[gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread the guard



Tuesday, 21 May 2013, 11:07 -04:00, from Nick Khamis sym...@gmail.com:
 Hello Everyone,
 
 We recently moved our stateful firewall inside, and would like to
 strip down the firewall at our router connected to the outside world.
 The problem I am experiencing is getting things to work properly
 without connection tracking. I hope I am not in breach of mailing list
 rules however, a stripped down configuration is as follows:
 
 #!/bin/bash
 IPTABLES='/sbin/iptables'
 
 #Set interface values
 INTIF1='eth0'
 
 #flush rules and delete chains
 $IPTABLES -F
 $IPTABLES -X
 
 #echo -e- Accepting input lo traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
 
 #echo -e- Accepting output lo traffic
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
 #echo -e- Defined Chains
 $IPTABLES -N TCP
 $IPTABLES -N UDP
 
 #echo -e- Accepting SSH Traffic
 $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
 $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
 
 #echo -e- Accepting input TCP and UDP traffic to open ports
 $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
 $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
 
 #echo -e- Accepting output TCP and UDP traffic to open ports
 $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
 $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
 
 #echo -e- Dropping input TCP and UDP traffic to closed ports
 # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
 # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
 
 #echo -e- Dropping output TCP and UDP traffic to closed ports
 # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
 # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
 
 #echo -e- Dropping input traffic to remaining protocols sent to closed ports
 # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
 
 #echo -e- Dropping output traffic to remaining protocols sent to closed ports
 # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
 
 
 Everything works fine with the REJECT rules commented out, but when they
 are included, SSH access is blocked out. Not sure why; isn't the sequence
 correct (i.e., the ACCEPT entries before the DROP and REJECT)?
 
 Also, any pointers or heads up when going stateless would be greatly
 appreciated.
 
 Kind Regards,
 
 Nick

Looks like the packet never gets to the TCP chain. What is --syn?

Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
 Looks like the packet never gets to the TCP chain. What is --syn?

It seems that way. I am not sure what --syn is, actually. But even
if I comment it out, it does not work. Also, for testing I changed the
SSH rule to allow bidirectional traffic until this is fixed:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

As mentioned before, everything works as expected until I try to
close up the ports not included in the TCP and UDP chains:

#echo -e- Dropping input TCP and UDP traffic to closed ports
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping output TCP and UDP traffic to closed ports
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable


Thanks in Advance,

Nick.
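A stateless counterpart to the ruleset quoted in this thread, as an added example that is not Nick's script or anything posted on the list. It keeps the addresses the posted script uses (host 192.168.2.5, LAN 192.168.2.0/24, eth0) and adds a DRY_RUN switch so the rules can be reviewed without applying them; the gap it closes is the one the first reply points at, namely that `--syn` sends only connection-opening SYNs to the TCP chain.

```shell
#!/bin/bash
# Added example, not from the thread: a stateless variant of the posted ruleset.
# Assumed, as in the posted script: this host is 192.168.2.5, the trusted LAN
# is 192.168.2.0/24 and eth0 faces the network.
IPTABLES=${IPTABLES:-/sbin/iptables}
INTIF1=${INTIF1:-eth0}
HOST=192.168.2.5
LAN=192.168.2.0/24

# rule: run iptables, or with DRY_RUN=1 only print the arguments, so the
# ruleset can be reviewed (and tested) on a box without root or iptables.
rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$IPTABLES" "$@"; fi
}

stateless_rules() {
    rule -F; rule -X
    rule -N TCP; rule -N UDP
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Connection openers: a bare SYN to port 22 is decided in the TCP chain,
    # LAN sources accepted and everything else dropped, as posted.
    rule -A TCP -p tcp -s "$LAN" -d "$HOST" --dport 22 -j ACCEPT
    rule -A TCP -p tcp -d "$HOST" --dport 22 -j DROP
    rule -A INPUT -i "$INTIF1" -p tcp --syn -j TCP
    rule -A INPUT -i "$INTIF1" -p udp -j UDP
    # --syn matches only SYN with ACK/RST/FIN clear, so the later segments of
    # an accepted session (client ACK, data, FIN) skip the TCP chain and, in
    # the posted script, reach the REJECT rules below. Without conntrack the
    # substitute is an explicit rule for non-SYN segments in each direction:
    # inbound to the service port, outbound from it (the SYN-ACK has ACK set,
    # so it is "! --syn" too). Cost: any non-SYN segment to port 22 from the
    # LAN is accepted even when no session exists for it.
    rule -A INPUT -i "$INTIF1" -p tcp -s "$LAN" -d "$HOST" --dport 22 ! --syn -j ACCEPT
    rule -A OUTPUT -o "$INTIF1" -p tcp -s "$HOST" --sport 22 -d "$LAN" ! --syn -j ACCEPT
    # Everything else on the interface is closed, as in the commented-out block;
    # connections this host itself opens would need a similar pair of rules.
    rule -A INPUT -i "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
    rule -A INPUT -i "$INTIF1" -p udp -j REJECT --reject-with icmp-port-unreachable
    rule -A INPUT -i "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable
    rule -A OUTPUT -o "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
    rule -A OUTPUT -o "$INTIF1" -p udp -j REJECT --reject-with icmp-port-unreachable
    rule -A OUTPUT -o "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable
}

# Apply only when asked (needs root); DRY_RUN=1 stateless_rules just prints.
if [ "${STATELESS_APPLY:-0}" = 1 ]; then
    stateless_rules
fi
```

Review the output of `DRY_RUN=1 stateless_rules` before setting STATELESS_APPLY=1 on a router you reach over SSH, since a mistake in the non-SYN rules locks you out the same way the posted script did.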