RE: Iptables

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Sun Jun 04 2006 - 11:35:58 AKDT

On Sun, 4 Jun 2006, Jenkinson, John P (SAIC) wrote:

> here's a working example
> no dns init but the modification is easy
> the specific source IPs are obviously now x.y.z but serve as examples
>
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp --icmp-type any -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport ntp -j ACCEPT
> -A INPUT -i eth1 -p udp -m udp --dport ntp -j ACCEPT
> # Allow portmapper from UNIX subnet
> -A INPUT -i eth1 -s x.y.z.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
> -A INPUT -i eth1 -s x.y.z.0/24 -p udp -m udp --dport 111 -j ACCEPT
> # Default drop of privileged ports.
> -A INPUT -i eth1 -p tcp -m tcp --dport 0:1024 -j DROP
> -A INPUT -i eth1 -p udp -m udp --dport 0:1024 -j DROP
> COMMIT

This is a bit of a tangent, but I've always found setups like this a bit
counterintuitive, and a bit dangerous to boot. The properly paranoid should
have a default INPUT policy of DROP (the default on all of my systems), and
one should also consider rate-limiting. My default firewall for a DNS server
is something like:

# Basic firewall filtering
#
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:eth0-IN -
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j eth0-IN
#
# Allow ICMP
-A eth0-IN -i eth0 -p icmp -m limit --limit 3/s --limit-burst 1 -j ACCEPT
#
# Allow ssh traffic from the local subnet
-A eth0-IN -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
#
# Allow DNS traffic from anywhere
-A eth0-IN -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A eth0-IN -i eth0 -p udp -m udp --dport 53 -j ACCEPT
#
COMMIT

In some situations a case can be made to set OUTPUT to DROP as well.

         --Arthur Corliss
           Bolverk's Lair -- http://arthur.corlissfamily.org/
           Digital Mages -- http://www.digitalmages.com/
           "Live Free or Die, the Only Way to Live" -- NH State Motto
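The difference between the two rulesets above (a default-ACCEPT INPUT chain that drops only privileged ports, versus a default-DROP chain with rate-limited ICMP) can be checked mechanically. The following is an added example, not code from either poster: a small parser for iptables-save text plus an audit that flags the two points raised in the reply. The two rulesets are embedded as constructed sample input, trimmed to the lines the checks look at.

```python
# Constructed sample inputs: the two *filter rulesets from this thread, trimmed.
RULESET_DEFAULT_ACCEPT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 0:1024 -j DROP
COMMIT
"""
RULESET_DEFAULT_DROP = """\
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:eth0-IN -
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j eth0-IN
-A eth0-IN -i eth0 -p icmp -m limit --limit 3/s --limit-burst 1 -j ACCEPT
-A eth0-IN -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A eth0-IN -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [rule tokens]) for the *filter table; '-' marks a user chain."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"          # only the filter table matters here
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]    # ':INPUT DROP' or ':eth0-IN -'
            policies[name] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def audit_input(text):
    """Flag an INPUT policy other than DROP (unlisted ports stay reachable) and unlimited ICMP."""
    policies, rules = parse_filter(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s, not DROP" % policies.get("INPUT"))
    for r in rules:
        # '-p icmp ... -j ACCEPT' with no '-m limit' match on the same rule
        if "icmp" in r and "ACCEPT" in r and "limit" not in r:
            findings.append("ICMP accepted without -m limit: " + " ".join(r))
    return findings
```

Run against a real dump with `audit_input(open("/etc/sysconfig/iptables").read())` (path is an assumption; use wherever your distribution stores its iptables-save output).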
Received on Sun Jun 4 11:36:31 2006

This archive was generated by hypermail 2.1.8 : Sun Jun 04 2006 - 11:36:31 AKDT