A few comments mostly inline below.

To start I tend to put some common stuff in variables to reduce typing.

INPUT_ICMP="iptables -A INPUT -p ICMP"
INPUT_TCP="iptables -A INPUT -p TCP"
OUTPUT_TCP="iptables -A OUTPUT -p TCP"

OUTPUT_ICMP="iptables -A OUTPUT -p ICMP"
INPUT_UDP="iptables -A INPUT -p UDP"
OUTPUT_UDP="iptables -A OUTPUT -p UDP"

On Mon, 2011-03-07 at 17:13 -0500, robert mckennon wrote:
> 
> # My system IP/set ip address of server
> SERVER_IP="10.11.248.75"
> # Flushing all rules
> iptables -F
> iptables -X

I also flush the nat table; not sure if either of the previous does that,
but it also depends on use of that and/or other tables.

iptables -t nat -F

> # Setting default filter policy
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> # Allow unlimited traffic on loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT

Where did you get the loopback stuff? I can't recall ever seeing
loopback stuff in iptables before, which is why I ask :)

> # Allow incoming ssh
> iptables -A INPUT -p tcp -s 10.11.248.0/24 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 10.11.250.0/24 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

Pretty sure you do not have to specify -d 0/0; that will be assumed. Just
the same, you might want to bind the above to specific interfaces like you're
doing for the loopback ones above. Usually a good rule of thumb to
specify either input interface -i, or output interface -o.

Also not sure you need to specify the port range that can connect, but
can't hurt to do so I suppose.

> # Allow NAT and forwarding of ftp requests
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I tend to do the nat stuff at the end, after all rules are set up, but
could be moot. However in theory it could allow something to
communicate/reach the outside world before other stuff is set up.

> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> 
> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 20 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

You can combine these rules sets using -m multiport --dport 20,21 and  
-m multiport --sport 20,21. You can use either : or , between ports.
The : normally does a range, like 1:10, does all 1-10. In the case above
it's totally moot, they are consecutive either way.

> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

This should fail since you're missing -m multiport, unless that is no
longer necessary to specify.

> # make sure nothing comes or goes out of this box
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP

I tend to log dropped stuff, but not a must. Also reject with ICMP host
unreachable before I drop, just to be polite :)

${INPUT_ICMP} -i ${int} -j LOG -m limit --log-prefix "iptables: "
${INPUT_ICMP} -i ${int} -j REJECT --reject-with icmp-host-unreachable
${INPUT_ICMP} -i ${int} -j DROP

I need to switch to a newer logging method that doesn't fill up kernel
output, mess with command line dmesg.

-- 
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com


---------------------------------------------------------------------
Archive      http://marc.info/?l=jaxlug-list&r=1&w=2
RSS Feed     http://www.mail-archive.com/[email protected]/maillist.xml
Unsubscribe  [email protected]
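As an added example that is not part of either poster's script, here is the quoted ruleset rebuilt along the lines of the reply above: flush the nat table as well as filter, bind rules to an interface, collapse the FTP rules with multiport, and log then reject before NAT is enabled last. The interface name eth0 and the IPT dry-run variable are assumptions; by default the function only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to a dry run that prints
# the commands; run with IPT=iptables (as root) to actually apply them.
IPT="${IPT:-echo iptables}"
SERVER_IP="10.11.248.75"    # value from the quoted script
FTP_HOST="10.11.248.119"    # value from the quoted script
WAN_IF="eth0"               # assumed interface name

firewall_rules() {
    # -F/-X without -t only touch the filter table, so flush nat explicitly.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback: the host talks to itself over lo, so both directions are needed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One conntrack rule per chain handles replies; services only need NEW.
    # RELATED covers FTP data connections only if nf_conntrack_ftp is loaded.
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH from the two admin subnets, bound to the interface; -d 0/0 omitted
    # on the reply rule since it is implied.
    for net in 10.11.248.0/24 10.11.250.0/24; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$net" -d "$SERVER_IP" \
            --dport 22 -m state --state NEW -j ACCEPT
    done
    # FTP control and data in one rule. Note the multiport option is spelled
    # --dports (plural); plain --dport only takes a single port or a : range.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -d "$FTP_HOST" \
        -m multiport --dports 20,21 -m state --state NEW -j ACCEPT
    # Rate-limited log, then a polite reject; the chain policy DROPs the rest
    # (including anything arriving on interfaces other than WAN_IF).
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "iptables: "
    $IPT -A INPUT -i "$WAN_IF" -j REJECT --reject-with icmp-host-unreachable
    # NAT last, once every filter rule is in place.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

firewall_rules
```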