Re: Simple iptables questions

On Wed, 28 Aug 2002, Lucas Barbuto wrote:

> Hi List,
> This is a bit of a monster, I'll appreciate it if anyone has the
> patience to read it and give me a hand...
> I've recently been given the task of installing a new firewall for a
> small office.  I haven't got much iptables experience, but I'm picking
> it up.  I have got a copy of the current iptables script used at the
> site and I understand most of it but there are a couple of rules that
> I'm not sure about and was wondering if anyone could clarify.
> My basic setup is to set the default policies for all chains to DROP and
> then open up specific ports as I need them for incoming connections
> (routing through NAT to internal servers) and outgoing (accepting NEW 
> connections from internal hosts for specific services only) and then
> allowing all ESTABLISHED,RELATED connections from either side.
> These are the rules in the current setup that I'm confused about:
> 1) # this allows our gateway to act as a name server...
What ?!?  This has nothing to do with DNS.  This is the implementation of 
"My basic setup" above, only for the local machine.

> As I understand it, this one allows the gateway machine to create any
> kind of new connection on to anywhere, and accept responses.  If this
> rule is only intended to allow DNS queries, would I be safe to restrict
> it to the well known DNS port, 53?  For example with --dport 53?  Or is
> that being unnecessarily restrictive?

iptables -A INPUT -p TCP --dport 53 -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -j ACCEPT

> 2) # this allows pings through from both sides...
> iptables -A INPUT -p ICMP -j ACCEPT
> iptables -A OUTPUT -p ICMP -j ACCEPT
> How does this work?  Shouldn't this rule be in the FORWARD chain?  I
> want my internal hosts to be able to ping hosts on the internet.  I
> don't get this one at all.

It seems as though your iptables script was converted from ipchains by 
someone who didn't know quite what they were doing.  I did the same thing 
my first try ;)  Yes, you do want this on FORWARD.

> 3) # this allows us to act as a dhcp server for the LAN...
> iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
> iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT
> And this one allows all traffic to and from this host on the LAN side,
> again, can I restrict this just to DHCP ports (547 for DHCPv6 server) or
> again is that being overly cautious?
You can.  But if other things start breaking, it may have slipped by when 
it was open like this.  You definitely should have more fine-grained 

> Just as a note, I'm not that concerned about attacks from the inside I'm
> just wondering whether or not it is necessary to have all ports open
> for things like DHCP and DNS or whether I can safely close off most of
> them
> Thanks to anybody who has read this far and wants to reply.
> Regards,
> Lucas
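The "basic setup" described in the question, with the reply's three corrections applied (DNS on the gateway narrowed to port 53, ICMP moved to FORWARD, the LAN-side rule narrowed to the DHCP ports), as an added example script that is not from the thread or either poster. Interface names, the LAN subnet, the outbound services (80/443) and the DRY_RUN switch are assumptions; UDP 67/68 are the IPv4 DHCP ports (the 547 mentioned above is DHCPv6). With DRY_RUN=1 (the default) it prints the rules instead of loading them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the list thread. Default-DROP gateway with
# ESTABLISHED,RELATED allowed in every chain and only specific NEW flows opened.
# Assumed values: interfaces, LAN subnet, outbound services.
INSIDE_DEVICE="${INSIDE_DEVICE:-eth1}"
OUTSIDE_DEVICE="${OUTSIDE_DEVICE:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands, 0 = load them (root)

# ipt: print or execute a single iptables command
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # loopback is needed by local services
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # replies to anything the gateway or the LAN already started
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # (1) gateway as name server: only port 53 (TCP and UDP), only from the LAN,
    #     plus the resolver's own upstream queries going out
    for proto in tcp udp; do
        ipt -A INPUT -i "$INSIDE_DEVICE" -p "$proto" --dport 53 -j ACCEPT
        ipt -A OUTPUT -o "$OUTSIDE_DEVICE" -p "$proto" --dport 53 \
            -m state --state NEW -j ACCEPT
    done

    # (2) pings from internal hosts to the internet traverse FORWARD, not INPUT/OUTPUT;
    #     echo-request to the gateway itself from the LAN stays in INPUT
    ipt -A FORWARD -i "$INSIDE_DEVICE" -o "$OUTSIDE_DEVICE" \
        -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$INSIDE_DEVICE" -p icmp --icmp-type echo-request -j ACCEPT

    # (3) DHCP server for the LAN: IPv4 DHCP is UDP 68 (client) -> 67 (server)
    ipt -A INPUT -i "$INSIDE_DEVICE" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A OUTPUT -o "$INSIDE_DEVICE" -p udp --sport 67 --dport 68 -j ACCEPT

    # outgoing NEW connections from the LAN for specific services only (assumed: web)
    for port in 80 443; do
        ipt -A FORWARD -i "$INSIDE_DEVICE" -o "$OUTSIDE_DEVICE" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -o "$OUTSIDE_DEVICE" -s "$LAN_NET" -j MASQUERADE
}

firewall_rules
```

Run it once with the default DRY_RUN=1 and read the output; only when the printed rule set matches the intended policy run it again with DRY_RUN=0 as root. Everything not explicitly opened (including the old blanket `-p ICMP` and `-i ${INSIDE_DEVICE}` accepts) falls through to the DROP policies.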

