Re: are these good iptables rules?
From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Sun, 13 Jan 2002 10:34:31 +0100
Marc Greene wrote:
>
> I just (finally) got around to upgrading to RedHat 7.2, started
> with iptables instead of ipchains, and was hoping someone would point
> if I made any mistakes. I have 2 machines on a lan behind the firewall,
> so I read the IP-Masquerading Howto for kernel 2.4, and also used some
> suggestions I've seen posted. I'm not providing any services to the
> internet, only to the lan, and this setup seems to work as it should
> (allowing the lan full access to services, but the internet none).
>
> First I used chkconfig to disable ipchains. The /etc/rc.d/init.d/iptables
> startup script looks for /etc/sysconfig/iptables, which wasn't there, so
> I had to write it from scratch:
That is the right way to start.
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s 127.0.0.0/255.0.0.0 -j LOG
> -A INPUT -d 127.0.0.0/255.0.0.0 -j LOG
> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -i ppp0 -s 192.168.0.0/255.255.255.0 -j LOG
> -A INPUT -i ppp0 -d 192.168.0.0/255.255.255.0 -j LOG
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -j LOG
> COMMIT
I see you log most spurious packets, but your first four
LOG rules actually let the spurious packets through. I
would think those packets should be logged and dropped.
You could make a user-defined chain for that:
-A LOGDROP -j LOG
-A LOGDROP -j DROP
You could also add to that a limit on how often packets
get logged to avoid filling up your disk with logs.
>
> I think that solved my firewall issue except for masquerading, so
> (according to the HowTo), I made an /etc/rc.firewall script and called
> it from /etc/rc.d/rc.local:
>
> /sbin/insmod ip_conntrack_ftp
> echo "1" >/proc/sys/net/ipv4/ip_forward
> echo "1" >/proc/sys/net/ipv4/ip_dynaddr
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F FORWARD
> /sbin/iptables -t nat -F
> /sbin/iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> /sbin/iptables -A FORWARD -j LOG
> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> It seems to work well, but I just wonder if this is the 'correct'
> way to do this, or if it's the most secure. Can anyone criticize
> it for me? I'm not exactly an expert :-)
This howto seems to be a little outdated, or just not
suited for the system you use. The mixture of a custom
script and using /etc/sysconfig/iptables is a bad idea.
My suggestion is that you remove the custom script, and
place those rules in /etc/sysconfig/iptables instead.
Your /etc/sysconfig/iptables file could look like this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOGDROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOGDROP
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -s 192.168.0.0/255.255.255.0 -j LOGDROP
-A INPUT -i ppp0 -d 192.168.0.0/255.255.255.0 -j LOGDROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 1/minute --limit-burst 42 -j LOG
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
I think this would be the right way to implement your
ruleset. I put all of it in a single configuration
file, and I use the LOGDROP chain everywhere a packet
is logged and dropped.
The line echo "1" >/proc/sys/net/ipv4/ip_forward
should be completely removed; instead you should
change the config file /etc/sysctl.conf.
I don't know exactly what ip_dynaddr does, but
perhaps you could do the same by adding this line
net.ipv4.ip_dynaddr = 1 to /etc/sysctl.conf.
Finally the line /sbin/insmod ip_conntrack_ftp
needs to be somewhere if you need it. I don't
know if there is some appropriate place; for lack of
a better place I would suggest /etc/rc.d/rc.local,
where you probably already call your firewall script.
You might also want to load the module ip_nat_ftp
to make ftp work through the masquerading as well.
Notice that FTP is a very insecure protocol; it
sends passwords in cleartext. If it is at all an
option, you should avoid it on the internet. Using
it on your LAN is fine, and if that is all you want to
do, you of course don't need the ip_nat_ftp module.
>
> Marc
--
Kasper Dupont
For sending spam use mailto:u972183+6138@daimi.au.dk
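The defect Kasper points out (a -j LOG rule is non-terminating, so the logged packet keeps traversing the chain and may be accepted by a later rule) is easy to check mechanically. The following script is an added example, not code from the thread or from any of the people in it: it parses a ruleset in iptables-save / /etc/sysconfig/iptables format, and for every LOG rule in the *filter table reports whether the same packets are then dropped (by an identical-match DROP/REJECT, by an unconditional DROP/REJECT, by a user chain such as LOGDROP that ends in one, or by a DROP policy when the LOG rule is last) and whether the LOG rule carries -m limit. The two sample rulesets embedded below are the ones quoted in the thread; the chain names and match handling beyond -A, -j and -m limit are assumptions of this example.

```python
"""Lint an iptables-save style ruleset for LOG rules that fall through.

Added example, not part of the mailing-list thread. Two findings:
  log-fallthrough : a -j LOG rule whose packets are not dropped by the
                    next rule (or the chain policy) and so keep going.
  unlimited-log   : a -j LOG rule without -m limit, which can flood the log.
"""
import shlex
from collections import OrderedDict

TERMINATING = {"DROP", "REJECT"}


def parse_filter_table(text):
    """Return (policies, chains) for the *filter table.

    policies: {chain: policy string or '-' for user chains}
    chains:   {chain: [(match_tokens, target), ...]} in -A order
    """
    policies, chains, table = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "filter":
            continue
        if line.startswith(":"):          # chain declaration ":NAME POLICY [p:b]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        tokens = shlex.split(line)
        if tokens[:1] != ["-A"]:
            continue                      # only -A rules are modelled here (assumption)
        chain, rest = tokens[1], tokens[2:]
        match, target, i = [], None, 0
        while i < len(rest):
            if rest[i] == "-j":           # everything except -j TARGET is "match"
                target = rest[i + 1]
                i += 2
            else:
                match.append(rest[i])
                i += 1
        chains.setdefault(chain, []).append((tuple(match), target))
    return policies, chains


def strip_limit(match):
    """Drop '-m limit --limit X --limit-burst Y' so matches can be compared."""
    out, i = [], 0
    while i < len(match):
        if match[i] == "-m" and i + 1 < len(match) and match[i + 1] == "limit":
            i += 2
        elif match[i] in ("--limit", "--limit-burst"):
            i += 2
        else:
            out.append(match[i])
            i += 1
    return tuple(out)


def chain_terminates(target, chains, depth=0):
    """True if target is DROP/REJECT or a user chain whose last rule is an
    unconditional DROP/REJECT (directly or via another such chain)."""
    if target in TERMINATING:
        return True
    rules = chains.get(target)
    if not rules or depth > 8:
        return False
    last_match, last_target = rules[-1]
    return last_match == () and chain_terminates(last_target, chains, depth + 1)


def lint_log_rules(text):
    """Return a list of (finding, rule_text) tuples for the *filter table."""
    policies, chains = parse_filter_table(text)
    findings = []
    for chain, rules in chains.items():
        for idx, (match, target) in enumerate(rules):
            if target != "LOG":
                continue
            rule_txt = " ".join(["-A", chain, *match, "-j", "LOG"])
            if "limit" not in match:
                findings.append(("unlimited-log", rule_txt))
            nxt = rules[idx + 1] if idx + 1 < len(rules) else None
            if nxt is None:
                # last rule: the chain policy decides what happens next
                if policies.get(chain) in TERMINATING:
                    continue
            else:
                nxt_match, nxt_target = nxt
                covers = nxt_match == () or nxt_match == strip_limit(match)
                if covers and chain_terminates(nxt_target, chains):
                    continue              # logged, then dropped: fine
            findings.append(("log-fallthrough", rule_txt))
    return findings


# Marc's original /etc/sysconfig/iptables, as quoted in the thread.
MARC_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOG
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOG
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -s 192.168.0.0/255.255.255.0 -j LOG
-A INPUT -i ppp0 -d 192.168.0.0/255.255.255.0 -j LOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
COMMIT
"""

# Kasper's suggested replacement, as quoted in the thread.
KASPER_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOGDROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOGDROP
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -s 192.168.0.0/255.255.255.0 -j LOGDROP
-A INPUT -i ppp0 -d 192.168.0.0/255.255.255.0 -j LOGDROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 1/minute --limit-burst 42 -j LOG
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("Marc", MARC_RULES), ("Kasper", KASPER_RULES)):
        print(f"{name}: {len(lint_log_rules(rules))} finding(s)")
        for kind, rule in lint_log_rules(rules):
            print(f"  {kind:16} {rule}")
```

Run against Marc's file it reports the four fall-through LOG rules Kasper names (the final catch-all LOG is fine because the INPUT policy is DROP) plus five unlimited LOG rules; Kasper's version produces no findings, because every LOG goes through LOGDROP, which rate-limits the log and then drops. Feeding it `iptables-save` output from a live box is the intended use.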