
Re: Request for comments: iptables script for use on laptops.



On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:

[...]
>>   iptables -A INPUT  -j ACCEPT -s 127.0.0.1      # local host
>>   iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?
Kernel shoots any packet it considers as being "martian" -- e.g. packets
from 127.0.0.0/8 cannot appear on any interface except lo.
The same applies to the reverse case: no packet coming from an "external"
interface but claiming to be destined to 127.0.0.0/8 won't be passed
further by the kernel.

See RFC 1812 for explanations.

One can switch logging records about killed martian packets with
net/ipv4/conf/ethN/log_martians=1
in /etc/sysctl.conf

[...]
I agree with your other comments.

P.S.
I think the best way to secure the box is the simplest: allow incoming
packets with states ESTABLISHED and RELATED, deny all others (except for
OpenVPN or whatever remote access is needed).

Maybe it's also worth accepting ICMP Ping packets.

All special ICMP packets needed for proper functioning of TCP/IP (PMTU
discovery for example) fall to the RELATED domain and are passed to the
stack.
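The policy sketched in the P.S. (loopback by interface rather than by source address, ESTABLISHED/RELATED in, echo-request in, everything else dropped, plus a check of the log_martians sysctl) written out as an added example script; this is not code from the original thread, and the IPT and VPN_PORT variable names are assumptions of the example:

```shell
#!/bin/sh
# Minimal stateful laptop firewall in the spirit of the P.S. above.
# Added example; IPT (default: iptables) and VPN_PORT are assumed names,
# not taken from the original message. IPT=echo previews without applying.
IPT="${IPT:-iptables}"

apply_laptop_firewall() {
    # Default policies: drop unsolicited inbound, allow outbound, no forwarding.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP

    # Loopback: match on the interface, not on source 127.0.0.1, so the rule
    # cannot be satisfied by a spoofed source address arriving on eth0.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to our own connections, plus RELATED traffic, which covers the
    # ICMP errors (fragmentation-needed etc.) that PMTU discovery relies on.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Optional: answer pings.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Remote access, e.g. OpenVPN: opened only when VPN_PORT is set.
    if [ -n "${VPN_PORT:-}" ]; then
        "$IPT" -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    fi

    # Explicit final drop (the policy already does this; easier to audit).
    "$IPT" -A INPUT -j DROP
}

# Print the rules that would be applied, without touching the kernel.
render_rules() {
    ( IPT=echo; apply_laptop_firewall )
}

# Succeeds when the kernel logs martian packets on IFACE (default: all).
martian_logging_enabled() {
    f="/proc/sys/net/ipv4/conf/${1:-all}/log_martians"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

case "${1:-}" in
    preview) render_rules ;;
    apply)   apply_laptop_firewall ;;
esac
```

`sh laptop-fw.sh preview` prints the rule set; `apply` needs root and replaces the INPUT chain.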


