Sample iptables rules list, inviting your suggestions / criticisms (thanks) :-)
- From: "C. J. Clegg" <reply.in.group@xxxxxxxxx>
- Date: Sat, 04 Nov 2006 15:47:19 -0500
Redirected here from the "Post iptables rules in newsgroups" and "What
iptables rules to allow name service" threads...
Thanks to all of your help, I think I have what looks to me like a
reasonable set of iptables rules to shut down unneeded access while
allowing DNS to work to/from the name server that runs on that host.
Please take a look at the following and let me know of any suggestions or
criticisms you may have ... thanks :-)
(DESPERATELY hoping that my newsreader, or yours, doesn't hopelessly hose
the formatting in the following cut-and-paste...)
# Firewall configuration excerpt
#
# Based on the config file written by Fedora Core 2
# system-config-securitylevel (the one that says
# "Manual customization of this file is not recommended.")
#
# This firewall only controls access to the machine on which it
# runs. This machine does not serve as a router to provide
# network access to other machines.
#
# Objectives:
# Allow ftp, http, mail, and ping to and from everybody
# Allow ssh to and from certain (trusted) hosts
# (the firewall allows ssh from all
# and access is controlled in hosts.allow/deny)
# Disable telnet, rlogin, rsh, rexec, etc.
# (all of which are turned off in xinetd.d anyway...)
# Allow name service to and from the name server that
# runs on this host (this is a "primary" name server that
# also serves several "secondary" name servers)
#
*filter
:INPUT ACCEPT [0:0]
# Do I need the FORWARD policy line? See FORWARD chain below
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
#################################################################
#
# Rule set for the INPUT chain
#
# Allow anything from the localhost
#
-A INPUT -i lo -j ACCEPT
#
# Allow any icmp (mostly ping ... should I restrict it to ping
# only? What other kinds of ICMP are there that could be
# intrusive or dangerous?)
#
-A INPUT -p icmp --icmp-type any -j ACCEPT
#
# Allow ftp, ssh, mail, http, https. ssh access is restricted
# in hosts.allow and hosts.deny.
#
# (NOTE: I don't need "-m tcp -p tcp", do I?
# Isn't "-m tcp" implied by "-p tcp"?)
#
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#
# Enable DNS for input
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# Silently drop everything else
#
# NOTE: Could I eliminate the "-A INPUT -j DROP" rule by just
# changing the ":INPUT ACCEPT [0:0]" to ":INPUT DROP [0:0]" up at
# the beginning of this rules list?
#
-A INPUT -j DROP
#
#################################################################
#
# Rule set for the FORWARD chain.
# Everything gets silently dropped.
#
# NOTE: Do I even need this at all, or should I just eliminate
# the FORWARD chain entirely, or change ":FORWARD ACCEPT [0:0]"
# to ":FORWARD DROP [0:0]" up near the top of this list?
#
# /proc/sys/net/ipv4/ip_forward is set to 0.
#
# If I don't need this, then should I also eliminate the
# ":FORWARD ACCEPT [0:0]" up near the top of this list?
#
-A FORWARD -j DROP
#
#################################################################
#
# Rule set for the OUTPUT chain. These mostly have to do with
# logging although there is one DROP rule.
#
# Don't log things to the localhost
#
-A OUTPUT -o lo -j RETURN
#
# Disable outbound telnet from local users
# (this is the only DROP rule in the chain)
#
-A OUTPUT -m state --state NEW -m tcp -p tcp --dport 23 -j DROP
#
# Enable DNS for output
#
# NOTE: The following three rules were recommended to me by
# 59cobalt on comp.security.firewalls in order to get DNS to
# work. However, everything in the OUTPUT chain is ACCEPTed by
# default except for one specific DROP to disable telnet, noted
# above, so I shouldn't need the following three rules at all,
# right?
#
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# Don't log ping (or any ICMP), mail, http, https, X11-over-ssh,
# or dns
#
-A OUTPUT -p icmp --icmp-type any -j RETURN
-A OUTPUT -p tcp --sport 25 -j RETURN
-A OUTPUT -p tcp --dport 25 -j RETURN
-A OUTPUT -p tcp --dport 53 -j RETURN
-A OUTPUT -p udp --dport 53 -j RETURN
-A OUTPUT -p tcp --sport 80 -j RETURN
-A OUTPUT -p tcp --dport 80 -j RETURN
-A OUTPUT -p tcp --sport 443 -j RETURN
-A OUTPUT -p tcp --sport 6010 -j RETURN
-A OUTPUT -p tcp --dport 6010 -j RETURN
#
# Log everything else
#
-A OUTPUT -j LOG
#
COMMIT
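As an added example (not from the post or its thread), here is a small Python linter for iptables-restore files that checks the points the post asks about: whether a chain's policy matches its catch-all rule (a policy of ACCEPT with a trailing "-j DROP" fails open the moment the chain is flushed), whether any rules sit unreachable behind a catch-all, and whether ICMP is accepted wholesale. The embedded ruleset is a constructed excerpt modelled on the one above, not the poster's file.

```python
import re

# Constructed excerpt modelled on the posted ruleset above; not the poster's actual file.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j RETURN
-A OUTPUT -j LOG
COMMIT
"""

def parse(text):
    # Returns ({chain: policy}, {chain: [(rule, target, is_catch_all), ...]}).
    policies, chains = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"^:(\S+)\s+(\S+)", line):        # ":CHAIN POLICY [pkts:bytes]"
            policies[m.group(1)], chains[m.group(1)] = m.group(2), []
        elif line.startswith("-A "):
            parts = line.split()
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            # "-A CHAIN -j TARGET" carries no match options, so it hits every packet.
            chains.setdefault(parts[1], []).append((line, target, len(parts) == 4))
    return policies, chains

def lint(text):
    # Returns human-readable findings; an empty list means nothing to report.
    policies, chains = parse(text)
    findings = []
    for chain, rules in chains.items():
        for i, (rule, target, catch_all) in enumerate(rules):
            if "--icmp-type any" in rule and target == "ACCEPT":
                findings.append(f"{chain}: accepts every ICMP type; echo-request plus the "
                                "RELATED state (which admits ICMP errors) is usually enough")
            if catch_all and target in {"ACCEPT", "DROP", "REJECT"}:
                if policies.get(chain) != target:
                    findings.append(f"{chain}: policy {policies.get(chain)} with a catch-all {target} "
                                    f"rule fails open if the chain is flushed; set the policy to {target}")
                if i < len(rules) - 1:
                    findings.append(f"{chain}: {len(rules) - i - 1} rule(s) after the catch-all "
                                    f"{target} can never match")
                break   # nothing after a catch-all terminating rule is reachable
    return findings
```

Running lint(SAMPLE) reports the fail-open INPUT and FORWARD policies, the unreachable port-80 rule, and the blanket ICMP accept; switching both policies to DROP clears the fail-open findings.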