Re: iptables for 1 interface pc and other questions

To: debian-firewall <debian-firewall@lists.debian.org>
Subject: Re: iptables for 1 interface pc and other questions
From: Jason McCarty <bclg@iup.edu>
Date: Sun, 19 Jan 2003 22:53:17 -0500
Message-id: <[🔎] 20030120035317.GA2390@iup.edu>
Mail-followup-to: debian-firewall <debian-firewall@lists.debian.org>
In-reply-to: <[🔎] 1043012899.3305.5.camel@lancelot.camelot>
References: <[🔎] 20030117124301.9AA811F8E4@murphy.debian.org> <[🔎] 20030117180438.GA10177@iup.edu> <[🔎] 1042857214.2861.33.camel@lancelot.camelot> <[🔎] 20030118181358.GA844@iup.edu> <[🔎] 1043012899.3305.5.camel@lancelot.camelot>

Benedict Verheyen wrote:
> Hello,
> 
> below is the new 1 nic firewall setup with a lot of recommendations
> and ideas from Jason McCarty.
> I changed the INPUT and OUTPUT rules mainly but didn't touch the 
> FORWARD rule. I think all the line's there are useless in a 1 nic
> setup.

Glad I could help :) It looks pretty good, just a couple things I want
to mention.

> # this ip is used by my isp for something (don't know what) and is send every 2 minutes so i do 
> # not even want to log this! Annoying isp. It goes to address 224.0.0.1
> $IPT -A checkspoof -s 10.95.11.80 -j DROP

These are (IGMP I think) multicast queries asking if your computer wants
to listen to a multicast channel. I ignore them too. I think the
multicast network is 224.0.0.0/4 .

> inet_out ####
> ###############################################################################
> ### allow outside: ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim?,
> ###                irc, www, imap, pop3, ftp (+ftpdata), ssh
> 
> ### all tcp ports ###
> #$IPT -A inet_out -o eth0 -p tcp --sport 67 --dport 68 -j ACCEPT # DHCP to isp
> $IPT -A inet_out -o eth0 -p tcp --dport 80 -j ACCEPT             # www
> $IPT -A inet_out -o eth0 -p tcp --dport 22 -j ACCEPT             # ssh
> $IPT -A inet_out -o eth0 -p tcp --dport 21 -j ACCEPT             # ftp
> $IPT -A inet_out -o eth0 -p tcp --dport 110 -j ACCEPT            # pop3
> $IPT -A inet_out -o eth0 -p tcp --dport 143 -j ACCEPT            # imap
> $IPT -A inet_out -o eth0 -p tcp --dport 6667 -j ACCEPT           # irc
> $IPT -A inet_out -o eth0 -p tcp --dport 25 -j ACCEPT             # smtp
> $IPT -A inet_out -o eth0 -p tcp --dport 119 -j ACCEPT            # news
> $IPT -A inet_out -o eth0 -p tcp --dport 8080 -j ACCEPT           # proxy isp
> $IPT -A inet_out -o eth0 -p tcp --dport 53 -j ACCEPT             # dns
> 
> ### all udp ports ###
> $IPT -A inet_out -o eth0 -p udp --sport 67 --dport 68 -j ACCEPT  # DHCP to isp
> $IPT -A inet_out -o eth0 -p udp --dport 53 -j ACCEPT             # dns
> 
> ### all icmp ###
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 3 -j ACCEPT
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 8 -j ACCEPT
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 0 -j ACCEPT
> $IPT -A inet_out -o eth0 -p icmp --icmp-type 11 -j ACCEPT

You can take off the -o eth0 parts here, since inet_out only gets called
by INPUT for -o eth0 anyway.


Jason

Reply to:

Follow-Ups:
- Re: iptables for 1 interface pc and other questions
  - From: Benedict Verheyen <benedict.verheyen@pandora.be>

References:
- iptables for 1 interface pc and other questions
  - From: "benedict.verheyen@pandora.be" <linux4bene@pandora.be>
- Re: iptables for 1 interface pc and other questions
  - From: Jason McCarty <bclg@iup.edu>
- Re: iptables for 1 interface pc and other questions
  - From: Benedict Verheyen <benedict.verheyen@pandora.be>
- Re: iptables for 1 interface pc and other questions
  - From: Jason McCarty <bclg@iup.edu>
- Re: iptables for 1 interface pc and other questions
  - From: Benedict Verheyen <benedict.verheyen@pandora.be>

Prev by Date: Re: iptables / bridge mode
Next by Date: Re: iptables / bridge mode
Previous by thread: Re: iptables for 1 interface pc and other questions
Next by thread: Re: iptables for 1 interface pc and other questions
Index(es):
- Date
- Thread