
Re: Setting up masquerading (not sure where the problem is happening)



Forgive my entering this thread late, but I just had a
couple comments on your firewall script, mostly on the
security (or lack thereof). 

Here's the snippet showing your default policies.
Either the notation before the policies is documenting
it incorrectly, or you somehow managed to put ACCEPT
in place of DROP!

>     # setup the default policies -- DROP everything
>     iptables -P OUTPUT  ACCEPT
>     iptables -P INPUT   ACCEPT
>     iptables -P FORWARD ACCEPT

Now, assuming the above commands are correct, you
should have catch-all rules for every chain to drop
everything that wasn't already accepted. This does not
appear to be the case. From the looks of the firewall,
it doesn't appear that a single packet will be dropped
(except for samba traffic), or even denied for that
matter.

Looks like the quickest fix is to change your default
policies. I'm not trying to ridicule you, I'm just
concerned for your system's security.

Gene


--- Dave Price <davep@kinaole.org> wrote:
<snip>
> Here is /root/iptables script that works fine for
> this box
> 
> #!/bin/bash
> ####
> # default table :
> 
>     # setup the default policies -- DROP everything
>     iptables -P OUTPUT  ACCEPT
>     iptables -P INPUT   ACCEPT
>     iptables -P FORWARD ACCEPT
> 
> 
>     # flush out all the old chains and delete user chains
>     iptables -F
>     iptables -X
> 
> 
>     ####
>     # INPUT chain -- what can come into the system
> 
>         # allow loopback
>         iptables -A INPUT -i lo -j ACCEPT
>         #iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
> 
>         # allow replies
>         iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
>         iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
> 
>         # take all input from the LAN (assumes addresses are correct)
>         iptables -A INPUT -i eth0 -j ACCEPT
> 
>         # allow ping
>         iptables -A INPUT -p icmp -j ACCEPT
> 
>     ####
>     # OUTPUT chain -- what is allowed to get out
> 
>         # allow loopback
>         iptables -A OUTPUT -o lo -j ACCEPT
>         # stop all samba stuff going out the DSL line, but tell the host (me)
>         iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
> 
>         iptables -A OUTPUT -o eth0 -j ACCEPT
>         iptables -A OUTPUT -o eth1 -j ACCEPT
> 
> 
> ####
> # nat table -- how we translate (masq) stuff
> 
>     # flush out all the old chains
>     iptables -t nat -F
> 
> 
>     ####
>     # POSTROUTING chain
> 
>         # allow loopback
>         iptables -A OUTPUT -o lo -j ACCEPT
> 
>         # masquerade stuff from the LAN to the WAN
>         iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> 
>         # enable forwarding in the kernel
>         echo "1" > /proc/sys/net/ipv4/ip_forward
<snip>

=====
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
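For reference, here is what the quoted script looks like once the default policies match its own "DROP everything" comment, with an ESTABLISHED,RELATED rule so replies still get in and explicit FORWARD rules so masquerading keeps working under a DROP policy. This is an added example written for this page; it is neither Dave's script nor anything Gene posted. It keeps the interface roles from the quoted script (eth0 = LAN, eth1 = DSL/WAN) and adds three things of its own: a logging catch-all at the end of each chain, a udp counterpart to the tcp samba REJECT, and an `IPT` variable that defaults to a dry run printing each command instead of loading it.

```shell
#!/bin/sh
# Added example (not the script quoted in the thread): the same firewall
# with the default policies the original comment describes.
# Interface roles follow the quoted script: eth0 = LAN, eth1 = DSL/WAN.
# IPT defaults to a dry run that prints every command; run with
# IPT=iptables as root to actually load the rules.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-eth0}"
WAN="${WAN:-eth1}"

build_firewall() {
    # start from empty chains in both the filter and nat tables
    $IPT -F
    $IPT -X
    $IPT -t nat -F

    # default policies: DROP anything that no rule below accepts
    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT  DROP

    ####
    # INPUT chain -- what can come into the system
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections opened from here, plus RELATED traffic such as ICMP errors
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # trust the LAN side, as the original did
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    # allow ping from anywhere
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # explicit catch-all: log (rate limited) and drop whatever is left
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A INPUT -j DROP

    ####
    # FORWARD chain -- with a DROP policy, masqueraded LAN traffic needs explicit rules
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
    $IPT -A FORWARD -j DROP

    ####
    # OUTPUT chain -- what the host itself may send
    $IPT -A OUTPUT -o lo -j ACCEPT
    # keep the original's samba block on the DSL line; the udp rule is an
    # addition here (NetBIOS name and datagram service run over udp 137/138)
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 137:139 -j REJECT
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 137:139 -j REJECT
    $IPT -A OUTPUT -o "$LAN" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -j ACCEPT
    $IPT -A OUTPUT -j DROP

    ####
    # nat table -- masquerade LAN traffic leaving on the WAN side
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# How many chains end in an explicit DROP catch-all (a quick review check).
count_catch_all() {
    build_firewall | grep -c -- '-A [A-Z]* -j DROP$'
}

enable_forwarding() {
    # only touch the kernel when really loading rules, not in the dry run
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

build_firewall
enable_forwarding
```

Running it as-is prints the rule set for review; the single line worth double-checking before loading it for real is the `-i "$LAN" -j ACCEPT` rule in INPUT, which, as in the original, trusts every host on eth0.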

