[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

NetFilter connection tracking

Hash: SHA1

Dear .debs,

I've setup iptables on my woody box with a policy to drop.  After some
tinkering I'd punched holes for the things I wanted to do (note this is
a *client* machine).  Then I got into the wonders of setting up rules
for active and passive FTP.  It works now, but I am asking myself
whether I can simplify my rules for all those other protocols.

For example, to get web browsing going I have:

  # Allow HTTP connections initiated from here and replies back in, but
  # do NOT allow connection requests from servers on the outside in.
  /sbin/iptables --append $O --protocol tcp               \
      --source      ${PPP_LOCAL} --source-port      1024: \
                                 --destination-port   80  \
      --jump ACCEPT
  /sbin/iptables --append $I --protocol tcp ! --syn       \
                                 --source-port        80  \
      --destination ${PPP_LOCAL} --destination-port 1024: \
      --jump ACCEPT

in my /etc/ppp/ip-up.d/1firewall script where $O and $I are the output
and input chains dedicated to the ppp device.

Now to get FTP going I added

  /sbin/iptables --append $O --match state        \
  /sbin/iptables --append $I --match state        \

I was thinking I could put these two rules near the top of my script,
remove the second HTTP rule and still have the same protection.  I
could also drop the counter part rules for all those other nice
protocols I would like to use (ssh, hkp, smtp, imap, ...).  It would
quite drastically simplify my script.  Question is, does it still give
me the same kind of protection?

OT: I noticed scans for an HTTP server and more (logging what I drop)
while I was connected via dial-up.  It's not safe out there!  But you
already knew that of course :-)

While I'm at it I might as well append my scripts for everyone to give
a once over.
- -- 
Olaf Meeuwissen
GnuPG key: 91114EAF/C3E1 2D40 C7CC AEB2 FB15  8BDF 60C2 5B3F 9111 4EAF
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Attachment: /etc/ppp/ip-up.d/1firewall
Description: application/shellscript

Attachment: /etc/ppp/ip-down.d/1firewall
Description: application/shellscript

Reply to: