
Re: looking for suggestions



On Mon, May 10, 2004 at 08:25:10PM -0700, Kevin D. White wrote:
> From what I have read, you would only have to make a
> couples of INPUT rules:
> 1. deny NEW connections 
> 2. ACCEPT either ESTABLISHED or RELATED depending on
> the kinds of out going connections your techs might
> want to make (e.g. Active FTP for RELATED)

The INPUT chain is strictly for connections terminating on the
firewall itself, so you typically want to allow remote management
traffic like SSH, but in this case, we want to also allow inbound DNS
queries, since this is a caching forwarder.

This snippet allows SSH connections to the firewall from authorized
hosts, and inbound DNS.

# Hosts allowed to open SSH sessions to the firewall itself
SSH_IN="192.168.10.1 10.10.10.1"

# Let in packets belonging to connections the firewall already knows about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New SSH connections are accepted only from the authorized hosts
for ip in $SSH_IN; do
      iptables -A INPUT -p tcp --dport 22 -s $ip -m state --state NEW -j ACCEPT
done

# Allow inbound DNS queries to the firewall itself
# We have to allow TCP 53 for potentially oversized queries.
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Drop and log the rest
iptables -A INPUT -j LOG --log-prefix "INPUT DROP:"
iptables -A INPUT -j DROP


> Your OUTPUT rules would be pretty simple as well:
> 1. ALLOW only outgoing connections to your proxy
> server, if you have one that is... or only to an
> external network address.
> 

This is actually the job of the FORWARD chain. The OUTPUT chain is for
connections that originate from the firewall itself. Most people just
allow all outbound connections. This is enough to do that statefully:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT

The line below handles the NAT for forwarded packets. $EXTIF is the
firewall's external interface. $LAN is the internal LAN network
address, and $STATIC_IP is the static source address you want to NAT
outgoing packets to. The MASQUERADE target is used where the firewall's
external interface has a dynamically assigned IP (DSL, dialup, etc.):

iptables -t nat -A POSTROUTING -o $EXTIF -s $LAN -j SNAT --to-source $STATIC_IP

Doug
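Added example, not from the original thread: the pieces above (INPUT for the firewall itself, the FORWARD chain for LAN traffic that the reply mentions but does not show, and the POSTROUTING SNAT) combined into one ruleset in iptables-restore format, so it can be reviewed as text before loading. Interface names and addresses are assumed placeholders; unlike the snippet above, it accepts DNS only from the LAN interface and rate-limits the log rules.

```shell
#!/bin/sh
# Emit a complete stateful ruleset for a firewall that also runs a
# caching DNS forwarder, in iptables-restore format. Review it, then
# load with:  gen_ruleset | iptables-restore
# All interface names and addresses below are assumed placeholders.
EXTIF="eth0"                      # external interface (assumed)
LANIF="eth1"                      # internal interface (assumed)
LAN="192.168.10.0/24"             # internal network (assumed)
STATIC_IP="203.0.113.10"          # static public address (assumed)
SSH_IN="192.168.10.1 10.10.10.1"  # hosts allowed to SSH to the firewall

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic terminating on the firewall itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    for ip in $SSH_IN; do
        echo "-A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Caching forwarder: accept DNS from the LAN only, never from the outside
-A INPUT -i $LANIF -p udp -s $LAN --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $LANIF -p tcp -s $LAN --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
# FORWARD: LAN hosts may start connections outward; the outside may not
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LANIF -o $EXTIF -s $LAN -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
COMMIT
*nat
-A POSTROUTING -o $EXTIF -s $LAN -j SNAT --to-source $STATIC_IP
COMMIT
EOF
}
```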


