Hi,

I can cook up something along the lines of my setups.. I can't publish the
actual rulesets that I use (for obvious reasons).

Here goes. Note that:

- State check is one of the first rules every time; this saves time traversing
the chains (important advantage over 2.2); combined with NAPI I get about
wire speed 100Mbit on my test box.
- Unconforming ingress packets are simply dropped, whereas unconforming
egress packets are rejected (to be friendly to the inside hosts).
- I firewall what goes out as well as what comes in. This stops a lot of
exploit-with-backconnect-payload scenarios.
- It's all typed from memory, so could contain syntactical errors.

Don't hesitate to ask if there are questions (if you do, please note that
you will most likely end up somewhere in the swamp that's called my inbox;
don't feel ignored if you don't get a reply in a week, and if it's important,
just keep resending)

cheers,
Lennert
/etc/rc.d/firewall-local
------------------------
#!/bin/sh
iptables -F INPUT 2>/dev/null
iptables -X INPUT 2>/dev/null
iptables -Z INPUT 2>/dev/null
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s friendly.host.goes.here -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s another.friendly.host.here -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "IN "
iptables -A INPUT -j DROP
iptables -F OUTPUT 2>/dev/null
iptables -X OUTPUT 2>/dev/null
iptables -Z OUTPUT 2>/dev/null
# OUTPUT rules match on the outgoing interface (-o); -i is not valid in this chain
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d mail.server.goes.here -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUT "
iptables -A OUTPUT -j DROP
/etc/rc.d/firewall
------------------
#!/bin/sh
#
# $Id: firewall,v 1.1 2001/01/01 01:01:01 buytenh Exp $
#
#
ITF_EXT=eth0
ITF_INT=eth1
# start from an empty FORWARD chain, so that the user chains below can be
# deleted and recreated when this script is re-run
iptables -F FORWARD 2>/dev/null
iptables -Z FORWARD 2>/dev/null
# ingress rules #########################
iptables -F Iall 2>/dev/null
iptables -X Iall 2>/dev/null
iptables -N Iall 2>/dev/null
# always-allowed IP addresses
iptables -A Iall -s outside.host.no.1 -j ACCEPT
iptables -A Iall -s outside.host.no.2 -j ACCEPT
# services
iptables -A Iall -d inside.host.no.1 -p tcp --dport 80 -j ACCEPT
iptables -A Iall -d inside.host.no.2 -p tcp --dport 25 -j ACCEPT
iptables -A Iall -j LOG --log-prefix "Iall "
iptables -A Iall -j DROP
# egress rules ##########################
iptables -F Oall 2>/dev/null
iptables -X Oall 2>/dev/null
iptables -N Oall 2>/dev/null
# allow web server to rsync ftp.kernel.org
iptables -A Oall -s web.server.ip.here -d ftp.kernel.org -p tcp --dport 873 -j ACCEPT
# reject everything else
iptables -A Oall -j LOG --log-prefix "Oall "
iptables -A Oall -p tcp -j REJECT --reject-with tcp-reset
iptables -A Oall -j REJECT
# FORWARD chain
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${ITF_EXT} -o ${ITF_INT} -j Iall
iptables -A FORWARD -i ${ITF_INT} -o ${ITF_EXT} -j Oall
iptables -A FORWARD -j LOG --log-prefix "this is odd.. "
iptables -A FORWARD -j DROP
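Added example (not from Lennert's post): a small Python summarizer for the LOG entries the two scripts above produce. It assumes the usual kernel-log layout, where the --log-prefix text is printed directly in front of the IN= field; the sample lines are constructed, not real logs.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs) in the format the iptables LOG
# target writes to the kernel log, using the prefixes from the scripts above.
SAMPLE_LOG = """\
Oct 29 13:41:26 fw kernel: Iall IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 29 13:41:27 fw kernel: Iall IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 29 13:41:30 fw kernel: Oall IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 29 13:41:31 fw kernel: OUT IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 29 13:41:35 fw kernel: this is odd.. IN=eth1 OUT=eth1 SRC=192.0.2.10 DST=192.0.2.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
Oct 29 13:41:40 fw sshd[812]: Accepted publickey for root from 203.0.113.9
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ...} for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    # Bare flags (DF, SYN) are skipped; every KEY=VALUE pair is kept.
    rec.update(FIELD_RE.findall("IN=" + m.group("rest")))
    return rec

def summarize(log_text):
    """Count logged packets per prefix and per (prefix, SRC, DST, PROTO, DPT)."""
    by_prefix, by_flow = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        by_flow[(rec["prefix"], rec["SRC"], rec["DST"], rec["PROTO"], rec.get("DPT", "-"))] += 1
    return by_prefix, by_flow

def egress_rejects(by_flow):
    """Flows hit by the egress chains ('Oall' for forwarded traffic, 'OUT' for the
    box itself): an inside host opening unexpected outbound connections is the symptom."""
    rows = [(src, dst, proto, dpt, n) for (prefix, src, dst, proto, dpt), n in by_flow.items()
            if prefix in ("Oall", "OUT")]
    return sorted(rows, key=lambda r: (-r[4], r[:4]))

if __name__ == "__main__":
    by_prefix, by_flow = summarize(SAMPLE_LOG)
    print(dict(by_prefix), egress_rejects(by_flow))
```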
On Mon, Oct 29, 2001 at 01:41:26PM -0500, Christopher C. Northrop wrote:
> Group,
>
> I know I have seen several requests for examples using iptables but I don't
> remember seeing any replies. If anyone out there has some good
> bridge-iptables examples and would like to share, please do..
>
> Lennert, I know this will not put food on the plate but I would like to
> thank you for the time, work and effort you have put into this bridging
> stuff.. Good Job..
>
> Chris
>
> "People who are willing to sacrifice essential freedoms for security deserve
> neither freedom nor security."
> --- Benjamin Franklin
>
> _______________________________________________
> Bridge mailing list
> [EMAIL PROTECTED]
> http://www.math.leidenuniv.nl/mailman/listinfo/bridge