
Re: Iptables config



On Wed, Apr 17, 2002 at 01:09:27PM +0200, Martin Peikert wrote:
> Jussi Ekholm wrote:
> >I was just wondering, if some experienced iptables users could give me,
> >at least some, opinions about my iptables rules. It is supposed to close
> >all the other ports, but leave 1050, 2222 and 8080 open. Here's the
> >file created by iptables-save.
> >
> >--snip--
> >
> ># Generated by iptables-save v1.2.3 on Mon Dec 17 15:18:04 2001
> >*filter
> >:INPUT ACCEPT [18453:2703999]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [255753:190461092]
> >:external - [0:0]
> >-A INPUT -i eth0 -j external 
> >-A external -p tcp -m tcp --dport 1050 -j ACCEPT 
> >-A external -p tcp -m tcp --dport 2222 -j ACCEPT 
> >-A external -p tcp -m tcp --dport 8080 -j ACCEPT 
> >-A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable 
> >-A external -j ACCEPT 
> >COMMIT
> ># Completed on Mon Dec 17 15:18:04 2001
> >
> >--snip--
> >
> >I'd like some input on this: how to make it better, how to possibly make
> >it log, and just what I should modify in it to gain as great security as
> >possible. I know that there are HOWTOs for these, and I've read those,
> >of course. But now I'd want to ask for first-hand opinions about my iptables
> >rule file. Is it secure, or what should I do in order to make it more
> >secure?
> >

 I use the connection-tracking support, so I can drop everything except
traffic related to a connection I opened.  This is what I use (NAT stuff
omitted):

	iptables -t filter -P FORWARD ACCEPT
	iptables -t filter -P INPUT DROP
	iptables -t filter -P OUTPUT ACCEPT

	modprobe ip_conntrack
	modprobe ip_conntrack_ftp

	iptables -A INPUT -i ! eth0 -j ACCEPT  # accept everything except from the big bad Internet
	# this is the important rule that allows outgoing connections to work even
	# though the policy is DROP
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	iptables -A INPUT -p icmp -j ACCEPT

	iptables -A INPUT -p tcp --dport smtp -j ACCEPT
	iptables -A INPUT -p tcp --dport ssh -j ACCEPT # incoming ssh from Internet
	iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
 
> First, you should set your policy to DROP. The way you configured your 
> filter with a policy set to ACCEPT would let all traffic pass through.

 No it doesn't; it would block new connections, because it rejects TCP SYN
packets.  It doesn't do anything about UDP, though.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
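The approach Peter describes (INPUT policy DROP plus an ESTABLISHED,RELATED rule so outgoing connections still work), combined with the logging Jussi asked about, as an added example that is not code from either poster: a POSIX shell script that generates an iptables-restore file keeping only the listed TCP ports open from the Internet. Everything beyond the thread is an assumption: eth0 as the Internet-facing interface, all other interfaces trusted, a single host rather than a router (so FORWARD is DROP), the 113/ident tcp-reset rule, the INVALID drop, the log prefix and the 5/min rate limit.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that keeps only the listed TCP ports open from the Internet, using a DROP
# policy and connection tracking, with rate-limited logging of what is dropped.
# Assumptions not stated in the thread: eth0 is the Internet-facing interface,
# every other interface (lo, LAN) is trusted, this is a single host (FORWARD
# is DROP), and the kernel has the state match, limit match and LOG target.

emit() { printf '%s\n' "$1"; }

# Reject anything that is not a TCP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# gen_ruleset IFACE PORT... : write the ruleset to stdout.
# Returns 2 without printing anything if a port argument is malformed.
gen_ruleset() {
    iface=$1
    shift
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    done

    emit '*filter'
    # Default-deny on INPUT. The file in the question left it at ACCEPT and
    # relied on a SYN-reject rule, which covers TCP only and says nothing
    # about UDP; with DROP, anything not matched below never gets in.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':external - [0:0]'

    # Trust everything that did not arrive on the Internet-facing interface.
    emit "-A INPUT ! -i $iface -j ACCEPT"
    emit "-A INPUT -i $iface -j external"

    # Replies to connections this host opened, plus related ones such as
    # FTP data channels; this is what makes outgoing traffic work under DROP.
    emit '-A external -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no tracked connection (stray ACKs, scan noise).
    emit '-A external -m state --state INVALID -j DROP'
    emit '-A external -p icmp -j ACCEPT'

    # Only NEW connections to the listed ports may come in from outside.
    for port in "$@"; do
        emit "-A external -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done

    # ident (113): answer with a RST rather than a silent drop so remote
    # mail servers do not hang until their ident lookup times out.
    emit '-A external -p tcp --dport 113 -j REJECT --reject-with tcp-reset'

    # Log what is about to be dropped, rate-limited so a flood cannot fill
    # the disk, then drop it. DROP (unlike the SYN-only REJECT) covers UDP too.
    emit '-A external -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "'
    emit '-A external -j DROP'
    emit 'COMMIT'
}

# Usage: sh make_rules.sh 1050 2222 8080 > rules.v4
#        iptables-restore < rules.v4      (as root, after reading the file)
if [ $# -gt 0 ]; then
    gen_ruleset eth0 "$@"
fi
```

Review the generated file before loading it: if the chain that reaches the final DROP does not first accept the port you are administering the box over (2222 in Jussi's case), loading it over that connection still works, since the existing session is ESTABLISHED, but the next login will not.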

