Based on Rusty Russell's document I worked out the following rules. Could someone tell me if they look safe?
Topology :

  internet ------------------------ FW --------------------- intranet (192.168.1.xxx)
                                  (eth0) (eth1)
                                  gtw : 192.168.1.1

Aim :
1°. Any outbound traffic is authorized
2°. No inbound traffic authorized except when initiated from inside
3°. or, HTTP, ftp, ssh, 8080, 8083, ... requests which will be forwarded to an internal machine according to the traffic type (not implemented yet!).

Here is the script I want to run :

<script>
# Defines some variables
IPT=/sbin/iptables

# Creates two tables
${IPT} -N never
${IPT} -N logdrop
${IPT} -A never -j LOG --log-level alert --log-prefix "Filter error : "
${IPT} -A never -j logdrop

# Create the policy to drop the packets
# (target names are case-sensitive: the target is LOG, not log)
${IPT} -A logdrop -m limit -j LOG --log-prefix "Filter : "
${IPT} -A logdrop -j DROP

# Creates a policy for traffic going to & fro the DMZ
${IPT} -N dmz-bad
${IPT} -N bad-dmz

# This allows to "just" tag the traffic going from one interface
# to the other
${IPT} -A FORWARD -i eth1 -o eth0 -j dmz-bad
${IPT} -A FORWARD -i eth0 -o eth1 -j bad-dmz

# This allows to monitor all the ICMP traffic
${IPT} -N icmp-accept
${IPT} -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
${IPT} -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
${IPT} -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
${IPT} -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT

# Creates a policy for all outbound services requested
# (echo-request / echo-reply are the canonical names of ping / pong)
${IPT} -N outbnd-services
${IPT} -A outbnd-services -p tcp --dport 1:1024 -j ACCEPT
${IPT} -A outbnd-services -p udp --dport 1:1024 -j ACCEPT
${IPT} -A outbnd-services -p icmp --icmp-type echo-request -j ACCEPT
${IPT} -A outbnd-services -j DROP

# Creates the policy for all the inbound traffic
${IPT} -N inbnd-services
${IPT} -A inbnd-services -p tcp ! --syn --sport www -j ACCEPT
${IPT} -A inbnd-services -p tcp ! --syn --sport ssh -j ACCEPT
${IPT} -A inbnd-services -p tcp ! --syn --sport ftp -j ACCEPT
${IPT} -A inbnd-services -p tcp --dport 1024:65535 -j ACCEPT
${IPT} -A inbnd-services -p udp --dport 1024:65535 -j ACCEPT
${IPT} -A inbnd-services -p icmp --icmp-type echo-reply -j ACCEPT
${IPT} -A inbnd-services -j LOG
${IPT} -A inbnd-services -j REJECT
</script>

Is this conservative & safe enough? What more could I add to this to avoid any unwanted intrusion?

much tx,

Thomas,
--
Thomas SMETS
rue J. Wytsmanstraat 62
1050 Bruxelles
yahoo-id : smetsthomas
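As an added example (not Thomas's script), here is the same topology and the same three aims expressed with connection tracking, which implements aim 2 directly: in the posted script the outbnd-services, inbnd-services and icmp-accept chains are never jumped to from a built-in chain, and the `--dport 1024:65535` rules accept any unsolicited packet aimed at a high port. It assumes eth0 faces the internet, eth1 the 192.168.1.0/24 intranet, and that the firewall masquerades the private range; by default it only prints the commands.

```shell
#!/bin/sh
# IPT defaults to a dry run that only prints the commands;
# run with IPT=/sbin/iptables to apply them for real.
IPT="${IPT:-echo /sbin/iptables}"
LAN=192.168.1.0/24   # intranet behind eth1, as in the post; eth0 faces the internet

firewall_rules() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    # Default-deny for traffic to and through the firewall; aim 1 keeps OUTPUT open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Rate-limited log-then-drop chain (the posted logdrop chain, with the LOG
    # target in upper case and a limit so a flood of packets cannot fill syslog).
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit 5/min -j LOG --log-prefix "Filter : "
    $IPT -A logdrop -j DROP

    # Anti-spoofing: intranet source addresses must never arrive on eth0.
    $IPT -A INPUT   -i eth0 -s $LAN -j logdrop
    $IPT -A FORWARD -i eth0 -s $LAN -j logdrop

    # Aim 2: inbound packets are accepted only when conntrack has already seen
    # the connection leave the intranet. This replaces the posted "! --syn" and
    # "--dport 1024:65535" rules, which accept any packet aimed at a high port
    # whether or not a connection exists. RELATED also covers the ICMP errors
    # (destination-unreachable, time-exceeded, ...) the icmp-accept chain listed.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -i lo -j ACCEPT

    # Aim 1: any new connection from the intranet may go out, masqueraded behind
    # the firewall (assumption: the FW also does NAT for the private range).
    $IPT -A FORWARD -i eth1 -o eth0 -s $LAN -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -s $LAN -j MASQUERADE

    # Everything else, in particular unsolicited traffic from eth0, is logged and dropped.
    $IPT -A INPUT   -j logdrop
    $IPT -A FORWARD -j logdrop
}

firewall_rules
```

Aim 3 (port-forwarding to internal machines) is left out, as it is not implemented in the post either; it would need DNAT rules in the nat table plus matching FORWARD accepts.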
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com