Re: How to work with my iptables script
On 2004-08-25 Jacob Friis Larsen wrote:
> #!/bin/sh
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
>
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
Set the default policies *before* flushing the tables.
> #localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
> iptables -A INPUT -j ACCEPT -p tcp --dport 993
By these rules you allow everyone (internal and external networks) to
use services running on your router. Are these services really running
on the router?
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I would rather add a rule to accept ESTABLISHED,RELATED traffic in the
OUTPUT chain and set the default OUTPUT policy to DROP.
You should also allow ICMP (at least some types) and REJECT TCP traffic
(with RST) rather than just DROP it. IMHO.
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
It is absolutely pointless to enable forwarding if you drop every
packet in the FORWARD chain.
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
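As an added example (not Jacob's script and not code from Ansgar's reply), here is how the router's own filter table might look once the reply's points are applied: default policies that can never be in an unset state while the chains are flushed, ESTABLISHED,RELATED accepted in OUTPUT with a DROP policy there, a few ICMP types allowed, and TCP rejected with a reset instead of silently dropped. It is written in `iptables-restore` format rather than as a sequence of `iptables` calls, because `iptables-restore` replaces the whole table atomically, so the ordering problem the reply raises (flushing before the policies are set) cannot occur. The host `1.2.3.4` is carried over from the original script as a placeholder; the services listed are assumed, as in the original, to run on the router itself.

```shell
#!/bin/sh
# Added example ruleset for the router host itself; not the original poster's
# script. Apply with:  sh this_script.sh apply   (runs iptables-restore)
# Assumption: FTP_CLIENT is the only host that may reach ftp on the router.
FTP_CLIENT="${FTP_CLIENT:-1.2.3.4}"

# Print the filter table in iptables-restore format. Policies are part of the
# table header, so they are in force the moment the table is swapped in; there
# is no window with flushed chains and an ACCEPT policy.
router_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies in both directions: for connections the router accepted (INPUT NEW)
# the answers leave via OUTPUT as ESTABLISHED, so OUTPUT needs this too once
# its policy is DROP. With ip_conntrack_ftp loaded, FTP data connections are
# matched as RELATED here, so no separate rule for port 20 is needed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP: echo requests plus the error types needed for path-MTU discovery and
# unreachable reporting (a minimal "some types" selection, as the reply asks)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# services assumed to run on the router itself
-A INPUT -s $FTP_CLIENT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
# what the router itself may initiate (DNS and outbound mail as examples)
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Reject rather than drop: TCP clients get a RST instead of hanging until
# their connect() times out; UDP gets a port-unreachable.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Line number of the first chain policy (":INPUT ...") in the generated output.
first_policy_line() {
    router_filter_rules | grep -n '^:INPUT' | head -n 1 | cut -d: -f1
}

# Line number of the first "-A" rule; must be greater than first_policy_line.
first_rule_line() {
    router_filter_rules | grep -n '^-A' | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    # FORWARD's policy is DROP and there are no FORWARD rules, so forwarding
    # stays disabled, as the reply points out there is nothing to forward.
    echo 0 > /proc/sys/net/ipv4/ip_forward
    modprobe ip_conntrack_ftp
    router_filter_rules | iptables-restore
fi
```

Running the script without `apply` only prints the table, which is a convenient way to review it (or diff it against `iptables-save`) before loading. When forwarding for an internal network is wanted later, the FORWARD rules go into the same table and `ip_forward` is set to 1 only then.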