
Re: iptables blocking eth0 .. why ?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Bogacki wrote:
| Hi,
|
| I'd appreciate a second opinion why this script is blocking eth0,
| confirming or disconfirming the line I've indicated.
|
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| There are two interfaces in this server:
| #eth0 - <internet-address>
| #eth1 - <lan-address>
|
| ### Create Chains
| iptables -N IN_LO
| iptables -N OUT_LO
| iptables -N IN_ETH0
| iptables -N OUT_ETH0
| iptables -N IN_ETH1
| iptables -N OUT_ETH1
| iptables -N BLOCKED_PACKETS
| iptables -N ICMP_PACKETS
|
| ### POLICIES
| iptables -P INPUT DROP
| iptables -P FORWARD DROP
| iptables -P OUTPUT DROP
|
| ### INPUT
| iptables -A INPUT -j BLOCKED_PACKETS
| iptables -A INPUT -p icmp -j ICMP_PACKETS
| iptables -A INPUT -i lo -j IN_LO
| iptables -A INPUT -i eth0 -j IN_ETH0
| iptables -A INPUT -i eth1 -j IN_ETH1
|
| ### FORWARD
| iptables -A FORWARD -j BLOCKED_PACKETS
| iptables -A FORWARD -p icmp -j ICMP_PACKETS
| iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
| ### OUTPUT
| iptables -A OUTPUT -j BLOCKED_PACKETS
| iptables -A OUTPUT -p icmp -j ICMP_PACKETS
| iptables -A OUTPUT -o lo -j OUT_LO
| iptables -A OUTPUT -o eth0 -j OUT_ETH0
| iptables -A OUTPUT -o eth1 -j OUT_ETH1
|
| ### BLOCKING_PACKETS
| iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
| iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
| SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
| iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
| -j DROP
| iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
| # should this be on both interfaces?
| #iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
| #--dport 135:139 -j DROP
|
| Is the following line why eth0 is blocked on my system?
| iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
| --dport 67:68 -j DROP
|
| ### ICMP_PACKETS
| # are all of these really needed?  Which ones should I not accept?
| iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
| iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
| ### IN_LO (localhost)
| # are these really needed?  Why?
| iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
| #iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
| #iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
|
| ### IN_ETH0 (Internet)
| #iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| ### IN_ETH1 (LAN)
| #iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| ### OUT_LO (Localhost)
| # are these really needed?  Why?
| iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
| #iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
| #iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
|
| ### OUT_ETH0 (Internet)
| #iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| ### OUT_ETH1 (LAN)
| #iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
| #--state RELATED,ESTABLISHED -j ACCEPT
|
| #save this setup for next use
|
| iptables-save
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|

What do you mean by "blocking eth0"?  You will have to be more specific if you want
some specific feedback.

A few comments:

1) The line you've indicated as being a potential problem seems to be intended to block
   some dhcp/bootp messages.

2) FORWARD: It looks to me like you're not going to be able to forward any packets,
   because my reading of this says the FORWARD path will drop everything in state NEW,
   except for the ICMP packets you've allowed.

3) INPUT/OUTPUT: All the rules which would allow established connections to proceed are
   commented out.  No packets in state NEW will be accepted because there are no rules to
   allow them.  So no-one should be able to connect to you, and you should not be able to
   establish any outbound connections.  Except for those ICMP messages again.

4) I think the 2 lines after INVALID are superfluous, but that's a matter of taste.

5) Yes, you probably do want to let all those ICMP types through.  (Google will help you
   out with this if you need more info).

Cheers,

    Blair.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB3dVgvJfDavdnqDgRAudxAJ9MengFO1123bjyy2IP8eZ40ZOuSACfdhXc
sP6dnA3a/FQbZy/2J1Y+g0Q=
=IyxF
-----END PGP SIGNATURE-----
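To make Blair's points 2 and 3 concrete, here is an added example (my own, not code from either poster) that models how the filter table walks the script quoted above and reports which rule, or which chain's policy, decides a packet. The packet fields, the addresses 198.51.100.7, 203.0.113.5 and 192.168.1.10, and the ssh_port in fixed_rules() are constructed assumptions; fixed_rules() is one minimal repair, not the poster's script or Blair's advice.

```python
"""Model of netfilter filter-table traversal for the rule set quoted above (an added
illustration, not code from the thread): which rule or chain policy decides a packet."""
from dataclasses import dataclass, field
from ipaddress import ip_address as ip, ip_network as net

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}  # as in the script
EST = {"RELATED", "ESTABLISHED"}

@dataclass
class Packet:                  # constructed sample packet, not a capture
    proto: str                 # "tcp", "udp" or "icmp"
    iface_in: str = ""         # -i; empty in OUTPUT, as in netfilter
    iface_out: str = ""        # -o; empty in INPUT
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dport: int = 0
    state: str = "NEW"         # what -m state would report
    syn: bool = False          # SYN set, ACK/RST/FIN clear (iptables --syn)
    syn_ack: bool = False      # SYN and ACK both set (--tcp-flags SYN,ACK SYN,ACK)
    icmp_type: int = -1

@dataclass
class Rule:
    target: str                            # ACCEPT/DROP/REJECT or a user chain
    m: dict = field(default_factory=dict)  # match criteria; empty matches everything

    def matches(self, p):
        checks = {
            "i": lambda v: p.iface_in == v, "o": lambda v: p.iface_out == v,
            "p": lambda v: p.proto == v, "state": lambda v: p.state in v,
            "s": lambda v: ip(p.src) in net(v), "d": lambda v: ip(p.dst) in net(v),
            "dport": lambda v: v[0] <= p.dport <= v[1],
            "syn": lambda v: p.proto == "tcp" and p.syn == v,  # False models "! --syn"
            "syn_ack": lambda v: p.proto == "tcp" and p.syn_ack == v,
            "icmp_type": lambda v: p.proto == "icmp" and p.icmp_type == v,
        }
        return all(checks[k](v) for k, v in self.m.items())

def walk(rules, chain, p, trace):  # terminal verdict, or None = fell off the end (RETURN)
    for n, r in enumerate(rules.get(chain, []), start=1):
        if not r.matches(p):
            continue
        if r.target in TERMINAL:
            trace.append(f"{chain} rule {n}: {r.target}")
            return r.target
        trace.append(f"{chain} rule {n}: jump {r.target}")
        v = walk(rules, r.target, p, trace)
        if v is not None:
            return v
        trace.append(f"{r.target}: nothing matched, RETURN")
    return None

def decide(rules, builtin, p):  # verdict and trace for p entering INPUT/FORWARD/OUTPUT
    trace = []
    v = walk(rules, builtin, p, trace)
    if v is None:
        v = POLICIES[builtin]
        trace.append(f"{builtin}: end of chain, policy {v}")
    return v, trace

def posted_rules():  # the script from the question, transcribed rule for rule
    R, icmp = Rule, {"p": "icmp"}
    return {
        "INPUT": [R("BLOCKED_PACKETS"), R("ICMP_PACKETS", icmp), R("IN_LO", {"i": "lo"}),
                  R("IN_ETH0", {"i": "eth0"}), R("IN_ETH1", {"i": "eth1"})],
        "FORWARD": [R("BLOCKED_PACKETS"), R("ICMP_PACKETS", icmp), R("ACCEPT", {"state": EST})],
        "OUTPUT": [R("BLOCKED_PACKETS"), R("ICMP_PACKETS", icmp), R("OUT_LO", {"o": "lo"}),
                   R("OUT_ETH0", {"o": "eth0"}), R("OUT_ETH1", {"o": "eth1"})],
        "BLOCKED_PACKETS": [
            R("DROP", {"state": {"INVALID"}}),
            R("REJECT", {"p": "tcp", "syn_ack": True, "state": {"NEW"}}),
            R("DROP", {"p": "tcp", "syn": False, "state": {"NEW"}}),
            R("DROP", {"d": "224.0.0.0/8"}),  # /8 as written; the whole multicast range is /4
            R("DROP", {"d": "255.255.255.255", "i": "eth0", "p": "udp", "dport": (67, 68)}),
        ],
        "ICMP_PACKETS": [R("ACCEPT", {"p": "icmp", "icmp_type": t}) for t in (0, 3, 4, 8, 11, 12)],
        "IN_LO": [R("ACCEPT", {"s": "127.0.0.1", "i": "lo"})],
        "OUT_LO": [R("ACCEPT", {"d": "127.0.0.1", "o": "lo"})],
        "IN_ETH0": [], "OUT_ETH0": [], "IN_ETH1": [], "OUT_ETH1": [],  # every rule commented out
    }

def fixed_rules(ssh_port=22):  # posted_rules() plus the minimum for eth0 to carry traffic
    rules = posted_rules()
    rules["IN_ETH0"] = [
        Rule("ACCEPT", {"i": "eth0", "state": EST}),                    # replies to our connections
        Rule("ACCEPT", {"i": "eth0", "p": "tcp", "syn": True, "state": {"NEW"},
                        "dport": (ssh_port, ssh_port)}),                # assumed example service
    ]
    rules["OUT_ETH0"] = [Rule("ACCEPT", {"o": "eth0", "state": EST | {"NEW"}})]  # host may connect out
    return rules

if __name__ == "__main__":  # trace one inbound SSH SYN (constructed addresses) through both sets
    pkt = Packet("tcp", iface_in="eth0", src="198.51.100.7", dst="203.0.113.5", dport=22, syn=True)
    for label, rules in (("posted", posted_rules()), ("fixed", fixed_rules())):
        print(label, *decide(rules, "INPUT", pkt))
```

Tracing an inbound SYN on eth0 through posted_rules() shows the path: BLOCKED_PACKETS and IN_ETH0 both fall off their end and RETURN, nothing in INPUT accepts, and the chain policy DROP decides; an ICMP echo request is the one kind of packet that gets through, via ICMP_PACKETS. The line the poster flagged only fires for UDP broadcast to 255.255.255.255, ports 67-68, arriving on eth0. Because it carries -i eth0 it can never match in OUTPUT at all, and ISC dhclient typically sends and receives through a packet socket that the filter table does not see, so that rule is not what blocks eth0; the empty IN_ETH0/OUT_ETH0 chains and the absence of any rule accepting NEW are. On the real host the same question is answered by `iptables -L INPUT -v -n --line-numbers`: the per-rule packet counters and the policy counter in the chain header show where traffic ends up. Note also that `iptables-save` with no redirection only prints the rules to stdout; it persists nothing.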