On Thu, 2003-03-20 at 22:10, Vineet Kumar wrote:
> * Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch> [20030320 06:39 PST]:
> > Set it up to block everything and then selectively open ports until
> > everything works as desired. Depending on the applications it may be a
> > good idea to REJECT auth (identd) packets instead of dropping them -
> > some applications have long timeouts.
>
> IMO, it's a good idea to REJECT instead of DROPping most packets. If
> you think DROPping makes you invisible, you're deluding yourself. I
> generally end my INPUT chain with

I'm not invisible (you can even ping most of my machines).

- DROP takes less bandwidth than REJECT.
- DROP slows down nimda/code-red style trojans as they wait for the connect
  timeout, so it's actually friendly to your neighbours. Back when code-red
  was all new and shiny, I got > 10 connects per second, and that was just a
  256/64k cable link.

While we're at it, people may want to read and comment on my config (way OT -
so ignore it if you're not interested).

ppp0 is the outside world (pppoe over eth1). Port 6346 is gnutella, port 11372
is pgp keyserver related (not hkp), the firewall box runs a mailserver from the
inside and a teergrube on 44444 accessible from the outside. If you read the
mail headers, you know which box it is, too.
root@syydelaervli:~# iptables-save
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*nat
:PREROUTING ACCEPT [17038:1364291]
:POSTROUTING ACCEPT [1561:131055]
:OUTPUT ACCEPT [7155:558179]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 44444
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 11372 -j DNAT --to-destination 192.168.1.17
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.17
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Mar 21 10:13:12 2003
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*filter
:INPUT DROP [1323:393571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [399596:206648275]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 44444 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
-A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
-A FORWARD -i ! ppp0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 11372 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6346 -j ACCEPT
-A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
COMMIT
# Completed on Fri Mar 21 10:13:12 2003

-- 
vbi

-- 
OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481
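As an added example, not from the post or its author: a small Python audit of the ruleset above. It parses the iptables-save dump (copied verbatim into SAMPLE), reports the filter chain policies, the ports the outside interface actually answers on (ACCEPT or REJECT, so 113 shows up as REJECT while the DROPped 137 does not), the nat rewrites, and flags any DNAT rule that has no matching FORWARD ACCEPT, which with a FORWARD policy of DROP would be a silent black hole. The function names and the "negated"/"extra" fields are this example's own, and the parser only understands the options this particular dump uses (single ports, the old "-i ! iface" negation).

```python
# Added example, not from the post: audit the iptables-save dump quoted above
# (SAMPLE is that dump verbatim; iptables 1.2.7a syntax, old "-i ! ppp0" negation).
import shlex
SAMPLE = """\
*nat
:PREROUTING ACCEPT [17038:1364291]
:POSTROUTING ACCEPT [1561:131055]
:OUTPUT ACCEPT [7155:558179]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 44444
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 11372 -j DNAT --to-destination 192.168.1.17
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.17
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [1323:393571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [399596:206648275]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 44444 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
-A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
-A FORWARD -i ! ppp0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 11372 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6346 -j ACCEPT
-A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
COMMIT
"""

FIELDS = {"-A": "chain", "-p": "proto", "-i": "in_iface", "-j": "target",
          "--dport": "dport", "--to-destination": "to", "--to-ports": "to"}

def parse_rule(tokens):
    """One '-A ...' line as a dict; single ports only (that is all the dump has)."""
    rule = {**dict.fromkeys(FIELDS.values()), "negated": set(), "extra": []}
    i = 0
    while i < len(tokens):
        field = FIELDS.get(tokens[i])
        if field is None:                  # -m, --state, --limit, --log-prefix ...
            rule["extra"].append(tokens[i])
            i += 1
            continue
        if tokens[i + 1] == "!":           # iptables 1.2 negation: "-i ! ppp0"
            rule["negated"].add(field)
            i += 1
        rule[field] = int(tokens[i + 1]) if field == "dport" else tokens[i + 1]
        i += 2
    return rule

def parse_iptables_save(text):
    tables, table = {}, None               # {table: {"policies": {...}, "rules": [...]}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):         # ":INPUT DROP [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A"):
            table["rules"].append(parse_rule(shlex.split(line)))
    return tables                          # blank, '#' and COMMIT lines are skipped

def exposed_ports(tables, outside="ppp0"):
    """(proto, port) -> ACCEPT/REJECT for filter/INPUT rules packets from `outside`
    can reach. DROP rules are left out: to a scanner those ports look filtered."""
    found = {}
    for r in tables["filter"]["rules"]:
        iface, neg = r["in_iface"], "in_iface" in r["negated"]
        if r["chain"] != "INPUT" or r["dport"] is None or r["target"] not in ("ACCEPT", "REJECT"):
            continue
        if iface is not None and (iface == outside) == neg:
            continue                       # an -i / -i ! restriction excludes `outside`
        found[(r["proto"], r["dport"])] = r["target"]
    return found

def dnat_ports(tables, outside="ppp0"):
    """nat/PREROUTING rewrites on `outside`: (proto, port) -> (target, where)."""
    return {(r["proto"], r["dport"]): (r["target"], r["to"])
            for r in tables["nat"]["rules"] if r["chain"] == "PREROUTING"
            and r["in_iface"] == outside and r["target"] in ("DNAT", "REDIRECT")}

def unforwarded_dnat(tables, outside="ppp0"):
    """DNAT'ed ports with no filter/FORWARD ACCEPT: rewritten, then dropped by
    the FORWARD policy. Silent with policy DROP, which is why an audit should look."""
    forwarded = {(r["proto"], r["dport"]) for r in tables["filter"]["rules"]
                 if r["chain"] == "FORWARD" and r["target"] == "ACCEPT"}
    return sorted(k for k, (tgt, _) in dnat_ports(tables, outside).items()
                  if tgt == "DNAT" and k not in forwarded)

if __name__ == "__main__":
    t = parse_iptables_save(SAMPLE)
    print(t["filter"]["policies"], exposed_ports(t), dnat_ports(t), unforwarded_dnat(t), sep="\n")
```

Run it as-is to see the summary of the posted ruleset, or feed it the output of iptables-save from another box (the only format assumption is the 1.2-era "-i ! iface" negation; newer iptables writes "! -i iface", which this parser would put into "extra" instead).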