Re: Iptables firewall

From: hf (nfg@lol.com)
Date: 12/12/02


From: "hf" <nfg@lol.com>
Date: Thu, 12 Dec 2002 01:39:33 +0100


Ok, I corrected these rules, but is there anything else I could do about my
firewall?

User "Teemu" <teemu@suomi.fi> wrote in message
news:2baevuk4i4qtdklpgirk44cqlsjaop3gog@4ax.com...
> On Wed, 11 Dec 2002 11:15:31 +0100, "hf" <nfg@lol.com> wrote:
>
> >Hello
> >I am an iptables newbie, but I read some docs and set up some firewall rules
> >by myself.
> >I want to achieve:
> >
> >access to port 80 for everyone
> >access to port 21 for specified address
> >access to port 22 for specified address
> >access to dns
> >
> >As I said before I wrote my own rules, but I have a few problems with
> >them (with setting up "state" I think).
> >Once I am connected with ssh it's ok, but I cannot connect again.
> >
> >If you could help me write correct rules, I want to write the best possible
> >firewall for me.
> >
> >These are my rules:
> >
>
> >iptables -P INPUT DROP
> You should probably flush these.
> iptables -F INPUT
> >iptables -P FORWARD DROP
> iptables -F FORWARD
> >iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> >iptables -A INPUT -i lo -j ACCEPT
> >iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
> >iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> >iptables -A INPUT -i eth0 -s 172.16.0.0/16 -j DROP
> >iptables -A INPUT -i eth0 -s 224.0.0.4/3 -j DROP
> >
> >
> >iptables -I INPUT -i eth0 -p tcp --tcp-flags ! ALL SYN -m state --state NEW -j DROP
> >iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>
> SYN and ACK dropped? why?
>
>
> ># http
> >iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
>
> not --state NEW,ESTABLISHED?
>
> >
> >#ssh
> >iptables -A INPUT -s 192.168.0.0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
> >iptables -A INPUT -s 62.233.231.17 -p tcp --dport 22 -m state --state NEW -j ACCEPT
> >
> >iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
>
> IMO you should use established on each individual rule. Its easier to
> read, and accepting all established could be trouble.
>
> >
> >#dns
> >iptables -A INPUT -i eth0 -p udp -s 194.204.159.1 --sport 53 -m
> >state --state ESTABLISHED -j ACCEPT
> >iptables -A INPUT -i eth0 -p udp -s 194.204.152.34 --sport 53 -m
> >state --state ESTABLISHED -j ACCEPT
>
> Is it meaning that new connections are not accepted?
>
> >
> >iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state NEW -j ACCEPT
> >iptables -A INPUT -i eth0 -p tcp --dport 53 -m state --state NEW -j ACCEPT
> >
> >iptables -A INPUT -i eth0 -p udp -d 62.233.231.17 -s 194.204.152.34 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> >iptables -A INPUT -i eth0 -p udp -d 62.233.231.17 -s 194.204.159.1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
>
> unless you always have same ip, you should use variable, which is
> given your current IP.
>
>
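
A cleaned-up version of the ruleset above, written as an added example rather than the original poster's or Teemu's script: the chains are flushed before loading so the script can be re-run, one early ESTABLISHED,RELATED rule for TCP lets a second ssh session in, per-service rules only admit NEW connections, and UDP answers are limited to the two resolvers instead of accepting every "established" datagram. The interface eth0, the /24 on the admin network, the ip_conntrack_ftp remark and the function and variable names are assumptions; the addresses default to the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not the poster's or Teemu's rules. Assumptions: external
# interface eth0, the host's own address MY_IP, one admin network for
# ftp/ssh (the /24 is assumed), two resolvers. Defaults come from the thread.
IPT="${IPT:-/sbin/iptables}"   # IPT=echo prints the rules instead of loading them
WAN="${WAN:-eth0}"
MY_IP="${MY_IP:-62.233.231.17}"
ADMIN="${ADMIN:-192.168.0.0/24}"
DNS="${DNS:-194.204.159.1 194.204.152.34}"

build_rules() {
    # Flush first so re-running the script never stacks duplicate rules.
    for chain in INPUT FORWARD OUTPUT; do $IPT -F "$chain"; done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Anything claiming to be a NEW TCP connection must be a plain SYN.
    $IPT -A INPUT -i "$WAN" -p tcp ! --syn -m state --state NEW -j DROP
    # Source addresses that must never arrive on the external interface.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 224.0.0.0/4; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    # Replies on TCP connections already accepted, plus RELATED ones (ftp data
    # channels, once the ip_conntrack_ftp helper is loaded). This single rule
    # is what lets a second ssh session in; NEW rules only admit the first SYN.
    $IPT -A INPUT -i "$WAN" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    for port in 21 22; do
        $IPT -A INPUT -s "$ADMIN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # UDP has no handshake, so rather than accepting every "established"
    # datagram, admit answers only from the configured resolvers.
    for srv in $DNS; do
        $IPT -A INPUT -i "$WAN" -p udp -s "$srv" --sport 53 -d "$MY_IP" \
            -m state --state ESTABLISHED -j ACCEPT
    done
}

case "${1:-}" in
    apply) build_rules ;;   # sh firewall.sh apply  (IPT=echo sh firewall.sh apply to preview)
esac
```

Preview the generated rules with `IPT=echo sh firewall.sh apply` before loading them on a box you reach over ssh.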


