
Re: my iptables script



 I'd also set the default policy to DROP and log whatever is dropped in the end:

#!/bin/sh
iptables -F
iptables -X

for tabla in nat mangle ; do
  iptables -F -t $tabla
  iptables -X -t $tabla
done

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (all your rules go here)

iptables -A INPUT -j LOG -m limit --limit 10/minute
iptables -A OUTPUT -j LOG -m limit --limit 10/minute
iptables -A FORWARD -j LOG -m limit --limit 10/minute


 Set the --limit to whatever is acceptable for your setup.


 Also, if I had the chance and time, I'd be more picky about accepting every new
connection in the OUTPUT chain, call me paranoid but I prefer to allow only
what's needed and nothing more; although it may be less flexible and requires
more maintenance.



 José


Message quoted from Tarragon Allen <tarragon@onthe.net.au>:

> On Monday 01 September 2003 09:07, Jule Slootbeek wrote:
> > Hello all,
> > As some of you might remember, I came here for help with my gateway at
> > the beginning of summer, and all of you helped me out very much, I'm
> > very grateful. Now I finally came closer to finishing up the firewall
> > script, and I was wondering if what I have done is a safe way to set up
> > a firewall. I'll post my script below, and any feedback would be very
> > much appreciated. This script runs out of /etc/init.d and I put a
> > symlink in /etc/rcS.d named S42firewall. I'm not sure if this is the
> > best way to start and stop the script, but it's the best that I know.
> >
> > Thanks in Advance,
> >
> > Jule
> >
> > ps. i did block off my ip.
> 
> Well, there are a few problems I see with the script, I'll detail them
> below.
> 
> > //script
> >
> > #!/bin/sh
> >
> > case "$1" in
> >   start)
> >     echo "Setting firewall rules..."
> >     #ipforwarding and masquerading
> >     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> >     iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> 
> Why the duplications? This could (should) be put on one line, like so:
> 
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> 
> >     iptables -A INPUT -m state --stat ESTABLISHED,RELATED -j ACCEPT
> 
> ('stat' a typo for 'state'?)
> 
> This is all well and good, but you have no corresponding "--state NEW" rule
> that would use this, except for the MASQUERADE rule, which will hit the
> FORWARD chain, not the INPUT chain. I'd add these rules:
> 
> iptables -A OUTPUT -m state --state NEW -j ACCEPT
> 
> - This says : allow this machine (the firewall) to initiate connections.
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
> 
> - This says : allow connections I know about through the firewall, keep track
> of connections from my internal network. You may need to add specific allows
> for your port-forwards below, something like this :
> 
> iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 2401 -j ACCEPT
> - etc ...
> 
> Now, lastly, and most importantly, you aren't actually blocking anything 
> specifically. I'd add rules similar to this :
> 
> iptables -A INPUT -s ! 192.168.0.0/24 -j DROP
> 
> - This says don't let anything except my internal network talk directly to 
> me.. previously established connections are caught by the 'state' rule above.
> 
> You could also use '-i ! ppp0' (or whatever your external interface is) 
> rather than '-s ! 192.168.0.0/24'.
> 
> iptables -A FORWARD -j DROP
> 
> - This says block everything I haven't already dealt with with the stateful
> rules.
> 
> >     iptables -A INPUT -i lo -j ACCEPT
> >     #redirecting ports
> >     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 2401 -j DNAT --to-destination 192.168.0.2:2401
> >     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> >     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:80
> 
> I expect the line above is a typo, should be 192.168.0.2:22 ?
> 
> >   ;;
> >   stop)
> >     echo "Stopping firewall..."
> >     #ipforwarding and masquerading
> 
> This is a much easier way to clear the firewall :
> 
> iptables -F
> iptables -X
> iptables -F -t nat
> iptables -X -t nat
> iptables -F -t mangle
> iptables -X -t mangle
> 
> t
> -- 
> GPG: http://n12turbo.com/tarragon/public.key
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
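As an added example (not code from either poster), the two pieces of advice in this thread combined into one ruleset: José's default-DROP policies with a rate-limited LOG rule as the last entry of each chain, and Tarragon's single MASQUERADE rule, stateful ESTABLISHED,RELATED/NEW rules and per-port-forward FORWARD allows. It is written in iptables-restore format so the whole set is reviewable as text and loads atomically instead of rule by rule. The interface name, the 198.51.100.7 public address standing in for the poster's 140.232.x.x, the 192.168.0.2 target host and the port list are all assumptions; the build_rules and last_rule functions are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: José's "default DROP, log what
# falls through" skeleton and Tarragon's stateful/NAT rules combined into one
# ruleset in iptables-restore format. Interface, addresses and ports below
# are assumptions standing in for the poster's setup (the 140.232.x.x address
# is replaced by a documentation-range placeholder).
set -e

EXT_IF="${EXT_IF:-eth0}"                  # assumed external interface
LAN="${LAN:-192.168.0.0/24}"              # internal network, as in the thread
PUBLIC_IP="${PUBLIC_IP:-198.51.100.7}"    # placeholder for the gateway's public IP
DMZ_HOST="${DMZ_HOST:-192.168.0.2}"       # internal host the ports are forwarded to
PORTS="${PORTS:-22 80 2401}"              # TCP ports forwarded to DMZ_HOST
LOG_LIMIT="${LOG_LIMIT:-10/minute}"       # José's rate limit on the catch-all LOG rules

# Print the complete ruleset. Nothing is applied here, so it can be reviewed
# (or diffed against `iptables-save` output) before it touches the kernel.
build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # One DNAT per forwarded port, only for traffic arriving on the external side.
    for p in $PORTS; do
        echo "-A PREROUTING -i $EXT_IF -d $PUBLIC_IP -p tcp --dport $p -j DNAT --to-destination $DMZ_HOST:$p"
    done
    # Tarragon's point: a single MASQUERADE rule scoped to both the interface and the LAN.
    echo "-A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE"
    echo "COMMIT"
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD ! -i $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
EOF
    # The FORWARD allow for a port-forward matches the post-DNAT destination:
    # nat PREROUTING has already rewritten the address by the time FORWARD sees it.
    for p in $PORTS; do
        echo "-A FORWARD -i $EXT_IF -d $DMZ_HOST -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Last rule in each chain: log (rate-limited) what the DROP policy is about to discard.
    for chain in INPUT OUTPUT FORWARD; do
        echo "-A $chain -m limit --limit $LOG_LIMIT -j LOG --log-prefix \"fw-$chain-drop: \""
    done
    echo "COMMIT"
}

# last_rule CHAIN: the final rule of a filter chain (should be the LOG rule).
last_rule() {
    build_rules | grep -- "^-A $1 " | tail -n 1
}

case "${1:-print}" in
    apply) build_rules | iptables-restore ;;   # atomic replace of the nat and filter tables
    *)     build_rules ;;
esac
```

Run it with no argument to print the ruleset, or with `apply` to load it. Because iptables-restore replaces the listed tables in one transaction, there is no window in which the DROP policies are in place but the allow rules are not, which the rule-by-rule `iptables -A` approach in the original scripts does have. The `! -i $EXT_IF` qualifier on the LAN rules implements Tarragon's interface-based alternative together with the source match, so a packet arriving on the external interface with a forged 192.168.0.0/24 source is not accepted as "internal". To follow José's stricter view of the OUTPUT chain, replace the single `--state NEW -j ACCEPT` OUTPUT rule with per-port rules for the services the gateway itself needs; anything else then shows up in the log with the `fw-OUTPUT-drop:` prefix.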
