
Re: Better iptables firewall



On Thu, Aug 30, 2007 at 12:25:25AM -0400, Michael Pobega wrote:
> Currently I'm using iptables as my main firewall, and I'm having no
> trouble with it whatsoever. But lately (Since college has started) I've
> been connecting to a lot more networks, with more peers connected. I'm
> worried about somebody breaking through the security on my laptop and
> doing something malicious.
> 
> I'm hoping some seasoned Debian sysadmins out there can help me by
> advising me on how to better set up iptables... My current setup is:
> 
> 
> # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [35639:3072343]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
> -A INPUT -p icmp -j DROP
> #-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> COMMIT
> # Completed on Mon Jun 18 09:55:18 2007
> 
> The commented rules are uncommented in my ruleset for home (I only have
> those ports forwarded on my home router, so opening them outside is a
> potential security hazard)
> 
It looks like you're allowing unlimited output which means that if
something does break into your system then they can use your system to
spit stuff out without you knowing.  Overall, it seems like very few
rules.

Personally, I use shorewall to set up my netfilter rules.  If nothing
else, you probably should install the shorewall-doc package since it
covers the subject very well.  Here are my relevant shorewall configs
with the preamble comments removed.  This box is my main box and also
acts as a firewall for the rest of the network.

Policy first:
###############################################################################
#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL
loc		net		REJECT		info
fw		net		REJECT		info
net		all		DROP		 -
all		all		REJECT		info
#LAST LINE -- DO NOT REMOVE

Then the rules:
#############################################################################################################
#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#						PORT(S)	PORT(S)		DEST		LIMIT		GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS/ACCEPT	loc	fw
DNS/ACCEPT	loc	net
DNS/ACCEPT	fw	net
DNS/ACCEPT	fw	loc
SSH/ACCEPT	loc	fw
SSH/ACCEPT	fw	loc
NTP/ACCEPT	fw	net
NTP/ACCEPT	fw	loc
NTP/ACCEPT	loc	fw
POP3/ACCEPT	fw	net
POP3/ACCEPT	fw	loc
POP3/ACCEPT	loc	fw
POP3S/ACCEPT	fw	net
POP3S/ACCEPT	fw	loc
POP3S/ACCEPT	loc	fw
SMTP/ACCEPT	loc	fw
SMTP/ACCEPT	fw	net
SMTP/ACCEPT	fw	loc
SMTPS/ACCEPT	loc	fw
SMTPS/ACCEPT	fw	net
SMTPS/ACCEPT	loc	fw
Syslog/ACCEPT	fw	loc
Syslog/ACCEPT	loc	fw
FTP/ACCEPT	loc	net
FTP/ACCEPT	fw	net
FTP/ACCEPT	fw	loc
Ping/ACCEPT	loc	net
Ping/ACCEPT	fw	net
Ping/ACCEPT	loc	fw
Ping/ACCEPT	fw	loc
HTTP/ACCEPT	fw	net
HTTP/ACCEPT	loc	net
HTTP/ACCEPT	fw	loc
HTTPS/ACCEPT	fw	net
HTTPS/ACCEPT	loc	net
HTTPS/ACCEPT	fw	loc
Rsync/ACCEPT	loc	net
Rsync/ACCEPT	loc	fw
Rsync/ACCEPT	fw	net
Rsync/ACCEPT	fw	loc
Trcrt/ACCEPT	loc	net
Trcrt/ACCEPT	fw	net
Trcrt/ACCEPT	loc	fw
Trcrt/ACCEPT	fw	loc
ACCEPT		fw	loc	tcp	printer
ACCEPT		loc	fw	tcp	printer
# for GnuPG (OpenPGP) to retrieve/send keys to key server
ACCEPT		fw	net	tcp	11371
ACCEPT		fw	net	udp	11371
ACCEPT		loc	net	tcp	11371
ACCEPT		loc	net	udp	11371
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
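Added example, not from either poster: a POSIX shell check that flags filter-table chains left at the ACCEPT default in an iptables-save dump, beside a full filter table in which OUTPUT defaults to DROP so that only replies, loopback traffic and a small baseline of services may leave, with anything else logged before the policy drops it. The sample dump and the baseline service list (DNS, NTP, SSH, HTTP, HTTPS, ICMP) are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the poster's ruleset:
# INPUT defaults to DROP, but FORWARD and OUTPUT are left at ACCEPT.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35639:3072343]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Print the filter-table chains whose default policy is ACCEPT, one per line.
# Usage: iptables-save | permissive_chains
permissive_chains() {
    awk '/^[*]/    { table = substr($1, 2) }
         /^COMMIT/ { table = "" }
         table == "filter" && /^:/ && $2 == "ACCEPT" { print substr($1, 2) }'
}

# Succeed only when the OUTPUT chain of the dump on stdin does not default to ACCEPT.
output_is_restricted() {
    ! permissive_chains | grep -qx OUTPUT
}

# Full filter table closing the hole described in the reply: OUTPUT defaults to DROP,
# so only replies, loopback and an assumed laptop baseline (DNS, NTP, SSH, HTTP, HTTPS,
# ICMP) may leave; everything else is logged (rate limited) before the policy drops it.
hardened_filter_table() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Against the constructed sample this prints FORWARD and OUTPUT.
printf '%s\n' "$SAMPLE_RULES" | permissive_chains
```

Load the hardened table with `hardened_filter_table | iptables-restore` (as root, after adjusting the service list to what the laptop actually needs); dropped outbound attempts then show up in the kernel log under the OUTPUT-DROP prefix.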
