
Re: iptables rules


> Can someone give me some advice on how to set up some simple rules as well as 
> having them refreshed when I restart?

I'd be happy to send you my iptables script if you like.  But it's
really best to craft one yourself so you'll really understand what
you are doing along the way.  That way when something breaks, you'll
have an understanding of how to fix it.  Here's how I did it:

    * Set up four chains:

        in_yes -- new connections we allow from the outside.  This
          includes things like a mail server, web server, and any local
          traffic I want to allow

        in_out -- connections we allow to contact our machine once
          we've initiated a connection.  For example, if I hit a
          web site, I need to let the web server send me the information
          I request.  With iptables connection tracking, this is easy
          (-m state --state ESTABLISHED,RELATED)

        logger -- By the time we've reached this chain, the packet
          shouldn't be allowed in, so we should be logging it so we
          can keep track of what people are trying to do

        in_no -- Drop everything that gets here (except port 113
          requests, which you should reject so mail servers don't hang
          while waiting for a response).

    * Connect these chains, in this order, to the INPUT chain:

        iptables -A INPUT -j in_yes
        iptables -A INPUT -j in_out
        iptables -A INPUT -j logger
        iptables -A INPUT -j in_no

    * Open a new window, 'tail -f /var/log/syslog' and start
        doing what you normally do.

    * When you see iptables complaining about something, either
        add a rule to allow that connection / protocol / etc.,
        or decide that it's a hacking attempt and consider yourself
        lucky that you've blocked him or her.

Expect to break things.  A lot!  And then expect to be very surprised
at how many scans and hack attempts you discover...

As far as getting it to run automatically when you restart, you might
look at the ipchains script that appeared recently in woody / sid.
Personally, I put all my rules into a shell script and then have
an init.d script call this file when I boot.  That way it goes into
effect on boot, but it's easy for me to tweak it when I discover I
want a new rule or want to block something special.  The first thing my
shell script does is to flush the chains so I'm always starting fresh.

Christopher S. Swingley         930 Koyukuk Drive
System / Network Manager        University of Alaska Fairbanks
IARC -- Frontier Program        Fairbanks, AK 99775

phone: 907-474-2689             fax: 907-474-2643
email: cswingle@iarc.uaf.edu    GNUPG and PGP2 keys at my web site
  web: http://www.frontier.iarc.uaf.edu/~cswingle
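An added example, not code from the original post: a boot-time shell script in the style described above. It flushes and recreates the four chains (in_yes, in_out, logger, in_no), fills them, and links them to INPUT in order; it prints the rules unless run as `sh firewall.sh apply`. The open ports (25, 80), the ident reject with tcp-reset and the rate limit on logging are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a four-chain iptables
# firewall script. Dry-run by default (prints the rules); pass "apply"
# to load them for real. Ports 25/80 and the log rate limit are assumptions.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# Print or execute one iptables command depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

firewall_rules() {
    # Start fresh: flush INPUT, then flush/delete/recreate our own chains
    ipt -F INPUT
    for c in in_yes in_out logger in_no; do
        ipt -F "$c" 2>/dev/null || true
        ipt -X "$c" 2>/dev/null || true
        ipt -N "$c"
    done

    # in_yes: new connections we accept (loopback, SMTP, HTTP)
    ipt -A in_yes -i lo -j ACCEPT
    ipt -A in_yes -p tcp --dport 25 -m state --state NEW -j ACCEPT
    ipt -A in_yes -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # in_out: replies to connections we initiated (connection tracking)
    ipt -A in_out -m state --state ESTABLISHED,RELATED -j ACCEPT

    # logger: anything still here is unwanted; log it, rate-limited so a
    # port scan cannot fill the disk with syslog entries
    ipt -A logger -m limit --limit 5/min -j LOG --log-prefix "iptables: "

    # in_no: reject ident (113) so remote mail servers don't hang, drop the rest
    ipt -A in_no -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    ipt -A in_no -j DROP

    # Link the chains to INPUT in this order
    for c in in_yes in_out logger in_no; do
        ipt -A INPUT -j "$c"
    done
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
esac
firewall_rules
```

An init.d script can call it with `apply` at boot; running it without arguments shows exactly which rules would be loaded.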
