RE: Iptables

From: Brian ThunderEagle <thundereagle@hotmail.com>
Date: Sun Jun 04 2006 - 12:28:18 AKDT

Thanks for the examples, I got it all working now. I'm still not too sure
why my individual commands didn't work, but I assume the original rules were
conflicting somehow.

>From: Arthur Corliss <acorliss@nevaeh-linux.org>
>To: "Jenkinson, John P (SAIC)" <John.Jenkinson@bp.com>
>CC: Brian ThunderEagle <thundereagle@hotmail.com>, aklug@aklug.org
>Subject: RE: Iptables
>Date: Sun, 4 Jun 2006 11:35:58 -0800 (AKDT)
>
>On Sun, 4 Jun 2006, Jenkinson, John P (SAIC) wrote:
>
>>here's a working example
>>no dns init but the modification is easy
>>the specific source IPs are obviously now x.y.z but serve as examples
>>
>>*filter
>>:INPUT ACCEPT [0:0]
>>:FORWARD DROP [0:0]
>>:OUTPUT ACCEPT [0:0]
>># Loopback and all ICMP
>>-A INPUT -i lo -j ACCEPT
>>-A INPUT -p icmp --icmp-type any -j ACCEPT
>># Replies to connections this host opened
>>-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>># ssh and ntp from anywhere (port names are resolved via /etc/services)
>>-A INPUT -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT
>>-A INPUT -i eth1 -p tcp -m tcp --dport ntp -j ACCEPT
>>-A INPUT -i eth1 -p udp -m udp --dport ntp -j ACCEPT
>># Allow portmapper from UNIX subnet
>>-A INPUT -i eth1 -s x.y.z.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
>>-A INPUT -i eth1 -s x.y.z.0/24 -p udp -m udp --dport 111 -j ACCEPT
>># Default drop of privileged ports (0-1023); higher ports fall through to the INPUT policy.
>>-A INPUT -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
>>-A INPUT -i eth1 -p udp -m udp --dport 0:1023 -j DROP
>>COMMIT
>
>This is a bit of a tangent, but I've always found setups like this a bit
>counterintuitive, and a bit dangerous to boot. The properly paranoid should
>have a default INPUT policy of DROP (the default on all of my systems), and
>one should also consider rate-limiting. My default firewall for a DNS server
>is something like:
>
># Basic firewall filtering
>#
>*filter
>:INPUT DROP
>:FORWARD DROP
>:OUTPUT ACCEPT
># Per-interface user chain; "-" means no policy, so an unmatched packet returns to INPUT
>:eth0-IN -
>-A INPUT -i lo -j ACCEPT
>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A INPUT -i eth0 -j eth0-IN
>#
># Allow ICMP, rate-limited
>-A eth0-IN -i eth0 -p icmp -m limit --limit 3/s --limit-burst 1 -j ACCEPT
>#
># Allow ssh traffic from the local subnet
>-A eth0-IN -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
>#
># Allow DNS traffic from anywhere
>-A eth0-IN -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>-A eth0-IN -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>#
># Anything not accepted above falls back to the INPUT policy of DROP
>COMMIT
>
>In some situations a case can be made to set OUTPUT to DROP as well.
>
> --Arthur Corliss
> Bolverk's Lair -- http://arthur.corlissfamily.org/
> Digital Mages -- http://www.digitalmages.com/
> "Live Free or Die, the Only Way to Live" -- NH State Motto

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Sun Jun 4 12:28:37 2006

This archive was generated by hypermail 2.1.8 : Sun Jun 04 2006 - 12:28:37 AKDT
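Added example, not part of the thread above: a small Python evaluator for the iptables-restore subset the two posted rulesets use (interface, source, protocol, destination port range, conntrack state, user chains, chain policies), used to run the same packets through a default-ACCEPT ruleset and a default-DROP one. The two rulesets embedded below are constructed, modelled on the ones John and Arthur posted but both put on eth0 with documentation addresses so they can be compared; the "-m limit" rate limit is not modelled (its ICMP rule matches every ICMP packet) and conntrack state is simply a field on the constructed packet. The function and variable names are the example's own.

```python
"""Evaluate the iptables-restore subset used in this thread and compare a default-ACCEPT
INPUT policy with a default-DROP one. Added example, not the thread's own code."""
import ipaddress
# Constructed rulesets modelled on the two posted above, both on eth0 with documentation
# addresses so the same packets can run through each. -m limit is not modelled (the ICMP
# rules match every ICMP packet) and conntrack state is just a field on the packet.
OPEN_POLICY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 0:1023 -j DROP
COMMIT
"""
DEFAULT_DROP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:eth0-IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j eth0-IN
-A eth0-IN -p icmp -m limit --limit 3/s --limit-burst 1 -j ACCEPT
-A eth0-IN -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A eth0-IN -p tcp -m tcp --dport 53 -j ACCEPT
-A eth0-IN -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Return ({chain: policy or None}, {chain: [rule, ...]}) for one *filter table."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":  # chain declaration: name, policy ("-" for user chains), counters
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = (None if policy == "-" else policy), []
            continue
        toks = line.split()  # -A <chain> <opt> <val> ...; every option in this subset takes a value
        rule = {"matches": {}, "target": None}
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-j":
                rule["target"] = val
            elif opt == "-i":
                rule["matches"]["iface"] = val
            elif opt == "-s":
                rule["matches"]["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["matches"]["proto"] = val
            elif opt == "--dport":
                lo, _, hi = val.partition(":")
                rule["matches"]["dport"] = (int(lo), int(hi or lo))
            elif opt == "--state":
                rule["matches"]["state"] = set(val.split(","))
            elif opt not in ("-m", "--icmp-type", "--limit", "--limit-burst"):
                raise ValueError(f"unsupported option {opt} in: {line}")
        chains[toks[1]].append(rule)
    return policies, chains

def rule_matches(rule, pkt):
    # pkt keys: iface, src, proto, optional dport and conntrack state (default NEW)
    m = rule["matches"]
    return (m.get("iface", pkt["iface"]) == pkt["iface"]
            and m.get("proto", pkt["proto"]) == pkt["proto"]
            and ("src" not in m or ipaddress.ip_address(pkt["src"]) in m["src"])
            and ("dport" not in m or m["dport"][0] <= pkt.get("dport", -1) <= m["dport"][1])
            and ("state" not in m or pkt.get("state", "NEW") in m["state"]))

def verdict(policies, chains, chain, pkt):
    """Walk a chain in order; a user chain with no terminating match returns None (RETURN)."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP"):
            return rule["target"]
        if (sub := verdict(policies, chains, rule["target"], pkt)) is not None:  # user chain
            return sub
    return policies[chain]  # built-in chain: the policy decides; user chain: None

def input_verdict(ruleset, pkt):
    return verdict(*parse_ruleset(ruleset), "INPUT", pkt)

def exposed_tcp_ports(ruleset, iface, src):
    """Count TCP ports on which a NEW connection from src arriving on iface is ACCEPTed."""
    policies, chains = parse_ruleset(ruleset)
    return sum(verdict(policies, chains, "INPUT", {"iface": iface, "src": src, "proto": "tcp",
                                                  "dport": p}) == "ACCEPT" for p in range(1, 65536))
if __name__ == "__main__":
    for name, rules in (("open-policy", OPEN_POLICY), ("default-drop", DEFAULT_DROP)):
        print(name, exposed_tcp_ports(rules, "eth0", "203.0.113.9"), "TCP ports open to 203.0.113.9")
```

Run stand-alone it reports how many TCP ports a host on the internet can open a new connection to under each ruleset: with the ACCEPT policy every port above 1023 (plus 22) is reachable, and so is every port on any interface the rules do not name, while with the DROP policy only 53 is, and 22 only from the 192.168.0.0/24 subnet. The same walk shows the other side of the coin: the ACCEPT-policy ruleset has no DNS rule, so udp/53 is dropped there by the privileged-port rule. For a real ruleset the check to run before loading it is iptables-restore --test on the file, which parses it without committing.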