[TriLUG] Re: IPTables help

Corey Mutter mutterc at nc.rr.com
Tue Sep 24 13:49:39 EDT 2002


> Subject: Re: [TriLUG] Re: IPTables help
> From: Tanner Lovelace <lovelace at wayfarer.org>
> To: trilug at trilug.org
> Date: 20 Sep 2002 16:45:27 -0400
> Reply-To: trilug at trilug.org
> 
[snip]

> So, how is this as a possible iptables setup? (Note it's just
> your script with some modifications).

I like it, and have comments inline.

> 
> ###################################################################
> # Proposed TriLUG iptables setup
> ###################################################################
> 
> 
> ###################################################################
> # Enable address spoofing protection, disable receiving source-routed
> # packets and ICMP Redirects
> ###################################################################
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> ###################################################################
> # Flush all chains; delete all user-defined chains
> ###################################################################
> iptables -F
> iptables -X
> 
> ###################################################################
> # Paranoid default: drop on all chains
> ###################################################################
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> ###################################################################
> # Chain for allowing no new inbound connections (stateful firewall)
> ###################################################################
> iptables -N nonew
> # If already part of an existing connection, okay
> iptables -A nonew -m state --state ESTABLISHED,RELATED -j RETURN

Note: If you don't have an identd running, and leave out the special
rule for it (reject-with tcp-reset without logging), whenever your box
connects somewhere that causes the other end to do an identd lookup
(e.g. sending mail), this code will log that connection attempt, even
though it's not (usually) malicious. 

> # Anything else is a probe attempt, log
> # Reject with "port unreachable", just like nobody was listening
> # or RST for TCP connections, or drop for ICMP packets
> iptables -A nonew -p tcp -j REJECT --reject-with tcp-reset
> # [Will this cause pings not to work?  If so, will removing this
> #  rule bring that capability back?]
> iptables -A nonew -p icmp -j DROP

Pings won't work, but that's because of the connection state
tracking. Echo Requests coming in will be classified as NEW, where Echo
Replies (if you have sent a matching Echo Request) will be classified
as ESTABLISHED. You will be able to ping the Internet, but the
Internet won't be able to ping you.

If you want people to be able to ping you from the Internet, you have
to put in a rule before connection-tracking that says something like:

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

The reason I have the ICMP DROP rule here is that REJECT will send back an
ICMP port unreachable message (or other configurable packet, such as
TCP reset). Before I had this, if you pinged my firewall, you would
get "port unreachable" error messages, which didn't make much
sense. Better to just drop those packets, I figured.

> iptables -A nonew -j REJECT
> 
> 
> ###################################################################
> # Anything on loopback OK
> ###################################################################
> iptables -A INPUT -i lo+ -j ACCEPT
> iptables -A OUTPUT -o lo+ -j ACCEPT
> 
> ###################################################################
> # Anything on eth1 OK
> ###################################################################
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 192.168.77.0/24 -d 192.168.77.0/24 -j \
>  ACCEPT
> 
> 
> ###################################################################
> # Input chain (packets to the local box come here)
> ###################################################################
> # [One for each allowed server, as many as you like]
> iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
> # No new connections from Internet
> iptables -A INPUT -j nonew
> # It passed the tests
> iptables -A INPUT -j ACCEPT
> 
> ###################################################################
> # Output chain (packets from the local box come here)
> ###################################################################
> # [If you don't put output checking in, change default policy to ACCEPT]
> # Non-localnet on eth0 okay
> iptables -A OUTPUT -o eth0 -s ! 192.168.77.0/24 -d ! 192.168.77.0/24 -j\
>   ACCEPT
> # Anything else bad, log and drop
> iptables -A OUTPUT -m limit --limit 3 -j LOG --log-level crit \
>  --log-prefix "Bad output addr! "
> iptables -A OUTPUT -j DROP
> ---------------------------------------------------------------------------
> 
> If we were to change the OUTPUT policy to ACCEPT, would we just
> delete the last section and change the line near the top that
> currently says: "iptables -P OUTPUT DROP" to instead say
> "iptables -P OUTPUT ACCEPT"?

That's right. If you do that, you can get rid of all the OUTPUT rules
and leave out the checking. All it does for me is generate log
messages if my routing gets messed up to the point where
internal-address packets are going to the outside, or vice
versa. (That hasn't happened yet...)

Corey

> 
> Thanks much, 
> Tanner
> -- 
> Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
> --*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
> GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
> GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
> --*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
>           Si hoc legere scis, nimium eruditionis habes.
> 
> 

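As an added illustration (not code from this thread, and not something Corey or Tanner posted): a small Python model of the quoted INPUT and nonew chains together with a toy connection tracker for ICMP echo. It reproduces the behaviour Corey describes: an inbound echo-request is classified NEW, falls into nonew and hits the `-p icmp -j DROP` rule, while an echo-reply to a ping the box sent is ESTABLISHED and is accepted; adding the `--icmp-type echo-request -j ACCEPT` rule before the `-j nonew` jump makes inbound pings work again. Interface names, the addresses and the single open TCP port are constructed assumptions, and TCP/UDP state tracking is deliberately not modelled.

```python
# Added example: toy model of the quoted INPUT/nonew chains plus a minimal
# conntrack lookalike for ICMP echo. Addresses, interfaces and the open port
# are constructed; nothing here talks to a real netfilter.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str           # "eth0" (Internet), "eth1" (LAN) or "lo"
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""  # "echo-request" or "echo-reply" for ICMP
    icmp_id: int = 0     # ICMP identifier; conntrack pairs request/reply on it
    dport: int = 0       # destination port for TCP/UDP


class Conntrack:
    """Tracks ICMP echo flows only: an accepted echo-request creates an entry
    keyed (src, dst, id); an echo-reply whose reversed tuple matches an entry
    is ESTABLISHED. Everything else is NEW (TCP/UDP tracking not modelled)."""

    def __init__(self):
        self.entries = set()

    def state(self, pkt):
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-reply":
            if (pkt.dst, pkt.src, pkt.icmp_id) in self.entries:
                return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt):
        """Record an accepted echo-request, like conntrack confirming a new
        entry once the packet has survived the filter table."""
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
            self.entries.add((pkt.src, pkt.dst, pkt.icmp_id))


def build_chains(ct, allow_ping=False, open_tcp=(22,)):
    """Return {chain: [(match, target), ...]} mirroring the quoted script.
    Targets are ACCEPT/DROP/REJECT/RETURN or the name of a user chain."""
    nonew = [
        (lambda p: ct.state(p) in ("ESTABLISHED", "RELATED"), "RETURN"),
        (lambda p: p.proto == "tcp", "REJECT"),   # --reject-with tcp-reset
        (lambda p: p.proto == "icmp", "DROP"),    # the rule Tanner asked about
        (lambda p: True, "REJECT"),               # port-unreachable for the rest
    ]
    inp = [
        (lambda p: p.iface == "lo", "ACCEPT"),
        (lambda p: p.iface == "eth1", "ACCEPT"),
    ]
    if allow_ping:
        # Corey's fix: accept echo-request before the connection-tracking jump
        inp.append((lambda p: p.iface == "eth0" and p.proto == "icmp"
                    and p.icmp_type == "echo-request", "ACCEPT"))
    inp += [
        (lambda p: p.iface == "eth0" and p.proto == "tcp"
         and p.dport in open_tcp, "ACCEPT"),      # one per allowed server
        (lambda p: True, "nonew"),                # iptables -A INPUT -j nonew
        (lambda p: True, "ACCEPT"),               # "It passed the tests"
    ]
    return {"INPUT": inp, "nonew": nonew}


def walk(chains, name, pkt):
    """Evaluate one chain first-match-wins; a RETURN from a user chain
    resumes the caller at the next rule, like iptables does."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in chains:                      # jump to a user chain
            verdict = walk(chains, target, pkt)
            if verdict != "RETURN":
                return verdict
            continue
        return target
    # End of chain: user chains return, INPUT falls to its DROP policy
    return "RETURN" if name != "INPUT" else "DROP"


def input_verdict(ct, pkt, allow_ping=False):
    verdict = walk(build_chains(ct, allow_ping), "INPUT", pkt)
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


FW, REMOTE = "198.51.100.1", "203.0.113.7"    # constructed addresses


def inbound_ping(allow_ping):
    """Someone on the Internet pings the firewall."""
    req = Packet("eth0", "icmp", REMOTE, FW, "echo-request", icmp_id=7)
    return input_verdict(Conntrack(), req, allow_ping)


def reply_to_our_ping():
    """The box pings out first (the quoted OUTPUT chain accepts non-localnet
    traffic on eth0, and conntrack records the request); then the reply arrives."""
    ct = Conntrack()
    ct.confirm(Packet("eth0", "icmp", FW, REMOTE, "echo-request", icmp_id=9))
    rep = Packet("eth0", "icmp", REMOTE, FW, "echo-reply", icmp_id=9)
    return input_verdict(ct, rep)


def inbound_tcp(dport):
    """A new TCP connection from the Internet to the given port."""
    return input_verdict(Conntrack(), Packet("eth0", "tcp", REMOTE, FW, dport=dport))


if __name__ == "__main__":
    print("inbound ping, quoted script :", inbound_ping(False))   # DROP
    print("inbound ping, with fix rule :", inbound_ping(True))    # ACCEPT
    print("reply to our own ping       :", reply_to_our_ping())   # ACCEPT
    print("SYN to closed port 25       :", inbound_tcp(25))       # REJECT
    print("SYN to open port 22         :", inbound_tcp(22))       # ACCEPT
```

The ordering is the whole point: the echo-request ACCEPT has to sit ahead of `-j nonew`, because once the packet enters nonew as NEW the only ICMP rule it can hit is the DROP. Moving the same rule after the jump changes nothing, since nonew never returns for NEW traffic.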