
Re: Where to install the firewall scripts



Hi!

On Sun, Dec 15, 2002 at 09:07:21AM -0800, Torrin wrote:

> /etc/network/if-pre-up.d/iptables
> 
> #!/bin/sh
> 
> if [ `uname -r | cut -b -3` != "2.4" ]; then
> #   echo "Not a 2.4 kernel.  Exiting iptables firewall script.";
>    exit 0;
> fi
> 
> # This deletes existing tables
> iptables -F
> iptables -X
> 
> # Drop everything by default
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # Allow all internal network traffic
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Drop spoofed packets
> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
> 
> # let ICMP in and out
> iptables -A OUTPUT -o eth0 -j ACCEPT -p ICMP
> iptables -A INPUT -i eth0 -j ACCEPT -p ICMP
> 
> # let domain (dns) requests out
> iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -d 0.0.0.0/0 --destination-port domain   #53
> iptables -A OUTPUT -o eth0 -j ACCEPT -p UDP -d 0.0.0.0/0 --destination-port domain   #53
> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain   #53
> iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain   #53
> 
> # let ssh out
> iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -d 0.0.0.0/0 --destination-port ssh      #22
> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port ssh      #22
> # let ssh in from the local network only
> #iptables -A OUTPUT -o eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port ssh -d 192.168.0.0/16
> #iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 192.168.0.0/16 -d 0.0.0.0/0 --destination-port ssh

Well, this ruleset looks really dangerous to me since (unless I'm missing 
something obvious) you allow any machine to connect to any of your ports 
as soon as the connection is coming from ports 22 or 53. You would be much 
better off using connection tracking.

You should add the rule:

$IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED


and then remove the explicit rules for answers...


Regards,

Nicolas
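As an added example (not Torrin's script and not code from Nicolas's reply), here is the quoted ruleset rewritten the way the reply suggests: the stateless `--source-port 22/53` accept rules, which let any host reach any local port just by sending from source port 22 or 53, are replaced by one `ESTABLISHED,RELATED` rule per direction, and the remaining rules only open NEW connections. Interface name, addresses and ports are taken from the quoted script; the `INVALID` drop, the `$IPTABLES` variable and the print/apply switch are my additions. The script prints its rules by default so they can be reviewed without root, and executes them with `--apply`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Stateful rewrite of the
# quoted firewall script. Assumes an iptables binary on PATH (or set
# IPTABLES=... to point at it). eth0 / 192.168.1.3 / 192.168.0.0/16 are
# the values from the quoted script.

IPTABLES="${IPTABLES:-iptables}"
WAN=eth0

# Emit one iptables invocation per line (unquoted heredoc, so $IPTABLES
# and $WAN expand here).
firewall_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i $WAN -s 192.168.1.3 -j DROP
$IPTABLES -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -o $WAN -p icmp -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p icmp -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
}

# Sanity check before applying: no ACCEPT rule may key on a source port
# (the pattern Nicolas flagged), and a stateful reply rule must exist.
check_rules() {
    if firewall_rules | grep -q -e '--source-port' -e '--sport'; then
        echo "refusing: a rule still trusts the remote source port" >&2
        return 1
    fi
    firewall_rules | grep -q 'ESTABLISHED,RELATED'
}

# Run each generated rule; abort on the first failure so a half-loaded
# ruleset is noticed rather than silently left in place.
apply_firewall() {
    check_rules || return 1
    firewall_rules | while IFS= read -r rule; do
        $rule || { echo "failed: $rule" >&2; exit 1; }
    done
}

case "${1:-}" in
    --apply) apply_firewall ;;
    --check) check_rules && echo "rules ok" ;;
    *)       firewall_rules ;;
esac
```

Note that replies to the outbound DNS and ssh connections are now accepted only because the kernel saw the outgoing packet first; an unsolicited packet from source port 22 or 53 is NEW, matches no accept rule, and falls through to the DROP policy.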


