
Re: How to work with my iptables script



> Set the default policies *before* flushing the tables.

OK.

>> # Open ports on router for server/services
>> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
>> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
>> iptables -A INPUT -j ACCEPT -p tcp --dport 22
>> iptables -A INPUT -j ACCEPT -p tcp --dport 25
>> iptables -A INPUT -j ACCEPT -p tcp --dport 80
>> iptables -A INPUT -j ACCEPT -p tcp --dport 143
>> iptables -A INPUT -j ACCEPT -p tcp --dport 993

> By these rules you allow everyone (internal and external networks) to
> use services running on your router. Are these services really running
> on the router?

Yes.

>> # STATE RELATED for router
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> I would rather add a rule to accept ESTABLISHED,RELATED traffic in the
> OUTPUT chain and set the default OUTPUT policy to DROP.

Like this?
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> You should also allow ICMP (at least some types) and REJECT TCP traffic
> (with RST) rather than just DROP it. IMHO.

Like this?
iptables -A icmp-in -p icmp --icmp-type 0 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 3 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 4 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 8 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 11 -j RETURN
iptables -A icmp-in -p icmp --icmp-type 12 -j RETURN

>> # Enable forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward

> It is absolutely pointless to enable forwarding, if you drop every
> packet in the FORWARD chain.

OK.


This is my new script:
# cat myiptables
#!/bin/sh

# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# load some modules (if needed)
#modprobe ip_nat_ftp
#modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 143
#iptables -A INPUT -j ACCEPT -p tcp --dport 443
iptables -A INPUT -j ACCEPT -p tcp --dport 993

# STATE RELATED for router
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward


Thanks,
Jacob
