coreutils
n00b
Joined: 16 Oct 2003
Posts: 25
|
 Posted: Thu Oct 16, 2003 5:04 pm Post subject: iptables filters sanity check |
 |
|
I have set up a basic firewall using iptables on my gentoo box.
I am connected to the internet through a cisco 677 router, and there are no other hosts on my LAN. eth0 has IP 10.0.0.2.
I don't have too much experience with iptables and would therefore appreciate a second opinion of my iptables rules. My iptables script looks like this:
#!/bin/bash
# Load modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
###############################################################
IPT=/sbin/iptables
# 113 AUTH - needed for logging in on certain IRC servers
TCPIN="auth"
# 8118 privoxy
TCPOUT="telnet,smtp,nntp,www,ftp,ftp-data,ircd,8118,rsync"
# Logging ?
LOGGING=1
# INPUT log prefix
IPREFIX="INPUT filter: "
# OUTPUT log prifix
OPREFIX="OUTPUT filter: "
# 4=warning 6=informational 7=debug
LOGLEVEL=4
#################################################################
# Flush all tables
$IPT -F
# (1) Defualt policy - deny all traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# (2) Accept fragments, in iptables this must be done this explicitly.
$IPT -A INPUT -f -j ACCEPT
# (3) Accept all packets belonging to an established connection
# (i.e having the ACK bit set)
# $IPT -A INPUT -p ALL -d 10.0.0.2 ! --tcp-flags SYN,ACK ACK -j ACCEPT
$IPT -A INPUT -p ALL -d 10.0.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p ALL -s 10.0.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# (4) TCP - INCOMING CONNECTIONS
# Accept connection requests from the outside only on the allowed TCP ports.
$IPT -A INPUT -m multiport -p tcp -i eth0 -d 10.0.0.2 --dports $TCPIN --syn -j ACCEPT
# (5) TCP - OUTGOING CONNECTIONS
# Accept all outgoing tcp connection requests only on the allowed TCP ports.
# SYN bit set, ACK and FIN bit cleared i.e establish a connection
$IPT -A OUTPUT -m multiport -p tcp -s 10.0.0.2 --dports $TCPOUT --syn -j ACCEPT
# (6) UDP - INCOMING
# Allow UDP datagrams in on the allowed ports and back.
# $IPT -A INPUT -p udp -j ACCEPT
# (7) UDP - OUTGOING
# Allow UDP datagrams out to the allowed ports and back.
$IPT -A OUTPUT -p udp -s 10.0.0.2 --dport domain -j ACCEPT #DNS
$IPT -A OUTPUT -p udp -s 10.0.0.2 --dport rsync -j ACCEPT
# (8) ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
$IPT -A INPUT -p icmp -d 10.0.0.2 --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp -d 10.0.0.2 --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp -d 10.0.0.2 --icmp-type echo-reply -j ACCEPT
# (9) ICMP - OUTGOING
# ref: /usr/include/netinet/ip_icmp.h for type numbers
$IPT -A OUTPUT -p icmp -j ACCEPT
# (10) loopback rules (Accept all loopbacking)
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# (11) DEFAULT and LOGGING
# All remaining datagrams fall through to the default rule and are dropped.
# They will be logged if the LOGGING variable is set.
if [ "$LOGGING" ]
then
$IPT -A INPUT -p ALL -j LOG --log-prefix=$IPREFIX --log-level=$LOGLEVEL
$IPT -A OUTPUT -p ALL -j LOG --log-prefix=$OPREFIX --log-level=$LOGLEVEL
fi
#
# end.
Thanks in advance for any response. |
|
Networking & Security
