
Re: suggestions for iptables



--- Joseph Rinckey <jrinckey@pineriver.k12.mi.us> wrote:

> >
> > Hi,
> >
> > what exactly is your problem? all i can see is good firewall.
> >
> 
> That's why I sent this e-mail.  To see if there were any problems.  I 
> didn't want to put this firewall on the Internet until I knew it was 
> good.
> 
> So, if it's good...Thanks!
> 
It should be noted in big black letters that...
No one on this list is responsible for the information it contains.

                            NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.


> If there is something that you see that might be a problem, could you 
> let me know.
> 
> Thanks,
> 
> Joseph
> 
> 
> > > Hello,
> > >
> > > I'm looking for suggestions on my iptables rule set.
> > >
> > > There are three interfaces in this server:
> > > eth0 - <internet-address>
> > > eth1 - <lan-address>
> > > eth2 - <dmz-address>
> > >
> > > ### Create Chains
> > > iptables -N IN_LO
> > > iptables -N OUT_LO
> > > iptables -N IN_ETH0
> > > iptables -N OUT_ETH0
> > > iptables -N IN_ETH1
> > > iptables -N OUT_ETH1
> > > iptables -N IN_ETH2
> > > iptables -N OUT_ETH2
> > > iptables -N BLOCKED_PACKETS
> > > iptables -N ICMP_PACKETS
> > >
> > > ### POLICIES
> > > iptables -P INPUT DROP
> > > iptables -P FORWARD DROP
> > > iptables -P OUTPUT DROP
> > >
> > > ### INPUT
> > > iptables -A INPUT -j BLOCKED_PACKETS
> > > iptables -A INPUT -p icmp -j ICMP_PACKETS
> > > iptables -A INPUT -i lo -j IN_LO
> > > iptables -A INPUT -i eth0 -j IN_ETH0
> > > iptables -A INPUT -i eth1 -j IN_ETH1
> > > iptables -A INPUT -i eth2 -j IN_ETH2
> > >
> > > ### FORWARD
> > > iptables -A FORWARD -j BLOCKED_PACKETS
> > > iptables -A FORWARD -p icmp -j ICMP_PACKETS
> > > iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
> > >  -j ACCEPT
> > >
> > > ### OUTPUT
> > > iptables -A OUTPUT -j BLOCKED_PACKETS
> > > iptables -A OUTPUT -p icmp -j ICMP_PACKETS
> > > iptables -A OUTPUT -o lo -j OUT_LO
> > > iptables -A OUTPUT -o eth0 -j OUT_ETH0
> > > iptables -A OUTPUT -o eth1 -j OUT_ETH1
> > > iptables -A OUTPUT -o eth2 -j OUT_ETH2
> > >
> > > ### BLOCKING_PACKETS
> > > iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> > > iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> > >  SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> > > iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> > >  -j DROP
> > > iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
> > > # should this be all three interfaces?
> > > iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
> > >  --dport 135:139 -j DROP
> > > iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
> > >  --dport 67:68 -j DROP
> > >
> > > ### ICMP_PACKETS
> > > # are all of these really needed?  Which ones should I not accept?
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
> > >
> > > ### IN_LO (localhost)
> > > # are these really needed?  Why?
> > > iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
> > > iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
> > > iptables -A IN_LO -s <dmz-address> -i lo -j ACCEPT
> > > iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
> > >
> > > ### IN_ETH0 (Internet)
> > > iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
> > >  --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### IN_ETH1 (LAN)
> > > iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
> > >  --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### IN_ETH2 (DMZ)
> > > iptables -A IN_ETH2 -d <dmz-address> -i eth2 -m state \
> > >  --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUT_LO (Localhost)
> > > # are these really needed?  Why?
> > > iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
> > > iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
> > > iptables -A OUT_LO -d <dmz-address> -o lo -j ACCEPT
> > > iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
> > >
> > > ### OUT_ETH0 (Internet)
> > > iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
> > >  --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUT_ETH1 (LAN)
> > > iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
> > >  --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUT_ETH2 (DMZ)
> > > iptables -A OUT_ETH2 -d <dmz-address> -o eth2 -m state \
> > >  --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > Specific Services:
> > > ------------------
> > > ### DNS
> > > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p tcp \
> > >  --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> > > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p udp \
> > >  --dport 53 -j DNAT --to-destination <dns-DMZ-IP>
> > > iptables -A FORWARD -d <dns-DMZ-IP> -p tcp --syn --dport 53 \
> > >  -m state --state NEW -j ACCEPT
> > > iptables -A FORWARD -d <dns-DMZ-IP> -p udp --dport 53 -m state \
> > >  --state NEW -j ACCEPT
> > > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p tcp --sport 53 \
> > >  -j SNAT --to-source <dns-internet-IP>
> > > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p udp --sport 53 \
> > >  -j SNAT --to-source <dns-internet-IP>
> > >
> > > ### FTP
> > > iptables -t nat -A PREROUTING -d <ftp-internet-IP> -p tcp \
> > >  --dport 21 -j DNAT --to-destination <ftp-DMZ-IP>
> > > iptables -A FORWARD -d <ftp-DMZ-IP> -p tcp --syn --dport 21 \
> > >  -m state --state NEW -j ACCEPT
> > > iptables -t nat -A POSTROUTING -s <ftp-DMZ-IP> -p tcp --sport 21 \
> > >  -j SNAT --to-source <ftp-internet-IP>
> > >
> > > # I have other services, but if these are right I should be fine
> > >
> > > What about these two lines?
> > > - iptables -A INPUT -i eth2 -d <dmz-address> -j ACCEPT
> > > - iptables -A INPUT -i eth1 -d <lan-address> -j ACCEPT
> > >
> > >
> > > Thanks,
> > >
> > > Joseph
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 



		
__________________________________ 
Do you Yahoo!? 
Meet the all-new My Yahoo! - Try it today! 
http://my.yahoo.com 
 



Reply to:
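The rule set quoted above dispatches from the built-in chains into per-interface user chains, and the poster asks whether two catch-all INPUT ACCEPT lines are safe. One way to answer that kind of question before the box goes on the Internet is to lint the script statically rather than eyeball it. The following is an added example, not code from the thread or from any of the participants: a small Python checker that parses `iptables` commands (with backslash continuations), then reports jumps to chains that were never created with `-N`, user chains that are never jumped to, rules inside a user chain that name an interface the chain is never entered for, and ACCEPT rules on INPUT/FORWARD that are narrowed only by interface or address (the shape of the two lines the poster asked about). The sample rule set at the bottom is constructed for the example, uses documentation addresses, and deliberately contains one of each problem.

```python
import shlex
from collections import defaultdict

# Built-in chains (filter + nat) and targets that are not user chains.
# Assumption: the script uses only these tables and targets.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                   "DNAT", "SNAT", "MASQUERADE"}
# Options that narrow an ACCEPT beyond interface/address; an ACCEPT on a
# built-in chain carrying none of these admits every protocol and port.
NARROWING = {"-p", "--dport", "--sport", "--state", "--icmp-type"}


def join_continuations(text):
    """Join backslash-continued lines as the shell would; drop comments/blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_rule(line):
    """Parse one 'iptables ...' command into table, command, chain and options.
    Handles -N/-P/-A/-I; anything else is returned without a 'cmd' key."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables":
        return None
    rule = {"table": "filter", "opts": {}, "flags": set(), "raw": " ".join(argv)}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-t":
            rule["table"] = argv[i + 1]
            i += 2
        elif tok in ("-N", "-P", "-A", "-I"):
            rule["cmd"], rule["chain"] = tok, argv[i + 1]
            i += 2
            if tok == "-P":
                rule["policy"] = argv[i]
                i += 1
        elif tok == "!":
            rule["flags"].add("!")
            i += 1
        elif tok.startswith("-"):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if nxt is not None and nxt != "!" and not nxt.startswith("-"):
                rule["opts"][tok] = nxt      # option that takes a value
                i += 2
            else:
                rule["flags"].add(tok)       # bare flag such as --syn
                i += 1
        else:
            i += 1  # e.g. second argument of --tcp-flags; not needed here
    return rule


def review(text):
    """Return a list of (kind, detail) findings for a rule set given as shell text."""
    rules = [r for r in map(parse_rule, join_continuations(text)) if r]
    findings = []
    created = defaultdict(set)   # table -> chains made with -N
    jumped = defaultdict(set)    # table -> every -j target seen
    dispatch = defaultdict(set)  # user chain -> {(-i|-o, iface)} of jumps into it
    for r in rules:
        if r.get("cmd") == "-N":
            created[r["table"]].add(r["chain"])
    appends = [r for r in rules if r.get("cmd") in ("-A", "-I")]
    for r in appends:
        tgt = r["opts"].get("-j")
        if tgt is None:
            continue  # a counting-only rule; nothing to check
        jumped[r["table"]].add(tgt)
        if tgt not in BUILTIN_TARGETS and tgt not in created[r["table"]]:
            findings.append(("unknown-chain", r["raw"]))
        if r["chain"] not in BUILTIN_CHAINS and r["chain"] not in created[r["table"]]:
            findings.append(("append-to-unknown-chain", r["raw"]))
        if tgt in created[r["table"]]:
            for k in ("-i", "-o"):
                if k in r["opts"]:
                    dispatch[tgt].add((k, r["opts"][k]))
        if tgt == "ACCEPT" and r["chain"] in ("INPUT", "FORWARD") \
                and not NARROWING & set(r["opts"]):
            findings.append(("broad-accept", r["raw"]))
    # A rule in a user chain that names an interface the chain is never
    # entered for can never match.
    for r in appends:
        d = dispatch.get(r["chain"])
        if not d:
            continue
        for k in ("-i", "-o"):
            want = r["opts"].get(k)
            if want and all(dk == k and dv != want for dk, dv in d):
                findings.append(("unreachable-rule", r["raw"]))
    for table, chains in created.items():
        for c in sorted(chains - jumped[table]):
            findings.append(("unused-chain", f"{table}:{c}"))
    return findings


# Constructed sample in the layout of the quoted script (203.0.113.0/24 and
# 192.0.2.0/24 are documentation ranges, not real hosts).
SAMPLE = r"""
iptables -N IN_ETH0
iptables -N IN_ETH1
iptables -N ICMP_PACKETS
iptables -N UNUSED_CHAIN
iptables -P INPUT DROP
iptables -A INPUT -p icmp -j ICMP_PACKETS
iptables -A INPUT -i eth0 -j IN_ETH0
iptables -A INPUT -i eth1 -j IN_ETH1
iptables -A IN_ETH0 -d 203.0.113.1 -i eth0 -m state \
  --state RELATED,ESTABLISHED -j ACCEPT
iptables -A IN_ETH1 -i eth0 -j ACCEPT
iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i eth2 -d 192.0.2.1 -j ACCEPT
iptables -A INPUT -j BLOCKED_PACKETS
"""

if __name__ == "__main__":
    for kind, detail in review(SAMPLE):
        print(f"{kind:18} {detail}")
```

Run it against a real script with `review(open("firewall.sh").read())`. The "broad-accept" finding is the one that speaks to the poster's last question: an `INPUT -i eth1 -d <lan-address> -j ACCEPT` line admits any new connection from that interface to the firewall itself, so the checker flags it for a deliberate decision rather than silently letting it through; a rule that also carries `-p`, `--dport` or `--state` is not reported.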