Re: Iptables config
On Wed, Apr 17, 2002 at 01:09:27PM +0200, Martin Peikert wrote:
> Jussi Ekholm wrote:
> >I was just wondering, if some experienced iptables users could give me,
> >at least some, opinions about my iptables rules. It is supposed to close
> >all the other ports, but leave 1050, 2222 and 8080 open. Here's the
> >file created by iptables-save.
> >
> >--snip--
> >
> ># Generated by iptables-save v1.2.3 on Mon Dec 17 15:18:04 2001
> >*filter
> >:INPUT ACCEPT [18453:2703999]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [255753:190461092]
> >:external - [0:0]
> >-A INPUT -i eth0 -j external
> >-A external -p tcp -m tcp --dport 1050 -j ACCEPT
> >-A external -p tcp -m tcp --dport 2222 -j ACCEPT
> >-A external -p tcp -m tcp --dport 8080 -j ACCEPT
> >-A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
> >-A external -j ACCEPT
> >COMMIT
> ># Completed on Mon Dec 17 15:18:04 2001
> >
> >--snip--
> >
> >I'd like some input on this; how to make it better, how to possibly make
> >it log and just what should I modify in it to gain as great security as
> >possible? I know, that there's HOWTO's for these, and I've read those,
> >of course. But now I'd want to ask first-hand opinion about my iptables
> >rule file. Is it secure, or what should I do in order to make it more
> >secure?
> >
I use the connection-tracking support, so I can drop everything except
traffic related to a connection I opened. This is what I use (NAT stuff
omitted):
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
modprobe ip_conntrack
modprobe ip_conntrack_ftp
iptables -A INPUT -i ! eth0 -j ACCEPT # accept everything except from the big bad Internet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# this is the important rule that allows outgoing connections to work even
# though the policy is DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT # incoming ssh from Internet
iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
> First, you should set your policy to DROP. The way you configured your
> filter with a policy set to ACCEPT would let all traffic pass through.
No, it doesn't; it would block new connections, because it rejects TCP SYN
packets. It doesn't do anything about UDP, though.
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
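The disagreement in this thread (does a policy of ACCEPT plus a SYN-only REJECT leave anything open?) can be checked mechanically. What follows is an added example, not code from either poster: a toy walker for iptables-save text that models only the match options these two rulesets use (-i in both negation syntaxes, -p, --dport, --tcp-flags, -m state) and runs constructed probe packets through the INPUT chain the way netfilter would. The posted ruleset is embedded as Jussi quoted it (with the wrapped REJECT line rejoined); Peter's command list is my transcription into iptables-save form, and the service-name table is a three-entry stand-in for /etc/services.

```python
# Toy netfilter walker for iptables-save text (added example, not from the thread).
import shlex

SERVICES = {"smtp": 25, "ssh": 22, "auth": 113}          # /etc/services subset
SIMPLE = {"-i": "in", "-p": "proto", "-j": "target"}     # one plain argument each

# Jussi's posted ruleset, with the wrapped REJECT line rejoined.
POSTED = """\
*filter
:INPUT ACCEPT [18453:2703999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [255753:190461092]
:external - [0:0]
-A INPUT -i eth0 -j external
-A external -p tcp -m tcp --dport 1050 -j ACCEPT
-A external -p tcp -m tcp --dport 2222 -j ACCEPT
-A external -p tcp -m tcp --dport 8080 -j ACCEPT
-A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A external -j ACCEPT
COMMIT
"""

# Peter's stateful INPUT rules, transcribed (constructed) into iptables-save form.
STATEFUL = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport smtp -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
COMMIT
"""

def parse_rule(opts):
    """Reduce one -A option list to the match criteria this model knows."""
    r = {"in": None, "in_neg": False, "proto": None, "dport": None,
         "flags": None, "states": None, "target": None}
    i = 0
    while i < len(opts):
        o, arg = opts[i], (opts[i + 1] if i + 1 < len(opts) else None)
        if o == "!":                               # "! -i eth0" (current syntax)
            r["in_neg"] = True
        elif o == "-i" and arg == "!":             # "-i ! eth0" (legacy syntax)
            r["in_neg"], r["in"], i = True, opts[i + 2], i + 2
        elif o in SIMPLE:
            r[SIMPLE[o]], i = arg, i + 1
        elif o == "--dport":
            r["dport"], i = (int(arg) if arg.isdigit() else SERVICES[arg]), i + 1
        elif o == "--tcp-flags":                   # mask, then the bits that must be set
            r["flags"], i = (set(arg.split(",")), set(opts[i + 2].split(","))), i + 2
        elif o == "--state":
            r["states"], i = set(arg.split(",")), i + 1
        i += 1                                     # -m tcp, --reject-with ...: no match
    return r

def parse_ruleset(text):
    """iptables-save text -> ({chain: policy or None}, {chain: [rules]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                   # ":INPUT DROP [..]" / ":external - [..]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            _, chain, *opts = shlex.split(line)
            chains.setdefault(chain, []).append(parse_rule(opts))
    return policies, chains

def matches(rule, pkt):
    """One rule against one probe; criteria the rule leaves unset match anything."""
    return all([
        rule["in"] is None or (pkt["in"] == rule["in"]) != rule["in_neg"],
        rule["proto"] is None or pkt["proto"] == rule["proto"],
        rule["dport"] is None or pkt["dport"] == rule["dport"],
        rule["flags"] is None or (pkt["flags"] & rule["flags"][0]) == rule["flags"][1],
        rule["states"] is None or pkt["state"] in rule["states"],
    ])

def verdict(policies, chains, pkt, chain="INPUT"):
    """First matching terminal target wins; a user-chain jump is followed and falls back here."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] in chains:
            v = verdict(policies, chains, pkt, rule["target"])
            if v is not None:
                return v
    return policies.get(chain)                     # built-in: its policy; user chain: None

def probe(in_if, proto, dport=None, flags=(), state="NEW"):   # constructed packet; NEW = unsolicited
    return {"in": in_if, "proto": proto, "dport": dport, "flags": set(flags), "state": state}

def verdicts(text, probes):                        # verdict per probe, in order
    policies, chains = parse_ruleset(text)
    return [verdict(policies, chains, p) for p in probes]

if __name__ == "__main__":                         # unsolicited UDP from eth0 under each ruleset
    udp = [probe("eth0", "udp", 53)]
    print("posted:", verdicts(POSTED, udp), "stateful:", verdicts(STATEFUL, udp))
```

Against the posted ruleset an unsolicited TCP SYN to port 80 from eth0 is rejected but a UDP datagram to port 53 is accepted, which is exactly the gap Peter points out; against the stateful ruleset the same UDP probe matches nothing and falls through to the INPUT policy of DROP, while a packet in state ESTABLISHED is accepted by the conntrack rule. The model knows nothing about --sport, address matches, other tables or RETURN, so treat it as a reasoning aid for rulesets this simple, not a substitute for sending real packets at the box.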