Re: Checking FC2 Iptables firewall config for PPPoE-enabled Gateway

From: Leon Kyneur (lkyneur_at_unitedip.net.au)
Date: 08/31/04


Date: Tue, 31 Aug 2004 22:50:01 +1000

Hi,

With firewalls it's usually best to block everything and only allow
through what you require.

Your firewall looks ok, adequate for your LAN I'm sure.

I would be doing

iptables -P INPUT DROP
iptables -P FORWARD DROP

rather than allow, though.

Leon

---
Leon Kyneur			lkyneur@unitedip.net.au
United IP			http://www.unitedip.net.au/
Phone: 02 8825 5586		Fax: 02 8825 5587
On Mon, 30 Aug 2004, Max wrote:
>
> Greetings,
>
> Recently, I completed setting up an FC2-enabled server as a home gateway.
>
> Its connection to the Internet is by way of Verizon's PPPoE DSL.  The
> external Westell modem connects to eth0; the home LAN connects to eth1.
>
> Everything seems to be communicating correctly.  The concern I have and
> the request I make of the list is to review the iptables setting for the
> gateway.
>
> Stock FC2 Iptables looks like this:
> root@leeloo ~> iptables-save
> # Generated by iptables-save v1.2.9 on Sun Aug 29 17:06:53 2004
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [20310127:17271169167]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Sun Aug 29 17:06:53 2004
>
>
> I've amended it; the lines I've added are preceded by >>> and ended w/ <<<:
>
> # Generated by iptables-save v1.2.9 on Sun Aug 29 17:08:40 2004
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10797:1210790]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
>
> >>>-A RH-Firewall-1-INPUT -s 127.127.1.0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT <<<
>
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>
> >>>-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<<<
>
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
>
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Sun Aug 29 17:08:40 2004
>
> >>>> Everything below was added to stock FC2 Iptables settings<<<
>
> # Generated by iptables-save v1.2.9 on Sun Aug 29 17:08:40 2004
> *nat
> :PREROUTING ACCEPT [11662:691042]
> :POSTROUTING ACCEPT [97:5735]
> :OUTPUT ACCEPT [96:5659]
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Sun Aug 29 17:08:40 2004
>
> >>>>>>>> End addition <<<<
>
> I run a standalone server at an ISP loaded w/ FC2 and running the stock Iptables
> configuration.  There don't seem to be any security problems.
>
>
> The biggest hurdle was getting machines on the home network making
> requests through the gateway; initially, no web, ssh, or ftp
> requests were possible using domain names.  They could only
> be made using explicit ip addresses.
>
> Once I added
> >>>-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT<<<
>
> service requests to the internet using domain names began to work
> correctly.
>
> My concern is how exposed/vulnerable is the above gateway configuration?
>
> Much thanks for your help!
>
> Max Pyziur
> pyz@brama.com
>
>
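As an added example that is not part of either message, here is a small POSIX shell audit of an iptables-save dump along the lines Leon suggests: it flags INPUT/FORWARD chains whose default policy is ACCEPT and any interface accepted wholesale that is not on a trusted list, then rewrites the policies to DROP. The dump is a constructed, condensed copy of Max's stock filter table (eth1 = LAN as in his post); awk is the only dependency and nothing is loaded into a live kernel.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump against
# Leon's advice (default DROP on INPUT and FORWARD) and flag every interface
# accepted wholesale that is not on a trusted list. The dump is a constructed,
# condensed copy of Max's filter table; eth1 = LAN as in his post.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# audit_rules DUMP "IF1 IF2 ...": print one finding per line.
audit_rules() {
    printf '%s\n' "$1" | awk -v trusted="$2" '
        BEGIN { n = split(trusted, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
        # A built-in chain with policy ACCEPT lets through any packet that
        # reaches the end of the chain unmatched; the final REJECT rule hides
        # this until someone flushes or reorders the chain.
        /^:(INPUT|FORWARD) ACCEPT/ { print "policy-accept " substr($1, 2) }
        # "-i IFACE -j ACCEPT" with no other match trusts the whole interface.
        # Because FORWARD jumps into the same chain, such a rule also passes
        # LAN traffic being forwarded out (why Max needed it for DNS lookups).
        /^-A / && NF == 6 && $3 == "-i" && $5 == "-j" && $6 == "ACCEPT" && !($4 in ok) {
            print "interface-accept " $4
        }'
}

# harden_policies DUMP: rewrite the INPUT/FORWARD policies to DROP, as Leon
# suggests, leaving every rule untouched. Feed the result to iptables-restore.
harden_policies() {
    printf '%s\n' "$1" | awk '($1 == ":INPUT" || $1 == ":FORWARD") && $2 == "ACCEPT" { $2 = "DROP" } { print }'
}

echo "Findings in the stock dump (lo and eth1 trusted):"
audit_rules "$SAMPLE_RULES" "lo eth1"
echo "Policies after hardening:"
harden_policies "$SAMPLE_RULES" | grep '^:'
```

Run it against the real thing with `audit_rules "$(iptables-save)" "lo eth1"`; on a PPPoE gateway the interface to keep off the trusted list is ppp0, not eth0, since that is where the routed Internet traffic arrives.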
