Re: iptables firewall script for debian-woody, 2.4.24

From: Gord Philpott (tech_at_gordphilpott.com)
Date: 04/02/04

    Date: Thu, 01 Apr 2004 20:17:36 -0500
    To: cookie <cookie@rknrobin.com>, focus-linux@securityfocus.com
    
    

    At 02:08 PM 4/1/2004 -0800, you wrote:
    >a quick glance shows this to be pretty sound... I don't see any reason
    >your box should be dropping 53 requests after running these rules...
    >then again, there's no way to know for certain unless you take a look at
    >the running rules (iptables -L INPUT -n;iptables -L OUTPUT -n) and scan
    >through it for anything iffy if you're still unsure, I'd post that here as
    >well.
    >
    >PS. commented lines aren't really necessary for diagnosing a ruleset.

    Here is the output when the firewall is turned ON:
    --Gord.

    dns2:/etc/init.d# iptables -L -n
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 30
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
    spts:32769:65535 dpts:33434:33523
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 127.0.0.1 127.0.0.1
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
    RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:32768
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
    reject-with icmp-port-unreachable
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
    spts:32769:65535 dpts:33434:33523
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 30
    ACCEPT all -- 127.0.0.1 127.0.0.1
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
    RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    dns2:/etc/init.d#
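An added example, not part of this thread and not Gord's or cookie's code: a small Python script that parses `iptables -L -n` output like the listing above, re-joins the lines that wrapped at the mail's width, and flags an unconditional `ACCEPT all 0.0.0.0/0 0.0.0.0/0` rule, after which nothing else in that chain can match. The sample input is a constructed excerpt of the INPUT chain; since `-L -n` does not print interfaces, such a rule may really be a `-i lo` rule, which `-L -n -v` would show.

```python
import re
# Constructed sample: the INPUT chain from the listing above, with the
# rule lines that wrapped at the mail's line width kept as they appear.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
spts:32769:65535 dpts:33434:33523
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
reject-with icmp-port-unreachable
"""
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

def parse_chains(text):
    """Return {chain: (policy, [rules])}, re-joining rule lines that wrapped."""
    chains, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif not line or line.startswith("target "):
            continue  # blank line or column header
        elif line.split()[0] in TARGETS:
            f = line.split()
            chains[cur][1].append({"target": f[0], "prot": f[1], "src": f[3],
                                   "dst": f[4], "match": " ".join(f[5:])})
        elif cur and chains[cur][1]:
            chains[cur][1][-1]["match"] += " " + line  # wrapped continuation
    return chains

def is_catch_all(r):
    # ACCEPT all, any source, any destination, no further match. `-L -n`
    # hides interfaces, so a `-i lo` rule looks exactly like this.
    return (r["target"] == "ACCEPT" and r["prot"] == "all" and not r["match"]
            and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0")

def find_shadowed(chains):
    """Per chain: 1-based position of the first catch-all ACCEPT and the rules after it."""
    out = {}
    for name, (_, rules) in chains.items():
        for i, r in enumerate(rules):
            if is_catch_all(r):
                out[name] = {"position": i + 1, "shadowed": len(rules) - i - 1}
                break
    return out
```

Run against the full listing, it reports the third INPUT rule as a catch-all; whether that is a problem depends on the interface column that only `-L -n -v` shows.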

