
Re: suggestions for iptables



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

What exactly is your problem? All I can see is a good firewall.

Michael.
On Tuesday, 14 December 2004 at 19:55, Joseph Rinckey wrote:
> Hello,
>
> I'm looking for suggestions on my iptables rule set.
>
> There are three interfaces in this server:
> eth0 - <internet-address>
> eth1 - <lan-address>
> eth2 - <dmz-address>
>
> ### Create Chains
> iptables -N IN_LO
> iptables -N OUT_LO
> iptables -N IN_ETH0
> iptables -N OUT_ETH0
> iptables -N IN_ETH1
> iptables -N OUT_ETH1
> iptables -N IN_ETH2
> iptables -N OUT_ETH2
> iptables -N BLOCKED_PACKETS
> iptables -N ICMP_PACKETS
>
> ### POLICIES
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> ### INPUT
> iptables -A INPUT -j BLOCKED_PACKETS
> iptables -A INPUT -p icmp -j ICMP_PACKETS
> iptables -A INPUT -i lo -j IN_LO
> iptables -A INPUT -i eth0 -j IN_ETH0
> iptables -A INPUT -i eth1 -j IN_ETH1
> iptables -A INPUT -i eth2 -j IN_ETH2
>
> ### FORWARD
> iptables -A FORWARD -j BLOCKED_PACKETS
> iptables -A FORWARD -p icmp -j ICMP_PACKETS
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ### OUTPUT
> iptables -A OUTPUT -j BLOCKED_PACKETS
> iptables -A OUTPUT -p icmp -j ICMP_PACKETS
> iptables -A OUTPUT -o lo -j OUT_LO
> iptables -A OUTPUT -o eth0 -j OUT_ETH0
> iptables -A OUTPUT -o eth1 -j OUT_ETH1
> iptables -A OUTPUT -o eth2 -j OUT_ETH2
>
> ### BLOCKING_PACKETS
> iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
>  SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
>  -j DROP
> iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
> # should this be all three interfaces?
> iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
>  --dport 135:139 -j DROP
> iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
>  --dport 67:68 -j DROP
>
> ### ICMP_PACKETS
> # are all of these really needed?  Which ones should I not accept?
> iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
>
> ### IN_LO (localhost)
> # are these really needed?  Why?
> iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
> iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
> iptables -A IN_LO -s <dmz-address> -i lo -j ACCEPT
> iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
>
> ### IN_ETH0 (Internet)
> iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
>  --state RELATED,ESTABLISHED -j ACCEPT
>
> ### IN_ETH1 (LAN)
> iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
>  --state RELATED,ESTABLISHED -j ACCEPT
>
> ### IN_ETH2 (DMZ)
> iptables -A IN_ETH2 -d <dmz-address> -i eth2 -m state \
>  --state RELATED,ESTABLISHED -j ACCEPT
>
> ### OUT_LO (Localhost)
> # are these really needed?  Why?
> iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
> iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
> iptables -A OUT_LO -d <dmz-address> -o lo -j ACCEPT
> iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
>
> ### OUT_ETH0 (Internet)
> iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
>  --state RELATED,ESTABLISHED -j ACCEPT
>
> ### OUT_ETH1 (LAN)
> iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
>  --state RELATED,ESTABLISHED -j ACCEPT
>
> ### OUT_ETH2 (DMZ)
> iptables -A OUT_ETH2 -s <dmz-address> -o eth2 -m state \
>  --state RELATED,ESTABLISHED -j ACCEPT
>
> Specific Services:
> ------------------
> ### DNS
> iptables -t nat -A PREROUTING -d <dns-internet-IP> -p tcp \
>  --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> iptables -t nat -A PREROUTING -d <dns-internet-IP> -p udp \
>  --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> iptables -A FORWARD -d <dns-DMZ-IP> -p tcp --syn --dport 53 \
>  -m state --state NEW -j ACCEPT
> iptables -A FORWARD -d <dns-DMZ-IP> -p udp --dport 53 -m state \
>  --state NEW -j ACCEPT
> iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p tcp --sport 53 \
>  -j SNAT --to-source <dns-internet-IP>
> iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p udp --sport 53 \
>  -j SNAT --to-source <dns-internet-IP>
>
> ### FTP
> iptables -t nat -A PREROUTING -d <ftp-internet-IP> -p tcp \
>  --dport 21 -j DNAT --to-destination <ftp-DMZ-IP>
> iptables -A FORWARD -d <ftp-DMZ-IP> -p tcp --syn --dport 21 \
>  -m state --state NEW -j ACCEPT
> iptables -t nat -A POSTROUTING -s <ftp-DMZ-IP> -p tcp --sport 21 \
>  -j SNAT --to-source <ftp-internet-IP>
>
> # I have other services, but if these are right I should be fine
>
> What about these two lines?
> - iptables -A INPUT -i eth2 -d <dmz-address> -j ACCEPT
> - iptables -A INPUT -i eth1 -d <lan-address> -j ACCEPT
>
>
> Thanks,
>
> Joseph

- -- 
You will soon forget this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwFKDC+AbA0CPxiwRAjNOAJ0ZCyvnWDQB6H/X6fwKiDJIZm7kXACaAlAK
9rJxcOodG95eJmxi38sU/Oc=
=b4/z
-----END PGP SIGNATURE-----
