
Re: Request for comments: iptables script for use on laptops.



Hi,

On Mon, May 22, 2006 at 07:57:59AM -0400, George Hein wrote:
> Your iptables scares me a bit, do we really have to do all that stuff 
> like "echo to /proc/sys/...".  I was a TP professional many years ago 
> but since the internet I have become a novice, thus running scared.

You don't really _need_ those lines, but they're mostly useful in that
they add some more levels of security (or mitigate some attacks),
in addition to just closing TCP/UDP ports.


>   iptables -A INPUT  -j ACCEPT -s 127.0.0.1      # local host
>   iptables -A OUTPUT -j ACCEPT -d 127.0.0.1

Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his IP address to appear to be 127.0.0.1 could send _any_ traffic
to you and you would ACCEPT it, basically rendering the firewall
useless. Did I miss anything?

The following should be better, as it only allows traffic to/from the
loopback interface (but not eth0 or what have you)...

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


>   iptables -A INPUT  -j ACCEPT -s 192.168.0.0/28 # allow x.x.x.1-7
>   iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28

IP-based blocking of traffic is almost always not a good idea. Same
reason as above - IPs are easily faked, so any intruder could
pretend to be 192.168.0.2 and would bypass the firewall.


> # iptables -A INPUT  -j ACCEPT -p icmp -m icmp --icmp-type 3
> # iptables -A OUTPUT -j ACCEPT -p icmp -m icmp --icmp-type 3
>   iptables -A INPUT  -j ACCEPT -p tcp -m multiport --port 20,21,25,37,80,110,111,119,443
>   iptables -A INPUT  -j ACCEPT -p udp -m multiport --port 53,67,68,111,520,631

Are you sure you want to allow the whole Internet access to all those
ports? Especially portmap, FTP, CUPS etc? Are you running a server which
needs to be reachable from the Internet?


Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
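The loopback point made above (accept by source address vs. accept by interface), as an added example that is not part of the thread: a small first-match model of a netfilter chain, constructed here to show that a packet arriving on eth0 with a spoofed 127.0.0.1 source is accepted by `-s 127.0.0.1` but not by `-i lo`. It models only the matches discussed (interface, address, protocol), not iptables itself, and the interface and address values are constructed sample data.

```python
"""First-match model of an INPUT chain, constructed for this example.
It is not iptables; it only models -i/-s/-d/-p matching and chain policy."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    iface: Optional[str] = None   # -i <iface>
    src: Optional[str] = None     # -s <addr>
    dst: Optional[str] = None     # -d <addr>
    proto: Optional[str] = None   # -p <proto>

    def matches(self, pkt: Packet) -> bool:
        # An unset match (None) matches anything, like an omitted iptables option.
        return all(want is None or want == got for want, got in (
            (self.iface, pkt.iface), (self.src, pkt.src),
            (self.dst, pkt.dst), (self.proto, pkt.proto)))


def verdict(chain, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in a netfilter chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The original rule: accept anything whose source address claims to be 127.0.0.1
ADDR_BASED = [Rule("ACCEPT", src="127.0.0.1")]
# The suggested rule: accept only what actually arrived on the loopback interface
IFACE_BASED = [Rule("ACCEPT", iface="lo")]

# Constructed packets: genuine loopback traffic, and a spoofed packet on eth0
GENUINE = Packet(iface="lo", src="127.0.0.1", dst="127.0.0.1")
SPOOFED = Packet(iface="eth0", src="127.0.0.1", dst="192.168.0.5")

if __name__ == "__main__":
    for name, chain in (("-s 127.0.0.1", ADDR_BASED), ("-i lo", IFACE_BASED)):
        print(f"{name:12} genuine={verdict(chain, GENUINE)} spoofed={verdict(chain, SPOOFED)}")
```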
