Re: please read my script

From: The Saint (gur_fnvag_at_crgvgzbegr.arg)
Date: 11/20/03

  • Next message: Jeroen: "Re: Zonealarm stops messenger & browser"
    Date: 20 Nov 2003 11:06:17 -0600
    
    

    NeoSadist wrote:

    >Please read my IPTables script (for a home computer) and tell me what you
    >think. All ideas/comments accepted:
    >
    ># Accept all loopback
    >iptables -A INPUT -i lo -p all -j ACCEPT
    >iptables -A OUTPUT -o lo -p all -j ACCEPT

    Since you don't flush your rules, or set default policies, the above
    is unnecessary. Your iptables obviously accepts all by default.

    <snip chat rules>

    ># Close all other connection requests
    ># All rules for accepting connections should be entered before this rule.
    >iptables -A INPUT -p tcp --syn -j DROP

    Unfortunately, you are *not* closing all other connection requests.
    All ICMP and UDP are allowed. Not a good thing, IMHO. Also, you are
    limiting the TCP packets to be dropped. A classic example of a very
    permissive firewall ruleset. All output is allowed as well.

    Iptables/netfilter is a very robust and feature-rich firewall, and
    your ruleset isn't taking advantage of a lot of it. Try this command:
    iptables -L and you'll see how permissive it is. And I thought mine
    was rather permissive. Mind you, I'm behind a Linux firewall/router
    with a ruleset greater than 30K and nothing is forwarded to this
    computer except what is used by NAT.

    #!/bin/bash
    #
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # Flush Chains
    iptables -F
    iptables -X
    iptables -Z
    # Set Policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Allow Loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Input Rules
    iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 20 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT \
    --reject-with tcp-reset
    iptables -A INPUT -i eth0 -p udp --sport 137:139 -j DROP
    iptables -A INPUT -i eth0 -p icmp -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    # Output Rules
    iptables -A OUTPUT -o eth0 -p tcp --dport 20 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 23 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 43 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 67:68 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 110 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 119 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 3128 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 8080 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
    iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    # Log and Drop Everything Else
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j LOG
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j LOG
    iptables -A OUTPUT -j DROP
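The complaint above (no default policies set, UDP and ICMP never dropped, only TCP SYNs filtered, all output allowed) can be checked mechanically against an `iptables-save` dump. The following audit script is an added example, not part of the original post; it parses only the `*filter` table and treats a protocol as covered in a chain when an un-narrowed DROP/REJECT rule exists for that protocol or for all protocols. The sample dump is a constructed rendering of the quoted script.

```python
import re

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
PROTOS = ("tcp", "udp", "icmp")
# Anything left on a rule after removing these tokens is a match that
# narrows it (interface, port, TCP flags, conntrack state ...).
NON_MATCH = re.compile(r"-[Apmj] \S+|--reject-with \S+")

def parse_filter(dump):
    """Return ({chain: policy}, [(chain, proto, narrowed, target), ...])
    for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            tokens = line.split()
            proto = re.search(r"-p (\S+)", line)
            target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
            narrowed = bool(NON_MATCH.sub("", line).strip())
            rules.append((tokens[1], proto.group(1) if proto else "all",
                          narrowed, target))
    return policies, rules

def audit(dump):
    """(chain, protocol) pairs that can fall through to an ACCEPT policy."""
    policies, rules = parse_filter(dump)
    findings = []
    for chain in BUILTIN:
        if policies.get(chain, "ACCEPT") != "ACCEPT":
            continue  # DROP policy: nothing falls through
        covered = {p for c, p, narrowed, t in rules
                   if c == chain and not narrowed and t in ("DROP", "REJECT")}
        if "all" not in covered:
            findings += [(chain, p) for p in PROTOS if p not in covered]
    return findings

# Constructed iptables-save rendering of the quoted script once loaded
# (--syn is saved as a --tcp-flags match); nothing was flushed and no
# policy was set, so every built-in chain still defaults to ACCEPT.
QUOTED_SCRIPT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
"""
```

Running `audit(QUOTED_SCRIPT)` reports every protocol in every built-in chain, including TCP, because the SYN-only DROP is a narrowed rule; a dump with DROP policies (or an un-narrowed trailing `-j DROP` per chain, as in the ruleset above) produces no findings.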

