Re: Better iptables firewall
On Thu, Aug 30, 2007 at 12:25:25AM -0400, Michael Pobega wrote:
> Currently I'm using iptables as my main firewall, and I'm having no
> trouble with it whatsoever. But lately (Since college has started) I've
> been connecting to a lot more networks, with more peers connected. I'm
> worried about somebody breaking through the security on my laptop and
> doing something malicious.
>
> I'm hoping some seasoned Debian sysadmins out there can help me by
> advising me on how to better set up iptables... My current setup is:
>
>
> # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [35639:3072343]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
> -A INPUT -p icmp -j DROP
> #-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> COMMIT
> # Completed on Mon Jun 18 09:55:18 2007
>
> The commented rules are uncommented in my ruleset for home (I only have
> those ports forwarded on my home router, so opening them outside is a
> potential security hazard)
>
It looks like you're allowing unlimited output, which means that if
something does break into your system then they can use your system to
spit stuff out without you knowing. Overall, it seems like very few
rules.
Personally, I use shorewall to set up my netfilter rules. If nothing
else, you probably should install the shorewall-doc package since it
covers the subject very well. Here are my relevant shorewall configs
with the preamble comments removed. This box is my main box and also
acts as a firewall for the rest of the network.
Policy first:
###############################################################################
#SOURCE   DEST   POLICY   LOG      LIMIT:BURST
#                         LEVEL
loc       net    REJECT   info
fw        net    REJECT   info
net       all    DROP     -
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
Then the rules:
#############################################################################################################
#ACTION      SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
#                                 PORT(S)  PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS/ACCEPT loc fw
DNS/ACCEPT loc net
DNS/ACCEPT fw net
DNS/ACCEPT fw loc
SSH/ACCEPT loc fw
SSH/ACCEPT fw loc
NTP/ACCEPT fw net
NTP/ACCEPT fw loc
NTP/ACCEPT loc fw
POP3/ACCEPT fw net
POP3/ACCEPT fw loc
POP3/ACCEPT loc fw
POP3S/ACCEPT fw net
POP3S/ACCEPT fw loc
POP3S/ACCEPT loc fw
SMTP/ACCEPT loc fw
SMTP/ACCEPT fw net
SMTP/ACCEPT fw loc
SMTPS/ACCEPT loc fw
SMTPS/ACCEPT fw net
SMTPS/ACCEPT loc fw
Syslog/ACCEPT fw loc
Syslog/ACCEPT loc fw
FTP/ACCEPT loc net
FTP/ACCEPT fw net
FTP/ACCEPT fw loc
Ping/ACCEPT loc net
Ping/ACCEPT fw net
Ping/ACCEPT loc fw
Ping/ACCEPT fw loc
HTTP/ACCEPT fw net
HTTP/ACCEPT loc net
HTTP/ACCEPT fw loc
HTTPS/ACCEPT fw net
HTTPS/ACCEPT loc net
HTTPS/ACCEPT fw loc
Rsync/ACCEPT loc net
Rsync/ACCEPT loc fw
Rsync/ACCEPT fw net
Rsync/ACCEPT fw loc
Trcrt/ACCEPT loc net
Trcrt/ACCEPT fw net
Trcrt/ACCEPT loc fw
Trcrt/ACCEPT fw loc
ACCEPT fw loc tcp printer
ACCEPT loc fw tcp printer
# for GnuPG (OpenPGP) to retrieve/send keys to key server
ACCEPT fw net tcp 11371
ACCEPT fw net udp 11371
ACCEPT loc net tcp 11371
ACCEPT loc net udp 11371
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE