Re: please read my script
From: The Saint (gur_fnvag_at_crgvgzbegr.arg)
Date: 11/20/03
- Previous message: Knutts: "ARP Broadcast From CISCO PIX Firewall"
- In reply to: NeoSadist: "please read my script"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 20 Nov 2003 11:06:17 -0600
NeoSadist wrote:
>Please read my IPTables script (for a home computer) and tell me what you
>think. All ideas/comments accepted:
>
># Accept all loopback
>iptables -A INPUT -i lo -p all -j ACCEPT
>iptables -A OUTPUT -o lo -p all -j ACCEPT
Since you don't flush your rules, or set default policies, the above
is unnecessary. Your iptables obviously accepts all by default.
<snip chat rules>
># Close all other connection requests
># All rules for accepting connections should be entered before this rule.
>iptables -A INPUT -p tcp --syn -j DROP
Unfortunately, you are *not* closing all other connection requests.
All ICMP and UDP are allowed. Not a good thing, IMHO. Also, you are
limiting the TCP packets to be dropped. A classic example of a very
permissive firewall ruleset. All output is allowed as well.
Iptables/netfilter is a very robust and feature-rich firewall, and
your ruleset isn't taking advantage of a lot of it. Try this command:
iptables -L and you'll see how permissive it is. And I thought mine
was rather permissive. Mind you, I'm behind a Linux firewall/router
with a ruleset greater than 30K and nothing is forwarded to this
computer except what is used by NAT.
#!/bin/bash
#
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Flush Chains
iptables -F
iptables -X
iptables -Z
# Set Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Input Rules
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset
iptables -A INPUT -i eth0 -p udp --sport 137:139 -j DROP
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Output Rules
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 23 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 43 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 67:68 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 119 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Log and Drop Everything Else
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j DROP
- Previous message: Knutts: "ARP Broadcast From CISCO PIX Firewall"
- In reply to: NeoSadist: "please read my script"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
