Based on Rusty Russell's document I worked out the following rules.
Could someone tell me if they look safe?
Topology:

                        internet
------------------------ FW --------------------- intranet (192.168.1.xxx)
                   (eth0)    (eth1)               gtw : 192.168.1.1
Aim:
1. Any outbound traffic is authorized.
2. No inbound traffic authorized except when initiated from inside.
3. or HTTP, ftp, ssh, 8080, 8083, ... requests which will be forwarded
to an internal machine according to the traffic type (not implemented
yet!).
Here is the script I wanna run:
<script>
#!/bin/sh
# Defines some variables
IPT=/sbin/iptables
# Creates two user-defined chains (iptables "tables" are filter/nat/mangle;
# what -N creates is a chain)
${IPT} -N never
${IPT} -N logdrop
${IPT} -A never -j LOG --log-level alert --log-prefix "Filter error : "
${IPT} -A never -j logdrop
# Create the policy to drop the packets
# (target names are case-sensitive: "log" is rejected, "LOG" is the target)
${IPT} -A logdrop -m limit -j LOG --log-prefix "Filter : "
${IPT} -A logdrop -j DROP
# Creates a chain for traffic going to & fro the DMZ
${IPT} -N dmz-bad
${IPT} -N bad-dmz
# This only "tags" the traffic going from one interface to the other:
# both chains are still empty, so every packet falls back to FORWARD
${IPT} -A FORWARD -i eth1 -o eth0 -j dmz-bad
${IPT} -A FORWARD -i eth0 -o eth1 -j bad-dmz
# This allows the error-reporting ICMP types through
# (chain is not yet referenced from any built-in chain)
${IPT} -N icmp-accept
${IPT} -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
${IPT} -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
${IPT} -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
${IPT} -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT
# Creates a chain for all outbound services requested
# (chain is not yet referenced from any built-in chain)
${IPT} -N outbnd-services
${IPT} -A outbnd-services -p tcp --dport 1:1024 -j ACCEPT
${IPT} -A outbnd-services -p udp --dport 1:1024 -j ACCEPT
# "ping" is the iptables alias for echo-request
${IPT} -A outbnd-services -p icmp --icmp-type ping -j ACCEPT
${IPT} -A outbnd-services -j DROP
# Creates the chain for all the inbound traffic
# (chain is not yet referenced from any built-in chain)
${IPT} -N inbnd-services
# non-SYN packets: replies belonging to connections opened from inside
${IPT} -A inbnd-services -p tcp ! --syn --sport www -j ACCEPT
${IPT} -A inbnd-services -p tcp ! --syn --sport ssh -j ACCEPT
${IPT} -A inbnd-services -p tcp ! --syn --sport ftp -j ACCEPT
${IPT} -A inbnd-services -p tcp --dport 1024:65535 -j ACCEPT
${IPT} -A inbnd-services -p udp --dport 1024:65535 -j ACCEPT
# "pong" is the iptables alias for echo-reply
${IPT} -A inbnd-services -p icmp --icmp-type pong -j ACCEPT
${IPT} -A inbnd-services -j LOG
${IPT} -A inbnd-services -j REJECT
</script>
Is this conservative & safe enough?
What more could I add to this to avoid any unwanted intrusion?
much tx,
Thomas,
--
Thomas SMETS
rue J. Wytsmanstraat 62
1050 Bruxelles
yahoo-id : smetsthomas
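As an added example (not from the post above nor from Rusty Russell's document), here are aims 1 to 3 written with the connection-tracking state match instead of the `! --syn` and high-port approximations: replies are accepted because conntrack saw the outbound connection, not because of a port number. Interface names, the LAN range, the 5/min log limit and the web server address 192.168.1.10 are placeholder assumptions; `DRY_RUN=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: stateful version of the three aims (assumed values below).
IPT="${IPT:-/sbin/iptables}"
EXT="${EXT:-eth0}"                 # internet side (assumed)
INT="${INT:-eth1}"                 # intranet side (assumed)
LAN="${LAN:-192.168.1.0/24}"       # intranet range (assumed)
WEB="${WEB:-192.168.1.10}"         # placeholder internal web server

# Run iptables, or just print the command when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi; }

build_rules() {
  run -P INPUT DROP
  run -P FORWARD DROP
  run -P OUTPUT ACCEPT
  # rate-limited log-and-drop chain
  run -N logdrop
  run -A logdrop -m limit --limit 5/min -j LOG --log-prefix "Filter : "
  run -A logdrop -j DROP
  # Aim 2: only packets belonging to connections conntrack already knows
  # come back in; a fresh non-SYN packet from outside is dropped below
  run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Aim 1: new connections from the LAN to the internet
  run -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j ACCEPT
  # Aim 3: inbound HTTP redirected to the internal web server
  run -t nat -A PREROUTING -i "$EXT" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
  run -A FORWARD -i "$EXT" -o "$INT" -d "$WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT
  # anti-spoofing: internet packets claiming a LAN source address
  run -A FORWARD -i "$EXT" -s "$LAN" -j logdrop
  run -A FORWARD -j logdrop
  # the firewall host itself: loopback, replies, ssh from the LAN only
  run -A INPUT -i lo -j ACCEPT
  run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run -A INPUT -i "$INT" -s "$LAN" -p tcp --dport ssh -m state --state NEW -j ACCEPT
  run -A INPUT -j logdrop
  # hide the LAN behind the firewall's internet address
  run -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

# helpers for checking the generated rule set without touching the kernel
first_forward_rule() { DRY_RUN=1 build_rules | grep -- '-A FORWARD' | head -n 1; }
count_state_rules()  { DRY_RUN=1 build_rules | grep -c -- '--state'; }

[ "${DRY_RUN:-0}" = 1 ] && build_rules
```

Run with `DRY_RUN=1 sh script.sh` to review the rule list before applying it with root privileges.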