fri Sep 20 16:45:27 EDT 2002


On Fri, 2002-09-20 at 09:20, Corey Mutter wrote:
 
> Yes, good catch. I have other redundancies that may make even less
> sense, in the parts I cut out. What's probably best is to leave any
> interface checking out of "nonew", and conditionally jump to that
> chain with an interface check, like:
> 
> iptables -A INPUT -i eth0 -j nonew

Yeah, that would make sense.  That way you could reuse
nonew on other interfaces if they were added.
 
> Yes. You also need to put any of those services before
> connection-state tracking or the "accept" rules won't get reached. 

Ah, good point! 

> You shouldn't need the modules. The FTP/IRC conntrack modules are
> there to handle the client side. From a non-passive FTP client, when a
> file is about to be transferred, the FTP server opens a data
> connection (separate from the control connection on port 21) back to
> you. If the client's connection-state-tracking firewall is unaware of
> FTP, it will classify the connection as NEW instead of RELATED (and
> get dropped). This module lets the connection-tracking tell (from the
> presence/data in? the control connection) that the connection back is
> related to the FTP session. 

Ah. So, if we want to be able to ftp *from* one of the machines,
then we would need the ftp conntrack module, but not for normal
server setup.
 
> I don't know what IRC does to make connection-state tracking difficult
> (by the way, these are all the same things that makes NAT difficult),
> but it's probably something like FTP. 

I think it's something to do with DCC, but I don't have
personal knowledge of it.

So, how is this as a possible iptables setup? (Note it's just
your script with some modifications).

###################################################################
# Proposed TriLUG iptables setup
###################################################################


###################################################################
# Enable address spoofing protection, disable receiving source-routed
# packets and ICMP Redirects
###################################################################
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

###################################################################
# Flush all chains; delete all user-defined chains
###################################################################
iptables -F
iptables -X

###################################################################
# Paranoid default: drop on all chains
###################################################################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

###################################################################
# Chain for allowing no new inbound connections (stateful firewall)
###################################################################
iptables -N nonew
# If already part of an existing connection, okay
iptables -A nonew -m state --state ESTABLISHED,RELATED -j RETURN
# Anything else is a probe attempt, log
# Reject with "port unreachable", just like nobody was listening
# or RST for TCP connections, or drop for ICMP packets
iptables -A nonew -p tcp -j REJECT --reject-with tcp-reset
# [Will this cause pings not to work?  If so, will removing this
#  rule bring that capability back?]
iptables -A nonew -p icmp -j DROP
iptables -A nonew -j REJECT


###################################################################
# Anything on loopback OK
###################################################################
iptables -A INPUT -i lo+ -j ACCEPT
iptables -A OUTPUT -o lo+ -j ACCEPT

###################################################################
# Anything on eth1 OK
###################################################################
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.77.0/24 -d 192.168.77.0/24 -j \
 ACCEPT


###################################################################
# Input chain (packets to the local box come here)
###################################################################
# [One for each allowed server, as many as you like]
iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
# No new connections from Internet
iptables -A INPUT -j nonew
# It passed the tests
iptables -A INPUT -j ACCEPT

###################################################################
# Output chain (packets from the local box come here)
###################################################################
# [If you don't put output checking in, change default policy to ACCEPT]
# Non-localnet on eth0 okay
iptables -A OUTPUT -o eth0 ! -s 192.168.77.0/24 ! -d 192.168.77.0/24 -j \
  ACCEPT
# Anything else bad, log and drop (rate-limited; "--limit 3" with no unit
# means 3 per hour, the limit module's default unit)
iptables -A OUTPUT -m limit --limit 3 -j LOG --log-level crit \
 --log-prefix "Bad output addr! "
iptables -A OUTPUT -j DROP
---------------------------------------------------------------------------

If we were to change the OUTPUT policy to ACCEPT, would we just
delete the last section and change the line near the top that
currently says: "iptables -P OUTPUT DROP" to instead say
"iptables -P OUTPUT ACCEPT"?

Thanks much, 
Tanner
-- 
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
          Si hoc legere scis, nimium eruditionis habes.
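An added example, not part of the message above or of Corey's original script: the proposed ruleset as a parameterised shell script. It dry-runs by default (prints the iptables commands), so the resulting rule order can be inspected without root, and applies them when IPT and SYSCTL are pointed at the real tools. Two points from the thread are built in. First, the jump to nonew carries the interface check Corey suggested, so the chain stays reusable. Second, the rule order settles the two open questions: an inbound echo-request is a NEW flow as far as connection tracking is concerned, so nonew's "-p icmp -j DROP" stops the box answering pings (removing that rule only moves the packet to the final REJECT, which still sends no echo-reply; outbound pings keep working because the replies are ESTABLISHED), and switching the OUTPUT policy to ACCEPT requires dropping the trailing LOG/DROP section as well, because a rule "-A OUTPUT -j DROP" matches before the chain policy is ever consulted. The interface names and 192.168.77.0/24 are carried over from the post; the variable names, ALLOW_PING and the 3/minute log limit are my assumptions, and "-m conntrack --ctstate" is the current spelling of "-m state --state".

```sh
#!/bin/sh
# Added example, not the thread's own script.  Dry run (default) prints the
# commands; to apply, run as root with
#   IPT=iptables SYSCTL="sysctl -w" sh fw.sh DROP "22 80" "53"

: "${IPT:=echo iptables}"        # command used for every rule (assumed name)
: "${SYSCTL:=echo sysctl -w}"    # command used for the kernel knobs (assumed name)
: "${WAN_IF:=eth0}"              # Internet-facing interface, from the post
: "${LAN_IF:=eth1}"              # trusted LAN interface, from the post
: "${LAN_NET:=192.168.77.0/24}"  # trusted LAN prefix, from the post
: "${ALLOW_PING:=1}"             # assumed knob; 0 reproduces the post: inbound pings dropped

ipt() { $IPT "$@"; }

# build_ruleset POLICY "TCP PORTS" "UDP PORTS"
#   POLICY is the OUTPUT chain policy, DROP or ACCEPT.  With ACCEPT the egress
#   section is omitted entirely: a trailing "-A OUTPUT -j DROP" rule would
#   match before the policy is consulted, so changing the policy alone is not enough.
build_ruleset() {
    policy=$1 tcp_ports=$2 udp_ports=$3
    case $policy in
        DROP|ACCEPT) ;;
        *) echo "OUTPUT policy must be DROP or ACCEPT, not '$policy'" >&2; return 1 ;;
    esac

    $SYSCTL net.ipv4.conf.all.rp_filter=1
    $SYSCTL net.ipv4.conf.all.accept_source_route=0
    $SYSCTL net.ipv4.conf.all.accept_redirects=0

    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT "$policy"

    # nonew: packets of a flow conntrack already knows go back to the caller;
    # anything else is a new inbound connection and is refused.
    ipt -N nonew
    ipt -A nonew -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    ipt -A nonew -p tcp -j REJECT --reject-with tcp-reset
    ipt -A nonew -p icmp -j DROP
    ipt -A nonew -j REJECT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT

    # Services go before the jump to nonew; after it their SYNs would be reset.
    for p in $tcp_ports; do ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -j ACCEPT; done
    for p in $udp_ports; do ipt -A INPUT -i "$WAN_IF" -p udp --dport "$p" -j ACCEPT; done
    # An inbound echo-request is a NEW flow, so nonew's ICMP rule would drop it
    # and the box would stop answering pings; accept it here to keep ping working.
    if [ "$ALLOW_PING" = 1 ]; then
        ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    fi
    # Interface check on the jump, so nonew stays reusable for another uplink.
    ipt -A INPUT -i "$WAN_IF" -j nonew
    ipt -A INPUT -i "$WAN_IF" -j ACCEPT

    if [ "$policy" = DROP ]; then
        # Egress: only non-LAN traffic leaves via the WAN side; log and drop the rest.
        ipt -A OUTPUT -o "$WAN_IF" ! -s "$LAN_NET" ! -d "$LAN_NET" -j ACCEPT
        ipt -A OUTPUT -m limit --limit 3/minute -j LOG --log-level crit \
            --log-prefix "Bad output addr! "
        ipt -A OUTPUT -j DROP
    fi
}

# Command-line use: fw.sh [DROP|ACCEPT] ["tcp ports"] ["udp ports"]
build_ruleset "${1:-DROP}" "${2:-22}" "${3:-}"
```

Running it once with DROP and once with ACCEPT and diffing the two printouts shows exactly which lines the policy change touches: the "-P OUTPUT" line and the three egress rules at the end, nothing else.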