
RE: IPTables configuration.



To correctly audit your configuration, I need the output of
"/sbin/iptables -L -n -v".
The mere "/sbin/iptables -L [-n]" is not sufficient for me, because it won't
reveal the per-interface filters.

Vincent




> -----Original Message-----
> From: Tore Nilsson [mailto:iceydee@bredband.net]
> Sent: Wednesday 4 December 2002 14:23
> To: debian-security@lists.debian.org
> Subject: IPTables configuration.
> 
> 
> Hello!
> 
> Can someone review my iptables configuration and give suggestions?
> Btw, if I'd want to block someone completely using this configuration,
> should I put them in "Parole" by using this command:
> 
> iptables -A PAROLE -s [ip-number] -j DROP
> 
> //Tore Nilsson
> 
> Here's my configuration. Btw, it was made with Bastille:
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> DROP       tcp  --  anywhere             127.0.0.0/8
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> PUB_IN     all  --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> DROP       all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> PUB_OUT    all  --  anywhere             anywhere
> 
> Chain INT_IN (0 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
> 
> Chain INT_OUT (0 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain PAROLE (4 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain PUB_IN (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
> ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
> ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
> PAROLE     tcp  --  anywhere             anywhere           tcp dpt:www
> LOG        tcp  --  anywhere             anywhere           tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:imap2 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        tcp  --  anywhere             anywhere           tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> LOG        udp  --  anywhere             anywhere           udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> DROP       icmp --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
> 
> Chain PUB_OUT (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> 
> 
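Two points in the exchange above lend themselves to a small audit helper: Vincent's remark that only `iptables -L -n -v` shows the per-interface (`in`/`out`) columns, and Tore's question about appending a `DROP` to the PAROLE chain. The script below is an added example, written for this page and not code from either poster or from Bastille. It parses a listing in the `-L -n -v` format, reports which rules are bound to a specific interface, and flags rules that can never match because an earlier rule in the same chain already terminates every packet (iptables evaluates rules top-down, first match wins). The sample listing is constructed: it reproduces the PAROLE chain from the quoted post with a DROP appended the way Tore proposed, plus an INPUT excerpt; the interface names `lo`/`eth0` and the address 192.0.2.10 are invented, since the post did not include `-v` output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout of `iptables -L -n -v` (counters, then the
# in/out interface columns that plain `-L -n` omits). Interface names and the
# 192.0.2.10 source address are made up for the demonstration.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            127.0.0.0/8
   42  3150 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (4 references)
 pkts bytes target     prot opt in     out     source               destination
    7   420 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end rule traversal


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""  # match extensions such as "state ..." or "tcp dpt:..."

    def is_catch_all(self) -> bool:
        """True when the rule matches every packet regardless of interface,
        protocol, address or extension."""
        return (self.prot == "all" and self.in_if == "*" and self.out_if == "*"
                and self.src == "0.0.0.0/0" and self.dst == "0.0.0.0/0"
                and not self.extra)


@dataclass
class Chain:
    name: str
    policy: str = ""  # empty for user-defined chains, which have no policy
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -n -v` output into chains of rules."""
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2) or "")
            chains[current.name] = current
            continue
        if line.lstrip().startswith("pkts"):
            continue  # column header line
        # pkts bytes target prot opt in out source destination [extensions]
        fields = line.split(None, 9)
        if current is None or len(fields) < 9:
            raise ValueError(f"unparseable rule line: {line!r}")
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = fields[:9]
        extra = fields[9].strip() if len(fields) > 9 else ""
        current.rules.append(Rule(target, prot, in_if, out_if, src, dst, extra))
    return chains


def interface_bound_rules(chains: Dict[str, Chain]) -> List[Tuple[str, str, str, str]]:
    """Rules restricted to a particular in/out interface; invisible without -v."""
    return [(c.name, r.target, r.in_if, r.out_if)
            for c in chains.values() for r in c.rules
            if r.in_if != "*" or r.out_if != "*"]


def shadowed_rules(chains: Dict[str, Chain]) -> List[Tuple[str, int, str]]:
    """Rules that can never fire: a preceding catch-all ACCEPT/DROP/REJECT in
    the same chain terminates traversal for every packet."""
    found = []
    for c in chains.values():
        for i, r in enumerate(c.rules):
            if r.target in TERMINATING and r.is_catch_all():
                found.extend((c.name, j, later.target)
                             for j, later in enumerate(c.rules) if j > i)
                break
    return found


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for item in interface_bound_rules(parsed):
        print("interface-bound:", item)
    for item in shadowed_rules(parsed):
        print("never reached:", item)
```

On the sample, the appended `DROP` in PAROLE is reported as never reached because the chain's existing `ACCEPT all` rule precedes it; a block rule only takes effect if it sits ahead of that accept (iptables' `-I` inserts at the head of a chain, whereas `-A` appends). To use the helper on a live host, pipe the real `iptables -L -n -v` output into `parse_listing`.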


