Re: please read my script

From: The Saint (gur_fnvag_at_crgvgzbegr.arg)
Date: 11/20/03

  • Next message: Jeroen: "Re: Zonealarm stops messenger & browser"
    Date: 20 Nov 2003 11:06:17 -0600
    
    

    NeoSadist wrote:

    >Please read my IPTables script (for a home computer) and tell me what you
    >think. All ideas/comments accepted:
    >
    ># Accept all loopback
    >iptables -A INPUT -i lo -p all -j ACCEPT
    >iptables -A OUTPUT -o lo -p all -j ACCEPT

    Since you don't flush your rules or set default policies, the above
    is unnecessary. Your iptables obviously accepts all by default.

    <snip chat rules>

    ># Close all other connection requests
    ># All rules for accepting connections should be entered before this rule.
    >iptables -A INPUT -p tcp --syn -j DROP

    Unfortunately, you are *not* closing all other connection requests.
    All ICMP and UDP are allowed. Not a good thing, IMHO. Also, you are
    limiting the TCP packets to be dropped. A classic example of a very
    permissive firewall ruleset. All output is allowed as well.

    Iptables/netfilter is a very robust and feature-rich firewall, and
    your ruleset isn't taking advantage of a lot of it. Try this command:
    iptables -L and you'll see how permissive it is. And I thought mine
    was rather permissive. Mind you, I'm behind a Linux firewall/router
    with a ruleset greater than 30K and nothing is forwarded to this
    computer except what is used by NAT.

    #!/bin/bash
    #
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # Flush Chains
    iptables -F
    iptables -X
    iptables -Z
    # Set Policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Allow Loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Input Rules
    iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 20 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT \
    --reject-with tcp-reset
    iptables -A INPUT -i eth0 -p udp --sport 137:139 -j DROP
    iptables -A INPUT -i eth0 -p icmp -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    # Output Rules
    iptables -A OUTPUT -o eth0 -p tcp --dport 20 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 23 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 43 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 67:68 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 110 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 119 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 3128 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 8080 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
    iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    # Log and Drop Everything Else
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j LOG
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j LOG
    iptables -A OUTPUT -j DROP
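The following is an added example, not part of the original thread and not code from either poster. It is a small Python model of how netfilter walks an INPUT chain (first terminating match wins, LOG is non-terminating, the chain policy applies when nothing matches, --syn matches only SYN-without-ACK, -m state matches the conntrack state) and runs a handful of constructed packets through both rulesets discussed above: NeoSadist's quoted chain (no flush, no policy, so the kernel default of ACCEPT applies) and The Saint's script transcribed rule for rule. The packet names, the Packet/Rule classes and the sample traffic are mine. It shows concretely what the reply says: with "drop TCP SYN" as the only filter, UDP, ICMP and non-SYN TCP (for example an ACK scan) all reach the host. One caveat the run also surfaces: The Saint's "--sport 20 -j ACCEPT" rule admits any new TCP connection whose source port is 20, to any local port; with ip_conntrack_ftp loaded, active-mode FTP data connections are already matched as RELATED, so that rule is not needed.

```python
"""First-match model of an iptables INPUT chain (added example, not from the thread).

The model covers just enough netfilter semantics to compare the two rulesets in
the message above: rules are tried in order and the first terminating match wins,
LOG is non-terminating, the chain policy applies when nothing matches, --syn
matches only SYN-without-ACK, and -m state matches the conntrack state.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, List, Dict

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    iface: str = "eth0"
    dport: Optional[int] = None
    sport: Optional[int] = None
    syn: bool = False               # SYN set, ACK clear: what --syn matches
    state: str = "NEW"              # conntrack state


@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive range, like 67:68
    sport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and not _in_range(p.dport, self.dport):
            return False
        if self.sport is not None and not _in_range(p.sport, self.sport):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def _in_range(port: Optional[int], rng: Tuple[int, int]) -> bool:
    return port is not None and rng[0] <= port <= rng[1]


def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """Walk the chain in order; return the first terminating verdict, else the policy."""
    for rule in chain:
        if rule.matches(p) and rule.target in TERMINATING:
            return rule.target
    return policy


# NeoSadist's INPUT chain as quoted: no flush, no policy (kernel default ACCEPT),
# loopback accept, then "drop TCP SYN" as the only filter.
NEO_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("DROP", proto="tcp", syn=True),
]
NEO_POLICY = "ACCEPT"

# The Saint's INPUT chain, transcribed from the script above (LOG kept to show
# it does not end evaluation; the explicit DROP after it does).
SAINT_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=(21, 21)),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=(22, 22)),
    Rule("ACCEPT", iface="eth0", proto="tcp", sport=(20, 20)),
    Rule("ACCEPT", iface="eth0", proto="udp", dport=(67, 68)),
    Rule("REJECT", iface="eth0", proto="tcp", dport=(113, 113)),
    Rule("DROP", iface="eth0", proto="udp", sport=(137, 139)),
    Rule("ACCEPT", iface="eth0", proto="icmp"),
    Rule("ACCEPT", iface="eth0", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("LOG"),
    Rule("DROP"),
]
SAINT_POLICY = "DROP"

# Constructed sample traffic arriving on eth0 from the Internet (not real captures).
SAMPLES: Dict[str, Packet] = {
    "tcp syn to 8080":           Packet("tcp", dport=8080, sport=40000, syn=True),
    "tcp ack-only to 8080":      Packet("tcp", dport=8080, sport=40000, syn=False),  # ACK scan
    "udp to 8080":               Packet("udp", dport=8080, sport=40000),
    "icmp echo request":         Packet("icmp"),
    "reply to our connection":   Packet("tcp", dport=40000, sport=80, state="ESTABLISHED"),
    "tcp from sport 20 to 6000": Packet("tcp", dport=6000, sport=20, syn=True),
}


def compare(samples: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Map each sample to (verdict under NeoSadist's chain, verdict under The Saint's)."""
    return {
        name: (evaluate(NEO_INPUT, NEO_POLICY, p), evaluate(SAINT_INPUT, SAINT_POLICY, p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (neo, saint) in compare().items():
        print(f"{name:28s} NeoSadist={neo:7s} TheSaint={saint}")
```

Running it prints one line per sample; the UDP and ACK-only packets are ACCEPT under the quoted chain and DROP under the default-deny one, while the sport-20 packet goes the other way, which is the rule worth removing or restricting to "-m state --state RELATED" before this script is reused.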
