On Thu, May 16, 2002 at 06:15:52PM -0400, Louis Garcia wrote:
> I'm just trying to teach myself how to configure a firewall using
> iptables. This is my current script:
<snip>

I'm not very experienced with IPTables myself but I would strongly
suspect that a lot of your rules allowing outbound connections could
be covered in many fewer rules using the "state" and "multiport" code.

> ## Make sure NEW tcp connections are SYN packets
> iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

I would think that this rule is unnecessary, as the connection
tracking code won't open an entry in its state table if the packet
isn't a SYN.

> ## FRAGMENTS
> # Log fragments just to see if we get any, and deny them too.
> iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> iptables -A INPUT -i eth0 -f -j DROP

Also if I remember correctly you don't need to worry about fragments
if you're keeping state.

<snip>
> # Refuse Class D multicast addresses. Multicast is illegal as a source
> # address.
> iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP

Oooh, is that definitely the case?

<snip>
> ## FTP (20,21,1024:65535)
> # Allow ftp outbound. (21)
> iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state \
>   ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state \
>   NEW,ESTABLISHED -j ACCEPT
> # 1) Active ftp. (20)
> iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state \
>   ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state \
>   ESTABLISHED -j ACCEPT
> # 2) Passive ftp. (1024:65535)
> iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport \
>   1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport \
>   1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

Do look at the FTP tracking module. I'm not sure if these rules will
work anyway, but I gather the FTP module will make this a lot easier
to specify anyway.

> ## TRACEROUTE
> # Outgoing traceroute anywhere.
> iptables -A OUTPUT -o eth0 -p udp --sport 32769:65535 --dport \
>   33434:33523 -m state --state NEW -j ACCEPT

Are you sure about those source ports? I thought Linux used 1024-5000
by default?

> Also do I have to do iptables -P OUTPUT DROP or can I
> iptables -P OUTPUT ACCEPT to allow anything out??

As long as you're on a single user box, or not looking to restrict
outbound connectivity anyway (which can be useful for spotting
compromised software), iptables -P OUTPUT ACCEPT is fine.

-- 
FunkyJesus
System Administration Team

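The following script is an added illustration of the reply's advice and is not part of the original thread or either poster's script. It collapses the per-port "reply" rules into one ESTABLISHED,RELATED rule, uses the "multiport" match for the services offered, loads the FTP connection-tracking helper so active-FTP data connections arrive as RELATED, and keeps OUTPUT at ACCEPT as the reply suggests for a single-user box. The interface name eth0, the served ports 22 and 443, and the module name nf_conntrack_ftp (current kernels; 2.4-era kernels called it ip_conntrack_ftp) are assumptions. By default it only prints the rules (DRY_RUN=1); set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Added example, not from the thread: a compact stateful ruleset built
# from the "state" and "multiport" matches the reply recommends.
# DRY_RUN=1 (the default) prints each command instead of running it.

IPT="${IPTABLES:-iptables}"      # assumed path to the iptables binary
IFACE="${IFACE:-eth0}"           # assumed external interface
SERVED_PORTS="${SERVED_PORTS:-22,443}"   # assumed inbound services

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipt: prefix a rule with the iptables binary and hand it to run().
ipt() {
    run "$IPT" "$@"
}

# stateful_ruleset: emit (or apply) the whole INPUT policy.
stateful_ruleset() {
    # FTP helper: marks the server's active-mode data connection (from
    # port 20) as RELATED, so no per-port FTP rules are needed.
    run modprobe nf_conntrack_ftp

    # Default-deny inbound and forwarded traffic; outbound stays open,
    # which the reply says is fine for a single-user box.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT

    # Loopback is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # One rule replaces every "--sport X --state ESTABLISHED" rule in the
    # original script: any packet belonging to (or related to) a
    # connection we opened is accepted, whatever the port.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Cheap extra check: a packet claiming to start a connection must
    # be a SYN.  Harmless to keep even where conntrack already handles it.
    ipt -A INPUT -i "$IFACE" -p tcp ! --syn -m state --state NEW -j DROP

    # Services we offer, collapsed into one rule with multiport.
    ipt -A INPUT -i "$IFACE" -p tcp -m multiport --dports "$SERVED_PORTS" \
        -m state --state NEW -j ACCEPT

    # Rate-limited logging of whatever falls through to the DROP policy,
    # so the log stays readable during a scan.
    ipt -A INPUT -i "$IFACE" -m limit --limit 5/min -j LOG \
        --log-prefix "IPTABLES DROP: "
}

# count_rules: number of iptables commands the ruleset produces, so the
# saving over a per-port script can be checked without root.
count_rules() {
    DRY_RUN=1 stateful_ruleset | grep -c "^$IPT "
}

# Run stand-alone: print the rules (or apply them when DRY_RUN=0).
stateful_ruleset
```

With DRY_RUN=1 the output can be reviewed or diffed against an existing script before anything is applied; the whole policy is nine iptables commands, and adding another served port means editing SERVED_PORTS rather than writing two more rules.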