On Mon, Mar 7, 2011 at 5:35 PM, William L. Thomson Jr.
<[email protected]> wrote:
> A few comments mostly inline below.
>
> To start I tend to put some common stuff in variables to reduce typing.
>
> INPUT_ICMP="iptables -A INPUT -p ICMP"
> INPUT_TCP="iptables -A INPUT -p TCP"
> OUTPUT_TCP="iptables -A OUTPUT -p TCP"
>
> OUTPUT_ICMP="iptables -A OUTPUT -p ICMP"
> INPUT_UDP="iptables -A INPUT -p UDP"
> OUTPUT_UDP="iptables -A OUTPUT -p UDP"
>
> On Mon, 2011-03-07 at 17:13 -0500, robert mckennon wrote:
>>
>> # My system IP/set ip address of server
>> SERVER_IP="10.11.248.75"
>> # Flushing all rules
>> iptables -F
>> iptables -X
>
> I also flush the nat table, not sure if either of the previous do that,
> but also depends on use of that and/or other tables.
>
> iptables -t nat -F
>
>> # Setting default filter policy
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>> # Allow unlimited traffic on loopback
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>
> Where did you get the loopback stuff? I can't recall ever seeing
> loopback stuff in iptables before, which is why I ask :)
>

Not sure where it came from, I'd have to go google it again.


>> # Allow incoming ssh
>> iptables -A INPUT -p tcp -s 10.11.248.0/24 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp -s 10.11.250.0/24 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
>
> Pretty sure you do not have to specify -d 0/0; that will be assumed. Just
> the same, might want to bind the above to specific interfaces like you're
> doing for the loopback ones above. Usually a good rule of thumb to
> specify either input interface -i, or output interface -o.
>
> Also not sure you need to specify the port range that can connect, but
> can't hurt to do so I suppose.
>
>> # Allow NAT and forwarding of ftp requests
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> I tend to do the nat stuff at the end, after all rules are setup, but
> could be moot. However in theory it could allow something to
> communicate/reach the outside world before other stuff is setup.
>
>> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>>
>> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 20 -m state --state ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You can combine these rules sets using -m multiport --dport 20,21 and
> -m multiport --sport 20,21. You can use either : or , between ports.
> The : normally does a range, like 1:10, does all 1-10. In the case above
> it's totally moot, they are consecutive either way.
>
>> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>
> This should fail since you're missing -m multiport, unless that is no
> longer necessary to specify.

So could this be why it's not working?
I have to head home to do some more testing from the external side.
I'll check my mail when I get there.

Thank you for your reply!



>
>> # make sure nothing comes or goes out of this box
>> iptables -A INPUT -j DROP
>> iptables -A OUTPUT -j DROP
>
> I tend to log dropped stuff, but not a must. Also reject with ICMP host
> unreachable before I drop, just to be polite :)
>
> ${INPUT_ICMP} -i ${int} -j LOG -m limit --log-prefix "iptables: "
> ${INPUT_ICMP} -i ${int} -j REJECT --reject-with icmp-host-unreachable
> ${INPUT_ICMP} -i ${int} -j DROP
>
> I need to switch to a newer logging method that doesn't fill up kernel
> output and mess with command line dmesg.
>
> --
> William L. Thomson Jr.
> Obsidian-Studios, Inc.
> http://www.obsidian-studios.com
>
>
> ---------------------------------------------------------------------
> Archive      http://marc.info/?l=jaxlug-list&r=1&w=2
> RSS Feed     http://www.mail-archive.com/[email protected]/maillist.xml
> Unsubscribe  [email protected]
>
>
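Pulling the suggestions from the thread together, as an added example that is not part of either post: a small POSIX sh rule generator using common prefixes in variables, a separate flush of the nat table, interface-bound rules, multiport for the FTP ports, a log / reject / drop tail, and NAT set up last. By default it only prints the iptables commands it would run (IPT defaults to "echo iptables"), so the ruleset can be reviewed without root; run it with IPT=iptables to apply. The external interface name (eth0), the server and FTP addresses, and the SSH source networks are taken from the thread and are assumptions for this example, as is the note that active-mode FTP data connections only match RELATED when the ftp conntrack helper is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (or, with IPT=iptables,
# applies) a ruleset that follows the advice given in the discussion above.

IPT="${IPT:-echo iptables}"               # default: print, do not apply
EXT_IF="${EXT_IF:-eth0}"                  # assumed external interface
SERVER_IP="${SERVER_IP:-10.11.248.75}"    # server address from the thread
FTP_IP="${FTP_IP:-10.11.248.119}"         # FTP server address from the thread
SSH_NETS="${SSH_NETS:-10.11.248.0/24 10.11.250.0/24}"  # networks allowed to ssh

# Common prefixes in variables to cut down on typing, as suggested.
INPUT_TCP="-A INPUT -p tcp"
OUTPUT_TCP="-A OUTPUT -p tcp"

ipt() { $IPT "$@"; }   # word-splitting of $IPT is intentional ("echo iptables")

flush_all() {
    ipt -F
    ipt -X
    ipt -t nat -F      # -F / -X only touch the filter table; flush nat too
    ipt -t nat -X
}

set_policy() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

allow_loopback() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

allow_established() {
    # One state rule per chain covers all return traffic, so the per-service
    # rules below only need to permit NEW connections.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

allow_ssh() {
    # Bound to the external interface; -d 0/0 is left out since it is the default.
    for net in $SSH_NETS; do
        ipt $INPUT_TCP -i "$EXT_IF" -s "$net" -d "$SERVER_IP" --dport 22 \
            -m state --state NEW -j ACCEPT
    done
}

allow_ftp() {
    # multiport replaces the two near-identical port 20 and 21 rules.
    ipt $INPUT_TCP -i "$EXT_IF" -d "$FTP_IP" -m multiport --dports 20,21 \
        -m state --state NEW -j ACCEPT
    # Active-mode data connections leave from port 20; they are RELATED only if
    # the ftp conntrack helper is loaded, so allow them as NEW here as well.
    ipt $OUTPUT_TCP -o "$EXT_IF" -s "$FTP_IP" --sport 20 \
        -m state --state NEW -j ACCEPT
}

log_reject_drop() {
    # Rate-limited log, a polite ICMP reject, then drop whatever is left.
    ipt -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "iptables: "
    ipt -A INPUT -i "$EXT_IF" -j REJECT --reject-with icmp-host-unreachable
    ipt -A INPUT -j DROP
    ipt -A OUTPUT -j DROP
}

masquerade() {
    # NAT goes last, after the filter rules are in place.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

build_rules() {
    flush_all
    set_policy
    allow_loopback
    allow_established
    allow_ssh
    allow_ftp
    log_reject_drop
    masquerade
}

build_rules
```

Run it as-is to get the full command list on stdout for review; `IPT=iptables sh firewall.sh` (as root) applies it. Keeping the ESTABLISHED,RELATED rules in one place means a new service only needs its NEW rule, which is also where the original two-rules-per-port pattern came from.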
