iptables blocking rules

To: debian-user@lists.debian.org
Subject: iptables blocking rules
From: David <dbree@duo-county.com>
Date: Tue, 13 Jan 2004 16:24:22 -0600
Message-id: <[🔎] 20040113222422.GA1612@localhost.localdomain>
Mail-followup-to: debian-user@lists.debian.org

This is not a Debian-specific question but I've tried to post this thing
twice on comp.os.linux.security and my ISP is (temporarily, I hope) not
sending posts out, it seems, so I'd like to ask here.

My iptables rules were installed by firestarter.  My system is strictly
desktop and I have no outward-facing services.


The rules in question are these.  I have a string of rules like this:

#Block nonroutable IPs
$IPT -t filter -A INPUT -s 1.0.0.0/8 -i $IF -j $STOP
$IPT -t filter -A INPUT -s 2.0.0.0/8 -i $IF -j $STOP
$IPT -t filter -A INPUT -s 5.0.0.0/8 -i $IF -j $STOP

This includes IP's beginning with 72 of the first 128 #'s, plus 172,
197, 221, 223, and 240

Now, as an overview, and this is not all-inclusive, but as it applies to
this question, my firewall first sets my policy to drop for all three
major targets, sets these rules mentioned above (among other things), -
well, actually, it goes through a pretty long series of ports that it
sends to a defined rule "STOP", which is actually basically a DROP rule.

Then, there' this:

$IPT  -A INPUT -p tcp --dport 1024:65535 -j STATE

State is this:
# Create a new 'stateful module check' (STATE) convenience chain.
$IPT -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Try without this line...
#$IPT -A STATE -m state --state NEW -i ! lo -j ACCEPT
$IPT -A STATE -j LOG --log-prefix "STATE: "
$IPT -A STATE -j DROP


BTW.. note the commented-out rule with lo.  I commented this out.. I
ran the firestarter wizard on the latest (testing) package and now it's
-j DROP ( which would be correct), but quite a serious bug here..


Finally, the last rule in the chain (remember, policy is already DROP)
# Deny everything not let through earlier
$IPT -A INPUT -j DROP

Now, finally, the question.  

I don't see any need whatsoever for the "rules in question" above.  And
I think they are causing me some problems.  pricewatch.com, for one,
whose address is, I believe 69.20.62.194, falls in this group, as well,
I think, as skylane.? which is the pgp keyserver I've been trying to
use.  My firewall is dropping their (pricewatch's, at least) SYN ACK's
and they won't connect - or wouldn't - I commented out the 69.0.0.0/8
rule to DROP and can now connect.

Now, the question.  Are these rules needless?  I probably could put the
ESTABLISHED,RELATED rule prior to these rules, but in my case, it looks
like nothing should get in unless I specifically name it, seeing as my
policy is DROP and if that's not enough, that last rule should get them,
anyway.

Actually, the whole ruleset from firestarter seems a bit complex for my
setup.  Wouldn't it be pretty sufficient for a single-system setup to
have something basically like this:

set policy for INPUT & FORWARD to DROP ( leave OUTPUT to ACCEPT?)
set INPUT ESTABLISHED,RELATED to ACCEPT
< add some logging facilities >
< allow some icmp requests, maybe? >

Wouldn't that pretty well take care of it?

Sorry for the long post, but I wanted to include everything.

Reply to:

Follow-Ups:
- Re: iptables blocking rules
  - From: Matthias Hentges <mailinglisten@hentges.net>

Prev by Date: Problem installing debian over network
Next by Date: Re: charter font in debian's openoffice.org1.1
Previous by thread: Problem installing debian over network
Next by thread: Re: iptables blocking rules
Index(es):
- Date
- Thread