--- Joseph Rinckey <[EMAIL PROTECTED]> wrote:

> > Hi,
> >
> > What exactly is your problem? All I can see is a good firewall.
>
> That's why I sent this e-mail: to see if there were any problems. I
> didn't want to put this firewall on the Internet until I knew it was
> good.
>
> So, if it's good... Thanks!

It should be noted in big black letters that... no one on this list is
responsible for the information it contains.

                            NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

> If there is something that you see that might be a problem, could you
> let me know.
>
> Thanks,
>
> Joseph
>
> > > Hello,
> > >
> > > I'm looking for suggestions on my iptables rule set.
> > >
> > > There are three interfaces in this server:
> > > eth0 - <internet-address>
> > > eth1 - <lan-address>
> > > eth2 - <dmz-address>
> > >
> > > ### Create Chains
> > > iptables -N IN_LO
> > > iptables -N OUT_LO
> > > iptables -N IN_ETH0
> > > iptables -N OUT_ETH0
> > > iptables -N IN_ETH1
> > > iptables -N OUT_ETH1
> > > iptables -N IN_ETH2
> > > iptables -N OUT_ETH2
> > > iptables -N BLOCKED_PACKETS
> > > iptables -N ICMP_PACKETS
> > >
> > > ### POLICIES
> > > iptables -P INPUT DROP
> > > iptables -P FORWARD DROP
> > > iptables -P OUTPUT DROP
> > >
> > > ### INPUT
> > > iptables -A INPUT -j BLOCKED_PACKETS
> > > iptables -A INPUT -p icmp -j ICMP_PACKETS
> > > iptables -A INPUT -i lo -j IN_LO
> > > iptables -A INPUT -i eth0 -j IN_ETH0
> > > iptables -A INPUT -i eth1 -j IN_ETH1
> > > iptables -A INPUT -i eth2 -j IN_ETH2
> > >
> > > ### FORWARD
> > > iptables -A FORWARD -j BLOCKED_PACKETS
> > > iptables -A FORWARD -p icmp -j ICMP_PACKETS
> > > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUTPUT
> > > iptables -A OUTPUT -j BLOCKED_PACKETS
> > > iptables -A OUTPUT -p icmp -j ICMP_PACKETS
> > > iptables -A OUTPUT -o lo -j OUT_LO
> > > iptables -A OUTPUT -o eth0 -j OUT_ETH0
> > > iptables -A OUTPUT -o eth1 -j OUT_ETH1
> > > iptables -A OUTPUT -o eth2 -j OUT_ETH2
> > >
> > > ### BLOCKED_PACKETS
> > > iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> > > iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK \
> > >     -m state --state NEW -j REJECT --reject-with tcp-reset
> > > iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW -j DROP
> > > iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
> > > # should this be all three interfaces?
> > > iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
> > >     --dport 135:139 -j DROP
> > > iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
> > >     --dport 67:68 -j DROP
> > >
> > > ### ICMP_PACKETS
> > > # are all of these really needed? Which ones should I not accept?
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
> > > iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
> > >
> > > ### IN_LO (localhost)
> > > # are these really needed? Why?
> > > iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
> > > iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
> > > iptables -A IN_LO -s <dmz-address> -i lo -j ACCEPT
> > > iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
> > >
> > > ### IN_ETH0 (Internet)
> > > iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
> > >     --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### IN_ETH1 (LAN)
> > > iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
> > >     --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### IN_ETH2 (DMZ)
> > > iptables -A IN_ETH2 -d <dmz-address> -i eth2 -m state \
> > >     --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUT_LO (localhost)
> > > # are these really needed? Why?
> > > iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
> > > iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
> > > iptables -A OUT_LO -d <dmz-address> -o lo -j ACCEPT
> > > iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
> > >
> > > ### OUT_ETH0 (Internet)
> > > iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
> > >     --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUT_ETH1 (LAN)
> > > iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
> > >     --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ### OUT_ETH2 (DMZ)
> > > iptables -A OUT_ETH2 -s <dmz-address> -o eth2 -m state \
> > >     --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > Specific Services:
> > > ------------------
> > > ### DNS
> > > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p tcp --dport 53 \
> > >     -j DNAT --to-destination <dns-DMZ-IP>
> > > iptables -t nat -A PREROUTING -d <dns-internet-IP> -p udp --dport 53 \
> > >     -j DNAT --to-destination <dns-DMZ-IP>
> > > iptables -A FORWARD -d <dns-DMZ-IP> -p tcp --syn --dport 53 \
> > >     -m state --state NEW -j ACCEPT
> > > iptables -A FORWARD -d <dns-DMZ-IP> -p udp --dport 53 \
> > >     -m state --state NEW -j ACCEPT
> > > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p tcp --sport 53 \
> > >     -j SNAT --to-source <dns-internet-IP>
> > > iptables -t nat -A POSTROUTING -s <dns-DMZ-IP> -p udp --sport 53 \
> > >     -j SNAT --to-source <dns-internet-IP>
> > >
> > > ### FTP
> > > iptables -t nat -A PREROUTING -d <ftp-internet-IP> -p tcp --dport 21 \
> > >     -j DNAT --to-destination <ftp-DMZ-IP>
> > > iptables -A FORWARD -d <ftp-DMZ-IP> -p tcp --syn --dport 21 \
> > >     -m state --state NEW -j ACCEPT
> > > iptables -t nat -A POSTROUTING -s <ftp-DMZ-IP> -p tcp --sport 21 \
> > >     -j SNAT --to-source <ftp-internet-IP>
> > >
> > > # I have other services, but if these are right I should be fine
> > >
> > > What about these two lines?
> > > - iptables -A INPUT -i eth2 -d <dmz-address> -j ACCEPT
> > > - iptables -A INPUT -i eth1 -d <lan-address> -j ACCEPT
> > >
> > > Thanks,
> > >
> > > Joseph
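The thread reviews the rule set by eye. What follows is an added example, not code from the thread or from anyone on the list: a small offline linter that parses an iptables script as text (iptables itself is never run) and applies the checks a reviewer would make on a script like the one above: that the three built-in chains default to DROP, that every chain created with -N is actually jumped to, that chains reached from OUTPUT do not match the firewall's own address as -d (packets the firewall sends carry that address as source, so such a rule never matches), and that every published service has its DNAT, its FORWARD accept and its return SNAT. The sample is a constructed, trimmed copy of the posted script with the placeholders replaced by documentation and private addresses (an assumption for the example), with one OUT_* rule written with -d and the FTP return SNAT left out on purpose so that the checks have something to report.

```python
"""Offline sanity checks for an iptables rule script (added example, not from the thread)."""
import shlex

# Constructed sample: trimmed from the posted rule set. Assumed addresses:
# 198.51.100.1 = eth0, 192.168.1.1 = eth1, 192.168.2.1 = eth2. One OUT_* rule
# matches on -d and the FTP return SNAT is omitted so the checks fire.
SAMPLE_RULES = """
iptables -N IN_ETH0
iptables -N OUT_ETH0
iptables -N OUT_ETH2
iptables -N BLOCKED_PACKETS
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -j BLOCKED_PACKETS
iptables -A INPUT -i eth0 -j IN_ETH0
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -j OUT_ETH0
iptables -A OUTPUT -o eth2 -j OUT_ETH2
iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
iptables -A IN_ETH0 -d 198.51.100.1 -i eth0 -m state \\
    --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUT_ETH0 -s 198.51.100.1 -o eth0 -m state \\
    --state RELATED,ESTABLISHED -j ACCEPT
# matches on -d instead of -s: never hits for packets the firewall sends
iptables -A OUT_ETH2 -d 192.168.2.1 -o eth2 -m state \\
    --state RELATED,ESTABLISHED -j ACCEPT
### DNS published from the DMZ: DNAT in, FORWARD accept, SNAT back out
iptables -t nat -A PREROUTING -d 198.51.100.53 -p udp --dport 53 \\
    -j DNAT --to-destination 192.168.2.53
iptables -A FORWARD -d 192.168.2.53 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.53 -p udp --sport 53 \\
    -j SNAT --to-source 198.51.100.53
### FTP: return SNAT deliberately missing in this sample
iptables -t nat -A PREROUTING -d 198.51.100.21 -p tcp --dport 21 \\
    -j DNAT --to-destination 192.168.2.21
iptables -A FORWARD -d 192.168.2.21 -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
"""
LOCAL_ADDRS = {"198.51.100.1", "192.168.1.1", "192.168.2.1"}  # the firewall's own addresses

ONE_ARG = {"-t", "-A", "-N", "-i", "-o", "-s", "-d", "-p", "-j", "-m", "--dport", "--sport",
           "--state", "--to-destination", "--to-source", "--icmp-type", "--reject-with"}
TWO_ARG = {"-P", "--tcp-flags"}


def parse(script):
    """Join backslash continuations and turn each iptables line into an option dict."""
    rules = []
    for line in script.replace("\\\n", " ").splitlines():
        argv = shlex.split(line, comments=True)
        if not argv or argv[0] != "iptables":
            continue
        rule, i = {"flags": []}, 1
        while i < len(argv):
            tok = argv[i]
            if tok in TWO_ARG:
                rule[tok] = (argv[i + 1], argv[i + 2]); i += 3
            elif tok in ONE_ARG:
                rule[tok] = argv[i + 1]; i += 2
            else:
                rule["flags"].append(tok); i += 1      # "!", "--syn", ...
        rules.append(rule)
    return rules


def lint(script, local_addrs):
    """Return a list of findings; an empty list means every check passed."""
    rules, findings = parse(script), []
    # 1. the built-in filter chains should default to DROP
    policies = {r["-P"][0]: r["-P"][1] for r in rules if "-P" in r}
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"policy: {chain} is {policies.get(chain, 'unset')}, expected DROP")
    # 2. a chain created with -N that nothing jumps to is dead code
    created = {r["-N"] for r in rules if "-N" in r}
    targets = {r["-j"] for r in rules if "-j" in r}
    for chain in sorted(created - targets):
        findings.append(f"dead chain: {chain} is created but never jumped to")
    # 3. chains reached from OUTPUT see locally generated packets, whose source is a
    #    firewall address; matching that address as -d can never succeed there
    out_chains = {"OUTPUT"} | {r["-j"] for r in rules if r.get("-A") == "OUTPUT" and "-j" in r}
    for r in rules:
        if r.get("-A") in out_chains and r.get("-d") in local_addrs:
            findings.append(f"direction: {r['-A']} matches -d {r['-d']} (a firewall address) "
                            f"on -o {r.get('-o')}; locally generated packets carry it as -s")
    # 4. a published service needs DNAT in, a FORWARD accept, and SNAT back out
    forwards = [r for r in rules if r.get("-A") == "FORWARD" and r.get("-j") == "ACCEPT"]
    snats = [r for r in rules if r.get("-A") == "POSTROUTING" and r.get("-j") == "SNAT"]
    for r in rules:
        if r.get("-A") != "PREROUTING" or r.get("-j") != "DNAT":
            continue
        inside, proto, port = r["--to-destination"], r.get("-p"), r.get("--dport")
        if not any(f.get("-d") == inside and f.get("-p") == proto and f.get("--dport") == port
                   for f in forwards):
            findings.append(f"dnat: {proto}/{port} -> {inside} has no matching FORWARD ACCEPT")
        if not any(s.get("-s") == inside and s.get("-p") == proto for s in snats):
            findings.append(f"dnat: {proto}/{port} -> {inside} has no return SNAT in POSTROUTING")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES, LOCAL_ADDRS) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports the OUT_ETH2 direction mismatch and the missing FTP return SNAT, and nothing for the DNS triplet or the policies. To use it on a real script, pass the file contents and the firewall's own addresses; the option tables only know the flags used in the posted rules, so extend ONE_ARG and TWO_ARG for any other match options before trusting its silence.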