Shienarier (Apprentice; joined 16 Jun 2003; 278 posts)
Posted: Thu Dec 11, 2003 6:41 pm    Post subject: Help with IPtables
I have written the following script.
Code:
#!/bin/sh
IP=""
IPTABLES="/sbin/iptables"
# Flush all rules in the filter table and set every chain's default policy to DROP
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Port 80: HTTP (requests arrive with destination port 80, replies leave with source port 80)
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# Accept every inbound TCP packet that is not a SYN (i.e. anything that does not open a connection)
$IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT
# Allow loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
My purpose is to not allow anything except port 80 (apart from lo), and in that case, no connections to my computer. Will this script do just that? I am also planning to maybe open up additional ports later on.
dreamer (Apprentice; joined 16 Aug 2003; 236 posts)
Posted: Thu Dec 11, 2003 6:48 pm
Quote:
    Will this script do just that?

I think you should remove this rule:
Code:
$IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT

This allows all inbound traffic as long as the packets are not SYN packets, that is, "connection-making" packets.
Shienarier (Apprentice; joined 16 Jun 2003; 278 posts)
Posted: Fri Dec 12, 2003 6:47 pm
Perhaps I should make it drop SYNpackets instead? I thought that the two previous lines would ensure that only port 80 was open, and that after that I would drop all SYNpackages (only those directed at port 80 being left).
dreamer (Apprentice; joined 16 Aug 2003; 236 posts)
Posted: Fri Dec 12, 2003 7:26 pm
Quote:
    Perhaps I should make it drop SYNpackets instead?

That's not necessary, since everything is already dropped by default.
I think you can remove the last line, since it opens up your whole system. Without it you will just allow port 80 in and out, and that's exactly what you wanted.
Something else: I'm not sure if it's wise to close the OUTPUT this tight. If you run into problems you should check this.
Shienarier (Apprentice; joined 16 Jun 2003; 278 posts)
Posted: Sat Dec 13, 2003 2:18 pm
But SYNpackages directed at port 80 would be allowed if I removed that line? Thing is, I want everything to be able to go in and out of port 80 freely, except SYNpackages.
Doesn't iptables check rules line by line?
Senso (Apprentice; joined 17 Jun 2003; 250 posts; Location: Montreal, Quebec)
Posted: Sat Dec 13, 2003 8:45 pm
Shienarier wrote:
    But SYNpackages directed at port 80 would be allowed if I removed that line? Thing is, I want everything to be able to go in and out of port 80 freely, except SYNpackages.
    Doesn't iptables check rules line by line?

SYNpackages? I guess you simply mean SYN packets. In any case, if you are blocking SYN packets (new connections), nobody will be able to connect to your website, so I hope that's what you want. With your current rules, traffic will be allowed to port 80 only if your side initiates the connection (and why you would initiate a connection from port 80, I don't know).
I suggest you block NEW connections which are not SYN with the following rule:
Code:
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Normally, if a new connection isn't a SYN, that means someone is randomly scanning you or trying to infiltrate/override an already running connection.
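The ruleset the thread converges on (default DROP, loopback, new connections accepted only to port 80, Senso's drop of NEW-but-not-SYN packets, plus the stateful ESTABLISHED,RELATED rules the original script lacks), as an added example that is not code from any of the posters. It uses the newer `-m conntrack --ctstate` match where the thread writes `-m state --state` (current iptables accepts both). The script name, the IPTABLES and HTTP_PORT defaults and the helper function names are assumptions. The rules are generated as text first so their order can be reviewed and checked without root, which is also the answer to the "line by line" question: iptables evaluates a chain top to bottom and the first rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate.

```shell
#!/bin/sh
# Added example, not code from the thread. generate_rules prints the iptables
# commands in the order they would be appended; apply_rules runs them.
# IPTABLES and HTTP_PORT defaults are assumptions for illustration.
IPTABLES="${IPTABLES:-/sbin/iptables}"
HTTP_PORT="${HTTP_PORT:-80}"

# Order matters: iptables stops at the first terminating match, so the
# drop of NEW-but-not-SYN packets comes before the port-80 accept, and no
# rule accepts a whole class of traffic the way "! --syn -j ACCEPT" did.
generate_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $HTTP_PORT --syn -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Number of generated commands (whitespace stripped for portable wc output).
rule_count() {
    generate_rules | wc -l | tr -d ' '
}

# 1-based position of the first generated command matching PATTERN (a grep
# basic regular expression), or 0 when nothing matches. Used to check order.
rule_position() {
    pos=$(generate_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Succeeds when no rule accepts every non-SYN packet, which was the mistake
# in the original script (a DROP of that class is fine).
no_bare_nonsyn_accept() {
    ! generate_rules | grep -- '! --syn' | grep -q 'ACCEPT$'
}

# Succeeds when the NEW-but-not-SYN drop is evaluated before the rule that
# accepts new connections to the HTTP port.
nonsyn_drop_precedes_http_accept() {
    [ "$(rule_position '! --syn.*-j DROP')" -gt 0 ] &&
    [ "$(rule_position '! --syn.*-j DROP')" -lt "$(rule_position "dport $HTTP_PORT")" ]
}

# Run the generated commands. The while loop is a subshell, so "exit 1" ends
# only the loop and becomes the function's exit status.
apply_rules() {
    generate_rules | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage: ./webfw.sh          print the rules for review
#        ./webfw.sh apply    load them (needs root), after the order checks
if [ "${1:-}" = "apply" ]; then
    no_bare_nonsyn_accept && nonsyn_drop_precedes_http_accept && apply_rules
else
    generate_rules
fi
```

Run without arguments to print the rules; `apply` loads them once the two checks pass. The OUTPUT chain only lets replies to established connections out, which is the tight setup dreamer warns about: outbound DNS, package updates and anything else the host initiates would each need its own OUTPUT rule.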