compucoder (Apprentice)
Joined: 16 Sep 2002, Posts: 246, Location: London, Canada
Posted: Wed Apr 21, 2004 4:35 am    Post subject: good firewall rules?
I am trying to set up my Gentoo web server to only allow certain ports, using iptables.
I want to only allow incoming connections to 22, 80 and 10000 and drop everything else. I also would like pings to be enabled; it would be nice to control how much 'ping' is acceptable and drop if someone tries to ping me to death.
And outgoing just 25, for websites to send mail.
I managed to get together a rules file using webmin and some tampering.
The box has one card (eth0) and has a public internet IP (web server).
Can anyone tell me if this rules file is doing what I need above?
Thanks.
# Generated by iptables-save v1.2.9 on Tue Apr 20 23:40:36 2004
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces (anything not arriving on eth0, e.g. lo)
-A INPUT ! -i eth0 -j ACCEPT
# Accept any TCP segment with the ACK flag set, whatever its port or connection state
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries (UDP from source port 53 to an unprivileged port)
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings (echo-reply only; incoming echo-request is not accepted)
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets (TTL expired, as used by traceroute)
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server (port 22)
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server (port 113)
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to our web server (port 80)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables-restore requires this line to end the table
COMMIT
# Completed on Tue Apr 20 23:40:36 2004
Passe-Poil (Tux's lil' helper)
Joined: 18 Feb 2004, Posts: 139, Location: Québec, QC, Canada
Posted: Fri Apr 23, 2004 12:59 am
If you want to take it easy, try guarddog. It's a simple KDE app used to configure firewall rules.
_________________
Violence is the last refuge of the incompetent.
klasikahl (Retired Dev)
Joined: 04 Nov 2002, Posts: 118, Location: Paradise Valley, Arizona
Posted: Fri Apr 23, 2004 4:50 am
Explore the rate parameter to limit how many pings can be sent in a specified amount of time. For instance, I limit certain packets to thwart possible SYN/ACK attacks.
_________________
http://tehunlose.com
http://dev.gentoo.org/~klasikahl/
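As an added example (not code from the thread, from webmin or from any Gentoo tool), the following Python models just enough of the iptables INPUT chain to answer the first post's question mechanically, and to show what klasikahl's rate suggestion (`-m limit`) does to a ping flood. It parses the INPUT rules from the first post, runs a few constructed probe packets through them, and then does the same for a constructed replacement ruleset that opens only 22, 80 and 10000, accepts echo-request at a limited rate, and drops the bare ACK rule. Assumptions: connection state is supplied with each packet rather than tracked, `-m limit` is modelled as a token bucket that starts full, and the service-name and ICMP-type tables cover only the names used here.

```python
"""Toy model of the iptables INPUT chain: enough to run probe packets
through the ruleset from the first post and through a constructed
replacement. Added example, not code from the thread or from Gentoo.
Assumed simplifications: connection state is supplied with each packet
(no conntrack) and -m limit is a token bucket that starts full."""
import shlex

SERVICES = {"ssh": 22, "auth": 113}          # only the names the posted rules use
ICMP = {"echo-reply": 0, "echo-request": 8}  # only the types probed below
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# INPUT rules copied from the first post; its four extra ICMP accepts are
# omitted because they do not change any verdict below.
POSTED = """
:INPUT DROP [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Constructed replacement for what the post asks: new connections only to
# 22, 80 and 10000, echo-request at 1/s with a burst of 5, no bare ACK rule.
FIXED = """
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
-A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --syn --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --syn --dport 10000 -j ACCEPT
"""

def port(spec):
    """'ssh' -> (22, 22); '1024:65535' -> (1024, 65535)"""
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    return lo, (int(SERVICES.get(hi, hi)) if hi else lo)

def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        if tok[:2] != ["-A", chain]:
            continue
        r, i = {"neg": False}, 2
        while i < len(tok):
            t, i = tok[i], i + 1
            if t == "!": r["neg"] = True          # only used as '! -i' in the thread
            elif t == "-i": r["iface"] = tok[i]; i += 1
            elif t == "-p": r["proto"] = tok[i]; i += 1
            elif t == "--dport": r["dport"] = port(tok[i]); i += 1
            elif t == "--sport": r["sport"] = port(tok[i]); i += 1
            elif t == "--tcp-flags":              # mask, then the flags that must be set
                r["flags"] = (set(tok[i].split(",")), set(tok[i + 1].split(","))); i += 2
            elif t == "--syn": r["flags"] = ({"SYN", "RST", "ACK", "FIN"}, {"SYN"})
            elif t == "--icmp-type": r["icmp"] = ICMP[tok[i]]; i += 1
            elif t == "--state": r["states"] = set(tok[i].split(",")); i += 1
            elif t == "--limit":                  # '1/second' -> tokens per second
                n, unit = tok[i].split("/"); i += 1
                r["rate"] = float(n) / UNITS[next(u for u in UNITS if u.startswith(unit))]
                r.setdefault("burst", 5)          # iptables default for --limit-burst
            elif t == "--limit-burst": r["burst"] = int(tok[i]); i += 1
            elif t == "-j": r["target"] = tok[i]; i += 1
            elif t == "-m": i += 1                # match-module name, nothing to evaluate
        if "rate" in r:                           # bucket starts full, as in the kernel
            r["tokens"], r["last"] = float(r["burst"]), 0.0
        rules.append(r)
    return policy, rules

def matches(r, pkt):
    if "iface" in r and (pkt["iface"] == r["iface"]) == r["neg"]: return False
    if "proto" in r and pkt["proto"] != r["proto"]: return False
    for k in ("dport", "sport"):
        if k in r and not r[k][0] <= pkt.get(k, -1) <= r[k][1]: return False
    if "flags" in r and pkt.get("flags", set()) & r["flags"][0] != r["flags"][1]: return False
    if "icmp" in r and pkt.get("icmp") != r["icmp"]: return False
    if "states" in r and pkt.get("state", "NEW") not in r["states"]: return False
    if "rate" in r:                               # refill since the last packet, cap at burst
        now = pkt.get("t", 0.0)
        r["tokens"] = min(r["burst"], r["tokens"] + (now - r["last"]) * r["rate"])
        r["last"] = now
        if r["tokens"] < 1: return False          # over the rate: this rule does not match
        r["tokens"] -= 1
    return True

def verdict(chain, pkt):
    policy, rules = chain                         # first matching rule wins, else policy
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

def tcp(dport, flags, state="NEW"):               # constructed segment arriving on eth0
    return {"iface": "eth0", "proto": "tcp", "dport": dport, "sport": 40123,
            "flags": set(flags.split(",")), "state": state}

def ping(t):                                      # constructed echo-request at time t (s)
    return {"iface": "eth0", "proto": "icmp", "icmp": ICMP["echo-request"], "t": t}

PROBES = [tcp(80, "SYN"), tcp(10000, "SYN"), tcp(10000, "ACK"), tcp(113, "SYN"), ping(0.0)]

def audit(text):
    """Verdicts for PROBES against a fresh copy of the chain."""
    chain = parse_chain(text)
    return [verdict(chain, p) for p in PROBES]

def ping_flood(text, count, interval):
    """Verdicts for `count` echo-requests spaced `interval` seconds apart."""
    chain = parse_chain(text)
    return [verdict(chain, ping(i * interval)) for i in range(count)]
```

Running `audit(POSTED)` gives ACCEPT, DROP, ACCEPT, ACCEPT, DROP for the five probes: port 80 is open, port 10000 (webmin) is not, a segment to 10000 with only ACK set is accepted anyway because the `--tcp-flags ACK ACK` rule fires before any port or state check (the state rules already cover legitimate replies, so that rule only widens exposure, and it is exactly what an ACK scan relies on), ident (113) is open although the post did not ask for it, and incoming echo-request is dropped, so nobody can ping the box. `audit(FIXED)` gives ACCEPT, ACCEPT, DROP, DROP, ACCEPT, and `ping_flood(FIXED, 8, 0.0)` accepts the first five pings and drops the next three, while one ping per second is accepted indefinitely. Two caveats for the real box: `-m limit` is per rule, not per source, so the burst is shared by everyone; and if OUTPUT is later set to DROP to allow only port 25 out, it also needs ESTABLISHED,RELATED and UDP 53, or the server can no longer answer its own web and SSH clients or resolve names.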