/dev/rob0 on 17/05/08 00:36, wrote:
On Fri May 16 2008 13:30:01 Adam Hardy wrote:
I set up iptables myself today after using an obtusely written
script for some time.
I don't think this one is much better. :( Start simpler. A good
starting point is Rusty's Packet Filtering HOWTO, Really Quick Guide:
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html
I can appreciate minimalism, thanks. I'll definitely peruse that. My script is
based on the obtuse script I had earlier (generated by fwbuilder) but
rationalised by myself - we're talking rationalised as far as my understanding
of iptables goes, rather than what I desire for the end result. I'm pretty close
though I think.
I am trying to work out whether everything is in order and I am
seeing logs from iptables saying that it is dropping packets from the
Routine logging is an easy way to DoS yourself. When you have it all
working, stop the -j LOG rules.
machine every 12 minutes, which doesn't make sense - here's a line
from the log:
May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1
SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217
Assuming that the --log-prefix is correct and that your iptables
machine's IP address is 192.168.0.2, do tell, WHY are you blocking
OUTPUT? What is your threat model?
Basically I have 3 housemates who I allow on the wireless LAN with their
laptops, and of course they all run windows, so I just want to make sure. I'd
rather not run the risk of someone leaving their PC on with a spam cannon trojan
running. I've forbidden Outlook and MSIE, so perhaps I'm being too keen, but I
figured I'd log what OUTPUT drops and figure out where it's coming from and
whether it's kosher or not, and adapt when necessary.
And I've seen the buffering config that can prevent log flooding, so I should be
OK vis a vis DoS.
I'm trying to find out what the broadcast address is for and I'm
pretty much in the dark despite looking around the mailing list and
google.
This is the old "Netbios" protocol, kludged up by Microsoft in the
1990's, to enable peer-to-peer file sharing on IP networks without
proper DNS services. I think you can turn it off in Samba's nmbd(8).
But your best bet is to just stop blocking OUTPUT.
You most likely also do not want much if any filtering on your LAN
interface. You should only filter INPUT and FORWARD traffic on your
external interface. If you really have a threat inside your RFC 1918
netblocks, I would suggest a physical approach: pull the plug on it.
Point taken - if I takes me too long to figure out the rule I need, I may just
go that way.
Thanks
Adam
