
Re: suggestions for iptables



>
> Hi,
>
> what exactly is your problem? all i can see is good firewall.
>

That's why I sent this e-mail.  To see if there were any problems.  I 
didn't want to put this firewall on the Internet until I knew it was 
good.

So, if it's good...Thanks!

If there is something that you see that might be a problem, could you 
let me know?

Thanks,

Joseph


> > Hello,
> >
> > I'm looking for suggestions on my iptables rule set.
> >
> > There are three interfaces in this server:
> > eth0 - <internet-address>
> > eth1 - <lan-address>
> > eth2 - <dmz-address>
> >
> > ### Create Chains
> > iptables -N IN_LO
> > iptables -N OUT_LO
> > iptables -N IN_ETH0
> > iptables -N OUT_ETH0
> > iptables -N IN_ETH1
> > iptables -N OUT_ETH1
> > iptables -N IN_ETH2
> > iptables -N OUT_ETH2
> > iptables -N BLOCKED_PACKETS
> > iptables -N ICMP_PACKETS
> >
> > ### POLICIES
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > ### INPUT
> > iptables -A INPUT -j BLOCKED_PACKETS
> > iptables -A INPUT -p icmp -j ICMP_PACKETS
> > iptables -A INPUT -i lo -j IN_LO
> > iptables -A INPUT -i eth0 -j IN_ETH0
> > iptables -A INPUT -i eth1 -j IN_ETH1
> > iptables -A INPUT -i eth2 -j IN_ETH2
> >
> > ### FORWARD
> > iptables -A FORWARD -j BLOCKED_PACKETS
> > iptables -A FORWARD -p icmp -j ICMP_PACKETS
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUTPUT
> > iptables -A OUTPUT -j BLOCKED_PACKETS
> > iptables -A OUTPUT -p icmp -j ICMP_PACKETS
> > iptables -A OUTPUT -o lo -j OUT_LO
> > iptables -A OUTPUT -o eth0 -j OUT_ETH0
> > iptables -A OUTPUT -o eth1 -j OUT_ETH1
> > iptables -A OUTPUT -o eth2 -j OUT_ETH2
> >
> > ### BLOCKING_PACKETS
> > iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> > iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> >  SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> > iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> >  -j DROP
> > iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
> > # should this be all three interfaces?
> > iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
> >  --dport 135:139 -j DROP
> > iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
> >  --dport 67:68 -j DROP
> >
> > ### ICMP_PACKETS
> > # are all of these really needed?  Which ones should I not accept?
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
> > iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
> >
> > ### IN_LO (localhost)
> > # are these really needed?  Why?
> > iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
> > iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
> > iptables -A IN_LO -s <dmz-address> -i lo -j ACCEPT
> > iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
> >
> > ### IN_ETH0 (Internet)
> > iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
> >  --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### IN_ETH1 (LAN)
> > iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
> >  --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### IN_ETH2 (DMZ)
> > iptables -A IN_ETH2 -d <dmz-address> -i eth2 -m state \
> >  --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUT_LO (Localhost)
> > # are these really needed?  Why?
> > iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
> > iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
> > iptables -A OUT_LO -d <dmz-address> -o lo -j ACCEPT
> > iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
> >
> > ### OUT_ETH0 (Internet)
> > iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
> >  --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUT_ETH1 (LAN)
> > iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
> >  --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ### OUT_ETH2 (DMZ)
> > iptables -A OUT_ETH2 -d <dmz-address> -o eth2 -m state \
> >  --state RELATED,ESTABLISHED -j ACCEPT
> >
> > Specific Services:
> > ------------------
> > ### DNS
> > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p tcp \
> >  --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p udp \
> >  --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> > iptables -A FORWARD -d <dns-DMZ-IP> -p tcp --syn --dport 53 \
> >  -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -d <dns-DMZ-IP> -p udp --dport 53 -m state \
> >  --state NEW -j ACCEPT
> > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p tcp --sport 53 \
> >  -j SNAT --to-source <dns-internet-IP>
> > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p udp --sport 53 \
> >  -j SNAT --to-source <dns-internet-IP>
> >
> > ### FTP
> > iptables -t nat -A PREROUTING -d <ftp-internet-IP> -p tcp \
> >  --dport 21 -j DNAT --to-destination <ftp-DMZ-IP>
> > iptables -A FORWARD -d <ftp-DMZ-IP> -p tcp --syn --dport 21 \
> >  -m state --state NEW -j ACCEPT
> > iptables -t nat -A POSTROUTING -s <ftp-DMZ-IP> -p tcp --sport 21 \
> >  -j SNAT --to-source <ftp-internet-IP>
> >
> > # I have other services, but if these are right I should be fine
> >
> > What about these two lines?
> > - iptables -A INPUT -i eth2 -d <dmz-address> -j ACCEPT
> > - iptables -A INPUT -i eth1 -d <lan-address> -j ACCEPT
> >
> >
> > Thanks,
> >
> > Joseph
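
The rule set above is reviewed by eye in the thread. The Python script below is an added example, not code from the thread or from either poster: it lints an iptables shell script offline by parsing each command, flagging chains that are created but never jumped to and targets that are jumped to but never created, checking that INPUT, FORWARD and OUTPUT carry an explicit policy, and listing every path from those three chains that can ACCEPT a NEW connection. That last report is what the question about the two extra INPUT lines comes down to, since an ACCEPT without a state match admits new connections. The embedded rules are a constructed, trimmed copy of the posted set with the <...> placeholders replaced by documentation addresses, plus a constructed orphan chain (STALE_CHAIN) and a constructed missing target (FTP_CHECK) so that both structural checks fire; the parser handles only the options used in the post.

```python
import shlex
from collections import defaultdict

# Constructed sample: a trimmed copy of the posted rule set with the <...>
# placeholders replaced by RFC 5737 / RFC 1918 addresses. STALE_CHAIN and the
# FTP_CHECK jump are constructed so that the lint checks have something to report.
SAMPLE_RULES = """
iptables -N IN_ETH0
iptables -N OUT_ETH0
iptables -N BLOCKED_PACKETS
iptables -N ICMP_PACKETS
iptables -N STALE_CHAIN
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -j BLOCKED_PACKETS
iptables -A INPUT -p icmp -j ICMP_PACKETS
iptables -A INPUT -i eth0 -j IN_ETH0
iptables -A FORWARD -j BLOCKED_PACKETS
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.2.53 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j FTP_CHECK
iptables -A OUTPUT -j BLOCKED_PACKETS
iptables -A OUTPUT -o eth0 -j OUT_ETH0
iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW -j DROP
iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
iptables -A IN_ETH0 -d 192.0.2.1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUT_ETH0 -s 192.0.2.1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# one of the two extra lines the post asks about: no state match, so NEW is accepted
iptables -A INPUT -i eth1 -d 192.168.1.1 -j ACCEPT
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "DNAT", "SNAT", "MASQUERADE"}
VALUE_OPTS = {"-t", "-N", "-A", "-j", "-p", "-i", "-o", "-s", "-d", "-m", "--state", "--dport",
              "--sport", "--icmp-type", "--reject-with", "--to-destination", "--to-source"}

def parse_rule(line):
    """Map one iptables command to {option: value}; '!'-negated options are recorded in 'negated'."""
    argv, rule, i, negate = shlex.split(line), {"table": "filter", "negated": set()}, 1, False
    while i < len(argv):
        tok = argv[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok == "-P":                      # -P CHAIN POLICY takes two values
            rule["-P"], rule["policy"], i = argv[i + 1], argv[i + 2], i + 3
        elif tok == "--tcp-flags":           # mask and comparison values
            rule[tok], i = (argv[i + 1], argv[i + 2]), i + 3
        elif tok in VALUE_OPTS:
            rule["table" if tok == "-t" else tok], i = argv[i + 1], i + 2
        else:                                # bare flag such as --syn
            rule[tok], i = True, i + 1
        if negate:
            rule["negated"].add(tok)
            negate = False
    return rule

def parse_script(script):
    lines = (l.split("#", 1)[0].strip() for l in script.splitlines())
    return [parse_rule(l) for l in lines if l.startswith("iptables")]

def lint(script):
    """Structural findings: orphan chains, missing targets, built-in chains without a policy."""
    rules = parse_script(script)
    created = {r["-N"] for r in rules if "-N" in r}
    jumped = {r["-j"] for r in rules if "-j" in r}
    policies = {r["-P"] for r in rules if "-P" in r}
    findings = [f"chain {c} is created but never jumped to" for c in sorted(created - jumped)]
    findings += [f"target {t} is used but never created" for t in sorted(jumped - created - TERMINAL - BUILTIN)]
    findings += [f"no policy set for {c}; the kernel default is ACCEPT" for c in ("INPUT", "FORWARD", "OUTPUT") if c not in policies]
    return findings

def accepts_new(rule):
    """True if the rule ACCEPTs packets that may open a new connection (no state match, or NEW listed)."""
    states = rule.get("--state")
    return rule.get("-j") == "ACCEPT" and (states is None or "NEW" in states.split(","))

def summarize(rule):
    keys = ("-i", "-o", "-p", "-s", "-d", "--dport", "--icmp-type", "--state")
    return " ".join(f"{k} {rule[k]}" for k in keys if k in rule) or "(any packet)"

def new_connection_exposure(script):
    """For each built-in filter chain, every rule path that can ACCEPT a NEW connection."""
    by_chain = defaultdict(list)
    for r in parse_script(script):
        if "-A" in r and r["table"] == "filter":
            by_chain[r["-A"]].append(r)
    def walk(chain, path, seen):
        hits = []
        for r in by_chain[chain]:
            if accepts_new(r):
                hits.append(f"{'/'.join(path + [chain])}: {summarize(r)}")
            elif r.get("-j") in by_chain and r["-j"] not in seen:   # follow jumps into user chains
                hits.extend(walk(r["-j"], path + [chain], seen | {r["-j"]}))
        return hits
    return {c: walk(c, [], {c}) for c in ("INPUT", "FORWARD", "OUTPUT")}

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print("lint:", finding)
    for chain, hits in new_connection_exposure(SAMPLE_RULES).items():
        print(chain, "accepts NEW via:", hits or "nothing (the DROP policy applies)")
```

Run against a real script (replace SAMPLE_RULES with the file contents), the report shows two things worth checking before the box goes on the Internet: the extra `-i eth1 ... -j ACCEPT` line surfaces as an unrestricted NEW acceptance on INPUT because it carries no `--state` match, and OUTPUT comes back empty, because the posted OUT_* chains accept only RELATED,ESTABLISHED, so the firewall host itself cannot originate any connection (its own DNS lookups, for instance) under those rules.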


