[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: looking for suggestions

On Mon, May 10, 2004 at 08:25:10PM -0700, Kevin D. White wrote:
> >From what I have read, you would only have to make a
> couples of INPUT rules:
> 1. deny NEW connections 
> 2. ACCEPT either ESTABLISHED or RELATED depending on
> the kinds of out going connections your techs might
> want to make (e.g. Active FTP for RELATED)

The INPUT chain is strictly for connections terminating on the
firewall itself, so you typically want to allow remote management
traffic like SSH, but in this case, we want to also allow inbound DNS
queries, since this is a caching forwarder.

This snippet allows SSH connections to the firewall from authorized
hosts, and inbound DNS.


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for ip in $SSH_IN; do
      iptables -A INPUT -p tcp --dport 22 -s $ip -m state --state NEW -j ACCEPT

# Allow inbound DNS queries to the firewall itself
# We have to allow TCP 53 for potentially oversized queries.
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Drop and log the rest
iptables -A INPUT -j LOG --log-prefix "INPUT DROP:"
iptables -A INPUT -j DROP

> Your OUTPUT rules would be pretty simple as well:
> 1. ALLOW only outgoing connections to your proxy
> server, if you have one that is... or only to an
> external network address.

This is actually the job of the FORWARD chain. The OUTPUT chain is for
connections that originate from the firewall itself. Most people just
allow all outbound connections. This is enough to do that statefully:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT

The line below handles the NAT for forwarded packets. $EXTIF is the
firewall's external interface. $LAN is the internal LAN network
address, and $STATIC_IP is the static source address you want to NAT
outgoing packets to. The MASQERADE target is used where the firewall's
external interface has a dynamically assigned IP (DSL, dialup, etc.):

iptables -t nat -A POSTROUTING -o $EXTIF -s $LAN -j SNAT --to-source $STATIC_IP


Reply to: