[gentoo-user] IPTables - Going Stateless

Tue, 21 May 2013 08:07:42 -0700 

Hello Everyone,

We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules however, a stripped down configuration is as follows:

#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e "       - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e "       - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e "       - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e "       - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5
--dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e "       - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e "       - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e "       - Dropping input TCP and UDP traffic to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with
icmp-port-unreachable

#echo -e "       - Dropping output TCP and UDP traffic to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with
icmp-port-unreachable

#echo -e "       - Dropping input traffic to remaining protocols sent
to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e "       - Dropping output traffic to remaining protocols sent
to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable


Everything works fine with the REJECT rules commented out, but when
included SSH access is blocked out. Not sure why, isn't the sequence
correct (i.e., the ACCPET entries before the DROP and REJECT)?

Also, any pointers or heads up when going stateless would be greatly
appreciated.

Kind Regards,

Nick

Reply via email to