
Simple iptables questions



Hi List,

This is a bit of a monster, I'll appreciate it if anyone has the
patience to read it and give me a hand...

I've recently been given the task of installing a new firewall for a
small office.  I haven't got much iptables experience, but I'm picking
it up.  I have got a copy of the current iptables script used at the
site and I understand most of it but there are a couple of rules that
I'm not sure about and was wondering if anyone could clarify.

My basic setup is to set the default policies for all chains to DROP and
then open up specific ports as I need them for incoming connections
(routing through NAT to internal servers) and outgoing (accepting NEW 
connections from internal hosts for specific services only) and then
allowing all ESTABLISHED,RELATED connections from either side.

These are the rules in the current setup that I'm confused about:

1) # this allows our gateway to act as a name server...

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

As I understand it, this one allows the gateway machine to create any
kind of new connection on to anywhere, and accept responses.  If this
rule is only intended to allow DNS queries, would I be safe to restrict
it to the well known DNS port, 53?  For example with --dport 53?  Or is
that being unnecessarily restrictive?

2) # this allows pings through from both sides...

iptables -A INPUT -p ICMP -j ACCEPT
iptables -A OUTPUT -p ICMP -j ACCEPT

How does this work?  Shouldn't this rule be in the FORWARD chain?  I
want my internal hosts to be able to ping hosts on the internet.  I
don't get this one at all.

3) # this allows us to act as a dhcp server for the LAN...

iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT

And this one allows all traffic to and from this host on the LAN side,
again, can I restrict this just to DHCP ports (547 for DHCPv6 server) or
again is that being overly cautious?

Just as a note, I'm not that concerned about attacks from the inside; I'm
just wondering whether or not it is necessary to have all ports open
for things like DHCP and DNS or whether I can safely close off most of
them.

Thanks to anybody who has read this far and wants to reply.

Regards,

Lucas
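Added example, not the site's script and not part of the post above: the three rule sets narrowed to what each of their comments says they are for (DNS on 53, echo requests only, DHCPv4 on 67/68), with the ESTABLISHED,RELATED rule carrying the replies. OUTSIDE_DEVICE, the default interface names and the dry-run IPT variable are assumptions made here.

```shell
# Added example (not from the original post or the site's script): the three
# rule sets tightened to what each comment says they are for.  Runs as a dry
# run by default (prints the commands); set IPT=iptables to apply them.
# Assumptions: INSIDE_DEVICE from the post, OUTSIDE_DEVICE (made up here),
# and a kernel with connection tracking for the state match.
IPT=${IPT:-"echo iptables"}
INSIDE_DEVICE=${INSIDE_DEVICE:-eth1}
OUTSIDE_DEVICE=${OUTSIDE_DEVICE:-eth0}

# Replies to anything already allowed, both for the gateway itself (INPUT/
# OUTPUT) and for LAN hosts behind NAT (FORWARD).  This is what lets the
# answers come back once the NEW traffic is limited below.
state_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# 1) gateway as a name server: LAN clients query it on 53 and it recurses
#    upstream on 53.  Replacing "NEW to anywhere" in OUTPUT with --dport 53
#    is the restriction the post asks about; anything else the gateway
#    itself starts (package updates, NTP) then needs its own rule.
dns_rules() {
    for proto in udp tcp; do
        $IPT -A INPUT  -i "$INSIDE_DEVICE"  -p "$proto" --dport 53 -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -o "$OUTSIDE_DEVICE" -p "$proto" --dport 53 -m state --state NEW -j ACCEPT
    done
}

# 2) INPUT/OUTPUT only cover pings to and from the gateway itself.  LAN
#    hosts pinging the internet are routed, so that is a FORWARD rule.
#    Echo replies and ICMP errors count as ESTABLISHED/RELATED, so only
#    the requests need listing.
icmp_rules() {
    $IPT -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT  -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A FORWARD -i "$INSIDE_DEVICE" -o "$OUTSIDE_DEVICE" -p icmp --icmp-type echo-request -j ACCEPT
}

# 3) DHCPv4 is UDP 67 (server) / 68 (client); 547/546 is the DHCPv6 pair.
#    Note: ISC dhcpd sends and receives through a raw packet socket, which
#    netfilter does not filter, so these rules mainly matter for other
#    daemons on the gateway and for documenting intent.
dhcp_rules() {
    $IPT -A INPUT  -i "$INSIDE_DEVICE" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A OUTPUT -o "$INSIDE_DEVICE" -p udp --sport 67 --dport 68 -j ACCEPT
}

all_rules() { state_rules; dns_rules; icmp_rules; dhcp_rules; }
```

Run `all_rules` after sourcing the script to see the twelve rules it would load; the default policies (DROP) and the FORWARD rules for the LAN's own outbound services are left as the post describes them.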


