Re: ipchains question

From: Brad Olin (bwo_at_bwo1.com)
Date: 05/07/04


Date: Fri, 07 May 2004 14:49:31 GMT

On Fri, 7 May 2004 15:36:02 +0200, PapaBear <Papabeer@No-SP_aM.nl>
wrote:

>LS.
>
>I'm working on an ipchains firewall on a little old Redhat 7.0 server.
>
>After flushing all rules, I start out making standard strategies as
>follows:
>
># ### Standard strategy is DENY ###
>ipchains -P input DENY # No answer for invalid incoming
>ipchains -P output REJECT # Error for invalid outgoing
>ipchains -P forward REJECT # Error for invalid forwarding
>
>Now the book I'm using suggests to put all kinds of rules in the file to
>deny access from for example class A, B and C networks.
>

I'm not certain what book you're referencing, but there are reserved IP
addresses that are clearly invalid on the open Internet. These may be
used on the inside of your network, but they are never valid on the
Internet side.

So let's say you want to allow port 80, but you wouldn't want to open
port 80 to an invalid address. To resolve this issue you would have
rules, like the below set, to drop those reserved addresses before you
accept whatever ports you wanted open.

/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP

Do you really need these rules? `iptables -vnL` on my boxes shows some
counts on these rules from time to time, so yes.

>Why is this? (since the standard strategy is to DENY or REJECT)
>

My default policy is DROP

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

The policy is used only if all rules are exhausted, so I only have to
open ports I want. With a policy of REJECT you allow hackers to
fingerprint 100% of your system. Not something I would recommend.

>imho I can just ACCEPT only those packages I would want and discard the
>others, since they would be denied or rejected, am I right?
>
Basically, but use policy DROP instead.

Brad

-- 
"Nearly all men can stand adversity, but if you want to test a man's
character, give him power."                          Abraham Lincoln
Bradley W. Olin
http://www.bwo1.com
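The first-match ordering Brad describes (reserved-source DROPs placed ahead of the port ACCEPTs, with the DROP policy applying only once the chain is exhausted), modelled as an added Python example that is not from the thread. It renders the same rules in iptables syntax and walks constructed sample packets through the chain; the interface name, open port and sample addresses are assumptions.

```python
import ipaddress

# Reserved / non-routable source ranges from the post, never valid on the Internet side.
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/5",
)]


def build_input_chain(ext_if="eth0", open_ports=(80,)):
    """INPUT chain as an ordered list of rule dicts; first match wins, as in iptables.
    The reserved-source DROPs come first so a spoofed 10.0.0.0/8 source
    can never reach the port-80 ACCEPT further down the chain."""
    chain = [{"in": ext_if, "src": net, "target": "DROP"} for net in RESERVED_SOURCES]
    chain += [{"proto": "tcp", "dport": p, "target": "ACCEPT"} for p in open_ports]
    return chain


def render(chain):
    """Emit the chain in the same /sbin/iptables -A INPUT ... syntax as the post."""
    lines = []
    for r in chain:
        parts = ["/sbin/iptables -A INPUT"]
        if "in" in r:
            parts.append(f"-i {r['in']}")
        if "src" in r:
            parts.append(f"-s {r['src']}")
        if "proto" in r:
            parts.append(f"-p {r['proto']} --dport {r['dport']}")
        parts.append(f"-j {r['target']}")
        lines.append(" ".join(parts))
    return lines


def matches(rule, pkt):
    """True if every selector present in the rule matches the packet."""
    if "in" in rule and pkt["in"] != rule["in"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "proto" in rule and (pkt["proto"], pkt["dport"]) != (rule["proto"], rule["dport"]):
        return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the policy applies only when no rule matched."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy
```

Running `verdict(build_input_chain(), {"in": "eth0", "src": "10.1.2.3", "proto": "tcp", "dport": 80})` returns DROP, and reversing the chain so the ACCEPT comes first lets that spoofed source through, which is the ordering point of the post.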

