
Re: How to work with my iptables script



On 2004-08-25 Jacob Friis Larsen wrote:
> #!/bin/sh
> 
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> 
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

Set the default policies *before* flushing the tables.

> #localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
> iptables -A INPUT -j ACCEPT -p tcp --dport 993

By these rules you allow everyone (internal and external networks) to
use services running on your router. Are these services really running
on the router?

> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I would rather add a rule to accept ESTABLISHED,RELATED traffic in the
OUTPUT chain and set the default OUTPUT policy to DROP.

You should also allow ICMP (at least some types) and REJECT TCP traffic
(with RST) rather than just DROP it. IMHO.

> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

It is absolutely pointless to enable forwarding, if you drop every
packet in the FORWARD chain.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
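The quoted script reworked along the lines of this reply, added here as an illustration and not code posted by either participant. SRV_IF (the interface the router's own services should answer on) is an assumed placeholder; 1.2.3.4 is the host from the original script.

```shell
#!/bin/sh
# Constructed example: the quoted script reworked along the lines of the reply.
# SRV_IF is an assumed placeholder; 1.2.3.4 is the host from the original script.
SRV_IF="${SRV_IF:-eth1}"
FTP_CLIENT="${FTP_CLIENT:-1.2.3.4}"

# Forwarding stays off: with a DROP policy and no FORWARD rules it has no use.
# (As root: echo 0 > /proc/sys/net/ipv4/ip_forward)

# Emit one iptables command per line so the list can be reviewed before it is
# applied with "build_rules | sh" (as root, after "modprobe ip_conntrack_ftp").
build_rules() {
    # Policies first: the box stays closed while the chains are being rebuilt.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Now flush.
    echo "iptables -F"
    echo "iptables -t nat -F"
    # Loopback.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Stateful rules in both directions; with OUTPUT now DROP, new outbound
    # connections from the router itself must be allowed explicitly (narrow
    # this to the ports the router really needs).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW -j ACCEPT"
    # Some ICMP: echo requests plus the error types that path MTU discovery
    # and traceroute depend on.
    for t in echo-request destination-unreachable time-exceeded parameter-problem; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    # Services on the router, limited to one interface instead of everyone.
    # Port 20 is gone: ip_conntrack_ftp classifies FTP data connections as
    # RELATED, so the state rule above already covers them.
    echo "iptables -A INPUT -i $SRV_IF -p tcp -s $FTP_CLIENT --dport 21 -j ACCEPT"
    for p in 22 25 80 143 993; do
        echo "iptables -A INPUT -i $SRV_IF -p tcp --dport $p -j ACCEPT"
    done
    # Refuse other TCP with a RST instead of letting it time out in the DROP policy.
    echo "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset"
}

if [ "${1:-}" = "apply" ]; then
    build_rules | sh
else
    build_rules
fi
```

Run it without arguments to print the rule list; run it as `apply` (as root) to load it.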