Re: netfilter iptables and firewall
- From: "EldarXP" <jeremy.gillet@xxxxxxxxx>
- Date: 24 Oct 2006 21:05:27 -0700
Moe Trin wrote:
> On 24 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
> <1161680624.249954.282620@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, EldarXP wrote:
>
> > I'm currently using a computer with Linux to do a bridge firewall. As
> > my company has limited resources, I have put together some other
> > services on it (apache, dansguardian).
> > It gives them a fairly secure network and should only allow some people
> > to access the internet.
>
> "some people" - but none of your rules limit to individual addresses.
> Of course, if your LAN is running DHCP because it's too much trouble to
> set the boxes to static addresses, then you can't allow "some" people
> to access the Internet unless everything is done through an authenticated
> proxy, in which case your rules should block ALL access to/from the world
> except via that proxy. HOWEVER - you should not depend on your firewall
> to _replace_ written policy.
>
> > Still I found some problem in my firewall where some people were still
> > able to use web and messenger even with the set of rules I have put on
> > it.
>
> See that a _written_ policy detailing allowed Internet use is in place.
> Depending on your jurisdiction, there may or may not be legal implications.
> You _probably_ should consult with your company's legal advisor to be sure.
>
> Temporarily, jack up the logging, so that you are logging all NEW
> and ESTABLISHED connections (all you need is headers), for a month or
> so. Use common scripting tools to sort out source and destination IPs,
> and destination port numbers. Who is talking to who, and why? Is such
> traffic beneficial, or tolerable? If you don't understand scripting, see
> the "Bash-Prog-Intro-HOWTO" (should be on your system in /usr/share/HOWTO)
> and "Advanced Bash-Scripting Guide" (version 4.1 was released two weeks
> ago - try http://tldp.org/guides.html). When we did this (using tcpdump
> because the firewall logging of the era wasn't very good), we wound up with
> a log of roughly 350 Megabytes. It took two people _less_than_two_days_ to
> ID every site, showing about 200 "holes" that had to be created through
> our "block everything by default" firewall.
>
> > iptables -P FORWARD ACCEPT
>
> If it's not explicitly in the rules, allow ??? WTF?!? In the comments below,
> I'm assuming $INTERNET means 0.0.0.0/0 or literally, the entire world.
>
> > iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 25
>
> Some mail admins don't like to accept mail from systems not designated
> as mail servers. Allow the mail to be forwarded to a smarthost, and sent
> on from there only.
>
> > iptables -A FORWARD -j LOG -p tcp -s $LOCALNET -d 202.72.104.1 --dport 110
> > iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 110
>
> Log stuff to a specific destination, but allow to anywhere? Seems reversed.

Oops, forgot the ! in front of the destination.

Still, I won't be in this country and I know the support would be quite
difficult, so I just prefer to allow them access to any SMTP server (I
would prefer to block it, but then who will change the rules to match
the new destination...).

> > iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 22
>
> Allow _all_ SSH outbound???

Might be right; I can remove this, I'm the only one to use SSH.

> > iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 443
>
> Allow _all_ https outbound???

Hum, that was for me :)

> > iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 6667
>
> And the reason your employees need IRC to do their jobs is what exactly?
>
> > iptables -A FORWARD -j ACCEPT -p tcp -s $LOCALNET -d $INTERNET --dport 8383
>
> What's 8383/tcp, and why is it needed?

Arg, this one I would prefer to remove, but they've got an application on
this port which needs to access their intranet...

> > iptables -A FORWARD -j r_drop
>
> I don't have to deal with windoze, but I'd drop INPUT and OUTPUT as well,
> as nothing runs on my firewall box except the firewall, and the ordinary
> users (much less the entire world) have no reason to be connecting to that
> box.

Hum, I will follow the example in the first post for my INPUT and OUTPUT;
it seems good for me.

> > iptables -A Icmp_Related_And_New -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
>
> OK
>
> > iptables -A Icmp_Related_And_New -p icmp --icmp-type source-quench -m state --state RELATED -j ACCEPT
>
> Stretching - I rarely see a source-quench.
>
> > iptables -A Icmp_Related_And_New -p icmp --icmp-type parameter-problem -m state --state RELATED -j ACCEPT
>
> I can't recall the last time I saw one of those.
>
> > iptables -A Icmp_Related_And_New -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
>
> In the modern Internet, the only time you see this is in traceroute.

Hum, OK, I will just remove them.

> > iptables -A Icmp_Related_And_New -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT
> > iptables -A Icmp_Related_And_New -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>
> We allow ICMP Echo request outbound, and ICMP Echo reply inbound only.
Old guy
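Moe Trin's advice above, to log every NEW connection for a while and then use ordinary scripting tools to sort out which source talks to which destination on which port, as an added shell example that is not part of the thread. The log lines are constructed in the kernel's iptables LOG format; the "FW-NEW" log prefix, the LAN and destination addresses are assumptions, and the counts come from the constructed sample only.

```shell
#!/bin/sh
# Added example, not from the thread: tally NEW connections recorded by an
# iptables LOG rule so that "who is talking to who, and why?" can be answered
# from a month of logs. Sample lines are constructed; a real file would be
# grep'd out of /var/log/messages (or wherever syslog puts kernel messages).
SAMPLE_LOG='Oct 24 21:05:27 fw kernel: FW-NEW IN=br0 OUT=br0 SRC=192.168.1.23 DST=202.72.104.1 PROTO=TCP SPT=45678 DPT=110 SYN
Oct 24 21:05:31 fw kernel: FW-NEW IN=br0 OUT=br0 SRC=192.168.1.23 DST=202.72.104.1 PROTO=TCP SPT=45679 DPT=110 SYN
Oct 24 21:06:02 fw kernel: FW-NEW IN=br0 OUT=br0 SRC=192.168.1.40 DST=203.0.113.9 PROTO=TCP SPT=51000 DPT=6667 SYN
Oct 24 21:06:05 fw kernel: FW-NEW IN=br0 OUT=br0 SRC=192.168.1.40 DST=203.0.113.9 PROTO=TCP SPT=51001 DPT=6667 SYN
Oct 24 21:06:09 fw kernel: FW-NEW IN=br0 OUT=br0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=443 SYN
Oct 24 21:07:44 fw kernel: FW-NEW IN=br0 OUT=br0 SRC=192.168.1.77 DST=198.51.100.7 PROTO=UDP SPT=1025 DPT=53
Oct 24 21:08:00 fw kernel: unrelated kernel message that must be ignored'

# Read log lines on stdin and print "count SRC DST PROTO/DPT", most frequent
# first (ties broken by source, then destination, then port). Lines that lack
# the SRC=/DST=/DPT= fields are skipped rather than mis-parsed.
summarize_connections() {
    awk '
        /SRC=/ && /DST=/ && /DPT=/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")        src = kv[2]
                else if (kv[1] == "DST")   dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "" && dst != "" && dpt != "")
                count[src " " dst " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3 -k4,4
}

# Per-port totals across all hosts: the list of candidate "holes" to punch
# through a block-everything-by-default policy, busiest port first.
port_totals() {
    summarize_connections \
        | awk '{ total[$4] += $1 } END { for (p in total) print total[p], p }' \
        | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_connections
echo "--- per port ---"
printf '%s\n' "$SAMPLE_LOG" | port_totals
```

On a real box the input would be something like `grep 'FW-NEW' /var/log/messages | summarize_connections`; each output line is one (source, destination, port) triple to be judged "beneficial or tolerable" against the written policy before it becomes an ACCEPT rule.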
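The "block everything by default" FORWARD chain Moe Trin argues for, with per-host allowances instead of a blanket $LOCALNET to $INTERNET rule, mail only via a smarthost, ICMP echo request out and echo reply in, and a LOG of every NEW connection placed ahead of the ACCEPTs so the audit log is complete, as an added example that is not the original poster's firewall script. LOCALNET, SMARTHOST, the two host lists and the "FW-NEW" prefix are placeholder assumptions; INPUT and OUTPUT are left alone because apache and dansguardian run on the poster's box. The script prints the rules unless APPLY=1 is set, so it can be reviewed on a machine without iptables.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny FORWARD rules for a
# bridge firewall. Every address and host list here is a constructed
# placeholder; the real values come from the site's written policy.
LOCALNET="${LOCALNET:-192.168.1.0/24}"                # placeholder LAN
SMARTHOST="${SMARTHOST:-192.0.2.25}"                  # placeholder: the only SMTP relay allowed
WEB_HOSTS="${WEB_HOSTS:-192.168.1.23 192.168.1.40}"   # placeholder: workstations allowed web/POP3
SSH_HOSTS="${SSH_HOSTS:-192.168.1.10}"                # placeholder: admin workstation
IPT="${IPT:-iptables}"

# Apply a rule only when APPLY=1; otherwise print it for review.
fw() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$*"
    fi
}

build_forward_rules() {
    # Nothing crosses the bridge unless a rule below says so.
    fw -P FORWARD DROP
    fw -F FORWARD

    # Replies to connections permitted below.
    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Audit period: log the headers of every NEW connection, allowed or not,
    # before any ACCEPT, so the log shows who talks to whom on which port.
    fw -A FORWARD -m state --state NEW -j LOG --log-prefix "FW-NEW " --log-level info

    # Mail leaves only through the smarthost, which relays it onward.
    fw -A FORWARD -p tcp -s "$LOCALNET" -d "$SMARTHOST" --dport 25 -m state --state NEW -j ACCEPT

    # Web and POP3 for listed workstations only, not the whole LAN.
    for host in $WEB_HOSTS; do
        for port in 80 443 110; do
            fw -A FORWARD -p tcp -s "$host" --dport "$port" -m state --state NEW -j ACCEPT
        done
    done

    # SSH only from the admin workstation.
    for host in $SSH_HOSTS; do
        fw -A FORWARD -p tcp -s "$host" --dport 22 -m state --state NEW -j ACCEPT
    done

    # ICMP: rate-limited echo request outbound, echo reply inbound, nothing else.
    fw -A FORWARD -p icmp --icmp-type echo-request -s "$LOCALNET" -m limit --limit 1/s -j ACCEPT
    fw -A FORWARD -p icmp --icmp-type echo-reply -d "$LOCALNET" -m state --state ESTABLISHED -j ACCEPT
}

build_forward_rules
```

Anything not matched above, including 6667/tcp and 8383/tcp, is logged by the FW-NEW rule and then dropped by the chain policy; if the log shows a port is genuinely needed, the hole is added for the specific hosts that need it rather than for $LOCALNET.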
- Follow-Ups:
- Re: netfilter iptables and firewall
- From: Moe Trin
- Re: netfilter iptables and firewall
- From: Ansgar -59cobalt- Wiechers
- Re: netfilter iptables and firewall
- References:
- netfilter iptables and firewall
- From: EldarXP
- Re: netfilter iptables and firewall
- From: Moe Trin
- netfilter iptables and firewall