Re: iptables configuration
From: Natman (natmanz@home.com) Date: 12/11/01
- Next message: Sean: "Re: MySQl snort logging"
- Previous message: Bit Twister: "Re: DNS Security (2)"
- Next in thread: Ian Jones: "Re: iptables configuration"
- Reply: Ian Jones: "Re: iptables configuration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Natman" <natmanz@home.com> Date: Mon, 10 Dec 2001 23:42:01 GMT
I have a few questions to Ian... (In case you haven't noticed, I'm not the
OP).
I have a RH firewall (iptables) setup to protect my LAN, and this setup is
similar to mine (but my setup is fairly complex, esp in the INPUT chain... I
even have a special INPUT chain to dynamically deny Nimda attackers). I'm
always trying to find ways to improve things, hence the questions. They're
below.
"Ian Jones" <ian@dsl081-056-052.sfo1.dsl.speakeasy.net> wrote in message
news:m3lmgbubjd.fsf@mobile.lan...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jerry Cornelius <multiverse@hotmail.com> writes:
>
> > Have I left any gaping holes with this configuration? I've tried to
> > nmap it from outside the network without success (a heartening sign).
> > How could I be less verbose with these rules? Any feedback at all would
> > be appreciated.
>
> You did ask....
>
> > $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Protected hosts can initiate absolutely any connection they want
> here. Is this what you intended?
I do this too. What other options are there? My clients on the LAN run
everything from basic web/email to mIRC, Morpheus, and some games. I know
that if a 'virus/trojan' initiated a connection to the net, the firewall
would not protect the LAN. Is there some better way to make sure that only
'authorized' connections are allowed?
>
> > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
>
> You want to respond to ping?
>
> > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
>
> You do not want to accept redirects do you?
>
> > # TCP rules
> > # UDP ports
>
> My, but you are allowing a lot of services, among them DNS and irc
> server. Your time might be better spent shutting down services than
> building a packet filter.
>
> > $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
>
> This means that you are not filtering _anything_ in your OUTPUT
> chain. The result of this is that your OS can be fingerprinted and
> your filter rules can be mapped. If the hosts behind the firewall are
> assigned public IP addresses then they can be mapped too.
My OUTPUT chain accepts (basically) everything too. The only
exception is known bad IPs. What should I be blocking here? I run DNS,
HTTP, FTP, SSH, etc. to the net, so I think I can't really block much... any
specifics?
Natman
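A tighter rule set for the three points raised in the thread above (LAN hosts allowed to start any connection, ICMP redirects being accepted, and an OUTPUT chain that filters nothing), added here as an example and not part of the original posts. The interface names, the LAN network and the port lists are assumptions; setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: restrict what the LAN may initiate, drop ICMP redirects,
# and let only tracked replies plus a few chosen services leave the box.
IPTABLES="${IPTABLES:-iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"          # assumed LAN-side interface
INET_IFACE="${INET_IFACE:-eth0}"        # assumed Internet-side interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed private LAN range
LAN_TCP_OUT="80 443 25 110 6667"        # web, mail and IRC from the post
LAN_UDP_OUT="53 123"                    # DNS and NTP

lan_forward_rules() {
    # Replies to connections already accepted are always fine
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW connections only from the LAN range, only to the listed ports
    for p in $LAN_TCP_OUT; do
        $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
            -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $LAN_UDP_OUT; do
        $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
            -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Anything else a LAN host tries to start (worm, trojan, P2P) is logged, then dropped
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: "
    $IPTABLES -A FORWARD -j DROP
}

icmp_rules() {
    # Redirects (type 5) rewrite the routing table; never take them from outside
    $IPTABLES -A icmp_packets -p icmp --icmp-type 5 -j DROP
    # Echo replies to our own pings arrive as ESTABLISHED, so no type-0 accept is needed;
    # inbound echo requests are rate-limited, unreachables are needed for PMTU discovery
    $IPTABLES -A icmp_packets -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A icmp_packets -p icmp --icmp-type 3 -j ACCEPT
}

output_rules() {
    # Replies from the firewall's own DNS/HTTP/FTP/SSH servers are ESTABLISHED or RELATED
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # What the firewall itself may start toward the Internet: DNS lookups and time sync
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -p udp --dport 123 -m state --state NEW -j ACCEPT
    # Unsolicited packets (the ones that let probes map the ruleset) never leave
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -m limit --limit 5/min -j LOG --log-prefix "OUT-DENY: "
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -j DROP
}
```

Call the three functions after flushing the chains and creating icmp_packets; run with IPTABLES=echo first and read the generated rules before loading them on the real box.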