RE: Iptables

From: Jenkinson, John P (SAIC) <John.Jenkinson@bp.com>
Date: Sun Jun 04 2006 - 12:22:37 AKDT

very very true
thanks

Brian, note both tcp and udp port 53 are used for dns.
Though usually only zone transfers use tcp (so the first instinct is to block
tcp), large (greater than 512 byte) answers also use tcp.
To prevent zone transfers, use the restrict clause or similar in the dns
server setup.

-----Original Message-----
From: Arthur Corliss [mailto:acorliss@nevaeh-linux.org]
Sent: Sunday, June 04, 2006 11:36 AM
To: Jenkinson, John P (SAIC)
Cc: Brian ThunderEagle; aklug@aklug.org
Subject: RE: Iptables

On Sun, 4 Jun 2006, Jenkinson, John P (SAIC) wrote:

> here's a working example
> no dns init but the modification is easy
> the specific source IP's are obviously now x.y.z but serve as examples
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp --icmp-type any -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport ntp -j ACCEPT
> -A INPUT -i eth1 -p udp -m udp --dport ntp -j ACCEPT
> # Allow portmapper from UNIX subnet
> -A INPUT -i eth1 -s x.y.z.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
> -A INPUT -i eth1 -s x.y.z.0/24 -p udp -m udp --dport 111 -j ACCEPT
> # Default drop of privileged ports.
> -A INPUT -i eth1 -p tcp -m tcp --dport 0:1024 -j DROP
> -A INPUT -i eth1 -p udp -m udp --dport 0:1024 -j DROP
> COMMIT

This is a bit of a tangent, but I've always found setups like this a bit
counterintuitive, and a bit dangerous to boot. The properly paranoid should
have a default INPUT policy of DROP (the default on all of my systems), and
one should also consider rate-limiting. My default firewall for a DNS server
is something like:

# Basic firewall filtering
#
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:eth0-IN -
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j eth0-IN
#
# Allow ICMP
-A eth0-IN -i eth0 -p icmp -m limit --limit 3/s --limit-burst 1 -j ACCEPT
#
# Allow ssh traffic from the local subnet
-A eth0-IN -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
#
# Allow DNS traffic from anywhere
-A eth0-IN -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A eth0-IN -i eth0 -p udp -m udp --dport 53 -j ACCEPT
#
COMMIT

In some situations a case can be made to set OUTPUT to DROP as well.

         --Arthur Corliss
           Bolverk's Lair -- http://arthur.corlissfamily.org/
           Digital Mages -- http://www.digitalmages.com/
           "Live Free or Die, the Only Way to Live" -- NH State Motto
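As an added illustration (not code from either poster), a small Python linter for iptables-restore rulesets that checks the two points raised in this thread: whether INPUT has a default policy of DROP, and whether port 53, if opened, is opened for both tcp and udp. The ruleset string is a constructed sample modelled on the one quoted above, not either poster's exact text.

```python
# Constructed sample in iptables-restore format: ACCEPT policy and
# DNS opened on tcp only, so both checks below should fire.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 0:1024 -j DROP
COMMIT
"""

def parse_ruleset(text):
    """Parse iptables-restore text into {table: {"policy": {chain: policy}, "rules": [tokens]}}."""
    tables, table = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*filter" opens a table
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif table is None:                           # COMMIT or rule outside any table
            raise ValueError(f"line {lineno}: {line!r} before any *table line")
        elif line.startswith(":"):                    # ":INPUT DROP [0:0]" or ":eth0-IN -"
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line == "COMMIT":
            table = None
        else:
            tables[table]["rules"].append(line.split())
    return tables

def accept_protocols(rules, port):
    """Set of protocols ("tcp"/"udp") with an ACCEPT rule whose --dport is exactly `port`."""
    found = set()
    for r in rules:
        if "ACCEPT" in r and "--dport" in r and r[r.index("--dport") + 1] == str(port):
            found.add(r[r.index("-p") + 1])
    return found

def lint(text):
    """Return a list of findings; an empty list means both checks passed."""
    try:
        filt = parse_ruleset(text).get("filter", {"policy": {}, "rules": []})
    except ValueError as err:
        return [str(err)]
    findings = []
    if filt["policy"].get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP: unlisted ports are open by default")
    protos = accept_protocols(filt["rules"], 53)
    if protos and protos != {"tcp", "udp"}:
        findings.append(f"port 53 accepted only for {sorted(protos)}; DNS needs both tcp and udp")
    return findings
```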
Received on Sun Jun 4 12:24:06 2006

This archive was generated by hypermail 2.1.8 : Sun Jun 04 2006 - 12:24:06 AKDT