
Re: Default Policy = DROP. Help-me



On 2007-10-24 Yuri Rodrigues wrote:
> #### Policing ####
> # Filter Table
> $iptables -t filter -P INPUT DROP
> $iptables -t filter -P OUTPUT DROP
> $iptables -t filter -P FORWARD DROP
> # Nat Table
> $iptables -t nat -P PREROUTING ACCEPT
> $iptables -t nat -P OUTPUT ACCEPT
> $iptables -t nat -P POSTROUTING ACCEPT
> # Mangle Table
> $iptables -t mangle -P PREROUTING ACCEPT
> $iptables -t mangle -P OUTPUT ACCEPT
> $iptables -t mangle -P INPUT ACCEPT
> $iptables -t mangle -P POSTROUTING ACCEPT
> echo "Policing .......................................... [ OK ]"
> 
> #### Loading Modules ####
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ip_queue
> modprobe ip_tables
> modprobe ipt_LOG
> modprobe ipt_MARK
> modprobe ipt_MASQUERADE
> modprobe ipt_REDIRECT
> modprobe ipt_REJECT
> modprobe ipt_TCPMSS
> modprobe ipt_TOS
> modprobe ipt_limit
> modprobe ipt_mac
> modprobe ipt_mark
> modprobe ipt_multiport
> modprobe ipt_owner
> modprobe ipt_state
> modprobe ipt_tcpmss
> modprobe ipt_tos
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe iptable_nat
> echo "0" > /proc/sys/net/ipv4/ip_forward
> echo "Loading Modules ................................... [ OK ]"

Disable forwarding before you do anything else. And load the modules
before you set your policies. How are you going to set the policies for
the filter, nat and mangle table when the modules aren't loaded?

[...]
> #### SSH Access ####
> ## LAN 2 FIREWALL
> $iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j LOG --log-prefix "[IPTABLES SSH] : " --log-level 6 --log-tcp-options --log-ip-options
> $iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state NEW -j LOG --log-prefix "[IPTABLES SSH] : " --log-level 6 --log-tcp-options --log-ip-options
> $iptables -A INPUT -p tcp --dport 22 -i $intranet -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $intranet -j ACCEPT
> $iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
> $iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
> ## FIREWALL 2 INTERNET
> $iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
> $iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
> ## INTERNET 2 FIREWALL
> $iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
> echo "SSH Access ........................................ [ OK ]"

I already told you that you only need to allow NEW connections to
destination-port 22. The rest is already handled by the ESTABLISHED,
RELATED rule. Accepting arbitrary packets with source-port 22 is a
security risk. DON'T DO THAT.

> #### Ping Limit ####
> $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> echo "Ping of Death Protection .......................... [ OK ]"

Again, this does *not* protect you from a Ping-of-Death.

> #### Local Connections ####
> $iptables -t nat -A POSTROUTING -o lo -j ACCEPT
> echo "Local Connections Accepted ........................ [ OK ]"

This rule is pointless, because the policy for POSTROUTING is already
set to ACCEPT.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
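The ordering and the SSH rules the reply asks for, written out as an added example that is not from either post. Interface names, the module list and the use of sysctl in place of writing /proc directly are assumptions; passing "echo" as the first argument prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the script from the post: disable forwarding, load
# modules, then set policies, and allow SSH with one stateful rule plus
# NEW-to-dport-22 rules only (no rule ever matches on source port 22).
intranet="${intranet:-eth1}"   # assumed LAN interface name
internet="${internet:-eth0}"   # assumed Internet interface name

firewall_rules() {
    PREFIX="${1:-}"             # "" to execute (needs root), "echo" for a dry run

    # 1. Stop forwarding first, so nothing is routed while the rules are incomplete.
    $PREFIX sysctl -w net.ipv4.ip_forward=0

    # 2. Load the modules before touching any table; the tables must exist
    #    before their policies can be set.
    for m in ip_tables iptable_filter iptable_nat iptable_mangle \
             ip_conntrack ipt_state ipt_LOG; do
        $PREFIX modprobe "$m"
    done
    $PREFIX iptables -t filter -P INPUT DROP
    $PREFIX iptables -t filter -P OUTPUT DROP
    $PREFIX iptables -t filter -P FORWARD DROP
    # nat and mangle keep their ACCEPT default, so a POSTROUTING -o lo ACCEPT
    # rule would only repeat the policy.

    # 3. One stateful rule per chain covers every reply packet, including the
    #    firewall's own SSH replies (source port 22) to established sessions.
    for chain in INPUT OUTPUT FORWARD; do
        $PREFIX iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # 4. Only NEW connections to destination port 22 need explicit rules.
    $PREFIX iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -j LOG --log-prefix "[IPTABLES SSH] : " --log-level 6
    $PREFIX iptables -A INPUT -p tcp --dport 22 -i "$intranet" \
        -m state --state NEW -j ACCEPT                     # LAN -> firewall
    $PREFIX iptables -A OUTPUT -p tcp --dport 22 -o "$internet" \
        -m state --state NEW -j ACCEPT                     # firewall -> Internet
}

# Dry run from the command line: sh thisfile.sh --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    firewall_rules echo
fi
```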