
suggestions for iptables



Hello,

I'm looking for suggestions on my iptables rule set.

There are three interfaces in this server:
eth0 - <internet-address>
eth1 - <lan-address>
eth2 - <dmz-address>

### Create Chains
iptables -N IN_LO
iptables -N OUT_LO
iptables -N IN_ETH0
iptables -N OUT_ETH0
iptables -N IN_ETH1
iptables -N OUT_ETH1
iptables -N IN_ETH2
iptables -N OUT_ETH2
iptables -N BLOCKED_PACKETS
iptables -N ICMP_PACKETS

### POLICIES
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### INPUT
iptables -A INPUT -j BLOCKED_PACKETS
iptables -A INPUT -p icmp -j ICMP_PACKETS
iptables -A INPUT -i lo -j IN_LO
iptables -A INPUT -i eth0 -j IN_ETH0
iptables -A INPUT -i eth1 -j IN_ETH1
iptables -A INPUT -i eth2 -j IN_ETH2

### FORWARD
iptables -A FORWARD -j BLOCKED_PACKETS
iptables -A FORWARD -p icmp -j ICMP_PACKETS
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

### OUTPUT
iptables -A OUTPUT -j BLOCKED_PACKETS
iptables -A OUTPUT -p icmp -j ICMP_PACKETS
iptables -A OUTPUT -o lo -j OUT_LO
iptables -A OUTPUT -o eth0 -j OUT_ETH0
iptables -A OUTPUT -o eth1 -j OUT_ETH1
iptables -A OUTPUT -o eth2 -j OUT_ETH2

### BLOCKING_PACKETS
iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
 SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
 -j DROP
iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
# should this be all three interfaces?
iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
 --dport 135:139 -j DROP
iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
 --dport 67:68 -j DROP

### ICMP_PACKETS
# are all of these really needed?  Which ones should I not accept?
iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT

### IN_LO (localhost)
# are these really needed?  Why?
iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
iptables -A IN_LO -s <dmz-address> -i lo -j ACCEPT
iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT

### IN_ETH0 (Internet)
iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
 --state RELATED,ESTABLISHED -j ACCEPT

### IN_ETH1 (LAN)
iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
 --state RELATED,ESTABLISHED -j ACCEPT

### IN_ETH2 (DMZ)
iptables -A IN_ETH2 -d <dmz-address> -i eth2 -m state \
 --state RELATED,ESTABLISHED -j ACCEPT

### OUT_LO (Localhost)
# are these really needed?  Why?
iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
iptables -A OUT_LO -d <dmz-address> -o lo -j ACCEPT
iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT

### OUT_ETH0 (Internet)
iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
 --state RELATED,ESTABLISHED -j ACCEPT

### OUT_ETH1 (LAN)
iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
 --state RELATED,ESTABLISHED -j ACCEPT

### OUT_ETH2 (DMZ)
# match on the source address, as in OUT_ETH0/OUT_ETH1 (a packet leaving eth2
# cannot have the host's own eth2 address as its destination)
iptables -A OUT_ETH2 -s <dmz-address> -o eth2 -m state \
 --state RELATED,ESTABLISHED -j ACCEPT

Specific Services:
------------------
### DNS
iptables -t nat -A PREROUTING -d <dns-internet-IP> -p tcp \
 --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
iptables -t nat -A PREROUTING -d <dns-internet-IP> -p udp \
 --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
iptables -A FORWARD -d <dns-DMZ-IP> -p tcp --syn --dport 53 \
 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d <dns-DMZ-IP> -p udp --dport 53 -m state \
 --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p tcp --sport 53 \
 -j SNAT --to-source <dns-internet-IP>
iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p udp --sport 53 \
 -j SNAT --to-source <dns-internet-IP>

### FTP
iptables -t nat -A PREROUTING -d <ftp-internet-IP> -p tcp \
 --dport 21 -j DNAT --to-destination <ftp-DMZ-IP>
iptables -A FORWARD -d <ftp-DMZ-IP> -p tcp --syn --dport 21 \
 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s <ftp-DMZ-IP> -p tcp --sport 21 \
 -j SNAT --to-source <ftp-internet-IP>

# I have other services, but if these are right I should be fine

What about these two lines?
- iptables -A INPUT -i eth2 -d <dmz-address> -j ACCEPT
- iptables -A INPUT -i eth1 -d <lan-address> -j ACCEPT


Thanks,

Joseph
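As an added example, not part of Joseph's post or his ruleset: a shell function that emits an iptables-restore file for the same three-interface layout (eth0 internet, eth1 LAN, eth2 DMZ). It addresses the questions raised above from the defender's side: loopback is accepted as a whole instead of per address, only the ICMP types a host needs for path-MTU discovery and diagnostics are accepted unsolicited (source quench, type 4, is deprecated by RFC 6633), the published DMZ resolver needs only a DNAT and a FORWARD rule because conntrack un-translates the replies, and the LAN reaches the firewall only on one management port rather than through a blanket `-i eth1 -j ACCEPT`. It prints the ruleset rather than calling iptables, so it runs without root and can be reviewed first. The interface names come from the post; every address, the LAN subnet, the SSH-from-LAN rule and the assumption that LAN hosts reach the internet through SNAT are constructed for this example. It uses `-m conntrack --ctstate`, the current spelling of the post's `-m state --state`.

```shell
#!/bin/sh
# Added example for the eth0/eth1/eth2 layout in the post.  It prints an
# iptables-restore ruleset instead of running iptables, so the result can be
# reviewed or diffed before it is loaded.  All addresses are constructed
# placeholders from RFC 5737 (TEST-NET-2) and RFC 1918.

gen_ruleset() {
  INET_ADDR="${1:-198.51.100.10}"   # eth0 address (constructed)
  LAN_NET="${2:-192.168.1.0/24}"    # LAN subnet behind eth1 (constructed)
  DNS_PUB="${3:-198.51.100.53}"     # public address of the DMZ resolver (constructed)
  DNS_DMZ="${4:-192.168.2.53}"      # DMZ address of the resolver (constructed)
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ resolver on $DNS_PUB.  Conntrack un-translates the replies
# automatically, so a DNAT'd service needs no matching SNAT rule on --sport 53.
-A PREROUTING -i eth0 -d $DNS_PUB -p udp --dport 53 -j DNAT --to-destination $DNS_DMZ
-A PREROUTING -i eth0 -d $DNS_PUB -p tcp --dport 53 -j DNAT --to-destination $DNS_DMZ
# LAN hosts leave through the firewall's own internet address (assumption).
-A POSTROUTING -o eth0 -s $LAN_NET -j SNAT --to-source $INET_ADDR
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BLOCKED_PACKETS - [0:0]
:ICMP_IN - [0:0]
# Shared sanity checks: drop what conntrack cannot classify and "new" TCP
# connections that do not start with a bare SYN.
-A BLOCKED_PACKETS -m conntrack --ctstate INVALID -j DROP
-A BLOCKED_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Unsolicited ICMP: the errors needed for path-MTU discovery and traceroute,
# plus rate-limited echo requests.  Echo replies and errors belonging to our
# own flows are RELATED/ESTABLISHED and are accepted before this chain.
# Source quench (type 4) is deprecated by RFC 6633 and is not accepted.
-A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP_IN -p icmp --icmp-type parameter-problem -j ACCEPT
-A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A ICMP_IN -j DROP
# INPUT: loopback is trusted as a whole, so no per-address -s rules are needed.
-A INPUT -i lo -j ACCEPT
-A INPUT -j BLOCKED_PACKETS
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ICMP_IN
# Only the management service from the LAN, not "accept everything on eth1".
-A INPUT -i eth1 -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-input-drop: "
# FORWARD: replies first, then the published DMZ service and outbound LAN
# traffic.  Everything else falls through to the DROP policy.
-A FORWARD -j BLOCKED_PACKETS
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d $DNS_DMZ -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d $DNS_DMZ -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "fw-forward-drop: "
# OUTPUT: the firewall itself may open connections, so one chain suffices
# instead of an OUT_* chain per interface.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j BLOCKED_PACKETS
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage: print with `gen_ruleset`, or pass your own addresses as arguments:
#   gen_ruleset 203.0.113.1 10.0.0.0/8 203.0.113.53 10.0.0.53
# Parse-check without loading:  gen_ruleset | iptables-restore --test
```

The LOG rules sit last in INPUT and FORWARD so that anything reaching the DROP policy leaves a rate-limited kernel log line, which is what you want when checking whether a legitimate service is being blocked.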


