Re: iptables udp and output

From: Noi (noi_at_siam.com)
Date: 01/14/04


Date: Wed, 14 Jan 2004 18:24:29 GMT

On Wed, 14 Jan 2004 14:47:03 +0100, charly thoughtfully wrote:

>> Don't you mean:
>> iptables -A INPUT -p tcp --sport 137:139 -j DROP
>> iptables -A INPUT -p udp --sport 137:139 -j DROP
> yes, thanx !
>
> I post my script here for comments and remarks before testing it tonight :
> IPTABLES="/usr/local/iptables-1.2.9/iptables"
> INSMOD="/sbin/insmod"
> INTERNET_SERVICES="25,110,119"
> LOCAL_SERVICES="20,21,22"
>
> # Modules to load
> $INSMOD ip_tables
> $INSMOD ip_conntrack
> $INSMOD ip_conntrack_ftp
> $INSMOD ipt_state
> $INSMOD iptable_nat
> $INSMOD ipt_MASQUERADE
>
>
> $IPTABLES -F
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> #$IPTABLES -P FORWARD ACCEPT

I think I would use an ACCEPT policy for OUTPUT
and a DROP policy for FORWARD. Of course,
you're dropping all traffic unless you explicitly
accept it in your rules.

>
>
> #-----------------------------
> # INPUT RULES
> #-----------------------------
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> # Drop ALL attempted port scans
> $IPTABLES -A INPUT -m psd -j DROP
>
> # ping falls dead
> $IPTABLES -A INPUT -p icmp -j DROP
>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -p tcp --match multiport --sports $INTERNET_SERVICES -j ACCEPT
> $IPTABLES -A INPUT -p tcp --match multiport --dports $LOCAL_SERVICES -j ACCEPT

I think the two multiport commands above will accept $INTERNET_SERVICES
and $LOCAL_SERVICES in any state, from everywhere, on any device.
Wouldn't you want a $LOCAL_NET=192.168.0.0/24?

>
> # Stop W2K Chatter
> $IPTABLES -A INPUT -p tcp --sport 137:139 -j DROP
> $IPTABLES -A INPUT -p udp --sport 137:139 -j DROP

>
> #Allow incoming DNS traffic
> $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
>

Which protocol does DNS come in on, and from whom?

> #Allow incoming NMBD/SMB traffic
> $IPTABLES -A INPUT -p udp --dport 137 -i eth0 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 138 -i eth0 -j ACCEPT
>

I thought you dropped ports 137 and 138 above, not to mention the DROP
policy.

>
> #-----------------------------
> # OUTPUT RULES
> #-----------------------------
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state NEW -m owner --uid-owner charly -j ACCEPT
>
Who is charly? What about the owners news, smtp, pop3, smbd/nmbd?
You're not sending on ports 137 and 138 due to the policy, so nmbd/smbd won't work.

> # No ping answer allowed
> $IPTABLES -A OUTPUT -p icmp -j DROP

ICMP is too important a feature to block. Some ISPs use ICMP to heartbeat
the line for connectivity; no ICMP, then no DHCP or DNS. How will you test
basic (access layer) connectivity? Telnet tests the application
layers, i.e., the user program connection. This applies to INPUT as well, because
you'd need to accept some ICMP if you are sending ICMP; you can specify the types of
acceptable ICMP.

GL

-- 
------------------------------------------------------
Linux registered user #302812
using Fedora Core 1 kernel 2.4.22-1.2115.nptl
------------------------------------------------------
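A reworked version of the quoted rule set, as an added example that is not part of the original thread or charly's script, applying the points raised in this reply: ACCEPT policy on OUTPUT and DROP on FORWARD, service accepts limited to the LAN by destination port and source network (the remote-controlled `--sports` match is removed), NetBIOS dropped only on the Internet side and accepted from the LAN, DNS handled by the conntrack ESTABLISHED rule for a client and by a LAN-only rule when the host serves the LAN, and ICMP accepted by type instead of dropped wholesale. The interface names ppp0 and eth0, the 192.168.0.0/24 prefix, the SERVE_DNS switch and the dry-run mode are assumptions; module loading is unchanged from the posted script and omitted here.

```shell
#!/bin/sh
# Added example, not the script from the thread. Builds the INPUT rules the
# reply argues for. Without an argument it prints the rules (dry run);
# "apply" loads them through $IPTABLES.

IPTABLES="${IPTABLES:-/usr/local/iptables-1.2.9/iptables}"
EXT_IF="${EXT_IF:-ppp0}"                  # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth0}"                  # LAN interface, as in the posted script
LOCAL_NET="${LOCAL_NET:-192.168.0.0/24}"  # LAN prefix suggested in the reply
LOCAL_SERVICES="20,21,22"                 # ftp-data, ftp, ssh from the posted script
SERVE_DNS="${SERVE_DNS:-no}"              # "yes" only if this host resolves for the LAN

# build_rules CMD: run every rule through CMD (the iptables binary, or
# "echo" to print them instead).
build_rules() {
    ipt="$1"

    # Start clean in every table.
    for t in filter nat mangle; do
        $ipt -t $t -F
        $ipt -t $t -X
    done

    # Policies: unsolicited input dropped, nothing forwarded unless a rule
    # says so, locally generated traffic allowed.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback: INPUT matches on the input interface (-i), not -o.
    $ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, including UDP DNS answers,
    # and ICMP errors tied to a tracked connection (RELATED).
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop NetBIOS noise from the Internet side only; a DROP on every
    # interface would shadow the LAN accept rules that follow.
    $ipt -A INPUT -i $EXT_IF -p udp --dport 137:139 -j DROP
    $ipt -A INPUT -i $EXT_IF -p tcp --dport 137:139 -j DROP

    # Services for the LAN: match destination port and source network.
    # Never match the remote source port, which the peer chooses.
    $ipt -A INPUT -i $LAN_IF -s $LOCAL_NET -p tcp -m multiport --dports $LOCAL_SERVICES -m state --state NEW -j ACCEPT

    # NetBIOS name/datagram (nmbd) and session (smbd) service for the LAN.
    $ipt -A INPUT -i $LAN_IF -s $LOCAL_NET -p udp --dport 137:138 -j ACCEPT
    $ipt -A INPUT -i $LAN_IF -s $LOCAL_NET -p tcp --dport 139 -j ACCEPT

    # DNS: a client needs nothing beyond ESTABLISHED. Only a host that
    # serves the LAN needs unsolicited queries to port 53, and only from it.
    if [ "$SERVE_DNS" = yes ]; then
        $ipt -A INPUT -i $LAN_IF -s $LOCAL_NET -p udp --dport 53 -j ACCEPT
        $ipt -A INPUT -i $LAN_IF -s $LOCAL_NET -p tcp --dport 53 -j ACCEPT
    fi

    # ICMP by type instead of a blanket DROP: unreachable/path-MTU errors,
    # TTL exceeded (traceroute), and rate-limited echo requests.
    $ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    $ipt -A INPUT -p icmp -j DROP

    # Log what falls through to the policy drop, rate-limited.
    $ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: "
}

case "${1:-dry-run}" in
    apply)   build_rules "$IPTABLES" ;;
    dry-run) build_rules echo ;;
esac
```

Run it as `sh rules.sh` to review the rule list and `sh rules.sh apply` to load it. The `--sports $INTERNET_SERVICES` rule from the posted script is dropped on purpose: anyone can send from source port 25, so matching on it lets arbitrary new connections past the DROP policy, while replies from the real mail and news servers are already covered by the ESTABLISHED rule.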

